USING LATTICE TO DYNAMICALLY PREVENT INFORMATION LEAKAGE FOR WEB SERVICES

Transcription

1 USING LATTICE TO DYNAMICALLY PREVENT INFORMATION LEAKAGE FOR WEB SERVICES Shih-Chie Chou Departmet of Computer Sciece ad Iformatio Egieerig, Natioal Dog Hwa Uiversity, Taiwa ABSTRACT The use of web services becomes importat. Sice web services may be provided by ukow providers, may researchers desiged mechaisms to esure secure access of web services. Existig mechaisms geerally statically decides whether a requester ca ivoke a web service but igore the importace of dyamically prevetig iformatio leakage durig web service executio. This paper proposes a latticebased iformatio flow cotrol model WSIFC (web service iformatio flow cotrol) to dyamically prevet iformatio leakage. It uses simple rules to moitor the flows of sesitive iformatio durig web service executio. KEYWORDS Web service, iformatio flow cotrol, iformatio leakage prevetio 1. INTRODUCTION May researchers desig mechaisms to esure secure access of web services. Existig researches geerally statically decide whether a requester ca ivoke a web service usig mechaisms such as attributes ad credetials. I our opiio, the static operatio is isufficiet. It is also ecessary to dyamically esure web service security. Dyamically esurig web service security prevets iformatio leakage durig web service executio. This prevetio is importat because a web service may be dishoest or malicious, which may leak sesitive iformatio received from requesters. Eve a hoest ad friedly web service may also icidetally leak iformatio durig web service executio. For example, suppose a requester seds his credit card iformatio to a hoest web service for a paymet. If the web service icidetally displays the credit card iformatio o the scree ad the iformatio is captured by a malicious perso, iformatio leakage occurs. Accordig to the above descriptio, dyamically prevetig iformatio leakage durig web service executio is crucial. The prevetio ca be achieved by a iformatio flow cotrol model [1-2], which esures that every iformatio flow is secure durig software executio. A iformatio flow may occur uder the followig situatio: (a) assig a expressio result to a variable, (b) read a iput device, (c) write a output device, ad (d) sed iformatio to aother site. Our previous work proposed a iformatio flow cotrol model for web services [3], which is composed of a trust maagemet mechaism ad a iformatio flow cotrol model. The former mechaism statically checks whether a requester ca ivoke a web service ad the latter model dyamically prevets iformatio leakage durig web service executio. Although the dyamic iformatio flow cotrol model prevets all iformatio leakage, its rutime overhead is large. To reduce the overhead, we use a far simpler approach to desig a ew iformatio flow cotrol model WSIFC (web service iformatio flow cotrol) for web services. WSIFC is a pure dyamic model. It reuses the trust maagemet mechaism of our previous work to statically decide whether a requester ca ivoke a web service. DOI : /ijsptm

2 2. RELATED WORK XACML [4] is a stadard offerig mechaisms to describe access policies for web services. The model proposed i [5] is a implemetatio of XACML. It allows requesters to use PMI (privilege maagemet ifrastructure) for maagig the checkig, retrieval, ad revocatio of autheticatio. The model also uses a RBAC-based web service access cotrol policy to determie whether a requester ca ivoke a web service. The model proposed i [6] uses X- GTRBAC [7] to cotrol the access of web services. X-GTRBAC ca be used i heterogeeous ad distributed sites. Moreover, it applies TRBAC [8] to cotrol the factor related to time. The model i [9] determies whether a compositio of web services ca be ivoked. It offers a laguage to describe policies, which check whether a compositio of web services ca be ivoked. The model i [10] uses RBAC (role-based access cotrol) cocept [11] to defie policies of accessig a web service. It is a two-leveled mechaism. The first level checks the roles assiged to requesters ad web services. A authorized requester is a cadidate to ivoke a web service. The secod level uses parameters as service attributes ad assigs permissios to the attributes. A authorized requester ca ivoke a web service oly whe it possesses the permissios to access the attributes. I additio to the researches discussed above, quite a few researches focus o egotiatio amog requesters ad web services. I geeral, egotiatio ca be regarded as access cotrol. We survey some of them. The model Trust-Serv [12] uses state machies to dyamically choose web services at ru time. The choosig is a kid of egotiatio. It uses trust egotiatio [13] to select web services that ca be ivoked. The kerel compoet to determie whether a web service ca be ivoked is credetial. The model i [14] uses digital credetials for egotiatio. It defies strategies for egotiatio policies. The model i [15] hadles k-leveled ivocatio of web services. The primary compoet used i the model is credetials. I the survey of [16], the authors especially emphasize the importace of data privacy i a cloud computig eviromet (a cloud computig eviromet mode ca also be applied i web services). They believe that iformatio flow cotrol is a good solutio for the problem. However, the article did ot propose a cocrete iformatio flow cotrol model for cloud eviromets. Accordig to our survey, existig models geerally statically determie whether a requester ca ivoke a web service. As to dyamically prevetig iformatio leakage durig web service executio, they do othig. 3. THE MODEL Our previous work uses two time-cosumig rules ad a complicated joi operator to cotrol every variable access [3]. This results i large rutime overhead. I our opiio, sedig sesitive iformatio to a web services may be uavoidable. However, requesters may ot sed too much sesitive iformatio to web services accordig to security cosideratio. For the web services whose providers are ot trusted by a requester, the requester may eve sed o sesitive iformatio to the web services. To reduce rutime overhead, our model WSIFC cotrols oly the access of sesitive variables. WSIFC is based o lattice. A lattice is a partial ordered graph cosistig of a mi-ode ad a max-ode. If a lattice is used to cotrol iformatio flows, the mi-ode possesses the least privileges while the max-ode possesses the most oes. The traditioal lattice-based model uses the o read up ad o write dow rules to cotrol iformatio flows (ote that the ca flow relatioships i [1] iherits the spirit of the two rules). If the security levels of sesitive iformatio are structured usig the lattice model ad the two rules are obeyed, o iformatio leakage will occur. However, the traditioal lattice-based iformatio flow cotrol model is a MAC (madatory access cotrol), which is criticized as too restricted. To loose the restrictio, 16

3 WSIFC oly places sesitive variables i a lattice ad uses simple rules to replace the restricted o read up ad o write dow rules. Before formally defiig WSIFC, we first describe iformatio leakage i more details. Geerally, iformatio leakage occurs whe malicious persos or web services illegally obtai others sesitive iformatio. I geeral, persos ca obtai iformatio from scree or files, ad web services ca obtai iformatio from files or other web services (either executig o the same site or o the other oes). Iformatio leakage may thus happe whe: (a) sesitive iformatio is output to screes or files or (b) sesitive iformatio is trasferred to other web services. I our research, we suppose iformatio trasferrig o the etwork is secure ad thus skip the problem of cryptography. We also skip the effect of viruses ad worms because they are out of the scope of our research. Below we tur our focus back to WSIFC. WSIFC uses security levels to decide whether a istructio may leak sesitive iformatio durig the executio of a web service. It attached a security level to every sesitive variable. Sice a lattice is partial ordered ad WSIFC is lattice-based, security levels should also be partial ordered. To achieve this, a security level i WSIFC is defied as: (Gp, security level umber), i which Gp is a group umber ad security level umber decides the sesitivity of the variable. To compare or exchage iformatio associated with security levels, the iformatio should be withi the same group, which achieves partial orderig. Partial orderig is ecessary whe variables are icomparable. For example, a variable storig a America s salary with a uit of USD caot be compared with oe storig a Taiwaese s salary with a uit of NTD. Accordig to the above descriptio, the group umber i a security level achieves partial orderig ad the security level umber decides the sesitivity of a variable. A security level umber is betwee 0 ad, i which 0 meas the less sesitive iformatio ad the most sesitive oe. The umber is decided by the user, i which larger results i fier-graied cotrol. I additio to security level, a sesitive variable is also associated with a tag, which is a set. A compoet i the set is a IP address plus a port umber pair (port umbers represet web services i the IP). Tag decides whether sedig iformatio of a sesitive variable to aother web service is secure. If the IP address plus port umber pair of a web service is withi a sesitive variable s tag, iformatio of the variable ca be set to the web service. By ow we have discussed sesitive variables. As to o-sesitive oes, they possess either security levels or tags. That is, o-sesitive variables are ot placed i a lattice. Nevertheless, the security level ad tag of a variable may be adjusted durig web service executio, which implies that a o-sesitive variable may become sesitive ad vice versa durig rutime. For example, after executig the statemet a=b;, the security level ad tag of variable a is adjusted to be the same as those of b. If b is sesitive, a becomes sesitive. As metioed before, sesitive iformatio maaged by a web service may be leaked oly whe: (a) it is output to files or screes or (b) whe it is trasferred to other web services. The latter case of leakage ca be preveted by tags associated with sesitive variables. To achieve the former leakage prevetio, every file ad scree that may receive output iformatio should also be associated with a security level. Geerally, the security level of a scree is decided by its locatio. The oly possibility of chagig a scree s security level is chagig its locatio. However, chagig scree locatio is oly kow by persos ad web service will ever kow that. Therefore, the security levels of screes will be uchaged durig web service executio. As to files, their security levels also caot be adjusted because the adjustmet will affect the access of the existig iformatio withi the files. For example, if the security level umber of a file is 3, it ca be accessed by a user possessig a privilege to access files whose security level umber is 3 or lower. If the security level of a file is adjusted to be 4, the user metioed above ca o loger 17

4 access the file. Adjustig the security levels of files is thus ifeasible. I additio to writig a file, readig a file may also cause iformatio leakage. For example, if a low sesitive variable iteds to read the cotets of a high sesitive file, rules should be defied to prevet iformatio leakage. We will give iformatio leakage prevetio rules for WSIFC after defiig the model. The kerel cocepts of WSIFC have bee described i details above. Below we give a defiitio to WSIFC. To prevet iformatio leakage durig the executio of a web service, WSIFC should be embedded i the web service. Defiitio WSIFC = (SV, SC, SF, SVSL, SCSL, SFSL, SVTAG, MIN, MAX), i which a. SV is the set of sesitive variables. Iitially, every variable i a web service is o-sesitive. Whe the web service is ivoked ad receives sesitive iformatio set from a requester, the parameters receivig sesitive iformatio become sesitive. Durig web service executio, sesitive parameters may be assiged to other variables, which results i more sesitive variables that should be moitored. b. SC is the set of sesitive screes. The security levels of screes are decided by their locatios ad will be uchaged durig web service executio. c. SF is the set of sesitive files. The security levels of sesitive files caot be chaged. d. SVSL is the set of security levels for sesitive variables. A security level is composed of a group umber ad a security level umber. e. SCSL is the set of security levels for sesitive screes. The security level of a sesitive scree caot be chaged durig the executio of a web service. f. SFSL is the set of security levels for sesitive files. The security level of a sesitive file caot be chaged durig the executio of a web service. g. SVTAG is a set of tags. If the iformatio of a sesitive variable ca be trasferred to other web services, the variable should be associated with a tag cotaiig a set of IP address plus port umber pairs. h. MIN is the mi-ode of WSIFC. i. MAX is the max-ode of WSIFC. For simplificatio purposes, we do ot iclude other I/O devices such as keyboards ad mice i Defiitio 1. WSIFC uses the same approaches to cotrol iformatio flows to/from I/O devices other tha files ad screes. If a device ca be read, its cotrol is the same as readig a file. If iformatio ca be output to a device ad the iformatio ca oly be accessed by persos, the cotrol is the same as writig iformatio to a scree. If iformatio ca be output to a device ad the iformatio ca be accessed by persos ad web services, the cotrol is the same as writig a file. (0,15) (1,15) (2,15) (0,2) (1,2) (2,2) (0,1) (1,1) (2,1) (0,0) (1,0) (2,0) Figure 1. A example lattice of WSIFC 18

5 I the lattice-based WSIFC, a ode may cotai oe or more security levels. Moreover, sice variables, files, screes, ad other I/O devices may be i the same security level, a security level i WSIFC may be associated with multiple sesitive items such as variables ad files. Figure 1 depicts a example lattice of WSIFC, which oly shows the security levels but ot the sesitive items associated with the security levels. I the followig paragraphs we will defie the rules to cotrol iformatio flows usig WSIFC. Rule 1. Sesitive variables appear i a derivatio statemet should be i the same group. Here a derivatio statemet is oe that will cause iformatio flows such as assigmet statemet. As to o-sesitive variables or costats, they ca appear i ay statemet ad will ot affect the executio of the statemet. Rule 1 is a umbrella rule costraiig the others. That is, if Rule 1 is violated, o derivatio statemet ca be executed Rule 2. If the variable d_var is derived from variables i the sesitive variable set {var i var i is a sesitive variable ad i is betwee 1 ad } ad other o-sesitive variables, WSIFC allows d_var to receive the derived iformatio i ay case. After the assigmet, the security level umber ad tag of d_var are respectively chaged to MAX ( SLV ((var ) )) ad i i= 1 I tag, i which: i=1 i a. The fuctio SLV extracts a sesitive variable s security level umber from its security level. b. The fuctio MAX extracts from a set of umbers the maximum oe. c. tag i is the tag of the sesitive variable var i. be executed. Rule 2 may cofuse may readers because it completely violates the o read up ad o write dow rules of the traditioal lattice-based model. I additio, it cotrols either read or write access. We explai Rule 2 as follows. Before that, we make a crucial assumptio, which is: every data assiged to a variable is reliable. Existig iformatio flow cotrol models geerally do ot allow iformatio with high security level to be assiged to low security level variable. O the other had, WSIFC allows every assigmet. To prevet leakage whe sesitive iformatio is output, WSIFC chages the security level ad tag of a variable receivig a value as metioed above. Suppose variable d_var is assiged a value derived from a sesitive variable set {var i }. The, the security level umber of d_var will be chaged to MAX ( SLV ((var ) )). Accordig to the chage, the security i i= 1 level of d_var will be upgraded if the iitial SLV(d_var) is smaller tha MAX ( SLV ((var ) )). The upgradig prevets the variable d_var from beig leaked. O i i= 1 the other had, if the iitial SLV(d_var) is larger tha MAX ( SLV ((var ) )), the security i i= 1 level of d_var will be dowgraded. Uder this situatio, the iformatio obtaied by d_var will also ot be leaked. Accordig to the crucial assumptio every data assiged to a variable is reliable metioed above, both read ad write access are secure accordig to Rule 2. Below we use the statemet a=b+c+d; to explai Rule 2 (here we bypass the discussio of tags, which will be discussed i Rule 6). Suppose the iitial security levels of the variables a, b, c, d, are respectively (1,1), (1,2), (1,3), ad (1,4). I this case, the security level of the variable a is the smallest ad existig iformatio flow cotrol model will ba the assigmet. However, WSIFC allows the above statemet to execute. After the executio, WSIFC chages the security of 19

6 variable a to be (1,4). Accordig to the chage, the security level of variable a have bee upgraded ad therefore o iformatio leakage will occur. O the other had, if the iitial security level of variable a is (1,5), the security level of variable a will be set (1,4) after the assigmet. Rule 2 will become o-secure oly whe the above crucial assumptio is t fulfilled. I this case, low security level variables may maliciously corrupt the iformatio carried by high security level variables (ote that eve i this case, o iformatio leakage will occur). We caot estimate the possibility of the corruptio. However, as the assumptio is a compromise to reduce rutime overhead, takig risk is uavoidable. We thik that makig a compromise to bypass write check i Rule 2 is acceptable because the compromise may oly corrupt but ot leak iformatio. Sice the primary objective of WSIFC is prevetig iformatio leakage, a compromise that will ot hurt the primary objective is ot that serious. Rule 3. To output the iformatio of a sesitive variable SVAR to a scree SCRN, SLV(SCRN) should be at least as large as SLV(SVAR). Remember that the fuctio SLV extracts a sesitive variable s security level umber. This rule avoids high sesitive iformatio to be captured by persos that ca oly read low sesitive iformatio from a scree. Rule 4. If a variable VAR iteds to read iformatio from a file FLE, the readig operatio is allowed. After the readig, the security level ad tag of VAR should be set the same as those of the iformatio read from FLE. The spirit of this rule is the same as Rule 2, because readig a value from a file correspods to derivig a value from the file ad the assigig the value to the variable. Rule 5. If a sesitive variable VAR iteds to write its iformatio to a file FLE, SLV(FLE) should be at least as large as SLV(VAR). Readig ad writig a file are totally differet. Whe readig iformatio from a file to a variable, the iformatio beig read ca be protected as log as the security level ad tag of the variable are set the same as the iformatio. O the other had, sice the security level of a file caot be chaged as metioed before, writig iformatio with high security level to a low security level file may result i iformatio leakage. Rule 6. To sed the iformatio of a sesitive variable to aother web service, the service s IP address plus port umber pair should be withi the tag of the variable. I the sedig operatio, the iformatio ad the security level of the variable should be set together so that the web service receivig the iformatio ca protect the iformatio usig WSIFC. 4. PROVE OF CORRECTNESS Iformatio leakage may occur uder the followig cases: (a) the iformatio of a variable is output to a scree, (b) the iformatio of a variable is output to a file, ad (c) the iformatio of a variable is set to web services i other sites. The above cases reveal that iformatio leakage may occur oly whe variable cotets are output (sedig iformatio to other sites ca be cosidered a special case of output). Below we prove that oe of the above metioed cases will leak iformatio. Case 1: Outputtig the iformatio of a sesitive variable to a scree will ot leak iformatio. To prove this case, we make the followig assumptios: (a) SLV(VAR) of the sesitive variable VAR is m ad (b) VAR is output to a scree SCRN whose SLV(SCRN) is. If a perso iteds to access the scree SCRN, the perso should possess a privilege to access screes whose security level umbers are at least. Sice m accordig to Rule 3, Case 1 is true. 20

7 Case 2: Outputtig the iformatio of a sesitive variable to a file will ot leak iformatio. Iformatio output to a scree may oly be leaked to persos. However, iformatio output to a file may be leaked to persos or leaked by web services that read the file. Both the above two situatios should be cosidered for Case 2. Provig iformatio output to a file will ot be leaked to persos is similar to that i Case 1. We do ot duplicate the proof. Below we prove iformatio output to a file will ot be leaked by web services that read the file. Here we oly cosider web services that will ot trasfer iformatio to other sites because the type of web services will be discussed i Case 3 below. To prove Case 2, we assume that: (a) SLV(VAR) of the sesitive variable VAR is m, (b) VAR is output to a file FLE whose SLV(FLE) is, ad (c) WSIFC is embedded i every web service that will access FLE. The third assumptio is crucial because WSIFC caot cotrol iformatio flows of a web service ot embeddig WSIFC. Accordig to Rule 5, m. If a web service reads VAR from FLE ad assigs its iformatio to the variable VAR1, SLV(VAR1) should be set the value m accordig to Rule 4. If VAR1 is output to a scree, the proof of Case 1 esures that the output iformatio will ot be leaked to persos. If VAR1 is output to a file FLE1, the proof goes back to the begiig of this proof. That is, this proof is edless. Although the proof is edless, we kow that the iformatio of a sesitive variable may be: (a) operated by a web service, (b) output to a scree, or (c) writte to a file. The iformatio operated by a web service will ot be leaked because o output occurs. The iformatio output to a scree will ot be leaked as described above. As to the iformatio output to a file, Rules 3 through 5 esures that the iformatio will ot be leaked to persos. Sice o iformatio will be trasferred to other sites i this case, o iformatio will be leaked to persos correspods to o iformatio leakage. Accordig to the above descriptio, Case 2 is true. Case 3: Sedig the iformatio of a sesitive variable to web services i other sites will ot leak iformatio. Suppose the web service WEBSER executig o aother site receives the iformatio of a sesitive variable VAR. To esure WEBSER will ot leak the iformatio it receives, WSIFC should be embedded i WEBSER. As Rule 6 required, WEBSER is withi the tag of VAR, which meas that WEBSER is trusted by VAR. Suppose the parameter PAR i WEBSER receives the iformatio of VAR. Sice receivig the iformatio of a argumet by a parameter ca be regarded as a assigmet statemet, the security level ad tag of PAR will be set the same as those of VAR accordig to Rule 2. After the argumet has bee received, WSIFC will cotrol the iformatio flows of WEBSER durig web service executio. Accordig to Cases 1 ad 2 above, o iformatio leakage will occur i a ormally executig web service that embeds WSIFC. Therefore, Case 3 is true. 5. PROBLEM DISCUSSION May problems should be solved before WSIFC ca be widely applied. We discuss some as follows. 1. WSIFC should be embedded i every web service. To use WSIFC for iformatio leakage prevetio durig web service executio, WSIFC should be embedded i every web service. It is really a problem to require every service provider to embed WSIFC i the web services they provided. Perhaps someday every requester will uderstad the importace of prevetig iformatio leakage durig web service executio. At that day, a stadard model for the prevetio will be defied. Whe the day comes, we hope that more or less of the cocepts i WSIFC ca be icluded i the stadard. 2. The defiitio of security levels betwee requesters ad that withi the web services should be the same. We use a example to explai this. Suppose a requester thiks that a variable with a 21

8 security level umber 8 is oly accessible by maagers or employees with higher grades but a web service thiks this security level is accessible by vice maagers or employees with higher grades. With the assumptios, the iformatio set to the web service may be leaked to vice maagers. To solve this problem, a stadard seems ecessary. 3. Eve the above problems have bee solved, iformatio leakage may still occur. This problem may happe i a web service provided by dishoest or malicious service providers. To solve this problem, we suggest: (a) do t sed highly sesitive iformatio to web services provided by ufamiliar providers, (b) ivoke web services provided by the providers trusted by a requester wheever possible, ad (c) ever ivoke ay web service of a provider if it used to leak iformatio. The third solutio may be the most importat because it is a puishmet. This problem reveals that esurig the security of every service ivocatio is difficult. Perhaps this is the most serious problem to solve because requirig every service provider to be hoest is almost impossible. There are still other problems. We do ot ited to discuss more because may problems are ot withi the techical area but withi the huma maagemet area. We thik that the problems are out of the scope of our research. 6. CONCLUSION May researchers desiged mechaisms to esure secure access of web services. Accordig to our survey, existig models geerally statically decide whether a requester ca ivoke a web service but igore the importace of dyamically prevetig iformatio leakage durig web service executio. This paper proposes a iformatio flow cotrol model WSIFC (web service iformatio flow cotrol) for the prevetio. WSIFC is based o lattice. The traditioal latticebased iformatio flow cotrol model is a MAC (madatory access cotrol) ad is criticized as too restricted. To overcome this, WSIFC uses simple rules to replace the o read up ad o write dow rules for MAC. To reduce rutime overhead, WSIFC oly moitors the flows of sesitive iformatio usig simple rules. WSIFC should be embedded i every web service. If a web service does ot embed the model, iformatio leakage may occur whe the web service is ivoked. Sice web services are provided by providers aroud the world, we caot require every provider to embed WSIFC i their web services. This is a problem almost without solutio. Perhaps the software world eeds a stadard for embeddig a iformatio flow cotrol model i every web service. If the stadard is fially defied, we hope that the importat cocepts proposed by WSIFC ca be used. REFERENCES [1] Deig, D. E., A Lattice Model of Secure Iformatio Flow. Comm. ACM, vol. 19, o. 5, [2] Chou, S. C., Embeddig Role-Based Access Cotrol Model i Object-Orieted Systems to Protect Privacy. Joural of Systems ad Software, 71(1-2), [3] Chou S. C., ad Huag, C. H., A Exteded XACML Model to Esure Secure Iformatio Access for Web Services. Joural of Systems ad Software, vol. 83, o. 1., [4] OASIS, extesible Access Cotrol Markup Laguage (XACML) Versio 1.0. OASIS Stadard 18. [5] She, H. -B., Hog, F., A Attribute-Based Access Cotrol Model for Web Services. IEEE Iteratioal Coferece o Parallel ad Distributed Computig Applicatios ad Techologies (PDCAT'06), [6] Bhatti, R., Bertio, E., Ghafoor, A., A Trust-based Cotext-aware Access Cotrol Model for Web Services. IEEE ICW 04,

9 [7] Bhatti, R., Ghafoor, A., Bertio, E., Joshi, J. B. D., X-GTRBAC: A XML-Based Policy Specificatio Framework ad Architecture for Eterprise-Wide Access Cotrol. ACM Trasactios o Iformatio ad System Security, Vol. 8, No. 2, [8] Bertio, E., Boatti P. A., Ferrari, E., TRBAC: A Temporal Role-Based Access Cotrol Model. ACM Trasactios o Iformatio ad System Security, Vol. 4, No. 3, [9] Seamos, K. E., Wislett, M., Yu, T., Limitig the Disclosure Access Cotrol Policies durig Automated Trust Negotiatio. Network ad Distributed System Security Symposium. [10] Woohoesodo R., Tari, Z., A Role Based Access Cotrol for Web Services. Proceedigs of the 2004 IEEE Iteratioal Coferece o Service Computig, [11] Sadhu, R. S., Coye, E. J., Feistei, H. L., Youma, C. E., Role-Based Access Cotrol Models. IEEE Computer, vol. 29, o. 2, [12] Skogsrud, H., Beatallah, B., Casati, F., Trust-Serv: Model-Rrive Lifecycle Maagemet of Trust Negotiatio Policies for Web Services. Iteratioal World Wide Web Coferece, [13] Yu, T., Wislett, M., Seamos, K., Supportig Structured Credetials ad Sesitive Policies through Iteroperable Strategies for Automated Trust Negotiatio. ACM Trasactios o Iformatio ad System Security, vol. 6, o. 1, [14] Koshutaski, H., Massacci, F., Iteractive Credetial Negotiatio for Stateful Busiess Processes, Lecture otes i computer sciece, [15] ecella, M., Ouzzai, M., Paci, F., Bertio, E., A Access Cotrol Eforcemet for Coversatio-based Web Services. Iteratioal World Wide Web Coferece, [16] J. Baco, D. Eyers, T. F. J. M. Pasquier, J. Sigh, ad P. Piezuch, Iformatio Flow Cotrol for Secure Cloud Computig, IEEE Tras. Network ad Service Maagemet, 11(1), pp , AUTHORS Shih-Chie Chou is curretly a professor i the Departmet of Computer Sciece ad Iformatio Egieerig, Natioal Dog Hwa Uiversity, Hualie, Taiwa. His research iterests iclude software egieerig, process eviromet, software reuse, ad iformatio flow cotrol. 23