Reasoning about Security Policies of Services using
Answer Set Programming
Vernon Asuncion, Khaled M. Khan, Abdelkarim Erradi, Saleh Alhazbi
Department of Computer Science and Engineering, KINDI Lab
Qatar University, Qatar
{vernon,k.khan,erradi,salhazbi}@qu.edu.qa
Abstract—In this paper, we propose a formal framework
for checking the consistency of security policies of services
using Answer Set Programming (ASP). We illustrate that the
formalisation of security policies of the service providers and the
service consumers in ASP is an effective way for reasoning about
the compatibility of policies to enable the dynamic discovery and
invocation of services.
Keywords-Software services, answer set programming, security
policy, reasoning policy.
I. INTRODUCTION
Dynamic selection of autonomous services is increasingly
used to assemble Service Oriented Systems (SOS). In SOS it
is important to enable users to express the desired security
attributes associated with the services, and use them for
service discovery. On the other hand, the service providers
can advertise the security capabilities and requirements for
their service offerings. Policies are typically used to express
the security requirements and capabilities. A security policy
of a stakeholder may contain several alternatives, and prefer-
ences could be associated with each alternative. Therefore, in
order to enable interaction between dynamically discovered
services, their security policies have to be reconciled. The
challenge is to find a service that mutually satisfies the most
preferred security policy alternative of the stakeholders. This
can be mapped to a search problem since alternative policies
introduce non-determinism in the system. This paper addresses
security policy reconciliation using Answer Set Programming
(ASP). ASP [2] is a form of logic programming geared towards
search problems, and it has proven effective even on propositional
satisfiability (SAT)-like problems [1].
In this paper, we show how ASP could be used to effectively
specify security policies of stakeholders and then reason about
their compatibility as outlined in [3].
II. SECURITY POLICY OF SERVICES
A. Definition of security policy
A security policy $P$ is a non-empty set of alternatives $\{A_1, \ldots, A_l\}$. One of the alternatives should be satisfied by a partner service for the interaction to take place. Each alternative $A_i$ contains a non-empty set of security property assertions and instance tuples $\{(p_{i,1}, I_{i,1}), \ldots, (p_{i,m_i}, I_{i,m_i})\}$ such that each $p_{i,j}$ (for $1 \le j \le m_i$) is a security property and $I_{i,j}$ is a non-empty set of security property instances $\{I_{i,j,1}, \ldots, I_{i,j,n_j}\}$. Examples of a security property $p_{i,j}$ are: digital signature, encryption, and protocol. A security property may have many instances. For example, instances $I_{i,j,k} \in I_{i,j}$ (for $1 \le k \le n_j$) of the security property $p_{i,j}$ are: AES, CAST5, and Blowfish.
An abstract service $S$ is a label for the set of service instances $\{s_1, s_2, s_3, \ldots\}$ that implement the abstract service $S$. That is, if we assume $S$ to be the abstract service WebSearch, then $S$ in this case would be the label of the set of all the available web search engines, i.e., $S = \mathit{WebSearch} = \{\mathit{google}, \mathit{yahoo}, \mathit{AOL}, \mathit{bing}, \mathit{yandex}, \ldots\}$. A user $usr$ of an abstract service $S$ is looking for an instance of $S$. A service provider $prv$ offers an instance of $S$. A stakeholder of $S$ (i.e., $usr$ or $prv$) may have two classes of policies for the service $S$: $R = \{R_1, \ldots, R_s\}$ (security requirements) and $C = \{C_1, \ldots, C_t\}$ (security capabilities). In other words, $R$ represents the security requirements and $C$ represents the security capabilities of a stakeholder.
Definition 1: A Service Oriented System (SOS) $\Gamma$ is a tuple
$$(Srv, Pol, usr, prv, \Gamma_{usr}, \Gamma_{prv})$$
where: $Srv$ is a set of abstract services; $Pol$ is a set of policies; $usr$ is a set of service users; $prv$ is a set of service providers; $\Gamma_{usr}$ (resp. $\Gamma_{prv}$) is a set of tuples of the form $(u, S, C, R)$ (resp. $(p, S, C, R)$) such that: $u \in usr$ (resp. $p \in prv$), $S \in Srv$, and $C, R \subseteq Pol$.
We say that a SOS $\Gamma$ is definite if all the policies $P \in Pol$ are sets of the form $\{A_1\}$, i.e., every policy in $Pol$ has exactly one alternative.
B. Reasoning about policy consistency
Assume $Pol = \{P_1, \ldots, P_n\}$ is a set of policies and $P_i = \{A_{i,1}, \ldots, A_{i,n_i}\}$, for $1 \le i \le n$, are the alternatives of $P_i$. Let $P_i^{A_{i,j}}$ denote the definite policy $\{A_{i,j}\}$ such that $1 \le j \le n_i$, i.e., $P_i^{A_{i,j}} = \{A_{i,j}\}$ for some $j$ between $1$ and $n_i$. A set of policies is a definite policy instance of $Pol$, denoted $Pol^{DefI}$, iff $Pol^{DefI}$ is of the form $\{P_1^{A_{1,j_1}}, \ldots, P_n^{A_{n,j_n}}\}$ such that for $1 \le i \le n$ we have $1 \le j_i \le n_i$. Generally speaking, a definite policy instance $Pol^{DefI}$ of $Pol$ is a set of definite policies derived from $Pol$ by selecting a single alternative of each policy in $Pol$, so that $Pol^{DefI}$ is a set of definite policies. Let $\Gamma$ be a SOS. Then by $\Gamma^{Pol^{DefI}}$ we denote the definite SOS obtained from $\Gamma$ by replacing every occurrence of each policy $P_i \in Pol$ by the definite form $P_i^{A_{i,j_i}}$ of $P_i$ selected in $Pol^{DefI}$.
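The policy structure of Section II.A and the definite policy instances of Section II.B, as an added example that is not code from the paper: the program below builds a user requirement policy and a provider capability policy for the abstract service WebSearch (constructed sample data), enumerates every definite policy instance $Pol^{DefI}$ (one alternative chosen per policy, which is exactly the choice space an ASP solver searches), and keeps the instances in which the chosen capability alternative satisfies the chosen requirement alternative. Two things are assumptions of this example and not fixed by the text above: the satisfaction relation (every required property must be offered with at least one common instance) and the preference order (the first alternative of a policy is the most preferred, and the user's preference ranks before the provider's).

```python
"""Definite policy instances of a small Service Oriented System.

Added example, not code from the paper. It implements the policy
structure of Section II: a policy is a non-empty set of alternatives,
each alternative a non-empty set of (property, instance-set) pairs, and a
definite policy instance picks exactly one alternative per policy.
Assumptions made here and not fixed by the paper's text: (1) a capability
alternative satisfies a requirement alternative iff every required
property is offered with at least one instance in common; (2) the order
of alternatives encodes preference (first = most preferred).
"""
from itertools import product

# Constructed sample data for the abstract service WebSearch: one user
# requirement policy and one provider capability policy, each with two
# alternatives (A_1, A_2). Names and values are illustrative only.
USR_REQ = (
    {"encryption": frozenset({"AES", "CAST5"}), "signature": frozenset({"RSA"})},
    {"encryption": frozenset({"Blowfish"})},
)
PRV_CAP = (
    {"encryption": frozenset({"Blowfish", "AES"}), "signature": frozenset({"DSA"})},
    {"encryption": frozenset({"AES"}), "signature": frozenset({"RSA"}),
     "protocol": frozenset({"TLS"})},
)
POL = {"usr_req": USR_REQ, "prv_cap": PRV_CAP}


def check_policy(policy):
    """Well-formedness from Sec. II.A: a non-empty set of alternatives, each
    with a non-empty set of properties, each property with a non-empty
    instance set. Returns True or raises ValueError."""
    if not policy:
        raise ValueError("a policy needs at least one alternative")
    for alt in policy:
        if not alt:
            raise ValueError("an alternative needs at least one property")
        for prop, instances in alt.items():
            if not instances:
                raise ValueError(f"property {prop!r} has no instances")
    return True


def definite_instances(policies):
    """Enumerate every Pol^DefI: one alternative chosen from each policy.
    Yields dicts policy-name -> chosen alternative index j_i (1-based, as
    in the paper). This is the search space an ASP solver explores."""
    names = list(policies)
    for choice in product(*(range(len(policies[n])) for n in names)):
        yield {n: j + 1 for n, j in zip(names, choice)}


def satisfies(requirement, capability):
    """Assumed satisfaction relation: every required property is present in
    the capability alternative with at least one common instance."""
    return all(prop in capability and bool(insts & capability[prop])
               for prop, insts in requirement.items())


def compatible_instances(policies, req_name, cap_name):
    """Definite policy instances in which the chosen capability alternative
    satisfies the chosen requirement alternative, in enumeration order."""
    for p in policies.values():
        check_policy(p)
    found = []
    for inst in definite_instances(policies):
        req_alt = policies[req_name][inst[req_name] - 1]
        cap_alt = policies[cap_name][inst[cap_name] - 1]
        if satisfies(req_alt, cap_alt):
            found.append(inst)
    return found


def most_preferred(instances, req_name, cap_name):
    """Assumed preference: a lower alternative index is more preferred; the
    user's index is ranked first, the provider's breaks ties."""
    if not instances:
        return None
    return min(instances, key=lambda i: (i[req_name], i[cap_name]))


if __name__ == "__main__":
    ok = compatible_instances(POL, "usr_req", "prv_cap")
    print("compatible definite instances:", ok)
    print("most preferred:", most_preferred(ok, "usr_req", "prv_cap"))
```

With the sample data, four definite policy instances exist; two are compatible (the user's first alternative with the provider's second, and the user's second with the provider's first), and under the assumed preference order the first of these is chosen. An empty result means the two stakeholders' policies cannot be reconciled and no instance of the service should be invoked.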
2014 IEEE International Conference on Services Computing
978-1-4799-5066-9/14 $31.00 © 2014 IEEE
DOI 10.1109/SCC.2014.123