Formal Methods for the Security of the Internet of Services

In the Internet of Services (IoS), systems and applications are no longer the result of programming components in the traditional meaning but are built by composing services that are distributed over the network and reconfigured and consumed dynamically in a demand-driven, flexible way. However, composing services leads to new, subtle and dangerous, vulnerabilities due to interference between component services and policies, the shared communication layer, and application functionality. 

In this seminar, I will briefly present the AVANTSSAR Platform and the SPaCIoS Tool, two integrated toolsets for the formal specification and automated validation of trust and security of applications in the IoS at design time and run time, respectively. (Both have been developed in the context of FP7 projects that I have been coordinating.) To highlight some of my contributions to AVANTSSAR and SPaCIoS, I will focus on two particular results. 
First, I will discuss a compositionality result that formalizes conditions for vertical composition of security protocols, i.e., when an application protocol (e.g., a banking service) runs over a channel established by another protocol (e.g., a secure channel provided by TLS). This is interesting and useful as protocol composition can lead to attacks even when the individual protocols are all secure in isolation.
Second, I will discuss how although computer security typically revolves around threats, attacks and defenses, the sub-field of security protocol analysis has so far focused almost exclusively on the notion of attack. I will motivate that there is room for a fruitful notion of defense for vulnerable protocols and that the conceptual bridge lies in the notion of multiple non-collaborating attackers and interference between simultaneous attack procedures.