Static Analysis Method of Secure Privacy Information Flow for Service Composition

Cited by: 0
Authors
Peng H.-F. [1 ,2 ]
Huang Z.-Q. [1 ]
Liu L.-Y. [3 ]
Li Y. [1 ]
Ke C.-B. [4 ]
Affiliations
[1] College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing
[2] College of Computer Engineering, Nanjing Institute of Technology, Nanjing
[3] Department of E-Commerce, Nanjing Audit University, Nanjing
[4] College of Computer, Nanjing University of Posts and Telecommunications, Nanjing
Source
Huang, Zhi-Qiu (zqhuang@nuaa.edu.cn) | Year: 1739 / Volume: Chinese Academy of Sciences / Issue: 29
Funding
National Natural Science Foundation of China;
Keywords
Information flow security; Privacy protection; Security model; Service composition; Static analysis; Workflow net;
DOI
10.13328/j.cnki.jos.005276
Abstract
Many service composition scenarios involve the sharing of users' privacy data. Due to the transparency of the composition's business logic and the lack of a privacy protocol between the user and the member services, how to prevent the leakage of user privacy information has become a hot research topic in the field of service-oriented computing. This article proposes a static analysis method of secure privacy information flow for service composition, based on the characteristics of privacy protection. First, a security model is developed to formalize the security policy of privacy information flow in three aspects: service reputation, retention and purpose. Then, the composition is modeled with a privacy workflow net, which supports the analysis of privacy information flow, and privacy information leakage is detected by analyzing the execution paths of the composition. Finally, a case study is included to demonstrate the effectiveness of the proposed method, and a performance experiment is also presented. Compared with existing related work, the proposed security model reflects the characteristics of privacy protection, and the analysis method is able to deal with issues caused by the aggregation of privacy data items. Therefore, applying this method can prevent information leakage more efficiently. © Copyright 2018, Institute of Software, the Chinese Academy of Sciences. All rights reserved.
Pages: 1739 / 1755
Number of pages: 16
Related papers
26 in total
  • [11] Peng H.F., Huang Z.Q., Fan D.J., Zhang Y.L., Specification and verification of user privacy requirements for service composition, Ruan Jian Xue Bao/Journal of Software, 27, 8, pp. 1948-1963, (2016)
  • [12] Bacon J., Eyers D., Pasquier T.F.J.M., Singh J., Papagiannis I., Pietzuch P., Information flow control for secure cloud computing, IEEE Trans. on Network and Service Management, 11, 1, pp. 76-89, (2014)
  • [13] Nakajima S., Model-Checking of safety and security aspects in Web service flows, Proc. of the 4th Int'l Conf. on Web Engineering, pp. 488-501, (2004)
  • [14] Denning D.E., A lattice model of secure information flow, Communications of the ACM, 19, 5, pp. 236-243, (1976)
  • [15] Hutter D., Volkamer M., Information flow control to secure dynamic Web service composition, Proc. of the 3rd Int'l Conf. on Security in Pervasive Computing, pp. 196-210, (2006)
  • [16] Accorsi R., Lehmann A., Lohmann N., Information leak detection in business process models: Theory, application, and tool support, Information Systems, 47, pp. 244-257, (2015)
  • [17] Bell D.E., Lapadula L.J., Secure computer systems: Mathematical foundations, MITRE Technical Report, 2547, (1996)
  • [18] Knorr K., Multilevel security and information flow in Petri net workflows, Proc. of the 9th Int'l Conf. on Telecommunication Systems-Modeling and Analysis, pp. 1-16, (2001)
  • [19] Cranor L., Dobbs B., Egelman S., Hogben G., Humphrey J., Langheinrich M., Marchiori M., Presler-Marshall M., Reagle J., Schunter M., Stampley D.A., Wenning R., The Platform for Privacy Preferences 1.1 (P3P1.1) Specification. W3C, (2006)
  • [20] Van Der Aalst W.M.P., Verification of workflow nets, Proc. of the 18th Int'l Conf. on Application and Theory of Petri Nets, pp. 407-426, (1997)