Semantics-based design for Secure Web Services
|
|
- Jean Boyd
- 8 years ago
- Views:
Transcription
1 1 Semantics-based design for Secure Web Services Massimo Bartoetti Pierpaoo Degano Gian Luigi Ferrari Roberto Zunino Dipartimento di Informatica University of Pisa L.go Bruno Pontecorvo, Pisa, Itay Phone Fax
2 2 Abstract We outine a methodoogy for designing and composing services in a secure manner. In particuar, we are concerned with safety properties of service behaviour. Services can enforce security poicies ocay and can invoke other services that respect given security contracts. This ca-by-contract mechanism offers a significant set of opportunities, each driving secure ways to compose services. We discuss how to correcty pan services compositions in severa reevant casses of services and security properties. To this aim, we propose a graphica modeing framework, based on a foundationa cacuus caed λ req [13]. Our formaism features dynamic and static semantics, so aowing for forma reasoning about systems. Static anaysis and mode checking techniques provide the designer with usefu information to assess and fix possibe vunerabiities. Index Terms Web services, ca-by-contract, anguage-based security, static anaysis, system verification. I. INTRODUCTION Service-oriented computing (SOC) is an emerging paradigm to design distributed appications [42], [41], [25]. SOC appications are obtained by suitaby composing and coordinating (i.e. orchestrating) avaiabe services. Services are stand-aone computationa units distributed over a network, and made avaiabe through standard interaction mechanisms. Composition of services may require pecuiar mechanisms to hande compex interaction patterns (e.g. to impement transactions), whie enforcing non-functiona requirements on the system behaviour, ike e.g. security, avaiabiity, performance, transactionaity, quaity of service, etc. [46]. An important aspect is that services are open, in that they are buit with itte or no knowedge about their operating environment, their cients, and further services therein invoked. Web Services [2], [45], [48] buit upon XML technoogies are possiby the most iustrative and we deveoped exampe of the SOC paradigm. A variety of XML-based technoogies have been devised for describing, discovering and invoking web services [17], [19], [16], [49]. There are aso severa standards for defining and enforcing non-functiona requirements of services, e.g. WS-Security [4], WS- Trust [3] and WS-Poicy [47] among others. The success of the SOC paradigm is highy reated to the deveopment of network infrastructures supporting interoperabe and secure messaging among services, as we as high-eve
3 3 coordination standards. A further eement is the definition of nove methodoogies for modeing, anaysing and certifying SOC systems, see e.g. [26]. A chaenging issue for SOC research is how to compose existing services into more compex ones, aso by propery seecting and configuring services so to guarantee that their composition enjoys some desirabe properties. Non-functiona aspects, e.g security, make service composition even harder. From a methodoogica perspective, Software Engineering shoud faciitate the shift from traditiona approaches to the emerging service-oriented soutions. Aong these ines, one of the goas of this paper is to strenghten the adoption of forma techniques for modeing, designing and verifying SOC appications. In particuar, we propose a SOC modeing framework supporting history-based security and ca-by-contract. The starting point of our work is λ req [13], [8], a foundationa cacuus for describing, seecting and securey composing services. The execution of a program may invove accessing securitycritica resources; these actions are ogged into histories. The security mechanism may inspect these histories, and forbid those executions that woud vioate the prescribed poicies. The ca-bycontract seection mechanism impements a matchmaking agorithm based on service behaviour. This agorithm expoits static anaysis techniques to detect the pans for resoving the ca-bycontract invoved in a service orchestration. In our modeing framework, services are rendered as typed diagrams. Service interfaces extend the WSDL interfaces: besides the standard WSDL attributes, we add semantic information about service behaviour. In our mode, the pubished interface of a service is an annotated functiona type, of the form τ H 1 τ 2. Intuitivey, when suppied with an argument of type τ 1, the service evauates to an object of type τ 2. The annotation H is a sort of context-free grammar that describes a the possibe run-time histories of the services. Thus, H can be expoited to constrain the seection of a service that respects the desired security properties. Service interfaces are mechanicay inferred by a type and effect system. To seect a service that matches a given contract, a cient issues a request of the form. ϕ A request type τ = τ 1 τ2 matches those services with interface τ H 1 τ 2 whose abstract behaviour H respects the poicy ϕ. These services are guaranteed to respect ϕ in a the possibe executions. The seection agorithm searches a service repository for an interface matching the request type. Since service interactions may be compex, it might be the case that a oca choice for
4 4 a service is not secure in a broader, goba context. For instance, choosing a ow-security e- mai provider might prevent you from using a home-banking service that exchanges confidentia data through e-mai. In this case, you shoud have panned the seection of the e-mai and bank services so to ensure their compatibiity. To cope with this kind of issues, we define a static machinery that determines the viabe pans for seecting services that respect a the contracts, both ocay and gobay. The main contributions of the present paper are the foowing: 1) a forma modeing anguage for designing secure services. Our graphica formaism resembes UML activity diagrams, and it is used to describe the workfow of services. Besides the usua workfow operators, we can express activities subject to security constraints. The awareness of security from the eary stages of deveopment wi foster security through a the foowing phases of software production. Our diagrams have a forma operationa semantics, that specifies the dynamic behaviour of services. Moreover, diagrams can be staticay anaysed, to infer the contracts satisfied by a service. Our approach aows for a fine-grained characterization of the design choices that affect security (Section II). We support our proposa with some case study scenarios. 2) the integration of a verification technique to study composition properties of service networks. A static anaysis is used to infer an abstraction of the behaviour of a network. This abstraction is then mode-checked to construct a correct orchestrator that coordinates the running services in a secure manner. Secure orchestration wi aso aow for improving the overa performance by avoiding unnecessary dynamic security checks whie executing services. Studying the output of the mode-checker may highight possibe design faws, and suggest how to revise the cas-by-contract and the security poicies. A the above machinery is competey mechanizabe, and we are impementing a too to support our methodoogy. The fact that the too is based on strong theoretica grounds (i.e. λ req type and effect inference and verifier) positivey impacts the reiabiity to our approach. 3) a study of various panning and recovering strategies. We discuss severa situations in which one needs to take a decision before proceeding with the execution. For instance, when a panned service disappears unexpectedy, one can choose to repan, i.e. to adapt the current pan to the new network configuration. Depending on the boundary conditions and on past experience, one can choose among different tactics. We comment on the feasibiity,
5 5 advantages and costs of each of them. The paper is organized as foows. In Section II we introduce a taxonomy of security aspects in service-oriented appications. Section III, IV and V present our forma mode. In particuar, Section III introduces our design notation and the operationa semantics; Section IV presents service contracts, and outines how they can be automaticay inferred; Section V iustrates how to seect services under the ca-by-contract phiosophy, and discusses some panning and recovering strategies. Two scenarios for secure service composition are presented in Section VI. We concude the paper with some remarks (Section VII) about the expected impact of our methodoogy on Software Engineering, and we discuss some reated works. II. A TAXONOMY OF SECURITY ASPECTS IN WEB SERVICES Service composition heaviy depends on which information about a service is made pubic, on how to choose those services that match the user s requirements, and on their actua run-time behaviour. Security makes service composition even harder. Services may be offered by different providers, which ony partiay trust each other. On the one hand, providers have to guarantee that the deivered service respects a given security poicy, in any interaction with the operationa environment, and regardess of who actuay caed the service. On the other hand, cients may want to protect their sensitive data from the services invoked. In the history-based approach to security, the actua access rights of a running piece of code depend on (a suitabe abstraction of) the execution history of a the pieces of code run so far. This approach has been receiving major attention, both at the eve of foundations [5], [30], [44] and of anguage design and impementation [1], [27]. The observations of security-reevant activities, e.g. opening socket connections, reading and writing fies, accessing critica memory regions, are caed events. Histories are sequences of events. The cass of poicies we are concerned with is that of safety properties of histories, i.e. properties that are expressibe through finite state automata. The typica run-time mechanisms for enforcing history-based poicies are reference monitors, which observe program executions and abort them whenever about to vioate the given poicy. Reference monitors enforce exacty the cass of safety properties [43]. Since histories are the main ingredient of our security mode, our taxonomy speaks about how histories are handed and manipuated by services. We focus on the foowing aspects.
6 6 Stateess / statefu services A stateess service does not preserve its history across distinct invocations (yet it checks the history within each invocation). Instead, a statefu service keeps track of the histories of a the past invocations. Steteess services can enforce poicies that inspect the history of the current invocation ony, e.g. resource usage contro. Statefu services aow for more expressive security poicies: for instance, a statefu service can bound the number of invocations on a per-cient basis, whie a stateess service cannot. More in genera, statefu services can expoit their histories to record security-reevant information about the state of cient sessions. Consider for instance a service that requires password authentication, and that gives ony three chances per hour to authenticate. This can be modeed as a statefu service. In this case the history keeps track of the number of faied authentication attempts. The security poicy prevents the service from being used by a caer for which the history has recorded three faied authentication attempts in the ast hour. Athough stateess services admit security poicies that are ess expressive than those of statefu services, static anaysis can usuay infer enough information to ensure secure composition. For instance, consider a cient that wants to buy some pharmaceuticas through an onine vendor, whie being assured that his shopping ist is not eaked to other services (e.g. insurance companies). Staticay anaysing pharmacy services permits to match the cient with a service conforming to its requirements. This is because the information recorded in stateess histories is enough to show possibe eaks. Loca / goba histories Loca histories ony record the events generated by a service ocay on its site. Instead, a goba history may span over mutipe services. Loca histories are the most prudent choice when services do not trust other services, in particuar the histories they generate. In this case, a service ony trusts its own history but it cannot constrain the past history of its caers, e.g. to prevent that its cient has visited a maicious site. Goba histories instead require some trust reation among services: if a service A trusts B, then the history of A may comprise that of B, and so A may check poicies on the behaviour of B. For instance, consider an aiance of services trusting each other, that wish to impement a distributed back-ist. More in detai, when any of the services in the aiance back-ists (through a suitabe event in the history) an externa service, then a the aiance must abstain from invoking that externa service. This can be impemented
7 7 by making the services in the aiance share a goba history. Before invoking an externa service, the caer inspects the goba history to find whether it has been back-isted beforehand. Note that the trust reationship among the services in the aiance is crucia: even a singe untrusted service coud compromise the security of the aiance, by maiciousy modifying the goba history. To securey impement the goba history, i.e. to protect its integrity, communication between services is done through suitabe cryptographic protocos. These protocos must be designed to be coherent with the existing trust reationship, e.g. signed histories are considered reiabe ony if the signer is trusted [51]. First order / higher order requests A request type τ ϕ τ is first order when both τ and τ are base types (Int, Boo, etc.). Instead, if τ or τ are functiona types, the request is higher order. In particuar, if the parameter (of type τ) is a function, then the cient passes some code to be possiby executed by the requested service. Symmetricay, if τ is a function type, then the service returns back some code to the caer. Mobiity of code impacts the way histories are generated, and demands for particuar mechanisms to enforce security on the site where the code is run. A typica protection mechanism is sandboxing, that consists in wrapping code within an execution monitor that enforces a given security poicy. When there is no mobie code, more efficient mechanisms can be devised, e.g. oca checks on security-critica operations. For instance, Java Appets are mobie code appications running on the cient browser, and they can be invoked through higher order requests. A browser cas a service that returns an appet; the browser runs then the appet, whie enforcing its own security poicy, e.g. the standard Java sandboxing. Actuay, history-based security is more genera than Java, since it checks the a the past execution history, whie Java ony checks the frames in the ca stack [34]. Higher order requests aso aow a cient to pass some mobie code as a parameter to a service. The execution of that code can be constrained both by the cient and by the service, by suitabe poicies imposed on its execution. Dependent / independent threads In a network of services, severa threads may run concurrenty and compete for services. A thread is a computation started from a particuar initiator service in the network. Roughy, initiator services are those deegated by the active actors to attain a given goa. Independent
8 8 threads keep execution histories separated, whie dependent threads may share part of their histories Therefore, dependent threads may infuence each other when using the same service, whie independent threads cannot. Impementing independent threads requires that each service records the history of each thread that invoked that service, i.e. services actuay maintain a mapping from thread initiators to their histories. For instance, consider a service that can be invoked ony once. If threads are independent, this one-shot service has no way to enforce singe use. It can ony check that no thread uses it more than once, because each thread keeps its own history. Dependent threads are necessary to correcty impement the one-shot service. III. SERVICES The basic entity in our graphica formaism is that of service. We sha first describe the syntax of services, and then study how they behave when pugged into a network. A service is represented as a box containing its code. The four corners of the box are decorated with information about the service interface and behaviour. The abe : τ indicates the ocation where the service is made avaiabe, and its certified pubished interface τ (discussed ater on in Section IV). The other abes instead are used to represent the state of a service at run-time. : τ π : τ service ocation + interface τ π orchestration pan B event history (m, Φ) monitor fag m + sequence Φ of active poicies (m, Φ) B service code Fig. 1. Execution state of a service. The abe is an abstraction of the service execution history. In particuar, we are concerned with the sequence of security-reevant events happened sometimes in the past, in the spirit of history-based security [1]. The abe (m, Φ) is a pair, where the first eement is a fag m representing the on/off status of the execution monitor, and the second eement is the sequence ϕ 1 ϕ k of active security poicies. The monitor must check that services adhere to each poicy ϕ i, for i 1..k, when the fag is on. Security poicies are modeed as reguar properties
9 9 of event histories, i.e. properties that are recognizabe by a finite state automaton. Athough the soundness of our design and anaysis techniques does not depend on the ogic chosen for expressing reguar properties of histories, we find it convenient to express poicies through our tempate security automata (see beow). The abe π is the pan used for resoving service choices. A pan formaises how a caby-contract is transformed into a ca-by-name. Pans may come in severa different shapes [11]. Here we focus on a very simpe form of pans, i.e. mappings from request abes r to service ocations. We represent pans with the syntax defined in Fig. 2. π,π ::= 0 empty r[] service choice r[?] unresoved choice π π composition Fig. 2. Syntax of pans. The empty pan 0 has no choices; the pan r[] associates the service pubished at site with the request abeed r. A pan is compete when it has no unresoved choices. Composition on pans is associative, commutative and idempotent, and its identity is the empty pan 0. Since pans are functions, they have a singe choice for each request, i.e. r[] r[ ] impies =. The abe B inside the box is a bock that describes the workfow behaviour of the service, in particuar of the security-reevant activities. Formay, B it is a contro fow graph [40] with nodes modeing activities, and arrows modeing intra-procedura fow. The syntax of activities and fow graphs are defined in Fig. 3, whie Fig. 4 summarizes the reevant syntactic categories. Activities comprise basic activities, events, requests, security bocks, and panning bocks. A basic activity a is an interna computation that does not affect security-critica objects. For instance, evauating a booean or arithmetic expression are basic activities. An event α(o) abstracts from a security-critica action α performed on an object o. For instance, write(foo) for writing the fie foo, sgn() for a certificate signed by, etc. We simpy write α when the target object is immateria. A service request takes the form. The abe r uniquey identifies the request in a
10 10 A ::= activities a basic activity α(o) event request ϕ[b] security bock {B} panning bock B = (N, Λ, ) service fow graph where N finite set of nodes Λ : N A abeing function N N set of arrows Fig. 3. Syntax of services. network of services, and the request type τ is defined by: τ ::= b τ ϕ τ where b is a base type (Int,Boo,void,...). The annotation ϕ on the arrow is the query pattern (or contract ) to be matched by the invoked service. For instance, the request type τ ϕ τ matches services with functiona type τ τ, and whose behaviour respects the poicy ϕ. A security bock ϕ[b] annotates B with the poicy ϕ, with the intention that ϕ must be obeyed whie running B. This can be accompished by enabing the execution monitor, that checks the history against ϕ at each step of the execution of B. We sha see ater on a static anaysis of services that wi aow to turn off the execution monitor, whie guaranteeing that the poicy ϕ is obeyed. A panning bock {B} constructs a pan for the execution of B (see Section V for more detais on how this is accompished). Both kinds of bocks can be nested, and they determine the scope of poicies (hence caed oca poicies [7]) and of panning. Service fow graphs B = (N, Λ, ) are directed graphs, where N is the (finite) set of nodes, Λ is a function that maps nodes to activities, and is the set of arrows. Note that oops are
11 11 o,o,... Obj Objects (a finite set) α,α,... Act Actions (a finite set) α(o),... Ev = Act Obj Events,,... Ev Histories (finite sequences of events) ϕ,ϕ,... Po Poicies (reguar properties of histories) r,r,... Req Request abes,,... Loc Service Locations π,π,... Req Loc Pans (functions from Req to Loc) Fig. 4. Syntactic categories. permitted in fow graphs, to mode iterative computations. We assume that each graph has a singe entry node, and a singe exit node. This graphica formaism is based on λ req, a ca-by-vaue λ-cacuus enriched with oca security poicies and ca-by-contract service requests. Since our main focus is on secure composition, in the graphica mode we do not render a the features of λ req. In particuar, we negect variabes, higher-order functions, and parameter passing. However, we fee free to use these features in our exampes, because their treatment can be directy inherited from λ req. Semantics of services We formay define the behaviour of services through a graph rewriting semantics [6]. In this section, we assume that the services which initiate a computation are furnished with an arbitrary pan. In the next section, we sha discuss a static machinery that wi enabe us to construct these pans so to guarantee that computations wi never go wrong, i.e. they satisfy a the contracts and the security poicies on demand. We sha aso show some strategies to adopt when services disappear unexpectedy (Section V). The graph rewriting semantics for the case of dependent threads is spit in two parts: basic activities, events, security bocks, requests and returns are shown in Fig. 5. Instead, Fig. 10 detais the rues that invove panning and recovering strategies, i.e. panning bocks, requests to unavaiabe services, unresoved requests, services going down and up, and pubication of new services. We sha briefy discuss the case of independent threads beow in this section.
12 12 A the remaining axes in the taxonomy are covered by our semantics When irreevant, we omit the abe τ in services. Note that the actua vaues for some abes in rues REQ and RET are defined ater on in Fig. 6, since they depend on the choice made on the security aspects discussed in Section II. This gives rise to different behaviours of requests and returns according to the possibe choices in the taxonomy. The configurations of our semantics are sets (i.e. networks) of services. We mark the next activity to be performed by a running service with an overine, e.g. α(o) means that the event α(o) is about to be fired. An activity just executed is marked with an underine, e.g. α(o). We extend this notation to bocks B, i.e. B means that the entry node of B is the next activity, whie B means that the exit node of B was the ast executed one. Aso, configurations comprise dashed arrows that connect a running request with the invoked service. We now briefy discuss the graph rewritings in Fig. 5. Note that we ony depict rewriting within a context. For instance, the rewriting a a in the SKIP rue can be appied in any context, i.e. within any bock B containing a. A basic activity is just passed over (rue SKIP). The evauation of an event α(o) requires checking compiance of the new history α(o) with each poicy ϕ in Φ (denoted α(o) = Φ), if the execution monitor is on. If a the poicies are respected (rue EV), then α(o) is appended to the current history, and the execution proceeds to the next bock. Otherwise, if some poicy is vioated (rue FAIL), then the execution goes into a stuck state fai. This state modes a security exception (for simpicity, we do not mode here exception handing; extending our formaism in this direction woud require to define, among the other things, how to compensate from aborted computations, e.g. ike in Sagas [32], [20]) The rue SEQ says that, after a bock B has been evauated, the next activity is chosen among the bocks with incoming arrows from B. Note that branching is a specia case of SEQ, where the bock B is a conditiona or a switch. Entering a security bock ϕ[b] resuts in appending the poicy ϕ to the sequence of active poicies. Leaving ϕ[b] removes ϕ from the sequence. In both cases, as soon as a history is found not to respect ϕ, and the execution monitor is on, the evauation gets stuck. A request under a pan r[ ] π ooks for the service at site. If the service is avaiabe (rue REQ), then the cient estabishes a session with that service (dashed arrow),
13 13 π π π π a SKIP a B SEQ B B i B i (m, Φ) (m,φ) (m, Φ) (m, Φ) π π π π α(o) EV α(o) α(o) FAIL fai (m,φ) if m is on, α(o) = Φ α(o) (m,φ) (m, Φ) m is on, α(o) = Φ (m, Φ) π π π π ϕ[b] SECIN ϕ[b] ϕ[b] SECOUT ϕ[b] (m, Φ) (m, Φϕ) (m, Φϕ) (m, Φ) r[ ] π r[ ] π r[ ] π B REQ B, Φ in Fig. 6 (m,φ) (m, Φ) (m, Φ ) π π π B RET B in Fig. 6 (m,φ) (m, Φ ) (m, Φ) Fig. 5. Semantics of services in the case of dependent threads (Part I). and waits unti it returns. Note that the meaning of the abes and Φ is eft undefined in Fig. 5, since it depends on the choice made on the security aspects discussed in Section II. The actua vaues for the undefined abes are shown in Fig. 6. In particuar, the initia history of the invoked service is: (i) empty, if the service is stateess with oca history; (ii)
14 14 REQ Stateess service Statefu service Loca histories Goba histories Loca histories Goba histories = ε = = = Φ = ε Φ = Φ Φ = ε Φ = Φ RET = = = = Fig. 6. Histories and poicies in four cases of the taxonomy. the invoker history, if the service has a goba history; (iii) the service past history, if the service is statefu, with oca history. Returning from a request (rue RET) requires suitaby updating the history of the caer service, according to chosen axes in the taxonomy. The actua vaues for the history are defined in Fig. 6. The cases N/A, PLG IN, PLG OUT and UNRES are defined in Fig. 10, and they have many possibe choices. When no service is avaiabe for a request (e.g. because the pan is incompete, or because the panned service is down), or when you have to construct a pan for a bock, the execution may proceed according to one of the strategies discussed in Section V. A pan is viabe when it drives no stuck computations (uness some service mentioned in the pan becomes unavaiabe). Under a viabe pan, a service can aways proceed its execution without attempting to vioate some security poicy (therefore the execution monitor is unneeded), and it wi aways manage to resove each request. The static machinery described in Section IV discovers viabe pans. An exampe Consider a network composed by two services at ocations and, both statefu and sharing a goba history. The service at starts with an action α (the omitted target object is immateria in this exampe), and then issues a request r, resoved to by the provided pan. The service at performs α within a security bock ϕ[ ], where the poicy ϕ prevents α from being fired twice. A computation of the network is depicted in Fig. 7, where we assume the execution monitor is on. Note that the pan r[ ] is not viabe, because it drives a computation that fais because of an attempted security vioation, right before the second α is fired at.
15 15 r[ ] r[ ] α ϕ[α] EV α ϕ[α] SEQ ε (on, ) ε α (on, ) ε r[ ] r[ ] r[ ] α ϕ[α] REQ α ϕ[α] SECIN α (on, ) ε α (on, ) α (on, ) r[ ] r[ ] r[ ] r[ ] α ϕ[α] FAIL α fai αα = ϕ α (on, ) α (on, ϕ) α (on, ) α (on, ϕ) Fig. 7. A computation of two statefu services with goba history. Independent threads To mode independent threads, each service must keep a separate history for each thread. Equivaenty, we keep a history for each thread initiator. To this aim, instead of a singe history, services now carry a function L mapping the abe I of each initiator to its corresponding history. Moreover, we keep track of the initiator name: each service invoked on behaf of the initiator I is tagged as such. The semantics of services can now be easiy adapted, making L( I ) pay the roe of in the semantics for dependent threads. We depict in Fig. 8 the rue REQ for independent threads. The reation among,, Φ and Φ is sti the one defined by Fig. 6. Note that is used to update L( I ), ony: a other histories in L are eft unchanged. The rue RET is deat with simiary, as for the rues FAIL, PLG IN and PLG OUT. Modeing security poicies Security poicies ϕ are reguar properties of histories, and they are defined through tempate security automata A ϕ(x). A tempate security automaton gives rise to a finite state automaton
16 16 r[ ] π r[ ] π r[ ] π B REQ B = L( I) I, Φ in Fig. 6 I I L (m, Φ) L L = L{ I } L (m, Φ) L (m, Φ ) Fig. 8. Maintaining separate histories in the case of independent threads. when the parameter x is instantiated to an actua object o. These automata wi be expoited to recognize those histories obeying ϕ. Formay, a tempate security automaton A ϕ(x) is a 5-tupe (S,Q,q 0,F,E), where x is a parameter, and: S Act (Obj {x, x}) is the input aphabet, Q is a finite set of states, q 0 Q \ F is the start state, F Q is the set of fina offending states, E Q S Q is a finite set of tempate edges, written q ϑ q. The edges in a tempate security automaton can be of three kinds: either q α(o) q where o is an object, or q α(x) q, or q α( x) q (where x means different from x ). Given a object o Obj, a tempate security automaton A ϕ(x) is instantiated into a finite state automaton A ϕ(o) by binding the variabe x to o. The intuition is that q α(x) q wi resut in an actua transition q α(o) q, whie q α( x) q wi give rise to a finite set of transitions q α(o ) q, for a o Obj \ {o}. More formay, et A ϕ(x) = (S,Q,q 0,F,E) be a tempate security automaton, and et o Obj. The finite state automaton A ϕ(o) is defined by the 5-tupe (Ev,Q,q 0,F,δ), where the transition reation δ is defined as foows: δ = δ {q α(o ) q o Obj, q : q α(o ) q δ }
17 17 where the auxiiary reation δ is defined as: δ = {q α(o) q q α(x) q E } o Obj\{o} {q α(o ) q q α( x) q E } {q α(o ) q q α(o ) q E } Note that the definition for δ adds sef-oops for a the events not expicity mentioned in the tempate automaton A ϕ(x). We say that a history respects ϕ, written = ϕ, when is not in the anguage of A ϕ(o), for a o Obj. When is in the anguage of A ϕ(o) for some object o, we say that vioates ϕ, written = ϕ. Note that instantiated tempate security automata are non-deterministic. Given a history and a poicy ϕ, we want that a the traces of the instances of A ϕ(x) compy with ϕ. This is a form of diaboic (or interna) non-determinism. To account for that, we make the offending states as fina thus going into a fina state represents a vioation of the poicy, whie the other states mean compiance to the poicy. IV. CALL-BY-CONTRACT A service B is pugged into a network by pubishing it at a site, together with its interface τ. We assume that each site pubishes a singe service, and that interfaces are certified, e.g. they are inferred by the type and effect system simiar to that in [13]. Aso, we assume that services cannot invoke each other circuary, since this is quite unusua in the SOC scenario. Contracts The types τ are annotated with history expressions H that over-approximate the possibe runtime histories. Fig. 9 dispays the syntax of types and history expressions. When a service with interface τ H τ is run, it wi generate one of the histories denoted by H. Note that we overoad the symbo τ to range over both service types and request types τ ϕ τ. History expressions, defined in Fig. 9, are a sort of context-free grammars. They incude the empty history ε, events α, and H H that represents sequentiaization of code, H + H for branching, security bocks ϕ[h], recursion µh.h (µ binds the occurrences of the variabe h in H), ocaization : H, and panned seection {π 1 H 1 π k H k }.
18 18 τ,τ ::= types b base type τ H τ annotated functiona type H,H ::= history expressions ε empty h variabe α(o) event H H sequence H + H choice ϕ[h] security bock µh.h recursion : H ocaization {π 1 H 1 π k H k } panned seection Fig. 9. Service interfaces: annotated types and history expressions The semantics of a history expression is a set of histories, possiby carrying security annotations in the form ϕ[]. We denote by H the semantics of H. We now briefy describe how this semantics is constructed: see [8] for the forma treatment. The semantics of the history expression α is the set of histories {α}. The semantics of H H is the set of histories such that H and H. The semantics of H + H comprises the histories such that H H. The semantics of ϕ[h] is the set of histories ϕ[] such that H. The semantics of µh.h is the east fixed point of the operator f(h) = H {H/h}, where we denote with H ρ the semantics of a history expression H in an environment ρ, mapping variabes h to sets of histories. For instance, the semantics of µh. (γ + α h β) consists of a the histories α n γβ n, for n 0 (i.e. γ, αγβ, ααγββ,...). The construct : H ocaizes the behaviour H to the site. E.g., : α ( : α ) β denotes two histories: αβ occurring at ocation, and α occurring at. A panned seection abstracts the behaviour of service requests. Given a pan π, a panned
19 19 seection {π 1 H 1 π k H k } chooses those H i such that π incudes π i. Intuitivey, the history expression H = {r[ 1 ] H 1,r[ 2 ] H 2 } is associated with a request r that can be resoved into either 1 or 2. The histories denoted by H depend on the given pan π: if π chooses 1 (resp. 2 ) for r, then H denotes one of the histories represented by H 1 (resp. H 2 ). If π does not choose either 1 or 2, then H denotes no histories. Certifying contracts and panning Our panning and verification technique for services is inherited from that of the λ req cacuus. The interested reader can find the forma foundations of our work in [10], [8]. Here, we ony summarize the reevant resuts for our present modeing framework. A static anaysis over our diagrams infers judgements of the form H B : τ. Roughy, this means that the service with code B has type τ, and its execution histories are represented by the history expression H. This static anaysys enjoys two fundamenta resuts. Correctness. Effects correcty over-approximate service run-time histories More formay, consider a service with code B such that H B : τ. If running the service (pugged into a network) generates a history, then B ([8], Th. 1). The second property of our static anaysis is type safety. We say that an effect H is vaid under a pan π when the histories denoted by H never vioate the security poicies in H. Type safety ensures that, if (staticay) the effect of a service B is vaid under a pan π, then (dynamicay) the pan π is viabe for B. Type safety. Vaid effects drive computations that never attempt security vioations. More formay, consider a service with code B such that H B : τ. If H is vaid under π, then the execution is secure (i.e. = Φ whenever a running service carries abes and (m, Φ)), and it never reaches a fai configuration. Moreover, if π is compete (i.e. it has no unresoved choices r[?]) and the chosen services do not disappear, then the execution monitor can be safey kept off ([8], Th. 2). A further resut is that the vaidity of history expressions can be mechanicay verified.
20 20 Mode-checking. Vaidity for history expressions is mode-checkabe. The actua mode-checking agorithm for the vaidity of H returns the set of pans under which H is vaid. Determining such viabe pans is not a trivia task: indeed, resoving requests independenty might not ead to a viabe pan, as discussed in the introduction. Our modechecking technique requires severa preiminary steps. Technicay, we first inearize the history expression H to coect a the pans and the associated effects, whie preserving the semantics of H ([8], Ths. 4 and 5). The resuting history expression has the form of a singe, top-eve panned seection {π 1 H 1 π k H k }. We can then check each H i independenty. First, H i is reguarized to remove the redundant framings ϕ[ ϕ[ ] ] ([8], Th. 6). This makes possibe to construct a finite state automaton that recognizes the vaidity of histories ([8], Lemma 8). This finite state automaton is then used in the actua mode-checking of H i ([8], Th. 8). If H i mode-checks, then the associated pan π i is viabe. Summing up: Panning = Correctness + Type Safety + Mode Checking V. PLANNING AND RECOVERING STRATEGIES We now consider the probem of choosing the appropriate service for a bock of requests. Whie one might defer service seection as much as possibe, thus ony performing it when executing a request, it is usuay advantageous to decide how to resove requests in advance, i.e. to buid a pan. This is because eary panning can provide better guarantees than ate service seection. For instance, consider a bock with two consecutive requests r 1 and r 2. It might be that, if we choose to resove r 1 with a particuar service 1, ater on we wi not be abe to find safe choices for r 2. In this case we get stuck, and we must somehow escape from this deadend, possiby with some expensive compensation (e.g. canceing a reservation). Eary panning, instead, can spot this kind of probems and try to find a better way, typicay by considering aso r 2 when taking a choice for r 1. As seen in the previous section, a compete viabe pan π for a bock B guarantees that B can be securey executed without execution monitoring, and that we wi never get stuck uness a service mentioned in π becomes unavaiabe. When we cannot find a compete viabe pan, we
21 21 coud fa back to using an incompete pan with unresoved requests r[?]. In this case, we get a weaker guarantee than the one above, namey that we wi not get stuck unti an unresoved request must actuay be executed. To provide gracefu degradation in our mode, we aso consider the unfortunate case of executing a request r when either r is sti unresoved in the pan (Rue UNRES), or r is resoved with an unavaiabe service (Rue N/A, for Not Avaiabe). Notationay, unavaiabe services are represented as sashed boxes. Therefore, we wi ook for a way to continue the execution, possiby repairing the pan. Figure 10 formaizes the behaviour of services reated to panning and recovering. Rue DOWN modes an ide service becoming unavaiabe. For simpicity, we assume that services cannot become unavaiabe whie serving a request. Unavaiabe services are modeed as sashed boxes. Rue UP modes an unavaiabe service going back to the avaiabe state. Rue PUB is for service pubishing. The behavioura interface τ of a new service (with code B) must be staticay certified, written H B : τ. Note that H = ε for non-initiator services. The effect of an invoked service with type τ = τ 0 H τ 1 is the atent effect H. Rue N/A modes a request to an unavaiabe service. Recovering from this situation demands for updating the current pan, and possiby activating the execution monitor. Beow in this section we sha examine some possibe strategies for doing that. Rue UNRES handes the case of unresoved requests. These are deat with simiary to the rue N/A. Rue PLN IN describes which actions have to be taken when entering a panning bock {B}. Before start the execution of B, we need to devise a pan for resoving the service requests in B. Again, severa strategies are appicabe, as discussed beow. Rue PLN OUT simpy exits from a panning bock. This operation affects neither the pan nor the execution monitor. We now discuss some strategies for constructing or repairing a pan. As a matter of fact, no strategy is aways better than the others, since each of them has advantages and disadvantages, as we wi point out. The choice of a given strategy depends on many factors, some of which ie outside of our forma mode (e.g. avaiabiity of services, cost of dynamic checking, etc.). We devise four main casses of strategies:
22 22 B DOWN B B UP B : τ r[?] π π H B : τ fresh PUB ε B (m, Φ) UNRES π, m, Φ in Fig. 11 (m, Φ ) r[ ] π π N/A π, m, Φ (m,φ) in Fig. 11 (m, Φ ) π π π π {B} PLNIN {B} {B} PLNOUT {B} π, m, Φ (m,φ) in Fig. 12 (m, Φ ) (m,φ) (m, Φ) Fig. 10. Semantics of services in the case of dependent threads (Part II). Greyfriars Bobby. 1 Foow oyay a former pan. If a service becomes unavaiabe, just wait unti it comes back again. This strategy is aways safe, athough it might obviousy bock the execution for an arbitrariy ong time possiby forever. Patch. Try to reuse as much as possibe the current pan. Repace the unavaiabe services with avaiabe ones, possiby newy discovered. The new services must be verified for compatibiity with the rest of the pan. 1 In 1858, a man named John Gray was buried in od Greyfriars Churchyard in Edinburgh. The famous Skye Terrier, Greyfriars Bobby was so faithfu to his master that for fourteen years, unti his own death, Bobby ay on the grave ony eaving for food.
23 23 Sandbox. Try to proceed with the execution monitor turned on. The new pan ony respects a weak form of compatibiity on types ignoring the effect H, but it does not guarantee that contracts and security poicies are aways respected. Turning on the execution monitor ensures that there wi not be security vioations, but execution might get stuck ater on, because of attempted insecure actions. Repan. Try to reconstruct the whoe pan, possiby expoiting newy discovered services. If a viabe pan is found, then you may proceed running with the execution monitor turned off. A compete pan guarantees that contracts and security poicies wi be aways respected, provided than none of the services mentioned in the pan disappear. In Fig. 11, we describe the effects of these strategies in the context of the N/A and UNRES rues. There, we aso make precise the recovered pan π and the (m, Φ ) appearing in the rue. For the Greyfiars Bobby strategy, we patienty wait for the service to reappear; on timeout, we wi try another strategy. The Patch strategy mends the current pan with a oca fix. Note that the Patch strategy is not aways safe: in the genera case, it is impossibe to change just the way to resove the faiing request r and have a new safe pan. We sha return on this issue ater on. However, as the figure shows, in some cases this is indeed possibe, provided that the pan with the new choice for r is checked for vaidity. The Repan strategy is safe when a suitabe pan is found, but it coud invove staticay re-anaysing a arge portion of the system. When a ese fais, it is possibe to run a service under a Sandbox, hoping that we wi not get stuck. From now onwards, we use the foowing abbreviations for the various aternatives described in Section II: stateess (1) / statefu (ω), oca (L) / goba (G), first order (F) / higher-order (H), dependent (D) / independent (I). For instance, the case IFL1 in the figure is the one about independent threads, first order requests, oca histories, and stateess services. In Fig. 12 we ist the strategies for the rue PLN IN, describing how to buid a pan for a bock B. Note that, when we construct a new pan π we aready have a pan π π B, where π B ony pans the requests inside B. We can then reuse the avaiabe information in π and π B to buid π. The former pan π π B can be non-empty when using nested panning bocks, so reusing parts from it is indeed possibe. Since we can reuse the od pan, the strategies are exacty the same of those for the N/A case. The Greyfriars Bobby strategy waits for a the services mentioned in the od pan to be avaiabe at panning time. This is because it might be wise not to start the bock, if we know
24 24 STRATEGY STATE UPDATE CASE CONDITION Greyfriars Bobby Patch Sandbox Repan π Φ π r[ i ] Φ π r[ i ] (on, Φϕ) π (off, Φϕ) a The current pan π has a choice for r IFL1 ϕ[h i ] is vaid IFLω ϕ[h i ] is vaid, and i π IFG1 ϕ[h i ] is vaid DFL1 ϕ[h i ] is vaid a The service i has type τ τ a The new pan π has a choice for r Fig. 11. Faiure handing strategies for a request ϕ τ. that we wi ikey get stuck ater. Instead, if some services keep on being unavaiabe, we shoud rather consider the other strategies. As for the N/A rue, the Patch strategy is not aways safe, but we can sti give some conditions that guarantee the safety of the pan update, which is oca to the bock B. The Repan strategy, instead, can change the whoe pan, even for the requests outside B. If possibe, we shoud aways find a compete pan. When this is not the case, we might proceed with some unresoved requests r[?], deferring them to the N/A rue. As a ast resort, when no viabe pan can be found, or when we deem Repan to be too expensive, we can adopt the Sandbox strategy that turns on the execution monitor. We now show a situation where the Patch strategy is not safe. We consider the case IFLω case (independent threads, first order requests, oca histories, statefu services). The initiator service, in the midde of Fig. 13, performs two requests r 1 and r 2 in sequence. The two requests have the same contract, and thus they can be resoved with the statefu services 1 and 2. The service at 2 performs an event α, within a security bock ϕ. If ϕ aows a singe occurrence of α, we shoud be carefu and invoke the (statefu) service 2 at most once. The current pan π = r 1 [ 1 ] r 2 [ 2 ] is safe, since it invokes 2 exacty once.
25 25 STRATEGY STATE UPDATE CASE CONDITION Greyfriars Bobby π π B Φ a The pan π B has a choice for a r i IFL1 ϕ[h i ] is vaid, for a i Patch π r i [ i ] Φ IFLω IFG1 ϕ i [H i ] are vaid, i are distinct, and a i π i ϕ i [H i ] are vaid, for a i DFL1 ϕ i [H i ] are vaid, for a i Sandbox π r i [ i ] (on, Φϕ) a The services i have type τ i τ i H vaid under π, where Repan π (off, Φϕ) a is the current history, and H approximates the future behaviour (may need to refine the anaysis) Fig. 12. ϕ Panning strategies for a bock B invoving requests req ri τ i i τ i 1 : τ : τ r 1[ 1] r 2[ 2] 2 : τ req r1 τ req r2 τ ϕ[α] 1 (m 1, Φ 1) (m, Φ) 2 (m 2, Φ 2) Fig. 13. An unsafe use of the Patch strategy. Now, consider what happens if the service 1 becomes unavaiabe. The N/A rue is triggered: if we appy Patch and repace the current pan with r 1 [ 2 ] r 2 [ 2 ], then this patched pan is not viabe. Indeed, the new pan invokes 2 twice, so vioating ϕ. The safety condition in Fig. 11 is fase, because 2 π: therefore, this dangerous patch is correcty avoided.
26 r[ 1] r [ 2] >< >: req r τ 9 >= >; 2 ϕ 6 4 act α β ϕ[α] PLNIN 8 >< >: req r τ 9 >= >; 2 ϕ 6 4 act α β ϕ[α] REQ ε (off, ) ε ε ε (off, ) ε ε 0 r[ 1] r [ 2] 1 r[ 1] r [ 2] 2 0 r[ 1] r [ 2] 1 r[ 1] r [ 2] 2 8 >< >: req r τ 9 >= >; 2 ϕ6 4 act α β ϕ[α] SECIN SKIP SEQ EV SECOUT 8 >< >: req r τ 9 >= >; 2 ϕ6 4 act α β ϕ[α] RET DOWN ε (off, ) ε (off, ) ε ε (off, ) α (off, ) ε 0 r[ 1] r [ 2] r[ 1] r [ 1] >< >: req r τ 9 >= >; 2 ϕ 6 4 act α β ϕ[α] N/A 8 >< >: req r τ 9 >= >; 2 ϕ 6 4 act α β ϕ[α] ε (off, ) α ε ε (on, ) α ε Fig. 14. Semantics Exampe An exampe We show in Fig. 14 a short exampe iustrating our service semantics, in the case of statefu oca histories (ILFω). The network is composed of three services: an initiator (abeed 0 ) and two other services ( 1 and 2 ). The initiator performs two requests using the same contract τ; in this exampe we simpy assume that both services 1 and 2 are compatibe with τ. The service 1, when invoked, runs some activity act and then may perform either the event α or the event β. Instead, 2 may perform α, ony. Both services run their code under a oca poicy ϕ, stating that the event α can be performed at most once, in the whoe ife of each service. In the initia state, a the histories are empty (ε), the initiator has not yet computed a pan (0), and the execution monitor is not active (off ).
27 27 We now comment on the transitions. For brevity, in Fig. 14 we sometimes compacted more steps in a singe one, as we sha point out shorty. First, rue PLNIN is used to form a pan, resoving both requests r and r. There are four possibe pans, since each of the requests can be resoved with either 1 or 2. Invoking 2 twice wi surey vioate the poicy ϕ. Service 1 coud aso invaidate the poicy ϕ if the α branch is taken in both invocations: our static machinery, to err on the safe side, assumes this worst-case situation and consider invoking 1 twice as unsafe. So, the ony viabe pans are r[ 1 ] r [ 2 ] and r[ 2 ] r [ 1 ]. In the figure we choose the first pan. In the second transition we simpy use rue REQ and invoke 1. Then many transition rues are appied: we enter the security bock with rue SECIN; we run act with rue SKIP; we choose the α branch with rue SEQ; we run α with rue EV; we finay exit the security bock with rue SECOUT. The event α is therefore recorded in the history of 1. Finay, we can return to 0 using rue RET. Here, we show what happens if service 2 becomes unavaiabe through rue DOWN. To run request r we can not use rue REQ, but instead we can appy rue N/A and try to recovery from the faiure of 2. We then appy the Sandbox strategy. We turn on the execution monitor, and fix the pan so that r resoves to some avaiabe service compatibe with τ: in the exampe, 1. Doing this, we sha run again service 1. If the service wi attempt to perform another α, this wi be prevented by the execution monitor. If instead 1 wi choose the β branch, it wi compete successfuy. VI. SCENARIOS FOR SECURE SERVICE COMPOSITIONS To iustrate some of the features and design faciities made avaiabe by our framework, we consider two sma case studies. First, we consider a car repair scenario, where a car may break and then request assistance from a tow-truck and a garage. The second scenario is about an embedded computationa device that wants to deegate execution of mobie code. A. Car repair In this scenario, we assume a car equipped with a diagnostic system that continuousy reports on the status of the vehice. When the car experiences some major faiure (e.g. engine overheating, exhausted battery, fat tyres) the in-car emergency service is invoked to seect the appropriate tow-truck and garage services. The seection may take into account some driver custom poicies,
Chapter 3: JavaScript in Action Page 1 of 10. How to practice reading and writing JavaScript on a Web page
Chapter 3: JavaScript in Action Page 1 of 10 Chapter 3: JavaScript in Action In this chapter, you get your first opportunity to write JavaScript! This chapter introduces you to JavaScript propery. In addition,
More informationTeamwork. Abstract. 2.1 Overview
2 Teamwork Abstract This chapter presents one of the basic eements of software projects teamwork. It addresses how to buid teams in a way that promotes team members accountabiity and responsibiity, and
More informationAdvanced ColdFusion 4.0 Application Development - 3 - Server Clustering Using Bright Tiger
Advanced CodFusion 4.0 Appication Deveopment - CH 3 - Server Custering Using Bri.. Page 1 of 7 [Figures are not incuded in this sampe chapter] Advanced CodFusion 4.0 Appication Deveopment - 3 - Server
More information3.3 SOFTWARE RISK MANAGEMENT (SRM)
93 3.3 SOFTWARE RISK MANAGEMENT (SRM) Fig. 3.2 SRM is a process buit in five steps. The steps are: Identify Anayse Pan Track Resove The process is continuous in nature and handed dynamicay throughout ifecyce
More informationChapter 3: e-business Integration Patterns
Chapter 3: e-business Integration Patterns Page 1 of 9 Chapter 3: e-business Integration Patterns "Consistency is the ast refuge of the unimaginative." Oscar Wide In This Chapter What Are Integration Patterns?
More informationArt of Java Web Development By Neal Ford 624 pages US$44.95 Manning Publications, 2004 ISBN: 1-932394-06-0
IEEE DISTRIBUTED SYSTEMS ONLINE 1541-4922 2005 Pubished by the IEEE Computer Society Vo. 6, No. 5; May 2005 Editor: Marcin Paprzycki, http://www.cs.okstate.edu/%7emarcin/ Book Reviews: Java Toos and Frameworks
More informationAustralian Bureau of Statistics Management of Business Providers
Purpose Austraian Bureau of Statistics Management of Business Providers 1 The principa objective of the Austraian Bureau of Statistics (ABS) in respect of business providers is to impose the owest oad
More informationIntroduction to XSL. Max Froumentin - W3C
Introduction to XSL Max Froumentin - W3C Introduction to XSL XML Documents Stying XML Documents XSL Exampe I: Hamet Exampe II: Mixed Writing Modes Exampe III: database Other Exampes How do they do that?
More informationChapter 2 Traditional Software Development
Chapter 2 Traditiona Software Deveopment 2.1 History of Project Management Large projects from the past must aready have had some sort of project management, such the Pyramid of Giza or Pyramid of Cheops,
More informationNetwork/Communicational Vulnerability
Automated teer machines (ATMs) are a part of most of our ives. The major appea of these machines is convenience The ATM environment is changing and that change has serious ramifications for the security
More informationSABRe B2.1: Design & Development. Supplier Briefing Pack.
SABRe B2.1: Design & Deveopment. Suppier Briefing Pack. 2013 Ros-Royce pc The information in this document is the property of Ros-Royce pc and may not be copied or communicated to a third party, or used
More informationWith the arrival of Java 2 Micro Edition (J2ME) and its industry
Knowedge-based Autonomous Agents for Pervasive Computing Using AgentLight Fernando L. Koch and John-Jues C. Meyer Utrecht University Project AgentLight is a mutiagent system-buiding framework targeting
More informationSNMP Reference Guide for Avaya Communication Manager
SNMP Reference Guide for Avaya Communication Manager 03-602013 Issue 1.0 Feburary 2007 2006 Avaya Inc. A Rights Reserved. Notice Whie reasonabe efforts were made to ensure that the information in this
More informationHybrid Process Algebra
Hybrid Process Agebra P.J.L. Cuijpers M.A. Reniers Eindhoven University of Technoogy (TU/e) Den Doech 2 5600 MB Eindhoven, The Netherands Abstract We deveop an agebraic theory, caed hybrid process agebra
More informationBusiness schools are the academic setting where. The current crisis has highlighted the need to redefine the role of senior managers in organizations.
c r o s os r oi a d s REDISCOVERING THE ROLE OF BUSINESS SCHOOLS The current crisis has highighted the need to redefine the roe of senior managers in organizations. JORDI CANALS Professor and Dean, IESE
More informationIntroduction the pressure for efficiency the Estates opportunity
Heathy Savings? A study of the proportion of NHS Trusts with an in-house Buidings Repair and Maintenance workforce, and a discussion of eary experiences of Suppies efficiency initiatives Management Summary
More informationQualifications, professional development and probation
UCU Continuing Professiona Deveopment Quaifications, professiona deveopment and probation Initia training and further education teaching quaifications Since September 2007 a newy appointed FE ecturers,
More informationPay-on-delivery investing
Pay-on-deivery investing EVOLVE INVESTment range 1 EVOLVE INVESTMENT RANGE EVOLVE INVESTMENT RANGE 2 Picture a word where you ony pay a company once they have deivered Imagine striking oi first, before
More informationLearning from evaluations Processes and instruments used by GIZ as a learning organisation and their contribution to interorganisational learning
Monitoring and Evauation Unit Learning from evauations Processes and instruments used by GIZ as a earning organisation and their contribution to interorganisationa earning Contents 1.3Learning from evauations
More informationA New Statistical Approach to Network Anomaly Detection
A New Statistica Approach to Network Anomay Detection Christian Caegari, Sandrine Vaton 2, and Michee Pagano Dept of Information Engineering, University of Pisa, ITALY E-mai: {christiancaegari,mpagano}@ietunipiit
More informationNormalization of Database Tables. Functional Dependency. Examples of Functional Dependencies: So Now what is Normalization? Transitive Dependencies
ISM 602 Dr. Hamid Nemati Objectives The idea Dependencies Attributes and Design Understand concepts normaization (Higher-Leve Norma Forms) Learn how to normaize tabes Understand normaization and database
More informationBite-Size Steps to ITIL Success
7 Bite-Size Steps to ITIL Success Pus making a Business Case for ITIL! Do you want to impement ITIL but don t know where to start? 7 Bite-Size Steps to ITIL Success can hep you to decide whether ITIL can
More informationFast Robust Hashing. ) [7] will be re-mapped (and therefore discarded), due to the load-balancing property of hashing.
Fast Robust Hashing Manue Urueña, David Larrabeiti and Pabo Serrano Universidad Caros III de Madrid E-89 Leganés (Madrid), Spain Emai: {muruenya,darra,pabo}@it.uc3m.es Abstract As statefu fow-aware services
More informationInternal Control. Guidance for Directors on the Combined Code
Interna Contro Guidance for Directors on the Combined Code ISBN 1 84152 010 1 Pubished by The Institute of Chartered Accountants in Engand & Waes Chartered Accountants Ha PO Box 433 Moorgate Pace London
More informationAPIS Software Training /Consulting
APIS Software Training /Consuting IQ-Software Services APIS Informationstechnoogien GmbH The information contained in this document is subject to change without prior notice. It does not represent any
More informationSecure Network Coding with a Cost Criterion
Secure Network Coding with a Cost Criterion Jianong Tan, Murie Médard Laboratory for Information and Decision Systems Massachusetts Institute of Technoogy Cambridge, MA 0239, USA E-mai: {jianong, medard}@mit.edu
More informationINDUSTRIAL PROCESSING SITES COMPLIANCE WITH THE NEW REGULATORY REFORM (FIRE SAFETY) ORDER 2005
INDUSTRIAL PROCESSING SITES COMPLIANCE WITH THE NEW REGULATORY REFORM (FIRE SAFETY) ORDER 2005 Steven J Manchester BRE Fire and Security E-mai: manchesters@bre.co.uk The aim of this paper is to inform
More informationSELECTING THE SUITABLE ERP SYSTEM: A FUZZY AHP APPROACH. Ufuk Cebeci
SELECTING THE SUITABLE ERP SYSTEM: A FUZZY AHP APPROACH Ufuk Cebeci Department of Industria Engineering, Istanbu Technica University, Macka, Istanbu, Turkey - ufuk_cebeci@yahoo.com Abstract An Enterprise
More informationEarly access to FAS payments for members in poor health
Financia Assistance Scheme Eary access to FAS payments for members in poor heath Pension Protection Fund Protecting Peope s Futures The Financia Assistance Scheme is administered by the Pension Protection
More informationPREFACE. Comptroller General of the United States. Page i
- I PREFACE T he (+nera Accounting Office (GAO) has ong beieved that the federa government urgenty needs to improve the financia information on which it bases many important decisions. To run our compex
More informationCONTRIBUTION OF INTERNAL AUDITING IN THE VALUE OF A NURSING UNIT WITHIN THREE YEARS
Dehi Business Review X Vo. 4, No. 2, Juy - December 2003 CONTRIBUTION OF INTERNAL AUDITING IN THE VALUE OF A NURSING UNIT WITHIN THREE YEARS John N.. Var arvatsouakis atsouakis DURING the present time,
More informationHuman Capital & Human Resources Certificate Programs
MANAGEMENT CONCEPTS Human Capita & Human Resources Certificate Programs Programs to deveop functiona and strategic skis in: Human Capita // Human Resources ENROLL TODAY! Contract Hoder Contract GS-02F-0010J
More informationSetting Up Your Internet Connection
4 CONNECTING TO CHANCES ARE, you aready have Internet access and are using the Web or sending emai. If you downoaded your instaation fies or instaed esigna from the web, you can be sure that you re set
More informationVendor Performance Measurement Using Fuzzy Logic Controller
The Journa of Mathematics and Computer Science Avaiabe onine at http://www.tjmcs.com The Journa of Mathematics and Computer Science Vo.2 No.2 (2011) 311-318 Performance Measurement Using Fuzzy Logic Controer
More informationWHITE PAPER BEsT PRAcTIcEs: PusHIng ExcEl BEyond ITs limits WITH InfoRmATIon optimization
Best Practices: Pushing Exce Beyond Its Limits with Information Optimization WHITE Best Practices: Pushing Exce Beyond Its Limits with Information Optimization Executive Overview Microsoft Exce is the
More informationLet s get usable! Usability studies for indexes. Susan C. Olason. Study plan
Let s get usabe! Usabiity studies for indexes Susan C. Oason The artice discusses a series of usabiity studies on indexes from a systems engineering and human factors perspective. The purpose of these
More informationApplication and Desktop Virtualization
Appication and Desktop Virtuaization Content 1) Why Appication and Desktop Virtuaization 2) Some terms reated to vapp and vdesktop 3) Appication and Desktop Deivery 4) Appication Virtuaization 5)- Type
More informationIntegrating Risk into your Plant Lifecycle A next generation software architecture for risk based
Integrating Risk into your Pant Lifecyce A next generation software architecture for risk based operations Dr Nic Cavanagh 1, Dr Jeremy Linn 2 and Coin Hickey 3 1 Head of Safeti Product Management, DNV
More informationOracle Project Financial Planning. User's Guide Release 11.1.2.2
Orace Project Financia Panning User's Guide Reease 11.1.2.2 Project Financia Panning User's Guide, 11.1.2.2 Copyright 2012, Orace and/or its affiiates. A rights reserved. Authors: EPM Information Deveopment
More informationBusiness Banking. A guide for franchises
Business Banking A guide for franchises Hep with your franchise business, right on your doorstep A true understanding of the needs of your business: that s what makes RBS the right choice for financia
More informationNCH Software FlexiServer
NCH Software FexiServer This user guide has been created for use with FexiServer Version 1.xx NCH Software Technica Support If you have difficuties using FexiServer pease read the appicabe topic before
More informationSPOTLIGHT. A year of transformation
WINTER ISSUE 2014 2015 SPOTLIGHT Wecome to the winter issue of Oasis Spotight. These newsetters are designed to keep you upto-date with news about the Oasis community. This quartery issue features an artice
More informationLADDER SAFETY Table of Contents
Tabe of Contents SECTION 1. TRAINING PROGRAM INTRODUCTION..................3 Training Objectives...........................................3 Rationae for Training.........................................3
More informationDesign Considerations
Chapter 2: Basic Virtua Private Network Depoyment Page 1 of 12 Chapter 2: Basic Virtua Private Network Depoyment Before discussing the features of Windows 2000 tunneing technoogy, it is important to estabish
More informationDECEMBER 2008. Good practice contract management framework
DECEMBER 2008 Good practice contract management framework The Nationa Audit Office scrutinises pubic spending on behaf of Pariament. The Comptroer and Auditor Genera, Tim Burr, is an Officer of the House
More informationBest Practices for Push & Pull Using Oracle Inventory Stock Locators. Introduction to Master Data and Master Data Management (MDM): Part 1
SPECIAL CONFERENCE ISSUE THE OFFICIAL PUBLICATION OF THE Orace Appications USERS GROUP spring 2012 Introduction to Master Data and Master Data Management (MDM): Part 1 Utiizing Orace Upgrade Advisor for
More informationDistributed Strategic Interleaving with Load Balancing
Distributed Strategic Intereaving with Load Baancing J.A. Bergstra 1,2 and C.A. Middeburg 1,3 1 Programming Research Group, University of Amsterdam, P.O. Box 41882, 1009 DB Amsterdam, the Netherands 2
More informationAccreditation: Supporting the Delivery of Health and Social Care
Accreditation: Supporting the Deivery of Heath and Socia Care PHARMACY E F P T O L P E D P E C M F D T G L E F R Accreditation: Supporting the Deivery of Heath and Socia Care June 9, 2015 marks Word Accreditation
More informationEnhanced continuous, real-time detection, alarming and analysis of partial discharge events
DMS PDMG-RH DMS PDMG-RH Partia discharge monitor for GIS Partia discharge monitor for GIS Enhanced continuous, rea-time detection, aarming and anaysis of partia discharge events Unrivaed PDM feature set
More informationSTRATEGIC PLAN 2012-2016
STRATEGIC PLAN 2012-2016 CIT Bishopstown CIT Cork Schoo of Music CIT Crawford Coege of Art & Design Nationa Maritime Coege of Ireand Our Institute STRATEGIC PLAN 2012-2016 Cork Institute of Technoogy (CIT)
More informationThe BBC s management of its Digital Media Initiative
The BBC s management of its Digita Media Initiative Report by the Comptroer and Auditor Genera presented to the BBC Trust s Finance and Compiance Committee, 13 January 2011 Department for Cuture, Media
More informationprofessional indemnity insurance proposal form
professiona indemnity insurance proposa form Important Facts Reating To This Proposa Form You shoud read the foowing advice before proceeding to compete this proposa form. Duty of Discosure Before you
More informationINDUSTRIAL AND COMMERCIAL
Finance TM NEW YORK CITY DEPARTMENT OF FINANCE TAX & PARKING PROGRAM OPERATIONS DIVISION INDUSTRIAL AND COMMERCIAL ABATEMENT PROGRAM PRELIMINARY APPLICATION AND INSTRUCTIONS Mai to: NYC Department of Finance,
More informationA Description of the California Partnership for Long-Term Care Prepared by the California Department of Health Care Services
2012 Before You Buy A Description of the Caifornia Partnership for Long-Term Care Prepared by the Caifornia Department of Heath Care Services Page 1 of 13 Ony ong-term care insurance poicies bearing any
More informationA Supplier Evaluation System for Automotive Industry According To Iso/Ts 16949 Requirements
A Suppier Evauation System for Automotive Industry According To Iso/Ts 16949 Requirements DILEK PINAR ÖZTOP 1, ASLI AKSOY 2,*, NURSEL ÖZTÜRK 2 1 HONDA TR Purchasing Department, 41480, Çayırova - Gebze,
More informationDriving Accountability Through Disciplined Planning with Hyperion Planning and Essbase
THE OFFICIAL PUBLICATION OF THE Orace Appications USERS GROUP summer 2012 Driving Accountabiity Through Discipined Panning with Hyperion Panning and Essbase Introduction to Master Data and Master Data
More informationOverview of Health and Safety in China
Overview of Heath and Safety in China Hongyuan Wei 1, Leping Dang 1, and Mark Hoye 2 1 Schoo of Chemica Engineering, Tianjin University, Tianjin 300072, P R China, E-mai: david.wei@tju.edu.cn 2 AstraZeneca
More informationMARKETING INFORMATION SYSTEM (MIS)
LESSON 4 MARKETING INFORMATION SYSTEM (MIS) CONTENTS 4.0 Aims and Objectives 4.1 Introduction 4.2 MIS 4.2.1 Database 4.2.2 Interna Records 4.2.3 Externa Sources 4.3 Computer Networks and Internet 4.4 Data
More informationDesign and Analysis of a Hidden Peer-to-peer Backup Market
Design and Anaysis of a Hidden Peer-to-peer Backup Market Sven Seuken, Denis Chares, Max Chickering, Mary Czerwinski Kama Jain, David C. Parkes, Sidd Puri, and Desney Tan December, 2015 Abstract We present
More informationCERTIFICATE COURSE ON CLIMATE CHANGE AND SUSTAINABILITY. Course Offered By: Indian Environmental Society
CERTIFICATE COURSE ON CLIMATE CHANGE AND SUSTAINABILITY Course Offered By: Indian Environmenta Society INTRODUCTION The Indian Environmenta Society (IES) a dynamic and fexibe organization with a goba vision
More informationThe guaranteed selection. For certainty in uncertain times
The guaranteed seection For certainty in uncertain times Making the right investment choice If you can t afford to take a ot of risk with your money it can be hard to find the right investment, especiay
More informationL I C E N S I N G G U I D E
O R A C L E H Y P E R I O N E N T E R P R I S E P E R F O R M A N C E M A N A G E M E N T S Y S T E M L I C E N S I N G G U I D E EPM System Licensing Guide Copyright 2009, Orace and/or its affiiates.
More informationASSET MANAGEMENT OUR APPROACH
ASSET MANAGEMENT OUR APPROACH CONTENTS FOREWORD 3 INTRODUCTION 4 ASSET MANAGEMENT? 6 THE NEED FOR CHANGE 6 KEY PRINCIPLES 7 APPENDIX 1 19 GLOSSARY 20 2 FOREWORD Few things affect our customers ives as
More informationThe eg Suite Enabing Rea-Time Monitoring and Proactive Infrastructure Triage White Paper Restricted Rights Legend The information contained in this document is confidentia and subject to change without
More informationThe Comparison and Selection of Programming Languages for High Energy Physics Applications
The Comparison and Seection of Programming Languages for High Energy Physics Appications TN-91-6 June 1991 (TN) Bebo White Stanford Linear Acceerator Center P.O. Box 4349, Bin 97 Stanford, Caifornia 94309
More informationKey Features of Life Insurance
Key Features of Life Insurance Life Insurance Key Features The Financia Conduct Authority is a financia services reguator. It requires us, Aviva, to give you this important information to hep you to decide
More informationFixed income managers: evolution or revolution
Fixed income managers: evoution or revoution Traditiona approaches to managing fixed interest funds rey on benchmarks that may not represent optima risk and return outcomes. New techniques based on separate
More informationTeach yourself Android application development - Part I: Creating Android products
Teach yoursef Android appication deveopment - Part I: Creating Android products Page 1 of 7 Part of the EE Times Network A Artices Products Course TechPaper Webinars Login Register Wecome, Guest HOME DESIGN
More informationIT Governance Principles & Key Metrics
IT Governance Principes & Key Metrics Smawood Maike & Associates, Inc. 9393 W. 110th Street 51 Corporate Woods, Suite 500 Overand Park, KS 66210 Office: 913-451-6790 Good governance processes that moves
More informationOlder people s assets: using housing equity to pay for health and aged care
Key words: aged care; retirement savings; reverse mortgage; financia innovation; financia panning Oder peope s assets: using housing equity to pay for heath and aged care The research agenda on the ageing
More informationNiagara Catholic. District School Board. High Performance. Support Program. Academic
Niagara Cathoic District Schoo Board High Performance Academic Support Program The Niagara Cathoic District Schoo Board, through the charisms of faith, socia justice, support and eadership, nurtures an
More informationVital Steps. A cooperative feasibility study guide. U.S. Department of Agriculture Rural Business-Cooperative Service Service Report 58
Vita Steps A cooperative feasibiity study guide U.S. Department of Agricuture Rura Business-Cooperative Service Service Report 58 Abstract This guide provides rura residents with information about cooperative
More informationLeadership & Management Certificate Programs
MANAGEMENT CONCEPTS Leadership & Management Certificate Programs Programs to deveop expertise in: Anaytics // Leadership // Professiona Skis // Supervision ENROLL TODAY! Contract oder Contract GS-02F-0010J
More informationCorporate Governance f o r M a i n M a r k e t a n d a i M C o M p a n i e s
Corporate Governance f o r M a i n M a r k e t a n d a i M C o M p a n i e s 23. Corporate governance towards best-practice corporate reporting John Patterson, PricewaterhouseCoopers LLP Reporting is
More informationChapter 2 Developing a Sustainable Supply Chain Strategy
Chapter 2 Deveoping a Sustainabe Suppy Chain Strategy Bakan Cetinkaya Learning Goas. By reading this chapter you wi: Know the basics of competitive strategy and suppy chain strategy and understand their
More informationThe Productive Therapist and The Productive Clinic Peter R. Kovacek, MSA, PT
The Productive Therapist and The Productive Cinic Peter R. Kovacek, MSA, PT Format Interactive Discussions among equa peers Constructive argument Reaity Oriented Mutua Accountabiity Expectation Panning
More informationWe are XMA and Viglen.
alearn with Microsoft 16pp 21.07_Layout 1 22/12/2014 10:49 Page 1 FRONT COVER alearn with Microsoft We are XMA and Vigen. Ca us now on 0115 846 4900 Visit www.xma.co.uk/aearn Emai alearn@xma.co.uk Foow
More informationCI/SfB Ro8. (Aq) September 2012. The new advanced toughened glass. Pilkington Pyroclear Fire-resistant Glass
CI/SfB Ro8 (Aq) September 2012 The new advanced toughened gass Pikington Pyrocear Fire-resistant Gass Pikington Pyrocear, fire-resistant screens in the façade: a typica containment appication for integrity
More informationInfrastructure for Business
Infrastructure for Business The IoD Member Broadband Survey Infrastructure for Business 2013 #5 The IoD Member Broadband Survey The IoD Member Broadband Survey Written by: Corin Tayor, Senior Economic
More informationMICROSOFT DYNAMICS CRM
biztech TM MICROSOFT DYNAMICS CRM Experienced professionas, proven toos and methodoogies, tempates, acceerators and vertica specific soutions maximizing the vaue of your Customer Reationships Competency
More informationThe Web Insider... The Best Tool for Building a Web Site *
The Web Insider... The Best Too for Buiding a Web Site * Anna Bee Leiserson ** Ms. Leiserson describes the types of Web-authoring systems that are avaiabe for buiding a site and then discusses the various
More informationThe IBM System/38. 8.1 Introduction
8 The IBM System/38 8.1 Introduction IBM s capabiity-based System38 [Berstis 80a, Houdek 81, IBM Sa, IBM 82b], announced in 1978 and deivered in 1980, is an outgrowth of work that began in the ate sixties
More informationPrecise assessment of partial discharge in underground MV/HV power cables and terminations
QCM-C-PD-Survey Service Partia discharge monitoring for underground power cabes Precise assessment of partia discharge in underground MV/HV power cabes and terminations Highy accurate periodic PD survey
More informationA Latent Variable Pairwise Classification Model of a Clustering Ensemble
A atent Variabe Pairwise Cassification Mode of a Custering Ensembe Vadimir Berikov Soboev Institute of mathematics, Novosibirsk State University, Russia berikov@math.nsc.ru http://www.math.nsc.ru Abstract.
More informationAPPENDIX 10.1: SUBSTANTIVE AUDIT PROGRAMME FOR PRODUCTION WAGES: TROSTON PLC
Appendix 10.1: substantive audit programme for production wages: Troston pc 389 APPENDIX 10.1: SUBSTANTIVE AUDIT PROGRAMME FOR PRODUCTION WAGES: TROSTON PLC The detaied audit programme production wages
More informationWINMAG Graphics Management System
SECTION 10: page 1 Section 10: by Honeywe WINMAG Graphics Management System Contents What is WINMAG? WINMAG Text and Graphics WINMAG Text Ony Scenarios Fire/Emergency Management of Fauts & Disabement Historic
More informationChapter 3: Authentication and Resource Protection in Windows 2000
Chapter 3: Authentication and Resource Protection in Windows 2000 Page 1 of 23 Chapter 3: Authentication and Resource Protection in Windows 2000 Because this is a user administration book, not a security
More informationOutsourcing of Information Technology Services Application Sofmare System Development. Contract Guidelines technical asnects
Outsourcing of Information Technoogy Services Appication Sofmare System Deveopment Contract Guideines technica asnects United Nations Educationa, Scientific and Cutura Organization Pubished in 1998 by
More informationMeasuring operational risk in financial institutions
Measuring operationa risk in financia institutions Operationa risk is now seen as a major risk for financia institutions. This paper considers the various methods avaiabe to measure operationa risk, and
More informationLexmark ESF Applications Guide
Lexmark ESF Appications Guide Hep your customers bring out the fu potentia of their Lexmark soutions-enabed singe-function and mutifunction printers Lexmark Appications have been designed to hep businesses
More informationLicensed to: CengageBrain User
Licensed to: Licensed to: This is an eectronic version of the print textbook. Due to eectronic rights restrictions, some third party content may be suppressed. Editoria review has deemed that any suppressed
More informationLogics preserving degrees of truth from varieties of residuated lattices
Corrigendum Logics preserving degrees of truth from varieties of residuated attices FÉLIX BOU and FRANCESC ESTEVA, Artificia Inteigence Research Institute IIIA - CSIC), Beaterra, Spain. E-mai: fbou@iiia.csic.es;
More informationHow to Cut Health Care Costs
How to Cut Heath Care Costs INSIDE: TEN TIPS FOR MEDICARE BENEFICIARIES What is one of the biggest financia surprises in retirement? Heath care costs. It s a growing concern among many Medicare beneficiaries,
More informationLife Contingencies Study Note for CAS Exam S. Tom Struppeck
Life Contingencies Study Note for CAS Eam S Tom Struppeck (Revised 9/19/2015) Introduction Life contingencies is a term used to describe surviva modes for human ives and resuting cash fows that start or
More informationMarket Design & Analysis for a P2P Backup System
Market Design & Anaysis for a P2P Backup System Sven Seuken Schoo of Engineering & Appied Sciences Harvard University, Cambridge, MA seuken@eecs.harvard.edu Denis Chares, Max Chickering, Sidd Puri Microsoft
More informationAvaya Remote Feature Activation (RFA) User Guide
Avaya Remote Feature Activation (RFA) User Guide 03-300149 Issue 5.0 September 2007 2007 Avaya Inc. A Rights Reserved. Notice Whie reasonabe efforts were made to ensure that the information in this document
More informationSQL. Ilchul Yoon Assistant Professor State University of New York, Korea. on tables. describing schema. CSE 532 Theory of Database Systems
CSE 532 Theory of Database Systems Lecture 03 SQL Ichu Yoon Assistant Professor State University of New York, Korea Adapted from book authors sides SQL Language for describing database schema & operations
More informationAutomatic Structure Discovery for Large Source Code
Automatic Structure Discovery for Large Source Code By Sarge Rogatch Master Thesis Universiteit van Amsterdam, Artificia Inteigence, 2010 Automatic Structure Discovery for Large Source Code Page 1 of 130
More informationHow To Deiver Resuts
Message We sha make every effort to strengthen the community buiding programme which serves to foster among the peope of Hong Kong a sense of beonging and mutua care. We wi continue to impement the District
More informationPricing Internet Services With Multiple Providers
Pricing Internet Services With Mutipe Providers Linhai He and Jean Warand Dept. of Eectrica Engineering and Computer Science University of Caifornia at Berkeey Berkeey, CA 94709 inhai, wr@eecs.berkeey.edu
More information