Security Requirements in Service Oriented Architectures for Ubiquitous Computing
Almerindo Graziano, Domenico Cotroneo, Stefano Russo
agrazian@unina.it
MobiLab Research Group, Università degli studi di Napoli “Federico II”

Outline
• Motivation
• Addressing Ubiquitous Security
• The Story So Far
• Security Requirements
• Evaluation
• Conclusions

Service Oriented Architectures
• Established computing paradigm
• A SOA is based upon
  • Service definition
  • Service Discovery and Delivery
• SOAs have evolved from the Internet model
  • Different service definitions
  • Different discovery/delivery protocols
• Problems
  • Interoperability and standardization
  • Security

Addressing Ubiquitous Security
• Wireless security
  • Widely addressed
• Security of SOAs in ubiquitous computing
  • Not widely addressed (often just an afterthought)
  • Not addressed consistently
  • No security requirements analysis
  • Stronger interoperability problems

The Story So Far
• Standard Protocols
  • Bluetooth
  • Jini
  • Salutation
  • UPnP
  • SLP
  • JXTA
• Integrated Architectures
  • SSDS
  • Centaurus
• Proxy-based protocols
  • Ongoing research
  • Splendor

Security Requirements
• Secure service registration/deregistration
  • Example: DoS attacks
• Secure Discovery (service records)
  • Authenticated
  • Authorized
  • Confidential
  • Genuine
  • Anonymous
• Secure Delivery
  • Authenticated
  • Authorized
  • Confidential
  • Genuine
  • Anonymous
• Application Security
• Availability

Evaluation
• Genuine discovery and delivery are underestimated
  • Achieved partially or not at all
• Service (de)registration is assumed trusted
• No architecture addresses security in service definition
• Application security often out of scope
• Different access control models
  • ACLs or Capabilities
• Different granularity
  • User or Devices
• Location of the PDP
  • Local by the device or remote by a resource manager
• Different trust models

Conclusions
• Not possible to address all security requirements
  • Total security does not exist
  • Limited resources
• Need to use threat models (mobile adversary and mobile victims)
  • Security requirements driven by use cases
  • Abuse cases can help model the threats
  • Use risk assessment to rationalize security issues
• Secure interoperability still a challenge
  • Trust models, access control, authorization management

Ongoing Work
• Complete evaluation work to include
  • Access control models, trust models, authorization management
• Design of a Secure SOA for Nomadic Computing
  • Use/Misuse cases for threat analysis
  • Threat modelling and design with UMLsec
  • Validation with UMLsec