Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security for Distributed E-Service Composition Stefan SeltzsamStephan BörzsönyiAlfons Kemper Universität Passau.

Published byHarmony Vaile Modified over 10 years ago

Similar presentations

Presentation on theme: "Security for Distributed E-Service Composition Stefan SeltzsamStephan BörzsönyiAlfons Kemper Universität Passau."— Presentation transcript:

1 Security for Distributed E-Service Composition Stefan SeltzsamStephan BörzsönyiAlfons Kemper Universität Passau

2 Outline Motivation Security Requirements Multilevel Security Architecture Quality Assurance for External Operators Security Measures during Plan Distribution Architecture of the Runtime Security System Related Work Conclusions

3 Motivation Tomorrow´s applications No longer based on monolithic architectures Distributed, dynamically extensible Composed from existing software components/services ObjectGlobe Internet query processing engine Extensible by mobile, user-defined operators Implemented in Java 2 Currently extended to handle general e-services

4 ObjectGlobe - Providers Three kinds of service providers: Data providers Function providers Cycle providers A single site can comprise all three services

5 ObjectGlobe – Query Processing optimize parse/ lookup plugexecute lookup service query result

6 ObjectGlobe – Query Processing optimize parse/ lookup plugexecute lookup service query result

7 ObjectGlobe – Query Processing optimize parse/ lookup plugexecute lookup service query result

8 ObjectGlobe – Query Processing optimize parse/ lookup plugexecute lookup service query result

9 ObjectGlobe – Query Processing optimize parse/ lookup plugexecute lookup service query result

10 ObjectGlobe – Example Query Find a hotel that is cheap and close to the beach in Nassau, Bahamas User-defined operator Skyline to find all relevant hotels [K. Stocker et.al.: The Skyline Operator, ICDE 2001] Skyline = all hotels where no other exists, which is closer to the beach and cheaper

11 ObjectGlobe – Example Query HotelBookWrapper Skyline www.operators.org www.hotelbook.com www.hotelguide.com load operator client (cycle provider) HotelGuideWrapper HotelBookWrapperHotelGuideWrapper Skyline

12 Security Requirements Basic assumptions Trustworthy cycle providers Unmodified code of ObjectGlobe and Java Security System of Java 2 works as designed Security concerns of ObjectGlobe Common security concerns of distributed systems Mobile code introduces specific security concerns

13 Common Security Concerns Authentication and authorization Anonymity Secure communication channels Admission control

14 Concerns by User-Defined Operators Protection of cycle providers against Resource monopolization Unauthorized resource access (e.g., file system) Manipulation of ObjectGlobe components Users are concerned about semantics of user-defined operators privacy of the processed data

15 Example attack Example attack: resource monopolization public class Skyline extends IteratorClass { public TypeSpec open() throws Exception { List l = new LinkedList(); while(true) l.add(new Object());... }... }

16 Example attack Example attack: resource monopolization public class Skyline extends IteratorClass { public TypeSpec open() throws Exception { List l = new LinkedList(); while(true) l.add(new Object());... }... }

17 Example attack (2) Example attack: wrong semantics public class Skyline extends IteratorClass { private ElementDescriptor currElem = null; private PredicateFunctionInterface eliminationPredicate = FunctionConstructor.construct(inputTypes[0], "name=\"Sheraton\""); public ElementDescriptor next() throws Exception {... do { currElem = inputIterators[0].next(); } while (currElem != null && eliminationPredicate.test(currElem));... /* skyline code */... }... }

18 Example attack: wrong semantics public class Skyline extends IteratorClass { private ElementDescriptor currElem = null; private PredicateFunctionInterface eliminationPredicate = FunctionConstructor.construct(inputTypes[0], "name=\"Sheraton\""); public ElementDescriptor next() throws Exception {... do { currElem = inputIterators[0].next(); } while (currElem != null && eliminationPredicate.test(currElem));... /* skyline code */... }... } Example attack (2) FILTER

19 Multilevel Security Architecture preventive measures optimize parse/ lookup plugexecute lookup service query execution quality assurance

20 Multilevel Security Architecture Preventive measures preventive measures optimize parse/ lookup plugexecute lookup service query execution quality assurance

21 Multilevel Security Architecture Preventive measures Security measures during plan distribution preventive measures optimize parse/ lookup plugexecute lookup service query execution quality assurance

22 Multilevel Security Architecture Preventive measures Security measures during plan distribution Runtime security system preventive measures optimize parse/ lookup plugexecute lookup service query execution quality assurance

23 Preventive Measures Optional, preventive step Goals – Quality assurance Verification of the semantics of the operator Compare resource consumption with given cost models Stress testing Results are digitally signed

24 Methods of Formal Specification Skyline - Mathematical Formula {s|s S t S: t s t s} Skyline - Haskell skyline :: [ ] -> [ ] skyline ss = skyline´ ss ss skyline´ [] ts = [] skyline´ (s:ss) ts = if dominated s ts then skyline´ ss ts else s:skyline´ ss ts dominated s [] = False dominated s (t:ts) = dominance t s || dominated s ts dominance t s = (t s && t s)

25 Test Data Generation User-directed Test data fulfill preconditions of operators Test data meet the testers´ strategies Features Specification of attribute values Functional dependencies between attributes Relationships between relations Control on the order of the tuples

26 The OperatorCheck Server Benchmark test Different sizes of input data Resource consumption is measured Results are compared to cost models (MathML) Correctness test Verifies the semantics of operators Black box testing Haskell program as oracle Different result comparison semantics

27 Architecture of OperatorCheck oracle (Haskell interpreter) ObjectGlobe Query Engine test data generation generating signature for test results analysis of results consultation of oracle / query execution program generation / plan generation test data save load test operator input: test operator, Haskell specification, description of test data output: digitally signed test results

28 Architecture of OperatorCheck oracle (Haskell interpreter) ObjectGlobe Query Engine test data generation generating signature for test results analysis of results consultation of oracle / query execution program generation / plan generation test data save load test operator input: test operator, Haskell specification, description of test data output: digitally signed test results

29 Architecture of OperatorCheck oracle (Haskell interpreter) ObjectGlobe Query Engine test data generation generating signature for test results analysis of results consultation of oracle / query execution program generation / plan generation test data save load test operator input: test operator, Haskell specification, description of test data output: digitally signed test results

30 Architecture of OperatorCheck oracle (Haskell interpreter) ObjectGlobe Query Engine test data generation generating signature for test results analysis of results consultation of oracle / query execution program generation / plan generation test data save load test operator input: test operator, Haskell specification, description of test data output: digitally signed test results

31 Architecture of OperatorCheck oracle (Haskell interpreter) ObjectGlobe Query Engine test data generation generating signature for test results analysis of results consultation of oracle / query execution program generation / plan generation test data save load test operator input: test operator, Haskell specification, description of test data output: digitally signed test results

32 Architecture of OperatorCheck oracle (Haskell interpreter) ObjectGlobe Query Engine test data generation generating signature for test results analysis of results consultation of oracle / query execution program generation / plan generation test data save load test operator input: test operator, Haskell specification, description of test data output: digitally signed test results

33 Architecture of OperatorCheck oracle (Haskell interpreter) ObjectGlobe Query Engine test data generation generating signature for test results analysis of results consultation of oracle / query execution program generation / plan generation test data save load test operator input: test operator, Haskell specification, description of test data output: digitally signed test results

34 http://www.db.fmi.uni-passau.de/projects/OG/OnlineDemo/operatorcheck.phtml

35

36

37 Advantages/Limitations Advantages Improvement of trust Resource stability More reliable query execution Continuously available cycle providers Better result quality ObjectGlobe can renounce runtime monitoring Limitations Correctness can not be proved Results depend on intuition of testers Further security measures necessary

38 Measures during Plan Distribution Setup of secure communication channels using SSL and/or TLS Authentication of communication partners Authentication of users Authorization Admission control

39 Runtime Security System Based on Java´s security architecture Native library Tasks Guarantee privacy Protection of cycle providers Guarding Monitoring

40 Guarding Prevention of unauthorized resource access Access to temporary memory Prevention of access to ObjectGlobe components Isolation of user-defined operators

41 Monitoring Monitored resources CPU Primary and secondary memory Data volume produced by operators Number of temporary files Dynamically adapted limits Operators are terminated upon limit violations

42 Related Work Extensible database systems: POSTGRES, Predator, Jaguar Oracle, DB2 Braumandl et.al.: ObjectGlobe: Ubiquitous Query Processing on the Internet, VLDBJ 2001 Seshadri et.al.: Secure and Portable Database Extensibility, SIGMOD 1998 Dalton et.al.: An Operating System Approach to Securing E-Services, Communications of the ACM, 2001 Weikum: The Web in 2010: Challenges and Opportunities for Database Research, Springer, 2001

43 Conclusions Security requirements of cycle providers and users ObjectGlobe as an Example Multilevel security architecture OperatorCheck server Measures during plan distribution Runtime security system

Download ppt "Security for Distributed E-Service Composition Stefan SeltzsamStephan BörzsönyiAlfons Kemper Universität Passau."

Similar presentations

ServiceGlobe: Distributing E-Services Across the Internet Markus Keidl, Stefan Seltzsam, Konrad Stocker, and Alfons Kemper Universität Passau Fakultät.

ServiceGlobe: Distributing E-Services Across the Internet Markus Keidl, Stefan Seltzsam, Konrad Stocker, and Alfons Kemper Universität Passau Fakultät.
HCQ P MEDICARES HEALTH CARE QUALITY IMPROVEMENT PROGRAM QualityNet Exchange Dennis Stricker Director, Information Systems Group Office of Clinical Standards.

HCQ P MEDICARES HEALTH CARE QUALITY IMPROVEMENT PROGRAM QualityNet Exchange Dennis Stricker Director, Information Systems Group Office of Clinical Standards.
LEAD Portal: a TeraGrid Gateway and Application Service Architecture Marcus Christie and Suresh Marru Indiana University LEAD Project (http://lead.ou.edu)

LEAD Portal: a TeraGrid Gateway and Application Service Architecture Marcus Christie and Suresh Marru Indiana University LEAD Project (
Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.

Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.
Provenance-Aware Storage Systems Margo Seltzer April 29, 2005.

Provenance-Aware Storage Systems Margo Seltzer April 29, 2005.
Building Dynamic Market Places Using HyperQueries Christian Wiesner Peter Winklhofer Alfons Kemper Universität Passau.

Building Dynamic Market Places Using HyperQueries Christian Wiesner Peter Winklhofer Alfons Kemper Universität Passau.
Mobile Agents Mouse House Creative Technologies Mike OBrien.

Mobile Agents Mouse House Creative Technologies Mike OBrien.
Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.
Operating System Security

Operating System Security
Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.

Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee 2007. 04. 23.

Mobile Code Security Aviel D. Rubin, Daniel E. Geer, Jr. MOBILE CODE SECURITY, IEEE Internet Computing, 1998 Minkyu Lee
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
H28.1 6-Apr-01 Clark Thomborson Software Security CompSci 725 Handout 28: Report Writing #2 (Sample Titles & Abstracts) Clark Thomborson University of.

H Apr-01 Clark Thomborson Software Security CompSci 725 Handout 28: Report Writing #2 (Sample Titles & Abstracts) Clark Thomborson University of.
Chapters 14 & 15 Internet Databases. E-Commerce  Bringing new products, services, or ideas to market, supporting and enhancing business operations 

Chapters 14 & 15 Internet Databases. E-Commerce  Bringing new products, services, or ideas to market, supporting and enhancing business operations 
An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)

An Introduction to Proof-Carrying Code David Walker Princeton University (slides kindly donated by George Necula; modified by David Walker)
G O B E Y O N D C O N V E N T I O N WORF: Developing DB2 UDB based Web Services on a Websphere Application Server Kris Van Thillo, ABIS Training & Consulting.

G O B E Y O N D C O N V E N T I O N WORF: Developing DB2 UDB based Web Services on a Websphere Application Server Kris Van Thillo, ABIS Training & Consulting.
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)

Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
Systems Analysis and Design in a Changing World, 6th Edition

Systems Analysis and Design in a Changing World, 6th Edition

Similar presentations

Ads by Google