Secure Service Composition with Quantitative Information Flow Evaluation in Mobile Computing Environments

The advances in mobile technologies enable mobile devices to cooperate with each other to perform complex tasks to satisfy users’ composite service requirements. However, data with different sensitivities and heterogeneous systems with diverse security policies pose a great challenge on information flow security during the service composition across multiple mobile devices. The qualitative information flow control mechanism based on non-interference provides a solid security assurance on the propagation of customer’s private data across multiple service participants. However, strict discipline limits the service availability and may cause a high failure rate on service composition. Therefore, we propose a distributed quantitative information flow evaluation approach for service composition across multiple devices in mobile environments. The quantitative approach provides us a more precise way to evaluate the leakage and supports the customized disciplines on information flow security for the diverse requirements of different customers. Considering the limited energy feature on mobile devices, we use a distributed evaluation approach to provide a better balance on consumption on each service participant. Through the experiments and evaluations, the results indicate that our approach can improve the availability of composite service effectively while the security can be ensured.


Introduction
With the development of intelligent terminal, 5G and IoT technologies, various mobile applications enrich our daily lives with more flexible and convenient IT services delivery [1,2]. Moreover, high speed processors and stable connections enable the efficient service interactions among different mobile devices. Based on service-oriented architecture, service composition across multiple mobile devices provides a promising way for integrating several distributed services to satisfy users' complex requirements [3]. Most works focus on improving the efficiency and availability of composite services in mobile computing [4][5][6]. However, various data with different sensitivities and heterogeneous systems with diverse security policies pose a great challenge on information flow security during the service composition across multiple devices [7]. In particular, if one service component contains malicious code or vulnerabilities, customers' sensitive data may be leaked. In addition, illegal providers or attackers may collude together to eavesdrop private data more effectively based on feedback from different components, in which private data may also be leaked even if individual service is protected by an access control mechanism [8,9].
In order to prevent the data leakage during service composition, types of information flow mechanisms are proposed including type of system [10], model checking [11,12], program static analysis [13,14] and real-time monitoring [15,16]. Considering the limited energy and dynamic composition relationships, we propose a distributed information flow verification framework for secure service composition in mobile computing environments [7]. Although these approaches provide a solid assurance on information flow security of composite service, implementing them in a real application is still a challenge. These approaches are based on a qualitative discipline, i.e., non-interference [17], which strictly limits the complete absence of any causal flow from high-level sources to low-level sinks. Too strict discipline causes the loss of service availability on account of the security limitations on the cross-level operations in program. It may also cause a high failure rate on service composition because few services can satisfy the discipline. In fact, it is usually permitted in practice to tolerate some leakage for a better service availability. For example, the area of our location may be allowed to be observed by mobile service providers for a customized and more precise route planning. Therefore, for a better balance on service security and availability, it is important for us to measure "how much" information is leaked and "how many" leaks are allowed by customers during the service composition.
In order to quantifying the leakage, many quantitative information flow approaches are proposed based on Shannon's information theory [18]. The authors in [19,20] propose the approach to quantify interference in a simple imperative language for the information flow verification. The authors in [21] present an automatic method for information-flow verification that discovers what information is leaked and computes its comprehensive quantitative interpretation. The authors in [22] establish a tight bound on the maximum leakage from repeated independent runs. However, these approaches mainly focus on a single program that works in a centralized way. During the service composition, there may be several services with similar functions but developed by different mobile service providers, which requires us to select appropriate services for optimized performance [6,23]. It would be a resource-consuming work to evaluate all possible services by a single piece of equipment, which is hard to be implemented due to the energy-limited features of mobile terminals. In addition, all candidate services must be reevaluated even if a small change of one service occurs, which also increases the evaluation load on mobile devices.
In this paper, we present a distributed quantitative information flow evaluation approach applied on the service composition in a mobile computing environment. Our contributions mainly include: (1) we make the quantifying rules on information flows based on the static analysis; (2) we propose the quantitative definition on secure information flow in composite services and specify the security constraints on each service component for distributed evaluation; (3) we design a distributed quantitative information flow evaluation framework and approach for secure service composition in mobile environment, which can provide a better service availability and load balance with affordable costs.
The rest of the paper is structured as follows. Section 2 presents the basic models of the mobile service system. Section 3 details the quantifying rules and the security theorems based on the static analysis. In Section 4, the distributed quantitative information flow evaluation approach is proposed according to the security theorems. Section 5 evaluates our proposed approach. Section 6 concludes the paper.

System Model
As shown in Figure 1, the Mobile Service System (MSS) is a distributed IT system consisting of multiple network domains. A domain can have various types of resources, such as data, information, and other physical resources. Mobile terminals in the domain can use these resources and its application functions to provide various services to users, e.g., s 1 , s 2 , etc. These services can be composed together for a more complex users' application. Moreover, there are several candidate services that can execute the similar functions for a given service. These services can be developed by different service providers.
For example, s 1 can be provided by A, B or other service providers, i.e., s 1|A , s 1|B and so on. In addition, there is also a security authority in each domain for the security management in the domain. Referring to the system model in [7], each domain D can be represented as D = S, R, SA , where S is the set of various services, i.e., S = {s 0 , s 1 , . . . }; R is the set of physical resources that can be collected by mobile services in the domain, e.g., environment data, traffic data and so on; SA is the security authority. Each service s i in S is defined as a tuple s i = id i , dom i , In i , Out i , Pg i , Ce i , where id i is the identifier of the service provider; dom i is the domain that s i belongs to; In i is the set of inputs in s i ; Out i is the set of the outputs in s i ; Pg i is the program of s i , which describes the execution procedure of s i ; Ce i is the certificate of the service which specifies the security properties.
Due to the user's complex requirements, different services s i in multiple domains may be composed together to achieve the service goal. In this paper, we investigate a typical composite service, i.e., the service chain S ch [7], as shown in Figure 2. A service chain is widely used in service composition because of its simplified composition structure which is easy to deploy and control. In service chain S ch , s 0 receives the request from user and starts the composition procedure. Then, each service s i , 0 < i < n, receives the intermediate result as the inputs from its unique predecessor s i−1 , executes the service program Pg i and outputs the intermediate result to its unique successor s i+1 . Finally, the last one s n sends the final results to the user. During the execution, service providers (SP) can input and obtain some data according to the service request, which may cause the leakage of a user's private information.

Threat Model
Based on our system model, we make the following assumptions about the security capabilities of the participants in MSS.
• User: The user is the data owner who has access to all inputs and outputs including public and private information. We partition them into two sets: L(low) for public data and H(high) for private data. In addition, users don't intentionally collude to leak the private data.
• Service Providers: Service providers from different mobile devices are honest but curious. They execute the service functions in accordance with their descriptions. They can not access users' high-level data directly due to the privacy policies, but they can freely observe the public data including all low-level inputs and outputs before and after (but not during) the service's execution. Some of them may try to analyze the value of the private data based on users' low-level inputs and outputs on purpose. In addition, different services may collude together to analyze a user's private data more effectively.
For a clear description, we define LIn i and LOut i as the public inputs and outputs with low-level security L. H In i and HOut i are defined as the private inputs and outputs with high-level security H. Then, we can obtain that In i = LIn i H In i and Out i = LOut i HOut i .
• SA: Security Authority is the trusted third party that executes the security function honestly without any interception and manipulation.

Quantitative Information Flow Model Based on Information Theory
Shannon's theory provides a standard measurement on information quantity known as self-information or entropy. For random variable X for storing different data x ∈ X in service program Pg i , its entropy can be defined as [24] H where X is a random variable, p(x) is shorthand for P(X = x), which is the probability of X = x, and the sum is over the range of X. In Equation (1), the base for log is conventional to use base 2 for the analysis in computer program. The conditional entropy can be used to represent the amount of information carried by X give the knowledge of variable Y, which is defined as: where H(X|Y = y) = ∑ x p(x|y) log 1 p(x|y) , and p(x|y) is the probability that random variable X = x given that random variable Y = y.
Based on the information quantity on each variable, the mutual information provides a general way of measuring the amount of information stored by X that can be learned by observing another random variable Y, which is defined as: According to our system model, LIn and LOut are the low-level inputs and outputs that service providers can observe during the service composition. Based on Equation (3), for each X ∈ In, the leakage through the flow from X to Y ∈ Out can be defined as We use F LIn (X LOut) to represent the overall leakage of X through all different flows from X to any Y in LOut. For a clear description, we assume all the inputs and outputs are k bits variables and the inputs are uniformly distributed and independent from each other in the following calculation. Then, we can derive the first basic Quantifying Rule (QR) as follows: Then, we can obtain the quantitative definition on information flow security in a service as follows: where LIn and LOut are the low-level input and output observations, and K is the security threshold that depends on a user's requirement and the system running environment.
According to Definition 1, we can derive the following two facts: (1) if K = 0, it requires that there is no flow from X to any Y in LOut, which becomes the qualitative definition of standard non-interference as shown in [25]. (2) if 0 < K ≤ k, it is considered secure if there is at least k − K unknown bits for service providers. A user can choose different thresholds for diverse security requirements in different running environments.

Quantifying the Information Flow in Service Components
Clark et al. [20] propose the basic analysis rules to quantify leakage for a software program with sequence, branch and loop structures. These rules are specified for the single program analysis in a centralized way, which aim at quantifying the overall leakage instead of each flow's leakage. Therefore, they don't support distributed quantifying across multiple services. Based on some basic rules in [20], we design the improved quantifying rules on different information flows through the static analysis. Our rules are based on the worst case assumption for guaranteeing the security. First, for the s i 's program Pg i , its syntax can be defined as follow by referring to [20]. It is a simple imperative language including all basic notions, operations and structures in a program: There are two kinds of flows to consider, i.e., explicit and implicit flow [17]. The explicit flow occurs as a result of executing the assignment statement. For example, for the statement var := E, if E contains variable var, there is an explicit flow between var and var , namely var → var . Implicit flow occurs as a result of executing a statement C or not when this statement C is conditioned on the value of an binary expression B. This type of flow usually exists in the branch and the loop structures. If B contains var and var appears in C or C as an objective variable, there is an implicit flow between var and var , namely var B var . Based on the basic dependence and its transitivity, we can define the intra flows from var to var as follow, which is represented as δ(var, var ).
Definition 2. ∀var, var ∈ Var in s i , and there are four cases to consider: (1) ∃v ∈ Var that satisfies var → v and v → var , then δ(var, var ) = var → var .
(4) ∃v ∈ Var that satisfies var B v and v B var , then δ(var, var ) = var B var .
Here, we use var var to represent all the flows from var to var . According to our attacker model, the attacker can observe the low-level inputs and outputs before and after the execution of service. Thus, we mainly focus on the flows between the inputs and outputs. In addition, we can also obtain that In i ⊆ Var and Out i ⊆ Var. In order to analyze these flows among the different inputs and outputs in s i , we construct the PDG (Program Dependence Graph) first [26], and then use the program slicing [27] to obtain all the flows from inputs to outputs based on Definition 2. Then, we define F i = {δ(X, Y)|X ∈ In i , Y ∈ Out i } as the set of all intra flows in s i for the following calculation.
Based on the definition of F i , we can derive the following quantifying rules on the leakage of each flow in s i . In this paper, we consider the worst case assumptions in which we focus on the computation of the upper bound of leakage for a strong security assurance.
where LIn i is the low level input observations in s i .
QR 2 is used to analyze the leakage of the explicit flow. It is easy to follow that, when there is an explicit flow from X to Y, we regard this as all the information of X having been delivered to Y based on knowledge of LIn i , i.e., H(X|Y, LIn i ) = 0.
QR 3 is used to analyze the leakage of the implicit flow, which includes the following three cases.
(1) For the basic boolean expressions (E < E ) or (E > E ), we consider the worst case in which the value of B and E can be observed based on the knowledge of Y and Z. Then, attackers can deduce one more bit information about X in E at most after the service execution, which complies with 1 − Bit rule in [20].
For example, for the following program in which x is the 5 bits high level input ranging from −16 to 15, y is the low level output, If attackers know the value of z, then he can deduce if the value of x is greater or less than z through the output value of y. Based on information theory, the entropy of x in state s and s can be calculated as follows: H(x s |z s , y s ) = P x<z H(x s |z s , y s = 0)+ (1 − P x<z )H(x s |z s , y s = 1).
In addition, we can also get that H(x s |z s , y s ) is minimum when z = 0, i.e., Min(H(x s |z s , y s )) = (1/2)log(16) + (1/2)log(16) = 4. Then, the attacker can obtain one bit of information about x at most through this flow.
(2) For the equality expression (E == E ), it is a special case in which service providers may obtain all bits of X in E or E when this expression is true. In this case, the leakage depends on how much information leaked from X to E and E , i.e., F LIn i (X E) + F LIn i (X E ).
These quantifying rules are consistent with the rules in [20]. Based on the quantifying on explicit and implicit flows, we can calculate the overall leakage from X to Y through different flows by the following rules.
For QR 4, we also consider the worst case in which the leakage of information through each flow is different. Then, the overall quantity on leakage from X to Y is the sum of the leakage in each flow δ(X, Y). Based on the above quantifying rules and Definition 1, we can derive the following theorem on information flow security in s i . Theorem 1. ∀X ∈ H In i in s i , the flows in s i are K-secure if they satisfy that where K is the security threshold.
Proof. Based on the information entropy and the quantifying rules, it is easy to deduce that According to Definition 1, the flows in s i are secure.

Quantifying the Information Flow in the Service Chain
In our threat model, different service providers may collude together to analyze s user's private data. It means that different providers may share their knowledge on the low-level inputs and outputs during the service composition, which causes more leakage on a user's private data. In order to quantify the additional leakage of private data across different services, we design the quantifying rules based on the analysis of the inter-service flows.
For service chain S ch = s 0 , s 1 , s 2 , . . . , s n where In ch = 0≤i≤n In i = In 0,1,...,n and Out ch = 0≤i≤n Out i = Out 0,1,...,n , the inter-service flows may occur between the inputs and outputs across multiple services, which is shown as Figures 3 and 4.  Adjacent-service flow is the basic inter-service flow, which occurs because of the transmission on the intermediate result between the outputs and inputs across the adjacent services, such as the inter-service flow between Out i,2 and In i+1,2 . Based on the adjacent-service flows, more inter-service flows occur due to the transitivity of the information flow, such as the inter-service flow between In i,n and Out j,1 , 0 ≤ i < j. Therefore, we can formally define the inter-service flows as follows [7]: Definition 3. ∀X ∈ In i and ∀Y ∈ Out j where 0 ≤ i < j ≤ n, there are following two cases.
(1) j = i + 1: ∃W 1 ∈ Out i , W 2 ∈ In j , W 1 → W 2 that satisfy X W 1 and W 2 Y, then X W 2 and X Y. (2) j > i + 1: ∃W ∈ In l ∪ Out l , i < l < j that satisfy X W and W Y, then X Y.
Based on Definition 3, we can obtain all the inter-service flows. Here, we define F ch = {X Y|X ∈ In i , Y ∈ Out j , 0 ≤ i < j ≤ n}. According to the composition structure of service chain model, the intermediate result is the only method that passes the value of input source across multiple services. Then, we can obtain the following proposition. Proposition 1. ∀X ∈ In i and ∀Y ∈ Out j , 0 ≤ i < j ≤ n, if X Y, ∃W ∈ In j satisfies that X W and W Y.
On the basis of Proposition 1, for each inter-service flow X Y, its leakage from X to Y depends on the quantity of information that X passes to W and how much information is leaked through the intra-service flow W Y. Then, we use F LIn i,i+1,...,j (X Y) W to represent the additional leakage of X to Y through W, which can be calculated based on the following rule. QR 5. ∀X ∈ H In i , Y ∈ LOut j and W ∈ In j satisfy X W and W Y, then we have For the inter-service flow X Y through W, there are two cases to consider in QR 5.
(1) W ∈ LIn j : Because W ∈ LIn j , the information of X is leaked through W. Then, service providers can not obtain additional information about X through the flow W Y. For this type of flow, F LIn i,i+1,...,j (X Y) W = 0. (2) W ∈ H In j : During the service composition, it is considered secure that private data are delivered between high-level sources and sinks. Thus, the explicit flows usually occur between the high-level inputs and outputs. In this case, we also consider the worst assumption that all the information of X is delivered to W based on QR 2. Because W ∈ H In j , the information of X can not be leaked through W. The leakage of X depends on how much information of W leaks through the flow W Y. In addition, we assume that the leakage from X to Y is different from the previous flows. Then, we can obtain that F LIn i,i+1,...,j (X Y) W = F LIn j (W Y). In addition, for each inter-service flow X Y, the information of X may leak to Y through different W. Then, we can deduce the following lemma. Lemma 1. ∀X ∈ Hin i and Y ∈ LOut j , 0 ≤ i < j ≤ n, satisfy X Y, then where W satisfies X W and W Y.
Proof. According to the above analysis and the service chain model, we can deduce that lemma is proved.
Based on Lemma 1, we can obtain that Lemma 2. In a service chain S ch = {s 0 , s 1 , . . . , s n }, ∀X ∈ Hin i and ∀Y ∈ LOut ch satisfy X Y, then F LIn i,i+1,...,n (X LOut ch ) ≤ L(X) i + L(X) i+1,...,n , where L(X) i is the leakage of X to ∀Y ∈ LOut i in service s i , namely, and L(X) i+1,...,n is the additional leakage of X to ∀Y ∈ LOut j , i < j ≤ n in following services s i+1 , . . . , s j , namely, and W satisfies X W and W Y in Equation (10).

Proof. The proof is shown in Appendix A.
Based on Lemma 2, we can derive the following information flow security theorem. (2) ∀X ∈ H In i , 0 ≤ i < j; it satisfies that L(X) i,...,j−1 + L(X) j ≤ K, where K is the security threshold. L(X) i,...,j−1 is the overall leakage of X from s i to s j−1 , namely, L(X) i,...,j−1 = L(X) i + L(X) i+1,...,j−1 (12) and L(X) j is the leakage of X in s j , namely, and W satisfies X W and W Y in Equation (13).
Theorem 2 can be proved based on Lemma 2 and Definition 1. The security constraints on each service are given in Theorems 1 and 2, which makes a basis for the decentralized evaluation in mobile computing environment. Each service requires that the leakage of high level data through the intra and inter flows can not exceed the threshold K.

Distributed Quantitative Information Flow Evaluation for Service Composition in a Mobile Computing Environment
In MSS, services may be composed together to accomplish a user's complex service requirement. For a service chain S ch = {s 0 , s 1 , s 2 , . . . , s n }, there are several candidate service components with the same functions but different providers for each service step s i . In order to efficiently evaluate the leakage for the service composition in a mobile computing environment, we propose a distributed quantitative information flow evaluation approach based on Theorems 1 and 2.
By referring to Figure 1, candidate services and security authorities will be involved in the evaluation procedure. The procedure includes two phases, i.e., intra-service evaluation and inter-service evaluation. First, each candidate service is evaluated by its local SA, and SA generates a security certificate for the following inter-service evaluation. When these candidate services are going to be composed together, the inter-service evaluation process will be executed for the evaluation on leakage by inter-service flows.

Intra-Service Evaluation
The intra-service evaluation is executed by SA before the service composition. SA evaluates each candidate service s i based on the quantifying rules and Theorem 1, and generates security certificates Ce i for secure ones. This phase can be executed in an offline way to reduce the evaluation cost during the composition.
During the intra-service evaluation, SA first obtains the PDG of s i , then computes the quantity of leakage from ∀X ∈ H In i to ∀Y ∈ LOut i based on the above QRs. After that, SA validates the flow in s i . For secure services, a certificate Ce i specifying the quantity of leakage on each high-level inputs L(X) i is generated for the following evaluation. Insecure ones without certificates are not allowed to be composed during the service composition. The intra-service evaluation procedure is presented as Algorithm 1.
In the computation of the leakage on X Y, we record the value in the certificate which can be used in the inter-service evaluation phase. It can avoid the repeated work on quantifying leakage in a same service component. At the end of the procedure, we record the flows between high level inputs and outputs in certificate instead of computing its leakage. It is based on our worst assumption that information has been passed to high level outputs if there is a flow, which usually happens. In the meantime, it can save lots of efforts on computation of leakage during inter-service evaluation without loss on security.
For a clear description on our intra-service evaluation algorithm, consider the following service's program: In the above example, hin and hout are high-level inputs and outputs while lin and lout are low-level ones. First, the code needs to be sent to SA. Then, SA constructs the PDG of 'Compare' service and obtains the intra-service flow set F i = {hin → hout, hin hin>lin lout, lin hin>lin lout}.
After that, we compute the leakage from hin to lout through the flow hin hin>lin lout based on QR 3.
The leakage is validated according to security threshold K. If it is considered secure, the leakage of hin through each flow, current overall leakage of hin and the intra-service flows between hin and hout will be recorded in certificate Ce i for the inter-service evaluation. Finally, certificate Ce i is signed by SA for the protection against manipulation. for each Y ∈ LOut i do 4: for each δ(X, Y) ∈ F i do 5: compute F LIn i (δ(X, Y)) based on QR 2 and QR 3 6:

Algorithm 1 Intra_Eval()
end for 8: record the F LIn i (X Y) into service certificate Ce i 9: L(X) i = L(X) i + F LIn i (X Y) 10: end for 11: if L(X) i ≥ K then 12: return False 13: end if 14: record the L(X) i into service certificate Ce i

15:
for each Y ∈ HOut i do 16: if ∃δ(X, Y) ∈ F i then 17: record the flow from X to Y into service certificate Ce i

Inter-Service Evaluation
Inter-Service evaluation is a vital phase to evaluate the leakage of high level data during service composition. In this phase, s i firstly retrieves current leakage on high level data L(X) 0,1,...,i and their inter flows F 0,1,...,i . Then, s i requires s i+1 's intra flow and leakage through the certificate Ce i+1 , and it updates the inter-service flow set and evaluates the candidate service s i+1 according to Theorem 2. The inter-Service evaluation procedure is shown as Algorithm 2.
During the evaluation on candidate service s i+1 , the additional leakage L(X) i+1 is first calculated based on QR 5 and Lemma 1. After that, the overall leakage of each high-level input, L(X) 0,1,...,i+1 , is computed and validated. If the overall leakage on any high-level input exceeds security threshold K, it means that this candidate service s i+1 is not secure for composition.

Distributed Quantitative Information Flow Evaluation Algorithm for the Service Composition in Mobile Computing Environments
Based on the intra-service and inter-service evaluation procedure, we propose a distributed quantitative information flow evaluation algorithm for service composition across multiple mobile devices. The evaluation algorithm on each high level input is presented as Algorithm 3.

end if
The algorithm is deployed on each service node in a mobile computing environment. Then, it works in a step-by-step way through the cooperation among multiple services in different mobile devices. For each possible service chain, a user sends a start message to the first service s 0 to start the evaluation procedure. During each step evaluation, each candidate service s i+1 is evaluated by its predecessor s i . If it returns true, s i will send a start message with current leakage and flows to its successors to continue the evaluation procedure. Otherwise, s i will send a failure message to a user to check whether this service chain is not secure, and the evaluation on this chain will stop. In addition, for each high-level input in the service chain, it needs to be initiated in its first service based on the certificate. When the final service s n passes the evaluation, then it will send a success message with the overall leakage L(X) 0,1,...,n on each high level input to user. The leakage can be used as a security criterion on different candidate service chains.

Experiments and Evaluations
The information flow security can be ensured by Theorem 2, and the security proof and analysis are shown in Appendix A. The basic comparisons of related approaches are shown in Table 1.  Table 1, traditional approaches validate the information flow across multiple services based on non-interference, i.e., qualitative verification. Comparing with quantitative approaches for a program, our approach supports the distributed quantifying on the flows across multiple services, which is more appropriate for the service composition in a mobile computing environment. Although we refer to the rules in [20], these rules are used to quantify the overall leakage of high-level inputs instead of each flow's leakage, which is more suitable for the centralized evaluation on a single program.
We also implemented our approach in Huawei mobile phones and ran the evaluation procedure in a WLAN network with the speed of 150 Mbps. The basic configuration is shown in Table 2. In order to evaluate the performance of our approach, we construct a data set of android applications. These applications support two security levels, i.e., H (High) and L (Low). Each application has two high-level inputs, two low-level inputs, two high-level outputs and two low-level outputs. The flows between different inputs and outputs in each application are randomly generated. These applications can be regarded as basic services in mobile computing environments, which can be composed together as a composite service by network communication. For the composite service, the number of service step N s is from 1 to 10. The number of candidate service N c for each step is also from 1 to 10. N s means this composite service is composed by N s types of applications. N c means there are N c applications having similar functions but different implementations for each type service. In our experiments, we focus on the evaluations on service availability, time cost and energy cost.
(1) Service Availability: we use success number and success rate to evaluate the availability of the composite service. Success number N suc is the number of the composite services that successfully pass the validation. In addition, success rate R suc is the percentage of successful composite services in all possible ones, which can be calculated as the following equation: where N all is the number of all possible composite services composed of different candidate applications in our data set.
In this test, we execute the quantitative approaches with different security threshold (K = 8, 16, 32) and qualitative approaches 100 times separately. Figure 5 shows the average success number and success rate on service composition with different approaches. Figure 5a shows the variation on average success number of service composition with fixed service steps (N s = 5) but different number of candidate services N c . With the increase in N c , the number is rising because it is easier to be successfully composed with more candidate services. Figure 5b shows the variation on average success rate of service composition with fixed candidate services (N c = 5) but a different number of service steps N s . With the increase in N s , the rate is declining because it is harder to find an appropriate service that can satisfy the security constraints. Throughout both figures, the quantitative approaches have better performance compared to the qualitative approach. Especially for the success rate when N s = 10 in Figure 5b, few services could pass the qualitative validation which may cause failure on service composition. On the contrary, the success rate is still high in quantitative approaches. It indicates that the performance of the quantitative approach is apparently superior to that of the qualitative approach. Moreover, it is easier to be successful with a higher security threshold.
(2) Time Cost: we focus on the time cost on different types of information flow validation approaches. The time cost mainly includes two types of costs, i.e., computation and communication. Figure 6a shows the overall time cost including computation and communication on qualitative and quantitative approaches. With the increase in the number of candidate services, the time cost is rising because of the increase in the complexity and the number of possible service chains. It also costs more time due to the additional computations and communications in quantitative evaluation approaches. However, we can minimize the cost by precomputation on the quantity of leakage in each candidate service.  Figure 6b shows the average computation cost on each mobile device involved in the distributed and centralized quantitative approaches. We use the time cost on computation to represent the computation cost in this test. Instead of executing all of the evaluation work on a single device, the distributed way coordinates all participants to accomplish the evaluation together, which provides a better balance on the computation cost on mobile devices.
(3) Energy Cost on User's device: During the evaluation, the energy cost is mainly caused by the computation and the communication cost on a user's device. In our distributed approach, the user starts the evaluation with little computation cost. The computation cost is also evaluated in the above 'time cost' test. Thus, we focus on the communication cost on the user's mobile device in this test. Figure 7 shows the communication cost on the user's mobile device in the distributed and centralized evaluation approaches. For the centralized evaluation approach, all candidate services will be evaluated by user's device. For our distributed approach, a user's device only needs to send the request to its following services and receives the final results from the last-step services. Therefore, the communication cost in a centralized approach is higher than that in our distributed approach. By combining the evaluation on the computation cost, they indicate that the energy cost on a user's device can be reduced by our distributed approach.
Based on the above experiments, the results show that our approach can provide better service availability with a small increase in time cost, provide a better load balance on computation and reduce the overload on the users' mobile phones effectively.

Conclusions
Strict qualitative disciplines decrease the availability of the composite service and may cause a high failure rate on service composition. In this paper, we propose a distributed quantitative information flow evaluation approach for secure service composition in mobile computing environments. Our approach first evaluates the intra-service leakage between different inputs and outputs in each service, and then ensures the inter-service flow security based on the constraints specified in Theorem 2. Our framework and approach works in a distributed way which is quite suitable for the evaluation executed by energy-limited devices in mobile computing environments. Through experiments and evaluations, the results show that our approach can improve the service availability effectively and provide a better load balance on each device.

Acknowledgments:
The authors would like to thank the administrative and technical support provided by Yang Xiang, Jun Zhang and Chao Chen from Swinburne University.

Conflicts of Interest:
The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, or in the decision to publish the results.

Appendix A. Proof of Lemma 2
In this section, we are going to prove Lemma 2 by using mathematical induction.
For F LIn 0 (X LOut 0 ), we can infer that For F LIn 0,1 (X LOut 1 ), Based on Lemma 1, we can obtain that where W satisfies X W and W Y. According to Equations (A1), (A2) and (A4), (2) ∀X ∈ H In 1 , there is no inter flow because s 1 is the last service. Then, Therefore, when n = 1, lemma is proved. Then, we suppose that the Lemma is true when n = m. Then, the case that n = m + 1 is proved as follows: (1) ∀X ∈ H In i , 0 ≤ i ≤ m, we can obtain that LOut ch = LOut i,i+1,...,m LOut m+1 . Then, F LIn i,..m+1 (X LOut ch ) ≤ F LIn i,..m (X LOut i,i+1,...,m ) + F LIn i,..m+1 (X LOut m+1 ) Based on our assumption on n = m, we can get that F LIn i,...,m (X where W satisfies X W and W Y . Based on Lemma 1, we can deduce the following equation: where W satisfies X W and W Y . Based on Equations (A5)-(A7), F LIn i,...,m+1 (X ∀X ∈ H In m+1 , we can prove that a lemma is true similar to case (2) in n = 1. Therefore, when n = m + 1, Lemma 2 is proved.