Preserving Privacy in Dynamic Web Service Composition

The proliferation of web services as self-contained web accessible programs and the idea of the Semantic Web of making information computer-interpretable enables the dynamic composition of complex services assembled from various individual services and typically distributed over the web. Following the paradigm of pervasive computing, pro-active agents are installed on mobile phones or PDAs operating on the web and handle the context-aware discovery of appropriate services and use AI-based plan generation techniques to dynamically compose the retrieved service to solve complex tasks. Functional composition of complex services is well understood and supported. However, the introduction of web services in general and dynamic web service composition (e.g. [2, 7]) in particular requires appropriate security facilities to guarantee the security requirements of all participants. On the one hand, web services have to be protected against misuse of their resources, and on the other hand, the user of web services require the privacy of their data. Standard approaches for secure execution of services such as those using REI [6] or Ponder [3] are based on the specification of access control policies to control the individual execution of services and thus focus on the first task. We propose an approach [4, 5] to ensure the privacy of user data by introducing a dynamic security check between plan generation and execution of the plan. Thereby we can guarantee that the execution of a synthesized plan will not distribute user's or newly generated data to a non-entitled web service. We make use of techniques developed in program language security in general and an adapted version of Volpano Smith's [8, 9] security type calculus in particular. To protect the privacy of user related information, the data used in web services is always classified according to its confidentiality. Web services require the corresponding clearances to deal with confidential data. Both classifications and clearances are denoted by a so-called security types. There is a partial ordering ≤ on security types which allow us to compare them. The set of all security types together with ≤ forms a lattice. Similar to the approach presented by Bell and La-Padula [1], the idea is that a web service is only entitled to obtain a specific datum if its clearance is at least as high as the classification of the data. However, in practice we would like to select the clearances of web services and also the classification of data with respect to …