A Risk-Evaluation Assisted System for Service Selection · Time for Risk Evaluation 1 10 100 1000...

A Risk-Evaluation Assisted System for Service Selection

Ennan Zhai and Liang Gu

{firstname.lastname}@yale.edu

Yale University

Service Oriented Architecture

Custom Built App

COTS Packages

Datasets

External Services

Low-level Systems

Developer

Service1 Service2

Service Bus

Custom Built App

COTS Packages

Datasets

External Services

Low-level Systems

Service1 Service2

Service Bus

Unexpected Risks

Developer

Custom Built App

COTS Packages

Datasets

External Services

Low-level Systems

Service1 Service2

Service Bus

Developer

Unexpected Risks

Example

Video App

Example

Video App

S3 Azure

Crypt Lib

Example

Video App

Encoding

S3 Azure

Encoding Crypt Lib

Example

Video App

Encoding

S3 Azure

Encoding Crypt Lib

Query Query

What leads to the problem?

What leads to the problem?

• Lack of systematic approach to avoid these bugs.

• No service provider is wiling to share the information.

Target

• Can we reduce such risk before the service selection of application developers?

• No service provider is wiling to share the information.

Solution: Risk-Based Service Selection

• Select services based on requirements.

• At-best effort to avoid potential bugs within services.

• Do not leak information of service providers.

Solution: Risk-Based Service Selection

• Motivating Example

• REaaS Design

• Evaluation

Road-Map

Motivating Example

App Developer

Service A Service B Service C

Motivating Example

App Developer


Select a service without overflow bugs

Motivating Example

App Developer


ESaaS

Motivating Example

App Developer


ESaaSService Score

Service B 0.1

Service C 0.8

Service A 1.3

Motivating Example


• REaaS Design

• Evaluation

Road-Map

App Developer


ESaaS

REaaS Workflow

App Developer


ESaaS

Step1: Service Registration

App Developer


ESaaS

Step2: Requirement Submission

App Developer


ESaaSService Score

Service B 0.1

Service C 0.8

Service A 1.3

Step3: Risk Evaluation


• We developed a tool automatically getting dependency.

• Running on service side and very fast.


• Requirements include:- availability - integrity- confidentiality

• The options follow CVSS (an open bug DB)


Risk score of service i


Different bugs’ impact under different objects


Different bugs’ impact under different objects

Gotten from CVSS + CVE

Trust?

Trust?

App Developer


ESaaS

Trust?

App Developer


ESaaS

?

?

TPM-Based REaaS

TPM-Based REaaS

App Developer


ESaaS

TPM-Based REaaS

App Developer


ESaaS

§=hashcode(actions)

§§

TPM-Based REaaS

App Developer


ESaaS

TPM-Based REaaS

App Developer


ESaaS§


• REaaS Design

• Evaluation

Road-Map

Case Study

MySQL PostgreSQL Riak MongoDB

# of packages 588 736 103 108

Risk score 8 7 4 2

Performance Evaluation

• One Dell XPS14 laptop - 2.8GHz 4-Core Intel Xeon CPU- 16GB memory

• Public dataset with N packages- N = 10, 100, 1000, and 10000

Time for Dependency Collection

1

10

100

1000

10 100 1000 10000

Run

ning

tim

e(s

econ

ds)

# of packages within a service

no TPMWith TPM

Time for Risk Evaluation

1 10

100 1000

10000 100000 1e+06

10 100 1000 10000

Run

ning

tim

e(s

econ

ds)

# of packages within a service

no TPMWith TPM

Conclusion

• The first-step towards practical risk-based service selection approach.

• TPM-based approach to prevent privacy leakage.

• A realistic case study and performance evaluation.

Thanks!

A Risk-Evaluation Assisted System for Service Selection · Time for Risk Evaluation 1 10 100 1000...

Documents

Transcript of A Risk-Evaluation Assisted System for Service Selection · Time for Risk Evaluation 1 10 100 1000...