Abstract: To ensure that the service composition meets user's functional requirements under the premise of protecting user's privacy information is a key issue of service composition privacy protection. Existing Web service access control models can't effectively control the spread of information and the indirect pollution of the data in the system, which leads to the indirect leakage of privacy information. Information flow analysis is a method to ensure the end-to-end security of information transmission. Therefore, this paper proposes an information flow control model to protect the privacy data of service composition. Firstly, this paper uses privacy policies to specify the privacy privilege, uses privacy data item dependency graph to describe the relationship between privacy data items, and puts forward the information flow control model of service composition to formally specify the service's privacy strategy. Nextly, this paper models the behaviors of Web service composition by extending the Petri net to support privacy semantics. Furthermore, this paper presents a service composition privacy requirement verification algorithm to verify the privacy data leakage, so as to verify whether the behaviors of service composition meet service's privacy strategy. Finally, a case study illustrates the availability of the approach on a concrete workflow in BPEL notation.

Key words: service composition, privacy protection, information flow control, Petri net

摘要： 确保服务组合在满足用户功能性需求的前提下保护用户的隐私信息，是服务组合隐私保护的关键性问题。现有的Web服务访问控制模型不能有效地控制信息在系统内的传播和数据的间接污染，从而导致隐私信息的间接泄漏，而信息流分析方法是一种保障系统端到端信息传输安全性的方法，因此提出一种信息流控制模型对服务组合的隐私数据进行保护。首先使用隐私策略矩阵规约服务的隐私权限，使用隐私数据项依赖图描述服务组合过程中隐私数据项间的依赖关系，提出服务组合信息流控制模型，对服务的隐私策略进行形式化规约。然后利用带隐私语义的Petri网模型对服务组合的行为进行建模，提出服务组合隐私需求验证算法，用于验证服务组合的行为是否满足服务的隐私策略。最后通过一个BPEL实例说明该方法的有效性。

关键词: 服务组合, 隐私保护, 信息流控制, Petri网