SEVENTH FRAMEWORK PROGRAMME THEME ICT Annex I - Description of work. List of Beneficiaries


FP7-ICT, October 17, 2007, AVANTSSAR, project no

SEVENTH FRAMEWORK PROGRAMME
THEME ICT: Secure, dependable and trusted Infrastructures
Grant agreement for: Small/medium-scale focused research project (STREP)
Annex I - Description of work
Project acronym: AVANTSSAR
Project full title: Automated Validation of Trust and Security of Service-oriented Architectures
Grant agreement no:
Date of preparation of Annex I (latest version): October 17, 2007
Date of approval of Annex I by Commission: October 23, 2007

List of Beneficiaries (beneficiary number, name, short name, type, country, date entering project, date exiting project)
1 (coordinator): Università di Verona, UNIVR, academia, Italy, month 1, month 36
2: ETH Zurich, ETH Zurich, academia, Switzerland, month 1, month 36
3: Institut National de Recherche en Informatique et Automatique, INRIA, academia (research org.), France, month 1, month 36
4: Institut de Recherche en Informatique de Toulouse, UPS-IRIT, academia (research org.), France, month 1, month 36
5: Università di Genova, UGDIST, academia, Italy, month 1, month 36
6: IBM Research GmbH, IBM, industry/research, Switzerland, month 1, month 36
7: OpenTrust, OpenTrust, industry (SME), France, month 1, month 36
8: Institute e-austria Timişoara, IEAT, research org. (SME), Romania, month 1, month 36
9: SAP AG, SAP, industry, Germany, month 1, month
10: Siemens Aktiengesellschaft, SIEMENS, industry, Germany, month 1, month 36

Contents

A Budget breakdown and project summary
  A1 Overall budget breakdown for the project
  A2 Project summary
  A3 List of beneficiaries
B
  B1 Concept and objectives, progress beyond state-of-the-art, S/T methodology and work plan
    B1.1 Concept and project objectives
      The overall goal of the AVANTSSAR project
      Objective ICT: Secure, dependable and trusted Infrastructures
      Success criteria
    B1.2 Progress beyond the state-of-the-art
      State of the art
      Challenges
      Contributions and advance brought by the project
      Application limits of the proposed formal approach
    B1.3 S/T methodology and associated work plan
      Overall strategy of the work plan
      Timing of the different WPs and their components
      Detailed work description
        Workpackage list
        Deliverables list
        WP 1: Project Management
          WP 1.1: Project coordination
          WP 1.2: Project meetings
          WP 1.3: Project administration
        WP 2: Modelling trust and security aspects of service-oriented architectures
          WP 2.1: Atomic services and non-composed policies
          WP 2.2: Static service and policy composition
          WP 2.3: Dynamic service and policy composition
        WP 3: Automated reasoning techniques
          WP 3.1: Satisfiability of ASLan policies
          WP 3.2: Model-checking services with respect to policies
          WP 3.3: Attacker models
          WP 3.4: Compositional reasoning for services and policies

          WP 3.5: Abstraction techniques for composed services and policies
          About the limitations of our techniques for reasoning about trust and security
        WP 4: The AVANTSSAR Validation Platform
          WP 4.1: TS Orchestrator
          WP 4.2: TS Validator
          WP 4.3: Platform Integration
          About the platform limitations
        WP 5: Proof of concept
          WP 5.1: Definition of the relevant problem cases
          WP 5.2: Formalisation of the problem cases
          WP 5.3: Validation of the problem cases
          WP 5.4: Assessment
          Approach to scalability issues in the case studies
        WP 6: Dissemination and Industry migration
          WP 6.1: Dissemination
          WP 6.2: Migration to industrial development environments
          WP 6.3: Migration to standardisation bodies
      Workpackage descriptions (WP tables)
      Graphical presentation of the components showing their interdependencies
  B2 Implementation
    B2.1 Management structure and procedures
      Operational, decision-making and advisory bodies
      Project administration
      Consortium Agreement
      Project Meetings
      Risk management and damage mitigation
      Management procedures
      Summary of project organisation
    B2.2 Beneficiaries
      UNIVR: University of Verona, Italy
      ETH Zurich: Eidgenössische Technische Hochschule Zürich, Switzerland
      INRIA: Cassis Group, INRIA Lorraine, France
      UPS-IRIT: LiLaC Team, Institut de Recherche en Informatique de Toulouse, France
      UGDIST: Dipartimento di Informatica Sistemistica e Telematica, Università di Genova, Italy
      IBM: IBM Research GmbH, Zurich Research Laboratory (ZRL)
      OPENTRUST: OPENTRUST, Trust and Security Software
      IeAT: Institute e-austria Timişoara, Romania
      SAP: SAP AG and its SAP Research Business Unit, Germany
      SIEMENS: Siemens Aktiengesellschaft, Corporate Technology, Security, Germany
    B2.3 Consortium as a whole
    B2.4 Resources to be committed
  B3 Impact
    B3.1 Strategic impact
      European Dimension of the Consortium
      Relation with other national and international research activities
    B3.2 Plan for the use and dissemination of foreground
      Management of knowledge and intellectual property

      Dissemination Plan
      Exploitation Plan
        OpenTrust
        IBM
        SAP
        SIEMENS
      Contributions to standards
  B4 Ethical Issues
References
Appendix A: The AVISPA Tool
Appendix B: Proof of concept case studies
  B.1 Application areas and scenarios
    E-Business
    E-government
    E-health
  B.2 Families of problem cases
    Single Sign-On
    Authorisation Policies
    Trust Management
    Workflow Security
    Sensor Networks
    Public Key Infrastructure (PKI)
    Digital Contract Signing
    Public Bidding
    Identity Mixer

List of Figures

1 The AVANTSSAR Validation Platform and its usage towards Enterprise SOA
2 Dependencies between the workpackages
3 GANTT chart of the AVANTSSAR project
4 The domain of the ASLan language
5 PERT chart of the AVANTSSAR project
6 The architecture of the AVISPA Tool
7 A screen-shot of the AVISPA Tool in basic mode
8 A screen-shot of the AVISPA Tool in expert mode
9 Loan Origination Process Workflow
10 Loan Origination Process enabled by the SAP NetWeaver platform
11 OpenTrust SPI implementation architecture
12 The use of PKI in an airplane software distribution system
13 The basic protocols of Identity Mixer

List of Tables

1 Application areas and some related problem cases
2 Workpackage list
3 Deliverables list
4 Project Effort Form 1: Indicative efforts per beneficiary per WP
5 Project Effort Form 2: Indicative efforts per activity type per beneficiary
6 List of project milestones (and decision points)
7 Tentative schedule of project reviews
8 Technical risks associated with the milestones (and decision points), their probability, and the corresponding management and mitigation strategies
9 List of beneficiaries
10 Main tasks attributed to the beneficiaries
11 Expertise of the beneficiaries
12 Ethical Issues Table

Part A: Budget breakdown and project summary

A1 Overall budget breakdown for the project

A2 Project summary

Grant agreement Preparation Forms, European Commission, 7th Framework Programme on Research, Technological Development and Demonstration, Collaborative Project. Form A.1: Our Project (one form per project), general information.

Project number (1):
Project acronym (2): AVANTSSAR
Project title (3): Automated Validation of Trust and Security of Service-oriented Architectures
Starting date (4): 01/01/2008
Duration in months (5): 36
Call (part) identifier (6): FP7-ICT
Activity code(s) most relevant to your topic (7): ICT, ICT, ICT
Free keywords (8): Service-Oriented Architectures. Secure and dependable infrastructures. Web Services. Trust. Security. Policies. Obligations. Orchestration. Formal Methods. Automated Validation. Protocols.

Abstract (9) (max char.):

Driven by rapidly changing requirements and business needs, IT systems and applications are undergoing a paradigm shift: components are replaced by services, distributed over the network, and composed and reconfigured dynamically in a demand-driven way into service-oriented architectures. Exposing services in future network infrastructures entails a wide range of trust and security issues. Solving them is extremely hard, since making the service components trustworthy is not sufficient: composing services leads to new, subtle and dangerous vulnerabilities due to interference between component services and policies, the shared communication layer, and application functionality. Thus, one needs validation of both the service components and their composition into secure service architectures.

AVANTSSAR proposes a rigorous technology for the formal specification and Automated VAlidatioN of Trust and Security of Service-oriented ARchitectures. This technology will be automated into an integrated toolset, the AVANTSSAR Validation Platform, tuned on relevant industrial case studies. The project will develop:
- ASLan, the first formal language for specifying trust and security properties of services, their associated policies, and their composition into service architectures.
- Automated techniques to reason about services, their dynamic composition, and their associated security policies into secure service architectures.
- The AVANTSSAR Validation Platform, an automated toolset for validating trust and security aspects of service-oriented architectures.
- A library of validated composed services and service architectures, proving that our technology scales to the envisaged applications.

Migrating project results to industry and standardisation organisations will speed up the development of new network and service infrastructures, enhance their security and robustness, and increase the public acceptance of emerging IT systems and applications based on them.

A3 List of beneficiaries

(beneficiary number, name, short name, type, country, date entering project, date exiting project)
1 (coordinator): Università di Verona, UNIVR, academia, Italy, month 1, month 36
2: ETH Zurich, ETH Zurich, academia, Switzerland, month 1, month 36
3: Institut National de Recherche en Informatique et Automatique, INRIA, academia (research org.), France, month 1, month 36
4: Institut de Recherche en Informatique de Toulouse, UPS-IRIT, academia (research org.), France, month 1, month 36
5: Università di Genova, UGDIST, academia, Italy, month 1, month 36
6: IBM Research GmbH, IBM, industry/research, Switzerland, month 1, month 36
7: OpenTrust, OpenTrust, industry (SME), France, month 1, month 36
8: Institute e-austria Timişoara, IEAT, research org. (SME), Romania, month 1, month 36
9: SAP AG, SAP, industry, Germany, month 1, month
10: Siemens Aktiengesellschaft, SIEMENS, industry, Germany, month 1, month 36

Part B

B1 Concept and objectives, progress beyond state-of-the-art, S/T methodology and work plan

B1.1 Concept and project objectives

Our society and economic system are currently facing dramatic changes in their infrastructures and processes: the continuous expansion of communication and information infrastructures, the ubiquity of computing resources, the pressure of global competition, and the increased pace of societal development require individuals and businesses to be capable of dynamically adapting in real time to changing needs, and of spontaneously evaluating and reacting to events as they happen. For instance, a business needs to adjust its supply chain instantaneously if its preferred supplier turns out to be unable to deliver, or to switch to an auction or broker mechanism to find a replacement within minutes, because it cannot afford to have its customers wait. Similarly, an individual might want to have access to governmental and administrative infrastructures (e.g., for tax declaration processing) everywhere and at any time, using a variety of devices in different environments. As another example, public entities like firefighters, ambulances, or hospitals need to react within seconds in case of emergency, evaluate their available resources in the given context, and adapt their operation to the situation. Also, when dealing with personal data, such as in health care, it is essential to ensure the privacy of the citizens and to give them control over the information they provide.

These changes are giving rise to a major paradigm shift in the way ICT systems and applications are designed, implemented, and deployed. To meet frequently changing requirements and business needs, for instance in a federation of enterprises, components are replaced by services that are distributed over the network (e.g. the Internet) and composed at run-time in a demand-driven and flexible way. Each service may rely on the existence and availability of other (possibly dynamically retrieved) services to perform its computation; moreover, this includes dynamic adaptation and explicit combination of the applicable policies, which determine the actions executed and the messages exchanged. For example, a service granting access to a resource of a business partner may use a local authentication service, trusted by both partners, to assess the identity of a client, and rely on authorisation services on both ends that combine their policies to decide whether to grant the access or not.

This paradigm shift towards service-oriented architectures reaches up to the vision of ambient intelligence, where computers and networks are integrated into the everyday environment, providing easy-to-use human interfaces to a variety of services and applications, and allowing people to access services wherever they are, whenever they want, and in the form most natural for them. This includes interaction with the physical world and the collection of substantial quantities of personal data, and it requires new solutions that integrate provisions for trust, security, and privacy.

Service orientation and ambient intelligence require one to reconsider trust and security requirements and policies, the mechanisms used to enforce them, and their deployment. Resources will be increasingly exposed to an outside world that cannot be completely controlled, since there is no central ownership and likely no central application control (independent service providers wish to conceal details of their service implementation to protect their intellectual property). Service providers need to respect their local security policies while still matching them against the application owner's policies, thus leading to policy negotiation and trust evaluation. The responsibility for security property enforcement is federated among the different service owners.

Moreover, significant parts of the security functionality will most likely be provided through dedicated services. These are decoupled from the application, which emphasises the need for their appropriate composition: depending on their functionality and the given context, they may be subject to subtle and new types of interference when composed. As an example, consider the area of policy composition [149, 153, 175]: even under simple criteria such as conjunction, the composition of non-discretionary policies yields new properties that are not present in the individual policies under composition [134]. Hence, in order to guarantee the correctness of the composed system, one needs to analyse

the security of these emergent properties (i.e., features that are not present in the individual components but instead result from their interaction and composition [135, 242]), a crucial problem which has only begun to be addressed. Security will thus become a responsibility of the infrastructure itself, with an individual application orchestrating the security features to match both its own security policy and those of the service providers, allowing for the negotiation of policies and the establishment of trust relationships within the infrastructure. Since composition and integration are the basic principles of service orientation, in order to provide flexibility, dynamic adaptation, and security simultaneously, we need even more than the combination of validated secure services: we need means for validating their secure composition.

The overall goal of the AVANTSSAR project

The overall goal of the AVANTSSAR (Automated VAlidatioN of Trust and Security of Service-oriented ARchitectures) project is to develop a technology supporting the formal specification and automatic validation of trust and security in service-oriented systems. The AVANTSSAR technology will provide the ability to formally model and automatically reason about services, their composition, their required security properties and associated policies, both at network and at application level. This will include not only standard properties such as authentication and secrecy, but also authorisation, access control, trust delegation and obligations, identity management, etc. The AVANTSSAR technology will thus speed up the development of the next generation of service-oriented architectures, help guarantee their correctness, and therefore increase the public acceptance of advanced, distributed ICT systems and applications based on them.

In order to ensure the migration of the project results into industry and standardisation bodies, this technology will be automated as part of an integrated toolset, the AVANTSSAR Validation Platform, which will be tuned on case studies of industrial relevance. To this end, the project will accomplish the following tasks:
- Design the first formal modelling language that is fully dedicated to specifying trust and security aspects of services, their composition, as well as the properties that they are required to satisfy and the policies that they manipulate and abide by.
- Develop novel automated techniques to reason about the runtime composition of services and their associated security policies into secure service-oriented architectures.
- Develop the AVANTSSAR Validation Platform, comprised of automated tools for the validation of trust and security aspects of service-oriented architectures.
- Develop a library of secure composed services and secure service-oriented architectures by applying our validation technology to proof-of-concept case studies taken from practice, in particular those provided by the industrial partners of the project.

The AVANTSSAR Validation Platform and its usage in Enterprise SOA are depicted in Figure 1, where, here and in the rest of this proposal, we use TS as an abbreviation for Trust and Security. In the following sections we will illustrate the techniques that will be developed within the project. This collection of techniques will enable the specification (WP 2), enforcement (through TS wrapper generation) and automatic validation (WP 3) of the security-relevant aspects of service-oriented architectures. The development of the AVANTSSAR Validation Platform (WP 4) will allow us to quantitatively assess the effectiveness of the techniques developed in the project. This will be done by using the AVANTSSAR Validation Platform to automatically validate a number of representative problem cases provided by the industrial partners (WP 5). Dissemination of the technical achievements of the project is addressed in a dedicated workpackage (WP 6), which will also take care of the migration into industrial practice.

Figure 1: The AVANTSSAR Validation Platform and its usage towards Enterprise SOA. Legend: P = policy, CP = composed policy, S = service, CS = composed service, TS = trust and security; the legend also marks tool input/output. Application level: services S1, ..., SN (implemented e.g. in BPEL) with their policies P1, ..., PN, a specification of the available services (e.g. in WSDL/UDDI), and the resulting secured service/policy. Logical level (new): the TS Orchestrator composes the services and policies, using TS Wrappers, into a composed service CS and composed policy CP such that CP respects the global policy P and every Pi; the resulting validation problem is passed to the TS Validator, whose outcome is either "secure" or "insecure" with a vulnerability, in which case feedback is returned to the TS Orchestrator.

The AVANTSSAR Validation Platform takes as input specifications of trust and security requirements, expressed in terms of policies, and models of services, including a specification of their security-relevant behaviour as well as the local policies they respect. These service specifications can be either statically configured or dynamically discovered. The main components of the platform are the following:

- The TS Orchestrator provides the means to compose the service models in a way presumed to respect the global policies. In the case of dynamic composition of services, this orchestration is synthesised using TS Wrappers, which add security functionality not provided by the initial set of services.
- The TS Validator automatically analyses the validation problem resulting from the TS Orchestrator output. Failed validation means the existence of vulnerabilities that need to be fixed; otherwise, the composition of the services is guaranteed (with respect to the models and the attacker model analysed) to be secure, i.e. to respect the global policies.

Whenever the TS Validator detects a vulnerability in the composed service, a feedback loop to the TS Orchestrator is initiated. Several options exist to revise the TS Orchestrator results in order to fix the vulnerability: using a different composition pattern, revising the local policies, or introducing new services or policies into the orchestration. Any combination of these will be supported.

The AVANTSSAR Validation Platform operates on the logical level. Hence, the specifications of services and their orchestration provided to the platform (and resulting from the validation and synthesis activities) need to be transformed to and from the modelling artifacts and languages used at the application level. This transformation is non-trivial, since in many cases the modelling techniques available at the application level do not provide the concepts or expressiveness needed for automated validation of the security of services and their composition (otherwise, they could be used directly). AVANTSSAR explicitly addresses this transformation through an Industry Migration workpackage (WP 6) that takes current industrial best-practice languages and models into account and systematically relates them to each other. Tools will be provided to assist designers in extending their models with the augmentations required for validation. This is key to successful exploitation of the AVANTSSAR results in real-world industrial settings, since the industry standards are used as a matter of fact, and for good reasons. The AVANTSSAR approach thus does not ask for disruptive changes; its Industry Migration allows for a smooth integration into existing environments. This will be demonstrated by some of the project's industrial partners.

We will assess the techniques and tools developed in the project on a broad spectrum of problem cases of real-world complexity, provided by our industrial partners from the areas of e-business, e-government, and e-health, as described in the proof-of-concept workpackage (WP 5). To this end, we have already identified 9 families of problem cases, each exhibiting more than one representative security challenge. These problem cases already cover a broad range of abstraction levels, trust and security aspects, and application areas occurring in the secure-service domain, but we expect that more problem cases will be identified and considered during the project. Table 1 gives an overview of the e-business, e-government, and e-health application areas with respect to the scenarios and problem cases that we aim to tackle during the project. More details are given in Appendix B.
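The orchestrate/validate/feedback loop described above, together with the emergent-property point made at the start of B1.1 (each component respects its own policy, yet their composition violates a global one), as an added example in Python that is not part of the AVANTSSAR platform or of ASLan: services are modelled as guarded rules over a set of facts (the guard is the local policy), composition is interleaving, the global policy is a state invariant, the validator is a breadth-first reachability check that returns a counterexample trace, and the feedback step re-validates after a TS Wrapper is inserted in front of one service. The three services (auth, delegation, resource), the principals alice and mallory, the fact names and all policies are constructed for this illustration.

```python
"""Toy validator for composed services and policies (constructed example, not AVANTSSAR code)."""
from collections import deque
from typing import Callable, FrozenSet, Iterable, List, Optional, Tuple

Fact = Tuple[str, ...]
State = FrozenSet[Fact]
Step = Tuple[str, State]            # (human-readable transition label, successor state)
Rule = Callable[[State], Iterable[Step]]


def auth_service(state: State) -> Iterable[Step]:
    """S1, local policy P1: a token is issued only to a principal whose credentials are on record."""
    for fact in state:
        if fact[0] == "cred":
            yield f"auth issues token({fact[1]})", state | {("token", fact[1])}


def delegation_service(state: State) -> Iterable[Step]:
    """S2, local policy P2: token holder u may obtain a token for v only if delegates(u, v) was declared."""
    for fact in state:
        if fact[0] == "delegates" and ("token", fact[1]) in state:
            yield f"delegate issues token({fact[2]}) on behalf of {fact[1]}", state | {("token", fact[2])}


def resource_service(state: State) -> Iterable[Step]:
    """S3, local policy P3: access is granted only to a token holder."""
    for fact in state:
        if fact[0] == "token":
            yield f"resource grants access({fact[1]})", state | {("access", fact[1])}


def global_policy(state: State) -> bool:
    """Global policy P: every principal that obtains access must have been authorised by the owner."""
    return all(("authorized", f[1]) in state for f in state if f[0] == "access")


def compose(services: List[Rule]) -> Rule:
    """Interleaving composition: at each step any rule of any component service may fire."""
    def composed(state: State) -> Iterable[Step]:
        for service in services:
            yield from service(state)
    return composed


def validate(initial: State, composed: Rule, invariant: Callable[[State], bool]) -> Optional[List[str]]:
    """TS Validator: breadth-first reachability over the composed model.

    Returns the shortest trace to a state violating the invariant (a vulnerability),
    or None if every reachable state satisfies it (secure, relative to this model)."""
    seen = {initial}
    queue = deque([(initial, [])])
    while queue:
        state, trace = queue.popleft()
        if not invariant(state):
            return trace
        for label, nxt in composed(state):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return None


def ts_wrapper(rule: Rule, guard: Callable[[State, State], bool]) -> Rule:
    """TS Wrapper: a transition of the wrapped service fires only if an extra guard accepts (before, after)."""
    def wrapped(state: State) -> Iterable[Step]:
        for label, nxt in rule(state):
            if guard(state, nxt):
                yield f"[wrapped] {label}", nxt
    return wrapped


def only_authorised_tokens(before: State, after: State) -> bool:
    """Wrapper guard: any token created by the step must belong to a principal the owner authorised."""
    return all(("authorized", f[1]) in before for f in after - before if f[0] == "token")


def orchestrate_and_validate(initial: State) -> Tuple[str, Optional[List[str]], Rule]:
    """Orchestrator/validator loop: validate the raw composition; on a vulnerability, add a wrapper and re-validate."""
    raw = compose([auth_service, delegation_service, resource_service])
    attack = validate(initial, raw, global_policy)
    if attack is None:
        return "secure", None, raw
    # Feedback step: one of the options listed in the text, introducing a new (wrapper) policy.
    fixed = compose([auth_service, ts_wrapper(delegation_service, only_authorised_tokens), resource_service])
    verdict = "secure" if validate(initial, fixed, global_policy) is None else "insecure"
    return verdict, attack, fixed


# Constructed initial state: alice is authorised and has credentials; she has declared a delegation to mallory.
INITIAL: State = frozenset({("cred", "alice"), ("authorized", "alice"), ("delegates", "alice", "mallory")})

if __name__ == "__main__":
    verdict, attack, _ = orchestrate_and_validate(INITIAL)
    print("raw composition:", " -> ".join(attack) if attack else "secure")
    print("after TS wrapper:", verdict)
```

Running the block prints the three-step counterexample for the raw composition (mallory obtains access through a delegation that none of the three local policies forbids, so the violation is a property of the composition, not of any component) and the verdict for the wrapped composition. Because the state space is explored exhaustively, the verdict "secure" holds only for the facts, rules and initial state in the model; the same caveat applies to the platform, which can only find vulnerabilities its models can express.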
Table 1: Application areas and some related problem cases

Area: E-Business; scenarios: in general, Banking Services, SW Distribution Services, Credential Anonymizer, ...
Area: E-Government; scenarios: in general, Citizen Portals, Document Exchange Procedures, ...
Area: E-Health; scenarios: in general, Telematics Infrastructure, Patient Monitoring, ...
Problem cases (spanning all areas): Single Sign-On, Authorisation Policies, Trust Management, Workflow Security, Sensor Networks, Public Key Infrastructure, Digital Contract Signing, Public Bidding, Identity Mixer, ...

The problem cases considered will be used as specification and validation benchmarks for the concepts and tools being developed during the project.

Objective ICT: Secure, dependable and trusted Infrastructures

The AVANTSSAR project fits naturally into the objectives of the ICT Work Programme: it addresses Challenge 1 of the 2007 calls, which focuses on Pervasive and Trusted Network and Service Infrastructures. In particular, within Objective ICT: Secure, dependable and trusted Infrastructures, the EC envisions the target outcome b) Security and trust in dynamic and reconfigurable service architectures supporting assured and scale-free composition of services and service coalitions with managed operation across several administrative or business domains, enabling flexible business models, as well as Security and resilience in network infrastructures, Trusted computing infrastructures, and Identity management and privacy enhancing tools, which are the other target outcomes envisioned for the same Objective. The project focuses on this Objective, but it is worth mentioning that there are contributions to other objectives in Challenge 1, including Objective ICT: The Network of the Future, Objective ICT: Service and Software Architectures, Infrastructures and Engineering, and Objective ICT: ICT in support of the networked enterprise. With its novel approach to reasoning about security and trust in service-oriented architectures, AVANTSSAR will in particular provide new principles, methodologies, and tools for the design of complex, yet secure, service and software architectures, infrastructures, and engineering (Objective ICT: Service and Software Architectures, Infrastructures and Engineering). In particular,

the results of AVANTSSAR will add security support to the engineering of development processes, product lifecycles and tools for dynamically composed systems with dependable quality-of-service and reliability properties, through a validation approach to the management of their complexity. The project will thus also support all organisations developing or using software and services, particularly SMEs, in improving their competitiveness and adjusting to the emerging global service economy.

Success criteria

The AVANTSSAR project includes an entire workpackage, WP 5, wholly committed to the definition and formalisation of a set of industrial problem cases, against which the models, techniques, and tools developed in WP 2, WP 3, and WP 4 will be thoroughly assessed (see WP 5.4). The success criteria related to this assessment are given hereafter, followed by specific success criteria defined for workpackage WP 6, devoted to dissemination and industry migration.

The successful outcomes of WP 2, WP 3, and WP 4 will be measured, in the context of WP 5, against a set of applications of real-world complexity. Specifically, WP 5.1 will select and describe at least 15 problem cases of high relevance to the industry partners, covering all application scenarios, from the set of cases described in Appendix B. These problem cases will be used as benchmarks to determine the success of the other workpackages, as detailed below:

- WP 2 defines the specification language ASLan for the formal modelling of trust and security aspects of service-oriented architectures, including features for both services and policies. The success goal of WP 2 will be the ability to formally model (within WP 5.2) at least 12 of the 15 problem cases selected in WP 5.1.
- WP 3 defines a set of automated reasoning techniques, which provide the means to tackle the complexity of validating security in service-oriented architectures. We will judge the success of the automated reasoning techniques of WP 3 by the ability to formally validate (within WP 5.3) at least 10 of the problem cases formalised in WP 5.2.
- WP 4 implements the AVANTSSAR Validation Platform, which integrates the results of WP 2 and WP 3, providing a toolset supporting security specification, validation and enforcement. Its success will be judged by the ability to perform validation (again within WP 5.3) of at least 10 of the problem cases used to assess WP 3 in an automated manner.
- WP 6 is concerned with dissemination and industry migration. Indicators for success in this respect will be:
  - The integration of the AVANTSSAR Validation Platform into the SAP development environment and its successful application on one of the SAP application scenarios (e.g. banking services from the e-business area, patient monitoring from the healthcare area) [1]. To this effect, we will implement a high-level interface between our validation platform and the SAP integrated development environment, including a specification language on top of ASLan suited for industrial use.
  - The transfer of results of AVANTSSAR into educational activities within industry, universities, workshops, working groups or standardisation organisations (e.g. AVANTSSAR workshops, theses, course materials, presentations at standardisation committees, etc.). At least 3 such educational activities will be carried out.
  - At least 5 papers will be published in international conferences or journals.

[1] It is worth pointing out that one application scenario refers to a multitude of problem cases; thus, to tackle one entire application scenario means to cope with the validation of various problem cases.

  - The provision of results to standardisation bodies, placing them at their disposal. We will formalise parts of standards (candidates are, for instance, XACML, WS-Trust, WS-SecureConversation, and WS-Policy) and formally analyse them. The standards will be analysed on their own, but also in the context of at least 3 problem cases emerging from the assessment in WP 5.

19 FP7-ICT October 17, 2007 AVANTSSAR, project no B1.2 Progress beyond the state-of-the-art State of the art Automated analysis of security protocols, the basic components of security-sensitive services, has been widely studied and several analysis tools with different degrees of automation have been developed (see e.g [70, 71, 114, 176, 179, 123, 205]). This includes the industrial-strength technology of some of the project partners, the AVISPA Tool for protocol analysis [30] (developed in the context of the EU Project AVISPA Automated Validation of Internet Security Protocols and Applications, nominated for the 2006 Descartes prize for research ; see Appendix A for more details). The AVISPA Tool will provide one of the stepping stones for the AVANTSSAR project. While AVISPA and these other approaches have validated a substantial number of large-scale security protocols and provided support for improving the security of systems, the challenge of the automated validation of secure composed services and, in general, of secure service-oriented architectures still falls largely outside the scope of state-of-the-art technologies. Besides the recent application of standard techniques such as model-checking to the formal analysis of security systems and Web Services (e.g. [34, 35, 130, 150, 206]), and aside from other related work that we will discuss in Section B3 (such as the SENSORIA project and the NESSI Open Framework), the project that is most closely related to AVANTSSAR is the Samoa project at Microsoft Research Cambridge [64, 65, 66, 67, 68, 136]. This approach exploits recent advances in the analysis of security protocols in the practical setting of XML Web Services. Samoa proposes a logic-based approach to checking SOAP-based protocols based on a specification language that extends the pi-calculus with an XML syntax for handling SOAP envelopes. The ProVerif resolution-based protocol verifier [70] is then applied to verify authentication and secrecy properties. 
However, the focus is on the XML encoding of security tokens and messages applied to relatively simple protocols as well as rather low-level policies and properties. It is therefore highly doubtful whether this verification approach will scale when considering complex/composed services and higher-level security properties involving dynamic composition and dynamic policies. Currently, there exists no framework for the composition of services that takes into account the intricacies generated by the combination of trust and security policies and protocols. In particular, while initial work has been carried out on the automatic composition of security policies or requirements for services (e.g. [192, 225, 56, 63]), none of these approaches has sufficient coverage for our purposes, and major questions remain unanswered. As we already remarked above, the same holds, for example, for the security analysis of policy composition [134, 135, 149, 153, 175, 242].

Challenges

The complexity of reasoning about trust and security aspects of services and service-oriented architectures becomes evident when considering three of the main characteristics of service orientation: their heterogeneous, distributed, and dynamic nature.

Service-oriented applications are heterogeneous: the various individual components may be built using different technology and run in different environments. Nevertheless, both the components and their requirements may interact, and in some cases even interfere with each other. Still, most currently existing security solutions are limited to protecting applications within a single security context.
Moreover, the message-passing nature of interactions of Web Services (WS [8, 234]) and of other security-sensitive services increases their vulnerability: even assuming that the cryptographic primitives work correctly (that is, the system cannot be attacked exploiting weaknesses of cryptographic keys or of encryption/decryption algorithms), it allows for attacks based on interception, modification, and replay of messages. However, future service-oriented software architectures need to consider security among multiple/heterogeneous security contexts: for instance, between a requester and a service there might be multiple intermediaries that must be able to read or even modify the contents of a message, or the same service might be used in different environments (e.g. mobile vs. stationary). Thus, a notion of static end-to-end security is not applicable here, as in the case of simpler IP-communications.

Furthermore, service-oriented architectures are distributed systems, i.e. the functionality and resources are distributed over several machines or processes. It is hard to design distributed systems correctly, or efficiently validate them, due to the exponential state space complexity that arises from all the states that individual processes can reach independently of each other, even in an environment that is not hostile [193]. In a distributed system, attackers can abuse situations that have not been thought of in the design of the system.

Service-oriented applications, as well as their security requirements, are in general not static but rather continuously evolving. Their interaction takes place in highly dynamic environments where the composition of services can be undertaken at runtime. Some security policies are dynamically modified (e.g., for incident handling or in case of emergency), and agents may join or be excluded from a community sharing some security context. At various steps of their execution, services may need to obtain from their clients credentials testifying to their security clearances. In order to fully describe these trust and security aspects of services and the ways they interact with their clients, security policies must be regarded as part of the service specifications and as first-class objects exchanged and processed by the services. This generates complex evolving environments and therefore ensuring security of service-oriented architectures remains a far-reaching goal. In fact, the challenge of verifying service-oriented applications cannot be addressed by employing, and scaling up, the current generation of formal analysis approaches and tools. There are two main reasons for this.
First, security properties of protocols are in general non-compositional (see, e.g., [160, 113]). For instance, assuming that components such as channels are secure does not prevent spoofing attacks, which result in channel downgrading. Methods have been developed for compositional interactive theorem proving for such protocols (see, e.g., [124, 117]), but they have so far proven unsuitable for automatic verification. Second, the effort required for the verification of security properties is exponential with respect to the number of protocol roles involved, even for restricted instances of the problem (see, e.g., [203]).

Contributions and advance brought by the project

The innovative challenge that we will tackle in AVANTSSAR is to develop a general model for the combination and integration of different services and policies within the context of service-oriented computing, focusing on trust and security aspects. In particular, regarding the verification of dynamic composite services, one has to consider the various ways in which component services can be coordinated, and develop new techniques that allow for compositional validation reflecting this modularity. Furthermore, the compositional validation will help us address the complexity problem. To the best of our knowledge, there is currently no method for the validation of such complex trust and security aspects of services. Moreover, for the practical use and take-up by industry and standardisation organisations, it is essential that any such verification technique provides a high degree of automation. The research innovation proposed in the AVANTSSAR project is to ensure global security of dynamically composed services and their integration into complex service-oriented architectures by developing an integrated platform of automated reasoning techniques and tools.

AVANTSSAR will achieve this by first devising new automated procedures for the problems of security analysis of services, and their negotiation and synthesis, and then implementing these procedures. Tackling this goal requires the development of novel languages and methods, as well as the extension and scaling up of previous results by the project members. For example, among other things, we will extend our results on the different attacker models and related model-checking techniques obtained in the course of the AVISPA project, and we will devise new algorithms for automated synthesis of services (exploiting our skills on automated controller synthesis and modal and other non-classical logics). To explain our technical approach in more detail, consider again Figure 1.

From a modelling point of view, AVANTSSAR, through its language ASLan, will provide the first approach for comprehensive specification of all aspects related to security of service architectures, a significant advance over approaches which have focused only on some of their elements, such as languages and calculi for security protocols, policy definition languages or service description languages. While this is a significant and difficult undertaking, it is absolutely necessary as a basis for validation, since by the very definition of service-oriented architectures, all of the above-mentioned elements interact. More specifically, AVANTSSAR will support modelling transformations of specifications of services and their orchestration between the logical and application level. At the logical level, we will develop a TS Orchestrator that receives as input ASLan specifications of a set of services and associated policies as well as a compositional policy P, and outputs the ASLan specification of a composed service CS and associated policy CP. The resulting validation problem will in particular require checking that CS abides by CP, as well as that CP implies both P and all given individual policies.

With respect to the automated techniques required by validation problems such as these, AVANTSSAR will go beyond mere extension and optimisation of existing methods. As a central issue, we will develop novel compositional reasoning techniques based on recent work [9] that gives sufficient, automatically verifiable conditions for protocols not to interfere at the network level, and includes the development of decomposition techniques that detect component services for which compositional results can be used. In addition, AVANTSSAR will define and analyse novel attacker models defined with respect to subterm constraints in addition to traditional equality constraints, and develop reasoning techniques that are parameterised with respect to such intruder models. We will develop different kinds of validation techniques, ranging from the application of non-classical logics (in particular, for reasoning about obligations and trust), to techniques for the satisfiability of ASLan policies and for the model-checking of services with respect to policies.

The automated AVANTSSAR validation platform, in addition to improving over already powerful verification capabilities, proposes a novel approach to verification of composed services and service architectures which combines synthesis and validation. The TS Orchestrator combines component services with the goal of satisfying a global policy, including synthesis of wrappers in the case of dynamic composition. Finally, the resulting system is analysed automatically by the TS Validator, which assures (or disproves) that the service composition is indeed secure. Compared to existing libraries of validated security protocols, AVANTSSAR aims by its stated success criteria to prove scalability to a new level of complexity, by providing a library of validated SOA problem cases extracted from applications in the areas of e-business, e-government, and e-health, representative of the security needs of society and industry. By providing proof of concept for the envisaged design and validation flow, AVANTSSAR will assist industrial designers in developing service architectures conceived for automated validation, and thereby foster migration of our results and technologies into industrial best practice languages and models.
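The validation obligations just described (CS abides by CP; CP implies P and every component policy) as a small executable model, added here as an illustration and not AVANTSSAR or ASLan code. It assumes a stand-in representation: a service is a list of transition rules over a set of facts, a policy is a predicate over a run and its final state, and the identity provider, file store, principals and files are constructed sample data. It also shows why the obligations matter: two components that each keep their own policy can be composed into a service that violates the global policy until a wrapper restricts it.

```python
"""Toy model of the TS Orchestrator / TS Validator obligations.  Added
illustration, not AVANTSSAR code: ASLan syntax is not reproduced.  A service
is a list of rules (action, required facts, added facts); a policy is a
predicate over (run, final state).  All principals and files are constructed."""
from collections import deque
from typing import Callable, FrozenSet, List, Tuple

Fact = Tuple[str, ...]
State = FrozenSet[Fact]
Action = Tuple[str, ...]
Run = Tuple[Action, ...]
Rule = Tuple[Action, FrozenSet[Fact], FrozenSet[Fact]]
Service = List[Rule]
Policy = Callable[[Run, State], bool]


def rule(action, requires=(), adds=()) -> Rule:
    return (tuple(action), frozenset(requires), frozenset(adds))


def identity_provider(users) -> Service:
    """Component service 1 (constructed): a login yields a token."""
    return [rule(("login", u), adds={("token", u)}) for u in users]


def file_store(users, files, check_owner=False) -> Service:
    """Component service 2 (constructed): a read only needs a token.
    check_owner=True models a synthesised wrapper that also demands ownership."""
    extra = lambda u, f: {("owns", u, f)} if check_owner else set()
    return [rule(("read", u, f), requires={("token", u)} | extra(u, f))
            for u in users for f in files]


def orchestrate(services, init: State, max_len=3) -> List[Tuple[Run, State]]:
    """TS Orchestrator stand-in: every run of the composed service CS, i.e. all
    interleavings of enabled component rules (each action at most once)."""
    out, queue = [], deque([((), init)])
    while queue:
        run, state = queue.popleft()
        out.append((run, state))
        if len(run) >= max_len:
            continue
        for svc in services:
            for act, req, adds in svc:
                if req <= state and act not in run:
                    queue.append((run + (act,), state | adds))
    return out


def p_idp(run: Run, state: State) -> bool:
    """Identity provider's policy: every token was preceded by a login."""
    logins = {a[1] for a in run if a[0] == "login"}
    return all(f[1] in logins for f in state if f[0] == "token")


def p_store(run: Run, state: State) -> bool:
    """File store's policy: every read was performed by a token holder."""
    return all(("token", a[1]) in state for a in run if a[0] == "read")


def p_global(run: Run, state: State) -> bool:
    """Global policy P: a principal only reads files it owns."""
    return all(("owns", a[1], a[2]) in state for a in run if a[0] == "read")


def conjoin(*policies: Policy) -> Policy:
    """Composed policy CP as the conjunction of P and the component policies,
    so that CP implies each of them by construction."""
    return lambda run, state: all(p(run, state) for p in policies)


def validate(runs, cp: Policy):
    """TS Validator stand-in: first run of CS that violates CP, or None."""
    for run, state in runs:
        if not cp(run, state):
            return run
    return None


def implies(p: Policy, q: Policy, runs) -> bool:
    """Does policy p imply policy q on every explored run?"""
    return all(q(run, s) for run, s in runs if p(run, s))


USERS, FILES = ("alice", "bob"), ("f1", "f2")
INIT: State = frozenset({("owns", "alice", "f1"), ("owns", "bob", "f2")})
CP = conjoin(p_global, p_idp, p_store)


def check(check_owner: bool):
    """Orchestrate idp + store; return (CP counterexample, store-policy => P)."""
    cs = orchestrate([identity_provider(USERS),
                      file_store(USERS, FILES, check_owner)], INIT)
    return validate(cs, CP), implies(p_store, p_global, cs)


if __name__ == "__main__":
    # Each component honours its own policy, yet a logged-in user reads
    # another user's file: the composition leaks until the wrapper is added.
    print(check(False))  # ((('login', 'alice'), ('read', 'alice', 'f2')), False)
    print(check(True))   # (None, True)
```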
Application limits of the proposed formal approach

As we have seen, the spectrum of features we propose for the modelling and fully automated validation of trust and security properties in service-oriented architectures is considerably broader than that proposed in any individual approach so far. Naturally, our approach will have several limitations, e.g. theoretical limitations on the reasoning techniques and platform limitations on the types of attacks that can be handled, which we discuss in detail at the end of workpackages WP 3.5 and WP 4.3. While other application limits are more difficult to predict or evaluate a priori, we will explicitly address limitations and assumptions in the assessment package WP 5.4, and the set of case studies will give a clear quantitative measure of success.

B1.3 S/T methodology and associated work plan

Overall strategy of the work plan

AVANTSSAR is a 36-month project that can be subdivided into four main technical parts and a dissemination package, together with a workpackage WP 1 devoted to project management. As described above (and in more detail in the following sections), the main goal of the project is the development of the AVANTSSAR Validation Platform depicted in Figure 1. The dependencies (and input output relations) between the workpackages are depicted in Figure 2.

Figure 2: Dependencies between the workpackages (figure not reproduced; it arranges the workpackages under the columns Modelling, Reasoning, Automation, Application and Dissemination: WP2 Modelling trust & security aspects of SOA yields the ASLan spec. lang., WP3 Automated reasoning techniques yields validation techniques, WP4 The AVANTSSAR validation platform yields tool support, WP5 Proof of concept yields the AVANTSSAR Library, and WP6 Dissemination and industry migration follows; WP1 Project Management spans all of them.)

Workpackage WP 2 has as main goal the definition of the AVANTSSAR Specification Language (ASLan), which will allow users of the platform to formally model trust and security-related aspects of service-oriented architectures resulting from the run-time composition of services and their associated policies.

Workpackage WP 3 will focus on the development of automated reasoning techniques for service architectures formally described and specified using the concepts and language of WP 2.

Workpackage WP 4 will integrate and implement the reasoning techniques and decision procedures developed in WP 3 for systems modelled using the ASLan language. The result will be a uniform toolset, the AVANTSSAR Validation Platform, with support for both design and analysis. It will be able to automatically check whether a set of services can be securely combined, orchestrate their composition by providing a protecting security wrapper for the composed service, and validate the result.

Workpackage WP 5 will define and formalise a set of industrial problem cases, against which the models, techniques, and tools developed in WP 2, WP 3, and WP 4 will be assessed. This includes producing the AVANTSSAR Library, a set of formalised and validated secure services and service architectures, providing proof of concept that the developed technology scales to the envisaged applications.

Workpackage WP 6 has as objective to facilitate the dissemination and migration of the project results into the scientific community and industry. Besides the dissemination activity, for which appropriate and standard communication media including a web site, forums, project workshops, and reports will be set up to disseminate the project results, a considerable effort will be dedicated to the migration of the project outcomes to industry (see WP 6.2 and WP 6.3). For instance, WP 6.2 aims to migrate the project outcomes to the development process of the SAP industrial partner. In general, while the four technical workpackages address issues such as expressiveness, scalability and automation, WP 6.2 and WP 6.3 will focus on making the results of the other workpackages accessible to, and readily exploitable by, industry designers and developers.

Timing of the different WPs and their components

A GANTT chart depicting the scheduling of the workpackages is given in Figure 3: it depicts the timelines of the single workpackages and their sub-workpackages, as well as the 7 planned project meetings (a kick-off meeting, 3 synchronisation meetings attended by all consortium partners, and 3 project review meetings).

Figure 3: GANTT Chart of the AVANTSSAR Project (chart not reproduced; its rows, by month, are: WP1 Project management, with the kick-off meeting, 1st synch meeting, 1st review meeting, 2nd synch meeting, 2nd review meeting, 3rd synch meeting and final review meeting; WP2 Modelling trust and security aspects of SOA, with WP2.1 Initial ASLan, WP2.2 Extended ASLan, WP2.3 Final ASLan; WP3 Automated reasoning techniques, with WP3.1 Satisfiability of ASLan policies, WP3.2 Model-checking policies w.r.t. services, WP3.3 Attacker models, WP3.4 Compositional reasoning for services and policies, WP3.5 Abstraction for composed services and policies; WP4 The AVANTSSAR validation platform, with WP4.1 TS Orchestrator, WP4.2 TS Validator, WP4.3 Platform integration; WP5 Proof of concept, with WP5.1 Definition of problem cases, WP5.2 Formalisation of problem cases, WP5.3 Validation of problem cases, WP5.4 Assessment; WP6 Dissemination and industry migration, with WP6.1 Dissemination, WP6.2 Migration to industry, WP6.3 Migration to standardisation organisations.)

Detailed work description

Workpackage list

The workplan is organised in 6 workpackages, which are listed in Table 2. Responsibilities and timelines are clearly defined for every workpackage. Note that, for simplicity of exposition, we identify sub-workpackages and tasks, and simply speak of the former.

Table 2: Workpackage list (the per-workpackage person-months and start/end months did not survive extraction and are left blank)

Workpackage no. | Workpackage title | Type of activity | Lead benef. no. | Lead beneficiary short name | Person-months | Start month | End month
1 | Project Management | MGT | 1 | UNIVR | | |
2 | Modelling Trust and Security Aspects of Service-Oriented Architectures | RTD | 2 | ETH Zurich | | |
3 | Automated Reasoning Techniques | RTD | 4 | UPS-IRIT | | |
4 | The AVANTSSAR Validation Platform | RTD | 5 | UGDIST | | |
5 | Proof of concept | RTD | 9 | SAP | | |
6 | Dissemination and Industry Migration | RTD | 9 | SAP | | |
TOTAL | | | | | 590 | |

Legend: in Table 2 and in the workpackage tables given in the subsequent pages, we follow the Guide for Applicants and indicate the nature of the workpackage activity by writing RTD for Research and technological development and MGT for Management.

Deliverables list

The workplan comprises 25 deliverables, which are listed in Table 3.

Legend: in the list of deliverables, we follow the Guide for Applicants and indicate the nature of the deliverable using the following codes: R = Report, P = Prototype, D = Demonstrator, O = Other. Deliverables D4.1 and D4.2 are of type R&P as they will describe the development and prototypical implementation of the AVANTSSAR Validation Platform. Deliverables D5.2 and D5.3 are of type R&O as they will comprise reports as well as specifications. Deliverable D6.1 is of type O as it will comprise the activation and maintenance of the AVANTSSAR Website and the publication of the package of the AVANTSSAR Platform.

The dissemination level is indicated using the following codes:
PU = Public.
PP = Restricted to other programme participants (including the Commission Services).
RE = Restricted to a group specified by the consortium (including the Commission Services).
CO = Confidential, only for members of the consortium (including the Commission Services).

The person months missing from the total in Table 3 are those that are not directly linked to deliverables but rather are devoted to continuous management and administration activities in WP 1.

Table 3: Deliverables list (for D2.1 to D2.3 some person-month and delivery-date cells did not survive extraction and are left blank)

Del. no. | Deliverable name | WP no. | Lead beneficiary | Estimated indicative person-months | Nature | Dissemination level | Delivery date (proj. month)
D1.1 | Project Presentation | 1 | UNIVR | 1 | R | PU | 3
D1.2 | Basic Dissemination and Use Plan | 1 | UNIVR | 2 | R | PU | 6
D1.3 | Progress/Assessment Report for Year 1 | 1 | UNIVR | 1 | R | PU | 12
D1.4 | Progress/Assessment Report for Year 2 | 1 | UNIVR | 1 | R | PU | 24
D1.5 | Final Project Report | 1 | UNIVR | 2 | R | PU | 36
D1.6 | Final Dissemination and Use Plan | 1 | UNIVR | 2 | R | PU | 36
D1.7 | Technology Implementation Plan | 1 | SAP | 2 | R | PU | 36
D2.1 | Requirements for modelling and ASLan v.1 | 2 | ETH Zurich | 41 | R | PU |
D2.2 | ASLan v.2 with static service and policy composition | 2 | ETH Zurich | | R | PU |
D2.3 | ASLan final version with dynamic service and policy composition | 2 | ETH Zurich | | R | PU | 30
D3.1 | Decision procedures for service synthesis and satisfiability of ASLan policies | 3 | UPS-IRIT | 76 | R | PU | 30
D3.2 | Model-checking techniques | 3 | UPS-IRIT | 28 | R | PU | 32
D3.3 | Attacker models | 3 | INRIA | 20 | R | PU | 12
D3.4 | Abstraction and compositional reasoning techniques for service analysis | 3 | INRIA | 30 | R | PU | 34
D4.1 | AVANTSSAR Validation Platform v.1 | 4 | UGDIST | 60 | R&P | PU | 24
D4.2 | AVANTSSAR Validation Platform v.2 | 4 | UGDIST | 50 | R&P | PU | 36
D5.1 | Problem cases and their trust and security requirements | 5 | SAP | 16 | R | PU | 6
D5.2 | Formalised problem cases | 5 | SAP | 51 | R&O | RE | 30
D5.3 | AVANTSSAR Library of validated problem cases | 5 | SAP | 30 | R&O | RE | 36
D5.4 | Assessment of the AVANTSSAR Validation Platform | 5 | SAP | 12 | R | PU | 36
D6.1 | AVANTSSAR Website and Package | 6 | UNIVR | 6 | O | PU | 1, 36
D6.2.1 | State-of-the-art on specification languages for service-oriented architectures | 6 | SAP | 6 | R | PU | 6
D6.2.2 | Industrial language requirements | 6 | SAP | 20 | R | RE | 12
D6.2.3 | Migration to industrial development environments: lessons learned and best practices | 6 | SAP | 49 | R | PU | 36
D6.3 | Migration to standardisation bodies | 6 | SIEMENS | 15 | R | PU | 36
TOTAL | | | | 579 | | |

WP 1: Project Management

Project management will aim to keep the project on target in a way that the individual task objectives and the overall project objectives can be best achieved. Given the relatively small size of our consortium and, most importantly, the past history of successful collaboration between all partners (in several European, international, and national projects), we expect that project management will be effective and unproblematic.

WP 1.1: Project coordination

Overall, this workpackage describes how we will coordinate the cooperation between the project partners, as well as the communication between the partners and the European Commission. It also fixes responsibilities for financial and other kinds of administration involved in running the project. Finally, it sets standards for monitoring the technical content and progress of each workpackage, supervising the evolving project results at each milestone, and coordinating the synergies between the different workpackages.

WP 1.2: Project meetings

General project meetings, attended by all consortium partners, will take place every 6 months. More specifically, in addition to two annual project review meetings and a final review meeting, there will be one project meeting per year, attended by all site leaders and representatives of all project sites, in order to synchronise and assess the results. There will also be additional meetings and bilateral visits, which will be arranged as needed. We will organise three project workshops, possibly in combination with the meetings; the last of these workshops will be an open one, possibly as part of the ARSPA (Automated Reasoning for Security Protocol Analysis) workshop series that was originated during the AVISPA project (see for more details on the workshop series and the associated journal special issues). The following is a preliminary timetable for the project meetings:
Month 1: Kick-off meeting.
Month 6: First synchronisation and assessment meeting.
Month 12: First review meeting.
Month 18: Second synchronisation and assessment meeting.
Month 24: Second review meeting.
Month 30: Third synchronisation and assessment meeting.
Month 36: Final review meeting.

WP 1.3: Project administration

The project coordinator will also coordinate, with the support of the different site leaders, the financial and bureaucratic administration of the project, managing in particular the cost statements, the budgetary overviews, the budget for the management task, etc.

WP 2: Modelling trust and security aspects of service-oriented architectures

This workpackage provides the conceptual framework for modelling service-oriented architectures, and in particular their trust and security aspects, embedded in the AVANTSSAR Specification Language (ASLan). We will employ this formal language in the specification and analysis activities in the subsequent workpackages, including those for the validation of the problem cases and the construction of the AVANTSSAR Library in WP 5. The domain of the ASLan language covers all trust and security-relevant aspects of Service-Oriented Architectures. In particular, the language will allow one to specify the trust and security-relevant aspects of the functionality offered by a service, the composition principles used to build complex services, the imposed restrictions (e.g., obligations, trust, etc.), the properties required to be satisfied by a service, and the applicable policies. The design of ASLan will take into account existing languages for policy definition, service description, and service orchestration, and extend on them. The definition of ASLan will be taken as input by WP 3, which will formalise rules for reasoning about these services, and formulate theorems which will be implemented in the AVANTSSAR platform developed in WP 4.

Workpackage structure

Development of ASLan will proceed in coordination with WP 3, WP 4 and WP 5, in particular with the latter, which will convert informally or semi-formally described industrial problem cases into validation problems whose formal description in ASLan requires increasingly complex concepts and language elements.

WP 2.1: Atomic services and non-composed policies

This sub-package introduces the basic language elements needed to model non-composed services and their policies. As a preliminary task, it also defines general requirements for the ASLan language.
WP 2.2: Static service and policy composition

This sub-package introduces elements needed to model more complex services and policies, which are obtained from the previously defined elementary building blocks by static (design-time) composition.

WP 2.3: Dynamic service and policy composition

This sub-package introduces elements needed to model the dynamic (run-time) composition of language elements. As a final task, it will evaluate and revise the language based on the final modelling outcomes of WP 5 and produce the ASLan language report.

Requirements for the ASLan language

The requirements for ASLan are derived from the target application domain and the proposed methodology. First, regarding the target application domain, the selection of concepts and notions to be covered by the ASLan language will be driven by the problem cases in WP 5. This will be the starting point for task WP 2.1, which will define the initial subset of ASLan. Second, related to the methodology proposed in WP 3 and WP 4, the first goal of the modelling is to turn informal specifications and requirements of the system into formal equivalents. This requires the development of language constructs for the specification of services and policies, as depicted in Figure 4. In WP 5, the trust and security aspects of services and policies in a service-oriented architecture will be extracted and translated into ASLan specifications. These specifications will comprise the domains relevant to services and their composition, and to the trust- and security-relevant aspects of policies such as the cryptographic primitives employed to secure the messages, and application-level properties such as anonymity and obligations.

Figure 4: The domain of the ASLan language (figure not reproduced; within a Service Oriented Architecture, the AVANTSSAR focus is on the trust and security relevant aspects, which form the ASLan domain. This domain comprises Services, which provide (security) functionality, e.g. identity providers, time stamping functionality, credentials provision, policy decision; and Policies, which constrain service executions, e.g. access control, security parameters, anonymity, obligations, trust.)

The concepts appearing in the development of ASLan are addressed below in order of increasing complexity, first for services, and then for policies.

Services

Our language has to describe the trust and security aspects of the basic building blocks of service-oriented architectures, as well as the composition of these building blocks. The ASLan language has to capture the behaviour of a service at an abstraction level that will permit reasoning about: the security functionality of individual services, the resulting security functionality of a set of services, and changes in the architectural implementation, in particular the substitution of a component providing a service with another one providing similar functionality.

Modelling of, and reasoning about, the security behaviour of a component-based system is complex. Ideally, one would like to simplify the problem by reasoning about the security aspects only. However, in a SOA, application-level and security functionalities are often closely coupled: the application logic determines how services are put together, and, moreover, the composition can cause security features to interfere, often in non-obvious ways. For example, a correct authentication protocol (ISAKMP), and an access control policy that is sound with respect to the business requirements (stating that a symmetric key is to be shared by all users and by the server) can, when employed together, lead to bypassing of access control restrictions (a user can get the password of another user) [221]. One must also ensure that auditing policies do not interfere with confidentiality and privacy requirements. Thus it is essential to be able to capture not only security functionality but also elements of application functionality in the same model and language, while providing facilities for the abstraction of both.

Atomic services (in WP 2.1)

Atomic services are represented by an interface that defines a set of available operations, each operation being a function invoked by a message sent to the service and replying with another message. Arbitrarily complex services can be considered as atomic, as long as their implementation is not exposed and they are seen only through their interface. Atomic services provide functionality not only for the business logic, but they also can provide the basic building blocks of security functionality. They cover, for instance, identity providers, time-stamping functionality, provision of credentials, access control rule evaluation (also known as policy decision), and logging or audit services. In service-oriented computation, a single atomic service is typically not sufficient to satisfy an application-level requirement. Instead, services must be composed (see below).

The description language for atomic services must allow one to express the mechanisms used for service identification, service invocation, and message transmission, including the formats used. Web services and their description languages offer a good starting point. In the Web Service architecture, atomic services are services published and described by a WSDL [238] file on a Web Server. Though this description may be of interest in ASLan when the functional definition of a service is security-relevant, we will focus our attention on the policies attached to these atomic services as well as on other composed services that rely on these atomic services to perform a complex task.

Composed services

Atomic services can be composed to build more complex services. The composition can serve many purposes. Within the scope of this proposal, we focus on the trust and security constraints respected by these composed services. These constraints are imposed by the component services employed and by the composed service designer. Service composition can appear and be seen in two major different contexts. The first is static composition, at design-time, when one wishes to obtain an application-level functionality through combination of building blocks. Run-time service composition, on the other hand, relates to situations where the use of a service has to be validated during the normal operation of a service-level architecture, starting from the information provided in its interface. This includes situations such as service discovery (from a library of services matching given interface properties), or service substitution with another appropriate architectural component.

Static service composition (in WP 2.2)

Composed services utilise the functionality of their component services to satisfy their security policies, and ultimately the application-level security requirements. These requirements are property-oriented and refer to either abstract security concepts (e.g. access control) or application-level policies (e.g. separation of duty). To express these concepts, ASLan needs to provide appropriate language elements, such as channels, principals, identities (referring to subjects and resources), obligations and trust. They have to be accompanied with means to specify service composition, in terms of service orchestration, choreography, message passing, etc. Note that the models and language elements required for composed services differ from those necessary to describe the characteristics of atomic services. For instance, they need to capture service orchestration, service invocation, and interactions between services. ASLan has to be sufficiently expressive to cover all of them. We will start our investigations by examining existing service description languages, the features that they offer, and their limitations for expressing interaction and composition in the security domain as described above.
The Business Process Execution Language (WS-BPEL) [185], whose contributors include IBM, Microsoft, and SAP, provides a means to specify business processes and their interaction. It supports modularisation by allowing one to define how a business process can make use of a given web service as well as how a given functionality can be provided as a web service. To describe the coordination necessary to achieve a given goal, it includes notions to describe both the logic and the stateful information needed for such a coordination. The Choreography Description Language (WS-CDL) [239] describes a higher layer in the Web Services architecture stack, focusing on a global viewpoint of the observable behaviour and information exchange. Outside of the Web Services standardisation effort, a relevant approach is the Orc language by Misra et al. [181], designed for orchestrating distributed services, and providing constructs that express the concurrent invocation of sites offering services for the purpose of achieving a common goal. None of the languages mentioned is specifically oriented towards security. So even if they are suitable to express the composition aspects, we need extensions to describe security properties and policies.

Dynamic service composition (in WP 2.3)

The language developed up to this point is sufficient to describe or model design-time activities: specification of atomic services and static service composition. The language will be extended to cope with dynamic aspects, including run-time service composition, security requirements evolution, and dynamic policies. Necessary language elements both on the level of service composition (e.g. directory services and dynamic binding) and atomic services (e.g. delegation and group protocols) will be added. Within the AVANTSSAR project, we aim to model situations where services can be added dynamically to the system, or where a service calls other services to carry out a required subtask, e.g., obtain certain access credentials, also known as run-time composition. We will develop language features to enable the modelling of an infrastructure that allows for dynamic composition of services, by introducing a refinement layer and refining a service call to a directory service call with dynamic binding.
We will address modelling issues for which there is currently little work (cf. [55, 192, 63]), such as modelling service disruption or reconfiguration of the service infrastructure. Along the way we will address provisions for changing services that are already present, as a change in the service structure can imply that previously established policies are no longer true, e.g., the addition of new principals for a role previously reserved to only one. Run-time composition may even lead to cascading compositions: an emerging authentication requirement may ask for a secured connection to a login service that has not been included before, which in turn requires a logging service to register password failures, etc.

Policies

Security policies (in WP 2.1)

Security properties are abstract descriptions of protection needs or requirements. They express what has to be achieved, without prescribing the means to do this. Thus, the implementation of security properties can be done in many different ways, for instance, via cryptographic mechanisms, access control policies, or organisational means. For example, security properties might specify that only the users in a certain group are able to access a given resource, or that a certain user is trusted to perform a given action according to the stipulations and restrictions provided by a given process description. Security policies are rules that prescribe the use of technical, political, management, financial, and administrative mechanisms arranged to restrict the possible behaviours of a system in order to achieve certain security properties. Security policies may be implemented through organisational procedures or via a policy management system that is able to interpret and directly enforce (apply) the policy through system objects that explicitly represent the policy (policy objects).
In the latter case, the policy specification expresses how the policy is to be enforced: the policy object contains statements that can be executed by a policy enforcement point. Note that the implementation of a security policy may be incorrect and therefore not ensure that the policy is indeed adhered to. Thus, there is a validation task applying to policy enforcement. Due to the wide range of security aspects that can be addressed in a policy, its individual statements (policy assertions) can relate to different concepts and address different abstraction levels. The concepts may include:
- access control (leading to assertions of the form 'user u is allowed/denied to perform action a on service s or resource r') and several flavours of separation of duty (with assertions like 'tasks t1 and t2 are mutually exclusive in work flow w'), that induce security properties like authentication or confidentiality, which must hold when a resource leaves the protected part of the service-oriented architecture;
- security parameters (like the kind of encryption allowed);
- obligations (like 'file f must be removed after one month') that induce structural constraints on composed services in which this service appears;
- anonymity (like 'users of service s remain anonymous');
- trust, with assertions relating to required or assigned trust values or constraints, like 'any user of service s must have been authenticated by a trusted server as playing a role r'.
In general, we do not exclude more abstract properties (like 'message m is kept confidential') being part of a policy. However, the distinguishing feature between security properties and policies is the fact that policies are explicitly represented as objects that a service can operate upon. In contrast to security properties, security policies are meaningful when associated to an atomic service (e.g. authorization) or a composed service (e.g. separation of duty), an operation (e.g. to express obligations imposed after the execution of the operation) or a message (e.g. to express the cryptographic primitives employed to secure the message).
In addition, policies might be composed themselves. This leads to composition operators defined on policy objects, and a definition of an implementation relation between policy objects. These objects can define both the requirements imposed by the service or operation (e.g. presence of an auditor) and locally-enforced assertions (e.g. a service accepts only communications via TLS).

Composition of policies (in WP 2.2)

The language requires a number of constructs for modelling composition of policies. We elaborate on a number of types of policy composition or change, which we will need to model in ASLan.

From global to local policies. Suppose a service S is composed of component services S_1, ..., S_n. If S is required to abide by a policy P, then we can achieve this by decomposing P into component policies P_1, ..., P_n that the component services S_1, ..., S_n abide by. In the simplest case, where the component services do not interfere and the component policies partition P, the composition operator on policies is conjunction, which means we want all of them to be respected. In more complex cases, we will define more sophisticated composition operators on policies. A particular case is given if P is enforced by a dedicated component service k. In this case, we can say that the dedicated component service enforces a policy defined on the level of the composed service rather than on the component level. Technically speaking, S_k has (and abides by) the policy P, while for any i ≠ k, S_i does not have (is unaware of) the policy P. This resembles the situation of S_k being the policy enforcement point for S. However, it still has to be shown that the delegation of P's enforcement to S_k is valid in the presence of S_i for i ≠ k, i.e., that the global policy P is properly implemented locally.
The situation is illustrated by a separation of duty policy for a service implementing a work-flow system, where two component services, each implementing a task, should be mutually exclusive, i.e., they should never be executed by the same user within the same work-flow instance. The global policy P can be enforced by either:

- requiring both services to enforce the global security policy P locally, implying that the policy has to be made known to both services, which must be designed to abide by it; or
- using a third component service as policy enforcement point for P, e.g. the resulting composite service only calls a task after invoking this service to check whether executing the task would comply with P; or
- using local access policies P_1 and P_2 for the two component services S_1 and S_2, stating which user is allowed to perform the task protected by them. In this case, the local policies do not need to be aware of the global policy P. Also, the local policies can be at a different abstraction level: they might talk about users and resources for a particular service, whereas the global policy P is given in terms of tasks and their relations. It is the task of the validator to check that the combination of the local policies refines/implements the given global policy P.

Dynamic policies. The separation of duty example also covers the case of dynamic policies. Since the local policies are access control policies and, thus, are not aware of the work-flow security context (for instance, S_1 protecting a task T_1 is not aware of the user that is currently assigned to task T_2), they have to be updated each time the work-flow security context changes. For instance, as soon as user u is assigned to task T_2 in a work-flow instance, P_1 has to be updated with a statement expressing that u is not entitled to call S_1. Thus, language constructs are needed to express the possibility of policy change over time.

Obligations. Another example of policy implementation occurs with respect to obligations [62, 148, 41, 223] imposed on a user after a resource has been utilised. Consider a requirement on logging particular events for a composed service that is expressed by a policy stating which events have to be logged under which conditions.
Such a policy can be implemented through local policies that apply to the component services, requiring each to provide a log for their locally occurring events. The merge of the component logs then serves to meet the global policy assertions. While composing services induces a minimal policy on the composed service as explained above, obligations in turn impose conditions on the structure of the composed service in which a component service is employed.

The ASLan language

After developing features for both dynamic and static composition, we close off the workpackage with the final task of evaluating its use in the case studies of WP 5, implementing the needed revisions, and producing a final report of the full language. The models and language elements for policy specification offered through ASLan have to be carefully designed to allow for describing the different aspects, abstraction levels and relations. ASLan thus provides a significant extension to existing policy languages [116, 2, 154, 235], and will be the first language to allow for comprehensive specifications of all aspects related to service security.
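The separation-of-duty discussion above (global policy P refined into local access policies P_1 and P_2, which must be updated whenever a user is assigned to a task) can be exercised with a small validator. The following is an added example written for this page, not code from the AVANTSSAR project or from ASLan: two component services each protect one task with a local policy object, the workflow updates the other service's policy whenever a user is assigned to a task, and a bounded exhaustive search over request sequences plays the role of the validator that checks whether the combination of local policies implements P. The user names, task names and the bound are assumptions of the example.

```python
"""Separation of duty enforced through dynamically updated local policies.

Constructed example: two component services S1 and S2 each protect one
task (T1, T2) with a local access-control policy object.  The global
policy P says that T1 and T2 are mutually exclusive within a workflow
instance.  A bounded exhaustive validator checks whether the composition
of the local policies implements P, both with and without the dynamic
update of the local policies.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Set, Tuple

USERS = ("alice", "bob")            # constructed user population
TASKS = ("T1", "T2")                # constructed workflow tasks


@dataclass
class LocalPolicy:
    """Policy object of one component service: who may not call it."""
    denied: Set[str] = field(default_factory=set)

    def permits(self, user: str) -> bool:
        return user not in self.denied


@dataclass
class Workflow:
    """One workflow instance built from component services S1 and S2."""
    policies: Dict[str, LocalPolicy]             # task -> local policy P_i
    dynamic: bool                                # propagate updates or not
    executed: List[Tuple[str, str]] = field(default_factory=list)

    def call(self, user: str, task: str) -> bool:
        """Request that `user` executes `task`; return whether it ran."""
        if not self.policies[task].permits(user):
            return False                         # local enforcement point denies
        self.executed.append((user, task))       # user is now assigned to task
        if self.dynamic:
            # Policy change over time: as soon as u is assigned to T2, the
            # local policy P1 of S1 must deny u (and symmetrically).
            for other in TASKS:
                if other != task:
                    self.policies[other].denied.add(user)
        return True

    def violates_sod(self) -> bool:
        """Global policy P: no user executes both T1 and T2."""
        by_user: Dict[str, Set[str]] = {}
        for user, task in self.executed:
            by_user.setdefault(user, set()).add(task)
        return any(set(TASKS) <= done for done in by_user.values())


def fresh_workflow(dynamic: bool) -> Workflow:
    return Workflow({t: LocalPolicy() for t in TASKS}, dynamic)


def validate(dynamic: bool, depth: int = 3) -> Optional[List[Tuple[str, str]]]:
    """Bounded exhaustive exploration of all request sequences.

    Returns a trace of accepted calls that violates P, or None when every
    reachable trace of up to `depth` requests respects P.
    """
    requests = list(product(USERS, TASKS))
    for n in range(1, depth + 1):
        for seq in product(requests, repeat=n):
            wf = fresh_workflow(dynamic)
            for user, task in seq:
                wf.call(user, task)
            if wf.violates_sod():
                return wf.executed
    return None


if __name__ == "__main__":
    print("static local policies :", validate(dynamic=False))
    print("dynamic local policies:", validate(dynamic=True))
```

With `dynamic=False` the local policies are plain access policies that never learn the workflow context, and the validator returns the two-step counterexample in which the same user runs T1 and then T2; with `dynamic=True` every trace within the bound respects P, which is the refinement check the text assigns to the validator.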

WP 3: Automated reasoning techniques

This work package is devoted to the development of automated reasoning techniques for the ASLan language. By automating the reasoning about security-relevant aspects of services and associated policies, these techniques will serve as the basis for the automated validation technology to be developed in the project. Since the goal of the reasoning techniques developed for ASLan specifications is the implementation into the AVANTSSAR Validation Platform, we will focus on reasoning techniques that allow for automation. Among the existing techniques, and given the scientific background of the project members as well as earlier experience within the related AVISPA project (see [30] and the Appendix A), we will focus on decision procedures for satisfiability and model-checking problems. To elaborate on this, a satisfiability problem is the problem of determining whether a given logical formula (e.g. encoding a security policy) has a model (e.g. representing a possible execution of the service under scrutiny); a model-checking problem is the problem of determining whether a given model (possibly representing the execution of the service under scrutiny in a hostile environment) enjoys the security properties specified by a given formula. In WP 3.1 we will focus on policies viewed as logical formulae and will develop techniques for solving the satisfiability problem for the policies defined in ASLan. In WP 3.2 we will focus on the relation between services and policies and will develop techniques for model checking the security properties of services. The validation of a policy does not only depend on the services, but also on the assumptions on the environment, which includes possible attackers (or 'intruders').
Since the definition of our model-checking problems crucially depends on the abilities of the attackers, it is particularly important to identify attacker models that are relevant for the analysis of service-oriented architectures. As little work has been done in this direction (see [67, 65] for some first steps), in WP 3.3 we will focus on the definition of attacker models. Finally, in order to tame the complexity of industrial-scale SOA applications, we will develop techniques based on compositional reasoning in WP 3.4 and on abstraction in WP 3.5.

WP 3.1: Satisfiability of ASLan policies

Message-level policies. We first focus on the domain of message policies, where the relevant concepts are channels, the transport of messages, and the cryptography used to protect (parts of) messages. Given a communication where a message is emitted according to a policy p and is accepted only if it abides by a policy p', the problem of determining whether the communication can take place can be reduced to checking the satisfiability of the conjunction of the two policies p and p'. In its simplest form, this problem amounts to unification or equality tests on terms (which is sufficient for cryptographic protocols), but significant extensions are needed for supporting XPath constraints which occur in standards such as WS-SecurityPolicy [186]. In particular this may include the computation of the intersection of tree languages representing the messages that can be issued according to p and accepted according to p'.

Trust negotiation. The problem of determining whether a requester can have access to a service and/or to a specific resource given an initial set of certificates can be reduced to the satisfiability of the conjunction of the policies of the issuer and the requester with the resource request.
We believe that a solution to this problem will define a sequence of certificate exchanges (signed by trusted parties), from which one can derive a communication scheme that solves the trust negotiation problem in a setting that is more general than in standard models [75, 184, 213, 167]. We will also use abduction techniques in order to specify, for each resource, a minimal set of certificates that need to be presented by a client to access a given resource.

Request message analysis and response synthesis. For synthesising a composed service, the TS Orchestrator (of WP 4.2) also has to propose a policy for securing the exchanges between services. While the satisfiability techniques described above make it possible to ensure that this policy satisfies the requirements of all parties, it can be executed only if each service can access the relevant keys or other critical data needed to process the messages. The trust negotiation only proposes a possible way for a service to access a resource. In this subtask, however, we will ensure that for each service involved in the composition, there is a sequence of operations (like encryption or decryption of a node) that enables the service to retrieve the data needed for its computation from a secured request, and to secure its response according to the negotiated policy. This problem is akin to the protocol compilation problem [151, 86] and can be solved by an extension to the message constraints in ASLan policies of the intruder deduction techniques we have employed in [98].

Resolution of structural constraints. In addition to the techniques above, we will explore an approach relying on automata-based models [57, 192] or Petri nets [200] of Web Services. To this end, service message contents will be abstracted away. The satisfiability problem of an ASLan specification in this setting corresponds to the synthesis of a composed service matching the functional and security requirements of the specification. We have begun addressing this problem when component services have access control and authorisation constraints, and impose further reputation constraints on other component services. In [90], the UPS-IRIT partner has proposed an automatic composition synthesis technique, which is sound, complete, and terminating, but otherwise too complex for implementation in a runtime environment. In order to permit such an implementation, we plan to employ other techniques from automatic control theory [196] to automatically synthesise services in this abstraction. Existing algorithms for automatic control [29, 128] provide effective decision procedures in a general setting. We will develop methods based on these general techniques but dedicated and tailored to the specific case of the constraints imposed on service composition by ASLan obligations.

WP 3.2: Model-checking services with respect to policies

In this sub-workpackage, we will verify that the execution of a given service in a hostile environment abides by a given policy.
To this end we will have to incorporate, in addition to the composition and component services specifications, an attacker (defined in WP 3.3, scheduled to start before this subworkpackage) representing the hostile environment in which the service will be executed. To achieve our goal of runtime verification, our first task will be to develop model-checking techniques to improve the efficiency of the tools developed in WP 4. Among general model-checking techniques, bounded model checking and partial-order reduction (POR) seem to be the most promising ones to this end. The former, by supporting reasoning about LTL formulae, allows for reasoning about complex, trace-based security properties. The latter reduces the size of the explored state space in the model by only exploring selected orderings of transitions. This technique is particularly efficient when analysing models of parallel computation in which the ordering of two transitions does not matter, and is in this regard promising for the automated analysis of services whose operations may often be independent. POR has already been employed by project members together with symbolic techniques in cryptographic protocol analysis [49]. Our second task will be to integrate the different attacker models that will be developed in WP 3.3 into a unified attacker model against which we will assess the security of a composed service. We have shown that it is possible to perform a modular validation in existing attacker models [99], but this needs to be extended to fit the attacker models that will be defined in WP 3.3.

WP 3.3: Attacker models

We will specify in this subworkpackage some attacker models dedicated to some of the aspects of service communications. These attacker models will come in addition to the standard Dolev-Yao [122] attacker that abstracts from the details of real cryptography (e.g. the factorisation problem).
The modularity result from WP 3.2 will make it possible to glue these attacker models into a unified threat model. In the last few years the Dolev-Yao model has been extended to take into account the properties of low-level primitives (e.g. [110, 118, 166, 50, 97, 93, 100]). These extensions are however insufficient to address the problems we will tackle in this proposal [34]. We list now some of the extensions that will be needed:

- In order to analyse the security of the SOAP-embedded protocol defined by the protection at the level of messages of communications between services, we will have to extend the standard intruder model to take into account the properties of XML nodes in the standard unordered tree model. In particular, we will need to address the fact that the ordering of descendants of a node often does not matter, that a non-conforming node can be ignored or cause a message to be rejected, etc.
- In order to verify message security expressed within common standards such as WS-SecurityPolicy [186], we will extend the deductive power of the attacker with XPath queries into messages.
- In order to take into account the access control mechanisms, and to avoid non-deterministic issuing of requests to a policy enforcement point, we will have to provide a reasoning technique enabling the analysis tool to derive which permissions are available, and at which moment, to the intruder.
- In order to take into account the fact that services often rely on transport protocols enjoying some given security properties (e.g. TLS is often used as a unilaterally or bilaterally authenticated and/or confidential communication channel), we will develop model checking techniques that will support reasoning about communication channels enjoying security-relevant properties, such as authenticity, confidentiality, and resilience.
Given the experience of the consortium on the analysis of security protocols, we believe that all these demanding challenges can be tackled and resolved successfully within this three-year project. This workpackage is central to our proposition, since model checking can only be achieved within domains on which a pertaining intruder model can be defined and with respect to which we can give a decision procedure for the different model-checking problems.
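The standard Dolev-Yao attacker referred to in WP 3.2 and WP 3.3, and the last extension above (channels that carry their own security property, such as a confidential TLS connection), can be made concrete with a small symbolic knowledge closure. The following is an added example written for this page; it is not code from the AVANTSSAR project or from any of its tools. Messages are terms in a free algebra, the attacker abstracts from real cryptography (it decrypts only with the matching key), and every message in a run is tagged with the property of the channel it travels over. The agent names, key names, the credential `cred` and the channel labels `plain` and `confidential` are assumptions of the example.

```python
"""Symbolic (Dolev-Yao style) attacker knowledge closure over channels.

Constructed example: messages are terms in a free algebra, the attacker
abstracts from real cryptography (decryption only with the right key),
and each message travels over a channel with a declared property.  A
confidential channel (e.g. as provided by TLS) keeps the payload out of
the attacker's knowledge; a plain channel hands it over.  Names (cred,
k_session, s, c, i) and channel labels are assumptions of this example.
"""
from typing import FrozenSet, Iterable, List, Tuple, Union

Term = Union[str, tuple]            # atom or ("ctor", args...)


def pair(a: Term, b: Term) -> Term:
    return ("pair", a, b)


def enc(key: Term, msg: Term) -> Term:      # symmetric encryption
    return ("enc", key, msg)


def aenc(pub: Term, msg: Term) -> Term:     # public-key encryption
    return ("aenc", pub, msg)


def pk(agent: str) -> Term:
    return ("pk", agent)


def sk(agent: str) -> Term:
    return ("sk", agent)


def analyse(initial: Iterable[Term]) -> FrozenSet[Term]:
    """Close a knowledge set under the Dolev-Yao analysis rules.

    pair(a, b)             |- a, b
    enc(k, m), k           |- m
    aenc(pk(a), m), sk(a)  |- m
    Composition (pairing, encrypting with known keys) is omitted: in the
    free algebra an atom is derivable iff it is derivable by analysis
    alone, which is all a secrecy check needs.
    """
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue                     # atoms cannot be decomposed
            ctor = t[0]
            new: List[Term] = []
            if ctor == "pair":
                new = [t[1], t[2]]
            elif ctor == "enc" and t[1] in known:
                new = [t[2]]
            elif (ctor == "aenc" and isinstance(t[1], tuple)
                  and t[1][0] == "pk" and sk(t[1][1]) in known):
                new = [t[2]]
            for n in new:
                if n not in known:
                    known.add(n)
                    changed = True
    return frozenset(known)


def observe(run: Iterable[Tuple[str, Term]], initial: Iterable[Term]) -> FrozenSet[Term]:
    """Feed a run of (channel_property, message) events to the attacker.

    "plain" channels leak the message; "confidential" channels do not.
    """
    knowledge = set(initial)
    for channel, msg in run:
        if channel == "plain":
            knowledge.add(msg)
        elif channel != "confidential":
            raise ValueError(f"unknown channel property {channel!r}")
    return analyse(knowledge)


# Constructed exchange: client c sends credential `cred` to service s.
K_SESSION, CRED = "k_session", "cred"
RUN_MESSAGE_LEVEL = [                      # protection inside the message
    ("plain", aenc(pk("s"), K_SESSION)),   # session key under s's public key
    ("plain", enc(K_SESSION, CRED)),       # credential under the session key
]
RUN_TRANSPORT_LEVEL = [("confidential", CRED)]   # protection left to the channel
RUN_UNPROTECTED = [("plain", CRED)]              # neither
BASE_KNOWLEDGE = [pk("s"), pk("c"), sk("i")]     # public keys + attacker's own key


def cred_exposed(run, extra_knowledge: Iterable[Term] = ()) -> bool:
    """Secrecy check: can the attacker derive `cred` after observing `run`?"""
    return CRED in observe(run, list(BASE_KNOWLEDGE) + list(extra_knowledge))
```

The message-level run keeps `cred` secret as long as the service's private key `sk("s")` is outside the attacker's knowledge; adding that key to the initial knowledge (the compromised-key situation the limitations paragraph later sets aside) makes both the session key and the credential derivable. The transport-level run is secure only because the channel is modelled as confidential: the same payload on a plain channel is exposed, which is exactly the distinction the channel extension is meant to capture.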
WP 3.4: Compositional reasoning for services and policies

In general, security properties are not preserved under service composition. For example, when a new service is added to an existing system, new messages appear on the network level. These messages can interfere with already existing services and may allow malicious parties to compromise the security of the system [160, 113]. We will develop compositional reasoning along the lines of [9], in order to (1) enforce the policy of a service at the message level, and (2) ensure that service composition preserves the desired security properties. This includes the development of decomposition techniques for isolating service compositions that need to be analysed as a composed whole. Preliminary results achieved in [9] suggest that it is possible to decompose most services into components that can be feasibly verified by the AVANTSSAR toolset. Decomposition would be performed by static analysis of services, detecting structural message differences between the different services. If such structural differences are detected, compositional theorems can be used. Otherwise, decomposition fails, and the composed services can only be verified as a single system.

WP 3.5: Abstraction techniques for composed services and policies

Abstraction consists in transforming the model to be analysed (a concrete model) into a simpler one (an abstract model) amenable to analysis. This transformation can be defined on the states of the model (data abstraction) or on the relation defining the possible transitions between states of the model (control abstraction), or both. One requires that the transformation must be sound with respect to a class of properties, i.e. a property proved on the transformed model must also hold in the original one.
This requirement implies that the original model must be over-approximated in the sense that every reachable state or trace of the concrete system has a counterpart (modulo an abstraction relation) in the abstract system. Thus, in the worst case, a concrete system may be secure, while we are not able to prove this using its abstraction. We plan to employ data and control abstraction techniques in the following ways:

- Data abstraction: In the analysis of security protocols, data abstraction has been used to verify protocols for an unbounded number of sessions, e.g. [69, 74, 78, 103, 131, 182, 233], mapping the infinite set of fresh data created during the sessions to a finite set, and giving sufficient conditions such that this abstraction is correct [79]. For the analysis of services, we plan to extend this abstraction to model the different possible agents and the large amount of data present in real-world service-oriented architectures. We also plan to abstract some functional properties of services, such as the update of a bank account, when security properties rely on the actual value of some data.
- Control abstraction: Assuming that a state of a transition system consists of a set of predicates that hold in the state, we may consider the set of reachable predicates rather than the set of reachable states (i.e. the set of all predicates that may hold in a reachable state). Similarly, for a trace-based model, one may approximate the set of all possible traces by the set of all events that can occur in a possible trace. This kind of abstraction has been successfully applied in planning, a problem akin to the service synthesis problem, and was also used by most abstract-interpretation-based approaches for protocol verification, e.g. [69, 74, 78, 103, 131, 182, 233]. Notice that our analysis method will abstract the control flow within a component service. We plan in particular to abstract the policy decision and enforcement points, and the certificate requests addressed to them, with rules describing the obtainable certificates.
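The control abstraction just described (tracking the set of predicates that may hold in some reachable state instead of the set of reachable states) and its soundness requirement from the previous paragraph can be seen on a small transition system. The following is an added example written for this page, not code from the AVANTSSAR project: a policy decision point is abstracted, as the last sentence suggests, into rules describing the certificates a client can obtain; an exact breadth-first search gives the concrete reachable states, a fixpoint over predicates gives the abstraction, and the two are compared on two properties, one that the abstraction proves and one where the over-approximation raises a false alarm. The predicate names, rule names and initial state are assumptions of the example.

```python
"""Control abstraction: reachable predicates instead of reachable states.

Constructed example in the spirit of the WP 3.5 discussion.  A state is
the set of predicates that currently hold; rules fire when their guard
holds, adding and removing predicates.  The concrete analysis explores
reachable states exactly; the abstract analysis only tracks the set of
predicates that may ever hold (removals are ignored), which is a sound
over-approximation: anything unreachable in the abstraction is
unreachable concretely, but not vice versa.  Predicate and rule names
are assumptions of this example.
"""
from collections import deque
from typing import Dict, FrozenSet, Set, Tuple

State = FrozenSet[str]
# rule = (guard, added predicates, removed predicates)
Rule = Tuple[FrozenSet[str], FrozenSet[str], FrozenSet[str]]


def rule(guard, add=(), remove=()) -> Rule:
    return frozenset(guard), frozenset(add), frozenset(remove)


# Constructed model of a client interacting with a policy decision point
# that is abstracted into rules describing the obtainable certificates.
RULES: Dict[str, Rule] = {
    # enrolment is a one-shot step: the token is consumed
    "issue_user_cert":  rule(["enrol_token"], add=["cert_user"], remove=["enrol_token"]),
    "open_session":     rule(["cert_user"], add=["session"]),
    "revoke":           rule(["session"], add=["revoked"], remove=["session", "cert_user"]),
    # an admin certificate needs an endorsement no rule ever produces
    "issue_admin_cert": rule(["cert_user", "endorsed"], add=["cert_admin"]),
    "admin_access":     rule(["cert_admin", "session"], add=["admin_accessed"]),
    # a revoked client re-using a session that is still open
    "stale_access":     rule(["session", "revoked"], add=["stale_accessed"]),
}
INITIAL: State = frozenset({"enrol_token"})


def concrete_reachable(rules: Dict[str, Rule], init: State) -> Set[State]:
    """Exact breadth-first exploration of the reachable states."""
    seen = {init}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for guard, add, remove in rules.values():
            if guard <= s:
                nxt = (s - remove) | add
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen


def abstract_reachable(rules: Dict[str, Rule], init: State) -> FrozenSet[str]:
    """Least fixpoint of the predicates that may hold in some reachable state."""
    preds = set(init)
    changed = True
    while changed:
        changed = False
        for guard, add, _removed in rules.values():   # removals are ignored
            if guard <= preds and not add <= preds:
                preds |= add
                changed = True
    return frozenset(preds)


def concretely_unreachable(pred: str) -> bool:
    return all(pred not in s for s in concrete_reachable(RULES, INITIAL))


def abstractly_unreachable(pred: str) -> bool:
    return pred not in abstract_reachable(RULES, INITIAL)


def abstraction_is_sound() -> bool:
    """Every predicate of every concrete state appears in the abstraction."""
    abstract = abstract_reachable(RULES, INITIAL)
    return all(s <= abstract for s in concrete_reachable(RULES, INITIAL))


if __name__ == "__main__":
    for bad in ("admin_accessed", "stale_accessed"):
        print(bad, "abstract:", abstractly_unreachable(bad),
              "concrete:", concretely_unreachable(bad))
```

`admin_accessed` is proved unreachable by the abstraction alone, and soundness guarantees it is unreachable concretely. `stale_accessed` shows the worst case mentioned in the text: because the abstraction forgets that revocation removes `session`, it cannot exclude a revoked client reusing a session, although the exact exploration shows no such state exists.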
About the limitations of our techniques for reasoning about trust and security

Before any assessment, and according to the technical design choices we have made in this project, which is focusing on automation and symbolic validation, we can expect a priori the following application limits as direct consequences of the abstractions that we need to introduce:

Abstraction from functional properties. For some services, the security properties rely on the actual value of some data, such as the update of a bank account. We consider it unfeasible (in fact, it is undecidable anyway) to take all such situations into account for building security wrappers and validating composed services; hence (as mentioned in WP 3.5) we will abstract such cases away.

Assumption on credentials and encryption algorithms. A large part of the trust and security of composed services relies on unforgeable credentials and on encryption algorithms that cannot be broken. In particular, we may assume the existence of properly functioning public-key infrastructures, whenever required by the applications. Although the cryptographic algorithms might be subject to attacks, the only weaknesses in cryptographic algorithms that we will consider in the project are the ones that can be modelled at a symbolic level, using, for instance, equations and abstract deduction rules for simulating the intruder behaviour.

Security properties that are not covered. Electronic commerce services, such as contract-signing protocols, require checking properties like balance or abuse-freeness that are not trace-based (as they need to envisage several executions simultaneously) but rather are more of a game-theoretic nature: a participant should not gain an advantage over the other one when signing the contract. In general, these properties are difficult to verify with automated tools.
But some experiments have been successfully performed using Murphi in [218] and using AVISPA's back-ends OFMC in [141] and SATMC [15] (see also [217]). There is also a possibility to get automated proofs for such properties thanks to recent results in [155] that give a complete verification algorithm for contract signing protocols and game-theoretic properties. The techniques and technologies that we will develop in the project will not address these properties, since they lead to a higher complexity [156] which we believe is not compatible with such a flexible automated tool as the one we envisage.

WP 4: The AVANTSSAR Validation Platform

The role of WP 4 is to integrate the results of WP 2 and WP 3 into the AVANTSSAR Validation Platform (Figure 1), a collection of tools and decision procedures that supports security specification, validation and enforcement in service-oriented architectures. It will be assessed on the problem cases defined in WP 5 and will be disseminated in WP 6, which will also address migration into industrial practice. The core activity of the AVANTSSAR platform is automatic validation, which is implemented through the Trust and Security (TS) Validator module as task WP 4.2. For composition of services under security constraints, we will also design in WP 4.1 a Trust and Security (TS) Orchestrator that includes a function for generating a Trust and Security (TS) Wrapper that can be viewed as a logical-level firewall. The tools in WP 4 are designed to work at the logical level and handle XML syntax as unordered trees. However, the output of these tools will be translated in WP 6 to the application level, helping the designer to cope with application-level trust and security requirements in order to derive a runnable composed service that is provably resistant to the class of security threats given by the attacker model defined in WP 3. The platform (see WP 4.3) will be implemented in such a way that future migration of its underlying technology into industry is possible, either in integrated development environments (such as Eclipse, NetBeans, etc.), or as published services (that can be called at runtime). In particular, special effort will be dedicated to providing the highest possible degree of automation.

WP 4.1: TS Orchestrator

The TS Orchestrator will check the compatibility of security policies of component services in a composition and will perform automatic trust negotiation.
This includes, for instance, finding a way for a Client to provide credentials to a Server, possibly by involving helpful third parties. Then, the TS Orchestrator will implement the techniques of WP 3.1 to generate the request and response message sequences that are needed to collect and check the credentials. Note that for the case of dynamic service composition these communication protocols have to be generated at runtime, and existing trust negotiation systems do not support this runtime synthesis [75, 237, 60, 184, 213, 167]. Since many security mechanisms are implemented using cryptographic techniques, our work will benefit from the experience and the efficient analysis methods for cryptographic protocols that we have already developed in the context of the AVISPA project [30]. The protocols and security tests generated by the TS Orchestrator will form what we call the TS Wrapper of the composed service. This TS Wrapper will be compiled in WP 6 to a dedicated application-level firewall. We now briefly describe the architecture of the TS Orchestrator:

1. In a first negotiation phase, the TS Orchestrator will build compatible security policies (and security associations for services to be composed) selected from the sets of possible ones in each component service. It will rely on the automated reasoning techniques of WP 3.1 in order to check the compatibility of policies of services that are candidates to enter in a composition (for building some targeted service). We will also consider timing constraints in the policies since they might be critical for many applications, e.g. healthcare, certificate validity periods, and the like. This may require an extension of the satisfiability procedures of WP 3.1 (see, for example, [54]).

2. The TS Orchestrator will then apply a synthesis algorithm in order to build on-the-fly the protocols for exchanging the credentials required to comply with the respective policies of the component services.
This subtask will require checking that the security constraints permit at least one successful execution of the composed service. Our protocol synthesis method will rely on WP 3.1 (access control) for building a sequence of access control requests (containing for instance certificate payloads) and associated responses.

3. We will then compute the operations on messages to be performed by the security wrapper and the service to synthesise the response to a request. This will be done at the ASLan message level by implementing advanced equational reasoning techniques [98] for modelling XML data-structure properties from WP 3.1 (synthesis). This raises the problem of defining what messages are acceptable by a given application-level firewall (see WP 3.1, message-level policies). We have already obtained preliminary results on detecting attacks exploiting the ambiguity caused by unordered nodes in XML documents [98] in the attacker model of WP 3.3. These results will have to be extended to richer XPath expressions specifying the nodes to be protected. To specify acceptable messages, we will also investigate generalised tree automata for implementing a logic that counts (for expressing and verifying statements like "this message should contain at most one node of this type") in the context of the static ambient calculus [115] (see WP 3.1).

4. For the cases where the security policies impose structural constraints on the composition (which can often be expressed as obligations), we will implement an extension of the Roman model [58] in the vein of our previous work [90] to perform automatic composition synthesis under such policy constraints. This is an automata-based model, in which transitions are extended to perform credential reassignments: the value of these credentials can be changed by an available service after the execution of an action. Existing satisfiability procedures for this model are highly inefficient, and some restrictions and heuristics will be proposed for feasibility.

Connection with the TS Validator. Once a composed service has been synthesised, the TS Orchestrator provides it to the TS Validator (described in WP 4.2): when the composed service is found to be vulnerable to an attack by the TS Validator, the composed service has to be modified by the TS Orchestrator, e.g. by modifying components or adapting the policies, to prevent the attack.

WP 4.2: TS Validator

Here we will address the validation of (possibly dynamically) composed services generated by the TS Orchestrator: when composing a service from several services, each with its own message-level security policy, we have for instance to ensure that the global execution of a service neither leaks secret data nor permits forgery. The TS Validator will check the resilience of the composed service provided by the orchestrator against the attacker model from WP 3 using the techniques developed in WP 3.2, WP 3.3, and WP 3.5.

Analysis of a Composed Service. We will first translate services and policies into message patterns (and execution flow) as well as into security goals. We will then incrementally enrich the execution context. As a first step, we will analyse an instance of services in isolation, i.e. without interactions from services in the environment, and with security goals, expressed by formulas in ASLan, such as authentication, secrecy, integrity, access control authorisation, and anonymity. As a second step, we will extend the analysis to an unbounded number of services in the environment using the abstraction techniques of WP 3.5. Note that, when adding a service, the TS Orchestrator may break the correctness of other services by exploiting similarities at the message level [113]. Hence, the TS Validator has the challenging task of performing on-the-fly validation of composed services (since they might be dynamically composed). Therefore, we will implement analysis tools to validate on-the-fly composition of services at the message level. While bold, this objective seems achievable given the theoretical results achieved in [9] and the performance of the tools developed during the AVISPA project [30]. In addition to their extension to the richer format of messages employed in service communication, these tools will also have to be extended to check security goals expressed by formulas in ASLan (and also to handle timing constraints).

Implementing Modular Reasoning Techniques. As experience shows, standard model-checking techniques do not scale well to the complexity of Web Services composition. In order to reduce the complexity of on-the-fly validation, we shall rely on state-of-the-art security analysis techniques inherited from the AVISPA project and on new efficient reasoning techniques developed in WP 3. We will therefore use some of the abstraction techniques of WP 3.5, namely abstraction of control, to obtain models that are feasible for automated analysis. We will also consider techniques to reason modularly on the structure of a composed service in order to reduce the global security requirement of the composed service to the analysis of individual component services in a specific security context. In particular, we will exploit disjointness and typing properties of the signatures of the policies and their underlying cryptographic messages to ensure the absence of feature interactions as described in WP 3. Also, we will automatically exploit reductions of the state space, when this is possible, by the use of channel abstractions.

WP 4.3: Platform Integration

The three main tools to be built as described above will be packaged for integration into a single platform. For that purpose, we will design a service-oriented architecture, and will develop our AVANTSSAR platform as an orchestration of the various components, and therefore also validate this orchestration using the validation platform itself. From the TS Orchestrator (WP 4.1), we will automatically derive an abstract Security Wrapper for a composed service CS in ASLan. This wrapper will be automatically translated, see WP 6, into an application-level firewall tailored for monitoring communication with service CS, extending the capabilities of current application-level firewalls (e.g. [80, 138]).

About the platform limitations

Like in most other aspects of human life, there is no perfect security. If we tried to attain total security the cost would be enormous, in terms of money, effort, flexibility, and functionality. The many approaches an attacker may choose in a real-world situation to disrupt the functionality of a system, to gain access to secrets or privileges, to deceive an adversary, to build up trust and abuse his position later, to fool a registration authority, etc., are so versatile that it is impossible to predict or prevent them all. Our validation privileges give us confidence that the verified systems are indeed secure at a certain level of abstraction (or, we could say: design) and under a set of assumptions about the environment (including correct human behaviour, correct cryptography, correct implementations, no side-channel attacks, etc.). We review here the main limitations of the Validation Platform.

First of all, as discussed at the end of WP 3, we have application limits as consequences of the abstractions that we need to introduce to strive for automation and symbolic validation:

Vulnerabilities due to functional properties that were not modelled: Some functionality, both at the level of design or implementation, although not meant to be security relevant, may contain software code that later on is discovered to be a security flaw and exploited. For instance, some protocols or programs react differently when presented with a syntactically valid input than when presented with garbage. While this may be perfectly reasonable under the environment initially considered, this feature may be used in special cases by an attacker as an oracle to determine correct passwords or keys. In other cases, the output of a program depends implicitly on confidential data, and thus monitoring the output could perhaps release information about the confidential data.

Cryptographic attacks: Depending on the type of cryptography used, there are possibilities of breaking the algorithms or implementations on which the applications rely. Examples are: chosen-message attack,

birthday attack, brute-force attack, chosen-ciphertext attack, chosen-plaintext attack, cryptanalysis, differential cryptanalysis, small subgroup confinement attack, timing attacks, and many others.

Attacks on Credentials: There are many attacks in this category: passwords are usually vulnerable to dictionary attacks, smartcards are vulnerable to side-channel attacks.

Attacks on further security properties, not in our scope: As discussed at the end of WP 3, we do not consider for instance special contract-signing properties and others. Another case are attacks against availability (Denial of Service), which deserve a more detailed discussion.

Denial-of-Service (DoS) Attacks: The business process design needs good guarantees for service availability. However, there are many ways an attacker can make a system unavailable or at least greatly reduce its performance. These types of attack are very hard to prevent, because the behaviour of whole networks needs to be analysed, not only that of a small number of modules or services. There is no general DoS attacker model: new, unknown types of DoS attacks can appear at any time. Distributed denial of service (DDoS) attacks are very common. A brute-force method for DDoS is to use a botnet, a large collection of compromised hosts, to flood a system with service requests, for instance. Non-brute-force attacks on Web Services can be performed by sending malicious requests that may cause memory consumption or CPU overloading. Such attacks can be classified in 3 categories according to [137]: (1) attacks that do not respect message syntax, (2) attacks that do not respect message sequencing, and (3) attacks that respect both message syntax and sequencing (these attacks are rather based on oversized payloads, for example). The TS Wrappers that will be generated by the AVANTSSAR Platform will aim at preventing attacks in the first two categories, although we will also aim at tackling some attacks in the third category by introducing timing constraints in the policies, as mentioned in WP 4.1. Note that, again according to [137], protection technologies for denial-of-service attacks at the level of service composition have not been developed yet.

Second, there is a large collection of attacks that are out of the scope of AVANTSSAR, simply because they are not visible at the level of abstraction that we are modelling:

Phishing and other Social Engineering-based Attacks: The attackers obtain sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an e-mail, instant messaging contact, or even surface mail or telephone calls, directing users to give their details.

Backdoors: A backdoor is a piece of code, in an installed program or in a (modified) low-level program and/or hardware device, that bypasses the normal authentication or authorisation mechanisms. A backdoor login system can have a hard-coded user and password combination. Somebody who knows how to run the backdoor is not subject to the installed security measures.

Trojans, Viruses, Worms, etc.: This class of attacks is rather well known. Trojans may run malicious code while pretending to do something else. A virus propagates itself by inserting its code into other computer files, attaching itself to an existing program. A worm also replicates itself, but without seriously harming the targeted computers; it usually consumes network bandwidth.

Human Error, including Implementation Errors and Administration, Handling or Organisational Errors: Human error is by far the most common cause of computer insecurity. Even well-designed, secure computer systems are vulnerable if the people responsible for their operation are unaware, careless, negligent or deceived by an attacker. Software flaws, for instance buffer overflows, are often exploited to gain control of a computer, or to cause it to operate in an unexpected manner.

Indirect Attacks: The intruder first acquires control of one or several other computers and uses them to attack the targeted system.

Direct Access Attacks: If the attacker can access the physical system he wants to compromise, he may perhaps install his own software (for instance a keystroke logging monitor) or hardware (for instance a hardware key logger). He may read the memory or the disks, bypassing the operating system security services by booting another operating system from a CD drive. He may even install a camera to record the activities of the authorised user.

Third, there are several attacks that are out of our scope due to their intrinsic complexity. The problem here is not one or several services, but the structure and architecture of current web applications as such, allowing computers to run untrusted code:

Injection attacks: Injection flaws, particularly SQL and XML injection, are common in web applications, and are mentioned in the OWASP Top 10 of most common web application security vulnerabilities (see http: // ). For instance, a web application that uses XPath to query an XML document can be fed tricky input, exploiting ambiguity in parsing, that will lead the query interpreter into executing unintended commands or changing data. In the AVANTSSAR project, we will work under the hypothesis that query and message parsing are unambiguous. To our knowledge, there are no automatic tools to prevent such attacks. However, for specific cases, we will aim at investigating the possibility of automated detection of some of them (similar to the way we capture typing errors in security protocols using the AVISPA Tool).

Cross-Scripting Attacks: An attacker gets control of a user's browser in order to execute a malicious script (usually HTML/JavaScript code) within the context of trust of a web application's site.

The limitations we have just listed are of different relevance in practice. Many attacks we observe on today's systems are denial of service attacks, attacks that exploit flaws of the implementation, such as buffer overflows or scripting attacks, and social engineering attacks, while few attacks are known that exploit weaknesses in cryptographic algorithms. Therefore, from a practical security point of view, our abstraction of cryptographic primitives is the least important limitation. The limitations in detecting low-level implementation-based attacks like buffer overflows also appear to be of minor relevance, since such problems can be prevented by different implementation disciplines. A similar argument can be made about the problem of social engineering attacks, which simply requires different measures than formal validation of services. Thus, the aspect of denial of service is the only limitation of our approach that is of large practical relevance and that cannot be so easily ruled out by simple means.
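As an added example (not part of the AVANTSSAR proposal and not the project's code), the following Python sketch shows how a TS-Wrapper-style logical-level firewall could enforce the two message-level checks discussed above: counting constraints over an XML message viewed as an unordered tree ("at most one node of this type", WP 4.1) and message sequencing, which correspond to the first two DoS categories of [137], plus a simple payload bound for the third. The policies, message names and size bound are all constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Hypothetical message-level policy (constructed for this example): for each
# element name, the maximum number of occurrences allowed anywhere in the
# message, counted over the XML document viewed as an unordered tree.
COUNT_POLICY = {"Credential": 1, "Signature": 1, "Body": 1}

# Hypothetical sequencing policy (constructed): a finite automaton over
# message types (root element names).  state -> {message type: next state}
SEQUENCE_POLICY = {
    "start": {"CredentialRequest": "awaiting_credential"},
    "awaiting_credential": {"Credential": "authorised"},
    "authorised": {"ServiceRequest": "authorised"},
}

# Constructed bound used for the third category (oversized payloads).
MAX_PAYLOAD_BYTES = 4096


def count_nodes(xml_text):
    """Count element names over the whole tree, ignoring order and depth.

    Two messages that differ only in the order of sibling nodes get the same
    counts, which is the unordered-tree view taken at the logical level.
    """
    root = ET.fromstring(xml_text)
    return Counter(elem.tag for elem in root.iter())


def syntax_violations(xml_text, policy=COUNT_POLICY):
    """Return [(tag, found, limit)] for every counting constraint violated."""
    counts = count_nodes(xml_text)
    return [(tag, counts[tag], limit)
            for tag, limit in policy.items() if counts[tag] > limit]


class SessionWrapper:
    """Logical-level firewall for one session: enforces the payload bound,
    message syntax (counting constraints) and message sequencing."""

    def __init__(self):
        self.state = "start"

    def accept(self, xml_text):
        """Return 'accept' or 'reject:<reason>'; the session state advances
        only for accepted messages, so a rejected message cannot desynchronise
        the protocol."""
        if len(xml_text.encode("utf-8")) > MAX_PAYLOAD_BYTES:
            return "reject:oversized"          # category (3)
        try:
            violations = syntax_violations(xml_text)
            msg_type = ET.fromstring(xml_text).tag
        except ET.ParseError:
            return "reject:malformed"          # category (1): not well-formed
        if violations:
            return "reject:syntax"             # category (1): policy violated
        next_state = SEQUENCE_POLICY.get(self.state, {}).get(msg_type)
        if next_state is None:
            return "reject:sequence"           # category (2)
        self.state = next_state
        return "accept"


# Constructed sample session: credential exchange followed by service use.
SAMPLE_MESSAGES = [
    "<CredentialRequest/>",
    "<Credential><Token>abc</Token></Credential",             # not well-formed
    # a second, nested Credential node: ambiguous which one a server would read
    "<Credential><Token>abc</Token><Credential><Token>xyz</Token>"
    "</Credential></Credential>",
    "<Credential><Token>abc</Token></Credential>",
    "<ServiceRequest><Body>getRecord</Body></ServiceRequest>",
    "<CredentialRequest/>",                                    # out of order
    "<ServiceRequest><Body>" + "x" * 5000 + "</Body></ServiceRequest>",
]


def run_demo(messages=SAMPLE_MESSAGES):
    """Feed the sample session through one wrapper and collect the decisions."""
    wrapper = SessionWrapper()
    return [wrapper.accept(m) for m in messages]


if __name__ == "__main__":
    for msg, decision in zip(SAMPLE_MESSAGES, run_demo()):
        print(f"{decision:18} {msg[:60]}")
```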

WP 5: Proof of concept

The role of WP 5 is to select and formalise a broad spectrum of industry-relevant problem cases as ASLan specifications and then to validate these specifications using the AVANTSSAR Validation Platform. This proof-of-concept approach will provide a benchmark on which we will employ and evaluate the concepts, methodologies, techniques, and tools developed in WP 2, WP 3, and WP 4. With respect to Figure 1, the current workpackage bridges between the application level and the logical level, providing input to the AVANTSSAR Validation Platform as well as feedback on the practical suitability of all of its components. We will guide and assess the development of the AVANTSSAR Validation Platform with a number of challenging problem cases emerging from a variety of real-world application scenarios based on the service-oriented paradigm and selected from the areas of interest of the industrial partners. We believe that finding, describing, formalising, and verifying a large variety of challenging proof-of-concept problem cases drawn from different contexts is the key factor in evaluating our approach. Therefore, we will invest a considerable effort in this workpackage, building up a highly relevant benchmark test suite which we call the AVANTSSAR Library of validated SOA problem cases, as will be described below. A detailed list of application scenarios and related candidate problem cases from the areas of e-business, e-government, and e-health is presented in Appendix B. Procedurally, in this workpackage our industrial partners will identify and define those problem cases that are most relevant for their practical use (see WP 5.1), and then formally specify (see WP 5.2) and validate (see WP 5.3) them using the concepts, techniques and tools resulting from the other workpackages, providing fruitful feedback for their development. This will result in the production of the AVANTSSAR Library of validated SOA problem cases. Last but not least, we will exploit this library to evaluate and assess the AVANTSSAR approach (see WP 5.4).

WP 5.1: Definition of the relevant problem cases

During the project lifetime, we will investigate in detail the security requirements and constraints of the different scenarios in order to select the most relevant problem cases, with the purpose of finding a wide set of applications that ensures the maximal coverage of our tool and at the same time covers a range of requirements and complexity that is representative of the security needs of European society and industry. Also, we will choose our problem cases taking into consideration the ongoing evolution of the application fields and the needs of our industrial partners, which may evolve over time. This may result in some alterations to the preliminary set of scenarios described and extensions of the problem cases presented in Appendix B. During the selection process, we will collect detailed descriptions of the problem cases, complete them and disambiguate them as far as required, and present them in a coherent way. This includes choosing an appropriate level of detail vs. abstraction. We need to specify the security-relevant functionality of the services, as well as the application-level requirements and the corresponding user scenarios. The result of this process is a collection of problem cases. This activity will be done incrementally, closely coupled with the progress in the preceding workpackages. Thus, the first level will be to handle atomic services with static policies, the second level will add statically composed services, and the third level will also include runtime service composition and dynamic policies.
Work in WP 5.1 will take advantage of the application domain knowledge and of the close links to standardisation bodies available within our consortium, in particular through the industrial partners.

WP 5.2: Formalisation of the problem cases

The next step is to formalise each problem case chosen, including its security requirements, applying the concepts and description formalisms developed in WP 2. This will also give in-depth insight into the details of the description techniques actually needed in practice, and thus provide important feedback to that workpackage. The security requirements may be given at different abstraction levels: there are general, rather abstract requirements (such as "anonymity") and more concrete requirements that are constrained by the concrete scenario of the problem case (such as a particular level of pseudonymity or a requirement about which entities may have access to certain information). In formalising the problem cases, we will need to perform a certain amount of abstraction and simplification, which will probably be necessary to deal with the limitations of our approach (say, due to the complexity of policies that the tools will be able to handle) or because certain functionality of the services not related to security will be outside the scope of our analysis. This functionality may be non-security related (e.g., correctly searching for the requested patient in a database), and in this case we assume that this functionality may be abstracted to a simple (correct) action, without considering the actual implementation of this functionality. Such an implementation may turn out to cause security breaches itself (e.g. buffer overflows, information flow issues, etc.); these types of security issues cannot be addressed with our approach, of course. The functionality may also be security-related, but at a different layer than the one that we are addressing (e.g. cryptographic mechanisms, physical security of smart cards, or administrative controls). Again, a side-channel attack on a trusted chip may render the whole system insecure, but we will not address these issues. The usual experience when formalising (or also when implementing) a service or system is that the specification is not complete or not as precise as actually needed.
Often, parts of the informal specification are presented in a language that is not readily translatable to a formal specification. We expect that in many cases there will be a need to discuss the services (including the related requirements) with their developers, in order to properly interpret the intended meaning of the (proposed) implementations or standards. These discussions are conducted in continuation of the process initiated in WP 5.1.

WP 5.3: Validation of the problem cases

The final step towards the AVANTSSAR Library of validated SOA problem cases will be to validate the validation problems (i.e., the problem cases properly formalised in ASLan) using the tools developed in WP 4. This will give crucial feedback on the usability, effectiveness, and efficiency of the tools developed there. Usually, there will be several iteration loops between formalisation and validation, since after an initial formalisation it may turn out either that the tools are not (yet) strong enough to handle all required properties, or that the output of the tools indicates that some of the properties do not hold. This may be due to a lack of precision in the specification or a misunderstanding in the formalisation, leading to a new loop in the validation process. However, if the tool output indicates a real security deficiency present in the design of the service, this will provide invaluable feedback to designers and implementors in industry and standardisation bodies.

WP 5.4: Assessment

The assessment of the AVANTSSAR validation platform against the validation problems will provide valuable feedback for the design of our modelling language ASLan developed in WP 2 and for the improvement of the reasoning techniques developed and automated in WP 3 and WP 4. In particular, we will explicitly assess the coverage and efficiency of both our modelling language and tools:

Coverage: for each problem case formalised, we will state clearly the limitations we experienced during modelling and verification, and which assumptions have been made in order to enable automated validation.

Efficiency: it will be assessed on the individual complexity of the selected problem cases. The main criterion is the degree of simplification brought by the techniques developed in WP 3. Given the prospective and bold nature of our proposal, we do not include CPU time and memory performance in our current assessment criteria, even though we will consider and improve these points whenever possible.

Besides the quality-of-analysis assessment, we will measure the AVANTSSAR results according to the following success criteria, as also described in Section B1.1.

At least 15 problem cases shall be selected and described, covering all application scenarios.

At least 12 problem cases shall be formalised in ASLan, which is the success criterion for WP 2.

At least 10 problem cases shall be formally validated, which is the success criterion for WP 3.

At least 10 problem cases shall be validated in an automated manner, which is the success criterion for WP 4.

Approach to scalability issues in the case studies

We have discussed a number of limitations of the AVANTSSAR Validation Platform to analyse certain aspects of services, such as resistance against denial of service attacks, that we are not going to address. In the analysis of services, limitations in the size parameters of the validation problems are also to be expected, for instance in the number of sessions, entities or resources for which the automated validation can be achieved with reasonable resources. Such bounds are in fact limitations that are often faced in automated validation: although one cannot validate that the design is correct for any value of the size parameter (e.g. for any number of sessions), the validation for a bounded size significantly increases the confidence in the design. As we develop the tools, we will be able to cope with larger portions of the case studies.

Initially, we only want to be able to express non-composed policies and the functionality and the properties of atomic services. Some of our use cases may be atomic services. On the other hand, all our case studies have such atomic components, but it is a non-trivial modelling effort to find (or define) those components together with the properties and policies that will be relevant when composing the service later. It is often clear what the properties of the whole system should be (say, from a user perspective) and what the resulting global policy should be (say, who is allowed to do what), but not the properties (say, assumptions or commitments) of the single pieces of the system. Then, we would use the tools to verify that the atomic services with their policies offer the properties that are claimed. In a next phase of our tools, we will describe and validate statically composed services, including the results of the composition of their policies. Some use cases aim only at this stage, as discussed below. At the end we will be able to tackle dynamic service composition, where some aspects of policy negotiation may be included.

In the case of the Banking Services application scenario, we expect to focus on the following atomic services: authentication and authorisation services, non-repudiation services, archive and logging services, services enforcing separation-of-duty constraints and others establishing secure communication channels, etc. These services and their composition (in order to accomplish more complex security requirements, e.g., accurate audit trails using non-repudiation, logging, authentication and authorisation services) will be validated mainly from a static point of view. Dynamic validation will be experimented with only in a second stage and on a few examples originating from scenario extensions.
For instance, we can easily imagine a scenario extension in which a personal financial advisor service is provided by a financial credit institution to dynamically select, from a dynamic set of different banks (all making available a loan origination process service), the best loan offer for a customer. Last but not least, another scalability dimension, of interest for both the static and dynamic validations, concerns the number of concurrent banking services (e.g., the number of loan origination processes running in parallel) we will be able to validate. Not surprisingly, this cannot be estimated at this early stage.

In the case of Software Distribution Services, although a decomposition of the services into atomic services has not been defined yet, we envision that the following would be atomic services: signing components, secure repository services, re-signing services, bootstrapping services (for keys), and archive and logging services. A large part of the case studies related to Software Distribution Services are statically composed. For instance, the following case is a static situation of composed services: there is a small number of software suppliers, one system manufacturer and a small set of machine owners where the software is to run. Each of the entities runs a signing service and the corresponding keys are known by all or by a certificate authority. Each owner has a service to bootstrap the keys and certificate in his machine and has logging and archive facilities. Some examples of dynamically composed Software Distribution Services appear when the set of software suppliers is not known in advance and the set of end customers (machine owners, where the software is to run) is open to negotiation. Then, some negotiation on policies seems to be necessary.

In the case of Identity Mixer, the basic protocols can be regarded as atomic services, namely issuing a credential, proving the possession of a credential, and de-anonymisation.

In the case of Citizen Portals, it is very unclear what the atomic services will be. Most likely there will be an authentication service, a secure-tunnel connection set-up, and a mail service, but it is not decided whether these services are atomic or composed. A large portion of the services in Citizen Portals are static, due to the necessary trust relationships that must be in place.
For that reason, Citizen Portals do not initially offer dynamically composed services.

In the case studies related to Document Exchange Procedures, the Signature and Proof Solution, OpenTrust SPI, is based on

1. sets of web services for signature, validation and proof management operations,

2. sets of optional trusted third party connectors (e.g., Certificate Authorities, External Stamping or Archiving services) and, most important of all,

3. web services contracts, profiles and policies (hashing, signature, stamping, ciphering, storage, archiving, etc.).

We envision that SPI simple signature and ciphering methods, for example, are atomic services with either simple or composed policies, SPI advanced methods with proof life cycle management are composed services with either simple or composed policies, and, depending on the SPI services contract (including a set of profiles and policies) and depending also on the API calling parameters, any SPI service could be a static service (simple contract and static parameters) or a dynamic one (advanced contract with composed profiles/policies and full use of dynamic parameters). For scalability, we will start by modelling and validating SPI simple methods in static mode and then SPI advanced methods in static mode, and after that we will progressively build some intermediate test cases with the use of dynamic parameters and composed profiles/policies.

Among the atomic services of the German e-health telematics infrastructure are the VPN gateway, the signature service, the encryption and decryption service and the authentication and anonymisation services. Currently, the only static services of the German e-health telematics infrastructure whose specifications are sufficiently detailed for our purposes are the prescription service and the electronic medication service. In the current versions, there are no dynamic services foreseen for the e-health telematics infrastructure, but this might change as the infrastructure is rolled out and new services are added.

In the case of the Patient Monitoring scenario, we will investigate similar atomic services and their composition, with particular focus on those concerning non-repudiation. This application scenario will also present interesting dynamic aspects. For instance, standard authentication services might fail to capture the heterogeneity of actors and of possible situations that can arise in this scenario, which call for more flexible authentication services. One of these could offer a doctor the possibility to authenticate himself using any of the multitude of authentication factors at his disposal, so that if the doctor forgets his authentication badge, he can use another, dynamically discovered authentication service to authenticate himself for the purpose of taking care of the patient's request.

WP 6: Dissemination and Industry migration

This workpackage is dedicated to the dissemination and migration of the project results into the scientific community, industry and standardisation bodies. Other forms of exploitation are not expected at this early stage, but will be promptly communicated if any arise.

Dissemination. In order to coordinate the dissemination of the project results through appropriate channels and in appropriate forums, we will organise the project workshops and the preparation of presentations and reports, and coordinate the dissemination of scientific publications. This sub-workpackage will also maintain the AVANTSSAR Website, which will contain all results, standards and tools, as far as they are publicly available. Moreover, in combination with the project meetings, we will also organise annual Project Workshops to disseminate results among the project partners and the European Commission. We will also invite researchers, scientists and users from academia, from standardisation bodies (e.g., OASIS or W3C), and from industry to attend the workshops in the second half of the project, and in particular the final workshop. Researchers from the different project partners are attending, or will attend, meetings of organisations like OASIS, IETF, ARINC, or W3C, and we also plan to present the results of our project at these meetings. We will organise the efforts of all partners in preparing the presentation of, and reporting on, the main project results, which will illustrate the methods and tools developed, and highlight their applications at the European level. In order to reach a wide academic and industrial audience, all project partners will aim to publish project results in international journals, conferences, and symposia.

Industry migration. There is a gap between advanced formal methods (FM) techniques and their real exploitation within industry and standardisation committees. A variety of practical and cultural reasons lead the industrial world to perceive FM approaches as expensive in terms of time and effort in comparison to the benefits they can provide, and as difficult to integrate within industrial processes. Without these perceived obstacles, the use of FM within industry would clearly be an advantage and would promote a safer and more secure programming environment. One clear obstacle is the lack of automated FM verification technology: standard development environments do not include mathematical validation features. The introduction of such a feature as a push-button technology, as AVANTSSAR intends to provide, would be strongly welcomed by industrial developers and designers, and in particular by standardization bodies, which could then check the correctness of proposed solutions more rapidly. Another problem is the gap between the problem case that needs to be solved in industry and the abstract specification provided by formal methods: in order to provide specifications that can be verified or used in any other form for practical purposes, current FM approaches tend to construct only rather small models that abstract away many important details, describing only a layer or a part of the solution. Last but not least, FM languages and models are usually quite different from those used in industrial design and development environments (e.g., UML, Java, ABAP), making the integration of formal methods more involved than strictly necessary. The industry migration activity provides a means to expedite the transfer of the project results into the development process of the industrial partners of the consortium, but also of the industrial European community in general. This includes in particular the standardization organisations, which on the one hand are mostly driven by industry and on the other hand strongly influence the future of industrial development.

WP 2, WP 3, WP 4 and WP 5 provide techniques and application examples for specifying and verifying complex policy-driven, dynamically orchestrated, aggregated or layered systems. Afterwards, industry migration in WP 6 focuses on making those methodologies and technologies accessible to, and readily exploitable by, industry developers and designers. With respect to Figure 1, this amounts to migrating the research outcomes of the logical level into the application level.

Procedurally, industry migration is executed on two parallel paths, i.e., migration to industrial development environments (see WP 6.2) and migration to standardization committees (see WP 6.3). The first path will consume about 80% of the industry migration effort.

WP 6.1: Dissemination. This sub-workpackage coordinates the dissemination of the results by (i) maintaining the AVANTSSAR website and AVANTSSAR software package, (ii) organising the project workshops, and (iii) coordinating the dissemination of scientific publications.

WP 6.2: Migration to industrial development environments. This sub-workpackage focuses on the migration of the AVANTSSAR research results to industrial development environments (e.g., Eclipse, NetBeans). Industrial Suited Specification Languages will be devised (probably in the form of UML-like, model-driven languages), equipped with easy-to-use GUIs and translators to and from ASLan, and migrated to the selected development environments. Similarly, industrial instances of the AVANTSSAR Validation Platform will be implemented and migrated as well. The resulting industrial development environments, enhanced with the migrated features, will be thoroughly assessed against the security and trust problem cases collected in WP 5.

WP 6.3: Migration to standardisation bodies. In the second migration path, migration into standardisation bodies, the results of AVANTSSAR will be brought to standardization. This may take the form of AVANTSSAR problem cases, e.g., secured services, protocols or interfaces that have been successfully validated through the AVANTSSAR Validation Platform, being proposed for standardization (candidates are for instance XACML, WS-Trust, WS-SecureConversation, and WS-Policy). Alternatively, this migration can amount to proposing to the standardization committees an Industrial Suited Specification Language, which will probably consist of extensions to standardised languages (perhaps via an XML namespace) to include the AVANTSSAR-specific policies needed to integrate Web Services with our tools (see B3.1). The migration to standardisation bodies requires a certain level of maturity of the AVANTSSAR results, and this is why this sub-workpackage is expected to run only for the last year of the project.

Workpackage descriptions (WP tables)

Work package number: 1
Start date or starting event: month 1
Work package title: Project Management
Activity type: MGT
Beneficiary short names: UNIVR, ETH Zurich, INRIA, UPS-IRIT, UGDIST, IBM, OpenTrust, IEAT, SAP, SIEMENS
PMs per beneficiary:
WP leader:

Objectives
Project management, coordination, and administration.

Description of work
This workpackage describes the general administrative responsibilities and tasks for coordinating the project, including the project meetings and the management of deliverables and milestones.

WP 1.1: Project coordination. The project coordination will be carried out by the partner UNIVR, with Prof. Luca Viganò acting as Scientific Coordinator (SC) and Financial and Administrative Coordinator (FAC) of the project. The SC/FAC will chair the Project Coordination Committee (PCC), which will address high-level management and financial issues, and consists of the Site Leaders (i.e. the scientific and/or administrative coordinators of the different project partners). The SC/FAC will coordinate the communication between the project partners and the European Commission, and coordinate tasks and optimise synergistic interaction between the project partners. To this end, the SC/FAC will manage both a common distributed repository of the project code and documentation (using the concurrent version-management tool SVN), and the AVANTSSAR Website, which will also be used for the dissemination of the project results to the scientific community and industry (in collaboration with WP 6, which will actually carry out the maintenance of the AVANTSSAR Website). The coordination task will also include guidelines for deliverables, presentation standards, deadlines, information flow, dissemination, and reporting. This will allow the SC to (i) consolidate the project planning, (ii) manage the input of the project partners on the different WPs, (iii) supervise the evolving project results at each milestone, (iv) supervise the assessment and evaluation of the results, and (v) assemble and control the project reports and deliverables. The SC will be supported in this task by the PCC and by the different Workpackage Leaders, who will be responsible for the detailed coordination, planning, monitoring, realisation and reporting of the respective workpackages and for the detailed coordination of tasks between the different workpackages.

WP 1.2: Project meetings. General project meetings, attended by all consortium partners, will take place every 6 months. More specifically, in addition to two annual project review meetings and a final review meeting, there will be one project meeting per year, attended by all site leaders and representatives of all project sites, in order to synchronise and assess the results. There will also be additional meetings and bilateral visits, which will be arranged as needed. We will organise three project workshops, possibly in combination with the meetings; the last of these workshops will be an open one, possibly as part of the ARSPA (Automated Reasoning for Security Protocol Analysis) workshop series that originated during the AVISPA project (more details on the workshop series and the associated journal special issues are available online). The following is a preliminary timetable for the project meetings:
Month 1: Kick-off meeting.
Month 6: First synchronisation and assessment meeting.
Month 12: First review meeting.
Month 18: Second synchronisation and assessment meeting.
Month 24: Second review meeting.
Month 30: Third synchronisation and assessment meeting.
Month 36: Final review meeting.

WP 1.3: Project administration. The SC/FAC of UNIVR will coordinate, with the support of the PCC, the financial and bureaucratic administration of the project, managing in particular the cost statements, the budgetary overviews, the budget for the management task, etc.

Role and technical activities of the beneficiaries
The Project Coordination Committee (PCC) will consist of all the Site Leaders (i.e. the scientific and/or administrative coordinators of the different project partners), and will address all project high-level management and financial issues.
UNIVR will carry out the scientific and financial/administrative project coordination and management. The SC/FAC will chair the PCC, coordinate the communication with the Commission and the Project Officer, and organise the project meetings and workshops. UNIVR will also manage and coordinate the AVANTSSAR Website and the repository of the source code of the AVANTSSAR Validation Platform, with the support of UGDIST.
UGDIST will provide information requested by the SC/FAC, will contribute to the common distributed repository and AVANTSSAR Website by providing content and will participate in the project meetings; UGDIST will also support UNIVR in managing and coordinating the repository of the source code of the AVANTSSAR Validation Platform.
ETH Zurich, INRIA, UPS-IRIT, IBM, OpenTrust, IEAT, SAP, SIEMENS will provide information requested by the SC/FAC, will contribute to the common distributed repository and AVANTSSAR Website by providing content and will participate in the project meetings.

Deliverables
Del. no.  Deliverable name                          Lead beneficiary  Estimated indicative PMs  Nature  Dissemination level  Delivery date (project month)
D1.1      Project Presentation                      UNIVR             1                         R       PU                   3
D1.2      Basic Dissemination and Use Plan          UNIVR             2                         R       PU                   6
D1.3      Progress/Assessment Report for Year 1     UNIVR             1                         R       PU                   12
D1.4      Progress/Assessment Report for Year 2     UNIVR             1                         R       PU                   24
D1.5      Final Project Report                      UNIVR             2                         R       PU                   36
D1.6      Final Dissemination and Use Plan          UNIVR             2                         R       PU                   36
D1.7      Technology Implementation Plan            SAP               2                         R       PU                   36

The person months missing from the estimated indicative PMs are those that are not directly linked to deliverables but are devoted to continuous management and administration activities.

Milestones (decision points)
MS1: Basic Dissemination and Use Plan, and Trust and security requirements of problem cases. Lead beneficiary: UNIVR. Delivery date: month 6 (first synchronization meeting).
MS2: ASLan v.1, Attacker models and reasoning techniques, Platform architecture, and Assessment 1. Lead beneficiary: ETH Zurich. Delivery date: month 12 (first review meeting).
MS4: Reasoning techniques for ASLan v.2 specifications, Platform prototype, Assessment v.2, ASLan for industry. Lead beneficiary: UPS-IRIT. Delivery date: month 24 (second review meeting).
MS6: Final assessment, Migration to industry and standardisation organisations, Final Dissemination and Use Plan, and Technology Implementation plan. Lead beneficiary: UNIVR. Delivery date: month 36 (third review meeting).

Work package number: 2
Start date or starting event: month 1
Work package title: Modelling trust and security aspects of service-oriented architectures
Activity type: RTD
Beneficiary short names: UNIVR, ETH Zurich, INRIA, UPS-IRIT, UGDIST, IBM, OpenTrust, IEAT, SAP, SIEMENS
PMs per beneficiary:
WP leader:

Objectives
Identification of the modelling concepts needed to describe the trust and security-related aspects of service-oriented architectures, and definition of the AVANTSSAR modelling language (called ASLan), to be used for automated reasoning and validation in WP 3 and WP 4.

Description of work
This workpackage covers the development of the ASLan language, the common modelling language for the AVANTSSAR platform. The work will start by taking into account the trust and security problem cases in WP 5 derived from service-oriented application scenarios and identifying the key concepts needed in their modelling. Next, the development itself, consisting in defining the syntax and semantics of the language, will proceed in several iterations. It will gradually include the language features needed to model atomic services and policies, their static composition as well as dynamic composition at run-time. This stepwise extension and refinement of the language will make key features available in time for developing the corresponding automated reasoning techniques in WP 3, implementing them in WP 4 and modelling the problem cases in WP 5. Feedback from modelling will drive the necessary revisions to the language features.

WP 2.1: Initial version of the ASLan language for atomic services and policies. This task includes defining and modelling the basic building blocks of service functionality, such as security protocols, identity providers, time stamping, credentials, access control evaluation and enforcement, digital signature verification, encryption, etc., as well as the security aspects captured by policies, their explicit representation in terms of policy objects, and the specification of policy assertions.

WP 2.2: Extended version of the ASLan language for static composition. This task will define the language elements needed to specify relations and dependencies between services and policies, specifically those needed for their composition, in terms of basic elements such as channels, principals, identities, and message passing, in a way that will allow for subsequent formal reasoning in the composition calculus of WP 3.

WP 2.3: Final version of the ASLan language, with support for dynamic run-time composition. This task will define support for modelling and specifying dynamic aspects of both services and policies, providing the necessary concepts to model the evolution of systems and their environments.

Role and technical activities of the beneficiaries
UNIVR will focus on developing methodologies for modelling the dynamics of trust relationships and service and access control policies.
ETH Zurich will lead the design and development of the ASLan language. ETH Zurich will focus on developing the main concepts and formal semantics of the language.
INRIA will participate in the definition of the semantics of the ASLan language, focusing on features to be supported by automated analysis.
UPS-IRIT will participate in the definition of ASLan, focusing on service and access control policies.
UGDIST will participate in the definition of ASLan, focusing on features to be supported by automated analysis.
IBM will participate in the definition of ASLan, with the focus on the formal semantics of the language and its relation to automated analysis.
OpenTrust will participate in the definition of ASLan, focusing on service and access control policies and automated analysis.
IEAT will participate in the definition of ASLan, focusing on its formal semantics and features for composition.
SAP will participate in the definition of ASLan, as provider of requirements for modelling and with focus on the ASLan usability from the point of view of the non-expert end-user, the formal semantics of the language, and its relation to the user perspective of the semantics.
SIEMENS will participate in the definition of ASLan, with focus on the usability from the point of view of the non-expert end-user, the formal semantics of the language, and its relation to the user perspective of the semantics.

Deliverables
Del. no.  Deliverable name                                                   Lead beneficiary  Estimated indicative PMs  Nature  Dissemination level  Delivery date (project month)
D2.1      Requirements for modelling and ASLan v.1                           ETH Zurich        41                        R       PU                   12
D2.2      ASLan v.2 with static service and policy composition               ETH Zurich        29                        R       PU                   18
D2.3      ASLan final version with dynamic service and policy composition    ETH Zurich        29                        R       PU                   30

Milestones (decision points)
MS2: ASLan v.1, Attacker models and reasoning techniques, Platform architecture, and Assessment 1. Lead beneficiary: ETH Zurich. Delivery date: month 12 (first review meeting).
MS3: ASLan v.2 (statically composed services and policies), Validator and Orchestrator prototypes, and First formalisation of problem cases. Lead beneficiary: UGDIST. Delivery date: month 18 (second synchronization meeting).
MS5: ASLan final version, Decidability results, Formalised problem cases, and AVANTSSAR in industry. Lead beneficiary: SAP. Delivery date: month 30 (third synchronization meeting).
MS6: Final assessment, Migration to industry and standardisation organisations, Final Dissemination and Use Plan, and Technology Implementation plan. Lead beneficiary: UNIVR. Delivery date: month 36 (third review meeting).

Work package number: 3
Start date or starting event: month 1
Work package title: Automated reasoning techniques
Activity type: RTD
Beneficiary short names: UNIVR, ETH Zurich, INRIA, UPS-IRIT, UGDIST, IBM, OpenTrust, IEAT, SAP, SIEMENS
PMs per beneficiary:
WP leader:

Objectives
Development of reasoning techniques and of theoretical results that will be implemented in WP 4 in the AVANTSSAR Validation Platform. These techniques will focus on the logics and models defined within the ASLan language developed in WP 2.

Description of work
WP 3.1: Satisfiability of ASLan policies. To achieve this, we will tackle the following tasks:
- Discovery of security associations between compatible services: we will provide a procedure to solve the policy compatibility problems that services impose on their communications.
- Decision procedure for the reachability of a resource: given an access control system specified in ASLan, our goal here will be to provide procedures deciding if a resource is accessible to an agent having a given set of credentials, and a procedure that returns minimal sets of credentials needed to access a resource. We will synthesise from a solution an effective communication scheme permitting the agent to access the resource. We assume here that certificate-granting services will not impose constraints on the execution of other certificate-granting services.
- Synthesis of a composed service from requirements: we will formulate a procedure that yields a composed service satisfying structural constraints on the workflow, namely the forbidden and the mandatory operations to execute.
- Executability of a negotiated message format: we will provide a procedure that elaborates on the two previous ones to synthesise a sequence of operations on messages received and sent by a service. The existence of such a sequence will guarantee the executability of a policy negotiated at runtime.

WP 3.2: Model-checking of ASLan services with respect to policies. To achieve this, we will tackle the following tasks:
- Development of partial-order reduction techniques to reduce the search space associated with our validation problems.
- Integration of attacker models: we will provide a way to integrate different attacker models by giving a modularity result on the analysis of services. We believe that current combination results will not be sufficient, since the incorporation of XPath constraints on messages and the associated rewriting operations imply a significant change in the usual notion of attacker deductions.

WP 3.3: Attacker models. To achieve this, we will tackle the following tasks:
- XML and XPath properties: we will provide a decision procedure for the analysis of services when the messages exchanged are in the XML format (as is usual for Web Services) and when XPath queries are permitted to constrain the contents of messages.
- Extension of attacker deduction systems to access control: we will extend attacker deductions to formalise the fact that the attacker can employ credentials to access a protected resource. This implies, among other things, a parameterisation of the deductions of the attacker by the access control system.

WP 3.4: Compositional reasoning for services and policies. We will devise techniques to reason modularly on the composed services. These techniques will have to be extended to accommodate the enrichment of security goals in the ASLan specification of security policies.

WP 3.5: Abstraction techniques for composed services and policies. To achieve this, we will tackle the following tasks:
- Data abstraction techniques for large-scale systems: we will investigate ways to build finite models of large infrastructures such as databases in order to apply model-checking techniques.
- Application of control abstraction techniques to accelerate model-checking: we will investigate ways to abstract complex services. We will focus on sound (but maybe incomplete) abstractions.
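As an added illustration of the WP 3.1 resource-reachability task (example code written for this page, not AVANTSSAR's own procedure or ASLan tooling): a small decision procedure over a constructed, hypothetical rule-based credential policy that decides whether a resource is reachable from a credential set, returns the inclusion-minimal credential sets, and extracts the order in which credentials must be obtained. It relies on the same assumption the text states, namely that granting rules are monotone (obtaining one credential never blocks obtaining another), which is what makes the fixpoint computation a decision procedure.

```python
"""Added example for this page, not AVANTSSAR project code: a toy decision
procedure for the resource-reachability question of WP 3.1 over a constructed
rule-based credential policy."""
from itertools import combinations
from typing import FrozenSet, List, Optional, Set, Tuple

# A rule grants one credential (or a resource permission) to an agent that
# already holds every credential in the premise.  Rules are monotone: holding
# more credentials never disables a rule, which mirrors the text's assumption
# that certificate-granting services do not constrain one another.
Rule = Tuple[FrozenSet[str], str]

# Constructed policy (hypothetical names) in the spirit of the e-health
# scenario: a badge, or an OTP token plus hospital id, yields the doctor role;
# a doctor with patient consent, or an administrator, may open the record.
POLICY: List[Rule] = [
    (frozenset({"badge"}), "role:doctor"),
    (frozenset({"otp_token", "hospital_id"}), "role:doctor"),
    (frozenset({"role:doctor", "consent"}), "access:patient_record"),
    (frozenset({"role:admin"}), "access:patient_record"),
]

# Base credentials an agent can present directly (constructed).
CANDIDATES: FrozenSet[str] = frozenset(
    {"badge", "otp_token", "hospital_id", "consent", "role:admin"}
)


def derive(creds: Set[str], policy: List[Rule]) -> Tuple[Set[str], List[str]]:
    """Forward-chain the rules to a fixpoint.

    Returns everything derivable from `creds` together with the order in
    which the derived credentials were obtained (the communication scheme
    an agent would follow with the issuing services).
    """
    known: Set[str] = set(creds)
    order: List[str] = []
    changed = True
    while changed:
        changed = False
        for premise, conclusion in policy:
            if conclusion not in known and premise <= known:
                known.add(conclusion)
                order.append(conclusion)
                changed = True
    return known, order


def reachable(creds: Set[str], resource: str, policy: List[Rule]) -> bool:
    """Decide whether an agent holding `creds` can reach `resource`."""
    return resource in derive(creds, policy)[0]


def plan(creds: Set[str], resource: str, policy: List[Rule]) -> Optional[List[str]]:
    """Credentials to obtain, in order, to reach `resource`; None if unreachable."""
    known, order = derive(creds, policy)
    if resource not in known:
        return None
    return order[: order.index(resource) + 1]


def minimal_credential_sets(
    resource: str, candidates: FrozenSet[str], policy: List[Rule]
) -> List[FrozenSet[str]]:
    """All inclusion-minimal subsets of `candidates` from which `resource` is reachable.

    Subsets are enumerated by increasing size, so any subset that contains
    an already-found solution is skipped as non-minimal.
    """
    found: List[FrozenSet[str]] = []
    for size in range(len(candidates) + 1):
        for subset in combinations(sorted(candidates), size):
            s = frozenset(subset)
            if any(m <= s for m in found):
                continue
            if reachable(set(s), resource, policy):
                found.append(s)
    return found


if __name__ == "__main__":
    target = "access:patient_record"
    print(reachable({"badge", "consent"}, target, POLICY))  # True
    print(plan({"badge", "consent"}, target, POLICY))  # ['role:doctor', 'access:patient_record']
    for creds in minimal_credential_sets(target, CANDIDATES, POLICY):
        print(sorted(creds))
```

The minimal-set enumeration is exponential in the number of candidate credentials, which is acceptable for a policy of this size but is exactly where the decision procedures planned in WP 3.1 need to do better.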

Role and technical activities of the beneficiaries
UNIVR will work on devising automated reasoning techniques for dynamic trust negotiation, for different attacker models and channels, and for the simplification of models for composed services and policies.
ETH Zurich will focus on designing compositional reasoning methods that enable the decomposition of composed services into parts that can be verified independently of one another. Conversely, related transformations will be developed that enable the safe composition of services.
INRIA will work on designing a decision procedure for the reachability of a resource and the executability of the negotiated policy; on deriving modularity results for the analysis of composed services with respect to different attackers; and on the analysis of services when messages have XML format and access control is modelled as well.
UPS-IRIT will focus on providing decision procedures for trust negotiation and for the resolution of structural constraints.
UGDIST will develop an LTL bounded model-checking technique for service-oriented architectures that will support reasoning about security policies and communication channels enjoying a variety of security-relevant properties.
IBM: this workpackage is the central one for IBM. The focus is on the integration of abstraction techniques and compositional reasoning into the automated validation and on the extension of intruder models with the features required for reasoning about services.
OpenTrust has a very minor role in the WP and will participate in key meetings and project follow-up.
IEAT will focus on compositional analysis techniques and assume-guarantee rules for composed services.
SAP will contribute to the specification of different attacker models and to the LTL model-checking technique for service-oriented architectures that will be developed by UGDIST.
SIEMENS has a minor role in this WP, concentrating on the understandability of the compositional reasoning constructs from the user point of view.

Deliverables
Del. no.  Deliverable name                                                               Lead beneficiary  Estimated indicative PMs  Nature  Dissemination level  Delivery date (project month)
D3.1      Decision procedures for service synthesis and satisfiability of ASLan policies  UPS-IRIT          76                        R       PU                   30
D3.2      Model-checking techniques                                                      UPS-IRIT          28                        R       PU                   32
D3.3      Attacker models                                                                INRIA             20                        R       PU                   12
D3.4      Abstraction and compositional reasoning techniques for service analysis        INRIA             30                        R       PU                   34

Milestones (decision points)
MS2: ASLan v.1, Attacker models and reasoning techniques, Platform architecture, and Assessment 1. Lead beneficiary: ETH Zurich. Delivery date: month 12 (first review meeting).
MS4: Reasoning techniques for ASLan v.2 specifications, Platform prototype, Assessment v.2, ASLan for industry. Lead beneficiary: UPS-IRIT. Delivery date: month 24 (second review meeting).
MS5: ASLan final version, Decidability results, Formalised problem cases, and AVANTSSAR in industry. Lead beneficiary: SAP. Delivery date: month 30 (third synchronization meeting).
MS6: Final assessment, Migration to industry and standardisation organisations, Final Dissemination and Use Plan, and Technology Implementation plan. Lead beneficiary: UNIVR. Delivery date: month 36 (third review meeting).

Work package number: 4
Start date or starting event: month 6
Work package title: The AVANTSSAR Validation Platform
Activity type: RTD
Beneficiary short names: UNIVR, ETH Zurich, INRIA, UPS-IRIT, UGDIST, IBM, OpenTrust, IEAT, SAP, SIEMENS
PMs per beneficiary:
WP leader:

Objectives
Integration of the results of WP 2 and WP 3 into the AVANTSSAR Platform, a collection of tools to be matched against the problem cases defined in WP 5.

Description of work
The objective of this workpackage is to provide tool support for the reasoning techniques derived from WP 2 and WP 3 with the so-called AVANTSSAR Platform, that is, an automatic composition and security analysis platform for Web Services and their security policies. While this platform will allow users to decide whether some elementary or composed service/policy is secure or not, its ultimate goal is to automatically compose services in such a way that the resulting service is secure (if such a composition exists), and to provide a validated security wrapper protecting the resulting service. To achieve this goal, the workpackage is broken down into the following sub-workpackages/subtasks.

WP 4.1: The TS Orchestrator. We will design a TS Orchestrator capable of checking the compatibility of security policies and composing security associations at run-time. More precisely, this orchestrator will first build compatible security policies (relying on automated reasoning to check compatibility), possibly taking into account timing constraints (e.g. validity periods for certificates). Then, the orchestrator will automatically build the protocols for exchanging the credentials required by the service policies. These protocols will be checked for executability with respect to the particularities of XML message exchanges (e.g. associativity and commutativity of nodes).

WP 4.2: The TS Validator. We will then check the resilience of the composed services against a powerful attacker. This will include techniques to (i) analyse static security policies, incrementally enriched with generic security goals expressed by formulas in ASLan and with a model of the environment allowing an unbounded number of services (using abstractions); (ii) reduce the impact on the analysis of an excessive number, and large size, of messages by using closure or over-approximation of sensitive information, or by reasoning modularly on the structure of composed services; and (iii) dynamically validate security services by offering a separate validating service to be called by other services at run-time, thus securing groups of services whose composition is unpredictable.

WP 4.3: Platform integration. We will combine the two main tools, plus secondary tools, into an integrated platform to obtain the AVANTSSAR Validation Platform.

Role and technical activities of the beneficiaries
UNIVR will contribute to the development of the TS Orchestrator and TS Validator by implementing the different automated reasoning techniques formalised in WP 3.
ETH Zurich will focus on integrating the compositional reasoning methods developed in WP 3 into the TS Validator.
INRIA will focus on developing a tool for automatically building protocols to exchange credentials; this procedure lies in the kernel of the TS Orchestrator. INRIA will also work on the TS Validator, especially by contributing to the implementation of abstractions for an unbounded number of services, to modular reasoning techniques, and to the run-time validation service.
UPS-IRIT will focus on developing a tool for trust negotiation and automated service synthesis. This tool will eventually be part of the TS Orchestrator.
UGDIST will lead the design and the development of the AVANTSSAR Validation Platform. This will encompass the coordination of all the key activities of the workpackage, including the identification of the requirements, the definition of the interfaces, testing as well as performance assessment of the component tools. Moreover, UGDIST will also contribute to the development of the TS Orchestrator and of the TS Validator by implementing an LTL bounded model-checking technique for service-oriented architectures that will support reasoning about security policies and communication channels enjoying a variety of security-relevant properties.
IBM will contribute to the TS Validator, implementing and integrating the foundational work from WP 3.
OpenTrust has a very minor role in the WP, providing requirements and feedback.
IEAT will contribute to the implementation of compositional reasoning techniques and model-checking algorithms for the TS Validator.
SAP will contribute to the design and development of the AVANTSSAR Validation Platform. This is a critical task in which SAP needs to be significantly involved in order to succeed in migrating the platform to its industrial development environment.
SIEMENS has a very minor role in the WP, providing requirements and feedback.

Deliverables
Del. no.  Deliverable name                       Lead beneficiary  Estimated indicative PMs  Nature  Dissemination level  Delivery date (project month)
D4.1      AVANTSSAR Validation Platform v.1      UGDIST            60                        R&P     PU                   24
D4.2      AVANTSSAR Validation Platform v.2      UGDIST            50                        R&P     PU                   36

Deliverables D4.1 and D4.2 are of type R&P as they will describe the development and prototypical implementation of the AVANTSSAR Validation Platform. Deliverable D4.1 will include a TS Orchestrator automatically building the protocols for exchanging credentials and a TS Validator checking the resilience of composed services against an active attacker (where we recall that TS stands for "Trust and Security"). In Deliverable D4.2, the TS Orchestrator will handle run-time composition and the TS Validator will handle an unbounded number of services, modular analysis, and dynamic validation.

Milestones (decision points)
MS2: ASLan v.1, Attacker models and reasoning techniques, Platform architecture, and Assessment 1. Lead beneficiary: ETH Zurich. Delivery date: month 12 (first review meeting).
MS3: ASLan v.2 (statically composed services and policies), Validator and Orchestrator prototypes, and First formalisation of problem cases. Lead beneficiary: UGDIST. Delivery date: month 18 (second synchronization meeting).
MS4: Reasoning techniques for ASLan v.2 specifications, Platform prototype, Assessment v.2, ASLan for industry. Lead beneficiary: UPS-IRIT. Delivery date: month 24 (second review meeting).
MS6: Final assessment, Migration to industry and standardisation organisations, Final Dissemination and Use Plan, and Technology Implementation plan. Lead beneficiary: UNIVR. Delivery date: month 36 (third review meeting).

Work package number: 5
Start date or starting event: month 1
Work package title: Proof of concept
Activity type: RTD
Beneficiary number / Beneficiary short name / PMs per beneficiary: UNIVR, ETH Zurich, INRIA, UPS-IRIT, UGDIST, IBM, OpenTrust, IEAT, SAP, SIEMENS
WP leader:

Objectives

To define and formalise a set of industrial problem cases, against which the models, techniques, and tools developed in WP 2, WP 3, and WP 4 will be assessed. This includes producing the AVANTSSAR Library, a set of formalised and validated secure services and service architectures, providing proof of concept that the developed technology scales to the envisaged applications.

Description of work

The work on the problem cases will be done incrementally, according to their relevance for the industrial partners and closely following the progress in the preceding workpackages.

WP 5.1: Definition of the relevant problem cases

We investigate the security requirements and constraints of the different scenarios in order to select the most relevant problem cases. We will collect detailed informal descriptions, complete and disambiguate them, focussing on the security-relevant aspects, and present them in a semi-formal, but coherent way. The result shall be a collection of precisely described problem cases for the formalisation in WP 5.2. The problem cases come from the following three classes:

1. Atomic services with static policies
2. Statically composed services with static policies
3. Runtime service composition and dynamic policies.

WP 5.2: Formalisation of the problem cases

We formalise each of the chosen problem cases in the ASLan language developed in WP 2 and according to the concepts developed in WP 3. This includes the precise documentation of abstractions and simplifications that were made during the formalisation, as well as insights and practical experience gained during the formalisation process. This documentation will provide valuable feedback to the designers of the models and methods of WP 2 and WP 3. Also, this may require further clarification of the semi-formal descriptions provided by WP 5.1, and we will discuss any remaining ambiguities with the developers of the services and designs. WP 5.2 will result in the AVANTSSAR Library, consisting of a set of formally defined SOA problem cases.

WP 5.3: Validation of the problem cases

We validate each of the problem cases of the AVANTSSAR Library with the tools that we develop in WP 4. Again, this will give valuable feedback on the usability, effectiveness, and efficiency of the tools developed there. We expect several iteration loops between formalisation and validation. This may be due to mistakes in the formalisation, requiring the validation steps to be repeated after corrections. Also, we will clearly document our feedback to the designers and implementors in industry and standardisation bodies. The result will be the validation, or the identification of weaknesses, for each of the problem cases in the AVANTSSAR Library.

WP 5.4: Assessment

We assess the AVANTSSAR validation framework and tools against the problem cases in terms of coverage and efficiency of all tools. This will provide valuable feedback for the design of our modelling language ASLan developed in WP 2 and for the improvement of the reasoning techniques developed in WP 3 and WP 4. We will document precisely the limitations of the formal models and languages and the assumptions necessary to enable automated validation, and the improvements in performance resulting from the techniques developed in WP 3 for modular analysis of services.

Role and technical activities of the beneficiaries

UNIVR will provide support to industrial partners in formalising and validating their problem cases, and will manage the set-up and maintenance of the AVANTSSAR Library.

ETH Zurich will provide support to industrial partners in formalising and validating their problem cases. In particular, ETH Zurich will collect feedback from the case studies to facilitate the development of the ASLan language from WP 2, as well as the compositional reasoning methods from WP 3.

INRIA will provide support to industrial partners in formalising and validating their problem cases; feedback from the case studies will help tuning and possibly improving the procedures developed in WP 3 and WP 4.

UPS-IRIT will provide support to industrial partners in formalising and validating their problem cases; feedback from the case studies will help tuning and possibly improving the procedures developed in WP 3 and WP 4.

UGDIST will provide support to industrial partners in formalising and validating their problem cases. We expect in particular to contribute to the formalisation and validation of the Loan Origination Process and of the Single Sign On case studies described in Appendix B.

IBM will provide support to other industrial project partners in formalising and validating their problem cases. Moreover, IBM will perform the formalisation and analysis of the identity mixer problem case.

OpenTrust will participate in the definition and in the formalisation of problem cases (based on the experience reported by its customers) and will contribute to tuning and possibly improving the procedures developed in the previous workpackages.

IEAT will provide support in formalising and validating problem cases of industrial partners. Moreover, it will formalise and validate a public domain case study, most likely related to grid security.

SAP will lead the proof of concept workpackage. This will encompass the coordination of all the key activities of the workpackage, including the selection, definition and formalisation of a set of industrial problem cases, the delivery of the AVANTSSAR Library (i.e., a set of formalised and validated secure services and service architectures), and the three project assessment phases. Moreover, SAP will perform the formalisation and analysis of the problem cases emerging from the Banking Services and Patient Monitoring application scenarios, as well as provide support to other industrial project partners in formalising and validating their problem cases.

SIEMENS will perform the formalisation and analysis of the problem cases related to SW Distribution Services, E-Government Citizen Portals, and the Health Telematics Infrastructure for the German e-health card, as well as provide support to other industrial project partners or standardisation organisations in formalising and validating their problem cases.

Deliverables

Del. no. | Deliverable name | Lead beneficiary | Estimated indicative PMs | Nature | Dissemination level | Delivery date (project month)
D5.1 | Problem cases and their trust and security requirements | SAP | 16 | R | PU | 6
D5.2 | Formalised problem cases | SAP | 51 | R&O | RE | 30
D5.3 | AVANTSSAR Library of validated problem cases | SAP | 30 | R&O | RE | 36
D5.4 | Assessment of the AVANTSSAR Validation Platform | SAP | 12 | R | PU | 36

Deliverables D5.2 and D5.3 are of type R&O as they will comprise reports as well as specifications.

Milestones (decision points)

Milestone no. | Milestone name | Lead beneficiary | Delivery date
MS1 | Basic Dissemination and Use Plan, and Trust and security requirements of problem cases | UNIVR | month 6 (first synchronization meeting)
MS3 | ASLan v.2 (statically composed services and policies), Validator and Orchestrator prototypes, and First formalisation of problem cases | UGDIST | month 18 (second synchronization meeting)
MS4 | Reasoning techniques for ASLan v.2 specifications, Platform prototype, Assessment v.2, ASLan for industry | UPS-IRIT | month 24 (second review meeting)
MS5 | ASLan final version, Decidability results, Formalised problem cases, and AVANTSSAR in industry | SAP | month 30 (third synchronization meeting)
MS6 | Final assessment, Migration to industry and standardisation organisations, Final Dissemination and Use Plan, and Technology Implementation plan | UNIVR | month 36 (third review meeting)

Work package number: 6
Start date or starting event: month 1
Work package title: Dissemination and industry migration
Activity type: RTD
Beneficiary number / Beneficiary short name / PMs per beneficiary: UNIVR, ETH Zurich, INRIA, UPS-IRIT, UGDIST, IBM, OpenTrust, IEAT, SAP, SIEMENS
WP leader:

Objectives

To disseminate and migrate the project results into the scientific community, industry, and standardisation bodies.

Description of work

This will be achieved by carrying out the following sub-workpackages.

WP 6.1: Dissemination. Dissemination includes the creation and maintenance of the project website, the organisation of Project Workshops (combined with the project meetings), and scientific publications.

WP 6.2: Migration to industrial development environments. This sub-workpackage focuses on migrating the concepts, methods, and techniques resulting from WP 2, WP 3, and WP 4 to real-world industrial development environments, using the problem cases of WP 5 as common means for assessment. This is a major activity of the workpackage and will be performed according to the following plan:

1. a selection of the industrial partners engages its research divisions to interact with its development units in order to understand their methodologies and needs regarding both (i) specification languages and modelling artifacts, and (ii) integration of the AVANTSSAR Validation Platform;
2. industrially-suited specification languages (ISSL) emerge on top of ASLan (as developed in WP 2), taking into account the requirements elicited from the industrial partners in the previous phase;
3. industrial prototypical instances of the AVANTSSAR Validation Platform are constructed based on the prototype developed in WP 4, considering the requirements elicited in the first phase;
4. the development environments of the selected industrial partners are reproduced within the perimeter of the corresponding research labs as experimental prototype environments, on which the research divisions test, tune, and assess the ISSLs and the industrial prototype instances of the AVANTSSAR Validation Platform against the security and trust problems collected in WP 5.

Since each industrial partner has its own development environment, constraints, know-how, and internal review teams, each partner may execute parts of the above phases autonomously. Therefore, each partner may come up with its own separate migration strategy, and some of the results of this workpackage will be owned by the respective industrial partner only. Even then, technical reports on lessons learned and best practices will be made available to facilitate the migration of AVANTSSAR beyond the project boundaries.

WP 6.3: Migration to standardisation bodies. Around 20% of the industry migration effort will be dedicated to this second path. Two alternative directions are foreseen for migrating the project results to standardisation bodies. The first one amounts to proposing to standardisation bodies individual secured services (or the interfaces to such services) that will emerge as solutions to our case studies (e.g., XACML, WS-Trust, WS-SecureConversation, and WS-Policy). The second one is that an ISSL, devised on top of ASLan and taking into account the requirements elicited from the industrial partners interacting with their development units and with standardisation bodies, is proposed for standardisation. This sub-workpackage will run only for the last year of the project, so as to approach the standardisation committees with mature project achievements.

Role and technical activities of the beneficiaries

UNIVR will lead the dissemination sub-workpackage WP 6.1. This encompasses the coordination of all the key activities of the sub-workpackage, including the creation and maintenance of the project website and of forums, the organisation of project workshops and project meetings, and the collection of the project's scientific publications. Moreover, UNIVR will contribute to dissemination by delivering scientific publications, by presenting the results of the project in scientific events, and by representing the project consortium in general dissemination forums, such as standardisation organisation meetings.

ETH Zurich will contribute to dissemination by delivering scientific publications and by presenting the results of the project in scientific events.

INRIA will mainly contribute to dissemination by delivering scientific publications and by participating in workshops.

UPS-IRIT will mainly contribute to dissemination by delivering scientific publications and by presenting the results of the project in scientific events.

UGDIST will contribute to dissemination by delivering scientific publications and by presenting the results of the project in scientific events.

IBM will contribute to dissemination by scientific publications and presentations in scientific events. Moreover, IBM will investigate whether the AVANTSSAR platform can be integrated into the deployment process of new services and architectures at IBM.

OpenTrust will contribute to migration by applying the methodology and tools developed within the project to one of the OpenTrust products, in order to investigate whether the AVANTSSAR platform can be integrated into its development process.

IEAT will contribute to dissemination by scientific publications and by presentations in workshops and other scientific events.

SAP will lead this workpackage, supported by UNIVR and SIEMENS. More specifically, SAP will coordinate all the key activities of WP 6.2 (i.e., migration to industrial development environments). Moreover, SAP will be the main contributor in WP 6.2, where it will migrate the concepts, methods, and techniques resulting from the other workpackages to its industrial development environment, using the problem cases emerging from its application scenarios as common means for assessment. Last but not least, SAP will contribute to the dissemination activity by delivering scientific publications and presenting the results of the project in scientific events.

SIEMENS will lead the migration to standardisation bodies sub-workpackage WP 6.3. This encompasses the coordination of all the key activities of the sub-workpackage. Moreover, SIEMENS will contribute to dissemination by delivering scientific publications and by presenting the results of the project in scientific events and to standardisation organisations.

Deliverables

Del. no. | Deliverable name | Lead beneficiary | Estimated indicative PMs | Nature | Dissemination level | Delivery date (project month)
D6.1 | AVANTSSAR Website and Package | UNIVR | 6 | O | PU | 1, 36
D6.2.1 | State-of-the-art on specification languages for service-oriented architectures | SAP | 6 | R | PU | 6
D6.2.2 | Industrial language requirements | SAP | 20 | R | RE | 12
D6.2.3 | Migration to industrial development environments: lessons learned and best practices | SAP | 49 | R | PU | 36
D6.3 | Migration to standardisation bodies | SIEMENS | 15 | R | PU | 36

Deliverable D6.1 is of type O as it will comprise the activation and maintenance of the AVANTSSAR Website and the publication of the package of the AVANTSSAR Platform.

Milestones (decision points)

Milestone no. | Milestone name | Lead beneficiary | Delivery date
MS1 | Basic Dissemination and Use Plan, and Trust and security requirements of problem cases | UNIVR | month 6 (first synchronization meeting)
MS5 | ASLan final version, Decidability results, Formalised problem cases, and AVANTSSAR in industry | SAP | month 30 (third synchronization meeting)
MS6 | Final assessment, Migration to industry and standardisation organisations, Final Dissemination and Use Plan, and Technology Implementation plan | UNIVR | month 36 (third review meeting)

Table 4, Project Effort Form 1, summarises the indicative staff efforts in person months per beneficiary per workpackage. Table 5, Project Effort Form 2, summarises the indicative efforts per activity type per beneficiary. The workpackage leader for each WP is indicated by showing the relevant PM figure in bold face font contained in a box.

Table 4: Project Effort Form 1: Indicative efforts per beneficiary per WP

Columns: Beneficiary number | Beneficiary short name | WP1 | WP2 | WP3 | WP4 | WP5 | WP6 | TOTAL per Beneficiary
Rows: 1 UNIVR; 2 ETH Zurich; 3 INRIA; 4 UPS-IRIT; 5 UGDIST; 6 IBM; 7 OPENTRUST; 8 IEAT; 9 SAP; 10 SIEMENS; Total
(The PM figures of this table are not present in this text version.)

Table 5: Project Effort Form 2: Indicative efforts per activity type per beneficiary

Columns: ACTIVITY TYPE | UNIVR | ETH Zurich | INRIA | UPS-IRIT | UGDIST | IBM | OpenTrust | IEAT | SAP | SIEMENS | TOTAL ACTIVITIES
Rows: RTD/Innovation activities (WP 2, WP 3, WP 4, WP 5, WP 6); Total research; Demonstration activities; Total demonstration; Consortium management activities (WP 1); Total management; Other activities; Total other; TOTAL BENEFICIARIES
(The PM figures of this table are not present in this text version.)

Table 6 shows the 6 major milestones of the project, which provide its major decision points, and which are synchronised with the 6 project meetings.

Table 6: List of project milestones (and decision points)

Milestone no. | Milestone name | WPs nos. | Lead beneficiary | Delivery date
MS1 | Basic Dissemination and Use Plan, and Trust and security requirements of problem cases | 1, 5, 6 | UNIVR | month 6 (first synchronization meeting)
MS2 | ASLan v.1, Attacker models and reasoning techniques, Platform architecture, and Assessment 1 | 1, 2, 3, 4 | ETH Zurich | month 12 (first review meeting)
MS3 | ASLan v.2 (statically composed services and policies), Validator and Orchestrator prototypes, and First formalisation of problem cases | 2, 4, 5 | UGDIST | month 18 (second synchronization meeting)
MS4 | Reasoning techniques for ASLan v.2 specifications, Platform prototype, Assessment v.2, ASLan for industry | 1, 3, 4, 5 | UPS-IRIT | month 24 (second review meeting)
MS5 | ASLan final version, Decidability results, Formalised problem cases, and AVANTSSAR in industry | 2, 3, 5, 6 | SAP | month 30 (third synchronization meeting)
MS6 | Final assessment, Migration to industry and standardisation organisations, Final Dissemination and Use Plan, and Technology Implementation plan | 1, 2, 3, 4, 5, 6 | UNIVR | month 36 (third review meeting)

Graphical presentation of the components showing their interdependencies

A PERT chart representing the logical dependencies between the workpackages is given in Figure 5.

[Figure 5: PERT chart of the AVANTSSAR project. Nodes: WP1 Project Management (start month 1, end month 36); WP2 Modelling TS of SOA (start 1, end 30); WP3 Automated Reasoning Techniques (start 1, end 34); WP4 Validation Platform (start 6, end 36); WP5 Proof of Concept (start 1, end 36); WP6 Dissemination & Industry Migration (start 1, end 36). The edges carry start-to-start (SS) and finish-to-finish (FF) dependencies with lags of a few months between the workpackages.]

B2 Implementation

B2.1 Management structure and procedures

Management and the creation of an efficient organisation are obviously important for the success of the project. The objectives of project management are the following:

1. meeting the objectives of the project within the agreed budget and time-frame,
2. co-ordinating project activities and ensuring effective internal communication,
3. carrying out risk management as well as quality control of the work carried out and of the deliverables produced,
4. providing adequate information to governing and decision making bodies to resolve problems or conflict situations,
5. ensuring project compliance with EC rules, and
6. setting up an organisation to support the above objectives.

Workpackage WP 1 will be devoted to the management of the project. This workpackage describes general administrative responsibilities and tasks for coordinating this project, including the project meetings, as well as the management of the reports, deliverables and milestones.

Operational, decision-making and advisory bodies

The project management and coordination will be carried out by UNIVR, which will act as the central node in the project, chairing and moderating the project meetings, assembling and controlling the deliverables, and supervising the evolving project results at each milestone as well as the assessment results. The Scientific Coordinator (SC), Prof. Luca Viganò, has considerable research management experience. He was a senior member of the research groups of Prof. David Basin at the ETH Zurich in Switzerland (Jan Oct. 2006) and the University of Freiburg in Germany (Sep Dec. 2002). Basin and Viganò co-led a number of EC, international and national projects on the development and application of automated formal methods to problem areas in computer security; in particular:

The 30-month FET Open Project IST , AVISPA: Automated Validation of Internet Security Protocols and Applications, which has been carried out by the partners INRIA, ETH Zurich, SIEMENS, and UGDIST. More information is available at [30] and org/.

The 12-month FET Open Assessment Project IST , AVISS: Automated Verification of Infinite State Systems, which was carried out by the partners INRIA, the University of Freiburg and UGDIST (cf. [30]).

He will be assisted in this task by the other key staff members of UNIVR and by the new scientific personnel that will be appointed in the context of the AVANTSSAR project, as well as by the administrative office of the Department of Computer Science of the University of Verona and the Institutional and Legal Affairs, Research and International Relations office of that same university. The SC will chair the Project Coordination Committee (PCC), which will address high-level management and financial issues and consists of the Site Leaders (i.e. the coordinators of the different project partners). The PCC will also supervise and validate the writing of the Dissemination and Use Plan, of the Yearly Progress Reports, of the Final Management Report (which will be included in the Final Project Report), and of the Technology and Implementation Plan, which will also be part of the dissemination in WP 6. With the support of the PCC, the SC will also devise a project-internal project management plan. In particular, the SC will

coordinate the communication flow between the project partners and the European Commission, and coordinate tasks and optimise synergistic interaction between the project partners. To this end, the SC will manage both a common distributed repository of the project code and documentation (using the concurrent version-management tool SVN) and the AVANTSSAR Website, which will also be used for the dissemination of the project results to the scientific community and industry (see WP 6). The project management plan will guide the coordination task and will also include guidelines for deliverables, presentation standards, deadlines, information flow, dissemination and reporting, as well as quality assurance measures. This will allow the SC and PCC to consolidate the project planning, manage the input of the project partners on the different WPs, supervise the evolving project results at each milestone, supervise the assessment and evaluation of the results, manage project risks, control changes in the workplan and take executive decisions (e.g. re-distributing resources), resolve possible conflicts, and assemble and control the project reports and deliverables.

With the support of the PCC, the different Workpackage (WP) Leaders will be responsible for the detailed coordination, planning, monitoring, realisation and reporting of the respective workpackages, and for the detailed coordination of tasks between the different workpackages. In the unlikely case of a conflict or dispute, the members of the PCC will vote on the issue, with the SC's vote counting twice in the case of a tie.

Project management will aim to keep the project on target in a way that the individual task objectives and the overall project objectives can be best achieved. Given the relatively small size of our consortium and, most importantly, the past history of successful collaboration between all partners (in several European, international, and national projects), we expect that project management will be effective and unproblematic. In addition to the use of a common on-line repository, e-mail, telephone, and video-conference will be the means for effective communication within the consortium.

Project administration

The Financial and Administrative Coordinator (FAC) will also be Prof. Luca Viganò. He will be supported by the administrative staff of UNIVR, which has extensive experience with the financial and administrative coordination of European Community projects. Each project partner will be responsible for carrying out its planned contribution within its budget, contributing to deliverables, providing full documentation of project activities, and providing documentation on the financial situation of the project to the FAC for reports to EC officers and authorities (such as cost statements). The FAC will coordinate, with the support of the PCC, the financial and bureaucratic administration of the project, managing in particular the cost statements, the budgetary overviews, the budget for the management task, etc.

Consortium Agreement

The Consortium Agreement, signed by all partners before the start of the project, sets the principles of the consortium management, and places the relationship between the project partners and their responsibilities on a legal basis for the duration of the work. Besides specifying the details of the management structure and of the decision making process outlined above, this agreement deals with issues related to the technical contribution of each beneficiary in terms of tasks, human, material and financial contributions, rules for dissemination and use (confidentiality, ownership of results, patent rights, exploitation of results, protection and dissemination of knowledge), financial provisions, and legal provisions.

Table 7: Tentative schedule of project reviews

Review number | Tentative timing, i.e. after month X = end of a reporting period | Planned venue of review | Comments, if any
1 | After project month: 12 | Bruxelles |
2 | After project month: 24 | Bruxelles |
3 | After project month: 36 | Bruxelles |

Project Meetings

General project meetings, attended by all consortium partners, will take place every 6 months. More specifically, in addition to two annual project review meetings and a final review meeting, there will be one project meeting per year, attended by all site leaders and representatives of all project sites, in order to synchronise and assess the results. There will also be additional meetings and bilateral visits, which will be arranged as needed. We will organise three project workshops, possibly in combination with the meetings; the last of these workshops will be an open one, possibly as part of the ARSPA ("Automated Reasoning for Security Protocol Analysis") workshop series that was originated during the AVISPA project (see for more details on the workshop series and the associated journal special issues). The following is a preliminary timetable for the project meetings (the tentative schedule of project reviews is summarised in Table 7):

Month 1: Kick-off meeting.
Month 6: First synchronisation and assessment meeting.
Month 12: First review meeting.
Month 18: Second synchronisation and assessment meeting.
Month 24: Second review meeting.
Month 30: Third synchronisation and assessment meeting.
Month 36: Final review meeting.

Risk management and damage mitigation

Risks are an inherent element of quality RTD projects. However, unmanaged risks may have a detrimental impact on the project schedule and results, and eventually give rise to contractual litigation. The complexity of the technical and technological issues tackled by the project thus requires careful monitoring and management of risks. The management process will identify and monitor risks that could have an impact on the project schedule and results, and will take appropriate measures to suppress or mitigate their effects. While some risks (such as too ambitious objectives, technological bottlenecks, or poor integration of competencies) can be identified during the elaboration of the project and adapted strategies devised within the workplan, as shown in Section B1.3, other risks, either internal (e.g. a non-performing or defaulting partner) or external to the project (e.g. technical developments outside the project, or market evolution), may appear during project implementation and will require timely management decisions. Risk monitoring during project implementation will be one of the SC/FAC's (i.e. Prof. Luca Viganò's) responsibilities, with the support of the PCC. A risk management method comprising risk identification, evaluation and ranking, mitigation and residual risk follow-up will be applied by all WP leaders and co-ordinated by the PCC. In more detail, we envisage the following three potential major sources of risk:

Project risks that affect the project schedule or resources. There are four major project risks that we will have to tackle:

1. Technical risks associated with the milestones (and decision points): see Table 8.
2. Underestimation of the effort needed to complete the activities. To prevent this, we have carefully studied and planned the allocation of resources to the different project activities (Tables 4 and 5). Moreover, we will closely monitor resource consumption and promptly take corrective actions. This will also be facilitated by the planned incremental delivery of results (e.g. with different, incremental versions of methodologies and technologies, as illustrated in the list of deliverables). The budget has been carefully assigned and no major changes are expected. Rather, if useful, minor adjustments will be carried out by the different partners to the budget locally allocated to them, shifting the partner's budget allocated to one task to another task of that same partner.
3. Staff-related risks. No staff turnover is expected, but the hiring of new scientific personnel might cause some initial stalling due to missing new staff (although the recruiting of potential researchers is already underway). This risk will be strongly mitigated, and possibly avoided altogether, by the planned contributions of permanent staff, especially at the beginning of the project.
4. Management risks. All risks related to management will be mitigated by the management structure (described in detail above in this section) and by the management empowerment regulated by the consortium agreement that will be signed by all partners. Moreover, all partners have considerable experience of working together on large projects (such as AVISPA) and are strongly committed to the project, which will greatly simplify the management tasks.

Product risks that affect the quality or performance of the technologies being developed. We will achieve high quality control through the careful scheduling of the project activities (see the GANTT and PERT charts in Figures 3 and 5) as well as the internal and external assessment of project results: this will be achieved by the assessment deliverables as well as the major project milestones that are linked to the review and assessment points (and thus constitute decision points, supporting risk monitoring and also the activation of corrective measures to bring the project back on track).

Business risks that affect the consortium's development of methodologies and technologies. There are several such risks:

Table 8: Technical risks associated with the milestones (and decision points), their probability, and the corresponding management and mitigation strategies

Risk | Probability | Management and mitigation strategy

MS1: Basic Dissemination and Use Plan, and Trust and security requirements of problem cases
Failure to deliver Basic Dissemination and Use Plan. | nil | A basic version of the Dissemination and Use Plan will be delivered in time.
Failure to identify trust and security requirements of problem cases. | low | An appropriate number of PMs have been devoted to the task both from academia and industry, so that at least an initial set of trust and security requirements will be identified.

MS2: ASLan v.1, Attacker models and reasoning techniques, Platform architecture, and Assessment 1
Failure to identify a single language capable of expressing all the necessary security aspects of SOA. | moderate/high | A task force will be devoted to this activity in order to possibly identify separate partial languages and either define translations among them or plan for a modular verification technique to combine them.
Reasoning techniques do not scale up to the needed complexity. | moderate | Design from scratch new techniques addressing the complexity of the problem.
Failure to identify a suitable architecture for the AVANTSSAR Validation Platform. | low | Some adjustments to the original architecture design might be needed.

MS3: ASLan v.2 (statically composed services and policies), Validator and Orchestrator prototypes, and First formalisation of problem cases
Failure to deliver ASLan v.2. | moderate/high | Identify different languages and translators between them, or implement a modular verification technique to combine them.
Failure to deliver Validator and Orchestrator prototypes, or First formalisation of problem cases. | low | For prototypes: semi-automated versions; for formalisations of problem cases: partial specifications.

MS4: Reasoning techniques for ASLan v.2 specifications, Platform prototype, Assessment v.2, ASLan for industry
Failure to deliver reasoning techniques. | moderate/high | Focus on and deliver interactive techniques rather than automatic ones, techniques for partial specifications, and/or techniques focused on particular case studies rather than general specifications.
Failure to deliver Platform prototype, Assessment v.2, ASLan for industry. | low | Incremental delivery of results.

MS5: ASLan final version, Decidability results, Formalised problem cases, and AVANTSSAR in industry
Failure to deliver ASLan final version. | moderate | Identify different languages and translators between them, or implement a modular verification technique to combine them.
Failure to produce decidability results. | moderate/high | Focus on decidability for simpler problems (e.g. by putting bounds on some parameters).
Failure to deliver formalised problem cases. | low | Partial specifications.
Failure to present AVANTSSAR technology to industry. | low | More active dissemination by additional presentations to industry and standardisation organisations.

MS6: Final assessment, Migration to industry and standardisation organisations, Final Dissemination and Use Plan, and Technology Implementation plan
Failure to migrate AVANTSSAR technology to industry. | low/moderate | Partial integration of technology in industrial development process.
Failure to deliver Final assessment, Final Dissemination and Use Plan, and Technology Implementation plan. | nil | The documents will be delivered.

Inability to provide adequate and timely trust and security requirements for real-life service-oriented architectures. This risk will be mitigated by a close monitoring of emerging approaches and standards in the relevant areas. Since all of the four industrial partners of the consortium are key players in the development of secure service-oriented architectures and participate in standardisation efforts, we will be able to take pro-active measures to swiftly react to such novelties.

Industrial relevance of the selected case studies for the success criteria. Our case studies (and, as a direct consequence, our success criteria) are driven by the industrial partners of the consortium, with a strong backing from the related development divisions.

Competition with related projects and products. We will continually compare our results and technologies with those developed by competing projects and approaches, also thanks to the project workshops, to which related researchers will be invited (and which will possibly spawn a series of international workshops, such as the ARSPA workshop series that was spawned from the AVISPA project workshops). Moreover, all partners have existing collaborations and connections to several such researchers, and will organise smaller meetings with them. These workshops and meetings will provide forums for the continuous exchange and cross-fertilisation of scientific and technological advances and will help prevent replication of work.

Insufficient dissemination, technology implementation and exploitation. A large-scale academic and industrial dissemination (at conferences, meetings and standardisation organisations) is planned in WP 6, in particular with the delivery of the Dissemination and Use Plans at months 6 and 36 and of the Technology Implementation Plan at month 36.
The workshops and meetings mentioned above will also help us to disseminate the project results in both the academic and the industrial communities, and plan further steps for dissemination, technology implementation, and exploitation.

Management procedures

The different activities of the project will be managed with the following methodology.

Meetings: Regular meetings of the PCC and the WP Leaders will take place on a bi-yearly basis and will be combined when possible, including combination with the kick-off, synchronization, and review meetings.

Research Reports: Reports on deliverables and milestones will be produced by WP Leaders in accordance with the workplan and made available to the PCC. Bi-yearly progress reports will be produced by the PCC. Contractual reports collected by the Project Coordinator with the assistance of the PCC will be sent to the EC Project Officer.

Financial reports: The actual effort of each partner will be monitored by the SC/FAC on a bi-annual basis and compared to the workplan. Any major deviation will be discussed by the PCC. A summary financial report will be included in the progress report.

Protection and dissemination of knowledge (IPR): The Parties have agreed to general IPR principles such that Foreground generated solely or jointly by academic parties will be public domain, while Foreground generated jointly by academic parties and industrial parties, or Foreground generated solely by industrial parties, will be treated differently. Detailed IPR provisions are described in the Consortium Agreement: in accordance with Article I.4 of the Grant Agreement, the Parties have entered into a Consortium Agreement where they have specified and/or supplemented, as between themselves, the provisions of the Grant Agreement, including (but not limited to) access rights and liability. Whenever possible without compromising the IPR of the consortium members, dissemination of project results will be encouraged through the usual means, including publication of scientific papers, presentations at conferences, and advertising on the project Web site. The PCC will be responsible for overseeing this policy and other related issues.

Summary of project organisation

WHAT? | HOW? | WHO?
Administrative Management: project and financial reports, budget allocation, project results impact. | Following instructions from the PCC, interacts with WP leaders for monitoring and reporting. | SC/FAC
Executive and Strategic Management: implementation of project tasks through WP inputs to the SC; risk management, new orientations, conflict solving, corrective actions. | Top-down decisions based on the work plan, bottom-up reporting to the SC. | PCC
Operational Activities: research and innovation, training. | Through WP leaders. | WP leaders

B2.2 Beneficiaries

In the following pages, we give a brief description of each of the project beneficiaries: a short description of each organisation, the main tasks they have been attributed (see the workpackage tables for more details on the role and technical activities of the beneficiaries in the individual workpackages), the previous experience relevant to these tasks, and a short profile of the staff members who will be undertaking the work, including information on the new personnel that the beneficiaries plan to hire to carry out the project work.

UNIVR: University of Verona, Italy

The University of Verona is one of the largest universities in the North-East of Italy. The Department of Computer Science started in 2000 as a spin-off of a science and technology department, and has been ranked for three consecutive years as the first computer science department of Italy by an official analysis of CENSIS (the national centre for statistical analysis of the society). The department has more than 40 faculty members covering the principal subjects of computer science. The UNIVR group will benefit from the administrative support of the department, which has a strong record of national and international projects.

Main tasks in the AVANTSSAR project. Project coordination and management (WP 1). Modelling and validation techniques for web services and policies (WP 2 and WP 3). Design and implementation of the AVANTSSAR validation platform (WP 4).

Expertise: Theoretical Foundations and Automated Tools for Security Analysis. Theoretical foundations and development and implementation of formal reasoning techniques for the specification and verification of protocols, services, and systems for information security and mobile networks, e.g. [3, 4, 5, 6, 7, 10, 11, 35, 48, 49, 50, 51, 52, 82, 83, 84, 85, 86, 120, 121, 143, 144, 145, 161, 177, 178, 227, 228].

Key Staff

Prof. Dr. Luca Viganò received his Ph.D. in Computer Science from the University of Saarbrücken, Germany, in 1997, and his Habilitation in Computer Science from the University of Freiburg, Germany, in He held a senior research scientist position in ETH Zurich's Information Security Group from January 2003 to October Since October 2006, he has been an Associate Professor of Computer Science at the University of Verona, Italy. His research focuses on formal methods and tools for the specification, verification, and construction of secure systems, and on the theory and applications of non-classical and security logics. On these topics, he has taught several classes, tutorials, and industrial courses, and has co-authored more than 50 publications. He has served as PC-chair and PC-member in several international conferences and workshops. In particular, in 2004, he founded and has since been co-chairing the workshop series on Automated Reasoning for Security Protocol Analysis (ARSPA). He has participated and is currently participating in the administration and research activity of a number of projects on information security, including the projects AVISS [31] and AVISPA [30].

Prof. Dr. Massimo Merro received his Ph.D. in Computer Science from the Ecole des Mines de Paris, France, in He was research fellow at the University of Sussex (UK; May 2000 to Apr. 2002), research fellow at the EPFL (Switzerland; May to Oct. 2002), and Assistant Professor of Computer Science at the University of Verona (Nov. to Sept. 2006). Since Oct. 2006, he has been Associate Professor at the same university. His research interests include formal methods applied to concurrent and distributed systems, process calculi for mobile systems, concurrent and distributed object-oriented languages, formalisation of distributed algorithms, and security aspects of ad hoc networks. He has taught several classes and tutorials, and has co-authored more than 25 publications in international journals and conferences. He has served as PC-member in several international conferences and workshops.

Dr. Alessandra Di Pierro received her Ph.D. in Computer Science from the University of Pisa, Italy, in She was then employed at City University (London), and was an assistant professor in the Department of Computer Science at the University of Pisa. She is now assistant professor at the Department of Computer Science at the University of Verona. Her research focuses on probabilistic and quantitative aspects of languages, models, program analysis and abstract interpretation, particularly in application to problems in language-based security. She has served as PC-member in several international conferences and workshops, and has published over 40 papers.

UNIVR plans to hire two full-time post-doctoral researchers to work on the project.

Five relevant publications

[35] M. Backes, S. Mödersheim, B. Pfitzmann, and L. Viganò. Symbolic and Cryptographic Analysis of the Secure WS-ReliableMessaging Scenario. In Proc. of FOSSACS 06, LNCS 3921, pp Springer,
[51] D. Basin, S. Mödersheim, and L. Viganò. OFMC: A symbolic model checker for security protocols. International Journal of Information Security, 4(3): ,
[121] A. Di Pierro, C. Hankin, and H. Wiklicky. Quantitative Static Analysis of Distributed Systems. Journal of Functional Programming, 15(5): 1 47,
[177] M. Merro. An Observational Theory for Mobile Ad Hoc Networks. In Proc. of MFPS 07,
[178] M. Merro and F. Zappa Nardelli. Behavioural Theory for Mobile Ambients. J. ACM, 52(6): , 2005.

ETH Zurich: Eidgenössische Technische Hochschule Zürich, Switzerland

The Swiss Federal Institute of Technology Zurich (ETH Zurich) is an institution of the Swiss Confederation dedicated to higher learning and research. ETH Zurich has a central infrastructure for, and considerable experience with, the administration of EU projects; in particular, since the start of the 6th Framework Programme of the European Union, ETH Zurich has been involved in 178 EU projects. The Information Security Group, headed by David Basin, consists of 20 researchers, focusing on different aspects of the development of rigorous methods and tools for building secure and reliable systems, such as methods and tools for the formal specification and validation of industrial-scale security protocols, as well as the development of a framework for trust, security and contract management in dynamically-evolving virtual organisations. The group collaborates with several international academic and industrial partners. David Basin is also director of the Zurich Information Security Center (ZISC), a cooperation between members of ETH Zurich and industry, with the aim of providing a coordinated program of state-of-the-art research and education in information security.

Main tasks in the AVANTSSAR project. Development of the ASLan language (WP 2). Development of compositional reasoning techniques and validation techniques (WP 3). Design of the AVANTSSAR validation platform (WP 4).

Expertise: Theoretical Foundations and Automated Tools for Security Analysis. The ETH Zurich group has broad experience in information security, software engineering, formal methods (logics, model-checking, and theorem-proving) and the application of semi-automated formal methods to distributed systems and security protocols and systems, e.g. [3, 11, 35, 42, 43, 44, 45, 46, 47, 49, 50, 51, 52, 81, 112, 113, 9, 82, 83, 84, 142, 143, 147, 114, 214, 227].

Key Staff

Prof. Dr. David Basin is a full professor and has held the chair for Information Security at ETH Zurich's Department of Computer Science since January He is also the director of the ZISC. He received his Ph.D. from Cornell University in 1989, and his Habilitation from the University of Saarbrücken in He held a postdoctoral research position at the University of Edinburgh, led a subgroup within the programming logics research group at the Max-Planck-Institut für Informatik in Saarbrücken, and held a full professor chair in software engineering at the University of Freiburg. His research focuses on information security, in particular methods and tools for modelling, building, and validating secure, reliable systems. He has co-authored over 100 publications. He has taught numerous courses, tutorials, and industrial courses on information security, at universities and international schools, and he has organised, or been a member of, the program committee of over 80 international conferences and workshops. He is an editor of 4 international journals. He has participated in and/or coordinated a number of projects at the national and international level on trust and security, most notably the FET-Open projects AVISS [31], AVISPA [30] and TrustCoM [226].

Dr. Cas Cremers received his PhD in computer science in 2006 at the Eindhoven University of Technology. Since 2006 he has been a postdoctoral researcher at ETH Zürich. Cas Cremers is the developer of the protocol analysis tool Scyther [114]. His main contributions are in the area of models for abstract security protocols, automatic verification, and compositionality aspects of security protocols.

Out of the 72 person-months of ETH Zurich, 4 will be carried out by the key staff, while for the other 68 person-months we will employ one Ph.D. student and one postdoc.

Five relevant publications

[44] D. Basin, J. Doser, and T. Lodderstedt. Model Driven Security: from UML Models to Access Control Infrastructures. ACM Transactions on Software Engineering and Methodology, to appear.
[51] D. Basin, S. Mödersheim, and L. Viganò. OFMC: A symbolic model checker for security protocols. International Journal of Information Security, 4(3): ,
[147] M. Hilty, D. Basin, and A. Pretschner. On obligations. In 10th European Symposium on Research in Computer Security (ESORICS 2005), LNCS 3679, pages Springer-Verlag,
[113] C.J.F. Cremers. Feasibility of multi-protocol attacks. Proc. of the first international conference on availability, reliability and security (ARES),
[114] C.J.F. Cremers. Scyther - Semantics and Verification of Security Protocols. Ph.D. dissertation, University Press Eindhoven, 2006.

INRIA: Cassis Group, INRIA Lorraine, France

INRIA (National Institute for Research in Computer Science and Control) is a French public-sector scientific and technological institute. INRIA is a member of ERCIM EEIG, the European Research Consortium for Computer Science and Mathematics. INRIA, the University Henri Poincaré-Nancy 1, the University Nancy 2, the Institut National Polytechnique of Lorraine and the CNRS are associated within a research centre called LORIA (Laboratoire Lorrain de Recherche en Informatique et ses Applications), located in Nancy. LORIA has a staff of 450 persons, including more than 150 research scientists and 120 PhD students. This STREP project at INRIA Lorraine will be based on the Cassis group (which comprises 24 people). Research in the Cassis group focuses on designing fundamental techniques and tools for security analysis and for verification, using automated deduction and constraint solving. The group has developed innovative security protocol verifiers, such as Casrul, CL-AtSe, and T4SP.

Main tasks in the AVANTSSAR project. Validation techniques for Web Services and policies (WP 3). Design and implementation of the AVANTSSAR validation platform (WP 4).

Expertise: Theoretical Foundations and Automated Tools for Security Analysis. The Cassis group at INRIA has a strong, internationally acknowledged experience in automated deduction [32, 108, 202, 230, 229, 231] and security analysis [204, 92, 111, 152, 11]. Dr. Rusinowitch is the head of the Cassis group and has participated as site leader in the FET Open Project IST AVISPA [30].

Key Staff

Dr. Michaël Rusinowitch received a Thèse d'État in Computer Science in 1987 at the University of Nancy. Since 1994 he has been Directeur de Recherche at INRIA. His research is mainly concerned with security analysis, theorem-proving, term-rewriting, and their application to software verification. He contributed to the development of automated deduction with constraints (e.g. [109, 183]), to new proof methods based on induction and rewriting (e.g. [77]) and to the verification of security protocols [152, 92, 201]. He has published his work in more than 60 international conferences and 28 journal papers, and is the author of a book on automated deduction. He has been a member of program committees for many international conferences and co-chairman of the conference on Rewriting Techniques and Applications, and of the International Joint Conference on Automated Reasoning in He is coordinator of a project supported by ACI Sécurité Informatique, SATIN, involving 6 national partners from academia or industry.

Dr. Mathieu Turuani studied at the Ecole Normale Supérieure of Cachan and got his Ph.D. in Computer Science from the University of Nancy in His appointments include a Post-Doctoral position at the Computer Science Department of Stanford University (2004). His PhD work was distinguished by an AFIF national award. Since 2005 he has been a researcher at INRIA (Nancy). His research focuses on theoretical and practical aspects of the verification of cryptographic protocols [204, 97, 33].

Dr. Laurent Vigneron has been an assistant professor at the University Nancy 2 since 1997, and works at LORIA. He received his Ph.D. from the University of Nancy in 1994, and held a postdoctoral position at the University of Stony Brook (NY) in He is secretary of the IFIP Working Group 1.6 on rewriting. His research interests include automated deduction and verification of security protocols [96, 106, 105]. He developed the automated deduction system daTac [229] and a protocol translator for AVISPA [91]. He has published many papers in international journals and conferences.

INRIA plans to hire one PhD student to work on the project.

Five relevant publications

[97] Y. Chevalier, R. Küsters, M. Rusinowitch, and M. Turuani. An NP Decision Procedure for Protocol Insecurity with XOR. Theoretical Computer Science 338(1-3): , 2005.
[100] Y. Chevalier and M. Rusinowitch. Hierarchical Combination of Intruder Theories. Proceedings of the 17th International Conference on Term Rewriting and Applications, volume 4098 of Lecture Notes in Computer Science, pages , Springer,
[106] Y. Chevalier and L. Vigneron. Strategy for Verifying Security Protocols with Unbounded Message Size. Journal of Automated Software Engineering, 11(2): , April
[33] M. Backes, A. Datta, A. Derek, J. C. Mitchell, and M. Turuani. Compositional analysis of contract-signing protocols. Theoretical Computer Science 367(1-2): 33-56,
[204] M. Rusinowitch and M. Turuani. Protocol Insecurity with Finite Number of Sessions and Composed Keys is NP-complete. Theoretical Computer Science, 299: , 2003.

UPS-IRIT: LiLaC Team, Institut de Recherche en Informatique de Toulouse, France

The Institut de Recherche en Informatique de Toulouse (IRIT) is a joint computer science research institute between the Universities of Toulouse 1 and Toulouse 3 (UPS), and the CNRS (UMR 5505). It is one of the largest CS institutes in France, gathering over 400 scientists, including doctoral students, on its premises.

Main tasks in the AVANTSSAR project. The Lilac team at UPS-IRIT will focus its work on the reasoning techniques of WP 3 for ASLan. Borrowing from its experience on the composition of services, it will also participate in the definition of the requirements for ASLan in WP 2. UPS-IRIT also plans to help in the design and implementation of the AVANTSSAR validation platform of WP 4.

Expertise: Cryptographic Protocols Analysis and Security Policies. The group from UPS-IRIT was recently formed to work on the combination of the message-passing view and the security policy view of Web services. P. Balbiani has worked intensively on propositional dynamic logic with intersection, which allows parallelism to be expressed, and on deontic logic, which allows norms to be expressed. This work has led to the definition of a logic for privacy policies [2, 39, 41]. Team member Y. Chevalier has previously worked within the AVISPA project on the automated analysis of cryptographic protocols [102, 101, 104, 10, 92, 96, 95, 94, 99, 11]. Since June 2006, he has collaborated with P. Balbiani on the definition and translation to XACML of a logic dedicated to expressing access control with obligations in a distributed system. Finally, G. Feuillade has worked in the area of automatic control synthesis, and will join P. Balbiani and PhD student F. Cheikh [90] on the analysis of the behavioural fragment of ASLan.

Key Staff

Dr. Philippe Balbiani graduated from the ENSEEIHT engineering school in From 1988 to 1990 he prepared his doctorate at Université Paul Sabatier Toulouse 3, which he received in From 1991 to 1995 he was a full-time CNRS researcher at UPS-IRIT. He then moved to the Laboratoire d'Informatique de Paris-Nord (LIPN), where he received his Habilitation in Since September 2000 he has been working as a CNRS researcher at UPS-IRIT, and since September 2005 he has been leader of the Lilac group at UPS-IRIT. He is working on modal logics and their applications to computer science. His current research is oriented toward the formalisation of obligations and permissions and the translation of these concepts into more expressive security policy languages. He has coauthored more than 40 papers in international journals and conferences, and was guest editor of the Journal of Applied Non-Classical Logic.

Dr. Yannick Chevalier is a former student of the ÉNS of Lyon, where he graduated in He passed the agrégation in 1999, and was a Mathematics teacher for one year. He joined the Cassis group at Loria to prepare a Ph.D. on the analysis of cryptographic protocols (received in 2003). Since 2004 he has been a lecturer at Université Paul Sabatier Toulouse 3. His main contributions are in the area of symbolic analysis of cryptographic protocols, in terms of flaw detection in the presence of algebraic primitives and validation. He has coauthored more than 10 papers in international conferences or journals.

Dr. Guillaume Feuillade is a former student of ÉNS Cachan. He successfully defended a Ph.D. thesis in 2005 on the automated synthesis of Petri nets from mu-calculus specifications. He was then hired by Université Paul Sabatier Toulouse 3 as a lecturer, and joined the Lilac group at UPS-IRIT to work on the automated synthesis of services. His main contributions include several undecidability results for the automated synthesis of Petri nets.

UPS-IRIT will hire two PhD students and one Post-doc (for one year) to work on the project.

Five relevant publications

[40] P. Balbiani and F. Cheikh. Safety problems in access control with temporal constraints. In MMM-ACNS, vol of LNCS, pp Springer,
[41] P. Balbiani, Y. Chevalier, and M. Kourjieh. Reasoning on actions and obligations. Available at http://
[90] F. Cheikh, G. D. Giacomo, and M. Mecella. Automatic web services composition in trust-aware communities. In Proc. of the 3rd ACM workshop on Secure Web Services, pp , ACM Press.
[99] Y. Chevalier and M. Rusinowitch. Combining intruder theories. In L. Caires, G. F. Italiano, L. Monteiro, C. Palamidessi, and M. Yung, editors, ICALP, vol of LNCS, pp Springer,
[128] G. Feuillade and S. Pinchinat. Modal Specifications for the Control Theory of Discrete Events Systems. Discrete Event Dynamic Systems, 17: , 2007.

UGDIST: Dipartimento di Informatica Sistemistica e Telematica, Università di Genova, Italy

The University of Genova is one of the oldest universities in Italy, with a long history of collaboration with other universities and research institutes in Europe. The Dipartimento di Informatica Sistemistica e Telematica (DIST), founded in 1984, has an academic staff consisting of about 40 professors and 20 research assistants.

Main tasks in the AVANTSSAR project. Modelling and development of model-checking techniques for Web Services and policies (WP 2 and WP 3) and their implementation in the AVANTSSAR platform (WP 4).

Expertise: Automated Reasoning and Model Checking of Software and Protocols. The UGDIST group has a long history of research in Automated Reasoning [23, 133, 28, 16, 25, 26, 27, 14] and its application to model checking of software [12, 24, 13] and of security protocols [19, 22, 18, 11, 15, 20]. In particular, the group has shown how protocol insecurity can be reduced to an AI planning problem and, in turn, to a sequence of SAT problems which can be solved by means of state-of-the-art SAT solvers. The group has been involved in several national and international research projects, including two projects funded by the Italian Ministry of Research and University (a Galileo Project with France, a Vigoni Project with Germany), the Research Training Network CALCULEMUS (HPRN-CT ), the FET Open projects AVISS (IST ) and AVISPA (IST ), and a FIRB project (RBAU01P5SS) funded by the Italian Ministry of University and Research. The group will benefit from the administrative support of DIST, which has a long record of international projects (more than 90 EU-funded projects since 1984).

Key Staff

Prof. Dr. Alessandro Armando is associate professor at DIST. His appointments include a research position at the University of Edinburgh and one at INRIA-Lorraine, Nancy. He is the head of the AI-Lab at DIST. He is the author of more than 50 research works in international journals and conferences. He coordinated the AVISPA project and a project for the co-tutoring of PhD students in a network of European Research Institutions. He is currently coordinator of a FIRB project funded by the Italian Ministry of University and Research on the automatic analysis of cryptographic protocols. He is a member of the Steering Committee of a number of international conferences, including the International Joint Conference on Automated Reasoning (IJCAR) and the International Symposium on Frontiers of Combining Systems (FroCoS). He has been PC member of several conferences, chair of FroCoS 02, co-chair of the 1st Workshop on Automated Reasoning for Security Protocol Analysis (ARSPA 04), and will co-chair the 4th IJCAR (Sydney, 2008). He gave an invited talk at the Security Area Advisory Group (SAAG) meeting during the 62nd Meeting of the Internet Engineering Task Force (IETF).

Prof. Dr. Enrico Giunchiglia is full professor at DIST. He has published more than 80 papers, mainly in the areas of Artificial Intelligence and Formal Verification. He is Editor in Chief of the European Journal of Artificial Intelligence (AI Communications), and a member of the Editorial Board of the Artificial Intelligence Journal (AIJ), of the Journal of Artificial Intelligence Research (JAIR) and of the Journal on Satisfiability, Boolean Modeling and Computation. He has been PC member in various conferences, including IJCAI, ECAI, AAAI, DATE, SAT, and (co-)chair of various events, including the 6th International Conference on the Theory and Applications of Satisfiability Testing (SAT) and the 13th International Conference on Automated Planning & Scheduling (ICAPS). He has been invited to deliver several talks and tutorials at various conferences and events, including the International Conference on Automated Deduction and the International Conference on Automated Planning & Scheduling.

UGDIST plans to hire one post-doctoral researcher and one PhD student to work on the project.

Five relevant publications

[20] A. Armando and L. Compagna. SAT-based Model-Checking for Security Protocols Analysis. To appear in the International Journal on Information Security, Springer.
[15] A. Armando, R. Carbone and L. Compagna. LTL Model Checking for Security Protocols. In the Proceedings of the 20th IEEE Computer Security Foundations Symposium (CSF20), Springer,
[17] A. Armando, C. Castellini, E. Giunchiglia, and M. Maratea. The SAT-based approach to separation logic. Journal of Automated Reasoning, pages 1 27,
[13] A. Armando, M. Benerecetti, and J. Mantovani. Abstraction refinement of linear programs with arrays. In Proceedings of TACAS 07, LNCS 4424, pages Springer,
[22] A. Armando, L. Compagna, and P. Ganty. SAT-based Model-Checking of Security Protocols using Planning Graph Analysis. In Proceedings of Formal Methods Europe (FME 03), LNCS Springer, 2003.

96 FP7-ICT October 17, 2007 AVANTSSAR, project no IBM: IBM Research GmbH, Zurich Research Laboratory (ZRL) IBM Research GmbH, Zurich Research Laboratory (ZRL), with approximately 300 employees, is a whollyowned subsidiary of the IBM Research division with headquarters at the T.J. Watson Research Center. ZRL, which was established in 1956, represents the European branch of IBM Research. It is involved in more than 80 joint projects with universities throughout Europe, in research programs established by the European Union and the Swiss government, and in co-operation agreements with research institutes of industrial partners. In the Computer Science department of ZRL, research is focused on the fields of secure and trusted systems, mobile computing, business process technology and optimisation. Furthermore, the department has a long history in systems management and cryptography research. In the area of security, current research is focused on privacy and cryptography, in particular identity management, Web services and policies, intrusion detection, mobile and ubiquitous computing, and smartcards. The lab has participated in several EU-funded projects such as the PRIME project (IST ). Much of this research has become or had a direct influence on IBM s products and services. Main tasks in the AVANTSSAR project. IBM s focus will be on the development of techniques and tools for automated analysis, both on the theoretical and practical side (WP 3 and WP 4). IBM will also work on the formalisation of applications and problem cases (WP 5 and WP 6). Expertise: Cryptography, Formal Methods, Service-Oriented Architectures The security and cryptography group has experience in the design and analysis of security-sensitive algorithms, protocols, and service-oriented architectures and their policies [37, 88, 87, 150, 159]. 
The experience in security covers the entire range from computational reasoning in cryptography to the formal analysis of systems [11, 35, 49, 50, 51, 143, 144], including work to bridge the gap between these different views of security [36, 38, 220].

Key Staff

Dr. Birgit Pfitzmann ( bpf/) is a senior research staff member of IBM Research at the Zurich Research Lab. Birgit Pfitzmann joined IBM in Since then she has contributed to several research projects in risk and compliance, identity management, web services security, privacy, and formal verification of cryptographic protocols. Before joining IBM, she was a tenured professor and dean of the Department for Computer Science at the University of Saarland in Saarbrücken. Birgit Pfitzmann has co-authored more than 100 research papers in security, privacy and cryptography, and has served on the program committees of several international conferences on these topics. She was the program chair of Eurocrypt 2001 and the ACM CCS 2004, and is the co-program chair of the IEEE Symposium on Security and Privacy 2006 and She is a member of the IACR, where she served on the Board of Directors, and of the ACM and GI, and a Senior Member of the IEEE. Her scientific accomplishments include the development of cryptographic primitives with novel security properties, and the cryptanalysis of cryptographic protocols. She has contributed to the area of applying formal methods to the verification of cryptographic protocols, and is currently one of the leading researchers in the field of modelling and verifying cryptographic systems. At IBM she developed protocols for federated identity management with novel security and privacy properties.

Dr. Sebastian Mödersheim has worked in the information security group of Prof. Dr. David Basin in the context of the EU projects AVISS and AVISPA. He received a doctoral degree from the ETH Zurich in 2007 and has since worked as a post-doc at the IBM ZRL.
Sebastian Mödersheim is the lead developer of the protocol analysis tool OFMC [51]. He has contributed to symbolic constraint-based analysis of security protocols, the integration of algebraic properties, and abstraction-based model checking.

Five relevant publications
[35] M. Backes, S. Mödersheim, B. Pfitzmann, and L. Viganò. Symbolic and Cryptographic Analysis of the Secure WS-ReliableMessaging Scenario. In Proceedings of FOSSACS 06,
[37] M. Backes, B. Pfitzmann, and M. Schunter. A toolkit for managing enterprise privacy policies. In 8th European Symposium on Research in Computer Security (ESORICS 2003), LNCS 2808,
[51] D. Basin, S. Mödersheim, and L. Viganò. OFMC: A symbolic model checker for security protocols. International Journal of Information Security, 4(3): ,
[87] J. Camenisch, A. Shelat, D. Sommer, S. Fischer-Hübner, M. Hansen, H. Krasemann, G. Lacoste, R. Leenes, and J. Tseng. Privacy and identity management for everyone. In ACM DIM,
[159] G. Karjoth, B. Pfitzmann, M. Schunter, and M. Waidner. Service-oriented assurance: comprehensive security by explicit assurances. In First Workshop on Quality of Protection (QoP 2005), 2005.

OPENTRUST: OPENTRUST, Trust and Security Software

OPENTRUST, developer of OpenTrust™, an open source trust and security infrastructure, designs and develops value-added software solutions and services that enable the implementation of secure web services based on open source infrastructures. OpenTrust™ enables the management of strong authentication, digital certificates, digital signatures, and proof management.
Opentrust PKI: an open source PKI market leader.
Opentrust SCM: a powerful solution for managing a card's lifecycle.
Opentrust XCH: a simple and secure way of exchanging documents via Extranet or Intranet.
Opentrust SPI: a digital signature and proof management infrastructure.

In 5 years, OPENTRUST has become a recognised leader in Open Source Trust & Security services, with over 70 key corporate and government customers who work together through C3I, the OPENTRUST Customers Network. Alex Fletcher of the Open Source Analyst Entiva Group states: OpenTrust is an open, modular platform for integrating trust into a global infrastructure using a standardised-based approach. Most of the Global 1000 are already hip to the futility of the silo approach to securing business applications and services. Plus, the push towards Service Oriented Architecture (SOA) driven methodologies has exposed the need to integrate and expose security functions to a potentially indeterminate number of components. In essence, the next generation of ICT architecture will implicitly require better, more flexible and open platforms by default.

A truly reliable and secure infrastructure, OpenTrust™ has already been adopted by numerous large enterprises and administrations including AGF, Areva, Nissan, Mobistar, Sanofi, Caisse d'Epargne, The National Bank of Belgium, Total, Thales, Michelin, CEA, La Poste, Swiss Ministry of Defense, French Ministry of Agriculture, French Ministry of Finances, Cetrel (Luxembourg), Banksys (Belgium), etc.
Founded in 2000, OPENTRUST is based in Paris and employs 60 people. OPENTRUST is backed by the following institutional investors: Iris Capital, Credit Agricole Private Equity, ELAIA and Seeft Ventures.

Main tasks in the AVANTSSAR project. OPENTRUST's focus will be on the formalisation of application and problem cases and the dissemination of AVANTSSAR's results (WP 5 and WP 6).

Expertise: OPENTRUST, Trust and Security Software

OPENTRUST, developer of OpenTrust™, an open source trust and security infrastructure, designs and develops value-added software solutions and services that enable the implementation of secure web services based on open source infrastructures. OpenTrust™ enables the management of strong authentication, digital certificates, digital signatures and proof management.

Key Staff

Sherley Brothier, OPENTRUST CTO. Former head of the Sycomore administration system, co-founder and director of Inet6, he is currently the manager of our OpenTrust™ development team.

Nat Makarevitch, OPENTRUST Co-Founder. A major player and promoter of Open Source technology in the French-speaking community since Founder and developer of and www.ikarios.fr.

Nathalie Jolly, OPENTRUST Project Director. Project manager since 2001 and former subproject leader of CARE-MAN, a major pluridisciplinary European project, she is now in charge of implementing the OPENTRUST PKI solution among major French companies (Renault, Caisse Epargne).

Tuan Nguyen, OPENTRUST Project Director. Former CTO of Kotio, R&D manager and professional services director of Netquartz, he is in charge of implementing the OpenTrust SPI solution among Clients and Partners.

OPENTRUST will hire a new engineer or Ph.D. student to work on AVANTSSAR.

Five relevant publications
[72] L. Bloch, C. Wolfhugel, N. Makarevitch, C. Queinnec, and H. Schauer. Securite Informatique, Eyrolles Edition,
[162] M. F. Krafft, R. Hertzog, R. Mas, and N. Makarevitch. Debian, administration et configuration avancee, Eyrolles Edition,
[172] N. Makarevitch. Choisir un système libre (open source), article/choix-distri/.
[173] N. Makarevitch. OpenTrust PAM, the secure access solution for portals, com/content/view/237/205/lang,en/.
[174] N. Makarevitch. Collection Cahiers de l'Admin /cahiers-de-l-admin.

IeAT: Institute e-Austria Timişoara, Romania

IeAT (Institute e-Austria Timişoara) is an independent Romanian research institute for Computer Science and Information Technologies, established jointly by the West University and Politehnica University of Timişoara, Romania, and the Research Institute for Symbolic Computation (RISC) Linz, Austria. The name e-Austria acknowledges pilot funding for its creation. IeAT was set up to help competitive Romanian researchers remain in the country, and to serve as a technology-transfer centre for a future Software Technology Park in Timişoara, with a special focus on providing development opportunities for SMEs. Research at IeAT has a strong focus on model checking, software analysis and automated theorem proving, which are significant for this project. IeAT leads the action line on formalisms for compositional timing specifications in the components and modelling cluster of the FP6 network of excellence ARTIST2 (IST ), and participated in ECO-NET grant 08112WJ on executable and verifiable models for the security of communicating systems, led by Université Paris 12. It is also a partner in the FP6 infrastructure project SCIEnce (RI ), with a joint research action dedicated to grid and web services for symbolic computation, and special tasks on service composition and security. In 2005, IeAT hosted a NATO Advanced Research Workshop on Verification of infinite-state systems with applications to security, and in 2006 an international Workshop on Information and Computer Security. Locally, it has joint projects on system verification and safety with key ICT companies such as Alcatel and Siemens VDO Automotive.

Main tasks in the AVANTSSAR project. IeAT's main effort will be on reasoning techniques for automated validation (WP 3), in particular compositional assume-guarantee reasoning, and the corresponding modelling and language support in WP 2.
IeAT will also contribute to the modelling and validation of problem cases (WP 5).

Expertise: Compositional reasoning and methods for state-space reduction

IeAT has specific expertise in model checking using partial order techniques [107] for state space reduction [163, 164, 165, 180], which are valuable in dealing with the enormous branching factor in modelling possible intruder behaviour. Another area of expertise is compositional reasoning and circular assume-guarantee rules [146, 125], which we expect to apply in analysing the interaction of modular security services.

Key Staff

Prof. Dr. Marius Minea ( marius) has been a senior researcher at IeAT and associate professor at the Politehnica University of Timişoara, Romania, since He received his Ph.D. from Carnegie Mellon University in 1999 with a thesis on partial order reduction methods for the verification of timed systems and was a postdoctoral researcher at the University of California, Berkeley, focusing on compositional methods for embedded system design. He has co-authored more than 25 articles in international journals and conferences. His main interests are model checking applied to real-time systems and security, partial order reduction methods, compositional and assume-guarantee reasoning, and abstraction in software verification.

IeAT plans to support one PhD student for the full duration of the project and to hire one post-doc starting in the second year.

Five relevant publications
[53] D. Beauquier, M. Duflot, M. Minea. A probabilistic property-specific approach to information flow. In Mathematical Methods, Models, and Architectures for Computer Network Security. 3rd International Workshop, LNCS 3685, pp Springer,
[107] E. M. Clarke, O. Grumberg, M. Minea, and D. Peled. State space reduction using partial order techniques. Software Tools for Technology Transfer, 2(3): ,
[125] J. Elmqvist, S. Nadjm-Tehrani, M. Minea. Safety interfaces for component-based systems. In Computer Safety, Reliability, and Security, 24th Int'l. Conf., LNCS 3688, pp Springer, 2005.
[146] T. A. Henzinger, M. Minea, V. Prabhu. Assume-guarantee reasoning for hierarchical hybrid systems. In Hybrid Systems: Computation and Control. 4th Int'l. Workshop, LNCS 2034, pp Springer,
[165] R. Kurshan, V. Levin, M. Minea, D. Peled, and H. Yenigün. Combining software and hardware verification techniques. Formal Methods in System Design, 21(3): , 2002.

SAP: SAP AG and its SAP Research Business Unit, Germany

SAP has grown to become the world's leading provider of e-business software solutions. With 12 million users, 96,400 installations, and more than 1,500 partners, SAP is the world's largest inter-enterprise software company and the world's third-largest independent software supplier overall. SAP employs over 39,300 people in more than 50 countries. SAP Research is the technology research department of SAP and, as an integral part of SAP's R&D activities, SAP Research is responsible for identifying, researching, understanding, developing and evaluating new and emerging technologies, processes and e-business solutions that strategically influence the future of SAP business applications. SAP Research is a Global Business Unit under the direction of SAP AG operating Research Centers in various countries. These Centers are usually co-located with Academic Partners and focused on specific research topics. Depending on the needs of the projects, SAP Research will consider distributing workpackages among its locations in order to engage Researchers with the required expertise. This will increase the effectiveness and efficiency of the execution of the project. In the context of this document, SAP refers to SAP AG and its SAP Research Business Unit.

SAP Research has identified six long-term and global research programs, including Security & Trust (S&T), which will run the AVANTSSAR project. With its deep expertise in the areas of Business Process Security, Authorisation, Trust Management, Context-aware Security and Security Engineering, and its previous and ongoing involvement in major EU-funded projects in the area (incl. TrustCom, Serenity, MOSQUITO, WASP, ITAIDE, R4eGov), SAP Research is well positioned to achieve the objectives of AVANTSSAR and contribute to the success of the project.

Main tasks in the AVANTSSAR project.
As its main activity, SAP will lead the workpackages on Proof of concept (WP 5) and Dissemination and Industry Migration (WP 6).

Expertise: Trust and security for enterprise service-oriented business systems and formal methods

Members of the S&T program have an excellent background in trust and security for open and heterogeneous business systems [197, 240], workflow and service security [210, 212], trust management in open environments and virtual organisations [198, 158, 140, 157, 241], and formal methods for security [168, 170, 129, 189, 191, 15, 20]. This expertise ensures the ability to provide excellent results in the AVANTSSAR research workpackages. SAP Research's ability to provide and conduct industrial-scale case studies suitable for the validation, assessment and migration of the project's results stems from the fact that research activities are closely interwoven with SAP's solution groups' requirements elicitation and design activities as well as SAP's product groups' long-term product development strategy. The scenarios and problem cases will be worked out in close cooperation with both the related Research Programs and SAP's Business Groups.

Key Staff

Volkmar Lotz received his diploma in Computer Science from the University of Kaiserslautern in Since November 2004, he has been the Program Manager for S&T at SAP Research. His responsibilities include the definition and implementation of SAP's security research agenda, its strategic alignment to SAP's business needs, and the maintenance of a global research partner network. From 1989 to 2004 he was affiliated with Siemens Corporate Technology, from 1994 in the Security Department. From 1999 to 2004 he headed the Formal Methods in Security group, with emphasis on security requirements engineering, evaluation and certification, cryptographic protocol verification, and mobile code security.
His current research interests include Business Process Security, Service Security, Authorisation, Security Engineering, and Compliance. Volkmar has published numerous scientific papers in his area of interest and regularly serves on the Programme Committees of internationally renowned conferences and workshops.

Dr. Luca Compagna is a member of SAP Labs France, where he is contributing to the S&T Research Area and leading the EU project SERENITY. He received his MSc in Informatic Eng. from the U. of Genova and his Ph.D. in Electronics and Computer Science Eng. jointly from the U. of Genova and Edinburgh. His areas of interest include security engineering, automated reasoning, and their application to the modelling and analysis of industrially relevant scenarios. He contributed to three projects on information security, including AVISPA, recently shortlisted for the EU Descartes Prize, and he has published various scientific papers in his area of interest.

SAP plans to hire one new full-time employee and at least one new Ph.D. student to work on the project.

Five relevant publications
[15] A. Armando, R. Carbone and L. Compagna. LTL Model Checking for Security Protocols. To appear in IEEE Computer Security Foundations Symposium,
[21] A. Armando and L. Compagna. SAT-based Model-Checking for Security Protocols Analysis. To appear in the International Journal on Information Security,
[236] M. Wimmer, A. Kemper, M. Rits and V. Lotz. Consolidating the Access Control of Composite Applications and Workflows. In DBSec,
[211] A. Schaad, V. Lotz and K. Sohr. A model-checking approach to analysing organisational controls in a loan origination process. In SACMAT,
[170] V. Lotz, V. Kessler, and G. Walter. A Formal Security Model for Microprocessor Hardware. In IEEE Transactions on Software Engineering, 26(8): , Aug

SIEMENS: Siemens Aktiengesellschaft, Corporate Technology, Security, Germany

Siemens, headquartered in Berlin and Munich, is one of the world's largest electrical engineering and electronics companies. In the fiscal year 2006 (which ended September 30), the company employed approximately 475,000 people and posted sales of € billion from continuing operations. Net income for the year totaled €3.033 billion. Siemens has a strong international presence, with operations in over 190 countries and manufacturing facilities at about 290 locations worldwide. The company's business portfolio is focused on six key areas: Information and Communications, Automation and Control, Power, Transportation, Medical and Lighting. Innovation is a top priority for a world-class electrical engineering and electronics company. In fiscal 2006, Siemens invested €5.7 billion in R&D. The company is the largest patent applicant in Germany, in second place in Europe and among the top ten in the United States. Most of Siemens' approximately 49,000 researchers and developers are working on software projects, making the company one of the world's largest software developers. Work in AVANTSSAR will be conducted by the Security department of Siemens Corporate Technology, Information & Communications, in Munich.

Main tasks in the AVANTSSAR project. The focus of Siemens will be the proof of concept case studies in WP 5, which include strong interaction with all other workpackages.

Expertise: security applications and formal methods

The security department at Siemens Corporate Technology consists of about 35 researchers working on a broad spectrum of security topics. It is among the few industrial groups utilising formal methods for the validation of industrial-scale security-sensitive applications, e.g. [169, 170, 171, 190, 187, 191, 199].
People working in AVANTSSAR have a strong background in formal methods, fixed-net and mobile communication, and application security. Thus they can provide and conduct substantial real-world case studies. The group will benefit from the substantial experience gained during the AVISPA project. There will also be synergy with current projects, in particular using the results from the EU Project SPICE (Nokia Siemens Networks recently replaced Siemens as SPICE participant), which is concerned with the secure integration of service building blocks, and from the German-funded research project VESUV, which provides a Web Service mechanism for securing document transfer in e-government and e-tourism.

Key Staff

Dr. Jorge Cuellar studied mathematics (B.A. and M.A.) at the Universidad de los Andes, Bogota and obtained a Ph.D. from the University of Mainz. Since 1987 he has been with Siemens, where he is Principal Research Scientist, and has held visiting teaching positions at various universities. He has been a Program Committee member of a number of international conferences, co-chairman of the IEEE International Conference on Software Engineering and Formal Methods (SEFM 04), and will co-chair the FME Symposium Formal Methods 2008 (FM 08). He has worked on operating systems, formal methods, neural networks, performance, network and mobile security and Internet protocols.

Dr. David von Oheimb ( received his Ph.D. in Computer Science in February 2001 from the Munich University of Technology. He joined Siemens Corporate Technology in 2001, where as a Senior Research Scientist he is responsible for the formal analysis and certification of ICT security.

Dr. Monika Maidl studied mathematics at the Ludwig-Maximilians-Universität München and the University of Cambridge. Since 2005, she has been with Siemens AG as a Research Scientist working on ICT application security, including formal verification of protocols and software distribution.
SIEMENS plans to employ one more researcher and at least one Ph.D. student to work on the project.

Five relevant publications
[170] V. Lotz, V. Kessler, and G. Walter. A Formal Security Model for Microprocessor Hardware. IEEE Transactions on Software Engineering, 26(8): , 2000.
[190] D. von Oheimb and V. Lotz. Formal Security Analysis with Interacting State Machines. In Proceedings of the NICTA Formal Methods Workshop on Operating Systems Verification, pages 37-72,
[187] D. von Oheimb. Information flow control revisited: Noninfluence = Noninterference + Nonleakage. In Proceedings of ESORICS 2004, LNCS 3193, pages Springer,
[188] D. v. Oheimb and J. Cuellar. Designing and verifying core protocols for location privacy. In Information Security, LNCS Springer,
[199] R. Robinson, M. Li, S. Lintelman, K. Sampigethaya, R. Poovendran, D. von Oheimb, J.-U. Bußer, and J. Cuellar. Electronic distribution of airplane software and the impact of information security on airplane safety. Submitted for publication, 2007.

B2.3 Consortium as a whole

As summarised in the list of beneficiaries (which we repeat in Table 9 for the sake of readability), the consortium combines 10 partners from academia or academic research organisations (UNIVR, ETH Zurich, INRIA, UPS-IRIT, UGDIST) and industrial research (IBM, OPENTRUST, IEAT, SAP, SIEMENS). Moreover, it is worth noting that OPENTRUST is an SME and IEAT is an SME research organisation.

Table 9: List of beneficiaries
Beneficiary number | Beneficiary name | Beneficiary short name | Beneficiary type | Country | Date enter project | Date exit project
1 (coordinator) | Università di Verona | UNIVR | academia | Italy | month 1 | month 36
2 | ETH Zurich | ETH Zurich | academia | Switzerland | month 1 | month 36
3 | Institut National de Recherche en Informatique et Automatique | INRIA | academia (research org.) | France | month 1 | month 36
4 | Institut de Recherche en Informatique de Toulouse | UPS-IRIT | academia (research org.) | France | month 1 | month 36
5 | Università di Genova | UGDIST | academia | Italy | month 1 | month 36
6 | IBM Research GmbH | IBM | industry/research | Switzerland | month 1 | month 36
7 | OpenTrust | OpenTrust | industry (SME) | France | month 1 | month 36
8 | Institute e-Austria Timişoara | IEAT | research org. (SME) | Romania | month 1 | month 36
9 | SAP AG | SAP | industry | Germany | month 1 | month 36
10 | Siemens Aktiengesellschaft | SIEMENS | industry | Germany | month 1 | month 36

The partners possess complementary scientific and practical competence, and they represent a great research experience and capability in Europe in the topics of the proposed project. These groups are among the European leaders in their respective areas and have a long and successful history of international collaboration and strong bi- and multi-lateral relations. This is witnessed by the large number of projects that several of the partners have carried out together, in particular the AVISPA project [30], which will provide a stepping stone for AVANTSSAR.
The partners will apply their expertise to tackle the challenges raised by the project objectives as described in more detail in Section B1.3, where the responsibilities for the research to be carried out in the workpackages are clearly defined. It is precisely thanks to this complementary scientific and practical competence, and to our long history of successful collaboration, that we expect to achieve the challenging objectives of AVANTSSAR.

Two SMEs are involved in the project. IeAT is an SME research institution in Romania and will provide AVANTSSAR with its expertise on compositional validation methods for security-critical systems. IeAT also acts as a technology transfer centre, having projects with companies (such as Alcatel) for which automated validation technology is of interest, and is involved in several Romanian networks that stimulate research participation of information technology SMEs. OPENTRUST is a French SME that will provide AVANTSSAR with its unique expertise in the design of digital signature and dematerialisation of document exchange procedures composed in a modular way from various security services (time-stamping, digital certificate management, archiving, etc.). OPENTRUST solutions will drive and allow us to refine the AVANTSSAR validation vision; conversely, AVANTSSAR will provide OPENTRUST with tools to reduce the time and effort needed to perform the critical security analysis of OPENTRUST's solutions.

Table 10 summarises the main tasks assigned to the project beneficiaries, while Table 11 summarises their expertise, which will allow them to carry out the tasks according to the lists of workpackages and deliverables given in Tables 2 and 3 and the staff effort given in Tables 4 and 5. More detailed descriptions of the role and technical activities of the beneficiaries in the individual workpackages can be found in the workpackage tables. Further details on the planned exploitation of results can be found in Section B3.2.

Table 10: Main tasks attributed to the beneficiaries
Benef. | Name | Main tasks
1 | UNIVR | Project coordination and management (WP 1), modelling and validation techniques for web services and policies (WP 2 and WP 3), design and implementation of the AVANTSSAR validation platform (WP 4).
2 | ETH Zurich | Development of the ASLan language (WP 2) and of compositional reasoning techniques and validation techniques (WP 3). Design of the AVANTSSAR validation platform (WP 4).
3 | INRIA | Validation techniques for web services and policies (WP 3). Design and implementation of the AVANTSSAR validation platform (WP 4).
4 | UPS-IRIT | Definition of the requirements for ASLan (WP 2), reasoning techniques for ASLan (WP 3), design and implementation of the AVANTSSAR validation platform (WP 4).
5 | UGDIST | Modelling and development of model checking techniques for web services and policies (WP 2 and WP 3) and their implementation in the AVANTSSAR validation platform (WP 4).
6 | IBM | Development of techniques and tools for automated analysis, both on the theoretical and practical side (WP 3, WP 4); formalisation of applications and problem cases (WP 5, WP 6).
7 | OPENTRUST | Formalisation of application and problem cases and dissemination of AVANTSSAR's results (WP 5, WP 6).
8 | IEAT | Reasoning techniques for automated validation (WP 3), in particular compositional assume-guarantee, and the corresponding modelling and language support (WP 2). Modelling and validation of problem cases (WP 5).
9 | SAP | Leading of the workpackages on Proof of concept (WP 5) and Dissemination, Exploitation, and Industry Migration (WP 6).
10 | SIEMENS | The focus of Siemens will be the verification of the case studies in WP 5, including a strong participation in the definition of the AVANTSSAR Specification Language, ASLan (WP 2).

Table 11: Expertise of the beneficiaries
Benef. | Expertise
1 | UNIVR offers expertise on the theoretical foundations and the development and implementation of formal reasoning techniques for the specification and verification of protocols, services, and systems for information security and mobile networks.
2 | ETH Zurich offers expertise on the development, implementation, and application of formal methods and semi-automated reasoning techniques for the specification, analysis, and validation of protocols, services, and systems for information security, trust, and privacy.
3 | INRIA provides expertise on the foundations of automated reasoning for verification and security analysis, and has long experience in the development of automated tools for the validation of security-critical systems.
4 | UPS-IRIT offers expertise on the definition, treatment, and application of non-classical logics to security policies, and on the automated compilation and analysis of security protocols.
5 | UGDIST offers expertise on automated reasoning techniques and their application to the design and development of model checking tools for software and security protocols.
6 | IBM has both designed and analysed security-relevant systems. Their expertise in both fields ranges from reasoning on the level of the actual cryptography up to the level of abstract analysis using formal methods.
7 | OPENTRUST is the developer of a Proof Management Middleware which allows for the simple and modular integration of digital signature, encryption, time-stamping and strong authentication features within a business process.
8 | IEAT has expertise on state space reduction methods in model checking using partial orders as well as compositional reasoning and circular assume-guarantee rules.
9 | SAP is the recognised leader in service-oriented enterprise systems and architectures. It offers expertise in security for open, heterogeneous, and adaptive enterprise systems, business processes, and services, in trust management for collaborative environments and virtual organisations, and in formal methods for security.
10 | SIEMENS routinely designs and evaluates security concepts and solutions and actively participates in their standardisation. It is among the few industrial groups utilising formal methods for the validation of industrial-scale security-sensitive applications.

Sub-contracting

The only subcontracting foreseen in the project is for auditing purposes: SAP AG plans to subcontract Deloitte & Touche Wirtschaftsprüfungsgesellschaft GmbH for the preparation of the required audit certificates, amounting to €4.000 per statement.

Other countries

There are no consortium members from countries outside the EU Member States and Associate States.

B2.4 Resources to be committed

The descriptions in this proposal demonstrate a realistic assessment of the efforts necessary to effectively realise our plans and an optimal distribution of the effort across the project partners. In particular, as summarised in the staff effort shown in Tables 4 and 5, the project will require a total of 590 person months, distributed between the two principal kinds of activities as follows:
RTD: 568 person months for research and innovation, and
Management: 22 person months for project and consortium management.

Research and innovation

Personnel

As can be seen from form A3 of the proposal, the vast majority of the planned costs will cover personnel costs for RTD. The key staff listed in the individual participants' descriptions in Section B2.2 will provide the backbone of the consortium, and we are planning to hire at least seventeen new researchers at various levels (ranging from young Ph.D. students to experienced researchers or engineers) to support the development of the desired methodologies and technologies. The majority of the research and innovation (RTD) effort (96.3% of the total effort) is focused on the development of the AVANTSSAR validation platform (languages, techniques, and tools), and on its application to the industrial case studies for the proof of concept and the subsequent dissemination and industry migration. The effort allocated to these tasks is adequate for the achievement of the project goals because the AVANTSSAR partners bring into the consortium a wealth of expertise from previous work, projects, and the industrial development of commercial products. The effort of the academic partners (UNIVR, ETH Zurich, INRIA, UPS-IRIT, UGDIST) and that of the industrial research organisations IBM and IEAT will be spread quite uniformly over the three technical workpackages WP 2, WP 3, and WP 4.
The industrial partners OpenTrust, SAP, and SIEMENS will spend most of their efforts on the workpackages WP 5 and WP 6, devoted to the application of the project s novel methodologies and technologies and their industry migration. 96 person months (16.3% of the total effort) will be devoted to dissemination of the project results and migration of our technologies into industrial practice, as described in Section B3.2. Dissemination will take place through appropriate channels and in appropriate forums: in order to reach a wide academic and industrial audience, and ensure a wide take-up of the project results, both in academic and industrial contexts, all project partners will aim to publish project results in international journals, conferences, and symposia. In particular, as a key to the successful exploitation of the AVANTSSAR results in real-world industrial settings, the majority of these 96 person months will be devoted to industry migration demonstrating a smooth integration of our technologies in existing environments. In addition, activities oriented towards the general public are planned. Protection and exploitation of intellectual property and knowledge arising from the project will also play an important role. Travel Travel will be fundamental not only for the dissemination of our results but also, and most importantly, for ensuring the tight synergy between the consortium partners and the intense exchange and cross-fertilisation of ideas and results required by the project. Hence, all partners have requested substantial funding for travelling to such project-internal technical meetings, as well as to external meetings (conferences, workshops, industry days, etc.) where the project results will be presented. 
Equipment The equipment costs will be limited to a few thousands Euros for the hardware and software necessary for the maintenance of the common distributed repository of the project and the AVANTSSAR Website (as described in Section B2.1), and for the support of the uniform assessment of the AVANTSSAR platform and its application to the problem cases.

Management Resources for project management are adequate (3.7% of the total effort in PM). The project coordination and management will be carried out by the project coordinator Prof. Viganò with the help of the other members of the UNIVR research group and of the administrative infrastructure of UNIVR. The management costs have been kept to the minimum required for the smooth course of the project and the assessment of its scientific and administrative progress (via the required internal and external audits). As remarked above, the only subcontracting foreseen in the project is for auditing reasons, and is thus very limited.

Resources complementary to EC contribution In addition to the funding requested from the EC, all partners will bring their own resources to the project (for the budget complementary to the requested EC contribution). This includes both the technical work to be provided by permanent scientific staff members and the administrative support from the local offices, as well as the hardware and software necessary for the successful completion of the project (except for the equipment mentioned above).

Third parties INRIA, as a beneficiary of AVANTSSAR, will use the University of Nancy 2 (a fellow member of the Joint Research Unit LORIA) to carry out part of the work (as identified in this document): Dr. Laurent Vigneron, who is an assistant professor at the University of Nancy 2, will be working together with the INRIA team. Dr. Vigneron is a member of the Cassis Group, led by Dr. Michael Rusinowitch, who is also the leader of the INRIA site. Dr. Vigneron is a leading expert in automated reasoning and protocol analysis; in particular, he was one of the main developers of the AVISPA platform and has a unique competence in designing protocol analysis tools, which is strongly related to the platform for service analysis that we will develop in the AVANTSSAR project. Hence, it is important that the University of Nancy 2 be assigned tasks in workpackages WP 3 and WP 4. Laurent Vigneron will, in particular, contribute to the following two tasks: he will work on the development of an attacker model for XML messages (WP 3.3, Attacker models), and he will address the problem of automatically generating XML protocols and checking their executability (WP 4.1, The TS Orchestrator). The estimated total budget for these contributions is 2 person months, corresponding to Euros, 75% of which is supported by the European Union.

UPS, as a member of a Joint Research Unit composed of the two owners/members UPS and the Centre National de la Recherche Scientifique (CNRS), will use CNRS as a third party for carrying out part of the work allocated to UPS-IRIT (as identified in this document). More specifically, in the context of a collaboration agreement established between UPS and CNRS, UPS has been designated to act as the principal legal entity for the laboratory Institut de Recherche en Informatique de Toulouse (IRIT). CNRS will thus act as a third party in the context of the AVANTSSAR project through the involvement of Dr. Philippe Balbiani, who will be leading the UPS-IRIT site. Dr. Balbiani has considerable experience in the formal specification and analysis of security policies and access control models and mechanisms, which will be of particular importance for the development of decision procedures for service synthesis and satisfiability of ASLan policies and the other tasks to be carried out in WP 3. In his contribution, with an estimated total budget of 15 person months, corresponding to Euros, Philippe Balbiani (IRIT-CNRS) will concentrate on the definition of algorithms for the synthesis of services and algorithms for the satisfiability of ASLan policies. Together with Guillaume Feuillade (lecturer, UPS) and Fahima Cheikh (student, UPS), Philippe Balbiani has devised an algorithm that, given a family of available services and the specification of a requested service, computes, if it exists, a mediator service that coordinates the tasks performed by the available services in such a way that the requested service is obtained. However, in its current version, this algorithm assumes that the messages exchanged by the available services are atomic. Hence, in the course of the project, the scope of the algorithm for the synthesis of services will be extended to the practical case where the exchanged messages follow an XML syntax. These tasks will be carried out in WP 3.1. Together with Yannick Chevalier (lecturer, UPS) and Marwa El Houri (student, UPS), Philippe Balbiani has devised a logical language based on deontic logic and dynamic logic that will be used for expressing security policies in ASLan. In this language, the notion of trust delegation and the notion of obligation, which are essential in the context of the composition of policies and services, will be definable. Hence, ASLan policies being nothing but logical formulas, the main objective in this respect is the ability to check their satisfiability. These tasks too will be carried out in WP 3.1.

We thus believe that the overall financial plan is adequate for such an ambitious workplan: the relatively high funding requested is justified by the scope and objectives of the project, which require a consortium that integrates state-of-the-art academic and industrial experience such as ours.

B3 Impact

B3.1 Strategic impact

The ICT community, in particular the major software and computing vendors, including IBM, Microsoft, HP, and SAP, is currently driving the trend to develop complex solutions on top of service architectures. These allow one to build and integrate applications on demand by offering a variety of universally applicable services, features, and functions that are combined, utilised, adapted, and dissolved in immediate response to given needs. This technology is pervasive, since the required computing infrastructures are available anywhere and anytime, and its ubiquity affects all aspects of public, business, and private life. By means of adaptivity and pervasion, this trend addresses the needs of today's rapidly evolving economy and society. Yet, society will benefit from this development only if systems, applications, and infrastructures can be trusted to respect individual security and protection needs. This is increasingly challenging: security architectures and functionalities will themselves have to be flexible, adaptive, and evolving, thus amplifying the demand for evidence of their correctness. Lack of security is a major obstacle to the utilisation of service orientation: according to [139], industry is reticent to incorporate this technology due to the low level of security that can be guaranteed with this paradigm today. Ensuring the security of service architectures is therefore crucial for their adoption by industry.

The research envisaged in the AVANTSSAR project is unique in the domain of service-oriented computing and service-oriented architectures:
1. by its goal of providing a formal model for obtaining provably secure services;
2. by advancing key formal verification technologies, and especially the latest theorem-proving, model-checking and constraint-solving techniques, to cover challenge problems raised by the complexity of run-time composed secure services;
3. by assessing the developed tools on industrial services of a complexity that has never been considered before;
4. by starting the migration of this technology to standardisation bodies and companies.

In particular, we expect that the automation of our technology, allowing for less human interaction in the validation of services, will allow enterprises working in security areas to benefit from advanced technologies that enhance their products to higher levels of confidence. This will be relevant not only for major companies, such as the AVANTSSAR partners IBM, SAP and SIEMENS, but also, and even more so, for SMEs such as OPENTRUST, which have less person-power available. Following the above, a population of service providers will offer partial security functionality and policy enforcement, and the application security architecture will be composed of these services. Due to the distributed nature of the infrastructure and the service architectures, the use of services in different environments subject to different security requirements and policies, and the complexity of secure composition of these services, it becomes absolutely crucial for the feasibility and the acceptance of pervasive and trusted network and service infrastructures that evidence of the adequate enforcement of security and trust is provided. With its rich set of methods, languages and tools, the AVANTSSAR project provides a comprehensive framework for the provision of validated services for trust and security and for the secure composition of services, thus implementing a major enabling technology for meeting the security challenges raised by the new communications and ICT paradigms. Its results strengthen the European position in laying the foundations of the new emerging service infrastructures, since proven quality and interoperability are considered to be the major distinctive factor in the global competition among service providers, in particular in highly sensitive and complex domains like security and dependability. The AVANTSSAR results will allow a service provider to convince service consumers of the adequacy of its offering by rigorously demonstrating its qualities.

They enable application providers to justify adequate security and policy enforcement to their customers, leading to increased customer confidence. The success criteria of the project are ambitious and involve the assessment of a significant number of problem cases (see Table 1, the text describing it, and Appendix B). These real-life benchmarks will show that AVANTSSAR is not only able to address industrial-scale problems within the global infrastructure, but is ready to be deployed. With its validation support for the entire range of services for trust and security (ranging from static services working in isolation to run-time composition of services in reconfigurable architectures), its easy-to-comprehend specification languages, an integrated toolset combining the strengths of various techniques for automated validation, and its novel reasoning techniques for secure composition, AVANTSSAR will integrate seamlessly into development and runtime security and dependability frameworks for service-oriented architectures and ambient intelligence. The project will thus contribute significantly to substantially improving the security and dependability of networks and service infrastructures whose complexity and scale are an order of magnitude greater than those of today's infrastructures. In fact, as we discussed in more detail above, the AVANTSSAR project fits naturally into the objectives of the ICT Work Programme (in particular, Objective ICT : Secure, dependable and trusted Infrastructures): establishing trust and security in today's service-oriented applications has strategic economic and social impact beyond the disciplines of security and software construction. The scientific and technological challenges, in particular the complexity of securing service-oriented architectures, significantly surpass the state of the art in automated software validation and thus carry a substantial level of risk. However, a successful project outcome will have long-term implications, laying the foundations of a new generation of provably secure distributed, service-oriented ICT systems and applications.

The impact of AVANTSSAR goes beyond the technical innovations towards business and industry. Service orientation implies new business models, with value chains being distributed over a set of contributors, the service providers, and established on demand by service consumers orchestrating and composing the required services into an application. The loose coupling of services opens a new business case for independent service providers: companies focusing on their core competencies within a value chain and offering these on a service marketplace in a ready-to-be-integrated fashion. This opportunity applies to security as well: we see an emerging market for independent providers of services that exhibit specific security features, provided that they can justify the properties and constraints applying to their offerings and that the service consumers can validate the contribution of the services to their individual security requirements. This market leverages the business of the security industry and opens new opportunities: while adding new security functionality to an application or infrastructure is currently a major integration effort that has to be done individually for each project under consideration, service orientation has the potential to provide the same flexibility and ease of integration to the security architecture as it does to the applications. A key success factor for these new business opportunities is the ability to re-use the secure services in different settings with different security requirements applying. Re-use requires evaluating the properties provided by the secure services, maintaining these properties in the presence of orchestrating services (including security services), and relating these properties to the application's security requirements.

AVANTSSAR provides the necessary means to facilitate a service business for the security industry for the relevant stakeholders:
- the secure service providers, by enabling them to advertise the trust and security properties and constraints of their offers and to justify the validity of these claims. Their business model is strengthened through the facilitation of increased secure service re-use.
- the secure service consumers, by evaluating the contribution of the independently provided secure services and their fit into the application's environment.

The fact that AVANTSSAR is offering push-button technologies for the validation of trust and security properties of services and their composition further strengthens the outlined business case. Following the dynamism of service-oriented applications and their varying security environments, immediate response to a validation task turns out to be a key enabling factor. Given these considerations, AVANTSSAR is well positioned to support a strong and competitive ICT security industry in Europe. This impact even goes beyond the security industry acting as secure service provider: it allows the European software and systems industry to meet one of the most important key performance indicators, i.e., security, in its move towards establishing a service ecosystem, thus providing a unique position for the European ICT industry. Europe is particularly well positioned to exploit the opportunities provided by a service ecosystem for economy, government and society, ahead of other economies. The European Technology Platform on Software and Services (the Networked European Software and Services Initiative, NESSI) gathers 22 partners and more than 200 institutional members to address the major changes that are driving the ICT services marketplace. With this unique workforce, NESSI pushes the European economy to the forefront of the service economy vision and guarantees the necessary span over companies, industries and nations. NESSI aims to provide a unified view for European research in Services Architectures and Software Infrastructures that will define technologies, strategies and deployment policies fostering new, open, industrial solutions and societal applications that enhance the safety, security and well-being of citizens. AVANTSSAR can provide a major contribution to the NESSI goals, since adequate security and trust is a recognised key success factor for NESSI. Though not positioned as a NESSI-compliant project, major NESSI partners (IBM, SAP, Siemens) are represented in the AVANTSSAR consortium, thus taking care of the dissemination of the results towards NESSI. Particular attention will be paid to possible contributions to the NESSI Open Framework, which is likely to benefit from the AVANTSSAR results.

European Dimension of the Consortium The development of an approach like ours, based on multiple advanced technologies, requires a research effort with a truly European dimension. The expertise required by the AVANTSSAR project cannot be found in a single national research group or site. Indeed, it would be very difficult to pursue the technical and socio-economic objectives of the proposed project without the participation of different research groups, from both academia and industry. The development and exploitation of the techniques to be applied in the project require a considerable variety and a high degree of advanced technical and technological skills. The partners of the AVANTSSAR consortium are among the leading European experts both in the different automated deduction techniques upon which the project will be based and/or in the analysis of protocols, services, and applications for trust and security. Moreover, the partners have a common background in automated verification strengthened by a long and successful history of international collaboration and strong bilateral relations. In particular, besides a number of smaller-scale, national and international projects involving the consortium partners (e.g. INRIA and UGDIST, INRIA and UPS-IRIT, ETH Zurich and UGDIST), the four partners UGDIST, INRIA, ETH Zurich and SIEMENS carried out the FP5 FET-Open project AVISPA: Automated Validation of Internet Security Protocols and Applications (project IST [30]; see Appendix A for more information on AVISPA). The AVISPA project (footnote 2) has developed a push-button, industrial-strength technology for the analysis of large-scale Internet security-sensitive protocols and applications, which is available at the project URL together with all the results and publications of the project. The project was so successful that it was nominated for the 2006 Descartes prize for research. The AVISPA technology is now widely employed by a large, world-wide community of academic and industrial users, who have been using it to validate and standardise their security protocols and applications. This technology will provide a fundamental stepping stone for the techniques and technologies to be developed in the AVANTSSAR project, in concert with the expertise provided by the other partners IBM, IeAT, UPS-IRIT, OPENTRUST, and SAP. This is even more so given that the AVISPA project has led to a strong and continued cross-fertilisation and synergy of ideas and results between the partners, as well as to an intense exchange of researchers. The AVANTSSAR consortium, therefore, collects the set of complementary technological skills required to tackle a high-risk project like ours, to a degree only possible in such a multi-national cooperation.

2 The AVISPA project originated from the FET Open Assessment Project Automated Verification of Infinite State Systems (AVISS), IST , which was carried out by the ETH Zurich team (which at that time was based in Freiburg, Germany), UGDIST, and INRIA.

Relation with other national and international research activities The AVANTSSAR partners have been involved in a number of projects, at the international and national levels, which are related to the objectives of AVANTSSAR. We briefly illustrate the most relevant ones. The partners INRIA and UPS-IRIT are involved in the Cops project (funded by the ANR, the French National Research Agency) together with the Laboratoire d'Informatique Fondamentale de Marseille (LIFM). This 3-year project focuses on the definition and implementation of security policies for Web Services.
Since Cédric Fournet of Microsoft Research Cambridge is both a consultant for Cops and one of the major players in the SAMOA project [207], which is developing formal tools for securing Web Services, we expect that AVANTSSAR will greatly benefit from the interactions between Cops and SAMOA. UGDIST is coordinating V@PSI, a research project funded by the Italian Ministry of University and Research in collaboration with the University of Trento and the University of Napoli. V@PSI is a 3-year project that is developing a range of automatic analysis techniques for Internet security protocols, including Web Services. We expect substantial interaction and cross-fertilisation between AVANTSSAR and V@PSI: on the one hand, the validation of security services pursued by AVANTSSAR is a natural and important generalisation of the research goals of V@PSI; on the other hand, we expect to re-use in AVANTSSAR some of the automatic analysis techniques developed in V@PSI. ETH Zurich is involved in the project VerSePro (funded by the Swiss National Science Foundation, SNSF) together with the École Polytechnique Fédérale de Lausanne (EPFL). This 4-year project, which started in the autumn of 2005, aims at the development and verification of security and privacy protocols for wireless networks. We thus expect that it will be possible to re-use in AVANTSSAR some of the techniques developed in VerSePro, and vice versa. Furthermore, ETH Zurich is involved in the project ComposeSec (funded by the Hasler Foundation). This 3-year project will start in September 2007 and aims at analysing complex protocol suites or services built by combining networked components. The goal of this project is to develop effective compositional methods, with accompanying tool support, to tackle this problem. This includes foundational work on bridging the gap between currently used security protocol models and high-level analysis models of composed services.
SIEMENS participates in the German-funded research project VESUV, providing a Web Service mechanism for securing document transfer for e-government and e-tourism applications, and has been involved in the EU project SPICE, whose general goal is to design a mobile service creation and execution platform for mobile and fixed networks beyond 3G. One of its topics is creating an easy and simple way to compose and roll out new services as combinations of existing services. (Siemens was recently replaced by Nokia-Siemens Networks within SPICE.) The AVANTSSAR goal of verifying the security of such composite services fits perfectly with this: on the one hand, SPICE and VESUV extend our application know-how on service architectures, and on the other hand, some main results of these projects will be validated using the formal techniques and tools to be developed in AVANTSSAR. OPENTRUST (formerly INETSYS) is involved in the European Integrated Project CARE-MAN, based on the joint call between the IST and NMP priorities in FP6. This project will provide a validated, intelligent, fully automated diagnostic device with a modular technological system based on biosensor technology, combining successful transduction principles, biochemical recognition methods and communication capabilities to allow a multi-parameter measurement characterising diseases defined by doctors and needs in hospitals. The integration of e-health capabilities is achieved through networking functions and interfaces to current and future medical data systems. IeAT is involved in the ARTIST2 FP6 network of excellence on Embedded System Design, specifically in the development of compositional reasoning techniques for both functional and non-functional properties of complex systems. Joint work in one cluster involving the network partners EPFL and VERIMAG focuses precisely on security properties. Another recent collaboration within a French ECO-NET project addresses the problems of modelling and verification jointly for policies and protocols, as proposed here.
IeAT is also a partner in the FP6 infrastructure project SCIEnce (RI ), with a joint research action dedicated to grid and web services for symbolic computation, and special tasks on service composition and security. SAP is involved in several European projects related to the provision of security technology and frameworks for open, heterogeneous, and adaptive enterprise software systems. Besides TrustCoM (see above), SAP is involved in WASP (Wirelessly Accessible Sensor Populations, [232]), focusing on wireless sensor networks and context-aware security, and R4eGov [195], aiming at security and privacy for e-administration in the large. The focus on context-aware security and on business-process security for workflows in the e-Administration domain, respectively, shows a high potential for synergies with the AVANTSSAR work in terms of expertise. Moreover, the AVANTSSAR validation platform can contribute to the validation of the security solutions resulting from these other projects. SAP will particularly encourage interaction with the SERENITY (System Engineering for Security and Dependability, [216]) Integrated Project. SERENITY enhances security and dependability for Ambient Intelligence ecosystems by capturing security expertise and making it available for automated processing. SERENITY, which captures a variety of established composition principles for secured services through its integration schemes, comprises three validation tools, each capable of formally analysing security solutions at one specific layer of the application stack, but it lacks a validation technique able to reason about integration schemes that combine security solutions at different application layers. AVANTSSAR thus complements the SERENITY functionalities by providing a technique that can be used to formally validate the SERENITY integration schemes, and is a candidate for possible integration into the SERENITY environment.
Last but not least, the integration schemes can both provide guidance for the design of the AVANTSSAR composition techniques and serve as additional benchmarks. The latter can be especially useful at the very beginning of the AVANTSSAR project, where the more mature SERENITY case studies can be used as drivers for the AVANTSSAR research work. Some of the members of the AVANTSSAR team, including ETH Zurich, INRIA, SAP, SIEMENS, and UNIVR, also participate, at different levels, in the activities of the European Research Consortium in Informatics and Mathematics (ERCIM [126]). In particular, ERCIM has recently set up a specific Working Group on Security and Trust Management, which aims at steering the research of ERCIM institutions on a series of activities (e.g., research projects, workshops, dissemination of knowledge) for fostering European research and development on security, trust and privacy in ICT. These are among the main issues of current and future research efforts for security in Europe (cf., for example, ...). We thus expect that the results of AVANTSSAR will be beneficial for this ERCIM WG, which will in turn provide a major forum for the peer evaluation and dissemination of our results.

There are a number of European research projects that are related to the objectives of AVANTSSAR, in particular the following three:

ASTRO is a joint research project between ITC (Trento) and the University of Trento that aims at the automated composition of distributed business processes, i.e. the development of technology, methods and tools that support an effective, flexible, reliable, easy-to-use, low-cost, and time-efficient composition of electronic distributed business processes [224]. The research objectives of ASTRO are thus relevant to AVANTSSAR. Conversely, by focusing on the automated validation of trust and security of service-oriented architectures, AVANTSSAR will provide solutions that are largely complementary to those of ASTRO.

SENSORIA, Software Engineering for Service-Oriented Overlay Computers [215], is an FP6 Integrated Project, part of the Global Computing Initiative, which aims at developing a novel comprehensive approach to the engineering of software systems for service-oriented overlay computers where foundational theories, techniques and methods are fully integrated in a pragmatic software engineering approach. We thus expect considerable interaction and exchange of expertise with the SENSORIA consortium, which will be facilitated by the fact that several of the AVANTSSAR partners already collaborate at different levels with several of the SENSORIA partners. In particular, the research work and expected results of AVANTSSAR are complementary to those of SENSORIA: the focus of AVANTSSAR is on the automated validation of trust- and security-relevant aspects of service-oriented architectures, as opposed to the software engineering techniques for general service-oriented overlay computers of SENSORIA. We thus expect to be able to exploit some of the foundational work carried out in SENSORIA, and vice versa we expect that SENSORIA will benefit from the functionalities provided by the security service validation framework that we will develop in AVANTSSAR.

PRIME, PRivacy and Identity Management for Europe, is an FP6-funded project (IST ) that aims at providing individuals with means to enhance their privacy and retain control over personal information in an ICT world that is becoming pervasive, via an integrative approach to the legal, social, economic and technical areas of concern. PRIME elaborates a framework to integrate all technical and non-technical aspects of privacy-enhancing identity management. On the technical side, the IBM Zurich Research Lab is a PRIME project partner that develops the identity mixer system, which is one of the problem cases that will be validated with the AVANTSSAR platform (see also Appendix B.2). It is expected that the activities within the AVANTSSAR project will yield a better understanding of the identity mixer, possibly identifying weaknesses in its design, and thus contribute to the development and the quality of the system.

B3.2 Plan for the use and dissemination of foreground

The AVANTSSAR project represents an unprecedented effort to apply automated validation methods to trust and security aspects of service-oriented architectures comprising composed services, and we thus expect that it will generate a large interest in both academia and industry. Dissemination will have a high priority in this proposal, and WP 6 will be devoted to all the activities needed to accomplish this task. In particular, a basic version of the Dissemination and Use Plan for the project's foreground (i.e. the knowledge generated during the project) will be delivered at month 6 (deliverable D1.2), and the final version of this plan will be delivered at month 36 (D1.6). A Technology Implementation Plan will also be delivered at the end of the project (D1.7). The following paragraphs describe the strategy and measures that our consortium will adopt to ensure the management of knowledge and intellectual property, the use of results and the dissemination of the foreground beyond the Consortium, and the exploitation of results. The section ends with a description of the contributions to standards that we envisage.

Management of knowledge and intellectual property

As specified in Section B2.1, a Consortium Agreement will be signed by all partners before the start of the project, setting the principles of the consortium management and placing the relationship between the project partners and their responsibilities on a legal basis for the duration of the work. It will, in particular, include specific arrangements concerning intellectual property rights to be applied among the participants and their affiliates, in compliance with the general arrangements stipulated in the contract. It will thus specify the rules for dissemination and use (confidentiality, ownership of results, patent rights, exploitation of results, protection and dissemination of knowledge), as well as financial and legal provisions.

Dissemination Plan

The main targets of the dissemination activity will be industry, research institutions, and standardisation bodies working on the design of services for security, like OASIS, W3C, and IETF. Appropriate measures are planned to ensure an effective and timely dissemination of the project results to potential users, both at the European level and worldwide. Moreover, since European society as a whole will ultimately benefit from the results of the project (in terms of increased reliability of, and confidence in, the electronic market), special measures are planned to reach the public. Dissemination to industry, research institutions, and standardisation bodies will be carried out by a variety of means, including:

- Talks at relevant international conferences and forums (both presenting the technical achievements and surveying the project's objectives and results).
- Publication of papers in proceedings of international conferences as well as in international scientific journals.
- Organisation of workshops on project-related topics, including project workshops where attendance of external experts and professionals is by invitation.
- Organisation of tutorials and thematic schools.
- Design and management of a publicly available web-site that includes descriptions of the main project results and, in particular, the AVANTSSAR software suite.

Press releases will be used to reach the public and make it aware of both the short-term and long-term impact of the project results. Notice that the partners already have considerable experience in such activities from previous projects.

Moreover, SIEMENS and SAP are members of ForTIA (the Formal Techniques Industrial Association), which is a subgroup of Formal Methods Europe (FME). Since its goals include ensuring that good tools and techniques are researched, developed and deployed, ForTIA will have an active interest in applying and disseminating the formal methodology to be developed in AVANTSSAR.

Exploitation Plan

The new techniques and methodologies, the formal models of the case studies, as well as the prototype tool for the automated validation of trust and security in composed services developed by the project will be of interest to researchers and professionals working on the design of new secure services. The AVANTSSAR consortium will aim at making techniques, formal models of the case studies, and tools available in order to provide support and to encourage designers to use the project's results. We do not believe that automatic tools for the security validation of services will be attractive enough for a commercial market, for reasons of potential market volume and appropriate pricing. On the other hand, all efforts should be made to increase the chance of AVANTSSAR being accepted as a de facto standard methodology and toolset within standardisation bodies, thus opening a market for consulting and services relating to the security validation of services. We will implement the following measures in order to release our techniques, models, and tools outside the consortium and to stimulate the exploitation of the AVANTSSAR results by industry and standardisation bodies:

- Development of the AVANTSSAR Validation Platform, i.e. a software suite for the automatic security validation of services. The release of the software, the documentation, and the formalisation of the case studies will be considered: we aim at the public availability of an automatic tool supporting the security validation of services, which would be the main vehicle for the exploitation of the results both by the partners involved in the project and by industry or standardisation bodies. New versions of the AVANTSSAR Validation Platform will be released regularly, and a mailing list for the users will be set up and supported by the consortium.
- Organisation of educational activities. As remarked above, we will transfer the results of AVANTSSAR into educational activities within industry, universities, workshops, working groups or standardisation organisations (e.g. AVANTSSAR workshops, theses, course materials, presentations at standardisation committees, invited short courses at visited universities, etc.). At least 3 such educational activities will be carried out, with the direct involvement of academic and industrial partners of the consortium.
- Organisation of the AVANTSSAR Technology Migration Workshop, presumably in the context of the ForTIA industrial interest group on formal methods mentioned above. This event is specifically targeted at service designers from industry and standardisation bodies; in it, the methods, techniques, tools, case studies, and success stories developed within the project will be publicly presented.

Additionally, the industrial partners in the consortium will use the results of the project (namely, the formal models of the services and the automated validation techniques and tools) in the design and development process of their products in order to reduce the security-related risk and thus contribute to the reduction of the total cost of ownership. The AVANTSSAR case studies will provide the test bed for the potential integration of the AVANTSSAR results into the companies' development environments and procedures.

OpenTrust.
The main strategic impact of AVANTSSAR is to improve the design of future versions of OpenTrust's global software platform OpenTrust by addressing new security aspects and validating their security. AVANTSSAR is a means to:

- validate the security obtained from the composition of the OpenTrust platform and the corresponding third party services,
- share the technical approach of OpenTrust with specialised research teams and other industrial companies,
- improve the skills of the OpenTrust R&D team in the techniques and tools for the automated security validation of services that will be developed in the project.

In order to guarantee a high level of security to its customers, OpenTrust obtained in January 2006 an EAL2+ Common Criteria certification of its software under the control of the French ICT security governmental agency (DCSSI). Nevertheless, the security issues of services within dematerialisation solutions are not addressed by any of the standards organisations. We are convinced that the usage of the AVANTSSAR techniques and tools will reinforce OpenTrust's competitiveness by dramatically raising the customers' trust in its software.

IBM. IBM is a large software and services company with particular strengths in middleware. Service-oriented architectures, and web services in particular, are a core area, e.g. in the IBM WebSphere brand and also as a services methodology. IBM has played a leading role in developing Web Services standards, and in particular Web Services security and policy standards and corresponding implementations. Furthermore, IBM is a provider of core security technologies, e.g. with the IBM Tivoli brand and with the IBM Internet Security Services (ISS) platform. With the increasing dynamics and configurability of these services and architectures, we perceive that tool support for the validation and ultimately verification of actually implemented or deployed versions will become a must at some point in the future. We envision that the AVANTSSAR results can play an important role in this. We will therefore investigate the feasibility of integrating validation with the AVANTSSAR platform into the deployment process of SOA services.
One crucial requirement for such an integration is that the validation tools have reached a sufficient level of maturity and scope. Secondly, as we cannot expect the end users to be experts in formal verification, it is necessary that the services and policies can be specified in a form used in the SOA community (such as the XACML standard), if necessary with the help of translators or extractors from such languages to the verification tools. Apart from this, the detailed timeline will depend on the development of the market, in particular on the speed of adoption of truly dynamic services.

As a specific dissemination target, IBM Zurich Research Laboratory is the developer of the identity mixer protocols, which provide strong authentication while protecting the privacy of the users. The identity mixer, which is used in the FP6 integrated project PRIME (Privacy and Identity Management for Europe), is a complex system based on innovative cryptographic methods developed at IBM. The formalisation and validation of the identity mixer within the AVANTSSAR project provides a complementary view to the cryptographic proofs of the security of the identity mixer conducted by IBM researchers so far. It is expected that the activities within AVANTSSAR yield a better understanding of the identity mixer at a more abstract level, which does not focus on the cryptography but on the interplay of all protocols and components of the system, possibly identifying weaknesses in the design of the identity mixer and thus contributing to the development and the quality of the system. Successful validation with AVANTSSAR will increase the confidence in the identity mixer and therefore contribute appreciably to the promotion of secure privacy technologies.

SAP. SAP is a major industrial driver of service-oriented architectures. SAP's Enterprise Service Architecture (ESA) and Business Process Platform (BPP) enable flexible business processes that can efficiently adapt to evolving business needs. ESA is a distributed software model within which all functionality is defined as independent Web services. It elevates the concept of web services design, management, and composition to an enterprise level that addresses enterprise business requirements. Through BPP, business requirements are captured through business process models that map to services. The model-based approach allows for easy adaptation of the enterprise software to changing business needs in a routine way. This paves the way to the vision of easy and open integration across enterprises and borders, leading to the support of fully virtualised organisations. Security is of utmost importance for the realisation of the enterprise services road map, and a key competitive factor. Services for trust and security will be part of the service landscape, and need to be flexibly combined according to changing security requirements and policies. Being able to rigorously demonstrate that a given set of services composed in a particular way meets security requirements and enforces the application security policies is crucial to increase customers' confidence and enable them to fully exploit the benefits of service orientation. Automating such validation is key, since it reduces the additional effort required and allows smooth integration into the existing development environment. The AVANTSSAR results provide the necessary qualities, and will contribute to advance the traceable security of both SAP's and independent vendors' service offerings beyond the current state of the art. The results will thus significantly add to the competitive advantage of the products of this industrial partner.

SIEMENS. Siemens is currently working on the design and development of tools for SW Distribution Services (for the realms of infrastructure control, automation, industrial production, medical equipment, power generation and transmission, and IT software), E-Government (concretely, Citizen Portals and Document Exchange Procedures), Health Telematics Infrastructure (in particular for the German e-health card), Patient Data Analysis, power transmission systems on electrical grids (including negotiation), and others. In all these examples, secure inter-working is absolutely necessary to prevent data from being tampered with or information from being leaked to untrusted parties.
A particular aspect of these examples is the dynamic character of the communication relations, trust assumptions, security requirements, and even of the business relations. But securely and dynamically composed services still pose unsolved problems. The AVANTSSAR results will be crucial to tackle these challenges in a verifiable way that will increase the competitive edge of the products of Siemens, raise and sustain the trust of customers and partners in the complex applications built by the company, and will prove adequate for higher-level Common Criteria evaluation.

Contributions to standards

There is considerable motivation in industry for standardising the basic constituents of the infrastructure for service interoperability over the Internet, since this avoids the development of proprietary, incompatible solutions and is considered to be the best approach to make long-term decisions and to achieve long product cycles. AVANTSSAR has the potential to provide the reference assessment technology for the validation of security services that have already been standardised or are undergoing standardisation. This potential can be realised by providing an effective tool with wide coverage that features push-button automation, which should increase the acceptance and dissemination of the approach. AVANTSSAR significantly contributes to the strong European position in the verification of security properties of security-critical systems, which in turn enables European industry to provide high-quality products and solutions with rigorously assessed properties. The contribution of AVANTSSAR to both the security verification community and the security services developers community, including key standardisation bodies (see below), will be supported by a broad spectrum of dissemination activities; for details, see the description of Workpackage 6 in Section WP 6. Moreover, the results obtained by AVANTSSAR can be immediately exploited in industry. For instance, SIEMENS has a substantial interest in supporting its standardisation work in IETF, OASIS, and other bodies by rigorously validating its proposals and thus increasing their acceptance. Previous experience (e.g. the UMTS authentication and key exchange protocol standardised by 3GPP, the H.530 authentication protocol for multimedia standardised at ITU, and the EAP authentication protocols standardisation at the IETF) showed that verification can be the key to ensuring correctness and therefore acceptance in standardisation. The automation provided by the AVANTSSAR approach will substantially reduce the effort involved, enabling formal analysis to be carried out as a routine, every-day activity, thus leading to a substantial increase in the quality of standardised solutions.

The main ideas to transfer the results of AVANTSSAR to standardisation will be (a) to propose individual secured services (time stamping, mail services, authentication services, notary services, etc., or their interfaces) resulting as solutions from our case studies to standardisation, and (b) to propose extensions to one or several standard languages, via an XML namespace identified by an AVANTSSAR URI reference, to describe the industrially-suited specification languages (ISSL, defined in WP 6) or ASLan (defined in WP 2) specific policies needed to automatically integrate Web Services with AVANTSSAR. Another possibility of linking and binding a Web Service to AVANTSSAR is via RDF or an ontology or rule language. The languages to be extended could be in particular WS-SX, WSBPEL, WS-CDL, WSDL, or WS-Agreement:

- WS-SX has three standards: WS-SecureConversation, WS-SecurityPolicy, and WS-Trust, and is defining the interoperability of the three. For instance, a requestor R gets a security token from an identity provider, subsequently uses the token to establish a secure conversation with a service S, and then R and S exchange messages in that secure conversation. This is done with one particular choice of tokens, security mechanisms, etc.
- WSBPEL and WS-CDL. The most important standardisation activity related to orchestration languages is undertaken by the OASIS Web Services Business Process Execution Language (WSBPEL) Technical Committee (home.php?wg abbrev=wsbpel). The standardisation of the Web Services Choreography Description Language (WS-CDL) is led by the Web Services Choreography Working Group. The most interesting problem with BPEL and WS-CDL is how to express security requirements and security goals at this level and how to enforce (implement) them.
- WSDL. The standardisation of the Web Services Description Language (WSDL), a core language tailored to describe Web services based on an abstract model of what the service offers, is being conducted by the Web Services Description Working Group. When describing how to access a service, it is also important to publish the policies that determine which security mechanisms the requestor must apply. This is an open issue today. In the new WSDL-2.0 (January 2006) the issue is left out of scope; the only syntactical means is to use secure-channel features, which are simply internationalised URLs (IRIs) without any semantics attached to them. After that, the requestor must find the intersection between this published policy and his own. This logical step is still missing and there is no tool support for it.
- WS-Agreement is a Web Services protocol for establishing an agreement between two parties, such as between a service provider and a consumer. In the case of security services, the service provider and the consumer must agree on trust assumptions, liability, revocation issues, etc. For example, suppose the service creates and provides keys that will be used for cryptographic purposes. Of course, those keys must have the expected entropy and they should not be guessable by an attacker. Moreover, the keys must be securely stored by the service provider. All of these are part of the trust agreement that the partners accept. Moreover, the consequences in case those assumptions are not met must also be subject to the agreement. If the service provider has used a bad random number generator for creating the keys, or has not protected the keys, he must provide some liability to the consumer of the service. All these topics are open issues today. Further information about WS-Agreement, as defined by the Global Grid Forum (GGF) working group Grid Resource Allocation Agreement Protocol (GRAAP), is available via graap-wg@ggf.org.
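The three-step WS-SX exchange sketched above (a token from the identity provider, a secure conversation established with that token, protected messages inside the conversation), as an added example that is not part of this proposal nor reference code of any of the named standards: a simplified Python model in which the identity provider and the service are assumed to share a long-term key, the token is a constructed JSON stand-in for the real XML security token, and HMAC-SHA256 stands in for the signature and derived-key mechanisms the standards negotiate. The `run_flow` driver also exercises the properties a validator of such a composition would want to hold: a forged or expired token is refused at conversation set-up, and a tampered or replayed message inside the conversation is rejected while the genuine message still goes through.

```python
import hashlib
import hmac
import json
import os


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _canon(obj: dict) -> bytes:
    # Deterministic serialisation so issuer and verifier MAC exactly the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _proof_key(service_key: bytes, token_id: str) -> bytes:
    # Holder-of-key proof secret (constructed scheme): issuer and service can both compute it.
    return _mac(service_key, b"proof:" + token_id.encode())


def _session_key(proof_key: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    # Both nonces enter the derivation, so neither side alone fixes the session key.
    return _mac(proof_key, b"derived:" + client_nonce + server_nonce)


class IdentityProvider:
    """Token issuer (the Security Token Service of WS-Trust), sharing a key with the service."""

    def __init__(self, service_key: bytes, lifetime_s: int = 300):
        self._key, self._lifetime = service_key, lifetime_s

    def issue(self, subject: str, now: float):
        claims = {"id": os.urandom(8).hex(), "sub": subject, "exp": now + self._lifetime}
        token = {"claims": claims, "sig": _mac(self._key, _canon(claims)).hex()}
        # The proof key reaches the requestor over the issuance channel, assumed secure here.
        return token, _proof_key(self._key, claims["id"])


class Service:
    """Relying service S: validates the token, then runs the secure conversation."""

    def __init__(self, service_key: bytes):
        self._key = service_key
        self._sessions = {}  # context id -> [session key, last accepted sequence number]

    def establish(self, token: dict, client_nonce: bytes, now: float):
        claims = token["claims"]
        if not hmac.compare_digest(_mac(self._key, _canon(claims)).hex(), token["sig"]):
            raise ValueError("token signature invalid")
        if claims["exp"] <= now:
            raise ValueError("token expired")
        ctx, server_nonce = os.urandom(8).hex(), os.urandom(16)
        key = _session_key(_proof_key(self._key, claims["id"]), client_nonce, server_nonce)
        self._sessions[ctx] = [key, 0]
        return ctx, server_nonce

    def receive(self, env: dict) -> bytes:
        key, last_seq = self._sessions[env["ctx"]]
        if env["seq"] <= last_seq:  # strictly increasing sequence numbers defeat replay
            raise ValueError("replayed or out-of-order message")
        expected = _mac(key, f"{env['ctx']}:{env['seq']}:".encode() + env["body"])
        if not hmac.compare_digest(expected, env["tag"]):
            raise ValueError("message authentication failed")
        self._sessions[env["ctx"]][1] = env["seq"]
        return b"ack:" + env["body"]


class Requestor:
    """Requestor R: holds the token and its proof key, MACs every message it sends."""

    def __init__(self, token: dict, proof_key: bytes):
        self._token, self._proof_key, self._seq = token, proof_key, 0

    def connect(self, service: Service, now: float) -> None:
        client_nonce = os.urandom(16)
        self._ctx, server_nonce = service.establish(self._token, client_nonce, now)
        self._key = _session_key(self._proof_key, client_nonce, server_nonce)

    def send(self, body: bytes) -> dict:
        self._seq += 1
        tag = _mac(self._key, f"{self._ctx}:{self._seq}:".encode() + body)
        return {"ctx": self._ctx, "seq": self._seq, "body": body, "tag": tag}


def _rejected(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def run_flow() -> dict:
    """Runs the three steps on constructed inputs and records which misuse attempts are refused."""
    service_key, now = os.urandom(32), 1_000_000.0
    idp, service = IdentityProvider(service_key), Service(service_key)
    token, proof_key = idp.issue("alice", now)
    alice = Requestor(token, proof_key)
    alice.connect(service, now)
    first, second = alice.send(b"order#42"), alice.send(b"order#43")
    results = {"reply": service.receive(first)}
    results["tamper_rejected"] = _rejected(service.receive, dict(second, body=b"order#99"))
    results["replay_rejected"] = _rejected(service.receive, first)
    results["second_reply"] = service.receive(second)  # the genuine message still goes through
    forged = {"claims": dict(token["claims"], sub="mallory"), "sig": token["sig"]}
    results["forged_rejected"] = _rejected(Requestor(forged, proof_key).connect, service, now)
    results["expired_rejected"] = _rejected(Requestor(token, proof_key).connect, service, now + 600)
    return results
```

The model deliberately keeps the three roles separate so that each check sits where the standards place it: token signature and lifetime are checked by the service at conversation set-up, while integrity and freshness of individual messages are checked per message under the derived session key. Those are exactly the kinds of properties (authentication of R to S, integrity and replay protection within the conversation) that a tool-based validation of a concrete WS-SX composition would be asked to confirm.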

B4 Ethical Issues

The project's subject does not raise any ethical issues that are subject to any national or international regulations. None of the AVANTSSAR case studies or technical results will use or make public any data or content that might raise ethical or privacy issues. More precisely, in the context of our case studies (including the ones emerging from the e-health application area), we will not involve any volunteers in experiments and the like, and we will use realistic (but not real) user data without violating any citizen's personal and private dimension.

Although the criteria for a person's participation in the AVANTSSAR project will not be gender, nationality, race or colour, we are fully aware of the under-representation of women in European research and in the ICT domain at the international level, and of the exemplary role women in top positions might have in attracting more female researchers into scientific and industrial research. Therefore the AVANTSSAR project will promote the participation of women in the project, and their capabilities, skills, expertise, experience, and qualifications will be encouraged in order to provide opportunities for young women scientists at the start of their careers to work alongside experienced scientists. All the project partners are equal opportunities employers with excellent track records: women's participation in research is consolidated among the AVANTSSAR consortium, and the key staff of the partners already comprise Dr. Alessandra Di Pierro (UNIVR), Dr. Birgit Pfitzmann (IBM), Nathalie Jolly (OpenTrust), and Dr. Monika Maidl (SIEMENS). Moreover, all project partners are committed to implementing equal opportunities policies in relation with their human resources departments, and one of the roles of the Project Coordination Committee, overseen by the Project Coordinator, will be to ensure that women are informed about the goals and opportunities in the project and are involved at all levels. The AVANTSSAR project will contribute in this way to helping women gain recognition in their scientific careers.

Table 12: Ethical Issues Table

                                                                                YES   PAGE
Informed Consent
  Does the proposal involve children?
  Does the proposal involve patients or persons not able to give consent?
  Does the proposal involve adult healthy volunteers?
  Does the proposal involve Human Genetic Material?
  Does the proposal involve Human biological samples?
  Does the proposal involve Human data collection?
Research on Human embryo/foetus
  Does the proposal involve Human Embryos?
  Does the proposal involve Human Foetal Tissue / Cells?
  Does the proposal involve Human Embryonic Stem Cells?
Privacy
  Does the proposal involve processing of genetic information or personal data
  (e.g. health, sexual lifestyle, ethnicity, political opinion, religious or
  philosophical conviction)?
  Does the proposal involve tracking the location or observation of people?
Research on Animals
  Does the proposal involve research on animals?
  Are those animals transgenic small laboratory animals?
  Are those animals transgenic farm animals?
  Are those animals cloned farm animals?
  Are those animals non-human primates?
Research Involving Developing Countries
  Use of local resources (genetic, animal, plant etc)
  Benefit to local community (capacity building i.e. access to healthcare, education etc)
Dual Use
  Research having direct military application
  Research having the potential for terrorist abuse
ICT Implants
  Does the proposal involve clinical trials of ICT implants?

I CONFIRM THAT NONE OF THE ABOVE ISSUES APPLY TO MY PROPOSAL

126 FP7-ICT October 17, 2007 AVANTSSAR, project no References 1. M. Abadi and C. Fournet. Private authentication. Theoretical Computer Science, 322(3): , A. Abou El Kalam, R. El Baida, P. Balbiani, S. Benferhat, F. Cuppens, Y. Deswarte, A. Miège, C. Saurel, and G. Trouessin. Organization based access control. In Policy [194]. 3. R. Accorsi, D. Basin, and L. Viganò. Towards an awareness-based semantics for security protocol analysis. In J. Goubault-Larrecq, editor, Electronic Notes in Theoretical Computer Science, volume 55. Elsevier Science Publishers, R. Accorsi, D. Basin, and L. Viganò. Modal specifications of trace-based security properties. In Proceedings of the Second International Workshop on Security of Mobile Multiagent Systems (SEMAS-2002), pages Research Report DFKI-RR-02-03, DFKI Kaiserslautern/Saarbrücken, Germany, P. Adao, P. Mateus, T. Reis, and L. Viganò. Towards a Quantitative Analysis of Security Protocols. ENTCS 155, 164(3):3 25, A. Aldini and A. Di Pierro. On Quantitative Analysis of Probabilistic Protocols. ENTCS 112, A. Aldini and A. Di Pierro. Noninterference and the most powerful probabilistic adversary. In Proceedings of WITS 06, G. Alonso, F. Casati, H. Kuno, and V. Machiraju. Web services: Concepts, Architectures and Applications. Springer-Verlag, S. Andova, C. Cremers, K. Gjøsteen, S. Mauw, S. Mjølsnes, and S. Radomirović. Sufficient conditions for composing security protocols, In preparation. 10. A. Armando, D. Basin, M. Bouallagui, Y. Chevalier, L. Compagna, S. Mödersheim, M. Rusinowitch, M. Turuani, L. Viganò, and L. Vigneron. The AVISS Security Protocol Analysis Tool. In Proceedings of CAV 02, LNCS 2404, pages Springer-Verlag, URL of the AVISS and AVISPA projects: A. Armando, D. A. Basin, Y. Boichut, Y. Chevalier, L. Compagna, J. Cuéllar, P. H. Drielsma, P.-C. Héam, O. Kouchnarenko, J. Mantovani, S. Mödersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Viganò, and L. Vigneron. 
The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. In K. Etessami and S. K. Rajamani, editors, CAV, volume 3576 of Lecture Notes in Computer Science, pages Springer, A. Armando, M. Benerecetti, and J. Mantovani. Model checking linear programs with arrays. Electr. Notes Theor. Comput. Sci., 144(3):79 94, A. Armando, M. Benerecetti, and J. Mantovani. Abstraction refinement of linear programs with arrays. In Proceedings of the 13th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 07), March 24-April 1, 2007, Braga, Portugal, volume 4424 of Lecture Notes in Computer Science, pages Springer Verlag, A. Armando, M. P. Bonacina, S. Ranise, and S. Schulz. On a rewriting approach to satisfiability procedures: Extension, combination of theories and an experimental appraisal. In B. Gramlich, editor, FroCos, volume 3717 of Lecture Notes in Computer Science, pages Springer, A. Armando, R. Carbone, and L. Compagna. LTL model checking for security protocols. In Proceedings of the 20th IEEE Computer Security Foundations Symposium (CSF20), July 6-8, 2007, Venice, Italy, LNCS. Springer Verlag, A. Armando, C. Castellini, and E. Giunchiglia. SAT-Based Procedures for Temporal Reasoning. In Proceedings of 5th European Conference on Planning (ECP-99), LNAI, pages , Berlin, Springer Verlag. 17. A. Armando, C. Castellini, E. Giunchiglia, and M. Maratea. The SAT-based approach to separation logic. Journal of Automated Reasoning, pages 1 27, A. Armando, C. Castellini, and J. Mantovani. Software model checking using linear constraints. In J. Davies, W. Schulte, and M. Barnett, editors, ICFEM, volume 3308 of Lecture Notes in Computer Science, pages Springer, 2004.

127 FP7-ICT October 17, 2007 AVANTSSAR, project no A. Armando and L. Compagna. Automatic SAT-Compilation of Protocol Insecurity Problems via Reduction to Planning. In Proceedings of FORTE 2002, LNCS 2529, pages Springer-Verlag, A. Armando and L. Compagna. Sat-based model-checking for security protocols analysis. International Journal of Information Security (to appear), A. Armando and L. Compagna. SAT-based model-checking for security protocols analysis. To appear on the International Journal of Information Security, A. Armando, L. Compagna, and P. Ganty. SAT-based Model-Checking of Security Protocols using Planning Graph Analysis. In Proceedings of FME 2003, LNCS Springer-Verlag, A. Armando and E. Giunchiglia. Embedding Complex Decision Procedures inside an Interactive Theorem Prover. Annals of Mathematics and Artificial Intelligence, 8: , A. Armando, J. Mantovani, and L. Platania. Bounded Model Checking of Software using SMT Solvers instead of SAT Solvers. In A. Valmari, editor, Proceedings of Spin06, International Workshop on Model Checking of Software, volume 3925 of Lecture Notes in Computer Science, pages Springer Verlag, A. Armando and S. Ranise. A Practical Extension Mechanism for Decision Procedures. In 4th Workshop on Tools for System Design and Verification (FM-TOOLS 2000), pages 53 57, Reisenburg Castle, Germany, July Extended version to appear on the Journal of Universal Computer Science. 26. A. Armando and S. Ranise. Termination of Constraint Contextual Rewriting. In H. Kirchner and C. Ringeissen, editors, 3rd International Workshop on Frontiers of Combining Systems (FroCoS 2000), LNCS 1794, pages 47 61, Berlin, Springer-Verlag. 27. A. Armando, S. Ranise, and M. Rusinowitch. A rewriting approach to satisfiability procedures. Information and Computation, to appear. 28. A. Armando, A. Smaill, and I. Green. Automatic Synthesis of Recursive Programs: The Proof-Planning Paradigm. Automated Software Engineering, 6(4): , A. Arnold, A. Vincent, and I. 
Walukiewicz. Games for synthesis of controllers with partial observation. Theoretical Computer Science, 303(1):7 34, June Automated Validation of Internet Security Protocols and Applications. URL: org/. 31. Automated Verification of Infinite State Systems. URL: L. Bachmair, I. V. Ramakrishnan, A. Tiwari, and L. Vigneron. Congruence Closure modulo Associativity- Commutativity. In H. Kirchner and C. Ringeissen, editors, 3rd International Workshop on Frontiers of Combining Systems (FroCoS 2000), LNCS 1794, pages , Berlin, Springer Verlag. 33. M. Backes, A. Datta, A. Derek, J. C. Mitchell, and M. Turuani. Compositional Analysis of Contract Signing Protocols. Theoretical Computer Science, 4098, To appear. 34. M. Backes and T. Groß. Tailoring the dolev-yao abstraction to web service realities. In ACM Secure Web Services Workshop (SWS), pages 65 74, M. Backes, S. Mödersheim, B. Pfitzmann, and L. Viganò. Symbolic and Cryptographic Analysis of the Secure WS-ReliableMessaging Scenario. In Proceedings of FOSSACS 06, LNCS 3921, pages Springer, M. Backes and B. Pfitzmann. Relating symbolic and cryptographic secrecy. In IEEE Symposium on Security and Privacy, M. Backes, B. Pfitzmann, and M. Schunter. A toolkit for managing enterprise privacy policies. In 8th European Symposium on Research in Computer Security (ESORICS 2003), LNCS 2808, M. Backes, B. Pfitzmann, and M. Waidner. Symmetric authentication within a simulatable cryptographic library. International Journal of Information Security (IJIS), 4(3): , P. Balbiani. Constitution et développement d une logique de modalités aléthiques, déontiques, dynamiques et temporelles en vue de la formalisation du raisonnement sur les actions et sur les normes. In Actes des Troisièmes Journées Francophones Modèles Formels de l Interaction (MFI 05), pages 23 34, May 2005.

P. Balbiani and F. Cheikh. Safety problems in access control with temporal constraints. In V. Gorodetsky, I. Kotenko, and V. A. Skormin, editors, MMM-ACNS, volume 3685 of Lecture Notes in Computer Science, pages Springer,
P. Balbiani, Y. Chevalier, and M. Kourjieh. Reasoning on actions and obligations. available at easychair.org/floc-06/fcs-arspa06.pdf.
42. D. Basin. Lazy infinite-state analysis of security protocols. In Proceedings of CQRE 99, LNCS 1740, pages Springer-Verlag,
D. Basin and G. Denker. Maude versus Haskell: an Experimental Comparison in Security Protocol Analysis. In K. Futatsugi, editor, Electronic Notes in Theoretical Computer Science, volume 36. Elsevier Science Publishers,
44. D. Basin, J. Doser, and T. Lodderstedt. Model Driven Security: from UML Models to Access Control Infrastructures. ACM Transactions on Software Engineering and Methodology, to appear.
45. D. Basin, S. Friedrich, M. Gawkowski, and J. Posegga. Bytecode Model Checking: An Experimental Analysis. In D. Bosnacki and S. Leue, editors, Model Checking Software, 9th International SPIN Workshop, volume 2318 of LNCS, pages 42-59, Grenoble, France, April Springer-Verlag.
46. D. Basin, S. Friedrich, J. Posegga, and H. Vogt. Java Byte Code Verification by Model Checking. In 11th International Conference on Computer-Aided Verification (CAV 99), LNCS 1633, pages , Berlin, Springer-Verlag.
47. D. Basin, H. Kuruma, K. Takaragi, and B. Wolff. Specifying and verifying hysteresis signature system with hol-z. Technical Report 471, Department of Computer Science, ETH Zürich,
D. Basin, S. Mödersheim, and L. Viganò. An On-The-Fly Model-Checker for Security Protocol Analysis. In E. Snekkenes and D. Gollmann, editors, Proceedings of ESORICS 03, LNCS 2808, pages Springer-Verlag, Available at
D. Basin, S. Mödersheim, and L. Viganò. Constraint Differentiation: A New Reduction Technique for Constraint-Based Analysis of Security Protocols. In V. Atluri and P. Liu, editors, Proceedings of CCS 03, pages ACM Press,
D. Basin, S. Mödersheim, and L. Viganò. Algebraic intruder deductions. In Proceedings of LPAR 05, LNAI 3835, pages Springer,
D. Basin, S. Mödersheim, and L. Viganò. OFMC: A symbolic model checker for security protocols. International Journal of Information Security, 4(3): ,
D. Basin, F. Rittinger, and L. Viganò. A Formal Analysis of the CORBA Security Service. In D. Bert, J. P. Bowen, M. C. Henson, and K. Robinson, editors, ZB 2002: Formal Specification and Development in Z and B, LNCS 2272, pages Springer-Verlag, Heidelberg,
D. Beauquier, M. Duflot, and M. Minea. A probabilistic property-specific approach to information flow. In Mathematical Methods, Models, and Architectures for Computer Network Security. 3rd International Workshop, volume 3685 of LNCS, pages Springer,
B. Benatallah, F. Casati, J. Ponge, and F. Toumani. On temporal abstractions of web service protocols. In O. Belo, J. Eder, J. F. e Cunha, and O. Pastor, editors, CAiSE Short Paper Proceedings, volume 161 of CEUR Workshop Proceedings. CEUR-WS.org,
D. Berardi. Automatic Service Composition. Models, Techniques and Tools. PhD thesis, Università La Sapienza, Roma,
D. Berardi, D. Calvanese, G. De Giacomo, R. Hull, and M. Mecella. Automatic Composition of Transition-based semantic Web Services with Messaging. In Proc. 31st Int. Conf. Very Large Data Bases, VLDB 2005, pages ,
D. Berardi, D. Calvanese, G. De Giacomo, M. Lenzerini, and M. Mecella. Automatic Composition of e-services that export their Behavior. In Proc. 1st Int. Conf. on Service Oriented Computing, ICSOC 2003, volume 2910, 2003.

D. Berardi, D. Calvanese, G. D. Giacomo, M. Lenzerini, and M. Mecella. Automatic composition of e-services that export their behavior. In Service-Oriented Computing - ICSOC 2003, First International Conference, Trento, Italy, December 15-18, 2003, Proceedings, volume 2910 of Lecture Notes in Computer Science, pages Springer,
E. Bertino, J. Crampton, and F. Paci. Access control and authorization constraints for ws-bpel. In ICWS,
E. Bertino, E. Ferrari, and A. C. Squicciarini. Trust-x: A peer-to-peer framework for trust establishment. IEEE Transactions on Knowledge and Data Engineering, 16(7): ,
E. Bertino and L. Martino. Security in soa and web services. In IEEE International Conference on Services Computing (SCC 06),
C. Bettini, S. Jajodia, X. S. Wang, and D. Wijesekera. Provisions and obligations in policy rule management. J. Network Syst. Manage., 11(3),
D. Beyer, A. Chakrabarti, and T. A. Henzinger. Web service interfaces. In A. Ellis and T. Hagino, editors, WWW, pages ACM,
K. Bhargavan, R. Corin, C. Fournet, and A. D. Gordon. Secure sessions for web services. ACM Transactions on Information and System Security (TISSEC), To appear.
65. K. Bhargavan, C. Fournet, and A. D. Gordon. A semantics for web services authentication. In N. D. Jones and X. Leroy, editors, Proceedings of the 31st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2004, Venice, Italy, January 14-16, 2004, pages ACM Press,
K. Bhargavan, C. Fournet, and A. D. Gordon. Verifying policy-based security for web services. In 11th ACM Conference on Computer and Communications Security (CCS 04), pages , Oct
K. Bhargavan, C. Fournet, A. D. Gordon, and R. Pucella. Tulafale: A security tool for web services. In F. S. de Boer, M. M. Bonsangue, S. Graf, and W. P. de Roever, editors, Formal Methods for Components and Objects, Second International Symposium, FMCO 2003, Leiden, The Netherlands, November 4-7, 2003, Revised Lectures, volume 3188 of Lecture Notes in Computer Science, pages Springer,
K. Bhargavan, C. Fournet, A. D. Gordon, and S. Tse. Verified interoperable implementations of security protocols. In 19th IEEE Computer Security Foundations Workshop (CSFW 06), pages IEEE Computer Society, June
B. Blanchet. An efficient cryptographic protocol verifier based on prolog rules. In Proceedings of CSFW 01, pages IEEE Computer Society Press,
B. Blanchet. Automatic verification of cryptographic protocols: a logic programming approach. In PPDP, pages 1-3. ACM,
71. B. Blanchet. A computationally sound mechanized prover for security protocols. IEEE Transactions on Dependable and Secure Computing, 2007, to appear.
72. L. Bloch, C. Wolfhugel, N. Makarevitch, C. Queinnec, and H. Schauer. Securite Informatique. Eyrolles Edition,
Y. Boichut, P.-C. Héam, and O. Kouchnarenko. Handling Algebraic Properties in Automatic Analysis of Security Protocols. In 3rd International Colloquium on Theoretical Aspects of Computing, ICTAC, volume 4281 of Lecture Notes in Computer Science, pages , Tunis, Tunisia, November
74. Y. Boichut, P.-C. Heam, O. Kouchnarenko, and F. Oehl. Improvements on the Genet and Klay Technique to Automatically Verify Security Protocols. In Proc. Int. Workshop on Automated Verification of Infinite-State Systems (AVIS 2004), joint to ETAPS 04, pages 1-11, Barcelona, Spain, The final version will be published in EN in Theoretical Computer Science, Elsevier.
75. P. Bonatti and P. Samarati. A unified framework for regulating access and information release on the web. Journal of Computer Security, 10(3): ,
M. S. Bouassida, N. Chridi, I. Chrisment, O. Festor, and L. Vigneron. Automatic Verification of a Key Management Architecture for Hierarchical Group Protocols. In F. Cuppens and H. Debar, editors, Proceedings of 5th Conference on Security and Network Architectures (SAR), pages , Seignosse, France, June 2006.

A. Bouhoula and M. Rusinowitch. Observational Proofs by Rewriting. Theoretical Computer Science, 275(1-2): ,
L. Bozga, Y. Lakhnech, and M. Perin. Pattern-based abstraction for verifying secrecy in protocols. In Proceedings of TACAS 2003, LNCS Springer-Verlag,
P. Broadfoot, G. Lowe, and A. Roscoe. Automating data independence. In Proceedings of Esorics 2000, LNCS 1895, pages Springer-Verlag,
G. Brose. Securing web services with soap security proxies. In Proceedings of the International Conference on Web Services, ICWS 03, June 23-26, 2003, Las Vegas, Nevada, USA, pages CSREA Press,
A. Bundy, D. Basin, D. Hutter, and A. Ireland. Rippling: Meta-level Guidance for Mathematical Reasoning. Cambridge Tracts in Theoretical Computer Science (No. 56). Cambridge University Press,
C. Caleiro, L. Viganò, and D. Basin. Towards a metalogic for security protocol analysis. In Proc. Workshop on the Combination of Logics: Theory and Applications (Comblog 04). Instituto Superior Técnico, Lisbon,
C. Caleiro, L. Viganò, and D. Basin. Deconstructing Alice and Bob. Electronic Notes in Theoretical Computer Science 135(1):3-22 (Proceedings of the Second Workshop on Automated Reasoning for Security Protocol Analysis, ARSPA 2005),
C. Caleiro, L. Viganò, and D. Basin. Metareasoning about security protocols using distributed temporal logic. Electronic Notes in Theoretical Computer Science (Proceedings of the Workshop on Automated Reasoning for Security Protocol Analysis, ARSPA 2004), 125(1):67-89,
C. Caleiro, L. Viganò, and D. Basin. Relating strand spaces and distributed temporal logic for security protocol analysis. Logic Journal of the IGPL, 13(6): ,
C. Caleiro, L. Viganò, and D. Basin. On the semantics of alice&bob specifications of security protocols. Theoretical Computer Science, 367(1-2):88-122,
J. Camenisch, A. Shelat, D. Sommer, S. Fischer-Hübner, M. Hansen, H. Krasemann, G. Lacoste, R. Leenes, and J. Tseng. Privacy and identity management for everyone. In ACM DIM,
J. Camenisch and E. van Herreweghen. Design and implementation of the idemix anonymous credential system. In ACM Computer and Communication Security,
Common Criteria for Information Technology Security Evaluation (CC). ISO/IEC 15408, commoncriteriaportal.org/.
90. F. Cheikh, G. D. Giacomo, and M. Mecella. Automatic web services composition in trustaware communities. In SWS 06: Proceedings of the 3rd ACM workshop on Secure web services, pages 43-52, New York, NY, USA, ACM Press.
91. Y. Chevalier, L. Compagna, J. Cuellar, P. Hankes Drielsma, J. Mantovani, S. Mödersheim, and L. Vigneron. A high level protocol specification language for industrial security-sensitive protocols. In Proceedings of Workshop on Specification and Automated Processing of Security Requirements (SAPS), Linz, Austria, September (13 pages).
92. Y. Chevalier, R. Küsters, M. Rusinowitch, and M. Turuani. An NP Decision Procedure for Protocol Insecurity with XOR. In Proceedings of the Logic In Computer Science Conference, LICS 03, pages , Available at
Y. Chevalier, R. Küsters, M. Rusinowitch, and M. Turuani. Deciding the Security of Protocols with Diffie-Hellman Exponentiation and Products in Exponents. In Proceedings of the Foundations of Software Technology and Theoretical Computer Science, FST TCS 03, LNCS Springer-Verlag, Available at avispa-project.org.
94. Y. Chevalier, R. Küsters, M. Rusinowitch, and M. Turuani. Deciding the Security of Protocols with Commuting Public Key Encryption. In Workshop on Automated Reasoning for Security Protocol Analysis - ARSPA 2004, Electronic Notes in Theoretical Computer Science - ENTCS, Cork, Ireland, Jul
Y. Chevalier, R. Küsters, M. Rusinowitch, M. Turuani, and L. Vigneron. Deciding the Security of Protocols with Diffie-Hellman Exponentiation and Products in Exponents. In Proceedings of FSTTCS 2003, Lecture Notes in Computer Science. Springer-Verlag, 2003.

Y. Chevalier, R. Küsters, M. Rusinowitch, M. Turuani, and L. Vigneron. Extending the Dolev-Yao Intruder for Analyzing an Unbounded Number of Sessions. In M. Baaz, editor, Computer Science Logic (CSL 03) and 8th Kurt Gödel Colloquium (8th KCG), volume 2803 of Lecture Notes in Computer Science, Vienna, Austria, August Springer. Available at
Y. Chevalier, R. Küsters, M. Rusinowitch, and M. Turuani. An NP Decision Procedure for Protocol Insecurity with XOR. Theoretical Computer Science, 338(1-3): , June
Y. Chevalier, D. Lugiez, and M. Rusinowitch. Towards an automatic analysis of web service security. Technical Report XXX, INRIA, Feb copy cannot be found!
99. Y. Chevalier and M. Rusinowitch. Combining intruder theories. In L. Caires, G. F. Italiano, L. Monteiro, C. Palamidessi, and M. Yung, editors, ICALP, volume 3580 of Lecture Notes in Computer Science, pages Springer,
Y. Chevalier and M. Rusinowitch. Hierarchical combination of intruder theories. In F. Pfenning, editor, Proceedings of 17th International Conference, RTA 2006, volume 4098 of Lecture Notes in Computer Science, pages , Seattle (WA), August Springer
Y. Chevalier and L. Vigneron. A Tool for Lazy Verification of Security Protocols. In Proceedings of ASE 01. IEEE Computer Society Press,
Y. Chevalier and L. Vigneron. Towards Efficient Automated Verification of Security Protocols. In Proceedings of the Verification Workshop (VERIFY 01) (in connection with IJCAR 01), Università degli studi di Siena, TR DII 08/01, pages 19-33,
Y. Chevalier and L. Vigneron. Automated Unbounded Verification of Security Protocols. In Proceedings of CAV 2002, LNCS 2404, pages Springer,
Y. Chevalier and L. Vigneron. Automated Unbounded Verification of Security Protocols. In E. Brinksma and K. Guldstrand Larsen, editors, 14th International Conference on Computer Aided Verification, CAV 2002, volume 2404 of Lecture Notes in Computer Science, pages , Copenhagen (Denmark), July Springer
Y. Chevalier and L. Vigneron. Rule-based Programs describing Internet Security Protocols. In S. Abdennadher and C. Ringeissen, editors, 5th Int. Workshop on Rule-Based Programming (RULE), Aachen, Germany, June
Y. Chevalier and L. Vigneron. Strategy for Verifying Security Protocols with Unbounded Message Size. Journal of Automated Software Engineering, 11(2): , April
E. M. Clarke, O. Grumberg, M. Minea, and D. Peled. State space reduction using partial order techniques. Software Tools for Technology Transfer, 2(3): ,
H. Comon, P. Narendran, R. Nieuwenhuis, and M. Rusinowitch. Decision Problems in Ordered Rewriting. In V. Pratt, editor, Proceedings 13th IEEE Symposium on Logic in Computer Science, pages , Los Alamitos, CA, IEEE Computer Society Press
H. Comon, P. Narendran, R. Nieuwenhuis, and M. Rusinowitch. Deciding the Confluence of Ordered Term Rewrite Systems. ACM Transactions on Computational Logic, 4(1):33-55, January
H. Comon-Lundh and S. Delaune. The finite variant property: How to get rid of some algebraic properties. In Giesl [132], pages
V. Cortier and B. Warinschi. Computationally Sound, Automated Proofs for Security Protocols. In Proc. 14th European Symposium on Programming (ESOP 05), volume 3444 of Lecture Notes in Computer Science, pages , Edinburgh, U.K, April Springer
C. Cremers. Compositionality of security protocols: a research agenda. VODCA 2004 ENTCS, 142(3):99-110,
C. Cremers. Feasibility of multi-protocol attacks. In Proc. of the first international conference on availability, reliability and security (ARES). IEEE Computer Society Press,
C. Cremers. Scyther - Semantics and Verification of Security Protocols. Ph.D. dissertation, Eindhoven University of Technology, 2006.

S. Dal-Zilio and D. Lugiez. Xml schema, tree logic and sheaves automata. In R. Nieuwenhuis, editor, RTA, volume 2706 of Lecture Notes in Computer Science, pages Springer,
N. Damianou, N. Dulay, E. Lupu, and M. Sloman. The ponder policy specification language. In M. Sloman, J. Lobo, and E. Lupu, editors, POLICY, volume 1995 of Lecture Notes in Computer Science, pages Springer,
A. Datta, A. Derek, J. C. Mitchell, and D. Pavlovic. Abstraction and refinement in protocol derivation. In 17th IEEE Computer Security Foundations Workshop, (CSFW ), June 2004, Pacific Grove, CA, USA, pages 30. IEEE Computer Society,
S. Delaune and F. Jacquemard. A decision procedure for the verification of security protocols with explicit destructors. In V. Atluri, B. Pfitzmann, and P. D. McDaniel, editors, ACM Conference on Computer and Communications Security, pages ACM,
M. Deubler, J. Grünbauer, J. Jürjens, and G. Wimmel. Sound development of secure service-based systems. In M. Aiello, M. Aoyama, F. Curbera, and M. P. Papazoglou, editors, Service-Oriented Computing - ICSOC 2004, Second International Conference, New York, NY, USA, November 15-19, 2004, Proceedings, pages ACM Press,
A. Di Pierro, C. Hankin, and H. Wiklicky. Approximate non-interference. Journal of Functional Programming, 12(1):37-81,
A. Di Pierro, C. Hankin, and H. Wiklicky. Quantitative static analysis of distributed systems. Journal of Functional Programming, 15(5):1-47,
D. Dolev and A. Yao. On the Security of Public-Key Protocols. IEEE Transactions on Information Theory, 2(29),
B. Donovan, P. Norris, and G. Lowe. Analyzing a Library of Security Protocols using Casper and FDR. In Proceedings of the Workshop on Formal Methods and Security Protocols,
N. Durgin, J. Mitchell, and D. Pavlovic. A compositional logic for protocol correctness. In Proceedings of the 14th IEEE Computer Security Foundations Workshop: CSFW 01, pages IEEE Computer Society Press, New York, June
J. Elmqvist, S. Nadjm-Tehrani, and M. Minea. Safety interfaces for component-based systems. In Computer Safety, Reliability, and Security, 24th International Conference, volume 3688 of LNCS, pages Springer,
ERCIM European Research Consortium in Informatics and Mathematics. URL: URL of the Working Group on Security and Trust Management:
European Commission. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Journal of the European Communities of 23 November 1995, L(281):31, privacy/eudirective/eu Directive.html
G. Feuillade and S. Pinchinat. Modal Specifications for the Control Theory of Discrete Events Systems. Discrete Event Dynamic Systems, 17: , June
K. Fischer and V. Lotz. Authorization and Delegation of Privileges in Mobile Agent Systems. Informatik-Forum, 2,
X. Fu, T. Bultan, and J. Su. Analysis of interacting bpel web services. In WWW 04: Proceedings of the 13th international conference on World Wide Web, pages ACM Press,
T. Genet and F. Klay. Rewriting for cryptographic protocol verification. In Proceedings of CADE 00, LNCS 1831, pages Springer-Verlag,
J. Giesl, editor. Term Rewriting and Applications, 16th International Conference, RTA 2005, Nara, Japan, April 19-21, 2005, Proceedings, volume 3467 of Lecture Notes in Computer Science. Springer,
E. Giunchiglia, A. Armando, and P. Pecchiari. Structured Proof Procedures. Annals of Mathematics and Artificial Intelligence, 15(I):1-18, 1995.

V. D. Gligor. Security of Emergent Properties in Ad-Hoc Networks. In Proceedings of the 12th International Security Protocols Workshop, LNCS Springer,
V. D. Gligor and S. Gavrila. Application-Oriented Security Policies and Their Composition. In Proceedings of the 1999 International Security Protocols Workshop, LNCS 1550, pages Springer,
A. D. Gordon and R. Pucella. Validating a web service security abstraction by typing. In XMLSEC 02: Proceedings of the 2002 ACM workshop on XML security, pages ACM Press,
N. Gruschka, M. Jensen, and N. Luttenberger. A stateful web service firewall for bpel. In 2007 IEEE International Conference on Web Services (ICWS 2007), July 9-13, 2007, Salt Lake City, Utah, USA, pages IEEE Computer Society,
N. Gruschka, N. Luttenberger, and R. Herkenhöner. Event-based soap message validation for ws-securitypolicy-enriched web services. In Proceedings of the 2006 International Conference on Semantic Web & Web Services, SWWS 2006, Las Vegas, Nevada, USA, June 26-29, 2006, pages 80-86,
C. Gutiérrez, E. Fernández-Medina, and M. Piattini. A survey of web services security. In A. Laganà, M. L. Gavrilova, V. Kumar, Y. Mun, C. J. K. Tan, and O. Gervasi, editors, Proceedings of ICCSA 2004, LNCS 3043, pages Springer,
J. Haller, Y. Karabulut, and P. Robinson. Integrating a Unifying Trust Management Approach into Dynamic Virtual Organizations. In echallenges,
P. Hankes Drielsma and S. Mödersheim. The ASW protocol revisited: A unified view. In Proceedings of the IJCAR04 Workshop ARSPA, To appear in ENTCS, available at
P. Hankes Drielsma and S. Mödersheim. The ASW Protocol Revisited: A Unified View. In Proceedings of the Workshop on Automated Reasoning for Security Protocol Analysis (ARSPA 2004), pages Electronic Notes in Theoretical Computer Science 125,
P. Hankes Drielsma, S. Mödersheim, and L. Viganò. A formalization of off-line guessing for security protocol analysis. In Proceedings of LPAR 04, LNAI 3452, pages Springer,
P. Hankes Drielsma, S. Mödersheim, L. Viganò, and D. Basin. Formalizing and Analyzing Sender Invariance. In Proceedings of FAST 2006, LNCS. Springer, to appear
M. Hennessy, M. Merro, and J. Rathke. Towards a behavioural theory of access and mobility control in distributed systems. Theoretical Computer Science, 322(3): ,
T. A. Henzinger, M. Minea, and V. Prabhu. Assume-guarantee reasoning for hierarchical hybrid systems. In Hybrid Systems: Computation and Control. 4th International Workshop, volume 2034 of LNCS, pages Springer,
M. Hilty, D. Basin, and A. Pretschner. On obligations. In 10th European Symposium on Research in Computer Security (ESORICS 2005), LNCS 3679, pages Springer-Verlag,
M. Hilty, D. A. Basin, and A. Pretschner. On obligations. In S. D. C. di Vimercati, P. F. Syverson, and D. Gollmann, editors, ESORICS, volume 3679 of Lecture Notes in Computer Science, pages Springer,
H. Hinton and E. Lee. The Compatibility of Policies. In Proceedings of the 1994 ACM Conference on Computer and Communications Security,
M. Hondo, N. Nagaratnam, and A. Nadalin. Securing web services. IBM Systems Journal, 41(2): ,
F. Jacquemard, M. Rusinowitch, and L. Vigneron. Compiling and verifying security protocols. In Proceedings of LPAR 00, LNCS 1955,
F. Jacquemard, M. Rusinowitch, and L. Vigneron. Compiling and Verifying Security Protocols. In M. Parigot and A. Voronkov, editors, Logic for Programming and Automated Reasoning, volume 1955 of Lecture Notes in Computer Science, pages , St Gilles (Réunion, France), November Springer-Verlag
D. Johnson and E. Thyer. Security and the Composition of Machines. In Proceedings of the 1988 CSFW,
L. Kagal, T. Finin, and A. Joshi. A policy language for a pervasive computing environment. In Policy [194], pages 63.

D. Kähler and R. Küsters. Constraint solving for contract-signing protocols. In M. Abadi and L. de Alfaro, editors, CONCUR Concurrency Theory, 16th International Conference, CONCUR 2005, San Francisco, CA, USA, August 23-26, 2005, Proceedings, volume 3653 of Lecture Notes in Computer Science, pages Springer,
D. Kähler, R. Küsters, and T. Truderung. Infinite state amc-model checking for cryptographic protocols. In Proceedings of the Twenty-Second Annual IEEE Symposium on Logic in Computer Science (LICS 2007). IEEE, Computer Society Press, To appear
Y. Karabulut. Investigating the Trust Management Approaches for Trustworthy Business Processing in Dynamic Virtual Organizations. In Proceedings of The Seventh International Conference on Electronic Commerce Research (ICECR-7),
Y. Karabulut. Towards a Next-Generation Trust Management Infrastructure for Open Computing Systems. In R. Philip, V. Harald, and W. Waleed, editors, Privacy, Security and Trust within the Context of Pervasive Computing Series, volume 780 of The International Series in Engineering and Computer Science,
G. Karjoth, B. Pfitzmann, M. Schunter, and M. Waidner. Service-oriented assurance comprehensive security by explicit assurances. In First Workshop on Quality of Protection (QoP 2005),
J. Kelsey, B. Schneier, and D. Wagner. Protocol interactions and the chosen protocol attack. In B. Christianson, B. Crispo, T. Lomas, and M. Roe, editors, Proceedings of the International Workshop on Security Protocols, volume 1361 of Lecture Notes in Computer Science, pages Springer-Verlag, Berlin,
J. Kleist, M. Merro, and U. Nestmann. Mobile objects as mobile processes. Information & Computation, 177(2): ,
M. F. Krafft, R. Hertzog, R. Mas, and N. Makarevitch. Debian, administration et configuration avancee. Eyrolles Edition,
R. Kurshan, V. Levin, M. Minea, D. Peled, and H. Yenigün. Verifying hardware in its software context. In IEEE/ACM International Conference on Computer-Aided Design, pages IEEE Computer Society,
R. Kurshan, V. Levin, M. Minea, D. Peled, and H. Yenigün. Static partial order reduction. In Tools and Algorithms for Construction and Analysis of Systems, 4th International Conference, volume 1384 of LNCS, pages Springer,
R. Kurshan, V. Levin, M. Minea, D. Peled, and H. Yenigün. Combining software and hardware verification techniques. Formal Methods in System Design, 21(3): ,
P. Lafourcade, D. Lugiez, and R. Treinen. Intruder deduction for c-like equational theories with homomorphisms. In Giesl [132], pages
A. J. Lee, M. Winslett, J. Basney, and V. Welch. Traust: A trust negotiation based authorization service for open systems. In SACMAT 2006, 11th ACM Symposium on Access Control Models and Technologies, Lake Tahoe, California, USA, June 7-9, 2006, Proceedings, pages ACM,
V. Lotz. Threat Scenarios as a Means to Formally Develop Secure Systems. Journal of Computer Security, 5:31-67,
V. Lotz, V. Kessler, and G. Walter. A Formal Security Model for Microprocessor Hardware. In Proc. of FM 99 World Congress on Formal Methods, LNCS 1708, pages Springer-Verlag,
V. Lotz, V. Kessler, and G. Walter. A Formal Security Model for Microprocessor Hardware. IEEE Transactions on Software Engineering, 26(8): , Aug
V. Lotz and G. Walter. Formally Modelling Hardware Processor Security. In Proc. EUROSMART Security Conference, pages , June
N. Makarevitch. Choisir un système libre (open source), choix-distri/
N. Makarevitch. OpenTrust PAM, the secure access solution for portals, content/view/237/205/lang,en/.

N. e. Makarevitch. Collection Cahiers de l'Admin. cahiers-de-l-admin
J. McLean. A General Theory of Composition for a Class of Possibilistic Properties. IEEE Transactions on Software Engineering, 1(22):53-66,
C. Meadows. The NRL Protocol Analyzer: An Overview. Journal of Logic Programming, 26(2): , See
M. Merro. An Observational Theory for Mobile Ad Hoc Networks, Proceedings of MFPS
M. Merro and F. Zappa Nardelli. Behavioural theory for mobile ambients. Journal of the ACM, 52(6): ,
J. K. Millen and G. Denker. Capsl and mucapsl. Journal of Telecommunications and Information Technology, 4:16-27,
M. Minea. Partial order reduction for model checking of timed automata. In Concurrency Theory, 10th International Conference, volume 1384 of LNCS, pages Springer,
J. Misra and W. Cook. Computation orchestration: A basis for wide-area computing. To appear in Journal of Software and Systems Modeling,
S. Mödersheim. On the Relationships between Models in Protocol Verification (extended version), Submitted, available as ETH TechReport, Dep. of Computer Science, No. 512, publications
P. Narendran, M. Rusinowitch, and R. Verma. RPO constraint solving is in NP. In Annual Conference of the European Association for Computer Science Logic, Brno (Czech Republic), August Available as Technical Report 98-R-023, LORIA, Nancy (France)
W. Nejdl, D. Olmedilla, and M. Winslett. Peertrust: Automated trust negotiation for peers on the semantic web. In Secure Data Management, VLDB 2004 Workshop, SDM 2004, Toronto, Canada, August 30, 2004, Proceedings, volume 3178 of Lecture Notes in Computer Science. Springer,
Oasis Consortium. Web Services Business Process Execution Language Version abbrev=wsbpel, 23 January,
Oasis Technical Committee on Secure Exchange. Ws-securitypolicy ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-cd-02.pdf,
D. v. Oheimb. Information flow control revisited: Noninfluence = Noninterference + Nonleakage. In P. Samarati, P. Ryan, D. Gollmann, and R. Molva, editors, Computer Security ESORICS 2004, volume 3193 of LNCS, pages Springer,
D. v. Oheimb and J. Cuellar. Designing and verifying core protocols for location privacy. In Information Security, volume 4176 of LNCS. Springer, Presented at the 9th Information Security Conference (ISC 06), preprint version at
D. v. Oheimb and V. Lotz. Generic Interacting State Machines and their Instantiation with Dynamic Features. In Proc. of International Conference on Formal Engineering Methods (ICFEM 2003), volume 2885 of Lecture Notes in Computer Science. Springer-Verlag,
D. v. Oheimb and V. Lotz. Formal Security Analysis with Interacting State Machines. In G. Klein, editor, Proc. NICTA Formal Methods Workshop on Operating Systems Verification, pages 37-72, Sydney, Australia, National ICT Australia, Technical Report T-1. ISM.html
D. v. Oheimb, V. Lotz, and G. Walter. Analyzing SLE 88 memory management security using Interacting State Machines. International Journal of Information Security, 4(3): , index/ /s ; preprint: MM.html
M. Pistore, P. Traverso, and P. Bertoli. Automated composition of Web Services by Planning in Asynchronous Domains. In Proc. Int. Conf. on Automated Planning and Scheduling, ICAPS 05, pages 2-11, 2005.

A. Pnueli and R. Rosner. Distributed reactive systems are hard to synthesize. In IEEE, editor, Proceedings: 31st Annual Symposium on Foundations of Computer Science: October 22-24, 1990, St. Louis, Missouri, pages ,
th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY 2003), 4-6 June 2003, Lake Como, Italy. IEEE Computer Society,
R4eGov. URL:
P. Ramadge and W. Wonham. The control of discrete event systems. Proceedings of the IEEE, 77:81-98,
M. Rits, B. D. Boe, and A. Schaad. Xact: a bridge between resource management and access control in multilayered applications. In SESS 05: Proceedings of the 2005 workshop on Software engineering for secure systems building trustworthy applications, pages 1-7, New York, NY, USA, ACM Press
P. Robinson, J. Haller, and R. Kilian-Kehr. Towards trust relationship planning for virtual organizations. In itrust, pages ,
R. Robinson, M. Li, S. Lintelman, K. Sampigethaya, R. Poovendran, D. von Oheimb, J.-U. Bußer, and J. Cuellar. Electronic distribution of airplane software and the impact of information security on airplane safety, Submitted for publication
S. Rosario, A. Benveniste, S. Haar, and C. Jard. Net systems semantics of web services orchestrations modeled in orc. Technical report, INRIA,
M. Rusinowitch. A decidable analysis of security protocols. In J.-J. Lévy, E. Mayr, and J. Mitchell, editors, 18th IFIP World Computer Congress on Theoretical Computer Science - TCS 2004, Toulouse, France, August Kluwer Academic Publishers
M. Rusinowitch, S. Stratulat, and F. Klay. Mechanical Verification of an Incremental ABR Conformance Algorithm. In A. Emerson and P. Sistla, editors, 12th International Conference on Computer-Aided Verification (CAV 2000), LNCS, Berlin, Springer-Verlag
M. Rusinowitch and M. Turuani. Protocol Insecurity with Finite Number of Sessions is NP-complete. In Proceedings of the 14th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press,
M. Rusinowitch and M. Turuani. Protocol Insecurity with Finite Number of Sessions and Composed Keys is NP-complete. Theoretical Computer Science, 299: , Available at
P. Ryan, S. Schneider, M. Goldsmith, G. Lowe, and B. Roscoe. Modelling and Analysis of Security Protocols. Addison Wesley,
G. Salaün, L. Bordeaux, and M. Schaerf. Describing and reasoning on web services using process algebra. In Proceedings of the IEEE International Conference on Web Services (ICWS 04). IEEE Computer Society,
Samoa: Formal Tools for Securing Web Services. URL:
J. Santiago and L. Vigneron. Automatically Analysing Non-repudiation with Authentication. In Proceedings of 3rd Taiwanese-French Conference on Information Technology (TFIT), pages , Nancy, France, March
SAP Netweaver Overview. SAP, OV SAP NetWeaver.pdf
A. Schaad. An extended analysis of delegating obligations. In DBSec, pages 49-64,
A. Schaad, V. Lotz, and K. Sohr. A model-checking approach to analysing organisational controls in a loan origination process. In SACMAT, pages ,
A. Schaad, P. Spadone, and H. Weichsel. A case study of separation of duty properties in the context of the austrian elaw process. In SAC, pages ,
K. E. Seamons, T. Chan, E. Child, M. Halcrow, A. Hess, J. Holt, J. Jacobson, R. Jarvis, A. Patty, B. Smith, T. Sundelin, and L. Yu. Trustbuilder: Negotiating trust in dynamic coalitions. discex, 02:49,
D. Senn, D. Basin, and G. Caronni. Firewall conformance testing. In Proceedings of TestCom 2005, LNCS 3502, pages Springer-Verlag, 2005.

SENSORIA Software Engineering for Service-Oriented Overlay Computers. URL: de/
System Engineering for Security and Dependability. URL:
V. Shmatikov and J. Mitchell. Finite-state analysis of two contract signing protocols. Special issue of Theoretical Computer Science on security, Accepted for publication
V. Shmatikov and J. C. Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, 283(2): , June
M. Solanki, A. Cau, and H. Zedan. Augmenting semantic web service descriptions with compositional specification. In WWW 04: Proceedings of the 13th international conference on World Wide Web, pages ACM Press,
C. Sprenger, M. Backes, D. Basin, B. Pfitzmann, and M. Waidner. Cryptographically Sound Theorem Proving. In 19th IEEE Computer Security Foundations Workshop (CSFW). IEEE Computer Society Press,
P. Sultan. An example of vpn server spoofing. spoofed vpn server.html
The AVISPA Project. URL:
L. W. N. v. d. Torre. Reasoning about obligations: defeasibility in preference-based deontic logic. PhD thesis, Tinbergen Institute,
M. Trainotti, M. Pistore, G. Calabrese, G. Zacco, G. Lucchese, F. Barbon, P. Bertoli, and P. Traverso. ASTRO: Supporting Composition and Execution of Web Services. In Service-Oriented Computing - ICSOC 2005: Third International Conference, LNCS 3826, pages Springer Verlag, URL of the ASTRO project:
P. Traverso and M. Pistore. Automated composition of Semantic Web Services into Executable Processes. In Proc. 3rd Int. Semantic Web Conf., November
TrustCoM Trust and Contract Management Framework for Dynamic Virtual Organizations. URL: http://
L. Viganò. Labelled Non-Classical Logics. Kluwer Academic Publishers, Dordrecht,
L. Viganò. Automated Security Protocol Analysis with the AVISPA Tool. ENTCS 155, 155:61-86,
L. Vigneron. Positive Deduction modulo Regular Theories. In H. Kleine-Büning, editor, Proceedings of Computer Science Logic, LNCS 1092, pages , Berlin, Springer-Verlag. URL: protheo/softwares/datac/
L. Vigneron. Automated Deduction Techniques for Studying Rough Algebras. Fundamenta Informatica, 33(1):85-103,
L. Vigneron and A. Wasilewska. Rough Sets based Proofs Visualisation. In R. N. Davé and T. Sudkamp, editors, Proceedings of NAFIPS 99, pages IEEE Computer Society Press,
Wirelessly Accessible Sensor Populations. URL:
C. Weidenbach. Towards an automatic analysis of security protocols. In H. Ganzinger, editor, Proceedings of the 16th International Conference on Automated Deduction: CADE 99, LNCS 1632, pages Springer-Verlag, Berlin,
G. Wiehler. Mobility, Security and Web Services. Publicis Corporate Publishing,
D. Wijesekera and S. Jajodia. Policy algebras for access control the predicate case. In V. Atluri, editor, ACM Conference on Computer and Communications Security, pages ACM,
M. Wimmer, A. Kemper, M. Rits, and V. Lotz. Consolidating the access control of composite applications and workflows. In DBSec, pages 44-59,
W. Winsborough and N. Li. Towards practical automated trust negotiation, 2002.

World Wide Web Consortium. Web Services Description Language (WSDL) March,
World Wide Web Consortium. Web Services Choreography Description Language Version
K. Wrona and L. Gomez. Context-aware security and secure context-awareness in ubiquitous computing environments. In Proc. 13th Wireless World Research Forum (WWRF), Jeju Island, Korea, March
K. Wrona and P. Mahonen. Cooperative and cognitive networks with reputation and trust. China Communication Magazine, 1:64-75,
A. Zakinthinos and E. Lee. A General Theory of Security Properties. In Proceedings of the 1997 IEEE Symposium on Security and Privacy, 1997.

Appendix A: The AVISPA Tool

The AVISPA Tool is a state-of-the-art push-button tool for the Automated Validation of Internet Security-sensitive Protocols and Applications. It has been developed jointly by the four partners of the FET Open Project IST and the BBW Project, AVISPA: Automated Validation of Internet Security Protocols and Applications ([222]): the research team led by A. Armando at the University of Genova, Italy; the team led by M. Rusinowitch at INRIA-Lorraine, Nancy, France; the team led by D. Basin at ETH Zurich, Switzerland; and the team led by J. Cuellar at SIEMENS AG, Munich, Germany. The project was so successful that it was nominated for the 2006 Descartes prize for research.

The AVISPA Tool (i) provides a modular and expressive formal language for specifying security protocols and properties, the High-Level Protocol Specification Language HLPSL, and (ii) integrates different back-ends that implement a variety of automatic analysis techniques ranging from protocol falsification (by finding an attack on the input protocol) to abstraction-based verification methods for infinite numbers of sessions. The architecture of the tool is depicted in Figure 6. A user interacts with the tool by specifying a security problem (a protocol paired with a security property that it is expected to achieve) in the High-Level Protocol Specification Language HLPSL. HLPSL is an expressive, modular, role-based, formal language that allows for the specification of control-flow patterns, data structures, different cryptographic operators and their algebraic properties, alternative adversary models, as well as complex security properties. These features allow one to specify protocols in HLPSL without first resorting to specific techniques to simplify the protocols, as is often required in weaker approaches.
The AVISPA Tool automatically translates (via the HLPSL2IF Translator) a user-defined security problem into an equivalent specification written in the rewrite-based formalism Intermediate Format IF. An IF specification describes an infinite-state transition system amenable to formal analysis: IF specifications are automatically input to the back-ends of the AVISPA Tool, which implement different techniques to search the corresponding infinite-state transition system for states that represent attacks on the intended properties of the protocols. The current version of the tool integrates four back-ends: the On-the-fly Model-Checker OFMC, the Constraint-Logic-based Attack Searcher CL-AtSe, the SAT-based Model-Checker SATMC, and the TA4SP protocol analyzer, which verifies protocols by implementing tree automata based on automatic approximations. All the back-ends of the tool analyse protocols under the assumptions of perfect cryptography and that the protocol messages are exchanged over a network that is under the control of a Dolev-Yao intruder [122]. That is, the back-ends analyse protocols by considering the standard protocol-independent, asynchronous model of an active intruder who controls the network but cannot break cryptography; in particular, the intruder can intercept messages and analyse them if he possesses the corresponding keys for decryption, and he can generate messages from his knowledge and send them under any party name. Upon termination, each back-end of the AVISPA Tool outputs the result of its analysis using a common and precisely defined output format stating whether the input problem was solved (giving a description of the considered protocol goal or, in case it was violated, the related attack trace), some of the system resources were exhausted, or the problem was not tackled by the required back-end for some reason. 
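The intruder model described above can be made concrete with a small deduction engine. The following Python block is an added illustration, not code from the AVISPA project: it implements Dolev-Yao analysis (splitting pairs, decrypting only with keys the intruder can derive, composed keys included) and synthesis (building messages from known parts, which is what lets the intruder send messages under any party's name) over a term encoding, agent names and a message trace that are all constructed for the example.

```python
"""Dolev-Yao intruder deduction in the style assumed by the AVISPA back-ends.

Added example, not code from the AVISPA project. Terms are plain Python values
(encoding constructed for this example):
  "x"                    atomic value: agent name, nonce, symmetric key
  ("pk", A) / ("sk", A)  public / private key of agent A
  ("pair", t1, t2)       concatenation
  ("senc", k, m)         symmetric encryption of m under k
  ("aenc", pk, m)        asymmetric encryption of m under public key pk
Perfect cryptography is assumed: a ciphertext reveals its plaintext only to a
party holding (or able to derive) the decryption key.
"""


def inverse_key(key):
    """Key needed to decrypt a term encrypted under `key`.

    pk(A) is inverted by sk(A) and vice versa; symmetric keys, including
    composed ones such as pair(n1, n2), are their own inverse.
    """
    if isinstance(key, tuple) and key[0] == "pk":
        return ("sk", key[1])
    if isinstance(key, tuple) and key[0] == "sk":
        return ("pk", key[1])
    return key


def derivable(term, known):
    """Synthesis rule: `term` is known, or every component of a constructor
    application is itself derivable.

    Private keys ("sk", A) have no constructor, so they are derivable only
    when the intruder already holds them.
    """
    if term in known:
        return True
    if isinstance(term, tuple) and term[0] in ("pair", "senc", "aenc"):
        return derivable(term[1], known) and derivable(term[2], known)
    return False


def analyse(knowledge):
    """Analysis closure: split pairs and decrypt every ciphertext whose
    decryption key the intruder can derive, until nothing new is learned."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if not isinstance(term, tuple):
                continue
            learned = set()
            if term[0] == "pair":
                learned = {term[1], term[2]}
            elif term[0] in ("senc", "aenc") and derivable(inverse_key(term[1]), known):
                learned = {term[2]}
            if not learned <= known:
                known |= learned
                changed = True
    return known


# Initial intruder knowledge (constructed): every public key, its own private
# key, the agent names and a nonce of its own.
INTRUDER_BASE = frozenset({
    ("pk", "a"), ("pk", "b"), ("pk", "i"), ("sk", "i"), "a", "b", "i", "ni",
})

# Constructed trace observed on the network: A sends B a session key under B's
# public key and a secret under that key, then sends two nonces in the clear
# and a second secret under the key composed from those two nonces.
TRACE = [
    ("aenc", ("pk", "b"), "kab"),
    ("senc", "kab", "secret1"),
    ("pair", "n1", "n2"),
    ("senc", ("pair", "n1", "n2"), "secret2"),
]


def intruder_knows(observed, term, compromised=frozenset()):
    """Can the intruder derive `term` from its base knowledge, the observed
    messages and any additionally compromised keys?"""
    known = analyse(set(INTRUDER_BASE) | set(compromised) | set(observed))
    return derivable(term, known)


if __name__ == "__main__":
    print(intruder_knows(TRACE, "secret1"))                  # False: kab stays hidden
    print(intruder_knows(TRACE, "secret2"))                  # True: composed key leaked in clear
    print(intruder_knows(TRACE, "secret1", {("sk", "b")}))   # True: B's private key compromised
    print(intruder_knows(TRACE, ("aenc", ("pk", "b"), ("pair", "ni", "a"))))  # True: message under A's name
```

The last call shows the synthesis side: the intruder cannot read the encrypted session key, but can still build a well-formed message for B that names A as sender, which is exactly the capability the back-ends explore when searching for attack states.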
In order to assess the strength of the AVISPA Tool, and to demonstrate proof-of-concept on a large collection of practically relevant, industrial protocols, we have given HLPSL specifications of a substantial set of security protocols currently being drafted or standardised by organisations like the IETF, along with the security properties these protocols are expected to enjoy. The result of this specification effort is the

AVISPA Library, which currently comprises 215 security problems derived from 33 industrial-scale security protocols. We have assessed the AVISPA Tool by running it against the AVISPA Library, and the results indicate that, to the best of our knowledge, no other tool exhibits the same scope and robustness while enjoying the same performance and scalability. In particular, the AVISPA Tool has detected a number of previously unknown attacks on some of the protocols analysed, e.g., on some protocols of the ISO-PK family, on the IKEv2 protocol with digital signatures, on the SET protocol, on the ASW protocol, and on the H.530 protocol. The AVISPA Tool has been designed to be easily usable by ICT professionals, engineers, and protocol designers working in industry or standardisation organisations. We thus deployed the AVISPA Tool as a downloadable single package to be installed on the users' local machines, as well as a remote tool that can be employed by external users thanks to a web-based graphical user interface that supports the editing of protocol specifications and allows the user to select, configure, and execute the different back-ends of the tool. The package and the web-based graphical user interface, as well as the AVISPA Library, are available at the project's web-site [222]. Using the interface, the user can easily load a protocol specification among the ones provided in the AVISPA Library, or write a specification of his own, and invoke one or all of the back-ends. An XEmacs mode for editing protocol specifications is available as well. In case an attack is found, the attack trace is output in ASCII as well as in a graphical format, using Message Sequence Charts, which can be displayed in a new window or output to a PostScript file. The interface features specialised menus for both novice users (basic mode) and expert users (expert mode), as displayed in Figure 7 and Figure 8, respectively.
In particular, Figure 8 shows part of the specification of the H.530 protocol (in the main window of the interface and in an XEmacs window) and the message sequence chart of the attack trace that the AVISPA Tool found when analysing the protocol (in the bottom window).

[Figure 6: The architecture of the AVISPA Tool. A High-Level Protocol Specification Language (HLPSL) specification is fed to the HLPSL2IF translator, which produces an Intermediate Format (IF) specification; the IF specification is input to the four back-ends, the On-the-fly Model-Checker OFMC, the CL-based Attack Searcher CL-AtSe, the SAT-based Model-Checker SATMC and the Tree-Automata-based Protocol Analyzer TA4SP, which produce the Output.]

The AVISPA technology is now widely employed by a large, world-wide community of academic and industrial users, who have been using it to validate and standardise their security protocols and applications (see, for instance, the Project-external papers and publications using the AVISPA Tool and its technologies at In particular, we have begun applying the AVISPA Tool also to the analysis of web services, and the first results are very promising, e.g. [35, 73, 76, 208]. Hence, the AVISPA Tool will indeed provide a fundamental stepping stone for the techniques and technologies to be developed in the AVANTSSAR project, in concert with the expertise provided by the other partners IBM, IeAT, UPS-IRIT, OPENTRUST, and SAP.

Figure 7: A screen-shot of the AVISPA Tool in basic mode.

Figure 8: A screen-shot of the AVISPA Tool in expert mode.

Appendix B: Proof of concept case studies

This is an appendix to the proof of concept workpackage, WP 5. In Section B.1 we describe in more detail the application areas that we will consider and for each of them we present some candidate application scenarios. In Section B.2 we present part of the related problem cases we plan to formalise and verify during the project, which should give an impression of the scope, scale, and difficulty level of the problem cases that we will deal with.

B.1 Application areas and scenarios

ICT infrastructures in areas such as e-business, e-government, and e-health are of significant impact for the core business of the AVANTSSAR industrial partners and, in general, critical elements in Europe's industrial portfolio. We will initially focus on these three areas without excluding the possibility to expand into others to adapt to potential shifts of relevance for our industrial partners. The pivot point is to select a proper assortment of diversified application scenarios with heterogeneous requirements and constraints from a few areas, e.g., secure vehicle software distribution and the German e-health card infrastructure, from the areas of e-business and e-health, respectively. From these scenarios we will proceed to elicit a broad spectrum of different industry-relevant problem cases that will serve as a benchmark on which we will employ and evaluate the concepts, methodologies, techniques, and tools developed in WP 2, WP 3, and WP 4.

E-Business

In the emerging global economy, e-business has increasingly become a necessary component of business strategy and a strong catalyst for economic development. The integration of information and communications technology (ICT) in business has revolutionised relationships within organisations and those between and among organisations and individuals.
Specifically, the use of ICT in business has enhanced productivity, encouraged greater customer participation, and enabled mass customisation, besides reducing costs. Electronic business applications include commercial and administrative processes, but also automation, logistics and others, empowered by information systems. They allow enterprises to link their internal and external processes more efficiently and flexibly, to work more closely with suppliers and partners, and to better satisfy the needs and expectations of their customers. Integration is at the core of e-business: application-to-application (A2A) integration within and between enterprises, integration with database engines, automated interaction with customers and suppliers (e.g., across the firewall) resulting in B2B integration, etc. Hereafter we present an initial set of e-business scenarios we will start working on. From these descriptions it will be clear how most of our problem cases described in Section B.2 relate to the e-business application area, namely, single sign-on, authorisation policies, trust management, workflow security, sensor networks, PKI, digital contract signing, and the identity mixer.

Banking Services. Banking offers a challenging and interesting example of an e-business application scenario in which (quite) contradictory needs have to be accommodated. E.g., on the one hand banking applications have to be flexible to fulfil the needs of all the parties involved (e.g., bankers, partners, customers, investors, administration, etc.) and on the other hand they must strictly guarantee protection against trust, security, and privacy threats as well as compliance with evolving country regulations (e.g. Sarbanes-Oxley, Basel II). The banking domain has to enforce security in the context of distributed control and responsibility, and evolution of services and infrastructures.
Particular measures like establishment of secure communication channels, separation of duties, secure logging of events, non-repudiable actions, digital signature, etc, need to be considered and applied to fulfil the security requirements imposed by the mandatory law regulations.

Borrowing a case study from the SERENITY (System Engineering for Security and Dependability) Integrated Project,3 we will consider a typical loan origination process, described in the workflow of Figure 9, in the context of which the activities concerning the assignment of rights, roles, and tasks need to be carefully considered from a trust and security point of view. We will investigate these trust and security aspects in the Workflow Security problem cases of Section B.2.

Figure 9: Loan Origination Process Workflow.

The loan origination process describes a customer wanting to buy a bundled product. Several external ratings (through Credit Bureaux) and internal ratings (through the banking internal system) need to be obtained by the processing clerks in order to check the credit worthiness of the customer. Once the credit worthiness of the customer has been positively established, the bank selects a bundled product and submits it to the customer. If the customer is satisfied with the proposed product, both parties come to an agreement and sign a contract. In this banking example, we will emphasise the necessity of preventing fraud (by means of, e.g., separation of duty, see the Workflow Security problem cases of Section B.2), ensuring a secure channel any time the bank needs to communicate securely with another partner involved in the process (by means of, e.g., the TLS or SSL transport layer protocols), preserving the integrity of data and the right to privacy of the customers (by means of access control mechanisms to enforce the defined authorisation policies, see the Authorisation Policies problem cases of Section B.2), and ultimately guaranteeing the business model of the involved financial institutions.
The loan origination process is a classical example of a business process enabled by SAP NetWeaver [209] (see Figure 10), i.e., an integration and application platform for interoperable, collaborative, and process-centred applications based on the Enterprise Service-Oriented Architecture. Figure 10 clearly shows that a coalition of various systems, under the control of different organisations, has to smoothly interact and collaborate to accomplish the loan origination process. This is enabled by the underlying service-oriented computing paradigm allowing, e.g., a new and previously unknown Credit Bureau to join the coalition, as an alternative external rating service provider for the bank, without changing the core infrastructure. In such a context, where not all the parties involved know each other in advance, trust becomes a critical factor. We will investigate this aspect in the Trust Management problem cases presented in Section B.2.

3 Notice that the complementarity between AVANTSSAR and SERENITY has already been explained in detail under Relation with other national and international research activities in Section B3.1.

Figure 10: Loan Origination Process enabled by the SAP NetWeaver platform.

Software Distribution Services. A particularly important and very general ICT infrastructure application scenario is secure software distribution/download/update. The Siemens project partner currently runs multiple projects that involve secure software distribution. We will consider trust and security problem cases appearing in distributing software and SW-related data (parameters, configuration data, keys, certificates, policies, etc.) from content providers to a potentially large and widespread set of consumers. Instances include:
- software updates for safety-critical embedded systems in, e.g., cars, engines, airplanes, power plants, industrial production equipment, ...
- firmware and configuration updates for critical ICT infrastructure components like routers, firewalls, mobile phones, etc.
- provision of commercial consumer media contents like navigation data.

The main potential security concerns are:
- integrity of the payload and authenticity of its origin, which is often required for safety reasons,
- freshness of the software, in particular to prevent version rollback,
- confidentiality of the payload and authenticity of the receivers, which may be required to protect intellectual property,
- non-repudiation of origin or receipt, which may be required for legal reasons (accountability),
- content availability, which may be required for service continuity. This includes protection against denial-of-service attacks.

Many of these objectives are typically achieved by application of (public-key) cryptography or similar mechanisms. The distribution process may thus be seen as an application-level crypto protocol with extensions to, e.g., business process policies. The main challenges are:
- the management of certificates and secret keys, including their creation, distribution, and revocation (in case of compromise or expiration),
- the integration of channels already secured at the transport level,
- the integration of application-level policies.

Note that key distribution is yet another (higher-level) instance of the general software distribution problem. Since public-key cryptography will play a vital role in any secure software distribution solution, certificate management will be a major security functionality implemented by the application service. Important security services therefore are signatures, time stamping and a PKI service. Each of these basic services will have its own policy.

Credential Anonymizer. Electronic versions of legal documents, which we also call credentials, often contain more information than is necessary for a particular purpose.
To protect the privacy of users, it is desirable to avoid revealing information within transactions that is not actually necessary for that purpose, and to give users control and transparency over the information they reveal. For instance, when one rents a car via an electronic service, it is necessary to prove that one owns a driver's license; however, a lot of the information on the driver's license is irrelevant, such as the date of birth. Even the concrete name is actually irrelevant, as long as it is ensured that the person renting the car is indeed the owner of the driver's license. The identity mixer system, described in Section B.2 as a family of problem cases, is designed to provide a solution to such a problem. Rather than showing (i.e., transmitting a copy of) an electronic credential like a driver's license to some organisation like a car rental company, the user only proves possession of a driver's license, without revealing any information that is not necessary (or that the user does not intend to reveal). In particular, the user may be known to the verifying organisation only by a pseudonym and only prove that this pseudonym belongs to the owner of the credential. Note that this scenario is not limited to the e-business application area but applies similarly to the e-government and e-health application areas; it is, however, one of the first concrete application scenarios the IBM partner has been working on, and we will extend this preliminary list of scenarios during the course of the project.

E-government

In general, and in particular for purposes of e-government, today's Internet does not offer simple and cost-effective authentication procedures and security services, except for very limited and restricted environments or applications. Electronic transactions over the Web need to have the legal binding, certainty, and liability that is now common for surface mail or, more generally, other types of paperwork. Acceptance of, or trust in, the security of the communication within the Web on the part of the administration or the citizens is crucial for the social modernisation effect provided by this electronic communication infrastructure. Our single sign-on, authorisation policies, trust management, workflow security, PKI, digital contract signing, public bidding, and identity mixer problem cases will be of use in this application area.

Citizen Portals. The proposed solution within some countries of the European Union, and in particular Germany and Austria, is to create and maintain certified Citizen Portals that will support a secure communication interface within the Internet. With them, the citizen will have a secure, personalised access point on the Internet, which enables them to communicate with government offices, e-health providers, and other service providers in a straightforward, easy, and yet secure way. The citizen may access from this portal a great variety of services with different authentication, authorisation, and protection requirements. The portal is responsible for providing the corresponding security mechanisms and protecting the privacy of the citizen. In particular, the person-related data (more precisely: Personally Identifiable Information, PII) must be adequately protected and informational self-determination ensured. In other words, the individual has the right to decide what information about him may be communicated to the individual service providers and under what circumstances.
This is a requirement that follows from the User Consent Principle (sometimes called User Control) of the European Privacy Directive 95/46/EC [127]. E-government portals will probably offer:
- a secure and reliable electronic mailing address, used for authenticated, non-anonymous communication,
- a long-living document repository,
- a secure file exchange server, to share information with certain selected communication partners or services,
- declaration administration,
- authentication or time-stamping of documents and certain other notary acts,
- authentication services for other applications, including the 20 benchmarked public services of the European Union,4
- links and authentication services to other service providers, for instance financial institutions or health providers.

The exact requirements for the Citizen Portals within Germany are still under discussion. From a security point of view, authentication, privacy and accountability will certainly be part of them. The security functionality of the scenarios will need time stamping, authentication services, notary services and PKI services as basic security services.

4 See society/eeurope/2005/all about/egovernment/index en.htm as well as society/eeurope/2002/action plan/pdf/basicpublicservices.pdf

Document Exchange Procedures. Another important and general ICT application scenario in the e-government area, but also in the e-business area, is secure document exchange procedures. The OPENTRUST project partner currently provides high-level solutions that help a quick and secure implementation of such procedures. In a typical e-business and e-government process, the end-users connect to a portal and use its document exchange procedures. More and more, electronic signatures are required to guarantee trust values like authentication, integrity and non-repudiation. State-of-the-art portals are in charge of the whole business workflow but delegate all signature validation and proof management operations to specialist middleware. OPENTRUST's OpenTrust Signature and Proof Infrastructure (OpenTrust SPI) is a powerful and secure software suite which offers a full range of digital signature, encryption, time-stamping and proof management services. The suite is composed of four modules:
- SPI Sign is a client-side signature toolkit. It is available in both Applet and ActiveX technologies.
- SPI Autosign is the central, automatic and easy-to-use solution for the mass generation of digital signatures, which can be fully integrated in all business applications.
- SPI Security Server is a middleware server with electronic signature validation and digital proof management Web services.
- SPI Viewer is a signature and proof file reader application. It also offers user-friendly verification and extraction features.

The integration of the SPI modules in a business process is fast and painless through simple API calls and Web administration interfaces.
The SPI Security Server offers front-side access via the Web Service protocol and has built-in connectors with trusted secondary third parties which provide any of the following services:
- PKI services, in charge of delivering certificate revocation lists and/or answering OCSP queries,
- time-stamping services, in charge of providing timestamps upon request,
- archiving services, in charge of archiving files upon request.

Problem cases specific to the document exchange procedures are digital contract signing and public bidding. Moreover, the authorisation policies, trust management and workflow security problem cases describe services used to implement parts of the document exchange procedure scenario.

E-health

Health care scenarios involve a multitude of actors (patients, doctors, social workers, external service providers, pharmacies, health insurances, etc.), devices (health-care terminals, personal computers, PDAs, phones, body sensors, VPNs, central servers, etc.), patient data databases, and other applications remotely cooperating to enhance and help the daily lives of patients as well as the quality, effectiveness and cost-efficiency of health care systems and institutions. Patient health data, electronic prescriptions, treatment bills, and other health-related information need to be protected against disclosure and manipulation. The single sign-on, authorisation policies, trust management, sensor networks, PKI, and identity mixer problem cases described in Section B.2 are related to this application area, which is partly reflected by the scenarios described next.

[Figure 11: OpenTrust SPI implementation architecture. Business applications use the SPI Viewer, SPI Sign (Applet or ActiveX) and SPI Autosign modules; the OpenTrust SPI Security Server connects to timestamp services, a Certification Authority and archiving services.]

Telematics Infrastructure. German healthcare will soon be based on a new telematics infrastructure which will be composed of the decentralised administrative ICT systems in surgeries, hospitals, pharmacies and other so-called primary systems, and centralised healthcare services by health insurances and other back-end institutions. The decentralised elements are connected to the central ones via broker services and dedicated VPN gateways. The primary systems are connected via secure interfaces, called connectors, which are equipped with card terminals. Many components of the telematics infrastructure will be required to undergo a certification according to the Common Criteria (CC) [89]. Some of the necessary generic security specifications, called Protection Profiles, are already available. Two mandatory healthcare services will be realised first, namely insurance validation and electronic medication. Further services are in preparation, like the management of emergency data, and (in the long term) centralised management of patient data with appropriate access for all healthcare professionals. Note that the services themselves are not a proper part of the telematics infrastructure. A major requirement for medical systems is that only authorised persons should have access to patient data. This quickly leads to a rather fine-grained access control system that will have to be realised. There are further rather general requirements, for example that treatment of a patient shall only take place in the presence of a valid health card, or that medication has to be secured in accordance with the German law on digital signatures.
In some cases, the privacy of the healthcare professional has to be protected with respect to the back-end services. Other important aspects are the security of the various chip cards which will be used within the whole system, and communication security, i.e., protection of confidentiality and integrity, and prevention of impersonation attacks. Here the decentralised parts of the telematics infrastructure, i.e., the connectors and the card terminals, play the major role. First of all, cloned connectors must be prevented from connecting to the VPN gateways, and only authorised institutions may connect to the broker service. Communication has to be secured between each connector and its attached card terminals, as well as between the connectors and the VPN gateways. Additionally, each service has its own set of specific security requirements. For example, for the insurance validation service, many special authentication


More information

SDN Architecture 1.0 Overview. November, 2014

SDN Architecture 1.0 Overview. November, 2014 SDN Architecture 1.0 Overview November, 2014 ONF Document Type: TR ONF Document Name: TR_SDN ARCH Overview 1.1 11112014 Disclaimer THIS DOCUMENT IS PROVIDED AS IS WITH NO WARRANTIES WHATSOEVER, INCLUDING

More information

Belgian Position Paper

Belgian Position Paper The "INTERNATIONAL CO-OPERATION" COMMISSION and the "FEDERAL CO-OPERATION" COMMISSION of the Interministerial Conference of Science Policy of Belgium Belgian Position Paper Belgian position and recommendations

More information

Terms of Reference. Call for Experts in the field of Foresight and ICT

Terms of Reference. Call for Experts in the field of Foresight and ICT Terms of Reference Call for Experts in the field of Foresight and ICT Title Work package Lead: Related Workpackage: Related Task: Author(s): Project Number Instrument: Call for Experts in the field of

More information

PROJECT FACT SHEET GREEK-GERMANY CO-FUNDED PROJECT. project proposal to the funding measure

PROJECT FACT SHEET GREEK-GERMANY CO-FUNDED PROJECT. project proposal to the funding measure PROJECT FACT SHEET GREEK-GERMANY CO-FUNDED PROJECT project proposal to the funding measure Greek-German Bilateral Research and Innovation Cooperation Project acronym: SIT4Energy Smart IT for Energy Efficiency

More information

Potential areas of industrial interest relevant for cross-cutting KETs in the Electronics and Communication Systems domain

Potential areas of industrial interest relevant for cross-cutting KETs in the Electronics and Communication Systems domain This fiche is part of the wider roadmap for cross-cutting KETs activities Potential areas of industrial interest relevant for cross-cutting KETs in the Electronics and Communication Systems domain Cross-cutting

More information

Committee on Development and Intellectual Property (CDIP)

Committee on Development and Intellectual Property (CDIP) E CDIP/10/13 ORIGINAL: ENGLISH DATE: OCTOBER 5, 2012 Committee on Development and Intellectual Property (CDIP) Tenth Session Geneva, November 12 to 16, 2012 DEVELOPING TOOLS FOR ACCESS TO PATENT INFORMATION

More information

PROJECT FINAL REPORT

PROJECT FINAL REPORT Ref. Ares(2015)334123-28/01/2015 PROJECT FINAL REPORT Grant Agreement number: 288385 Project acronym: Internet of Things Environment for Service Creation and Testing Project title: IoT.est Funding Scheme:

More information

CIVIC EPISTEMOLOGIES Civic Epistemologies: Development of a Roadmap for Citizen Researchers in the age of Digital Culture Workshop on the Roadmap

CIVIC EPISTEMOLOGIES Civic Epistemologies: Development of a Roadmap for Citizen Researchers in the age of Digital Culture Workshop on the Roadmap This project has received funding from the European Union s Seventh Framework Programme for research, technological development and demonstration under grant agreement no 632694 CIVIC EPISTEMOLOGIES Civic

More information

ICT - INFORMATION AND COMMUNICATION TECHNOLOGIES

ICT - INFORMATION AND COMMUNICATION TECHNOLOGIES EUROPEAN COMMISSION ICT - INFORMATION AND COMMUNICATION TECHNOLOGIES A Theme for research and development under the specific programme Cooperation implementing the Seventh Framework Programme (2007-2013)

More information

PPP InfoDay Brussels, July 2012

PPP InfoDay Brussels, July 2012 PPP InfoDay Brussels, 09-10 July 2012 The Factories of the Future Calls in ICT WP2013. Objectives 7.1 and 7.2 DG CONNECT Scientific Officers: Rolf Riemenschneider, Mariusz Baldyga, Christoph Helmrath,

More information

Advanced Impacts evaluation Methodology for innovative freight transport Solutions

Advanced Impacts evaluation Methodology for innovative freight transport Solutions Advanced Impacts evaluation Methodology for innovative freight transport Solutions AIMS 3rd Newsletter August 2010 About AIMS The project AIMS is a co-ordination and support action under the 7th Framework

More information

Position Paper. CEN-CENELEC Response to COM (2010) 546 on the Innovation Union

Position Paper. CEN-CENELEC Response to COM (2010) 546 on the Innovation Union Position Paper CEN-CENELEC Response to COM (2010) 546 on the Innovation Union Introduction CEN and CENELEC very much welcome the overall theme of the Communication, which is very much in line with our

More information

Draft executive summaries to target groups on industrial energy efficiency and material substitution in carbonintensive

Draft executive summaries to target groups on industrial energy efficiency and material substitution in carbonintensive Technology Executive Committee 29 August 2017 Fifteenth meeting Bonn, Germany, 12 15 September 2017 Draft executive summaries to target groups on industrial energy efficiency and material substitution

More information

Work Programme

Work Programme EUROPEAN COMMISSION ICT - INFORMATION AND COMMUNICATION TECHNOLOGIES 1 A Theme for research and development under the specific programme Cooperation implementing the Seventh Framework Programme (2007-2013)

More information

Our position. ICDPPC declaration on ethics and data protection in artificial intelligence

Our position. ICDPPC declaration on ethics and data protection in artificial intelligence ICDPPC declaration on ethics and data protection in artificial intelligence AmCham EU speaks for American companies committed to Europe on trade, investment and competitiveness issues. It aims to ensure

More information

Written response to the public consultation on the European Commission Green Paper: From

Written response to the public consultation on the European Commission Green Paper: From EABIS THE ACADEMY OF BUSINESS IN SOCIETY POSITION PAPER: THE EUROPEAN UNION S COMMON STRATEGIC FRAMEWORK FOR FUTURE RESEARCH AND INNOVATION FUNDING Written response to the public consultation on the European

More information

Michele Punturo INFN Perugia. A special example: The Einstein Telescope

Michele Punturo INFN Perugia. A special example: The Einstein Telescope Michele Punturo INFN Perugia A special example: The Einstein Telescope M. Punturo - Corso FP7, LNF 11-12-2008 FP7 is made up of 4 main blocks of activities forming 4 specific programmes plus a 5 th specific

More information

Horizon Work Programme Leadership in enabling and industrial technologies - Introduction

Horizon Work Programme Leadership in enabling and industrial technologies - Introduction EN Horizon 2020 Work Programme 2018-2020 5. Leadership in enabling and industrial technologies - Introduction Important notice on the Horizon 2020 Work Programme This Work Programme covers 2018, 2019 and

More information

THEFUTURERAILWAY THE INDUSTRY S RAIL TECHNICAL STRATEGY 2012 INNOVATION

THEFUTURERAILWAY THE INDUSTRY S RAIL TECHNICAL STRATEGY 2012 INNOVATION 73 INNOVATION 74 VISION A dynamic industry that innovates to evolve, grow and attract the best entrepreneurial talent OBJECTIVES Innovation makes a significant and continuing contribution to rail business

More information

GALILEO JOINT UNDERTAKING

GALILEO JOINT UNDERTAKING GALILEO Research and development activities First call Activity A User receiver preliminary development STATEMENT OF WORK GJU/03/094/issue2/OM/ms Issue 2 094 issue2 6th FP A SOW 1 TABLE OF CONTENTS 1.

More information

Comments from CEN CENELEC on COM(2010) 245 of 19 May 2010 on "A Digital Agenda for Europe"

Comments from CEN CENELEC on COM(2010) 245 of 19 May 2010 on A Digital Agenda for Europe Comments from CEN CENELEC on COM(2010) 245 of 19 May 2010 on "A Digital Agenda for Europe" Agreed by CEN and CENELEC Members following a written consultation process 1 European standardization to support

More information

Roadmap Pitch: Road2CPS - Roadmapping Project Platforms4CPS Roadmap Workshop

Roadmap Pitch: Road2CPS - Roadmapping Project Platforms4CPS Roadmap Workshop Roadmap Pitch: Road2CPS - Roadmapping Project Platforms4CPS Roadmap Workshop Meike Reimann 23/10/2017 Paris Road2CPS in a nutshell Road2CPS: Strategic action for future CPS through roadmaps, impact multiplication

More information

clarification to bring legal certainty to these issues have been voiced in various position papers and statements.

clarification to bring legal certainty to these issues have been voiced in various position papers and statements. ESR Statement on the European Commission s proposal for a Regulation on the protection of individuals with regard to the processing of personal data on the free movement of such data (General Data Protection

More information

Expression Of Interest

Expression Of Interest Expression Of Interest Modelling Complex Warfighting Strategic Research Investment Joint & Operations Analysis Division, DST Points of Contact: Management and Administration: Annette McLeod and Ansonne

More information

How to write a Successful Proposal

How to write a Successful Proposal How to write a Successful Proposal PART 1 The Workprogramme and the Calls What is the WorkProgramme What is a Call How do I find a Call How do I read a Call The ICT 15 2014: The exercise PART 2 Proposal

More information

GALILEO Research and Development Activities. Second Call. Area 3. Statement of Work

GALILEO Research and Development Activities. Second Call. Area 3. Statement of Work GALILEO Research and Development Activities Second Call Area 3 Innovation by Small and Medium Enterprises Statement of Work Rue du Luxembourg, 3 B 1000 Brussels Tel +32 2 507 80 00 Fax +32 2 507 80 01

More information

Data users and data producers interaction: the Web-COSI project experience

Data users and data producers interaction: the Web-COSI project experience ESS Modernisation Workshop 16-17 March 2016 Bucharest www.webcosi.eu Data users and data producers interaction: the Web-COSI project experience Donatella Fazio, Istat Head of Unit R&D Projects Web-COSI

More information

Digital transformation in the Catalan public administrations

Digital transformation in the Catalan public administrations Digital transformation in the Catalan public administrations Joan Ramon Marsal, Coordinator of the National Agreement for the Digital Society egovernment Working Group. Government of Catalonia Josep Lluís

More information

move move us Newsletter 2014 Content MoveUs has successfully finished the first year of the project!

move move us Newsletter 2014 Content MoveUs has successfully finished the first year of the project! move us ICT CLOUD-BASED PLATFORM AND MOBILITY SERVICES : AVAILABLE, UNIVERSAL AND SAFE FOR ALL USERS MoveUs has successfully finished the first year of the project! Newsletter 2014 Welcome to MoveUs newsletter.

More information

A4BLUE - Adaptive Automation in Assembly For BLUE collar workers satisfaction in Evolvable context

A4BLUE - Adaptive Automation in Assembly For BLUE collar workers satisfaction in Evolvable context A4BLUE Newsletter Issue n 2 September 2017 Updates on the first year project results A4BLUE PROJECT- Adaptive Automation in Assembly For BLUE collar workers satisfaction in Evolvable context Enjoy reading

More information

CO-ORDINATION MECHANISMS FOR DIGITISATION POLICIES AND PROGRAMMES:

CO-ORDINATION MECHANISMS FOR DIGITISATION POLICIES AND PROGRAMMES: CO-ORDINATION MECHANISMS FOR DIGITISATION POLICIES AND PROGRAMMES: NATIONAL REPRESENTATIVES GROUP (NRG) SUMMARY REPORT AND CONCLUSIONS OF THE MEETING OF 10 DECEMBER 2002 The third meeting of the NRG was

More information

Brief to the. Senate Standing Committee on Social Affairs, Science and Technology. Dr. Eliot A. Phillipson President and CEO

Brief to the. Senate Standing Committee on Social Affairs, Science and Technology. Dr. Eliot A. Phillipson President and CEO Brief to the Senate Standing Committee on Social Affairs, Science and Technology Dr. Eliot A. Phillipson President and CEO June 14, 2010 Table of Contents Role of the Canada Foundation for Innovation (CFI)...1

More information

The main recommendations for the Common Strategic Framework (CSF) reflect the position paper of the Austrian Council

The main recommendations for the Common Strategic Framework (CSF) reflect the position paper of the Austrian Council Austrian Council Green Paper From Challenges to Opportunities: Towards a Common Strategic Framework for EU Research and Innovation funding COM (2011)48 May 2011 Information about the respondent: The Austrian

More information

Sustainable Society Network+ Research Call

Sustainable Society Network+ Research Call Sustainable Society Network+ Research Call Call for Pilot Studies and Challenge Fellowships Closing date: 17:00 on 31 st October2012 Summary Applicants are invited to apply for short- term pilot study

More information

Report on Policy Action Plan

Report on Policy Action Plan Report on Policy Action Plan EPES Project Eco-Process Engineering System For Composition of Services to Optimize Product Life-cycle FoF-ICT-2011.7.3-285093 Public Project Report Project Facts: Duration:

More information

D1.3: Innovation Management Guidelines

D1.3: Innovation Management Guidelines D1.3: Innovation Management Guidelines Dissemination level: Document type: Public Report Version: 1.0.0 Date: February 28, 2018 This project has received funding from the European Union's Horizon 2020

More information

Social Innovation and new pathways to social changefirst insights from the global mapping

Social Innovation and new pathways to social changefirst insights from the global mapping Social Innovation and new pathways to social changefirst insights from the global mapping Social Innovation2015: Pathways to Social change Vienna, November 18-19, 2015 Prof. Dr. Jürgen Howaldt/Antonius

More information

II. The mandates, activities and outputs of the Technology Executive Committee

II. The mandates, activities and outputs of the Technology Executive Committee TEC/2018/16/13 Technology Executive Committee 27 February 2018 Sixteenth meeting Bonn, Germany, 13 16 March 2018 Monitoring and evaluation of the impacts of the implementation of the mandates of the Technology

More information

Enabling ICT for. development

Enabling ICT for. development Enabling ICT for development Interview with Dr M-H Carolyn Nguyen, who explains why governments need to start thinking seriously about how to leverage ICT for their development goals, and why an appropriate

More information

An Introdcution to Horizon 2020

An Introdcution to Horizon 2020 TURKEY IN HORIZON 2020 ALTUN/HORIZ/TR2012/0740.14-2/SER/005 An Introdcution to Horizon 2020 Thies Wittig Deputy Team Leader Project "Turkey in Horizon 2020" Dr. Thies Wittig Ø PhD in Computer Science Ø

More information

POLICY SIMULATION AND E-GOVERNANCE

POLICY SIMULATION AND E-GOVERNANCE POLICY SIMULATION AND E-GOVERNANCE Peter SONNTAGBAUER cellent AG Lassallestraße 7b, A-1020 Vienna, Austria Artis AIZSTRAUTS, Egils GINTERS, Dace AIZSTRAUTA Vidzeme University of Applied Sciences Cesu street

More information

NCRIS Capability 5.7: Population Health and Clinical Data Linkage

NCRIS Capability 5.7: Population Health and Clinical Data Linkage NCRIS Capability 5.7: Population Health and Clinical Data Linkage National Collaborative Research Infrastructure Strategy Issues Paper July 2007 Issues Paper Version 1: Population Health and Clinical Data

More information

Position Paper of Iberian universities. The mid-term review of Horizon 2020 and the design of FP9

Position Paper of Iberian universities. The mid-term review of Horizon 2020 and the design of FP9 Position Paper of Iberian universities The mid-term review of Horizon 2020 and the design of FP9 Introduction Horizon 2020 (H2020), the Framework Programme for research and innovation of the European Union,

More information

ICT : Internet of Things and Platforms for Connected Smart Objects

ICT : Internet of Things and Platforms for Connected Smart Objects LEIT ICT WP2014-15 ICT 30 2015: Internet of Things and Platforms for Connected Smart Objects Peter Friess (peter.friess@ec.europa.eu), Network Technologies Werner Steinhoegl (werner.steinhoegl@ec.europa.eu),

More information

The 45 Adopted Recommendations under the WIPO Development Agenda

The 45 Adopted Recommendations under the WIPO Development Agenda The 45 Adopted Recommendations under the WIPO Development Agenda * Recommendations with an asterisk were identified by the 2007 General Assembly for immediate implementation Cluster A: Technical Assistance

More information

FET Flagships in Horizon 2020

FET Flagships in Horizon 2020 HORIZON 2020 - Future & Emerging Technologies (FET) Paris, 21 st December 2017 FET Flagships in Horizon 2020 Aymard de Touzalin Deputy Head of Unit, Flagships DG Connect, European Commission 1 Horizon

More information

(Acts whose publication is obligatory) of 9 March 2005

(Acts whose publication is obligatory) of 9 March 2005 24.3.2005 EN Official Journal of the European Union L 79/1 I (Acts whose publication is obligatory) DECISION NO 456/2005/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 9 March 2005 establishing a

More information

Indiana K-12 Computer Science Standards

Indiana K-12 Computer Science Standards Indiana K-12 Computer Science Standards What is Computer Science? Computer science is the study of computers and algorithmic processes, including their principles, their hardware and software designs,

More information

ARTEMIS The Embedded Systems European Technology Platform

ARTEMIS The Embedded Systems European Technology Platform ARTEMIS The Embedded Systems European Technology Platform Technology Platforms : the concept Conditions A recipe for success Industry in the Lead Flexibility Transparency and clear rules of participation

More information

Lithuania: Pramonė 4.0

Lithuania: Pramonė 4.0 Digital Transformation Monitor Lithuania: Pramonė 4.0 February 2018 Internal Market, Industry, Entrepreneurship and SMEs Lithuania:Pramonė 4.0 Lithuania: Pramonė 4.0 istock.com Fact box for Lithuania s

More information

TOLAE related calls in Horizon 2020 LEIT ICT WP

TOLAE related calls in Horizon 2020 LEIT ICT WP TOLAE related calls in Horizon 2020 LEIT ICT WP 2016-17 Philippe Reynaert Photonics Unit DG CONNECT - European Commission 36 th OE-A Working Group Meeting, Limoges 4 th of November 2015 Thin, Organic Large

More information

Program Automotive Security and Privacy

Program Automotive Security and Privacy FFI BOARD FUNDED PROGRAM Program Automotive Security and Privacy 2015-11-03 Innehållsförteckning 1 Abstract... 3 2 Background... 4 3 Program objectives... 5 4 Program description... 5 5 Program scope...

More information

Use of forecasting for education & training: Experience from other countries

Use of forecasting for education & training: Experience from other countries Use of forecasting for education & training: Experience from other countries Twinning-Project MK2007/IB/SO/02, MAZ III Lorenz Lassnigg (lassnigg@ihs.ac.at; www.equi.at) Input to EU-Twinning-project workshop

More information

April 2015 newsletter. Efficient Energy Planning #3

April 2015 newsletter. Efficient Energy Planning #3 STEEP (Systems Thinking for Efficient Energy Planning) is an innovative European project delivered in a partnership between the three cities of San Sebastian (Spain), Bristol (UK) and Florence (Italy).

More information

European Charter for Access to Research Infrastructures - DRAFT

European Charter for Access to Research Infrastructures - DRAFT 13 May 2014 European Charter for Access to Research Infrastructures PREAMBLE - DRAFT Research Infrastructures are at the heart of the knowledge triangle of research, education and innovation and therefore

More information

9 Vaccine SMEs' Needs

9 Vaccine SMEs' Needs 9 Vaccine SMEs' Needs As in most innovative sectors, SMEs play a critical role in bridging basic discoveries from academic research to clinical development 36. This could be seen over the last decade with

More information

Aerospace Software* Cost and Timescale Reduction *and complex electronic hardware

Aerospace Software* Cost and Timescale Reduction *and complex electronic hardware Aerospace Software* Cost and Timescale Reduction *and complex electronic hardware Andrew Hawthorn Deputy Director, Intelligent Systems / Altran UK and SECT-AIR WP4 Lead on behalf of the SECT-AIR Consortium

More information

demonstrator approach real market conditions would be useful to provide a unified partner search instrument for the CIP programme

demonstrator approach real market conditions  would be useful to provide a unified partner search instrument for the CIP programme Contribution by the Ministry of Industry and Trade of the Czech Republic to the public consultations on a successor programme to the Competitiveness and Innovation Framework Programme (CIP) 2007-2013 Given

More information

Field Operational Tests In FP7

Field Operational Tests In FP7 FESTA Final Workshop 29 April 2009 Field Operational Tests In FP7 Fabrizio Minarini Head of Sector ICT for Transport Directorate General Information Society and Media European Commission History of Research

More information

CERN-PH-ADO-MN For Internal Discussion. ATTRACT Initiative. Markus Nordberg Marzio Nessi

CERN-PH-ADO-MN For Internal Discussion. ATTRACT Initiative. Markus Nordberg Marzio Nessi CERN-PH-ADO-MN-190413 For Internal Discussion ATTRACT Initiative Markus Nordberg Marzio Nessi Introduction ATTRACT is an initiative for managing the funding of radiation detector and imaging R&D work.

More information

Towards a Magna Carta for Data

Towards a Magna Carta for Data Towards a Magna Carta for Data Expert Opinion Piece: Engineering and Computer Science Committee February 2017 Expert Opinion Piece: Engineering and Computer Science Committee Context Big Data is a frontier

More information

A Harmonised Regulatory Framework for Supporting Single European Electronic Market: Achievements and Perspectives

A Harmonised Regulatory Framework for Supporting Single European Electronic Market: Achievements and Perspectives A Harmonised Regulatory Framework for Supporting Single European Electronic Market: Achievements and Perspectives Irina NEAGA, Tarek HASSAN, Chris CARTER Loughborough University, Loughborough, Leicestershire,

More information

Grand Challenges for Systems and Services Sciences

Grand Challenges for Systems and Services Sciences Grand Challenges for Systems and Services Sciences Brian Monahan, David Pym, Richard Taylor, Chris Tofts, Mike Yearworth Trusted Systems Laboratory HP Laboratories Bristol HPL-2006-99 July 13, 2006* systems,

More information

Computer Challenges to emerge from e-science

Computer Challenges to emerge from e-science Computer Challenges to emerge from e-science Malcolm Atkinson (NeSC), Jon Crowcroft (Cambridge), Carole Goble (Manchester), John Gurd (Manchester), Tom Rodden (Nottingham),Nigel Shadbolt (Southampton),

More information

A SERVICE-ORIENTED SYSTEM ARCHITECTURE FOR THE HUMAN CENTERED DESIGN OF INTELLIGENT TRANSPORTATION SYSTEMS

A SERVICE-ORIENTED SYSTEM ARCHITECTURE FOR THE HUMAN CENTERED DESIGN OF INTELLIGENT TRANSPORTATION SYSTEMS Tools and methodologies for ITS design and drivers awareness A SERVICE-ORIENTED SYSTEM ARCHITECTURE FOR THE HUMAN CENTERED DESIGN OF INTELLIGENT TRANSPORTATION SYSTEMS Jan Gačnik, Oliver Häger, Marco Hannibal

More information

The basics of successful IP-Management in Horizon 2020

The basics of successful IP-Management in Horizon 2020 The basics of successful IP-Management in Horizon 2020 Jörg Scherer CEO Eurice GmbH Prague 11/05/2017 Roadmap Setting the scene The Framework Our service offer Speaker profile: Jörg Scherer Managing Director

More information

Common evaluation criteria for evaluating proposals

Common evaluation criteria for evaluating proposals Common evaluation criteria for evaluating proposals Annex B A number of evaluation criteria are common to all the programmes of the Sixth Framework Programme and are set out in the European Parliament

More information

FP7 ICT Call 6: Cognitive Systems and Robotics

FP7 ICT Call 6: Cognitive Systems and Robotics FP7 ICT Call 6: Cognitive Systems and Robotics Information day Luxembourg, January 14, 2010 Libor Král, Head of Unit Unit E5 - Cognitive Systems, Interaction, Robotics DG Information Society and Media

More information

Towards an MDA-based development methodology 1

Towards an MDA-based development methodology 1 Towards an MDA-based development methodology 1 Anastasius Gavras 1, Mariano Belaunde 2, Luís Ferreira Pires 3, João Paulo A. Almeida 3 1 Eurescom GmbH, 2 France Télécom R&D, 3 University of Twente 1 gavras@eurescom.de,

More information

End-to-End Privacy Accountability

End-to-End Privacy Accountability End-to-End Privacy Accountability Denis Butin 1 and Daniel Le Métayer 2 1 TU Darmstadt 2 Inria, Université de Lyon TELERISE, 18 May 2015 1 / 17 Defining Accountability 2 / 17 Is Accountability Needed?

More information

Design and Implementation Options for Digital Library Systems

Design and Implementation Options for Digital Library Systems International Journal of Systems Science and Applied Mathematics 2017; 2(3): 70-74 http://www.sciencepublishinggroup.com/j/ijssam doi: 10.11648/j.ijssam.20170203.12 Design and Implementation Options for

More information

ACTIVITY REPORT OF THE NATIONAL INDUSTRIAL COMPETITIVENESS COMMISSION PRAMONĖ 4.0 OF 2017

ACTIVITY REPORT OF THE NATIONAL INDUSTRIAL COMPETITIVENESS COMMISSION PRAMONĖ 4.0 OF 2017 ACTIVITY REPORT OF THE NATIONAL INDUSTRIAL COMPETITIVENESS COMMISSION PRAMONĖ 4.0 OF 2017 23 April 2018 Vilnius 2 I. Introduction On 19 April 2016, The European Commission (hereinafter referred to as the

More information

Présentation de l'initiative européenne "Next Generation Internet"

Présentation de l'initiative européenne Next Generation Internet NGI Journée d'information Paris 1er Décembre 2017 Présentation de l'initiative européenne "Next Generation Internet" Jean-Luc Dorel European Commission Directorate General CONNECT Unit 'Next-Generation

More information

FP7 Funding Opportunities for the ICT Industry

FP7 Funding Opportunities for the ICT Industry FP7 Funding Opportunities for the ICT Industry Haitham S. Hamza, Ph.D. R&D Department Manager Software Engineering Competence Center Agenda FP7 Structure Overview and Calls Horizon 2020 SECC Role and How

More information

Cooperation between the ESA Climate Change Initiative and the EC Copernicus Climate Change Service

Cooperation between the ESA Climate Change Initiative and the EC Copernicus Climate Change Service ecsat Fermi Avenue Harwell Campus Didcot, Oxfordshire OX11 0FD United Kingdom T +44 (0)1235 444200 www.esa.int REPORT Cooperation between the ESA Climate Change Initiative and the EC Copernicus Climate

More information

WG/STAIR. Knut Blind, STAIR Chairman

WG/STAIR. Knut Blind, STAIR Chairman WG/STAIR Title: Source: The Operationalisation of the Integrated Approach: Submission of STAIR to the Consultation of the Green Paper From Challenges to Opportunities: Towards a Common Strategic Framework

More information

Software-Intensive Systems Producibility

Software-Intensive Systems Producibility Pittsburgh, PA 15213-3890 Software-Intensive Systems Producibility Grady Campbell Sponsored by the U.S. Department of Defense 2006 by Carnegie Mellon University SSTC 2006. - page 1 Producibility

More information

Towards a multi-view point safety contract Alejandra Ruiz 1, Tim Kelly 2, Huascar Espinoza 1

Towards a multi-view point safety contract Alejandra Ruiz 1, Tim Kelly 2, Huascar Espinoza 1 Author manuscript, published in "SAFECOMP 2013 - Workshop SASSUR (Next Generation of System Assurance Approaches for Safety-Critical Systems) of the 32nd International Conference on Computer Safety, Reliability

More information

FORMAL MODELING AND VERIFICATION OF MULTI-AGENTS SYSTEM USING WELL- FORMED NETS

