Sage Journals: Discover world-class research

Abstract

Dynamic service composition provides us with a promising approach to cooperate different sensor nodes in WSN to build complex applications based on their basic functions. Usually multiple nodes located in different regions provide data with different security levels, and it is critical to ensure the security of the information flow in the composite services. However, the energy-limited nature of sensor nodes in WSN poses a significant challenge for the centralized information flow verification with which the verification node needs to consume lots of computation and network resources. In this paper, we specify the security constraints for each service participant to secure the information flow in a service chain based in the lattice model and then present a distributed verification framework that cooperates different service participants to verify their information flow policies distributively. The evaluation results show a significant decrease on the verification cost of the single verification node, which provides a better load balance in each sensor node.

1. Introduction

WSN is the key enablers for the development of the Internet of Things (IoT), which is responsible for collecting surrounding context and environment information. In a service-oriented WSN [1, 2], multiple sensor nodes with different basic services, for example, data aggregation, data processing, and decoding, can cooperate with each other to develop new applications rapidly. However, because of the variety and regional characteristics of WSN, the data provided by the sensor nodes have different security levels. When services are composed together, data are transmitted among these nodes, respectively, where an operation in a node assigning high-level data to a low-level object would cause the information leakage with a serious impact on the public safety or personal privacy.

For example, a personal-health helper service can be provided for the healthy advice according to the body status and environments data. Most of the former work, mainly focus on the access control of the individual services [3, 4]. But in a service chain, data may be computed from its prior services which can result in the undesired information leakage. When the collection service is completed, the data collected by the wearable sensors and environmental sensors are delivered to the data processing node, such as mobile phone. Healthy information may leak to untrusted third party through the illegal operations during data processing. So the information flow security is one of the major concerns about the service composition in sensor network environments.

One issue in information flow security of the composite service is the dynamic dependence among various objects in different service participants. Accorsi and Wonnemann [5] use Petri nets to represent the workflow and detect information leaks in workflow descriptions based on static information flow analysis. But this work can only validate the information flow in fixed workflow with static input and output dependences. In service-oriented WSN, there are several candidate services with same functions where the dependences between input and output are different from each other. It is necessary for user to select appropriate service for the secure composition of the service chain. She et al. [6, 7] define transformation factors to measure how likely the output depends on the input data in different candidate services. But it is hard to define the LR, MR, and HR transformation factors. Therefore, a suitable dependence model is required for the analysis of the information flow in different candidate services.

Another major issue for the information flow verification in WSN is the energy cost of the verification node. Zorgati and Abdellatif [8] and She et al. [9] propose the centralized verification approach against the information flow control policies to ensure an end-to-end security in wired network. However, in WSN, the sensor node is energy limited, and the centralized way consumes lots of energy of the verification node. Yildiz and Godart [10] propose an decentralized service composition approach considering the information flow policies in an inexpensive manner, but its policies are static. Based on the information flow type system, Hutter and Volkamer [11] specify the composition rules to control the security of dynamically computed data and their proliferation to other web services. But it costs extra energy of the sensor node to compile the service code again before the service execution.

In this paper, we present a distributed information flow verification approach applied on the composition of the service chain in wireless sensor network. Our contributions include the following. (1) For the dynamic dependences in service chain, we define the intra and inter dependences among different objects in composite service based on the PDG. (2) We specify the security constraints for each service participant based on the dependences and lattice model. (3) We propose a decentralized information flow verification approach to execute the verification process distributively to provide a better load balance of the sensor nodes in WSN.

The rest of the paper is structured as follows. Section 2 presents the basic definitions of the wireless sensor service system. Section 3 specifies the security constraints for each service participants based on the analysis of the information flow in the service chain. In Section 4, we propose the distributed information flow verification framework based on the secure information flow model. Section 5 evaluates the proposed verification approach. Section 6 concludes the paper.

2. Wireless Sensor Service System

A wireless sensor service system (WSS) is a large-scale distributed environment which consists of multiple wireless sensor nodes, public data resources and security authorities, which is shown in Figure 1. Sensor nodes in WSN can collect these resources, and provide different basic functions, such as data analyzing or processing, which are treated as various services in WSN. There is also a security authority for each data resources for the management of these data security levels which are used for the security verification. The service on each sensor node can be defined as follows.

Figure 1

A wireless sensor service system.

Definition 1.

Each service $s_{i}$ is a tuple $s_{i} = 〈 {i d}_{i}, {I n}_{i}, {O u t}_{i}, F_{i}, C e_{i} 〉$ , where $i d_{i}$ is the identifier of the service; ${I n}_{i}$ is the set of input of service; ${O u t}_{i}$ is the set of the output of service; $F_{i}$ is composed of a sequence of actions $〈 a_{1}, a_{2}, \dots 〉$ ; $C e_{i}$ is the certificate of the service which specifies the security properties of service.

In WSS system, various services are provided by different sensor nodes. These individual services can also be combined together to generate a more powerful service. During the execution of composite service, each service node collects data from its local storage or the public resources, processes the input data, and finally provides results to the sink nodes. On the other hand, these nodes may also update the local storage or store to the public data resources in WSS. A composite service can be denoted as a directed graph, where the vertex is the service component and the edge represents an composition relationship from one service to another. In this paper, we investigate a simplified composite service, the service chain, which is defined as follows.

Definition 2.

A service chain $s_{c}$ can be represented as a tuple $s_{c} = 〈 C H, I n, O u t 〉$ where $C H$ is a sequence of services $〈 s_{1}, s_{2}, \dots 〉$ ; $I n$ is the set of input of $s_{c}$ , $s_{c}$ ; $O u t$ is set of output of $s_{c}$ .

In a service chain $s_{c}$ , the predecessor of a service $s_{i}$ can be denoted as $s_{i - 1}$ , and the successor of a service $s_{i}$ is denoted as $s_{i + 1}$ . $s_{0}$ denotes the node who sends the initial request to $s_{1}$ , and $s_{n + 1}$ denotes the sink node who receives the service result from $s_{n}$ . Figure 2 shows a simple service chain model.

Figure 2

A service chain model.

Due to the dynamic and heterogeneous sensor network environment, it is necessary to select appropriate service to satisfy the different requirements including QoS and security. In this paper, we focus on the verification of the information flow security in composite service chain and providing support for the security enforced selection of services in WSN.

3. Secure Information Flow Model

3.1. Security Label Model

For the information with different sensitivities, we use multilevel security labels to describe the security properties of objects o.

Definition 3.

Security label model is defined as a lattice $(S L, \leq)$ , where $S L$ is a finite set of security levels that is totally ordered by ≤.

The lattice model is widely used in government or military systems in which the security classes are determined solely from the four security levels: unclassified, confidential, secret, and top secret [12].

For a clear discussion, in this paper, we define that each object o has a provided and required security level, $Pr (o)$ and $Re (o)$ , which specifies the read and write permissions possessed by o. The provided security labels of the objects can be given by the data owners, which are specified in certificates. And the required security labels of data objects will be computed according to the dependence of the input and output data.

3.2. Information Flow in Service Component

In a service chain, the information flow through $s_{i}$ is shown in Figure 3. We consider a data flow model in which each service may read from a set of input data objects and write to a set of output data objects. The set of input objects of a service $s_{i}$ includes all the objects that $s_{i}$ receives from its predecessor $s_{i - 1}$ and all data objects obtained from the public data resources or stored in the local storage in sensor nodes. The set of output objects of $s_{i}$ includes all the objects that $s_{i}$ sends to its successor $s_{i + 1}$ and all the data objects that $s_{i}$ updates to the public data resources and the local storage.

Figure 3

Information flow in service component.

For the input information for $s_{i}$ , there is ${I n}_{i} = {{I n}_{i}^{M}, {I n}_{i}^{D}, {I n}_{i}^{L}}$ , where (i)

${I n}_{i}^{M} = {{I n}_{i, 1}^{M}, {I n}_{i, 2}^{M}, \dots, {I n}_{i, n}^{M}}$ is the set of all input objects that $s_{i}$ receives from its predecessor $s_{i - 1}$ ;

(ii)

${I n}_{i}^{D} = {{I n}_{i, 1}^{D}, {I n}_{i, 2}^{D}, \dots, {I n}_{i, n}^{D}}$ is the set of all input objects from the public data resources;

(iii)

${I n}_{i}^{L} = {{I n}_{i, 1}^{L}, {I n}_{i, 2}^{L}, \dots, {I n}_{i, n}^{L}}$ is the set of all input objects located in local storage in sensor nodes.

For the output information for $s_{i}$ , there is ${O u t}_{i} = {{O u t}_{i}^{M}, {O u t}_{i}^{D}, {O u t}_{i}^{L}}$ , where (i)

${O u t}_{i}^{M} = {{O u t}_{i, 1}^{M}, {O u t}_{i, 2}^{M}, \dots, {O u t}_{i, n}^{M}}$ is the set of all output objects that $s_{i}$ sends to its successor $s_{i + 1}$ ;

(ii)

${O u t}_{i}^{D} = {{O u t}_{i, 1}^{D}, {O u t}_{i, 2}^{D}, \dots, {O u t}_{i, n}^{D}}$ is the set of all output objects that $s_{i}$ updates to the public data resources;

(iii)

${O u t}_{i}^{L} = {{O u t}_{i, 1}^{L}, {O u t}_{i, 2}^{L}, \dots, {O u t}_{i, n}^{L}}$ is the set of all output objects that $s_{i}$ writes to the local storage in sensor nodes.

In order to validate the information flow in $s_{i}$ , we need to analyze the relationships between the input and output objects. The output ${O u t}_{i}$ is computed from $I n_{i}$ during the execution of the service function $F_{i}$ . The syntax of $F_{i}$ is defined as follows:

\begin{array}{l} f : : = a; f, \\ a : : = skip ∣ input (i n, e) ∣ var ≔ e ∣ a; a \\ ∣ if (e) then a else a \\ ∣ while (e) a ∣ output (o u t, e), \\ e : : = var ∣ e Re \\ R : : = + ∣ - ∣ = ∣ < . \end{array}

(1)

A service function consists of a collection of activities, some of which are the control and computation operations, while some of which are responsible for receiving the inputs from different sources

i n

and producing outputs data to the required objects

o u t

. We can establish the program dependence graph (PDG) [13] of

F_{i}

according to its syntax to analyze the relationships among different objects used in

F_{i}

. The PDG is defined as follows.

Definition 4.

Program dependence graphs (PDG) is a directed graph $〈 V, \vec{E} 〉$ , where the expressions and the activities in $F_{i}$ constitute the nodes of the graph and the edges express data and control dependences. A data dependence represented by an edge $a \to_{d}$ $a^{'}$ means that the activity a assigns variable x which is used in activity $a^{'}$ . A control dependence represented by an edge $e \to_{c}$ a means that the execution of a depends on the value of the expression e, which is typically a branch and loop condition.

Once a program dependence graph $PDG = 〈 V, \vec{E} 〉$ has been constructed, program backward slice [14] is used to analyze the dependences among the different objects that are used in activities and expressions in $PDG$ . Here we use $Dep (o)$ to represent the obtained dependency set of an object o.

Based on the dependency set $Dep (o)$ , we can compute output object required security level according to the following equations: for $\forall u \in {O u t}_{i}$ ,

\begin{matrix} Re (u) = \underset{\max}{⊔} Re (v), v \in {I n}_{i} \land v \in Dep (u) . \end{matrix}

(2)

Based on the previous equation, we can obtain the following.

Theorem 5.

For $\forall u \in {O u t}_{i}^{M}$ , there is

\begin{matrix} Re (u) \geq Re (v), \forall v \in {I n}_{i} \land v \in Dep (u) . \end{matrix}

(3)

Each service $s_{i}$ has different levels of inputs and outputs. The value of the input objects with high-level security label may flow to the low-level output objects during the execution of the service and cause the information leak. Therefore, the definition of the secure information flow in service component is given as follows.

Definition 6.

The information flow in service component $s_{i}$ is considered secure if it satisfies that for $\forall u \in {O u t}_{i, j}^{D} \cup {O u t}_{i, j}^{L}$ , there are

\begin{matrix} Pr (u) \geq Re (u) = \underset{\max}{⊔} Re (v), v \in {I n}_{i} \land v \in Dep (u) . \end{matrix}

(4)

The previous condition provides that there are no lower level objects in public resources and local storage storing the data with higher security level during the execution of each service.

3.3. Secure Information Flow in Service Chain

Consider the service chain $〈 s_{1}, s_{2}, \dots, s_{n} 〉$ . The output data sent from $s_{i}$ to $s_{i + 1}$ , ${O u t}_{i}^{M}$ , may be dynamically computed from some data stored by sensor node and public data resources, ${I n}_{i}^{L}$ and ${I n}_{i}^{D}$ , and some data received from $s_{i - 1}$ , ${O u t}_{i - 1}^{M}$ . ${O u t}_{i}^{M}$ may be further processed by $s_{i + 1}, \dots, s_{j - 1}$ and computed into ${O u t}_{j - 1}^{M}$ which is delivered to service $s_{j}$ , $j > i$ . And the dependence between objects belonging to different service components is considered as the interservice dependence. The interservice dependence set of object u, $De p_{inter} (u)$ , is defined as follows.

Definition 7.

For objects $v \in s_{i}$ and $u \in s_{j}$ where $j > i$ , v is in $De p_{inter} (u)$ which satisfies one of the following two conditions: (1)

$i = j - 1 :$

$\exists w_{1} \in O u t_{i}^{M}, w_{2} \in I n_{j}^{M}, w_{1} = w_{2}$

$(v \in Dep (w_{1}) \lor w_{1} = v) \land (w_{2} \in Dep (u) \lor w_{2} = u)$ ,

(2)

$i \neq j - 1 :$

$\exists w \in s_{k}, i < k < j$

$v \in De p_{inter} (w) \land w \in De p_{inter} (u)$ .

For two adjacent services $s_{i}$ and $s_{j}$ where $i = j - 1$ , there are four cases that need to be considered. (1) For $v \in {O u t}_{i}^{M}$ = $u \in {I n}_{j}^{M}$ , there is an interservice dependence between u and v. (2) For $v \in {O u t}_{i}^{M}$ and $u \notin {I n}_{j}^{M}$ , there is an interservice dependence between them if there are objects $w \in {I n}_{j}^{M}$ and $v = w$ that u depends on. (3) For $v \notin {O u t}_{i}^{M}$ and $u \in {I n}_{j}^{M}$ , u externally depends on v if there are objects $w \in {O u t}_{i}^{M}$ and $u = w$ that depends on v. (4) For $v \notin {O u t}_{i}^{M}$ = $u \notin {I n}_{j}^{M}$ , if there are two objects $w_{1} \in {O u t}_{i}^{M}$ , $w_{2} \in {I n}_{j}^{M}$ that $w_{1} = w_{2}$ , while data object u in $s_{j}$ depends on $w_{2}$ , and $w_{1}$ depends on v in $s_{i}$ , we call uthat externally depends on v.

For two services $s_{i}$ and $s_{j}$ where $j > i + 1$ , if there is an object w in $s_{k}$ , $i < k < j$ which w externally depends on v, while u externally depends on w, the dependence between u and v is the interservice dependence.

For a service chain $s_{c}$ where $I n_{s c} = ⋃_{} ‍ {{I n}_{i}^{L} \cup {I n}_{i}^{D}}$ and $O u t_{s c} = ⋃_{} ‍ {{O u t}_{i}^{L} \cup {O u t}_{i}^{D}}$ , $0 \leq i \leq n + 1$ , we use $s_{0}$ that denotes the start node which sends the initial request to $s_{1}$ , and $s_{n + 1}$ denotes the sink node which receives the service results from $s_{n}$ . And we assume that ${I n}_{0}^{M} = ϕ$ , ${O u t}_{0}^{D} \cup {O u t}_{0}^{L} = ϕ$ , ${I n}_{n + 1}^{L} \cup {I n}_{n + 1}^{D} = ϕ$ , and ${O u t}_{n + 1}^{M} = ϕ$ .

Definition 8.

The information flow in service chain $s_{c}$ is considered secure if and only if it satisfies that for $\forall u \in {O u t}_{c}$ , there are

\begin{matrix} Pr (u) \geq \underset{\max}{⊔} Re (v) \\ v \in {I n}_{c} \land (v \in Dep (u) \lor v \in De p_{inter} (u)) \\ 1 \leq j < i . \end{matrix}

(5)

According to the definition of the secure information flow in $s_{i}$ and $s_{c}$ , we can obtain the following lemmas and theorems.

Lemma 9.

In a service chain $s_{c} 〈 s_{1}, s_{2}, \dots, s_{m} 〉$ , $\forall u \in {O u t}_{i}^{M}$ , $0 \leq i \leq m$ satisfies

\begin{matrix} Re (u) \geq Re (v) \\ v \in {I n}_{j} \land (v \in Dep (u) \lor {Dep}_{inter}  (u)), \\ 0 \leq j \leq i . \end{matrix}

(6)

Proof.

First, let $m = 1$ , then there are two service components $s_{0}$ and $s_{1}$ .

For $\forall u \in {O u t}_{0}^{M}$ , Theorem 5 provides that $\forall v \in {I n}_{0} \land v \in Dep (u)$ , and there is $Re (u) \geq Re (v)$ .

And there is no interservice dependence in $s_{0}$ , so the lemma is proved.

For $\forall u \in {O u t}_{1}^{M}$ , there are two cases to consider.

Case 1. $j = 1, \forall v \in {I n}_{1} \land v \in Dep (u)$ . Theorem 5 provides $Re (u) \geq Re (v)$ .

Case 2. $j = 0, \forall v \in I n_{0} \land v \in De p_{inter} (u)$ . In this case, the definition of the interservice dependence provides $\exists w_{1} and w_{2}$ where

\begin{matrix} w_{1} \in {O u t}_{0}^{M} = w_{2} \in {I n}_{1}^{M}, \\ v \in Dep (w_{1}) \land w_{2} \in Dep (u) . \end{matrix}

(7)

Theorem 5 provides that

\begin{matrix} Re (u) \geq Re (w_{2}), \end{matrix}

(8)

\begin{matrix} Re (w_{1}) \geq Re (v) . \end{matrix}

(9)

And there is

\begin{matrix} Re (w_{2}) = Re (w_{1}) . \end{matrix}

(10)

Based on (8), (9), and (10), we can get

\begin{matrix} Re (u) \geq Re (v) . \end{matrix}

(11)

In a conclusion, when

m = 1

, the lemma is proved.

Then we suppose that the lemma is true when $m = n - 1$ ; that is, for $\forall u \in {O u t}_{i}^{M}$ , $0 \leq i \leq n - 1$ , there are

\begin{matrix} Re (u) \geq Re (v), \\ v \in {I n}_{j} \land (v \in Dep (u) \lor v \in De p_{inter} (u)), \\ 0 \leq j \leq i . \end{matrix}

(12)

And the case that

m = n

is proved as follows: for

\forall u \in O u t_{n}^{M}

, there are also two cases to consider.

Case 1. $j = i, \forall v \in I n_{n} \land v \in Dep (u)$ . In this case, Theorem 5 provides $Re (u) \geq Re (v)$ .

Case 2. $0 \leq j < i, \forall v \in {I n}_{j} \land v \in De p_{inter} (u)$ . In this case, the definition of the interservice dependence provides $\exists w_{1}, w_{2}$ where

\begin{matrix} w_{1} \in {O u t}_{n - 1}^{M} = w_{2} \in {I n}_{n}^{M}, \\ (v \in Dep (w_{1}) \lor v \in De p_{inter} (w_{1})) \land w_{2} \in Dep (u) . \end{matrix}

(13)

Theorem 5 provides that

\begin{matrix} Re (u) \geq Re (w_{2}) . \end{matrix}

(14)

The previous assumption provides that for

0 \leq i \leq n - 1

, there is

\begin{matrix} Re (w_{1}) \geq Re (v), \end{matrix}

(15)

and there is

\begin{matrix} Re (w_{2}) = Re (w_{1}) \end{matrix}

(16)

Based on (14), (15), and (16), we can get

\begin{matrix} Re (u) \geq Re (v) . \end{matrix}

(17)

In a conclusion, when

m = n

, the lemma is proved.

Lemma 10.

If the information flow of each service in first m step of $s_{c}$ is secure, $\forall u \in {O u t}_{i}^{D} \cup {O u t}_{i}^{L}$ , $0 \leq i \leq m$ satisfies

\begin{matrix} Pr (u) \geq Re (v), \\ v \in {I n}_{j} \land (v \in Dep (u) \lor {Dep}_{inter}  (u)), \\ 0 \leq j \leq i \end{matrix}

(18)

Proof.

For $\forall u \in {O u t}_{i}^{D} \cup {O u t}_{i}^{L}$ , there are also two cases to consider.

Case 1. $j = i, \forall v \in {I n}_{i} \land v \in Dep (u)$ . In this case, the secure information flow Definition 6 provides $Pr (u) \geq Re (v)$ .

Case 2. $0 \leq j < i, \forall v \in {I n}_{j} \land v \in De p_{inter} (u)$ . In this case, the definition of the interservice dependence provides $\exists w_{1}, w_{2}$ where

\begin{matrix} w_{1} \in {O u t}_{n - 1}^{M} = w_{2} \in {I n}_{n}^{M}, \\ (v \in Dep (w_{1}) \lor v \in De p_{inter} (w_{1})) \land w_{2} \in Dep (u) . \end{matrix}

(19)

The secure information flow Definition 6 provides

\begin{matrix} Pr (u) \geq Re (u) . \end{matrix}

(20)

Theorem 5 provides that

\begin{matrix} Re (u) \geq Re (w_{2}) . \end{matrix}

(21)

And the Lemma 9 provides that

\begin{matrix} Re (w_{1}) \geq Re (v) . \end{matrix}

(22)

And there is

\begin{matrix} Re (w_{2}) = Re (w_{1}) . \end{matrix}

(23)

Based on (20), (21), (22), and (23), we can get

\begin{matrix} Pr (u) \geq Re (v) . \end{matrix}

(24)

In a conclusion, the lemma is proved.

Theorem 11.

For a service chain $s_{c}$ , if the information flow in each service component $s_{i}$ is considered secure, the flow in the service chain is secure.

Proof.

Let $m = n + 1$ , and the theorem is proved based on Lemma 10.

4. Distributed Information Flow Verification Framework for Wireless Service Composition

4.1. Information Flow Verification Framework

For a service chain $s_{c} = 〈 s_{0}, s_{1}, \dots, s_{n}, s_{n + 1} 〉$ , there are several candidate services but different implementations by developers for each service step $s_{i}$ . In the distributed information flow verification framework, each sensor node is only responsible for validating its next-step candidate service node $s_{i, j}$ , which can balance the energy cost on a single verification node. The distributed information flow verification framework is shown in Figure 4.

Figure 4

Decentralized information flow verification framework.

In our framework, Service Authorization Centre (SAC) is a trusted third party for service certificate generation before the deployment of the sensor node. There are two phases for the verification of the information flow: service certificate setup and service verification phase. The service certificate that specifies the security properties of the service, that is, the dependence between the service input and output, is first generated and signed by a SAC. During the service composition procedure, the service composer obtains the required service certificates, and verifies the information flow in candidate nodes. These two phases are detailed in the following sections.

4.2. Service Certificate Setup

Service certificate setup is the preparation phase of the verification process, which is shown in Figure 5. In this phase, service developer submits authorization request containing service function code in service node to SAC. And then the generated service certificate $C e$ is installed on the sensor node with the service. Considering the complexity and security of the service code transmission, the authorization process is executed by the offline mode between the service developer and SAC, which does not need to consume extra energy of the sensor node.

Figure 5

Service certificate setup phase.

Definition 12.

A service certificate $C e$ is a tuple $〈 C A, s, D e 〉$ , where $C A$ is the issuer, that is, SAC; s is the service identifier; $D e$ is the set of statements that describe the output data dependence.

The service certificate $C e$ specifies the attributes of the service including the service identifier, the dependence between input and output objects in the service function. Regarding the PDG construction of service function, SAC uses the algorithms presented in [13] to generate the PDG. Once a program dependence graph PDG = $〈 V, \vec{E} 〉$ has been computed, a dependence set can be established for each node $x \in V$ by using intraprocedural backward slice [14], written $D e (x)$ containing the set of all nodes in PDG from which x can be reached as follows: $D e (x) = {y ∣ y \to_{*} x}$ . In this paper we mainly consider the dependences between the input and output objects in the PDG nodes; that is, $D e_{i n} ({O u t}_{i, k}) = {v ∣ v \in D e ({O u t}_{i, k}) \land v \in {I n}_{i}}, 0 \leq i \leq n + 1$ , $0 \leq k \leq | {O u t}_{i} |$ . For each ${O u t}_{i, k} \in {O u t}_{i}$ , its input dependence is written into the certificate. Finally, the certificate is signed by SAC and sent to the service node. Then the service certificate setup phase is complete. The Algorithm 1 is shown as follows.

Algorithm 1: Service_Certificate_Set_Up().

Input: Service $s_{i} 〈 i d_{i}, d o m_{i}, I n_{i}, O u t_{i}, F_{i}, C e_{i} 〉$ .

Output: Service certificate of $C e_{i} 〈 C A, s, D e 〉$ .

$(1)$ ∖∖ Var $(x)$ represents the variables objects in x statement

$(2)$ $C e_{i} \cdot s = i d_{i}$

$(3)$ PDG $G 〈 V, \vec{E} 〉$

$(4)$ generatePDG $(F_{i}, G)$

$(5)$ for each output node $x \in G \land V a r (x) \in O u t_{i}$ do

$(6)$ BS(x)=backwardSlice(x)

$(7)$ for each $y \in B S (x)$ do

$(8)$ if $V a r (y) \in I n_{i}$ then

$(9)$ pushInto( $C e_{i} \cdot D e (V a r (x), V a r (y)))$

$(10)$ end if

$(11)$ end for

$(12)$ end for

$(13)$ signature( $C e_{i} \cdot C A, S A C$ )

$(14)$ return $C e_{i}$

When there is a request for the service, the node needs to send its certificate to the composer for its information flow verification. The provided security levels of the public and local input data and output objects are also required to be sent to the verification node. If the realization of the service is changed, for example, a new version service is published, the service needs to be authorized by SAC again and reinstalled on the sensor node.

4.3. Service Verification

Service verification is a vital phase in which the verification node requires the service certificates and validates the candidate nodes against the information flow control policies. The verification procedure is shown in Figure 6. During the verification process, service composer $s_{i - 1}$ , required for the service certificate and the provided security levels of the public and local data and objects first. Then the composer computes the required security levels of the output objects and then validates whether they satisfy the security constrains.

Figure 6

Service Verification Phase.

4.3.1. Required Security Level Computation

According to the secure information flow definition in service chain, the required security levels of the data objects need to be computed first. The required security levels of the objects in each service $s_{i, j}$ are computed according to the following three computation rules (CR):

$CR 1$ For $\forall u \in {I n}_{i}^{D} \cup {I n}_{i}^{L}$ , $Re (u) = Pr (u)$ ;

$CR 2$ For $\forall u \in {I n}_{i}^{M}$ , $Re (u) = Pr (v)$ where $v \in {O u t}_{i - 1}^{M} \land v = u$ ;

$CR 3$ For $\forall u \in {O u t}_{i}$ , $Re (u) = ⊔_{\max} Re (v) v \in I n_{i} \land v \in Dep (u)$ .

$CR 1$ specifies that the required security levels of the input objects from public and local storage are equal to their provided security levels. $CR 2$ specifies that the required security levels of the input objects from predecessor are determined by that of the output objects in $s_{i - 1}$ . $CR 3$ specifies that the required security levels of the output objects are computed from that of the input objects that the output depends on.

4.3.2. Service Verification

During the service verification, the information flow control policy (IFCP) specifies how to validate a candidate service $s_{i, j}$ . Based on the security label model and the definition of the secure information flow in each service, we define the information flow control policies in each service $s_{i}$ as follows:

$IFCP 1$ For $\forall u \in {O u t}_{i}^{D}$ , $Pr (u) \geq Re (u) \Rightarrow true$ , $Pr (u) < Re (u) \Rightarrow false$ ;

$IFCP 2$ For $\forall u \in {O u t}_{i}^{L}$ , $Pr (u) \geq Re (u) \Rightarrow true$ , $Pr (u) < Re (u) \Rightarrow false$ .

Based on the required security level computation rules and information flow control policies, verification node can validate the candidate sensor node $s_{i, j}$ in a service chain. The Algorithm 2 is shown as follows.

Algorithm 2: Service_Verification().

Input: $Re (O u t_{i - 1}^{M})$ , Candidate Service Set $S_{i}$ , $Pr (I n_{i - 1}^{D})$ , $Pr (I n_{i - 1}^{L})$ , $Pr (O u t_{i - 1}^{D})$ , $Pr (O u t_{i - 1}^{L})$

Output: Passed Service Set $S_{p, i}$ .

$(1)$ $∖ ∖$ exOutput $(I n_{i, j}^{M})$ represents $I n_{i, j}^{M}$ 's corresponding output in its predecessor

$(2)$ $∖ ∖$ filterService $(S_{p}, S_{i, j})$ represents filtering the unsatisfied candidate service $s_{i, j}$ from $S_{p}$

$(3)$ $S_{p, i} = S_{i}$

$(4)$ for each $s_{i, j} \in S_{i}$ do

$(5)$ requestCert $(s_{i, j}, C e)$

$(6)$ for each $u \in I n_{i, j}^{D}, v \in I n_{i, j}^{L}, w \in I n_{i, j}^{M}$ do

$(7)$ $Re (u) = Pr (u)$

$(8)$ $Re (v) = Pr (v)$

$(9)$ $Re (w) = Re (e x O u t p u t (w))$

$(10)$ end for

$(11)$ for each $u \in O u t_{i}^{D}$ , $v \in O u t_{i}^{L}$ do

$(12)$ for each $w \in D e (u)$ do

$(13)$ $Re (u) = ⊔_{\max} Re (w)$

$(14)$ end for

$(15)$ if $Pr (u) < Re (u)$ then

$(16)$ filterService $(S_{p, i}, S_{i, j})$

(17) break;

(18) end if

(19) for each $w \in D e (v)$ do

(20) $Re (v) = ⊔_{\max} Re (w)$

(21) end for

(22) if $Pr (v) < Re (v)$ then

(23) filterService $(S_{p, i}, S_{i, j})$

(24) break;

(25) end if

(26) end for

(27) end for

(28) return $S_{p, i}$

4.4. Decentralized Information Flow Verification Algorithm for the Service Chain

For each step verification, verification node obtains the passed candidate service set $S_{p, i}$ , then the verification node will notice these passed sensor nodes to verify the following candidate services. And there are three types of messages for the synchronization of the verification procedure, that is, $s t a r t_m e s s a g e$ , $s u c c e s s_m e s s a g e$ , and $f a i l_m e s s a g e$ . $s t a r t_m e s s a g e$ is used to allow the candidate service $s_{i, j}$ to execute the $V e r i f y_S e r v i c e C h a i n ()$ procedure. When the nodes in service chain all pass the service verification process, $s u c c e s s_m e s s a g e$ with the executable path is sent to inform its requestor $s_{0}$ . During each step verification $f a i l_m e s s a g e$ will be sent to the predecessor of the verification node when there are no candidate services passed the verification in next step. The Algorithm 3 is presented as above.

Algorithm 3: Verify_ServiceChain().

Input: $Re (O u t_{i - 1}^{M})$ , Candidate Service Set $S_{i + 1}$ .

Output: Secure Execution Path P

$(1)$ if $i \neq 1$ then

$(2)$ wait start_message

$(3)$ end if

$(4)$ if $i = n$ then

$(5)$ send success_message with secure execution path P to the requestor

$(6)$ else

$(7)$ push $S_{i, j}$ into the Execution Path P

$(8)$ $S_{p, i + 1} = S e r v i c e_V e r i f i c a t i o n (R e (O u t_{i - 1}^{M}), S_{i + 1})$

$(9)$ if $S_{p, i + 1} = ϕ$ then

$(10)$ send fail_message to its predecessor

$(11)$ else

$(12)$ for each $s_{i + 1, k} \in S_{p, i + 1}$ do

$(13)$ send start_message to $s_{i + 1, k}$

$(14)$ end for

$(15)$ end if

$(16)$ end if

5. Experiments and Evaluations

This paper studies distributed information verification framework for the service composition in WSN. Through the security analysis in Section 3, the information flow security can be ensured by the Theorem 11. In this section, we investigate the impact of distributed service verification on the sensor node's cost including verification time and communication effort. A centralized approach implements the service verification work by a single sensor node. We test both approaches with NS-3 [15] in multiple scenarios. Table 1 shows further details about the simulation configuration.

Table 1

Simulation Configuration.

General
Simulator	NS-3
Field ( $m^{2}$ )	$100 \times 100$
Radio type	Zigbee
Service step	4
Simulation duration (s)	1000
Random
Node placement
Node movement
Security level	Unclassified, confidential, secret, and top secret
Controlled
Candidate number	5–10
Verification mode	Centralized, decentralized

Figure 7 shows the computation time on the verification node. In the centralized way, time rises vastly with the increase of the candidate service number. That is because the execution paths that need to be verified are increased at an exponential rate. However, time increases slowly in the distributed way because there is no significant variations on the candidate nodes that each sensor node needs to verify.

Figure 7

Computation time on the verification node(s).

Figure 8 shows the communication effort on the verification node. In Figure 8, the communication effort in the centralized way is evidently higher than that used the distributed way. That is because the single verification node needs to communicate with all other service nodes in centralized way, while it just needs to communicate with the next-step service nodes which can decrease the communication effort and save the energy of the sensor nodes.

Figure 8

Communication effort on the verification node(s).

6. Conclusion

In this paper, we specify the security constraints for each service participant based on the partial order model and propose a decentralized information flow verification approach that cooperates each sensor node to verify the information flow security distributively and builds up secure service chains in wireless sensor environments. Through the simulation on NS-3, the result shows that this approach can decrease the cost of the sensor nodes effectively.

Footnotes

Acknowledgments

This work is supported by Program for the Key Program of NSFC-Guangdong Union Foundation (U1135002), Major National S&T Program (2011ZX03005-002), National Natural Science Foundation of China (60872041, 61072066), and the Fundamental Research Funds for the Central Universities (JY10000903001, JY10000901034, and K5051203010).

References

Rezgui

Eltoweissy

Service-oriented sensor-actuator networks

IEEE Communications Magazine 2007 45 12 92 100

2-s2.0-37549064717

10.1109/MCOM.2007.4395372

Gračanin

Eltoweissy

Wadaa

DaSilva

L. A.

A service-centric model for wireless sensor networks

IEEE Journal on Selected Areas in Communications 2005 23 6 1159 1165

2-s2.0-20844445668

10.1109/JSAC.2005.845625

Bertino

Squicciarini

A. C.

Mevi

A fine-grained access control model for Web services

Proceedings of the IEEE International Conference on Services Computing (SCC ′04)

September 2004

33 40

2-s2.0-4644227527

10.1109/RIDE.2004.1281700

Bhatti

Bertino

Ghafoor

A trust-based context-aware access control model for Web-services

Proceedings of the IEEE International Conference on Web Services (ICWS ′04)

July 2004

184 191

2-s2.0-4744370524

10.1109/ICWS.2004.1314738

Accorsi

Wonnemann

Static information flow analysis of workflow models

INFORMATIK, 2010-Business Process and Service Science-Proceedings of ISSS and BPSC 2010 177 194 205 Lecture Notes in Informatics

She

Yen

I. L.

Thuraisingham

Bertino

The SCIFC model for information flow control in web service composition

Proceedinds of the IEEE International Conference on Web Services (ICWS ′09)

July 2009

1 8

2-s2.0-70449475560

10.1109/ICWS.2009.13

She

Yen

I. L.

Thuraisingham

Bertino

Policy-driven service composition with information flow control

Proceedings of the IEEE 8th International Conference on Web Services (ICWS ′10)

July 2010

50 57

2-s2.0-77957283243

10.1109/ICWS.2010.37

Zorgati

Abdellatif

SEWSEC: a SEcure web service composer using Information flow control

Proceedings of the 6th International Conference on Risks and Security of Internet and Systems (CRiSIS ′11)

2011

She

Yen

I. L.

Thuraisingham

Huang

S. Y.

Rule-based run-time information flow control in service cloud

Proceedings of the IEEE International Conference on Web Services (ICWS ′11)

2011

524 531

10.

Yildiz

Godart

Information flow control with decentralized service compositions

Proceedongs of the IEEE International Conference on Web Services (ICWS ′07)

July 2007

9 17

2-s2.0-44949107692

10.1109/ICWS.2007.109

11.

Hutter

Volkamer

Information flow control to secure dynamic web service composition

Science Security in Pervasive Computing 2006 3934 196 210 Lecture Notes in Computer

2-s2.0-33745823075

10.1007/11734666_15

12.

Denning

D. E.

A lattice model of secure information flow

Communications of the ACM 1976 19 5 236 243

2-s2.0-0016949746

10.1145/360051.360056

13.

Ferrante

Ottenstein

K. J.

Warren

J. D.

The program dependence graph and its use in optimization

ACM Transactions on Programming Languages and Systems 1987 9 3 319 349

2-s2.0-0023385308

10.1145/24039.24041

14.

Snelting

Robschink

Krinke

Efficient path conditions in dependence graphs for software safety analysis

ACM Transactions on Software Engineering and Methodology 2006 15 4 410 457

2-s2.0-33750912954

10.1145/1178625.1178628

15.

Open Source Project, NS-3 Project, http://www.nsnam.org/

Distributed Information Flow Verification Framework for the Composition of Service Chain in Wireless Sensor Network

Abstract

1. Introduction

2. Wireless Sensor Service System

Definition 1.

Definition 2.

3. Secure Information Flow Model

3.1. Security Label Model

Definition 3.

3.2. Information Flow in Service Component

Definition 4.

Theorem 5.

Definition 6.

3.3. Secure Information Flow in Service Chain

Definition 7.

Definition 8.

Lemma 9.

Proof.

Lemma 10.

Proof.

Theorem 11.

Proof.

4. Distributed Information Flow Verification Framework for Wireless Service Composition

4.1. Information Flow Verification Framework

4.2. Service Certificate Setup

Definition 12.

Algorithm 1: Service_Certificate_Set_Up().

4.3. Service Verification

4.3.1. Required Security Level Computation

4.3.2. Service Verification

Algorithm 2: Service_Verification().

4.4. Decentralized Information Flow Verification Algorithm for the Service Chain

Algorithm 3: Verify_ServiceChain().

5. Experiments and Evaluations

6. Conclusion

Footnotes

Acknowledgments

References