Antonino Sabetta

Towards Security Certification Schemas for the Internet of Services

The Internet of Services (IoS) has become the dominant paradigm for building applications in an ad-hoc, dynamic fashion by composing services from a variety of different providers. While the business value of the IoS is undoubted, security and trustworthiness concerns still constitute an obstacle for uptake. In this paper we argue that security certification is a valid means to address these issues. However, existing certification schemes addressing static systems and environments do not scale to the IoS and, thus, cannot be straightforwardly adapted. We investigate into the reasons for the lack of scale and conclude that three areas need to be addressed: explicit representation, machine readability, and advanced composition support. For each of these areas, we sketch solutions and identify further challenges.

Impact assessment for vulnerabilities in open-source software libraries

Software applications integrate more and more open-source software (OSS) to benefit from code reuse. As a drawback, each vulnerability discovered in bundled OSS may potentially affect the application that includes it. Upon the disclosure of every new vulnerability, the application vendor has to assess whether such vulnerability is exploitable in the particular usage context of the applications, and needs to determine whether customers require an urgent patch containing a non-vulnerable version of the OSS. Unfortunately, current decision making relies mostly on natural-language vulnerability descriptions and expert knowledge, and is therefore difficult, time-consuming, and error-prone. This paper proposes a novel approach to support the impact assessment based on the analysis of code changes introduced by security fixes. We describe our approach using an illustrative example and perform a comparison with both proprietary and open-source state-of-the-art solutions. Finally we report on our experience with a sample application and two industrial development projects.

Risk-Based Privacy-Aware Information Disclosure

Risk-aware access control systems grant or deny access to resources based on the notion of risk. It has many advantages compared to classical approaches, allowing for more flexibility, and ultimately supporting for a better exploitation of data. The authors propose and demonstrate a risk-aware access control framework for information disclosure, which supports run-time risk assessment. In their framework access-control decisions are based on the disclosure-risk associated with a data access request and, differently from existing models, adaptive anonymization operations are used as risk-mitigation method. The inclusion of on-the-fly anonymization allows for extending access to data, still preserving privacy below the maximum tolerable risk. Risk thresholds can be adapted to the trustworthiness of the requester role, so a single access control framework can support multiple data access use cases, ranging from sharing data among a restricted highly trusted group to public release low trust value. The authors have developed a prototype implementation of their framework and have assessed it by running a number of queries against the Adult Data Set from the UCI Machine Learning Repository, a publicly available dataset that is widely used by the research community. The experimental results are encouraging and confirm the feasibility of the proposed approach.

Risk-Aware Information Disclosure

Risk-aware access control systems grant or deny access to resources based on some notion of risk. In this paper we propose a model that considers the risk of leaking privacy-critical information when querying, e.g., datasets containing personal information. While querying databases containing personal information it is current practice to assign all-or-nothing access to avoid the disclosure of sensitive information. Using our model, access-control decisions are based on the disclosure-risk associated with a data access request and, differently from existing models, we include adaptive anonymization operations as risk-mitigation methods. By applying these operations, a request that would otherwise be rejected, is permitted after reducing the risk associated with the returned dataset.

Towards a trustworthy service marketplace for the future internet

Digital economy is moving towards offering advanced business services, integrated into different applications and consumed from heterogeneous devices. Considering the success of actual software marketplaces, it is possible to foresee that Service Marketplaces (SM) will play a key role for the future Internet of Services. At present, on all offered software, marketplace operators define requirements that are common, and are validated before admitting them. However, the requirements, the validation process, and its results are not completely evident to the service consumers, resulting in a significant shortcoming especially with respect to security characteristics. In addition, having common security requirements for all services and applications makes the validation possibly inadequate to address the specific requirements that consumers may have. In order to address these points, we propose the concept of a trustworthy service marketplace for the upcoming Internet of Services, where the security characteristics of services are certified and treated as first-class entities, represented in a machine-processable format. This allows service consumers --- either human end-users or computer agents --- to reason about these security features and to match them with their specific security requirements.

A Marketplace for Business Software with Certified Security Properties

Digital marketplaces (e.g., the Amazon Web Service Marketplace or the Google Apps Marketplace), offer computation and data platforms as services to Independent Software Vendors (ISVs). ISVs, in turn develop applications and services on these platforms and sell these software products to customers, through the marketplace.

Ensuring trust in service consumption through security certification

The service-based paradigm is enabling new models of software provisioning based on cloud architectures. An increasing number of organizations are either providing their software as a service or acting as enablers by providing platforms on which service providers can offer their services. However the service implementations and the characteristics of the underlying cloud architectures are often opaque to the service consumers. The resulting deficit of trust on the security of such services is hampering the adoption of these new software paradigms by the industry. In this paper, we discuss an approach for security certification of services that can help fill this trust deficit, and we analyze the challenges that we face in realizing this approach. In particular, we concentrate on the problem of ensuring a robust binding between a security certificate and the corresponding service, outlining some possible approaches to tackle this issue.

Machine-Readable Privacy Certificates for Services

Privacy-aware processing of personal data on the web of services requires managing a number of issues arising both from the technical and the legal domain. Several approaches have been proposed to matching privacy requirements (on the clients side) and privacy guarantees (on the service provider side). Still, the assurance of effective data protection (when possible) relies on substantial human effort and exposes organizations to significant (non-)compliance risks. In this paper we put forward the idea that a privacy certification scheme producing and managing machine-readable artifacts in the form of privacy certificates can play an important role towards the solution of this problem. Digital privacy certificates represent the reasons why a privacy property holds for a service and describe the privacy measures supporting it. Also, privacy certificates can be used to automatically select services whose certificates match the client policies (privacy requirements).

Towards a development environment to orchestrate services with certified security properties

Because of their nature and due to the technology on which they are currently based, service-oriented systems face important challenges related to security and trust. The lack of visibility of important information about service internals and about the operational environment in which they are operated, is hampering the adoption of a truly open service-oriented paradigm to realise applications composed of services coming from outside of the boundaries of a single organisation. The Assert4Soa project is investigating ways to address this challenge by proposing a novel approach to the certification of security properties, targeting specifically software services. In this paper we introduce an integrated environment, under development in the context of Assert4Soa, that supports the implementation of service-based applications built from services with certified security properties.

Vulnerable open source dependencies: counting those that matter

Background: Vulnerable dependencies are a known problem in todays open-source software ecosystems because OSS libraries are highly interconnected and developers do not always update their dependencies. Aim: Our paper addresses the over-inflation problem of academic and industrial approaches for reporting vulnerable dependencies in OSS software, and therefore, caters to the needs of industrial practice for correct allocation of development and audit resources. Method: Careful analysis of deployed dependencies, aggregation of dependencies by their projects, and distinction of halted dependencies allow us to obtain a counting method that avoids over-inflation. To understand the industrial impact of a more precise approach, we considered the 200 most popular OSS Java libraries used by SAP in its own software. Our analysis included 10905 distinct GAVs (group, artifact, version) in Maven when considering all the library versions. Results: We found that about 20% of the dependencies affected by a known vulnerability are not deployed, and therefore, they do not represent a danger to the analyzed library because they cannot be exploited in practice. Developers of the analyzed libraries are able to fix (and actually responsible for) 82% of the deployed vulnerable dependencies. The vast majority (81%) of vulnerable dependencies may be fixed by simply updating to a new version, while 1% of the vulnerable dependencies in our sample are halted, and therefore, potentially require a costly mitigation strategy. Conclusions: Our case study shows that the correct counting allows software development companies to receive actionable information about their library dependencies, and therefore, correctly allocate costly development and audit resources, which is spent inefficiently in case of distorted measurements.