Abstract
Service cloud provides added value to customers by allowing them to compose services from multiple providers. Most existing web service security models focus on the protection of individual web services. When multiple services from different domains are composed together, it is critical to ensure the proper information flow on the chain of services. In a service chain, each service needs to determine whether the sensitive information can be directly or indirectly disseminated to the subsequent services. Also, each service in the chain needs to decide whether to accept the data passed to it directly or indirectly from prior services. Moreover, the input data that service si receives from si-1, si. InF, may cause certain side effects inside si, such as updating si's backend database using data computed from si. InF. Service si may wish to allow such side effects in one situation while reject some side effects in another situation. All these decisions should be made based on the service's information flow control policies. To achieve fine-grained information flow control, it is also necessary to analyze the flow and processing of the data and derive the dependencies between the data dynamically generated or used in a service chain. In this paper, we develop a run-time information flow control model for service cloud. First, we develop a run-time dependency analysis mechanism which enables each service in the service chain to determine the correlation between the locally accessed data and the data dynamically generated by the services in the service chain. Then, we develop a model to enable each service in a service chain to specify policies on how its sensitive information can be released to its subsequent services and what types of input data from prior services can be accepted and how they can flow within the services. Finally, we design a run-time protocol to enforce these policies in a service chain.