
    System Abuse by Service Composition: Analysis and Prevention

    We know that several chemicals can be combined to form explosives. Therefore, we do not want these to end up in airplanes together. Similarly, in the architecture of complex systems, it is often possible to combine the results of several system services to acquire illegitimate benefits or disrupt operation. For example, in what is called simboxing, telephone services are purchased from different providers, and a composite service is set up which redirects incoming calls to the service purchased from the target provider, bypassing interconnection fees. Due to their complex nature, such attacks are extremely hard to predict and prevent. This paper provides a first systematic description and classification of the phenomenon of system abuse by service composition, as well as an analysis to identify the most common types of attacks in the design phase. We employ attack trees to express ways to achieve the goal of obtaining a service at a cost lower than the regular amount charged. We use the purchase of railway tickets as a running example, where the atomic services are the rights to travel between two directly adjacent stations. These can potentially be composed in various ways to travel cheaper, for example where there are stations A, B, and C on a railway line, and a single ticket from B to A via C is cheaper than a return ticket from B to C. Our method provides the foundations for systematically discovering such issues.

    Infrastructures, Systems and Services
    Technology, Policy and Managemen