Distributed Information Flow Verification Framework for the Composition of Service Chain in Wireless Sensor Network

Dynamic service composition is a promising approach to making different sensor nodes in a WSN cooperate to build complex applications from their basic functions. Usually, multiple nodes located in different regions provide data with different security levels, and it is critical to ensure the security of the information flow in the composite services. However, the energy-limited nature of sensor nodes in a WSN poses a significant challenge for centralized information flow verification, in which the verification node has to consume a large amount of computation and network resources. In this paper, we specify the security constraints for each service participant to secure the information flow in a service chain based on the lattice model and then present a distributed verification framework in which the service participants cooperate to verify their information flow policies distributively. The evaluation results show a significant decrease in the verification cost of the single verification node, which provides a better load balance across the sensor nodes.


Introduction
WSNs are key enablers for the development of the Internet of Things (IoT), being responsible for collecting surrounding context and environment information. In a service-oriented WSN [1, 2], multiple sensor nodes with different basic services, for example, data aggregation, data processing, and decoding, can cooperate with each other to develop new applications rapidly. However, because of the variety and regional characteristics of WSNs, the data provided by the sensor nodes have different security levels. When services are composed together, data are transmitted among these nodes, and an operation in a node that assigns high-level data to a low-level object would cause information leakage with a serious impact on public safety or personal privacy.
For example, a personal-health helper service can provide health advice according to body status and environment data. Most former work mainly focuses on access control for the individual services [3, 4]. But in a service chain, data may be computed from its prior services, which can result in undesired information leakage. When the collection service is completed, the data collected by the wearable sensors and environmental sensors are delivered to the data processing node, such as a mobile phone. Health information may leak to an untrusted third party through illegal operations during data processing. So information flow security is one of the major concerns about service composition in sensor network environments.
One issue in the information flow security of a composite service is the dynamic dependence among various objects in different service participants. Accorsi and Wonnemann [5] use Petri nets to represent the workflow and detect information leaks in workflow descriptions based on static information flow analysis. But this work can only validate the information flow in a fixed workflow with static input and output dependences. In a service-oriented WSN, there are several candidate services with the same functions whose dependences between input and output differ from each other. The user therefore needs to select an appropriate service for the secure composition of the service chain. She et al. [6, 7] define transformation factors to measure how likely the output depends on the input data in different candidate services. But it is hard to define the LR, MR, and HR transformation factors. Therefore, a suitable dependence model is required for the analysis of the information flow in different candidate services.
Another major issue for information flow verification in a WSN is the energy cost of the verification node. Zorgati and Abdellatif [8] and She et al. [9] propose centralized verification approaches against information flow control policies to ensure end-to-end security in wired networks. However, in a WSN the sensor node is energy limited, and the centralized way consumes a lot of energy on the verification node. Yildiz and Godart [10] propose a decentralized service composition approach that considers the information flow policies in an inexpensive manner, but its policies are static. Based on an information flow type system, Hutter and Volkamer [11] specify composition rules to control the security of dynamically computed data and their proliferation to other web services. But it costs the sensor node extra energy to compile the service code again before the service execution.
In this paper, we present a distributed information flow verification approach applied to the composition of service chains in wireless sensor networks. Our contributions include the following. (1) For the dynamic dependences in a service chain, we define the intra- and inter-service dependences among different objects in the composite service based on the PDG. (2) We specify the security constraints for each service participant based on the dependences and the lattice model. (3) We propose a decentralized information flow verification approach that executes the verification process distributively to provide a better load balance of the sensor nodes in the WSN.
The rest of the paper is structured as follows. Section 2 presents the basic definitions of the wireless sensor service system. Section 3 specifies the security constraints for each service participant based on the analysis of the information flow in the service chain. In Section 4, we propose the distributed information flow verification framework based on the secure information flow model. Section 5 evaluates the proposed verification approach. Section 6 concludes the paper.

Wireless Sensor Service System
A wireless sensor service system (WSS) is a large-scale distributed environment which consists of multiple wireless sensor nodes, public data resources, and security authorities, as shown in Figure 1. Sensor nodes in the WSN can collect these resources and provide different basic functions, such as data analysis or processing, which are treated as various services in the WSN. There is also a security authority for each data resource, which manages the security levels of these data that are used for the security verification. The service on each sensor node can be defined as follows.
Definition 1. Each service   is a tuple   = ⟨  ,   ,   ,   ,   ⟩, where   is the identifier of the service;   is the set of inputs of the service;   is the set of outputs of the service;   is composed of a sequence of actions ⟨ 1 ,  2 , . ..⟩;   is the certificate of the service, which specifies the security properties of the service. In a WSS, various services are provided by different sensor nodes. These individual services can also be combined together to generate a more powerful service. During the execution of a composite service, each service node collects data from its local storage or the public resources, processes the input data, and finally provides results to the sink nodes. On the other hand, these nodes may also update the local storage or store data to the public data resources in the WSS. A composite service can be denoted as a directed graph, where a vertex is a service component and an edge represents a composition relationship from one service to another. In this paper, we investigate a simplified composite service, the service chain, which is defined as follows.
Definition 2. A service chain   can be represented as a tuple   = ⟨,,⟩, where  is a sequence of services ⟨ 1 ,  2 , . ..⟩;  is the set of inputs of   ,   ;  is the set of outputs of   . In a service chain   , the predecessor of a service   is denoted as  −1 , and the successor of a service   is denoted as  +1 .  0 denotes the node which sends the initial request to  1 , and  +1 denotes the sink node which receives the service result from   . Figure 2 shows a simple service chain model.
Due to the dynamic and heterogeneous sensor network environment, it is necessary to select appropriate services to satisfy different requirements, including QoS and security. In this paper, we focus on the verification of information flow security in a composite service chain and on providing support for the security-enforced selection of services in a WSN. The lattice model is widely used in government or military systems, in which the security classes are determined solely from the four security levels: unclassified, confidential, secret, and top secret [12].

Secure Information Flow Model
For a clear discussion, in this paper we define that each object  has a provided and a required security level, Pr() and Re(), which specify the read and write permissions possessed by . The provided security labels of the objects are given by the data owners and are specified in certificates. The required security labels of the data objects are computed according to the dependence between the input and output data.

Information Flow in Service
Component. In a service chain, the information flow through   is shown in Figure 3. We consider a data flow model in which each service may read from a set of input data objects and write to a set of output data objects. The set of input objects of a service   includes all the objects that   receives from its predecessor  −1 and all data objects obtained from the public data resources or stored in the local storage of the sensor node. The set of output objects of   includes all the objects that   sends to its successor  +1 and all the data objects that   updates in the public data resources and the local storage.
For the input information for   , there is In order to validate the information flow in   , we need to analyze the relationships between the input and output objects. The output   is computed from   during the execution of the service function   . The syntax of   is defined as follows: (1) A service function consists of a collection of activities, some of which are control and computation operations, while others are responsible for receiving the inputs from different sources  and producing output data to the required objects . We can establish the program dependence graph (PDG) [13] of   according to its syntax to analyze the relationships among the different objects used in   . The PDG is defined as follows.
Definition 4. A program dependence graph (PDG) is a directed graph ⟨, ⃗ ⟩, where the expressions and the activities in   constitute the nodes of the graph and the edges express data and control dependences. A data dependence, represented by an edge  →   , means that the activity  assigns a variable  which is used in activity   . A control dependence, represented by an edge  →  , means that the execution of  depends on the value of the expression , which is typically a branch or loop condition.
Once a program dependence graph PDG = ⟨, ⃗ ⟩ has been constructed, the program backward slice [14] is used to analyze the dependences among the different objects that are used in the activities and expressions of the PDG. Here we use Dep() to represent the obtained dependency set of an object .
Based on the dependency set Dep(), we can compute the required security level of an output object according to the following equations: for ∀ ∈   , Based on the previous equation, we can obtain the following.

Each service   has different levels of inputs and outputs. The value of an input object with a high-level security label may flow to a low-level output object during the execution of the service and cause an information leak. Therefore, the definition of the secure information flow in a service component is given as follows.
Definition 6. The information flow in service component   is considered secure if it satisfies that for ∀ ∈   , ∪   , , there are The previous condition ensures that no lower-level object in the public resources or local storage stores data with a higher security level during the execution of each service. which is delivered to service   ,  > . The dependence between objects belonging to different service components is considered as the interservice dependence. The interservice dependence set of object , Dep inter (), is defined as follows.

Secure Information Flow in
Definition 7. For objects V ∈   and  ∈   where  > , V is in Dep inter () if it satisfies one of the following two conditions: (1)  =  − 1: For two adjacent services   and   where  =  − 1, there are four cases that need to be considered. (1) For V ∈    =  ∈    , there is an interservice dependence between  and V. (2) For V ∈    and  ∉    , there is an interservice dependence between them if there are objects  ∈    and V =  that  depends on. (3) For V ∉    and  ∈    ,  externally depends on V if there are objects  ∈    and  =  that depends on V. (4) For V ∉    =  ∉    , if there are two objects  1 ∈    ,  2 ∈    such that  1 =  2 , while data object  in   depends on  2 and  1 depends on V in   , we say that the object externally depends on V.
(2) For two services   and   where  >  + 1, if there is an object  in   ,  <  < , such that  externally depends on V while  externally depends on , the dependence between  and V is an interservice dependence.
For a service chain   where   = ⋃{ According to the definition of the secure information flow in   and   , we can obtain the following lemmas and theorems.

Lemma 9. In a service chain 𝑠
Proof. First, let  = 1; then there are two service components  0 and  1 .
And there is no interservice dependence in  0 , so the lemma is proved.
In conclusion, when  = 1, the lemma is proved. Then we suppose that the lemma is true when  =  − 1; that is, for ∀ ∈    , 0 ≤  ≤  − 1, there are And the case  =  is proved as follows: for ∀ ∈    , there are also two cases to consider. Case 1.  = , ∀V ∈   ∧ V ∈ Dep(). In this case, Theorem 5 provides Re() ≥ Re(V).
The previous assumption provides that for 0 ≤  ≤  − 1, there is and there is Re Based on (14), (15), and (16), we can get In conclusion, when  = , the lemma is proved.

Lemma 10. If the information flow of each service in first 𝑚
Proof. For ∀ ∈    ∪    , there are also two cases to consider.
Case 2. 0 ≤  < , ∀V ∈   ∧ V ∈ Dep inter (). In this case, the definition of the interservice dependence provides ∃ 1 ,  2 where ( The secure information flow Definition 6 provides Theorem 5 provides that And Lemma 9 provides that And there is Based on (20), (21), (22), and (23), we can get In conclusion, the lemma is proved.
Theorem 11. For a service chain   , if the information flow in each service component   is considered secure, the flow in the service chain is secure.
Proof. Let  =  + 1, and the theorem is proved based on Lemma 10.

Distributed Information Flow Verification Framework for Wireless Service Composition
4.1. Information Flow Verification Framework. For a service chain   = ⟨ 0 ,  1 , . . .,   ,  +1 ⟩, there are several candidate services, with different implementations by developers, for each service step   . In the distributed information flow verification framework, each sensor node is only responsible for validating its next-step candidate service node  , , which balances the energy cost of a single verification node. The distributed information flow verification framework is shown in Figure 4.
In our framework, the Service Authorization Centre (SAC) is a trusted third party for service certificate generation before the deployment of the sensor node. There are two phases for the verification of the information flow: the service certificate setup phase and the service verification phase. The service certificate, which specifies the security properties of the service, that is, the dependence between the service input and output, is first generated and signed by the SAC. During the service composition procedure, the service composer obtains the required service certificates and verifies the information flow in the candidate nodes. These two phases are detailed in the following sections.

Service Certificate Setup.
Service certificate setup is the preparation phase of the verification process, which is shown in Figure 5. In this phase, the service developer submits an authorization request containing the service function code of the service node to the SAC. The generated service certificate  is then installed on the sensor node together with the service. Considering the complexity and security of the service code transmission, the authorization process is executed offline between the service developer and the SAC, which does not consume extra energy of the sensor node. Definition 12. A service certificate  is a tuple ⟨, , ⟩, where  is the issuer, that is, the SAC;  is the service identifier;  is the set of statements that describe the output data dependence.
The service certificate  specifies the attributes of the service, including the service identifier and the dependence between input and output objects in the service function. For the PDG construction of the service function, the SAC uses the algorithms presented in [13] to generate the PDG. Once a program dependence graph PDG = ⟨, ⃗ ⟩ has been computed, a dependence set can be established for each node  ∈  by using the intraprocedural backward slice [14], written (), containing the set of all nodes in the PDG from which  can be reached: () = { |  → * }. In this paper we mainly consider the dependences between the input and output objects in the PDG nodes; that is, For each  , ∈   , its input dependence is written into the certificate. Finally, the certificate is signed by the SAC and sent to the service node. Then the service certificate setup phase is complete. Algorithm 1 is shown as follows.
When there is a request for the service, the node needs to send its certificate to the composer for its information flow verification. The provided security levels of the public and local input data and output objects are also required to be sent to the verification node. If the implementation of the service changes, for example, when a new version of the service is published, the service needs to be authorized by the SAC again and reinstalled on the sensor node.
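As an added example that is not part of the paper, the following Python builds the PDG of Definition 4 for a small constructed service function, takes the backward slice BS(x) of each output as in the certificate setup of Algorithm 1, and collects the input objects each output depends on, which is what the certificate statements D record. The statement table, the input and output names and the function names are this example's own; the output flag depends on the wearable reading only through the branch condition, so the control edges are what let the slice capture that implicit flow.

```python
# Added example, not the paper's code: PDG construction (Definition 4),
# backward slice BS(x) (Algorithm 1) and the input dependences written
# into the service certificate.

# Constructed service function, one statement per node. "def" is the
# variable the statement assigns, "use" the variables it reads, "ctrl"
# the predicate statement that controls whether it executes.
STATEMENTS = {
    1: {"def": "t",    "use": ["thermo"],   "ctrl": None},  # t = thermo
    2: {"def": "hr",   "use": ["wearable"], "ctrl": None},  # hr = wearable
    3: {"def": None,   "use": ["hr"],       "ctrl": None},  # if hr > 100:
    4: {"def": "flag", "use": [],           "ctrl": 3},     #     flag = 1
    5: {"def": "env",  "use": ["t"],        "ctrl": None},  # env = t
}
INPUTS = {"thermo", "wearable"}        # I_i: objects read from storage
OUTPUTS = {"env": 5, "flag": 4}        # O_i: output object -> defining node

def build_pdg(stmts):
    """Return preds[m] = set of nodes n with an edge n -> m.

    A data edge goes from the most recent definition of a used variable
    (statements are assumed to be listed in execution order); a control
    edge goes from the predicate a statement is nested under."""
    preds = {n: set() for n in stmts}
    last_def = {}
    for n in sorted(stmts):
        for v in stmts[n]["use"]:
            if v in last_def:
                preds[n].add(last_def[v])       # data dependence
        if stmts[n]["ctrl"] is not None:
            preds[n].add(stmts[n]["ctrl"])      # control dependence
        if stmts[n]["def"] is not None:
            last_def[stmts[n]["def"]] = n
    return preds

def backward_slice(preds, x):
    """BS(x) = {n | n ->* x}: all nodes from which x is reachable."""
    seen, stack = set(), [x]
    while stack:
        m = stack.pop()
        for n in preds[m]:
            if n not in seen:
                seen.add(n)
                stack.append(n)
    return seen

def certificate_deps(stmts, inputs, outputs):
    """D of the certificate: for each output o, the input objects read by
    some node in BS(o) or by o's own statement."""
    preds = build_pdg(stmts)
    deps = {}
    for out, node in outputs.items():
        reads = set()
        for n in backward_slice(preds, node) | {node}:
            reads.update(v for v in stmts[n]["use"] if v in inputs)
        deps[out] = reads
    return deps

if __name__ == "__main__":
    print(certificate_deps(STATEMENTS, INPUTS, OUTPUTS))
    # {'env': {'thermo'}, 'flag': {'wearable'}}
```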

Service Verification.
Service verification is a vital phase in which the verification node requests the service certificates and validates the candidate nodes against the information flow control policies. The verification procedure is shown in Figure 6. During the verification process, the service composer  −1 first requests the service certificate and the provided security levels of the public and local data objects. Then the composer computes the required security levels of the output objects and validates whether they satisfy the security constraints. CR 1 specifies that the required security levels of the input objects from public and local storage are equal to their provided security levels. CR 2 specifies that the required security levels of the input objects from the predecessor are determined by those of the output objects in  −1 . CR 3 specifies that the required security levels of the output objects are computed from those of the input objects that the output depends on.
Fragment of the Algorithm 1 listing: BS(x) = backwardSlice(x) (7) for each  ∈ BS() do (8) if Var() ∈   then (9) pushInto(  ⋅ (Var(), Var())) (10) end if (11) end for (12) end for (13)
Fragment of the Algorithm 2 listing: Re() = Pr() (8) Re(V) = Pr(V) (9) Re() = Re(exOutput()) (10) end for (11) for each  ∈    , V ∈    do (12) for each  ∈ () do (13) Re() = ⊔ max Re() (14) end for (15) if

Decentralized Information Flow Verification Algorithm
for the Service Chain. For each step of the verification, the verification node obtains the passed candidate service set  , and then notifies these passed sensor nodes to verify the following candidate services. There are three types of messages for the synchronization of the verification procedure, that is,  ,  , and  .  is used to allow the candidate service  , to execute the  Vℎ() procedure. When all the nodes in the service chain pass the service verification process,   with the executable path is sent to inform the requestor  0 . During each step of the verification,   is sent to the predecessor of the verification node when no candidate service passes the verification in the next step. Algorithm 3 is presented as above.

Experiments and Evaluations
This paper studies a distributed information flow verification framework for service composition in a WSN. Through the security analysis in Section 3, the information flow security is ensured by Theorem 11. In this section, we investigate the impact of distributed service verification on the sensor nodes' cost, including verification time and communication effort. A centralized approach implements the service verification work on a single sensor node. We test both approaches with NS-3 [15] in multiple scenarios. Table 1 shows further details about the simulation configuration.
Figure 7 shows the computation time on the verification node. In the centralized way, the time rises steeply with the increase in the number of candidate services. That is because the number of execution paths that need to be verified increases at an exponential rate. However, the time increases slowly in the distributed way, because there is no significant variation in the number of candidate nodes that each sensor node needs to verify.
Figure 8 shows the communication effort on the verification node. In Figure 8, the communication effort in the centralized way is evidently higher than in the distributed way. That is because the single verification node needs to

Conclusion
In this paper, we specify the security constraints for each service participant based on the partial order model and propose a decentralized information flow verification approach in which the sensor nodes cooperate to verify the information flow security distributively and build up secure service chains in wireless sensor environments. Through the simulation on NS-3, the results show that this approach can decrease the cost of the sensor nodes effectively.

Figure 1: A wireless sensor service system.

Figure 3: Information flow in service component.

4.3.1. Required Security Level Computation. According to the secure information flow definition in the service chain, the required security levels of the data objects need to be computed first. The required security levels of the objects in each service  , are computed according to the following three computation rules (CR):
CR 1: For ∀ ∈    ∪    , Re() = Pr();
CR 2: For ∀ ∈    , Re() = Pr(V) where V ∈   −1 ∧ V = ;
CR 3: For ∀ ∈   , Re() = ⊔ max Re(V), V ∈   ∧ V ∈ Dep().

Figure 7: Computation time on the verification node(s).

Figure 8: Communication effort on the verification node(s).
Service Chain. Consider the service chain ⟨ 1 ,  2 , . . .,   ⟩. The output data sent from   to  +1 ,    , may be dynamically computed from some data stored by the sensor node and public data resources,    and    , and from some data received from  −1 ,   −1 .   may be further processed by  +1 , . . .,  −1 and computed into

∪    } and   = ⋃{   ∪   }, 0 ≤  ≤ +1, we use  0 to denote the start node which sends the initial request to  1 , and  +1 to denote the sink node which receives the service results from   . And we assume that max Re (V)

4.3.2. Service Verification. During the service verification, the information flow control policy (IFCP) specifies how to validate a candidate service  , . Based on the security label model and the definition of the secure information flow in each service, we define the information flow control policies in each service   as follows: Based on the required security level computation rules and the information flow control policies, the verification node can validate the candidate sensor node  , in a service chain. Algorithm 2 is shown as follows.

Input: Service   ⟨  ,   ,   ,   ,   ,   ⟩. Output: Service certificate of   ⟨, , ⟩. (1) \\Var() represents the variable objects in statement  (2)   ⋅  = … signature(  ⋅ , ) (14) return   Algorithm 1: Service Certificate Set Up().

Passed Service Set  , . (1) \\exOutput(  , ) represents   , 's corresponding output in its predecessor (2) \\filterService(  ,  , ) represents filtering the unsatisfied candidate service  , from   (3)  , =   (4) for each  , ∈   do
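As an added example that is not part of the paper, the following Python carries the computation rules CR 1 to CR 3 of Section 4.3.1 and the policy check of Section 4.3.2 through a constructed three-step personal-health chain, filtering the candidates of each step the way the distributed framework does before handing on to the next step. The Candidate class, its field names and the sample services are this example's own; reading the policy as Re(o) ⊑ Pr(o) for every object written to local or public storage follows the informal statement after Definition 6 and is an assumption.

```python
# Added example, not the paper's code: the computation rules CR 1-CR 3
# (Section 4.3.1), the policy check of Section 4.3.2 and the step-wise
# filtering of candidates that the distributed framework performs, run
# over a constructed personal-health chain: collect -> process -> advise.

# Lattice of Section 2, totally ordered here for simplicity.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def join(labels):
    """Least upper bound of a set of labels (the max in this total order)."""
    return max(labels, key=LEVELS.__getitem__)

def leq(a, b):
    """True when label a is dominated by label b in the lattice."""
    return LEVELS[a] <= LEVELS[b]

class Candidate:
    """Stand-in for a candidate service plus what it sends the verifier:
    deps     - D of its certificate: output -> input objects it depends on
    pr_in    - Pr(o) of inputs read from local/public storage
    pr_store - Pr(o) of outputs written back to local/public storage
    to_next  - outputs delivered to the successor service"""
    def __init__(self, sid, deps, pr_in, pr_store, to_next):
        self.sid, self.deps = sid, deps
        self.pr_in, self.pr_store, self.to_next = pr_in, pr_store, to_next

def verify_candidate(cand, pred_out_re):
    """Apply CR 1-CR 3, then check the information flow control policy.

    pred_out_re: Re of the predecessor's outputs handed to this service.
    Policy (this example's reading of Definition 6): every object written
    to storage must satisfy Re(o) <= Pr(o). Returns (passed, Re of the
    outputs passed on to the successor)."""
    req = dict(cand.pr_in)                      # CR 1: Re(o) = Pr(o)
    req.update(pred_out_re)                     # CR 2: Re(o) = Re(exOutput(o))
    for out, ins in cand.deps.items():          # CR 3: join over Dep(o)
        req[out] = join(req[i] for i in ins) if ins else "unclassified"
    passed = all(leq(req[o], pr) for o, pr in cand.pr_store.items())
    return passed, {o: req[o] for o in cand.to_next}

def verify_chain(steps, pred_out_re=None, path=()):
    """Each passing node verifies the next step's candidates (the
    filterService loop of Algorithm 2). Returns the first executable path
    as a list of service ids, or None when some step has no passing
    candidate, the situation that triggers the fail message."""
    if not steps:
        return list(path)
    for cand in steps[0]:
        passed, out_re = verify_candidate(cand, pred_out_re or {})
        if passed:
            found = verify_chain(steps[1:], out_re, path + (cand.sid,))
            if found:
                return found
    return None

# Constructed chain. s2a logs body statistics to an unclassified public
# object and leaks secret data; s2b logs only environment data.
COLLECT = Candidate("s1", {"body": {"wearable"}, "env": {"thermo"}},
                    {"wearable": "secret", "thermo": "unclassified"},
                    {}, ["body", "env"])
PROCESS_LEAKY = Candidate("s2a", {"log": {"body"}, "stats": {"body", "env"}},
                          {}, {"log": "unclassified"}, ["stats"])
PROCESS_OK = Candidate("s2b", {"log": {"env"}, "stats": {"body", "env"}},
                       {}, {"log": "unclassified"}, ["stats"])
ADVISE = Candidate("s3", {"advice": {"stats"}}, {}, {"advice": "secret"}, [])
CHAIN = [[COLLECT], [PROCESS_LEAKY, PROCESS_OK], [ADVISE]]

if __name__ == "__main__":
    print(verify_chain(CHAIN))  # ['s1', 's2b', 's3']
```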
communicate with all other service nodes in the centralized way, while in the distributed way it only needs to communicate with the next-step service nodes, which decreases the communication effort and saves the energy of the sensor nodes.