Discovering Secure Service Compositions

Luca Pino, George Spanoudakis, Andreas Fuchs, Sigrid Gürgens


Security is an important concern for service-based systems, i.e., systems that are composed of autonomous and distributed software services. This is because the overall security of such systems depends on the security of the individual services they deploy and, hence, is difficult to assess, especially in cases where these services must be discovered and composed dynamically. This paper presents a novel approach for discovering secure compositions of software services. This approach is based on secure service orchestration patterns, which have been proven to provide certain security properties and can, therefore, be used to generate service compositions that are guaranteed to satisfy these properties by construction. The paper lays the foundations of the secure service orchestration patterns, and presents an algorithm that uses the patterns to generate secure service compositions and a tool realising our entire approach.



Paper Citation

in Harvard Style

Pino L., Spanoudakis G., Fuchs A. and Gürgens S. (2014). Discovering Secure Service Compositions. In Proceedings of the 4th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER, ISBN 978-989-758-019-2, pages 242-253. DOI: 10.5220/0004855702420253
