Contracts for security adaptation

Security is considered to be one of the main challenges as regards the widespread application of Service Oriented Architectures across organisations. WS-Security, and its successive extensions, have emerged to fulfil this need, but these approaches hinder the loose-coupling among services, therefore constraining their reusability and replaceability. Software adaptation is a sound solution to overcome the incompatibilities in interface, behaviour and security constraints among stateful services. However, programming adaptors from scratch is a tedious and error-prone task where special care must be given to concurrency and security issues. In this work, we propose to use security adaptation contracts that allow us to express and adapt the security requirements of the services and their orchestration. Given a security adaptation contract and the behavioural description of the services (such as BPEL processes or Windows Workflows), we can generate the protocol of the orchestrator that complies with the security requirements (confidentiality, integrity and authenticity), while overcoming incompatibilities at the signature, behaviour and security QoS levels. The formalisation behind security adaptation contracts has other applications such as security policy negotiation and automatic security protocol verification.