Towards an Automatic Analysis of Web Service Security

Yannick Chevalier 1 Denis Lugiez 2 Michael Rusinowitch 3
3 CASSIS - Combination of approaches to the security of infinite states systems
FEMTO-ST - Franche-Comté Électronique Mécanique, Thermique et Optique - Sciences et Technologies (UMR 6174), INRIA Lorraine, LORIA - Laboratoire Lorrain de Recherche en Informatique et ses Applications
Abstract : Web services send and receive messages in XML syntax with some parts hashed, encrypted or signed, according to the WS-Security standard. We have introduced a model to formally describe the protocols that underly these services, their security properties and the rewriting attacks they might be subject to. Unlike other protocol models (in symbolic analysis) ours can handle non-deterministic receive/send actions and unordered sequence of XML nodes. Then to detect the attacks we have to consider the services as combining multiset operators and cryptographic ones and we have to solve specific satisfiability problems in the combined theory. By an extension of the combination techniques we obtain a decision procedure for insecurity of Web services with messages built using encryption, signature, and other cryptographic primitives. This combination technique allows one to decide insecurity in a modular way by reducing the associated constraint solving problems to problems in simpler theories.
Document type :
Conference papers
Complete list of metadatas

https://hal.inria.fr/inria-00557707
Contributor : Michaël Rusinowitch <>
Submitted on : Wednesday, January 19, 2011 - 5:38:00 PM
Last modification on : Thursday, June 27, 2019 - 4:27:42 PM

Links full text

Identifiers

Citation

Yannick Chevalier, Denis Lugiez, Michael Rusinowitch. Towards an Automatic Analysis of Web Service Security. 6th International Symposium on Frontiers of Combining Systems - FroCoS'07, Sep 2007, Liverpool, United Kingdom. pp.133-147, ⟨10.1007/978-3-540-74621-8_9⟩. ⟨inria-00557707⟩

Share

Metrics

Record views

241