Enabling Message Security for RESTful Services

Also check out our recent paper at the IEEE International Conference on Web Services 2012, more details can be found in the link below:

https://blogs.sap.com/2012/06/26/enabling-message-security-for-restful-services/

The full paper is available here: http://ieeexplore.ieee.org/document/6257797/ 

 

Advertisements

Recent papers

I have participated in two papers that were presented at SecRet 2008:

  • Claude Kirchner, Hélène Kirchner and Anderson Santana de Oliveira – Analysis of Rewrite-Based Access Control Policies

    The rewrite-based approach provides executable specifications for security policies, which can be independently designed, verified, and then anchored on programs using a modular discipline. In this paper, we describe how to perform queries over these rule-based policies in order to increase the trust of the policy author on the correct behavior of the policy. The analysis we provide is founded on the narrowing process, which provides both the necessary abstraction for simulating executions of the policy over access requests and the
    mechanism for solving what-if queries from the security administrator. We illustrate this general approach by the analysis of a firewall system policy.

  • Horatiu Cirstea, Pierre-Etienne Moreau and Anderson Santana de Oliveira – Rewrite Based Specification of Access Control Policies

    Data protection within information systems is one of the main concerns in computer systems security and different access control policies can be used to specify the access requests that should be granted or denied. These access control mechanisms should guarantee that
    information can be accessed only by authorized users and thus prevent all information leakage. We propose a methodology for specifying and implementing access control policies using the rewrite based framework Tom. This approach allows us to check that any reachable state
    obtained following an access granted in the implementation satisfies the policy specification. We show that when security levels are not totally ordered some information leakage can be detected.