SOA-Security Lab

1^st Place of the 2010 IEEE International Services Cup

Our Motivation

Creating secure Web Service-based composed applications is challanging due to the complexity of the WS-* specifications and the multitude of security specifications. On a technical layer, security services requires

Plenty of configurations
Strong security knowledge
Complex Security Configurations

Our Solution

The SOA Security Lab is designed as a virtualused testing environment for service-related security concepts. Our platform comprises several layers as shown in Figure 1.

Figure 1. Layers of the SOA Security Lab

Composed applications (provided as Software as a Service) can be created using a visual modeller and are executed in virtual machines (Infrastructure as a Service). Users can integrate external services (e.g. Amazon services), use the cloud platform to execute constom services (Platform as a Service) or compose predefined services (Component as a Service).

Figure 2 shows the main components of our platform:

1.	Scenario Management:	Visual creation of components
2.	Policy Management:	Generationof security configurations
3.	Deployment Service:	Deployment and Execution of applications
4.	Security Analysis:	Monitoring and analysis of security mechanisms

Features

1. Visual Creation of Composed Application

Composed applications based on Web Services can be created by modelling the structure of the desired system as shown in Figure 3. In order to secure the system, security requirements such as the protection of exchanged messages, the authentication of users, or the necessary trust relationships can be modelled as well. In addition, this model is verified to ensure a proper transformation to service configuration files and policies.

Figure 3. Modeling of a securecomposed application. The services require the authentication of users as well as a confidential exchange of messages.

2. Generation of Security Configurations

The Policy Management performes the transformation of the model to service configuration files and security policies (e.g WS-SecurityPolicy) that can be deployed and enforced at services and frontends used in the composed application. This information is based on security configuration patterns that provide expert knowledge to transform simple security intentions to complex security configurations. The different layers in the transformation process are shown in Figure 4.

Figure 4. Model-driven Generation of Configuration Files

Modelling Layer: This layer is the foundation for a pattern-based transformation. System design models are enhanced with security intentions to specify security requirements.

Platform Independent Model: This layer represents a platform-independent model that describes security policies in a platform independent language.

Configuration Files: This is the technical layer which states security requirements in a deployable notation, e.g. WS-SecurityPolicy.

3. Deployment and Execution of Applications

Services, frontends and related metadata are stored in the service repository. On demand a virtual machine is created for the user to execute a modelled use case. The Scenario Management component (see Figure 5) deploys all components and configuration files related to the modelled use case. Finally, each user can eecute, analyse and test composed applications in its own isolated environment.

Figure 5. Deployment of composed applications

Figure 6. Visualising the structure of exchanged messages

4. Monitoring and Analysis of Security Mechanisms

Our platform enables users to gain insight into services and the security modules used to enforce security policies. For each service, the security modules can be visualised. The messages that passed these modules can be inspected as well. Figure 6 shows the visualisation in our platform that depicts a chain of security modules and a service request that passed this chain. The message security protocols and mechanisms used to secure this message are analysed and highlighted.

Demo

Live demo:www.soa-security-lab.de

Related Publications

Michael Menzel, Robert Warschofsky, Ivonne Thomas, Christian Willems, Christoph Meinel: The Service Security Lab: A Model-Driven Platform to Compose and Explore Service Security in the Cloud. Proceedings of the 2010 IEEE World Congress on Services (Services 2010), pp.115-122, (Miami, USA, Juli 2010).
Michael Menzel, Robert Warschofsky, Christoph Meinel: A Pattern-Driven Generation of Security Policies for Service-Oriented Architectures. Proceedings of the 2010 IEEE International Conference on Web Services (ICWS 2010), pp.243-250, (Miami, USA, Juli 2010).
Michael Menzel, Christoph Meinel: SecureSOA - Modelling Security Requirements for Service-oriented Architectures. Proceedings of the 2010 IEEE International Conference on Services Computing (SCC 2010), pp.146-153, Miami, USA, Juli 2010.

People

Research and Development
- Prof. Dr. Christoph Meinel
- Ivonne Thomas
- Robert Warschofsky
Student Developer
- Florian Thomas
- Frederik Leidloff

Contact us!

Want to contact us for a coffee, question or chat? Feel free to contact us: sec-eng-webadmin(at)hpi.de

News

July 2022

HPI Cybersecurity Courses for German-Chinese Summer School at Nanjing University

HPI has maintained close relations with well-known Chinese universities for more than two decades and opened its own HPI Research School at Nanjing University back in 2011. As part of an interdisciplinary summer school at Nanjng University, HPI specifically offered a Lecture Series on cybersecurity from July 5 to 7, 2022.

June 2022

Announcement: The free Online-Course "Tatort Internet: Auflage 2022" (German) starts in October. In the Course, Prof. Meinel and the Security-Team present fundamentals of IT-Security as well as current news on security around the world. You can enroll into the course already from today so that you do not miss the start in October!

May 2022

openHPI-Kurs: Cloud Computing (German) presented by Prof. Meinel, Hendrik Steinbeck and Daniel Köhler. Aside the fundamentals on Cloud Computing and it's enablers such as the Internet and Virtualization, the course further touches on areas such as Risks and Responsibilities when using or providing cloud services.

Edit: The course has finished, but the teaching-material is still available for self-paced study!

March 2022

[German] DDoS-Attacks: What are they and how do they work?

The attack from Russia against the Ukraine is not only run in the physical world. Cyber-War is becoming more and more prominent and the Online-Activists Anonymous have started to perform DDoS-Attacks against Russion webpages, companies and servers. In the German Interview, Daniel Köhler explains, what DDoS-Attacks are and how they are usually run.

January 2022

In January, a repetition of our English-language cybersecurity series started on openHPI with the course Confidential Communication in the Internet.

Join the Team!

Teaching

Sommer Semester 2024

Master Seminar: Emerging Technologies for Security Operations

Winter Semester 2023/44

Bachelor Seminar: Big Data Security Analytics
Master Seminar: Network Security in Practice
Master Project
- Towards Red Team Exercising

Team

Supervisor: Prof. Dr. sc. nat., Dr. rer. nat. Christoph Meinel
Head & Senior Researcher: Dr. rer. nat. Feng Cheng
PostDoc/PhD Students/Research Assistants:
- Dr.-Ing.Pejman Najafi
- Eric Klieme, M.Sc.
- Alexander Mühle, M.Sc.
- Daniel Köhler, M.Eng.
- Mehryar Majd, M.Sc.
- Farzad Motlagh, M.Sc.
- Mehrdad Hajizadeh, M.Sc. (Visiting PhD Student, TU Chemnitz)
- Dominic Schaa (Master student assistant)
- Jonas Schmitz (ongoing Master thesis)
- Lars Prepens (ongoing Master thesis)
- Lieven Leue (ongoing Master thesis)
- Mohamed Budagow (ongoing Master thesis)
External PhD Students:
- Hendrik Graupner M.Sc. (with Bundesdruckerei GmbH)
- Kennedy Torkura, M.Sc. (external, Mitigant GmbH, Potsdam)
- Kaja Schmidt, M.Sc. (with European Commision)
Former Team Members