The 2006 IEEE Workshop on Web Services Security was held May 21, 2006, in Oakland, California, USA. The workshop provided a forum for the presentation, discussion, and dissemination of new results on security challenges presented by the Web Services. It was organized in conjunction with the 2006 IEEE Symposium on Security and Privacy.
The program committee selected 6 papers for inclusion in the proceedings. Each submission was reviewed by at least 3 members of the Program Committee. The Program Committee meeting was held electronically. We would like to thank all the authors for submitting to WSSS.
The one-day workshop comprised presentations, followed by discussions of the accepted papers. In addition to the research program, the workshop featured 2 invited talks and a panel discussion.
Conformance testing procedures for generating tests from the finite state model representation of Role Based Access Control (RBAC) policies are proposed and evaluated. A test suite generated using one of these procedures has excellent fault detection ability but is astronomically large. Two approaches to reduce the size of the generated test suite were investigated. One is based on a set of six heuristics and the other directly generates a test suite from the finite state model using random selection of paths in the policy model. A fault model specific to the implementations of RBAC systems was used to evaluate the fault detection effectiveness of the generated test suites; the model incorporates both mutation-based and malicious faults. Empirical studies revealed that adequacy assessment of test suites using faults that correspond to first-order mutations may lead to a false sense of confidence in the correctness of policy implementation. The second approach to test suite generation, combined with one or more heuristics, is most effective in the detection of both first-order mutation and malicious faults and generates a significantly smaller test suite than the one generated directly from the finite state models.
Performance of fingerprint recognition systems is heavily influenced by the quality of fingerprints provided by the user. Image quality analysis is traditionally performed using local and global structures of fingerprint images such as ridge flow, analysis of ridge-valley structures, contrast ratios, etc. With large-scale deployment of fingerprint recognition in systems like the US VISIT program, the image quality of fingerprints from extreme age groups becomes an even more important issue. The impact of image quality on the performance of fingerprint recognition systems should be a positive one, i.e., higher image quality should lead to better overall performance of the system, and removal of lower-quality images should improve performance of the system. This study examined the impact of fingerprint image quality for two different age groups, 18-25 and 62 and above, on overall performance using two different matchers. The difference in image quality between the two age groups was analyzed, and then the impact of image quality on the performance of fingerprint matchers between the two groups was analyzed. Image quality analysis was performed using NFIQ, which is part of NIST Fingerprint Image Software (NFIS). The Neurotechnologija VeriFinger and bozorth3 (NFIS) matchers were used to assess overall performance. For the purposes of the study, overall performance was measured using false non-matches.
Access hierarchies are useful in many applications and are modeled as a set of access classes organized by a partial order. A user who obtains access to a class in such a hierarchy is entitled to access objects stored at that class, as well as objects stored at its descendant classes. Efficient schemes for this framework assign only one key to a class and use key derivation to permit access to descendant classes. Ideally, the key derivation uses simple primitives such as cryptographic hash computations and modular additions. With a straightforward scheme, key derivation time is then linear in the length of the path between the user’s class and the class of the object that the user wants to access.
Recently, work presented in [2] has given an efficient solution that significantly lowers this key derivation time, while using only hash functions and modular additions. Two fast-key-derivation techniques in that paper were given for trees, achieving O(log log n) and O(1) key derivation times, respectively, where n is the number of access classes. The present paper presents efficient key derivation techniques for hierarchies that are not trees, using a scheme that is very different from the above-mentioned paper. The construction we give in the present paper is recursive and uses the one-dimensional case solution as its base. It makes a novel use of the notion of the dimension d of an access graph, and provides a solution through which no key derivation requires more than 2d+1 hash function computations, even for “unbalanced” hierarchies whose depth is linear in their number of access classes n.
The significance of this result is strengthened by the fact that many access graphs have a low d value (e.g., trees correspond to the case d=2). Our scheme has the desirable property (as did [2] for trees) that addition and deletion of edges and nodes in the access hierarchy can be “contained” in the node and do not result in modification of keys at other nodes (no wholesale re-keying as changes are made to the access hierarchy).
Reconstructing the sequence of computer events that led to a particular event is an essential part of the digital investigation process. The ability to quantify the accuracy of automatic event reconstruction systems is an essential step in standardizing the digital investigation process, thereby making it resilient to tactics such as the Trojan Horse defense. In this paper, we present findings from an empirical study to measure and compare the accuracy and effectiveness of a suite of such event reconstruction techniques. We quantify (as applicable) the rates of false positives and false negatives, and scalability both in terms of computational burden and memory usage. Some of our findings are quite surprising in the sense of not matching a priori expectations; other findings qualitatively match the a priori expectations but had never before been quantitatively put to the test to determine the boundaries of their applicability. For example, our results show that automatic event reconstruction systems proposed in the literature have very high false-positive rates (up to 96%).
The paper shows that information leaks are inherent in object models based on subtyping and inclusion polymorphism. Web services interact with other systems across organizational boundaries using such an object model. In the context of web services, information leaks pose serious security and privacy concerns. A safe web service is one which is neither a source of any information leak nor exploits any information leak. The paper defines properties of such a safety model and proposes mechanisms to enforce the safety requirements. Leaks inherent in the programming paradigm, however, cannot always be completely masked while keeping the desired interoperability and flexibility of services intact, especially in compositional scenarios. Therefore the paper also proposes service certification and versioning processes, aided by data flow analysis, as measures against information leaks, and a cost estimation model for the case where leaks do occur.
With the increase in information and data accessibility, there is a growing concern for security and privacy of data. In large corporate Intranets, the insider attack is a major security problem. Numerous studies have shown that unauthorized accesses, in particular by insiders, pose a major security threat for distributed enterprise environments. This problem is highly magnified in a multi-domain environment that spans multiple enterprises collaborating to meet their business requirements. The challenge is in developing new or extending existing security models for efficient security management and administration in multi-domain environments that allow extensive interoperation among individuals or systems belonging to different security domains.
In this dissertation, we have addressed the issue of secure interoperation from a policy management perspective. In particular, we have developed a policy-based framework that allows secure information and resource sharing in multi-domain environments supporting both tightly-coupled and loosely-coupled collaborations. The level of coupling in such environments is characterized by the degree of interoperation, the level of trust among domains, and the security, autonomy, and privacy requirements of the collaborating domains. The proposed framework provides efficient solutions and strategies for ensuring secure interoperation in both tightly-coupled and loosely-coupled multi-domain environments. This framework is designed for distributed systems that employ role based access control (RBAC) policies, and therefore addresses the secure interoperability requirements of emerging distributed application systems.
Voice over IP (VoIP) systems are gaining in popularity as the technology for transmitting voice traffic over IP networks. As the popularity of VoIP systems increases, they are being subjected to different kinds of intrusions, some of which are specific to such systems and some of which follow a general pattern of IP attacks. VoIP systems pose several new challenges to Intrusion Detection System (IDS) designers. First, these systems employ multiple protocols for call management (e.g., SIP) and data delivery (e.g., RTP). Second, the systems are distributed in nature and employ distributed clients, servers and proxies. Third, the attacks on such systems span a large class, from denial of service to billing fraud attacks. Finally, the systems are heterogeneous, have soft real-time requirements, and are typically under several different administrative domains. In this paper, we propose the design of an intrusion detection system targeted to VoIP systems, called SPACEDIVE. SPACEDIVE is structured to detect different classes of intrusions, including masquerading, denial of service, and media stream-based attacks. It can be installed at multiple points