CESSA: Compositional Evolution of Secure Services using Aspects

The partners of the CESSA research project will provide solutions for the evolution of secure SOAs by providing an aspect-oriented structuring and programming model that allows security functionalities to be modularized that cross administrative and technological domains. By means of security aspects and a new notion of aspect-aware service interfaces, CESSA will enable the synthesis of SOA-based applications that are correct by construction and will allow the formal analysis of security properties of SOAs. Furthermore, the partners will demonstrate that security aspects support the secure horizontal (i.e., orchestration and choreography of services) and vertical composition (i.e., service implementation) of real-world industrial SOAs in the context of (i) an extension of an enterprise information system, extension that is motivated by needs for evolution of software in the financial sector due to regulatory requirements, and (ii) the integration into a commercial SOA of embedded devices using customized virtual machines.

CESSA is a project supported by the ANR, the French national research organization (project id.: 09-SEGI-002-01).

The three-year project ended on 18. Jan. 2013 (Final report, 31 March 2013).

(The references to research articles [N] can be found on the Publications page.)

• Asp4CXF [1]: Model, language and implementation platform for aspects allowing service applications to be modified that are built using Apache's CXF service model.
• RESTful security protocol [7]: Protocol for secure interactions wih RESTful web services.
• MicroEJ service and aspect libraries: Libraries providing a service stack and aspect model for specialized JVMs by partner IS2T geared toward resource-limited electronic boards and devices.

(The references to research articles [N] can be found on the Publications page.)

• Bigbro [2]: Tool, realized as an Eclipse plugin, for the vulnerability analysis of web services.
• HiPolDS, E3 [6]: Specification language and corresponding implementation support for hierarchical security policies.
• Typed service interactions: type system for services that is robust in the presence of attackers.
• Privacy annotation aspects: Tool for the augmentation of Java programs with privacy annotations that are checkable by external tools.

École des Mines de Nantes
Diana Allam, Tony Bourdier, Rémi Douence, Herve Grall, Ismael Mejía, Jean-Claude Royer, Mario Südholt (coordinator)

Eurecom
Davide Balzarotti, Matteo Dell-Amico, Engin Kirda, Yves Roudier (PI), Muhammad Sabir Idrees

IS2T
Gaëtan Harel, Jérôme Leroux, Fred Rivard (PI)

SAP
Jean Christophe Pazzaglia (PI), Anderson Santana de Oliveira, Gabriel Serme