TY - GEN
T1 - An access and information flow control paradigm for secure information sharing in service-based systems
AU - Solanki, Nidhiben
AU - Hoffman, Timothy
AU - Yen, I. Ling
AU - Bastani, Farokh
AU - Yau, Sik-Sang
N1 - Publisher Copyright:
© 2015 IEEE.
Copyright:
Copyright 2017 Elsevier B.V., All rights reserved.
PY - 2015/9/21
Y1 - 2015/9/21
N2 - Cloud now provides a wide range of services hosted by different providers from different domains. These services can be composed together dynamically to realize important tasks. In a composite service, information may flow from one service to subsequent services from different domains. Such information flow, if not properly controlled, may cause undesired leakage of critical data. Existing works on access control for web service do not consider the information flow problem in composite services. Existing information flow control (IFC) techniques is not flexible and cannot work with domain-specific information flow control policies. Existing works on access control for web service do not consider the information flow problem in composite services. Existing information flow control (IFC) techniques are not flexible and cannot work with domain-specific information flow control policies. In this paper, we define the WS-AIFC infrastructure for enforcing access and information flow control. The major goal of WS-AIFC is to provide a new IFC mechanism that can allow each domain to define their own IFC policies while WS-AIFC is capable of preventing undesired information leakage (IFC policy violation) among benign, semi-honest service domains. The main idea in WS-AIFC is to derive and record the dependency list for each data object. The system, upon receiving an access request to a critical data object, not only validates the conventional access control policy for the access, but also extracts the data and the corresponding domains in the dependency list and consults these domains to validate their IFC policies for the indirect access. In summary, WS-AIFC empowers individual domains to control how their information flows and achieves enhanced security for service based systems.
AB - Cloud now provides a wide range of services hosted by different providers from different domains. These services can be composed together dynamically to realize important tasks. In a composite service, information may flow from one service to subsequent services from different domains. Such information flow, if not properly controlled, may cause undesired leakage of critical data. Existing works on access control for web service do not consider the information flow problem in composite services. Existing information flow control (IFC) techniques is not flexible and cannot work with domain-specific information flow control policies. Existing works on access control for web service do not consider the information flow problem in composite services. Existing information flow control (IFC) techniques are not flexible and cannot work with domain-specific information flow control policies. In this paper, we define the WS-AIFC infrastructure for enforcing access and information flow control. The major goal of WS-AIFC is to provide a new IFC mechanism that can allow each domain to define their own IFC policies while WS-AIFC is capable of preventing undesired information leakage (IFC policy violation) among benign, semi-honest service domains. The main idea in WS-AIFC is to derive and record the dependency list for each data object. The system, upon receiving an access request to a critical data object, not only validates the conventional access control policy for the access, but also extracts the data and the corresponding domains in the dependency list and consults these domains to validate their IFC policies for the indirect access. In summary, WS-AIFC empowers individual domains to control how their information flows and achieves enhanced security for service based systems.
KW - Access control
KW - Data dependency
KW - Information flow control
KW - Service-based systems
UR - http://www.scopus.com/inward/record.url?scp=84962469633&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84962469633&partnerID=8YFLogxK
U2 - 10.1109/COMPSAC.2015.195
DO - 10.1109/COMPSAC.2015.195
M3 - Conference contribution
AN - SCOPUS:84962469633
T3 - Proceedings - International Computer Software and Applications Conference
SP - 60
EP - 67
BT - Proceedings - 2015 IEEE 39th Annual Computer Software and Applications Conference - Stephen S. Yau Academic Symposium, COMPSAC 2015
A2 - Huang, Gang
A2 - Chu, William
A2 - Hsiung, Pao-Ann
A2 - Yang, Jingwei
A2 - Chang, Carl K.
A2 - Ahamed, Sheikh Iqbal
A2 - Crnkovic, Ivica
PB - IEEE Computer Society
T2 - 2015 IEEE 39th Annual Computer Software and Applications Conference - Stephen S. Yau Academic Symposium, COMPSAC 2015
Y2 - 1 July 2015 through 5 July 2015
ER -