International Journal of Distributed Sensor Networks
Volume 2013 (2013), Article ID 693639, 10 pages
http://dx.doi.org/10.1155/2013/693639
Research Article

Distributed Information Flow Verification Framework for the Composition of Service Chain in Wireless Sensor Network

School of Computer Science and Technology, Shaanxi Key Laboratory of Network and System Security, Xidian University, China

Received 28 February 2013; Revised 13 April 2013; Accepted 15 April 2013

Academic Editor: Liangmin Wang

Copyright © 2013 Ning Xi et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Dynamic service composition provides a promising approach to making different sensor nodes in a WSN cooperate to build complex applications from their basic functions. Usually multiple nodes located in different regions provide data with different security levels, and it is critical to ensure the security of the information flow in the composite services. However, the energy-limited nature of sensor nodes in a WSN poses a significant challenge for centralized information flow verification, in which the verification node has to consume a large amount of computation and network resources. In this paper, we specify the security constraints for each service participant to secure the information flow in a service chain based on the lattice model, and then present a distributed verification framework in which the service participants cooperate to verify their information flow policies distributively. The evaluation results show a significant decrease in the verification cost of the single verification node, which provides a better load balance across the sensor nodes.

1. Introduction

WSNs are key enablers for the development of the Internet of Things (IoT), being responsible for collecting surrounding context and environment information. In a service-oriented WSN [1, 2], multiple sensor nodes with different basic services, for example, data aggregation, data processing, and decoding, can cooperate with each other to develop new applications rapidly. However, because of the variety and regional characteristics of a WSN, the data provided by the sensor nodes have different security levels. When services are composed, data are transmitted among these nodes, and an operation in a node that assigns high-level data to a low-level object would cause information leakage with a serious impact on public safety or personal privacy.

For example, a personal health helper service can provide health advice according to body status and environmental data. Most former work mainly focuses on the access control of individual services [3, 4]. But in a service chain, data may be computed from prior services, which can result in undesired information leakage. When the collection service is completed, the data collected by the wearable sensors and environmental sensors are delivered to the data processing node, such as a mobile phone. Health information may leak to an untrusted third party through illegal operations during data processing. So information flow security is one of the major concerns about service composition in sensor network environments.

One issue in the information flow security of a composite service is the dynamic dependence among various objects in different service participants. Accorsi and Wonnemann [5] use Petri nets to represent the workflow and detect information leaks in workflow descriptions based on static information flow analysis. But this work can only validate the information flow in a fixed workflow with static input and output dependences. In a service-oriented WSN, there are several candidate services with the same function whose dependences between input and output differ from each other. It is necessary for the user to select the appropriate service for the secure composition of the service chain. She et al. [6, 7] define transformation factors to measure how likely the output depends on the input data in different candidate services. But it is hard to define the LR, MR, and HR transformation factors. Therefore, a suitable dependence model is required for the analysis of the information flow in different candidate services.

Another major issue for information flow verification in a WSN is the energy cost of the verification node. Zorgati and Abdellatif [8] and She et al. [9] propose centralized verification approaches against information flow control policies to ensure end-to-end security in wired networks. However, in a WSN the sensor node is energy limited, and the centralized way consumes a lot of the verification node's energy. Yildiz and Godart [10] propose a decentralized service composition approach that considers information flow policies in an inexpensive manner, but its policies are static. Based on an information flow type system, Hutter and Volkamer [11] specify composition rules to control the security of dynamically computed data and their proliferation to other web services. But it costs the sensor node extra energy to compile the service code again before the service execution.

In this paper, we present a distributed information flow verification approach applied to the composition of a service chain in a wireless sensor network. Our contributions include the following. For the dynamic dependences in a service chain, we define the intra- and interservice dependences among different objects in a composite service based on the PDG. We specify the security constraints for each service participant based on these dependences and the lattice model. We propose a decentralized information flow verification approach that executes the verification process distributively to provide a better load balance across the sensor nodes in a WSN.

The rest of the paper is structured as follows. Section 2 presents the basic definitions of the wireless sensor service system. Section 3 specifies the security constraints for each service participant based on the analysis of the information flow in the service chain. In Section 4, we propose the distributed information flow verification framework based on the secure information flow model. Section 5 evaluates the proposed verification approach. Section 6 concludes the paper.

2. Wireless Sensor Service System

A wireless sensor service system (WSS) is a large-scale distributed environment consisting of multiple wireless sensor nodes, public data resources, and security authorities, as shown in Figure 1. Sensor nodes in the WSN can collect these resources and provide different basic functions, such as data analysis or processing, which are treated as various services in the WSN. There is also a security authority for each data resource that manages the security levels of the data, which are used for the security verification. The service on each sensor node is defined as follows.

Figure 1: A wireless sensor service system.

Definition 1. Each service is a tuple , where is the identifier of the service; is the set of input of service; is the set of the output of service; is composed of a sequence of actions ; is the certificate of the service which specifies the security properties of service.

In the WSS, various services are provided by different sensor nodes. These individual services can also be combined to generate a more powerful service. During the execution of a composite service, each service node collects data from its local storage or the public resources, processes the input data, and finally provides results to the sink nodes. On the other hand, these nodes may also update the local storage or store data to the public data resources in the WSS. A composite service can be denoted as a directed graph, where a vertex is a service component and an edge represents a composition relationship from one service to another. In this paper, we investigate a simplified composite service, the service chain, which is defined as follows.

Definition 2. A service chain can be represented as a tuple where is a sequence of services ; is the set of input of , ; is set of output of .

In a service chain , the predecessor of a service is denoted as , and the successor of a service is denoted as . denotes the node that sends the initial request to , and denotes the sink node that receives the service result from . Figure 2 shows a simple service chain model.

Figure 2: A service chain model.

Due to the dynamic and heterogeneous sensor network environment, it is necessary to select appropriate services to satisfy different requirements, including QoS and security. In this paper, we focus on the verification of information flow security in a composite service chain and on providing support for the security-enforced selection of services in a WSN.

3. Secure Information Flow Model

3.1. Security Label Model

For the information with different sensitivities, we use multilevel security labels to describe the security properties of objects .

Definition 3. Security label model is defined as a lattice , where is a finite set of security levels that is totally ordered by ≤.

The lattice model is widely used in government or military systems in which the security classes are determined solely from the four security levels: unclassified, confidential, secret, and top secret [12].

For a clear discussion, in this paper we define that each object has a provided and a required security level, and , which specify the read and write permissions possessed by . The provided security labels of the objects are given by the data owners and specified in certificates. The required security labels of data objects are computed according to the dependence between the input and output data.

3.2. Information Flow in Service Component

In a service chain, the information flow through is shown in Figure 3. We consider a data flow model in which each service may read from a set of input data objects and write to a set of output data objects. The set of input objects of a service includes all the objects that receives from its predecessor and all data objects obtained from the public data resources or stored in the local storage in sensor nodes. The set of output objects of includes all the objects that sends to its successor and all the data objects that updates to the public data resources and the local storage.

Figure 3: Information flow in service component.

For the input information for , there is , where (i) is the set of all input objects that receives from its predecessor ; (ii) is the set of all input objects from the public data resources; (iii) is the set of all input objects located in local storage in sensor nodes.

For the output information for , there is , where (i) is the set of all output objects that sends to its successor ; (ii) is the set of all output objects that updates to the public data resources; (iii) is the set of all output objects that writes to the local storage in sensor nodes.

In order to validate the information flow in , we need to analyze the relationships between the input and output objects. The output is computed from during the execution of the service function . The syntax of is defined as follows: A service function consists of a collection of activities, some of which are control and computation operations, while others are responsible for receiving the inputs from different sources and producing output data to the required objects . We can establish the program dependence graph (PDG) [13] of according to its syntax to analyze the relationships among the different objects used in . The PDG is defined as follows.

Definition 4. A program dependence graph (PDG) is a directed graph , where the expressions and the activities in constitute the nodes of the graph and the edges express data and control dependences. A data dependence represented by an edge means that activity assigns variable , which is used in activity . A control dependence represented by an edge means that the execution of depends on the value of the expression , which is typically a branch or loop condition.

Once a program dependence graph has been constructed, a program backward slice [14] is used to analyze the dependences among the different objects used in activities and expressions in . Here we use to represent the obtained dependency set of an object .
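As an added example (not code from the paper), the PDG construction of Definition 4 and the backward slice that yields an output object's dependency set are worked out in Python for a constructed service body; it also shows that a control dependence (a branch on a local object) enters the dependency set of every output written inside that branch. The statement list, the object names and the single-assignment simplification are assumptions.

```python
"""Build a program dependence graph (PDG) for a small service function and
compute each output object's dependency set with a backward slice.
Added example; the statements below are a constructed service body."""
from collections import defaultdict, deque

# Constructed service function: every statement defines at most one variable
# (assumed single assignment), uses some variables, and may be control-dependent
# on a branch expression. Input objects come from the predecessor (in_pred),
# public data (in_pub) or local storage (in_loc); outputs go to the successor
# (out_succ), public data (out_pub) or local storage (out_loc).
STATEMENTS = [
    # id,   defines,     uses,             control-dependent on
    ("a1", "tmp",       ["in_pred"],      None),
    ("a2", "t2",        ["in_pub"],       None),
    ("e1", None,        ["in_loc"],       None),   # branch condition on a local object
    ("a3", "out_succ",  ["tmp", "t2"],    "e1"),   # executed only inside the branch
    ("a4", "out_loc",   ["in_pub"],       None),
    ("a5", "out_pub",   ["t2"],           "e1"),   # also inside the branch
]
INPUT_OBJECTS = {"in_pred", "in_pub", "in_loc"}


def build_pdg(statements):
    """Return (deps, definer): deps maps a node to the nodes it depends on
    (data or control edges, stored in reverse so a backward slice is a plain
    reachability walk); definer maps each variable to the node defining it.
    Input objects are modelled as nodes that define themselves."""
    definer = {obj: obj for obj in INPUT_OBJECTS}
    deps = defaultdict(set)
    for sid, defined, uses, ctrl in statements:
        for var in uses:
            deps[sid].add(definer[var])       # data dependence: definer -> sid
        if ctrl is not None:
            deps[sid].add(ctrl)               # control dependence: ctrl -> sid
        if defined is not None:
            definer[defined] = sid
    return deps, definer


def backward_slice(deps, node):
    """All nodes from which `node` is reachable along dependence edges."""
    seen, queue = set(), deque([node])
    while queue:
        current = queue.popleft()
        for dep in deps.get(current, ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def dependency_set(statements, output_obj):
    """Input objects that output_obj depends on (the per-output statement a
    service certificate would record)."""
    deps, definer = build_pdg(statements)
    return backward_slice(deps, definer[output_obj]) & INPUT_OBJECTS


if __name__ == "__main__":
    for out in ("out_succ", "out_loc", "out_pub"):
        print(out, sorted(dependency_set(STATEMENTS, out)))
```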

Based on the dependency set , we can compute output object required security level according to the following equations: for ,

Based on the previous equation, we can obtain the following.

Theorem 5. For , there is

Each service has inputs and outputs with different security levels. The value of an input object with a high-level security label may flow to a low-level output object during the execution of the service and cause an information leak. Therefore, the definition of secure information flow in a service component is given as follows.

Definition 6. The information flow in service component is considered secure if it satisfies that for , there are

The previous condition ensures that no lower-level object in the public resources or local storage stores data with a higher security level during the execution of each service.

3.3. Secure Information Flow in Service Chain

Consider the service chain . The output data sent from to , , may be dynamically computed from some data stored by sensor node and public data resources, and , and some data received from , . may be further processed by and computed into which is delivered to service , . And the dependence between objects belonging to different service components is considered as the interservice dependence. The interservice dependence set of object , , is defined as follows.

Definition 7. For objects and where , is in which satisfies one of the following two conditions:  ,.

For two adjacent services and where , there are four cases that need to be considered. For = , there is an interservice dependence between and . For and , there is an interservice dependence between them if there are objects and that depends on. For and , externally depends on if there are objects and that depends on . For = , if there are two objects , that , while data object in depends on , and depends on in , we call that externally depends on .

For two services and where , if there is an object in , which externally depends on , while externally depends on , the dependence between and is the interservice dependence.

For a service chain where and , , we use that denotes the start node which sends the initial request to , and denotes the sink node which receives the service results from . And we assume that , , , and .

Definition 8. The information flow in service chain is considered secure if and only if it satisfies that for , there are

According to the definition of the secure information flow in and , we can obtain the following lemmas and theorems.

Lemma 9. In a service chain , , satisfies

Proof. First, let , then there are two service components and .
For , Theorem 5 provides that , and there is .
And there is no interservice dependence in , so the lemma is proved.
For , there are two cases to consider.
Case .. Theorem 5 provides .
Case .. In this case, the definition of the interservice dependence provides where Theorem 5 provides that And there is Based on (8), (9), and (10), we can get In conclusion, when , the lemma is proved.
Then we suppose that the lemma is true when ; that is, for , , there are And the case that is proved as follows: for , there are also two cases to consider.
Case .. In this case, Theorem 5 provides .
Case .. In this case, the definition of the interservice dependence provides where Theorem 5 provides that The previous assumption provides that for , there is and there is
Based on (14), (15), and (16), we can get In conclusion, when , the lemma is proved.

Lemma 10. If the information flow of each service in first step of is secure, , satisfies

Proof. For , there are also two cases to consider.
Case 1. . In this case, the secure information flow Definition 6 provides .
Case 2. . In this case, the definition of the interservice dependence provides where The secure information flow Definition 6 provides Theorem 5 provides that And Lemma 9 provides that And there is Based on (20), (21), (22), and (23), we can get In conclusion, the lemma is proved.

Theorem 11. For a service chain , if the information flow in each service component is considered secure, the flow in the service chain is secure.

Proof. Let , and the theorem is proved based on Lemma 10.

4. Distributed Information Flow Verification Framework for Wireless Service Composition

4.1. Information Flow Verification Framework

For a service chain , there are several candidate services, with different implementations by developers, for each service step . In the distributed information flow verification framework, each sensor node is only responsible for validating its next-step candidate service nodes , which balances the energy cost that would otherwise fall on a single verification node. The distributed information flow verification framework is shown in Figure 4.

Figure 4: Decentralized information flow verification framework.

In our framework, the Service Authorization Centre (SAC) is a trusted third party that generates service certificates before the deployment of the sensor node. There are two phases in the verification of the information flow: the service certificate setup phase and the service verification phase. The service certificate, which specifies the security properties of the service, that is, the dependence between the service input and output, is first generated and signed by the SAC. During the service composition procedure, the service composer obtains the required service certificates and verifies the information flow in the candidate nodes. These two phases are detailed in the following sections.

4.2. Service Certificate Setup

Service certificate setup is the preparation phase of the verification process, which is shown in Figure 5. In this phase, the service developer submits an authorization request containing the service function code of the service node to the SAC. The generated service certificate is then installed on the sensor node together with the service. Considering the complexity and security of the service code transmission, the authorization process is executed offline between the service developer and the SAC, so it does not consume extra energy of the sensor node.

Figure 5: Service certificate setup phase.

Definition 12. A service certificate is a tuple , where is the issuer, that is, SAC; is the service identifier; is the set of statements that describe the output data dependence.

The service certificate specifies the attributes of the service, including the service identifier and the dependence between input and output objects in the service function. For the PDG construction of the service function, the SAC uses the algorithms presented in [13]. Once a program dependence graph PDG = has been computed, a dependence set can be established for each node by an intraprocedural backward slice [14], written , containing the set of all nodes in the PDG from which can be reached: . In this paper we mainly consider the dependences between the input and output objects among the PDG nodes; that is, , . For each , its input dependence is written into the certificate. Finally, the certificate is signed by the SAC and sent to the service node, which completes the service certificate setup phase. Algorithm 1 is shown below.

Algorithm 1: Service_Certificate_Set_Up().

When there is a request for the service, the node needs to send its certificate to the composer for information flow verification. The provided security levels of the public and local input data and output objects also need to be sent to the verification node. If the implementation of the service changes, for example, when a new version of the service is published, the service needs to be authorized by the SAC again and reinstalled on the sensor node.

4.3. Service Verification

Service verification is a vital phase in which the verification node requests the service certificates and validates the candidate nodes against the information flow control policies. The verification procedure is shown in Figure 6. During the verification process, the service composer first requests the service certificate and the provided security levels of the public and local data objects. Then the composer computes the required security levels of the output objects and validates whether they satisfy the security constraints.

Figure 6: Service verification phase.

4.3.1. Required Security Level Computation

According to the secure information flow definition in service chain, the required security levels of the data objects need to be computed first. The required security levels of the objects in each service are computed according to the following three computation rules (CR): For , ; For , where ; For , .

specifies that the required security levels of the input objects from public and local storage are equal to their provided security levels. specifies that the required security levels of the input objects from predecessor are determined by that of the output objects in . specifies that the required security levels of the output objects are computed from that of the input objects that the output depends on.

4.3.2. Service Verification

During the service verification, the information flow control policy (IFCP) specifies how to validate a candidate service . Based on the security label model and the definition of the secure information flow in each service, we define the information flow control policies in each service as follows: For , , ; For , , .

Based on the required security level computation rules and the information flow control policies, the verification node can validate a candidate sensor node in a service chain. Algorithm 2 is shown below.

Algorithm 2: Service_Verification().

4.4. Decentralized Information Flow Verification Algorithm for the Service Chain

For each step of the verification, the verification node obtains the set of candidate services that passed, , and then notifies these passed sensor nodes to verify the candidate services of the following step. There are three types of messages for the synchronization of the verification procedure, that is, , , and . is used to allow the candidate service to execute the procedure. When the nodes in the service chain have all passed the service verification process, with the executable path is sent to inform its requestor . During each step of the verification, is sent to the predecessor of the verification node when no candidate service passes the verification in the next step. Algorithm 3 is presented below.

Algorithm 3: Verify_ServiceChain().
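As an added worked example (not code from the paper), the computation rules CR1 to CR3 of Section 4.3.1, the information flow control policy check of Section 4.3.2 and the step-by-step candidate verification of Algorithm 3 are carried out in Python over a constructed three-step chain with two candidate implementations for step 2. The service names, the label values and the convention that a passing node forwards the required levels of its successor-bound outputs to the next step are assumptions.

```python
"""Required security level computation (CR1-CR3), information flow control
policy (IFCP) check and next-step candidate verification for a service chain.
Added example with a constructed lattice, services and certificates."""

# Totally ordered security lattice (Section 3.1); list index is the rank.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


def rank(level):
    return LEVELS.index(level)


def join(levels):
    """Least upper bound; in a total order this is simply the maximum."""
    levels = list(levels)
    return max(levels, key=rank) if levels else LEVELS[0]


class Service:
    """A service with its input/output objects and certificate statements.
    inputs:    name -> (source, provided level), source in {"pred", "pub", "loc"}
    outputs:   name -> (sink, provided level),   sink   in {"succ", "pub", "loc"}
    cert_deps: certificate statements (Definition 12): output -> inputs it depends on."""

    def __init__(self, sid, inputs, outputs, cert_deps):
        self.sid, self.inputs, self.outputs, self.cert_deps = sid, inputs, outputs, cert_deps


def required_levels(service, pred_required):
    """CR1: public/local inputs keep their provided level.
    CR2: inputs from the predecessor take the required level of the matching
         predecessor output (pred_required, sent by the verifying node).
    CR3: each output takes the join of the required levels it depends on."""
    req = {}
    for name, (src, provided) in service.inputs.items():
        req[name] = provided if src in ("pub", "loc") else pred_required[name]
    for out, deps in service.cert_deps.items():
        req[out] = join(req[d] for d in deps)
    return req


def verify_service(service, pred_required):
    """IFCP: an object written to public or local storage must not require a
    level above the object's provided level. Successor-bound outputs are
    checked by the next step. Returns (passed, violations, required levels)."""
    req = required_levels(service, pred_required)
    violations = [(out, req[out], provided)
                  for out, (sink, provided) in service.outputs.items()
                  if sink in ("pub", "loc") and rank(req[out]) > rank(provided)]
    return not violations, violations, req


def verify_chain(steps):
    """Each node that passed step i verifies the candidates of step i+1 and
    forwards the required levels of its successor-bound outputs; a path with
    no passing candidate is dropped (the FAIL case of Algorithm 3).
    Returns the executable paths as lists of service ids."""
    paths = [([], {})]                      # (path so far, levels sent to the next step)
    for candidates in steps:
        survivors = []
        for path, pred_req in paths:
            for svc in candidates:
                passed, _, req = verify_service(svc, pred_req)
                if passed:
                    to_succ = {o: req[o] for o, (sink, _) in svc.outputs.items() if sink == "succ"}
                    survivors.append((path + [svc.sid], to_succ))
        paths = survivors
    return [path for path, _ in paths]


# Constructed chain: S1 collects data, two candidates for step 2, S3 reports.
S1 = Service("S1", {"temp": ("pub", "unclassified"), "hr": ("loc", "secret")},
             {"report": ("succ", None)}, {"report": {"temp", "hr"}})
S2A = Service("S2a", {"report": ("pred", None)},
              {"summary": ("pub", "confidential"), "result": ("succ", None)},
              {"summary": {"report"}, "result": {"report"}})
S2B = Service("S2b", {"report": ("pred", None)},
              {"summary": ("loc", "top secret"), "result": ("succ", None)},
              {"summary": {"report"}, "result": {"report"}})
S3 = Service("S3", {"result": ("pred", None), "cfg": ("pub", "unclassified")},
             {"log": ("pub", "unclassified"), "advice": ("succ", None)},
             {"log": {"cfg"}, "advice": {"result", "cfg"}})
STEPS = [[S1], [S2A, S2B], [S3]]

if __name__ == "__main__":
    # S2a would store secret-derived data in a confidential public object: rejected.
    print(verify_service(S2A, {"report": "secret"})[1])
    print(verify_chain(STEPS))   # [['S1', 'S2b', 'S3']]
```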

5. Experiments and Evaluations

This paper studies a distributed information flow verification framework for service composition in a WSN. Through the security analysis in Section 3, the information flow security is ensured by Theorem 11. In this section, we investigate the impact of distributed service verification on the sensor node's cost, including verification time and communication effort. A centralized approach performs the service verification work on a single sensor node. We test both approaches with NS-3 [15] in multiple scenarios. Table 1 shows further details of the simulation configuration.

Table 1: Simulation Configuration.

Figure 7 shows the computation time on the verification node. In the centralized way, the time rises sharply as the number of candidate services increases, because the number of execution paths that need to be verified grows at an exponential rate. In the distributed way, however, the time increases slowly because there is no significant variation in the number of candidate nodes that each sensor node needs to verify.

Figure 7: Computation time on the verification node(s).

Figure 8 shows the communication effort on the verification node. In Figure 8, the communication effort in the centralized way is evidently higher than in the distributed way. That is because the single verification node needs to communicate with all other service nodes in the centralized way, while in the distributed way each node only needs to communicate with the next-step service nodes, which decreases the communication effort and saves the energy of the sensor nodes.

Figure 8: Communication effort on the verification node(s).

6. Conclusion

In this paper, we specify the security constraints for each service participant based on the partial order model and propose a decentralized information flow verification approach in which the sensor nodes cooperate to verify the information flow security distributively and build up secure service chains in wireless sensor environments. The NS-3 simulation results show that this approach can decrease the cost of the sensor nodes effectively.

Acknowledgments

This work is supported by Program for the Key Program of NSFC-Guangdong Union Foundation (U1135002), Major National S&T Program (2011ZX03005-002), National Natural Science Foundation of China (60872041, 61072066), and the Fundamental Research Funds for the Central Universities (JY10000903001, JY10000901034, and K5051203010).

References

  1. A. Rezgui and M. Eltoweissy, “Service-oriented sensor-actuator networks,” IEEE Communications Magazine, vol. 45, no. 12, pp. 92–100, 2007.
  2. D. Gračanin, M. Eltoweissy, A. Wadaa, and L. A. DaSilva, “A service-centric model for wireless sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 23, no. 6, pp. 1159–1165, 2005.
  3. E. Bertino, A. C. Squicciarini, and D. Mevi, “A fine-grained access control model for Web services,” in Proceedings of the IEEE International Conference on Services Computing (SCC '04), pp. 33–40, September 2004.
  4. R. Bhatti, E. Bertino, and A. Ghafoor, “A trust-based context-aware access control model for Web-services,” in Proceedings of the IEEE International Conference on Web Services (ICWS '04), pp. 184–191, July 2004.
  5. R. Accorsi and C. Wonnemann, “Static information flow analysis of workflow models,” in INFORMATIK 2010: Business Process and Service Science, Proceedings of ISSS and BPSC, vol. 177 of Lecture Notes in Informatics, pp. 194–205, 2010.
  6. W. She, I. L. Yen, B. Thuraisingham, and E. Bertino, “The SCIFC model for information flow control in web service composition,” in Proceedings of the IEEE International Conference on Web Services (ICWS '09), pp. 1–8, July 2009.
  7. W. She, I. L. Yen, B. Thuraisingham, and E. Bertino, “Policy-driven service composition with information flow control,” in Proceedings of the IEEE 8th International Conference on Web Services (ICWS '10), pp. 50–57, July 2010.
  8. H. Zorgati and T. Abdellatif, “SEWSEC: a SEcure web service composer using Information flow control,” in Proceedings of the 6th International Conference on Risks and Security of Internet and Systems (CRiSIS '11), 2011.
  9. W. She, I. L. Yen, B. Thuraisingham, and S. Y. Huang, “Rule-based run-time information flow control in service cloud,” in Proceedings of the IEEE International Conference on Web Services (ICWS '11), pp. 524–531, 2011.
  10. U. Yildiz and C. Godart, “Information flow control with decentralized service compositions,” in Proceedings of the IEEE International Conference on Web Services (ICWS '07), pp. 9–17, July 2007.
  11. D. Hutter and M. Volkamer, “Information flow control to secure dynamic web service composition,” in Security in Pervasive Computing, vol. 3934 of Lecture Notes in Computer Science, pp. 196–210, 2006.
  12. D. E. Denning, “A lattice model of secure information flow,” Communications of the ACM, vol. 19, no. 5, pp. 236–243, 1976.
  13. J. Ferrante, K. J. Ottenstein, and J. D. Warren, “The program dependence graph and its use in optimization,” ACM Transactions on Programming Languages and Systems, vol. 9, no. 3, pp. 319–349, 1987.
  14. G. Snelting, T. Robschink, and J. Krinke, “Efficient path conditions in dependence graphs for software safety analysis,” ACM Transactions on Software Engineering and Methodology, vol. 15, no. 4, pp. 410–457, 2006.
  15. NS-3 Project, open source project, http://www.nsnam.org/.