Open Access
This article is
 freely available
 reusable
Entropy 2019, 21(8), 753; https://doi.org/10.3390/e21080753
Article
Secure Service Composition with Quantitative Information Flow Evaluation in Mobile Computing Environments
School of Cyber Engineering, Xidian University, Xi’an 710071, China
^{*}
Author to whom correspondence should be addressed.
Received: 31 May 2019 / Accepted: 30 July 2019 / Published: 1 August 2019
Abstract
:The advances in mobile technologies enable mobile devices to cooperate with each other to perform complex tasks to satisfy users’ composite service requirements. However, data with different sensitivities and heterogeneous systems with diverse security policies pose a great challenge on information flow security during the service composition across multiple mobile devices. The qualitative information flow control mechanism based on noninterference provides a solid security assurance on the propagation of customer’s private data across multiple service participants. However, strict discipline limits the service availability and may cause a high failure rate on service composition. Therefore, we propose a distributed quantitative information flow evaluation approach for service composition across multiple devices in mobile environments. The quantitative approach provides us a more precise way to evaluate the leakage and supports the customized disciplines on information flow security for the diverse requirements of different customers. Considering the limited energy feature on mobile devices, we use a distributed evaluation approach to provide a better balance on consumption on each service participant. Through the experiments and evaluations, the results indicate that our approach can improve the availability of composite service effectively while the security can be ensured.
Keywords:
quantitative information flow; secure information flow model; service composition; mobile computing1. Introduction
With the development of intelligent terminal, 5G and IoT technologies, various mobile applications enrich our daily lives with more flexible and convenient IT services delivery [1,2]. Moreover, high speed processors and stable connections enable the efficient service interactions among different mobile devices. Based on serviceoriented architecture, service composition across multiple mobile devices provides a promising way for integrating several distributed services to satisfy users’ complex requirements [3]. Most works focus on improving the efficiency and availability of composite services in mobile computing [4,5,6]. However, various data with different sensitivities and heterogeneous systems with diverse security policies pose a great challenge on information flow security during the service composition across multiple devices [7]. In particular, if one service component contains malicious code or vulnerabilities, customers’ sensitive data may be leaked. In addition, illegal providers or attackers may collude together to eavesdrop private data more effectively based on feedback from different components, in which private data may also be leaked even if individual service is protected by an access control mechanism [8,9].
In order to prevent the data leakage during service composition, types of information flow mechanisms are proposed including type of system [10], model checking [11,12], program static analysis [13,14] and realtime monitoring [15,16]. Considering the limited energy and dynamic composition relationships, we propose a distributed information flow verification framework for secure service composition in mobile computing environments [7]. Although these approaches provide a solid assurance on information flow security of composite service, implementing them in a real application is still a challenge. These approaches are based on a qualitative discipline, i.e., noninterference [17], which strictly limits the complete absence of any causal flow from highlevel sources to lowlevel sinks. Too strict discipline causes the loss of service availability on account of the security limitations on the crosslevel operations in program. It may also cause a high failure rate on service composition because few services can satisfy the discipline. In fact, it is usually permitted in practice to tolerate some leakage for a better service availability. For example, the area of our location may be allowed to be observed by mobile service providers for a customized and more precise route planning. Therefore, for a better balance on service security and availability, it is important for us to measure “how much” information is leaked and “how many” leaks are allowed by customers during the service composition.
In order to quantifying the leakage, many quantitative information flow approaches are proposed based on Shannon’s information theory [18]. The authors in [19,20] propose the approach to quantify interference in a simple imperative language for the information flow verification. The authors in [21] present an automatic method for informationflow verification that discovers what information is leaked and computes its comprehensive quantitative interpretation. The authors in [22] establish a tight bound on the maximum leakage from repeated independent runs. However, these approaches mainly focus on a single program that works in a centralized way. During the service composition, there may be several services with similar functions but developed by different mobile service providers, which requires us to select appropriate services for optimized performance [6,23]. It would be a resourceconsuming work to evaluate all possible services by a single piece of equipment, which is hard to be implemented due to the energylimited features of mobile terminals. In addition, all candidate services must be reevaluated even if a small change of one service occurs, which also increases the evaluation load on mobile devices.
In this paper, we present a distributed quantitative information flow evaluation approach applied on the service composition in a mobile computing environment. Our contributions mainly include: (1) we make the quantifying rules on information flows based on the static analysis; (2) we propose the quantitative definition on secure information flow in composite services and specify the security constraints on each service component for distributed evaluation; (3) we design a distributed quantitative information flow evaluation framework and approach for secure service composition in mobile environment, which can provide a better service availability and load balance with affordable costs.
The rest of the paper is structured as follows. Section 2 presents the basic models of the mobile service system. Section 3 details the quantifying rules and the security theorems based on the static analysis. In Section 4, the distributed quantitative information flow evaluation approach is proposed according to the security theorems. Section 5 evaluates our proposed approach. Section 6 concludes the paper.
2. Mobile Service System
2.1. System Model
As shown in Figure 1, the Mobile Service System (MSS) is a distributed IT system consisting of multiple network domains. A domain can have various types of resources, such as data, information, and other physical resources. Mobile terminals in the domain can use these resources and its application functions to provide various services to users, e.g., ${s}_{1}$, ${s}_{2}$, etc. These services can be composed together for a more complex users’ application. Moreover, there are several candidate services that can execute the similar functions for a given service. These services can be developed by different service providers. For example, ${s}_{1}$ can be provided by A, B or other service providers, i.e., ${s}_{1A}$, ${s}_{1B}$ and so on. In addition, there is also a security authority in each domain for the security management in the domain.
Referring to the system model in [7], each domain D can be represented as $D=\langle S,R,SA\rangle $, where S is the set of various services, i.e., $S=\{{s}_{0},{s}_{1},\dots \}$; R is the set of physical resources that can be collected by mobile services in the domain, e.g., environment data, traffic data and so on; $SA$ is the security authority. Each service ${s}_{i}$ in S is defined as a tuple ${s}_{i}=\langle i{d}_{i},do{m}_{i},I{n}_{i},Ou{t}_{i},P{g}_{i},C{e}_{i}\rangle $, where $i{d}_{i}$ is the identifier of the service provider; $do{m}_{i}$ is the domain that ${s}_{i}$ belongs to; $I{n}_{i}$ is the set of inputs in ${s}_{i}$; $Ou{t}_{i}$ is the set of the outputs in ${s}_{i}$; $P{g}_{i}$ is the program of ${s}_{i}$, which describes the execution procedure of ${s}_{i}$; $C{e}_{i}$ is the certificate of the service which specifies the security properties.
Due to the user’s complex requirements, different services ${s}_{i}$ in multiple domains may be composed together to achieve the service goal. In this paper, we investigate a typical composite service, i.e., the service chain ${S}_{ch}$ [7], as shown in Figure 2. A service chain is widely used in service composition because of its simplified composition structure which is easy to deploy and control. In service chain ${S}_{ch}$, ${s}_{0}$ receives the request from user and starts the composition procedure. Then, each service ${s}_{i}$, $0<i<n$, receives the intermediate result as the inputs from its unique predecessor ${s}_{i1}$, executes the service program $P{g}_{i}$ and outputs the intermediate result to its unique successor ${s}_{i+1}$. Finally, the last one ${s}_{n}$ sends the final results to the user. During the execution, service providers (SP) can input and obtain some data according to the service request, which may cause the leakage of a user’s private information.
2.2. Threat Model
Based on our system model, we make the following assumptions about the security capabilities of the participants in MSS.
• User: The user is the data owner who has access to all inputs and outputs including public and private information. We partition them into two sets: L($low$) for public data and H($high$) for private data. In addition, users don’t intentionally collude to leak the private data.
• Service Providers: Service providers from different mobile devices are honest but curious. They execute the service functions in accordance with their descriptions. They can not access users’ highlevel data directly due to the privacy policies, but they can freely observe the public data including all lowlevel inputs and outputs before and after (but not during) the service’s execution. Some of them may try to analyze the value of the private data based on users’ lowlevel inputs and outputs on purpose. In addition, different services may collude together to analyze a user’s private data more effectively.
For a clear description, we define $LI{n}_{i}$ and $LOu{t}_{i}$ as the public inputs and outputs with lowlevel security L. $HI{n}_{i}$ and $HOu{t}_{i}$ are defined as the private inputs and outputs with highlevel security H. Then, we can obtain that $I{n}_{i}=LI{n}_{i}\bigcup HI{n}_{i}$ and $Ou{t}_{i}=LOu{t}_{i}\bigcup HOu{t}_{i}$.
• SA: Security Authority is the trusted third party that executes the security function honestly without any interception and manipulation.
3. Quantitative Information Flow Model for Service Composition in a Mobile Computing Environment
3.1. Quantitative Information Flow Model Based on Information Theory
Shannon’s theory provides a standard measurement on information quantity known as selfinformation or entropy. For random variable X for storing different data $x\in X$ in service program $P{g}_{i}$, its entropy can be defined as [24]
where X is a random variable, $p(x)$ is shorthand for $P(X=x),$ which is the probability of $X=x$, and the sum is over the range of X. In Equation (1), the base for $log$ is conventional to use base 2 for the analysis in computer program.
$$\mathcal{H}(X)=\sum _{x}p(x)log\frac{1}{p(x)},$$
The conditional entropy can be used to represent the amount of information carried by X give the knowledge of variable Y, which is defined as:
where $\mathcal{H}(XY=y)={\sum}_{x}p(xy)log\frac{1}{p(xy)}$, and $p(xy)$ is the probability that random variable $X=x$ given that random variable $Y=y$.
$$\mathcal{H}(XY)=\sum _{y}p(y)\mathcal{H}(XY=y),$$
Based on the information quantity on each variable, the mutual information provides a general way of measuring the amount of information stored by X that can be learned by observing another random variable Y, which is defined as:
$$\begin{array}{c}{\displaystyle \mathcal{I}(X;Y)=\sum _{x}\sum _{y}p(x,y)log\frac{p(x,y)}{p(x)p(y)}}\hfill \\ \hspace{1em}\hspace{1em}=\mathcal{H}(X)+\mathcal{H}(Y)\mathcal{H}(X,Y)\hfill \\ \hspace{1em}\hspace{1em}=\mathcal{H}(X)\mathcal{H}(XY)\hfill \\ \hspace{1em}\hspace{1em}=\mathcal{H}(Y)\mathcal{H}(YX).\hfill \end{array}$$
According to our system model, $LIn$ and $LOut$ are the lowlevel inputs and outputs that service providers can observe during the service composition. Based on Equation (3), for each $X\in In$, the leakage through the flow from X to $Y\in Out$ can be defined as
$${\mathcal{F}}_{LIn}(X\u21ddY)=\mathcal{I}(X;YlIn)=\mathcal{H}(XlIn)\mathcal{H}(XY,LIn).$$
We use ${\mathcal{F}}_{LIn}(X\u21ddLOut)$ to represent the overall leakage of X through all different flows from X to any Y in $LOut$. For a clear description, we assume all the inputs and outputs are k bits variables and the inputs are uniformly distributed and independent from each other in the following calculation. Then, we can derive the first basic Quantifying Rule (QR) as follows:
QR 1.
$\forall X\in In$, $Max({\mathcal{F}}_{LIn}(X\u21ddLOut))=\mathcal{H}(X)=k$ and $Min({\mathcal{F}}_{LIn}(X\u21ddLOut))=0$.
Then, we can obtain the quantitative definition on information flow security in a service as follows:
Definition 1.
$\forall X\in HIn$ in a service, the flows in service are Ksecure, for $0\le K\le k$, if
where $LIn$ and $LOut$ are the lowlevel input and output observations, and K is the security threshold that depends on a user’s requirement and the system running environment.
$${\mathcal{F}}_{LIn}(X\u21ddLOut)<K,$$
According to Definition 1, we can derive the following two facts: (1) if $K=0$, it requires that there is no flow from X to any Y in $LOut$, which becomes the qualitative definition of standard noninterference as shown in [25]. (2) if $0<K\le k$, it is considered secure if there is at least $kK$ unknown bits for service providers. A user can choose different thresholds for diverse security requirements in different running environments.
3.2. Quantifying the Information Flow in Service Components
Clark et al. [20] propose the basic analysis rules to quantify leakage for a software program with sequence, branch and loop structures. These rules are specified for the single program analysis in a centralized way, which aim at quantifying the overall leakage instead of each flow’s leakage. Therefore, they don’t support distributed quantifying across multiple services. Based on some basic rules in [20], we design the improved quantifying rules on different information flows through the static analysis. Our rules are based on the worst case assumption for guaranteeing the security. First, for the ${s}_{i}$’s program $P{g}_{i}$, its syntax can be defined as follow by referring to [20]. It is a simple imperative language including all basic notions, operations and structures in a program:
$$\begin{array}{c}C\in Com\phantom{\rule{1.em}{0ex}}var\in Var\phantom{\rule{1.em}{0ex}}E\in Exp\phantom{\rule{1.em}{0ex}}B\in BExp\phantom{\rule{1.em}{0ex}}const\in \mathbb{N}\hfill \\ P::=P;C\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}C\hfill \\ C::=\mathbf{skip}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}var:=E\hfill \\ \phantom{\rule{1.em}{0ex}}\phantom{\rule{1.em}{0ex}}\phantom{\rule{4pt}{0ex}}\mathbf{if}(B)\phantom{\rule{4pt}{0ex}}\mathbf{then}\phantom{\rule{4pt}{0ex}}C\phantom{\rule{4pt}{0ex}}\mathbf{else}\phantom{\rule{4pt}{0ex}}{C}^{\prime}\hfill \\ \phantom{\rule{1.em}{0ex}}\phantom{\rule{1.em}{0ex}}\phantom{\rule{4pt}{0ex}}\mathbf{while}(B)\phantom{\rule{4pt}{0ex}}C\hfill \\ E::=var\phantom{\rule{4pt}{0ex}}\left\phantom{\rule{4pt}{0ex}}const\phantom{\rule{4pt}{0ex}}\right\phantom{\rule{4pt}{0ex}}E+{E}^{\prime}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}E\ast {E}^{\prime}\hfill \\ B::=E\phantom{\rule{4pt}{0ex}}R\phantom{\rule{4pt}{0ex}}{E}^{\prime}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\neg B\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}B\wedge {B}^{\prime}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}B\vee \phantom{\rule{3.33333pt}{0ex}}{B}^{\prime}\hfill \\ R::=<\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}>\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}==.\hfill \end{array}$$
There are two kinds of flows to consider, i.e., explicit and implicit flow [17]. The explicit flow occurs as a result of executing the assignment statement. For example, for the statement $va{r}^{\prime}:=E$, if E contains variable $var$, there is an explicit flow between $var$ and $va{r}^{\prime}$, namely $var\to va{r}^{\prime}$. Implicit flow occurs as a result of executing a statement C or not when this statement C is conditioned on the value of an binary expression B. This type of flow usually exists in the branch and the loop structures. If B contains $var$ and $va{r}^{\prime}$ appears in C or ${C}^{\prime}$ as an objective variable, there is an implicit flow between $var$ and $va{r}^{\prime}$, namely $var\stackrel{B}{\u290f}va{r}^{\prime}$. Based on the basic dependence and its transitivity, we can define the intra flows from $var$ to $va{r}^{\prime}$ as follow, which is represented as $\delta (var,va{r}^{\prime})$.
Definition 2.
$\forall var,va{r}^{\prime}\in Var$ in ${s}_{i}$, and there are four cases to consider:
(1) $\exists v\in Var$ that satisfies $var\to v$ and $v\to va{r}^{\prime}$, then $\delta (var,va{r}^{\prime})=var\to va{r}^{\prime}$.
(2) $\exists v\in Var$ that satisfies $var\to v$ and $v\stackrel{B}{\u290f}va{r}^{\prime}$, then $\delta (var,va{r}^{\prime})=var\stackrel{B}{\u290f}va{r}^{\prime}$.
(3) $\exists v\in Var$ that satisfies $var\stackrel{B}{\u290f}v$ and $v\to va{r}^{\prime}$, then $\delta (var,va{r}^{\prime})=var\stackrel{B}{\u290f}va{r}^{\prime}$.
(4) $\exists v\in Var$ that satisfies $var\stackrel{B}{\u290f}v$ and $v\stackrel{{B}^{\prime}}{\u290f}va{r}^{\prime}$, then $\delta (var,va{r}^{\prime})=var\stackrel{B}{\u290f}va{r}^{\prime}$.
Here, we use $var\u21ddva{r}^{\prime}$ to represent all the flows from $var$ to $va{r}^{\prime}$. According to our attacker model, the attacker can observe the lowlevel inputs and outputs before and after the execution of service. Thus, we mainly focus on the flows between the inputs and outputs. In addition, we can also obtain that $I{n}_{i}\subseteq Var$ and $Ou{t}_{i}\subseteq Var$. In order to analyze these flows among the different inputs and outputs in ${s}_{i}$, we construct the PDG (Program Dependence Graph) first [26], and then use the program slicing [27] to obtain all the flows from inputs to outputs based on Definition 2. Then, we define ${\mathit{F}}_{i}=\left\{\delta (X,Y)\rightX\in I{n}_{i},Y\in Ou{t}_{i}\}$ as the set of all intra flows in ${s}_{i}$ for the following calculation.
Based on the definition of ${\mathit{F}}_{i}$, we can derive the following quantifying rules on the leakage of each flow in ${s}_{i}$. In this paper, we consider the worst case assumptions in which we focus on the computation of the upper bound of leakage for a strong security assurance.
QR 2.
$\forall X\in HI{n}_{i}$ and $Y\in LOu{t}_{i}$ satisfy $X\to Y$, then we have
where $LI{n}_{i}$ is the low level input observations in ${s}_{i}$.
$${\mathcal{F}}_{LI{n}_{i}}(X\to Y)=\mathcal{H}(X)=k,$$
QR 3.
$\forall X\in HI{n}_{i}$ and $Y\in LOu{t}_{i}$ satisfy $X\stackrel{B}{\u290f}Y$, then we have
where ${\mathcal{F}}^{Eq}={\mathcal{F}}_{LI{n}_{i}}(X\u21ddE)+{\mathcal{F}}_{LI{n}_{i}}(X\u21dd{E}^{\prime})$, ${\mathcal{F}}^{B}={\mathcal{F}}_{LI{n}_{i}}(X\stackrel{B}{\u290f}Y)+{\mathcal{F}}_{LI{n}_{i}}(X\stackrel{{B}^{\prime}}{\u290f}Y)$.
$${\mathcal{F}}_{LI{n}_{i}}(X\stackrel{B}{\u290f}Y)=\left\{\begin{array}{cc}1\hfill & \mathrm{B}::=\mathrm{E}<{\mathrm{E}}^{\prime}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\mathrm{E}>{\mathrm{E}}^{\prime},\hfill \\ {\mathcal{F}}^{Eq}\hfill & \mathrm{B}::=\mathrm{E}=={\mathrm{E}}^{\prime},\hfill \\ {\mathcal{F}}^{B}\hfill & \mathrm{B}::=\neg \mathrm{B}\phantom{\rule{4pt}{0ex}}\mathrm{B}\wedge {\mathrm{B}}^{\prime}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\mathrm{B}\vee {\mathrm{B}}^{\prime},\hfill \end{array}\right.$$
QR 2 is used to analyze the leakage of the explicit flow. It is easy to follow that, when there is an explicit flow from X to Y, we regard this as all the information of X having been delivered to Y based on knowledge of $LI{n}_{i}$, i.e., $\mathcal{H}(XY,LI{n}_{i})=0$.
QR 3 is used to analyze the leakage of the implicit flow, which includes the following three cases.
(1) For the basic boolean expressions $(E<{E}^{\prime})$ or $(E>{E}^{\prime})$, we consider the worst case in which the value of B and ${E}^{\prime}$ can be observed based on the knowledge of Y and Z. Then, attackers can deduce one more bit information about X in E at most after the service execution, which complies with $1Bit$ rule in [20].
For example, for the following program in which x is the 5 bits high level input ranging from −16 to 15, y is the low level output,
If attackers know the value of z, then he can deduce if the value of x is greater or less than z through the output value of y. Based on information theory, the entropy of x in state s and ${s}^{\prime}$ can be calculated as follows:
In addition, we can also get that $\mathcal{H}({x}_{s}{z}_{s},{y}_{{s}^{\prime}})$ is minimum when $z=0$, i.e., $Min(\mathcal{H}({x}_{s}{z}_{s},{y}_{{s}^{\prime}}))=(1/2)log(16)+(1/2)log(16)=4$. Then, the attacker can obtain one bit of information about x at most through this flow.
$$\left\{\mathrm{state}\phantom{\rule{4pt}{0ex}}\mathbf{s}\right\}\mathbf{if}(x<z)\phantom{\rule{4pt}{0ex}}\mathbf{then}\phantom{\rule{4pt}{0ex}}y=0\phantom{\rule{4pt}{0ex}}\mathbf{else}\phantom{\rule{4pt}{0ex}}y=1\left\{\mathrm{state}\phantom{\rule{4pt}{0ex}}{\mathbf{s}}^{\prime}\right\}.$$
$$\begin{array}{c}\mathcal{H}({x}_{s}{z}_{s})=5,\hfill \\ \mathcal{H}({x}_{s}{z}_{s},{y}_{{s}^{\prime}})={P}_{x<z}\mathcal{H}({x}_{s}{z}_{s},{y}_{{s}^{\prime}}=0)+\hfill \\ \phantom{\rule{1.em}{0ex}}\phantom{\rule{1.em}{0ex}}\phantom{\rule{1.em}{0ex}}\phantom{\rule{1.em}{0ex}}\phantom{\rule{1.em}{0ex}}\phantom{\rule{1.em}{0ex}}\phantom{\rule{1.em}{0ex}}(1{P}_{x<z})\mathcal{H}({x}_{s}{z}_{s},{y}_{{s}^{\prime}}=1).\hfill \end{array}$$
(2) For the equality expression $(E=={E}^{\prime})$, it is a special case in which service providers may obtain all bits of X in E or ${E}^{\prime}$ when this expression is true. In this case, the leakage depends on how much information leaked from X to E and ${E}^{\prime}$, i.e., ${\mathcal{F}}_{LI{n}_{i}}(X\u21ddE)+{\mathcal{F}}_{LI{n}_{i}}(X\u21dd{E}^{\prime})$.
(3) For the complex expressions $(\neg B)$, $(B\wedge {B}^{\prime})$ and $(B\vee {B}^{\prime})$, the leakage of X depends on the quantity of leakage on each condition B and ${B}^{\prime}$, i.e., ${\mathcal{F}}_{LI{n}_{i}}(X\stackrel{B}{\u290f}Y)+{\mathcal{F}}_{LI{n}_{i}}(X\stackrel{{B}^{\prime}}{\u290f}Y)$.
These quantifying rules are consistent with the rules in [20]. Based on the quantifying on explicit and implicit flows, we can calculate the overall leakage from X to Y through different flows by the following rules.
QR 4.
$\forall X\in HI{n}_{i}$ and $Y\in LOu{t}_{i}$ satisfy $X\u21ddY$, then we have
$${\mathcal{F}}_{LI{n}_{i}}(X\u21ddY)=\sum _{\delta (X,Y)\in {\mathit{F}}_{i}}{\mathcal{F}}_{LI{n}_{i}}(\delta (X,Y)).$$
For QR 4, we also consider the worst case in which the leakage of information through each flow is different. Then, the overall quantity on leakage from X to Y is the sum of the leakage in each flow $\delta (X,Y)$. Based on the above quantifying rules and Definition 1, we can derive the following theorem on information flow security in ${s}_{i}$.
Theorem 1.
$\forall X\in HI{n}_{i}$ in ${s}_{i}$, the flows in ${s}_{i}$ are Ksecure if they satisfy that
where K is the security threshold.
$$\sum _{Y\in LOu{t}_{i}}{\mathcal{F}}_{LI{n}_{i}}(X\u21ddY)<K,\phantom{\rule{1.em}{0ex}}0\le K\le k,$$
Proof.
Based on the information entropy and the quantifying rules, it is easy to deduce that
$${\mathcal{F}}_{LI{n}_{i}}(X\u21ddLOu{t}_{i})\le \sum _{Y\in LOu{t}_{i}}{\mathcal{F}}_{LI{n}_{i}}(X\u21ddY)<K.$$
According to Definition 1, the flows in ${s}_{i}$ are secure. □
3.3. Quantifying the Information Flow in the Service Chain
In our threat model, different service providers may collude together to analyze s user’s private data. It means that different providers may share their knowledge on the lowlevel inputs and outputs during the service composition, which causes more leakage on a user’s private data. In order to quantify the additional leakage of private data across different services, we design the quantifying rules based on the analysis of the interservice flows.
For service chain ${S}_{ch}=\langle {s}_{0},{s}_{1},{s}_{2},\dots ,{s}_{n}\rangle $ where $I{n}_{ch}={\bigcup}_{0\le i\le n}I{n}_{i}=I{n}_{0,1,\dots ,n}$ and $Ou{t}_{ch}={\bigcup}_{0\le i\le n}Ou{t}_{i}=Ou{t}_{0,1,\dots ,n}$, the interservice flows may occur between the inputs and outputs across multiple services, which is shown as Figure 3 and Figure 4.
Adjacentservice flow is the basic interservice flow, which occurs because of the transmission on the intermediate result between the outputs and inputs across the adjacent services, such as the interservice flow between $Ou{t}_{i,2}$ and $I{n}_{i+1,2}$. Based on the adjacentservice flows, more interservice flows occur due to the transitivity of the information flow, such as the interservice flow between $I{n}_{i,n}$ and $Ou{t}_{j,1}$, $0\le i<j$. Therefore, we can formally define the interservice flows as follows [7]:
Definition 3.
$\forall X\in I{n}_{i}$ and $\forall Y\in Ou{t}_{j}$ where $0\le i<j\le n$, there are following two cases.
(1) $j=i+1$: $\exists {W}_{1}\in Ou{t}_{i}$, ${W}_{2}\in I{n}_{j}$, ${W}_{1}\to {W}_{2}$ that satisfy $X\u21dd{W}_{1}$ and ${W}_{2}\u21ddY$, then $X\u21dd{W}_{2}$ and $X\u21ddY$.
(2) $j>i+1$: $\exists W\in I{n}_{l}\cup Ou{t}_{l}$, $i<l<j$ that satisfy $X\u21ddW$ and $W\u21ddY$, then $X\u21ddY$.
Based on Definition 3, we can obtain all the interservice flows. Here, we define ${\mathit{F}}_{ch}=\{X\u21ddYX\in I{n}_{i},Y\in Ou{t}_{j},0\le i<j\le n\}$. According to the composition structure of service chain model, the intermediate result is the only method that passes the value of input source across multiple services. Then, we can obtain the following proposition.
Proposition 1.
$\forall X\in I{n}_{i}$ and $\forall Y\in Ou{t}_{j}$, $0\le i<j\le n$, if $X\u21ddY$, $\exists W\in I{n}_{j}$ satisfies that $X\u21ddW$ and $W\u21ddY$.
On the basis of Proposition 1, for each interservice flow $X\u21ddY$, its leakage from X to Y depends on the quantity of information that X passes to W and how much information is leaked through the intraservice flow $W\u21ddY$. Then, we use ${\mathcal{F}}_{LI{n}_{i,i+1,\dots ,j}}{(X\u21ddY)}_{W}$ to represent the additional leakage of X to Y through W, which can be calculated based on the following rule.
QR 5.
$\forall X\in HI{n}_{i}$, $Y\in LOu{t}_{j}$ and $W\in I{n}_{j}$ satisfy $X\u21ddW$ and $W\u21ddY$, then we have
$${\mathcal{F}}_{LI{n}_{i,i+1,\dots ,j}}{(X\u21ddY)}_{W}=\left\{\begin{array}{cc}0,\hfill & W\in {\mathit{LIn}}_{j},\hfill \\ {\mathcal{F}}_{LI{n}_{j}}(W\u21ddY),\hfill & W\in {\mathit{HIn}}_{j}.\hfill \end{array}\right.$$
For the interservice flow $X\u21ddY$ through W, there are two cases to consider in QR 5.
(1) $W\in LI{n}_{j}$: Because $W\in LI{n}_{j}$, the information of X is leaked through W. Then, service providers can not obtain additional information about X through the flow $W\u21ddY$. For this type of flow, ${\mathcal{F}}_{LI{n}_{i,i+1,\dots ,j}}{(X\u21ddY)}_{W}=0$.
(2) $W\in HI{n}_{j}$: During the service composition, it is considered secure that private data are delivered between highlevel sources and sinks. Thus, the explicit flows usually occur between the highlevel inputs and outputs. In this case, we also consider the worst assumption that all the information of X is delivered to W based on QR 2. Because $W\in HI{n}_{j}$, the information of X can not be leaked through W. The leakage of X depends on how much information of W leaks through the flow $W\u21ddY$. In addition, we assume that the leakage from X to Y is different from the previous flows. Then, we can obtain that ${\mathcal{F}}_{LI{n}_{i,i+1,\dots ,j}}{(X\u21ddY)}_{W}={\mathcal{F}}_{LI{n}_{j}}(W\u21ddY)$.
In addition, for each interservice flow $X\u21ddY$, the information of X may leak to Y through different W. Then, we can deduce the following lemma.
Lemma 1.
$\forall X\in Hi{n}_{i}$ and $Y\in LOu{t}_{j}$, $0\le i<j\le n$, satisfy $X\u21ddY$, then
where W satisfies $X\u21ddW$ and $W\u21ddY$.
$${\mathcal{F}}_{LI{n}_{i,i+1,\dots ,j}}(X\u21ddY)\le \sum _{W\in HI{n}_{j}}{\mathcal{F}}_{LI{n}_{j}}(W\u21ddY),$$
Proof.
According to the above analysis and the service chain model, we can deduce that
lemma is proved. □
$${\mathcal{F}}_{LI{n}_{i,i+1,\dots ,j}}(X\u21ddY)\le \sum _{W\in I{n}_{j}}{\mathcal{F}}_{LI{n}_{i,i+1,\dots ,j}}{(X\u21ddY)}_{W}=\sum _{W\in HI{n}_{j}}{\mathcal{F}}_{LI{n}_{j}}(W\u21ddY)$$
Based on Lemma 1, we can obtain that
Lemma 2.
In a service chain ${S}_{ch}=\{{s}_{0},{s}_{1},\dots ,{s}_{n}\}$, $\forall X\in Hi{n}_{i}$ and $\forall Y\in LOu{t}_{ch}$ satisfy $X\u21ddY$, then
where $\mathcal{L}{(X)}_{i}$ is the leakage of X to $\forall Y\in LOu{t}_{i}$ in service ${s}_{i}$, namely,
and $\mathcal{L}{(X)}_{i+1,\dots ,n}$ is the additional leakage of X to $\forall Y\in LOu{t}_{j},i<j\le n$ in following services ${s}_{i+1},\dots ,{s}_{j}$, namely,
and W satisfies $X\u21ddW$ and $W\u21ddY$ in Equation (10).
$${\mathcal{F}}_{LI{n}_{i,i+1,\dots ,n}}(X\u21ddLOu{t}_{ch})\le \mathcal{L}{(X)}_{i}+\mathcal{L}{(X)}_{i+1,\dots ,n},$$
$$\mathcal{L}{(X)}_{i}=\sum _{Y\in LOu{t}_{i}}{\mathcal{F}}_{LI{n}_{i}}(X\u21ddY),$$
$$\mathcal{L}{(X)}_{i+1,\dots ,n}=\sum _{j=i+1}^{n}\sum _{Y\in LOu{t}_{j}}\sum _{W\in HI{n}_{j}}{\mathcal{F}}_{LI{n}_{j}}(W\u21ddY),$$
Proof.
The proof is shown in Appendix A. □
Based on Lemma 2, we can derive the following information flow security theorem.
Theorem 2.
For a service chain ${s}_{ch}=\{{s}_{0},{s}_{1},\dots ,{s}_{n}\}$, the information flows are Ksecure if each service component ${s}_{j},0\le j\le n$, satisfies the following two conditions:
(1) Flows in each service component ${s}_{j}$ are secure.
(2) $\forall X\in HI{n}_{i}$, $0\le i<j$; it satisfies that
where K is the security threshold. $\mathcal{L}{(X)}_{i,\dots ,j1}$ is the overall leakage of X from ${s}_{i}$ to ${s}_{j1}$, namely,
and $\mathcal{L}{(X)}_{j}$ is the leakage of X in ${s}_{j}$, namely,
and W satisfies $X\u21ddW$ and $W\u21ddY$ in Equation (13).
$$\mathcal{L}{(X)}_{i,\dots ,j1}+\mathcal{L}{(X)}_{j}\le K,$$
$$\mathcal{L}{(X)}_{i,\dots ,j1}=\mathcal{L}{(X)}_{i}+\mathcal{L}{(X)}_{i+1,\dots ,j1}$$
$$\mathcal{L}{(X)}_{j}=\sum _{Y\in LOu{t}_{j}}\sum _{W\in HI{n}_{j}}{\mathcal{F}}_{LI{n}_{j}}(W\u21ddY)$$
Theorem 2 can be proved based on Lemma 2 and Definition 1. The security constraints on each service are given in Theorems 1 and 2, which makes a basis for the decentralized evaluation in mobile computing environment. Each service requires that the leakage of high level data through the intra and inter flows can not exceed the threshold K.
4. Distributed Quantitative Information Flow Evaluation for Service Composition in a Mobile Computing Environment
In MSS, services may be composed together to accomplish a user’s complex service requirement. For a service chain ${S}_{ch}=\{{s}_{0},{s}_{1},{s}_{2},\dots ,{s}_{n}\}$, there are several candidate service components with the same functions but different providers for each service step ${s}_{i}$. In order to efficiently evaluate the leakage for the service composition in a mobile computing environment, we propose a distributed quantitative information flow evaluation approach based on Theorems 1 and 2.
By referring to Figure 1, candidate services and security authorities will be involved in the evaluation procedure. The procedure includes two phases, i.e., intraservice evaluation and interservice evaluation. First, each candidate service is evaluated by its local SA, and SA generates a security certificate for the following interservice evaluation. When these candidate services are going to be composed together, the interservice evaluation process will be executed for the evaluation on leakage by interservice flows.
4.1. IntraService Evaluation
The intraservice evaluation is executed by SA before the service composition. SA evaluates each candidate service ${s}_{i}$ based on the quantifying rules and Theorem 1, and generates security certificates $C{e}_{i}$ for secure ones. This phase can be executed in an offline way to reduce the evaluation cost during the composition.
During the intraservice evaluation, SA first obtains the PDG of ${s}_{i}$, then computes the quantity of leakage from $\forall X\in HI{n}_{i}$ to $\forall Y\in LOu{t}_{i}$ based on the above QRs. After that, SA validates the flow in ${s}_{i}$. For secure services, a certificate $C{e}_{i}$ specifying the quantity of leakage on each highlevel inputs $\mathcal{L}{(X)}_{i}$ is generated for the following evaluation. Insecure ones without certificates are not allowed to be composed during the service composition. The intraservice evaluation procedure is presented as Algorithm 1.
In the computation of the leakage on $X\u21ddY$, we record the value in the certificate which can be used in the interservice evaluation phase. It can avoid the repeated work on quantifying leakage in a same service component. At the end of the procedure, we record the flows between high level inputs and outputs in certificate instead of computing its leakage. It is based on our worst assumption that information has been passed to high level outputs if there is a flow, which usually happens. In the meantime, it can save lots of efforts on computation of leakage during interservice evaluation without loss on security.
For a clear description on our intraservice evaluation algorithm, consider the following service’s program:
public static intCompare(inthin, int lin){ 
int hout, lout; 
hout=hin; 
lout=−1; 
if(hin>lin) 
lout=0; 
else 
lout=1; 
} 
In the above example, $hin$ and $hout$ are highlevel inputs and outputs while $lin$ and $lout$ are lowlevel ones. First, the code needs to be sent to SA. Then, SA constructs the PDG of ’Compare’ service and obtains the intraservice flow set ${\mathit{F}}_{i}=\{hin\to hout,hin\stackrel{hin>lin}{\u290f}lout,lin\stackrel{hin>lin}{\u290f}lout\}$. After that, we compute the leakage from $hin$ to $lout$ through the flow $hin\stackrel{hin>lin}{\u290f}lout$ based on QR 3. The leakage is validated according to security threshold K. If it is considered secure, the leakage of $hin$ through each flow, current overall leakage of $hin$ and the intraservice flows between $hin$ and $hout$ will be recorded in certificate $C{e}_{i}$ for the interservice evaluation. Finally, certificate $C{e}_{i}$ is signed by SA for the protection against manipulation.
Algorithm 1$Intra\_Eval()$ 
Input:${s}_{i}$, K 
Output:True or False, $C{e}_{i}$. 

4.2. InterService Evaluation
InterService evaluation is a vital phase to evaluate the leakage of high level data during service composition. In this phase, ${s}_{i}$ firstly retrieves current leakage on high level data $L{(X)}_{0,1,\dots ,i}$ and their inter flows ${\mathit{F}}_{0,1,\dots ,i}$. Then, ${s}_{i}$ requires ${s}_{i+1}$’s intra flow and leakage through the certificate $C{e}_{i+1}$, and it updates the interservice flow set and evaluates the candidate service ${s}_{i+1}$ according to Theorem 2. The interService evaluation procedure is shown as Algorithm 2.
During the evaluation on candidate service ${s}_{i+1}$, the additional leakage $L{(X)}_{i+1}$ is first calculated based on QR 5 and Lemma 1. After that, the overall leakage of each highlevel input, $L{(X)}_{0,1,\dots ,i+1}$, is computed and validated. If the overall leakage on any highlevel input exceeds security threshold K, it means that this candidate service ${s}_{i+1}$ is not secure for composition.
Algorithm 2$Inter\_Eval()$ 
Input:${s}_{i+1}$, K, $\mathcal{L}{(X)}_{0,1,\dots ,i}$, ${\mathit{F}}_{0,1,\dots ,i}$ 
Output: True or False, $\mathcal{L}(X)0,1,\dots ,i+1$, ${\mathit{F}}_{0,1,\dots ,i+1}$. 

4.3. Distributed Quantitative Information Flow Evaluation Algorithm for the Service Composition in Mobile Computing Environments
Based on the intraservice and interservice evaluation procedure, we propose a distributed quantitative information flow evaluation algorithm for service composition across multiple mobile devices. The evaluation algorithm on each high level input is presented as Algorithm 3.
Algorithm 3$Eval\_SC()$ 
Input:${s}_{i}$, ${s}_{i+1}$K 
Output:$\mathcal{L}(X)0,1,\dots ,n$ 

The algorithm is deployed on each service node in a mobile computing environment. Then, it works in a stepbystep way through the cooperation among multiple services in different mobile devices. For each possible service chain, a user sends a start message to the first service ${s}_{0}$ to start the evaluation procedure. During each step evaluation, each candidate service ${s}_{i+1}$ is evaluated by its predecessor ${s}_{i}$. If it returns true, ${s}_{i}$ will send a start message with current leakage and flows to its successors to continue the evaluation procedure. Otherwise, ${s}_{i}$ will send a failure message to a user to check whether this service chain is not secure, and the evaluation on this chain will stop. In addition, for each highlevel input in the service chain, it needs to be initiated in its first service based on the certificate. When the final service ${s}_{n}$ passes the evaluation, then it will send a success message with the overall leakage $\mathcal{L}{(X)}_{0,1,\dots ,n}$ on each high level input to user. The leakage can be used as a security criterion on different candidate service chains.
5. Experiments and Evaluations
The information flow security can be ensured by Theorem 2, and the security proof and analysis are shown in Appendix A. The basic comparisons of related approaches are shown in Table 1.
According to Table 1, traditional approaches validate the information flow across multiple services based on noninterference, i.e., qualitative verification. Comparing with quantitative approaches for a program, our approach supports the distributed quantifying on the flows across multiple services, which is more appropriate for the service composition in a mobile computing environment. Although we refer to the rules in [20], these rules are used to quantify the overall leakage of highlevel inputs instead of each flow’s leakage, which is more suitable for the centralized evaluation on a single program.
We also implemented our approach in Huawei mobile phones and ran the evaluation procedure in a WLAN network with the speed of 150 Mbps. The basic configuration is shown in Table 2.
In order to evaluate the performance of our approach, we construct a data set of android applications. These applications support two security levels, i.e., H (High) and L (Low). Each application has two highlevel inputs, two lowlevel inputs, two highlevel outputs and two lowlevel outputs. The flows between different inputs and outputs in each application are randomly generated. These applications can be regarded as basic services in mobile computing environments, which can be composed together as a composite service by network communication. For the composite service, the number of service step ${N}_{s}$ is from 1 to 10. The number of candidate service ${N}_{c}$ for each step is also from 1 to 10. ${N}_{s}$ means this composite service is composed by ${N}_{s}$ types of applications. ${N}_{c}$ means there are ${N}_{c}$ applications having similar functions but different implementations for each type service. In our experiments, we focus on the evaluations on service availability, time cost and energy cost.
(1) Service Availability: we use success number and success rate to evaluate the availability of the composite service. Success number ${N}_{suc}$ is the number of the composite services that successfully pass the validation. In addition, success rate ${R}_{suc}$ is the percentage of successful composite services in all possible ones, which can be calculated as the following equation:
where ${N}_{all}$ is the number of all possible composite services composed of different candidate applications in our data set.
$${R}_{suc}=\frac{{N}_{suc}}{{N}_{all}},$$
In this test, we execute the quantitative approaches with different security threshold (K = 8, 16, 32) and qualitative approaches 100 times separately. Figure 5 shows the average success number and success rate on service composition with different approaches.
Figure 5a shows the variation on average success number of service composition with fixed service steps (${N}_{s}=5$) but different number of candidate services ${N}_{c}$. With the increase in ${N}_{c}$, the number is rising because it is easier to be successfully composed with more candidate services. Figure 5b shows the variation on average success rate of service composition with fixed candidate services (${N}_{c}=5$) but a different number of service steps ${N}_{s}$. With the increase in ${N}_{s}$, the rate is declining because it is harder to find an appropriate service that can satisfy the security constraints.
Throughout both figures, the quantitative approaches have better performance compared to the qualitative approach. Especially for the success rate when ${N}_{s}=10$ in Figure 5b, few services could pass the qualitative validation which may cause failure on service composition. On the contrary, the success rate is still high in quantitative approaches. It indicates that the performance of the quantitative approach is apparently superior to that of the qualitative approach. Moreover, it is easier to be successful with a higher security threshold.
(2) Time Cost: we focus on the time cost on different types of information flow validation approaches. The time cost mainly includes two types of costs, i.e., computation and communication. Figure 6a shows the overall time cost including computation and communication on qualitative and quantitative approaches. With the increase in the number of candidate services, the time cost is rising because of the increase in the complexity and the number of possible service chains. It also costs more time due to the additional computations and communications in quantitative evaluation approaches. However, we can minimize the cost by precomputation on the quantity of leakage in each candidate service.
Figure 6b shows the average computation cost on each mobile device involved in the distributed and centralized quantitative approaches. We use the time cost on computation to represent the computation cost in this test. Instead of executing all of the evaluation work on a single device, the distributed way coordinates all participants to accomplish the evaluation together, which provides a better balance on the computation cost on mobile devices.
(3) Energy Cost on User’s device: During the evaluation, the energy cost is mainly caused by the computation and the communication cost on a user’s device. In our distributed approach, the user starts the evaluation with little computation cost. The computation cost is also evaluated in the above ’time cost’ test. Thus, we focus on the communication cost on the user’s mobile device in this test.
Figure 7 shows the communication cost on the user’s mobile device in the distributed and centralized evaluation approaches. For the centralized evaluation approach, all candidate services will be evaluated by user’s device. For our distributed approach, a user’s device only needs to send the request to its following services and receives the final results from the laststep services. Therefore, the communication cost in a centralized approach is higher than that in our distributed approach. By combining the evaluation on the computation cost, they indicate that the energy cost on a user’s device can be reduced by our distributed approach.
Based on the above experiments, the results show that our approach can provide better service availability with a small increase in time cost, provide a better load balance on computation and reduce the overload on the users’ mobile phones effectively.
6. Conclusions
Strict qualitative disciplines decrease the availability of the composite service and may cause a high failure rate on service composition. In this paper, we propose a distributed quantitative information flow evaluation approach for secure service composition in mobile computing environments. Our approach first evaluates the intraservice leakage between different inputs and outputs in each service, and then ensures the interservice flow security based on the constraints specified in Theorem 2. Our framework and approach works in a distributed way which is quite suitable for the evaluation executed by energylimited devices in mobile computing environments. Through experiments and evaluations, the results show that our approach can improve the service availability effectively and provide a better load balance on each device.
Author Contributions
Conceptualization, N.X. and J.M.; methodology, N.X., C.S. and J.M.; software, J.L. and N.X.; validation, J.L. and N.X.; formal analysis, N.X.; writing—original draft preparation, N.X.; writing—review and editing, C.S.; supervision, J.M.
Funding
This research is funded by the Natural Science Basis Research Plan in Shaanxi Province of China (Grant No. 2016JM6034) and the National Natural Science Foundation of China (61502368 and U1405255).
Acknowledgments
The authors would like to thank the administrative and technical support provided by Yang Xiang, Jun Zhang and Chao Chen from Swinburne University.
Conflicts of Interest
The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, or in the decision to publish the results.
Appendix A. Proof of Lemma 2
In this section, we are going to prove Lemma 2 by using mathematical induction.
Proof.
First, let $n=1$, then ${S}_{ch}=\{{s}_{0},{s}_{1}\}$ where $I{n}_{ch}=\{I{n}_{0},I{n}_{1}\}$ and $Ou{t}_{ch}=\{Ou{t}_{0},Ou{t}_{1}\}$. In addition, we consider the following two cases:
(1)$\forall X\in HI{n}_{0}$, based on the service chain model, $LOu{t}_{ch}=LOu{t}_{0}\bigcup LOu{t}_{1}$. Then, we can get that
$${\mathcal{F}}_{LI{n}_{0,1}}(X\u21ddLOu{t}_{ch})\le {\mathcal{F}}_{LI{n}_{0}}(X\u21ddLOu{t}_{0})+{\mathcal{F}}_{LI{n}_{0,1}}(X\u21ddLOu{t}_{1}).$$
For ${F}_{LI{n}_{0}}(X\u21ddLOu{t}_{0})$, we can infer that
$${\mathcal{F}}_{LI{n}_{0}}(X\u21ddLOu{t}_{0})\le \sum _{Y\in LOu{t}_{0}}{\mathcal{F}}_{LI{n}_{0}}(X\u21ddY).$$
For ${\mathcal{F}}_{LI{n}_{0,1}}(X\u21ddLOu{t}_{1})$,
$${\mathcal{F}}_{LI{n}_{0,1}}(X\u21ddLOu{t}_{1})\le \sum _{{Y}^{\prime}\in LOu{t}_{1}}{\mathcal{F}}_{LI{n}_{0,1}}(X\u21dd{Y}^{\prime}).$$
Based on Lemma 1, we can obtain that
where W satisfies $X\u21ddW$ and $W\u21ddY$.
$${\mathcal{F}}_{LI{n}_{0,1}}(X\u21dd{Y}^{\prime})\le \sum _{W\in HI{n}_{1}}{\mathcal{F}}_{LI{n}_{1}}(W\u21dd{Y}^{\prime}),$$
According to Equations (A1), (A2) and (A4),
$${\mathcal{F}}_{LI{n}_{0,1}}(X\u21ddLOu{t}_{ch})\le \sum _{Y\in LOu{t}_{0}}{\mathcal{F}}_{LI{n}_{0}}(X\u21ddY)+\sum _{{Y}^{\prime}\in LOu{t}_{1}}\sum _{W\in HI{n}_{1}}{\mathcal{F}}_{LI{n}_{1}}(W\u21dd{Y}^{\prime}).$$
(2)$\forall X\in HI{n}_{1}$, there is no inter flow because ${s}_{1}$ is the last service. Then,
$$\begin{array}{c}\hfill {\mathcal{F}}_{LI{n}_{1}}(X\u21ddLOu{t}_{1})\le \sum _{Y\in LOu{t}_{1}}{\mathcal{F}}_{LI{n}_{1}}(X\u21ddY).\end{array}$$
Therefore, when $n=1$, lemma is proved.
Then, we suppose that the Lemma is true when $n=m$. Then, the case that $n=m+1$ is proved as follows:
(1)$\forall X\in HI{n}_{i}$, $0\le i\le m$, we can obtain that $LOu{t}_{ch}=LOu{t}_{i,i+1,\dots ,m}\bigcup LOu{t}_{m+1}$. Then,
$${\mathcal{F}}_{LI{n}_{i,..m+1}}(X\u21ddLOu{t}_{ch})\le {\mathcal{F}}_{LI{n}_{i,..m}}(X\u21ddLOu{t}_{i,i+1,\dots ,m})+{\mathcal{F}}_{LI{n}_{i,..m+1}}(X\u21ddLOu{t}_{m+1})$$
Based on our assumption on $n=m$, we can get that
where W satisfies $X\u21ddW$ and $W\u21dd{Y}^{\prime}$.
$${\mathcal{F}}_{LI{n}_{i,\dots ,m}}(X\u21ddLOu{t}_{i,i+1,\dots ,m})\le \sum _{Y\in LOu{t}_{i}}{\mathcal{F}}_{LI{n}_{i}}(X\u21ddY)+\sum _{j=i+1}^{m}\sum _{{Y}^{\prime}\in LOu{t}_{j}}\sum _{W\in HI{n}_{j}}{\mathcal{F}}_{LI{n}_{j}}(W\u21dd{Y}^{\prime}),$$
Based on Lemma 1, we can deduce the following equation:
where W satisfies $X\u21ddW$ and $W\u21dd{Y}^{\prime}$.
$${\mathcal{F}}_{LI{n}_{i,\dots ,m+1}}(X\u21ddLOu{t}_{m+1})\le \sum _{{Y}^{\prime}\in LOu{t}_{m+1}}\sum _{W\in HI{n}_{m+1}}{\mathcal{F}}_{LI{n}_{m+1}}(W\u21dd{Y}^{\prime}),$$
Based on Equations (A5), A6), and (A7),
$${\mathcal{F}}_{LI{n}_{i,\dots ,m+1}}(X\u21ddLOu{t}_{ch})\le \sum _{Y\in LOu{t}_{i}}{\mathcal{F}}_{LI{n}_{i}}(X\u21ddY)+\sum _{j=i+1}^{m+1}\sum _{{Y}^{\prime}\in LOu{t}_{j}}\sum _{W\in HI{n}_{j}}{\mathcal{F}}_{LI{n}_{j}}(W\u21dd{Y}^{\prime}),$$
(2)$\forall X\in HI{n}_{m+1}$, we can prove that a lemma is true similar to case (2) in $n=1$.
Therefore, when $n=m+1$, Lemma 2 is proved. □
References
 Agiwal, M.; Roy, A.; Saxena, N. Next, Generation 5G Wireless Networks: A Comprehensive Survey. IEEE Commun. Surv. Tutor. 2016, 18, 1617–1655. [Google Scholar] [CrossRef]
 Beshley, H.; Kyryk, M.; Beshley, M.; Panchenko, O. Method of Information Flows Engineering and Resource Distribution in 4G/5G Heterogeneous Network for M2M Service Provisioning. In Proceedings of the 2018 IEEE 4th International Symposium on Wireless Systems within the International Conferences on Intelligent Data Acquisition and Advanced Computing Systems (IDAACSSWS), Lviv, Ukraine, 20–21 September 2018; pp. 229–233. [Google Scholar] [CrossRef]
 Ngoc, N.C.H.; Lin, D.; Nakaguchi, T.; Ishida, T. QoSAware Service Composition in Mobile Environments. In Proceedings of the 2014 IEEE 7th International Conference on ServiceOriented Computing and Applications, Matsue, Japan, 17–19 November 2014; pp. 97–104. [Google Scholar] [CrossRef]
 Ridhawi, Y.A.; Karmouch, A. Decentralized PlanFree SemanticBased Service Composition in Mobile Networks. IEEE Trans. Serv. Comput. 2015, 8, 17–31. [Google Scholar] [CrossRef]
 Palade, A.; Clarke, S. StigmergyBased QoS Optimisation for Flexible Service Composition in Mobile Communities. In Proceedings of the 2018 IEEE World Congress on Services (SERVICES), San Francisco, CA, USA, 2–7 July 2018; pp. 27–28. [Google Scholar] [CrossRef]
 Deng, S.; Huang, L.; Taheri, J.; Yin, J.; Zhou, M.; Zomaya, A.Y. MobilityAware Service Composition in Mobile Communities. IEEE Trans. Syst. Man Cybern. Syst. 2017, 47, 555–568. [Google Scholar] [CrossRef]
 Xi, N.; Ma, J.; Sun, C.; Zhang, T. Decentralized Information Flow Verification Framework for the Service Chain Composition in Mobile Computing Environments. In Proceedings of the 2013 IEEE 20th International Conference on Web Services, Santa Clara, CA, USA, 27 June–2 July 2013; pp. 563–570. [Google Scholar] [CrossRef]
 Bertino, E.; Squicciarini, A.C.; Mevi, D. A finegrained access control model for web services. In Proceedings of the IEEE International Conference on Services Computing (SCC 2004), Shanghai, China, 15–18 September 2004; pp. 33–40. [Google Scholar]
 Bhatti, R.; Bertino, E.; Ghafoor, A. A trustbased contextaware access control model for webservices. Distrib. Parallel Databases 2005, 18, 83–105. [Google Scholar] [CrossRef]
 Hutter, D.; Volkamer, M. Information Flow Control to Secure Dynamic Web Service Composition; SPC; Springer: Berlin/Heidelberg, Germany, 2006; Volume 3934, pp. 196–210. [Google Scholar]
 Nakajima, S. ModelChecking of Safety and Security Aspects in Web Service Flows; ICWE; Springer: Munich, Germany, 2004; Volume 3140, pp. 488–501. [Google Scholar]
 Rossi, S. Model Checking Adaptive Multilevel Service Compositions; FACS; Springer: Guimaraes, Portugal, 2010; pp. 106–124. [Google Scholar]
 She, W.; Yen, I.L.; Thuraisingham, B.; Huang, S.Y. RuleBased RunTime Information Flow Control in Service Cloud. In Proceedings of the 2011 IEEE International Conference on Web Services, Washington, DC, USA, 4–9 July 2011; pp. 524–531. [Google Scholar] [CrossRef]
 She, W.; Yen, I.L.; Thuraisingham, B.; Bertino, E. Securityaware service composition with finegrained information flow control. Serv. Comput. IEEE Trans. 2013, 6, 330–343. [Google Scholar] [CrossRef]
 Schwartz, E.J.; Avgerinos, T.; Brumley, D. All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask). In Proceedings of the 2010 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 16–19 May 2010; pp. 317–331. [Google Scholar] [CrossRef]
 Schuette, J.; Brost, G.S. LUCON: Data Flow Control for MessageBased IoT Systems. In Proceedings of the 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE), New York, NY, USA, 1–3 August 2018; pp. 289–299. [Google Scholar] [CrossRef]
 Denning, D.E. A Lattice Model of Secure Information Flow. Commun. ACM 1976, 19, 236–243. [Google Scholar] [CrossRef]
 Smith, G. Recent Developments in Quantitative Information Flow (Invited Tutorial). In Proceedings of the 2015 30th Annual ACM/IEEE Symposium on Logic in Computer Science, Kyoto, Japan, 6–10 July 2015; pp. 23–31. [Google Scholar] [CrossRef]
 Clark, D.; Hunt, S.; Malacaria, P. Quantitative Information Flow, Relations and Polymorphic Types. J. Log. Comput. 2005, 15, 181–199. [Google Scholar] [CrossRef]
 Clark, D.; Hunt, S.; Malacaria, P. A static analysis for quantifying information flow in a simple imperative language. J. Comput. Secur. 2007, 15, 321–371. [Google Scholar] [CrossRef]
 Backes, M.; Kopf, B.; Rybalchenko, A. Automatic Discovery and Quantification of Information Leaks. In Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 17–20 May 2009; IEEE Computer Society: Washington, DC, USA, 2009; pp. 141–153. [Google Scholar] [CrossRef]
 Smith, D.M.; Smith, G. Tight Bounds on Information Leakage from Repeated Independent Runs. In Proceedings of the 2017 IEEE 30th Computer Security Foundations Symposium (CSF), Santa Barbara, CA, USA, 21–25 August 2017; pp. 318–327. [Google Scholar] [CrossRef]
 Zhou, B.; Shi, Q.; Yang, P. A Survey on Quantitative Evaluation of Web Service Security. In Proceedings of the 2016 IEEE Trustcom/BigDataSE/ISPA, Tianjin, China, 23–26 August 2016; pp. 715–721. [Google Scholar] [CrossRef]
 Clark, D.; Hunt, S.; Malacaria, P. Quantitative Analysis of the Leakage of Confidential Data. Electron. Notes Theor. Comput. Sci. 2002, 59, 238–251. [Google Scholar] [CrossRef]
 Xi, N.; Sun, C.; Ma, J.; Shen, Y. Secure service composition with information flow control in service clouds. Future Gener. Comput. Syst. 2015, 49, 142–148. [Google Scholar] [CrossRef]
 Ferrante, J.; Ottenstein, K.J.; Warren, J.D. The Program Dependence Graph and Its Use in Optimization. ACM Trans. Program. Lang. Syst. 1987, 9, 319–349. [Google Scholar] [CrossRef]
 Snelting, G.; Robschink, T.; Krinke, J. Efficient Path Conditions in Dependence Graphs for Software Safety Analysis. ACM Trans. Softw. Eng. Methodol. 2006, 15, 410–457. [Google Scholar] [CrossRef]
Approach  Mode  Service Composition  

Our Approach  Quantitative  Distributed  √ 
She et al. [13,14]  Qualitative  Centralized  √ 
Xi et al. [25]  Qualitative  Distributed  √ 
Clark et al. [20,24]  Quantitative  Centralized  × 
Smith et al. [22]  Quantitative  Centralized  × 
Mobile Environment  
Network Type  WLAN 
Network Speed  150 Mbps 
Mobile Mode  random walk 
Mobile Devices  Huawei nova 3 
Device’s CPU and RAM  2.8 GHz, 6 G 
Mobile Device’s Operation System  Android 9.0 
Data Set  
Service Step  1–10 
Candidate Number  1–10 
Security Level  H, L 
High Level Input and Output  2, 2 
Low Level Input and Output  2, 2 
Flows between Input and Output  randomly generated 
© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).