Section: New Results

Verification of Collaborative Systems

We investigate security problems occurring in decentralized systems. We develop general techniques to enforce read and update policies for controlling access to XML documents based on recursive DTDs (Document Type Definitions). Moreover, we provide a necessary and sufficient condition for safely undoing operations on replicated objects, in order to enforce access control policies in an optimistic way.

Automatic Analysis of Web Services Security

Participants : Tigran Avanesov, Mohamed Anis Mekki, Michaël Rusinowitch, Mathieu Turuani, Laurent Vigneron.

Automatic composition of web services is a challenging task. Many works have considered simplified automata models that abstract away from the structure of the messages exchanged by the services. For the domain of secured services (using e.g. digital signatures or timestamps) we propose a novel approach to automated orchestration of services under security constraints. Given a community of services and a goal service, we reduce the problem of generating a mediator between a client and the service community to a security problem in which an intruder must intercept and redirect messages between the service community and a client service until a satisfying state is reached. In his thesis, Mohamed Anis Mekki [36] [27] presents a tool that compiles the resulting trace, which describes an execution of the mediator, into corresponding runnable code. To do so, the tool computes an executable specification of the mediator that is as prudent as possible with respect to its role in the orchestration. This specification is expressed in ASLan, a formal language for modeling Web Services together with their security policies that was developed in the AVANTSSAR project. We can then check with automatic tools that the ASLan specification satisfies the required security properties, such as secrecy and authentication. If no flaw is found, the specification is compiled into a Java servlet that the mediator can use to execute the orchestration.

In his thesis, Tigran Avanesov [13] [28] gives a decision procedure for the satisfiability problem of general deducibility constraints. Two cases are considered: the standard Dolev-Yao theory and its extension with an associative, commutative and idempotent operator. The result is applied to solve the automated distributed orchestration problem for secured Web services. As a second application, a procedure is given to decide the security of a cryptographic protocol in the presence of several non-communicating intruders. The thesis also shows how to detect some XML rewriting attacks on Web services.
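The deducibility constraints above ask whether an intruder can derive a term from what it has seen. The following added example (not code from the thesis or the team; the term encoding, rule set and sample messages are assumptions) decides the ground, variable-free case for the standard Dolev-Yao theory: saturate the intruder's knowledge under the decomposition rules (projection, decryption with a derivable key), then test whether the goal can be composed from the saturated set. The key of a ciphertext may itself be a composed term, which is why decomposition has to call composition.

```python
"""Ground Dolev-Yao deduction: can an intruder derive a term from captured messages?
Added illustration with an assumed term encoding; not the thesis's constraint solver."""

# Terms: atoms are strings; compound terms are tagged tuples built by these constructors.
# 'aenc' takes a public key of the form pk(k); the matching private key is the atom k.
def pair(a, b):   return ('pair', a, b)
def senc(m, k):   return ('senc', m, k)
def aenc(m, pub): return ('aenc', m, pub)
def pk(k):        return ('pk', k)
def h(m):         return ('hash', m)


def synthesizable(t, known):
    """Composition rules: t is derivable if it is known, or if every immediate
    argument is derivable and the intruder applies the constructor itself."""
    if t in known:
        return True
    if isinstance(t, str):          # an unknown atom cannot be guessed
        return False
    return all(synthesizable(arg, known) for arg in t[1:])


def analyze(knowledge):
    """Decomposition rules iterated to a fixpoint: project pairs, decrypt symmetric
    ciphertexts whose key is derivable, decrypt asymmetric ciphertexts whose private
    key is derivable. Keys may be composed terms (e.g. a hash), so we call synthesizable."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, str):
                continue
            tag, args = t[0], t[1:]
            new = ()
            if tag == 'pair':
                new = args
            elif tag == 'senc' and synthesizable(args[1], known):
                new = (args[0],)
            elif tag == 'aenc':
                pub = args[1]
                if isinstance(pub, tuple) and pub[0] == 'pk' and synthesizable(pub[1], known):
                    new = (args[0],)
            for n in new:
                if n not in known:
                    known.add(n)
                    changed = True
    return known


def deducible(t, knowledge):
    """Two-phase decision: saturate by decomposition, then test composition."""
    return synthesizable(t, analyze(knowledge))


# Constructed sample (assumption): messages captured on the wire; 'ki' is the
# intruder's own private key, 'ka' is a private key of an honest agent.
INTRUDER_KNOWLEDGE = [
    'n0',                                 # a public nonce
    'ki',                                 # the intruder's private key
    pk('ka'),                             # the honest agent's public key
    senc(pair('secret', 'n1'), h('n0')),  # session key derived as hash(n0)
    aenc('k2', pk('ki')),                 # k2 sent to the intruder's own key
    senc('s2', 'k2'),
    senc('s3', 'ka'),                     # protected by a key the intruder never learns
]

if __name__ == '__main__':
    for goal in ('secret', 's2', 's3', 'ka', senc('secret', 'n0'), aenc('n1', pk('ka'))):
        print(goal, '->', deducible(goal, INTRUDER_KNOWLEDGE))
```

Running the block shows that `secret`, `s2` and any message built from derived terms and known keys are deducible, while `s3` and the honest private key `ka` are not. Termination is guaranteed because decomposition only adds subterms of existing knowledge and composition recurses on strictly smaller terms.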

Secure Querying and Updating of Recursive XML Views

Participants : Bao Thien Hoang, Houari Mahfoud, Abdessamad Imine.

Most state-of-the-art approaches for securing XML documents allow users to access data only through authorized views, defined by annotating an XML grammar (e.g. a DTD) with a collection of XPath expressions. To prevent improper disclosure of confidential information, user queries posed on these views must be rewritten into equivalent queries on the underlying documents. A major concern is that query rewriting for recursive views has remained an open problem. In this work, we show that this rewriting is possible using only the expressive power of standard XPath [70]. We extend the downward fragment of XPath, composed only of the child and descendant axes, with some additional axes and operators, and we propose a general approach to rewriting queries under recursive XML views. Unlike works based on Regular XPath, we provide a linear rewriting algorithm that processes the queries only over the annotated XML grammar. An experimental evaluation shows that our algorithm is efficient and scales well. Finally, we plan to investigate how to combine read and update policies without revealing sensitive information to unauthorized users.
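The security-relevant point of view-based access control is that a query must be answered only over the nodes the policy exposes, and that a child step on the view may correspond to several child steps on the document when hidden nodes are removed and their visible descendants are lifted to the nearest visible ancestor. The added example below (constructed for this page; not the team's rewriting algorithm, which produces an XPath expression rather than a modified evaluator) implements that view semantics for the downward fragment: annotations on element types with inheritance, a naive evaluation on the raw document, an evaluation restricted to accessible nodes, and a materialized view as the reference. The document, element names and policy are assumptions.

```python
"""Security views over XML: answer downward XPath queries only over nodes the policy
exposes. Added illustration; the view semantics (annotated grammar, inherited
annotations, hidden nodes lifted out) is mimicked by a restricted evaluator."""
import xml.etree.ElementTree as ET

# Constructed sample document (not from the paper).
DOC = """<hospital>
  <patient><name>Alice</name><ward>oncology</ward>
    <record><diagnosis>D1</diagnosis><note>confidential</note></record></patient>
  <patient><name>Bob</name><ward>cardiology</ward>
    <record><diagnosis>D2</diagnosis></record></patient>
</hospital>"""

# Access policy on element types (assumed names). True/False: always/never accessible;
# a callable is a condition on the node and its ancestors; unannotated types inherit
# from the nearest annotated ancestor.
POLICY = {
    'hospital': True,
    'record': lambda e, ancestors: ancestors[-1].findtext('ward') == 'cardiology',
    'diagnosis': True,      # visible even when the enclosing record is not
    'note': False,
}

def accessibility(root, policy):
    """Map id(element) -> bool according to the annotated grammar."""
    acc = {}
    def walk(e, ancestors, inherited):
        rule = policy.get(e.tag)
        visible = inherited if rule is None else (rule(e, ancestors) if callable(rule) else bool(rule))
        acc[id(e)] = visible
        for c in e:
            walk(c, ancestors + [e], visible)
    walk(root, [], True)
    return acc

def view_children(e, acc):
    """Children in the view: a hidden child disappears and its visible descendants
    take its place, so one child step on the view can span several on the document."""
    for c in e:
        if acc[id(c)]:
            yield c
        else:
            yield from view_children(c, acc)

def view_descendants(e, acc):
    for c in e:
        if acc[id(c)]:
            yield c
        yield from view_descendants(c, acc)

def parse_query(q):
    """Downward XPath only: '/name' is a child step, '//name' a descendant step."""
    steps, i = [], 0
    while i < len(q):
        axis, i = ('descendant', i + 2) if q.startswith('//', i) else ('child', i + 1)
        j = i
        while j < len(q) and q[j] != '/':
            j += 1
        steps.append((axis, q[i:j]))
        i = j
    return steps

def evaluate(root, query, acc):
    """Evaluate a query relative to root, seeing only nodes marked accessible in acc."""
    nodes = [root]
    for axis, name in parse_query(query):
        nxt, seen = [], set()
        for n in nodes:
            cands = view_children(n, acc) if axis == 'child' else view_descendants(n, acc)
            for c in cands:
                if (name == '*' or c.tag == name) and id(c) not in seen:
                    seen.add(id(c))
                    nxt.append(c)
        nodes = nxt
    return nodes

def materialize_view(e, acc):
    """Reference semantics: physically build the view, then query it with no restriction."""
    out = ET.Element(e.tag, dict(e.attrib))
    out.text = e.text
    for c in view_children(e, acc):
        out.append(materialize_view(c, acc))
    return out

def answer(query):
    """(naive answer on the raw document, answer restricted to the view,
    answer on the materialized view), each as a list of text values."""
    root = ET.fromstring(DOC)
    acc = accessibility(root, POLICY)
    everything = lambda r: {id(n): True for n in r.iter()}
    naive = [n.text for n in evaluate(root, query, everything(root))]
    restricted = [n.text for n in evaluate(root, query, acc)]
    view = materialize_view(root, acc)
    on_view = [n.text for n in evaluate(view, query, everything(view))]
    return naive, restricted, on_view
```

With this policy, `//note` returns the confidential note on the raw document but nothing on the view, `/patient/record/diagnosis` returns only Bob's diagnosis because Alice's record is hidden, and `/patient/diagnosis` returns Alice's lifted diagnosis even though no such child edge exists in the document. The restricted evaluator and the materialized view agree on every query, which is the equivalence a rewriting algorithm has to preserve without paying for materialization.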

On the Undoability Problem in Distributed Collaborative Systems

Participants : Asma Cherif, Abdessamad Imine.

Combining Operational Transformation (OT) with undo is a challenging problem. Even though various undo solutions have been proposed over recent years, verifying their correctness remains difficult because there are no formal guidelines for undoing operations. In this work, we address the undo problem from a theoretical point of view [68]. We give a necessary and sufficient condition for undoing operations on replicated objects based on OT with respect to three inverse properties. To overcome the difficulty of the necessity proof, we use Constraint Satisfaction Problem (CSP) theory in order to cover all possible transformation cases. As the main result, we prove that it is impossible to achieve a correct undo for objects with non-commutative operations. To relax this impossibility result, we sketch a preliminary solution that consists in explicitly adding a new form of idle operations.
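To make the inverse properties concrete, the added example below (constructed for this page, not the paper's formalization or proof; the string object, the transformation function and the tie-break rule are assumptions) implements OT for a shared string with insert and delete, checks convergence (TP1) and the first two inverse properties on a small scenario, and exhibits two cases where IP2 fails although TP1 holds: a site-priority tie-break that shifts an insertion after the deletion it was transformed against is undone, and two sites deleting the same character, which turns one operation into an idle one that no transformation can bring back. The third inverse property is not checked here.

```python
"""Operational Transformation on a shared string with insert/delete, and checks of
the inverse properties IP1 and IP2 an undo scheme relies on. Added illustration with
an assumed transformation function; it does not reproduce the paper's proof."""

# An operation is (kind, position, character, site). The site id is a deterministic
# tie-break so that concurrent insertions at the same position converge.
NOP = ('nop', 0, '', 0)   # explicit idle operation

def apply_op(s, op):
    kind, p, c, _ = op
    if kind == 'nop':
        return s
    if kind == 'ins':
        return s[:p] + c + s[p:]
    if s[p] != c:
        raise ValueError(f'cannot delete {c!r} at {p} in {s!r}')
    return s[:p] + s[p + 1:]

def inverse(op):
    kind, p, c, site = op
    if kind == 'nop':
        return op
    return ('del' if kind == 'ins' else 'ins', p, c, site)

def transform(o, ox):
    """T(o, ox): rewrite o, defined on the same state as ox, so that it applies after ox."""
    k1, p1, c1, s1 = o
    k2, p2, c2, s2 = ox
    if k1 == 'nop' or k2 == 'nop':
        return o
    if k1 == 'ins' and k2 == 'ins':
        return o if p1 < p2 or (p1 == p2 and s1 < s2) else ('ins', p1 + 1, c1, s1)
    if k1 == 'ins' and k2 == 'del':
        return o if p1 <= p2 else ('ins', p1 - 1, c1, s1)
    if k1 == 'del' and k2 == 'ins':
        return o if p1 < p2 else ('del', p1 + 1, c1, s1)
    if p1 < p2:                       # del / del
        return o
    if p1 > p2:
        return ('del', p1 - 1, c1, s1)
    return NOP                        # the same character was already deleted

def tp1_holds(s, o1, o2):
    """Convergence: applying two concurrent operations in either order gives the same state."""
    left = apply_op(apply_op(s, o1), transform(o2, o1))
    right = apply_op(apply_op(s, o2), transform(o1, o2))
    return left == right

def ip1_holds(s, o):
    """IP1: doing and then undoing an operation restores the state."""
    return apply_op(apply_op(s, o), inverse(o)) == s

def ip2_holds(o, ox):
    """IP2: transforming o past ox and then past undo(ox) must give o back."""
    return transform(transform(o, ox), inverse(ox)) == o

# Constructed scenario: site 2 inserts 'x' at 1 while site 1 concurrently deletes 'b' at 1.
STATE = 'abc'
INSERT_X = ('ins', 1, 'x', 2)
DELETE_B = ('del', 1, 'b', 1)

if __name__ == '__main__':
    print('TP1', tp1_holds(STATE, INSERT_X, DELETE_B))
    print('IP1', ip1_holds(STATE, INSERT_X), ip1_holds(STATE, DELETE_B))
    print('IP2', ip2_holds(INSERT_X, DELETE_B))
    print('IP2, priorities swapped', ip2_holds(('ins', 1, 'x', 1), ('del', 1, 'b', 2)))
    print('IP2, same deletion twice', ip2_holds(('del', 1, 'b', 1), ('del', 1, 'b', 2)))
```

In the scenario, transforming the insertion past the deletion leaves it at position 1; transforming it again past the undo of that deletion, which is an insertion of `b` at position 1 from a higher-priority site, pushes it to position 2, so the operation that results after "do, then undo" is not the original one. Swapping the site priorities makes IP2 hold for this pair, which shows that the property depends on the transformation function and tie-break rule rather than on the document state, and the double-deletion case shows why idle operations need special treatment in an undo scheme.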