Planning and Verifying Service Composition

A static approach is proposed to study secure composition of services.
We extend the lambda-calculus with primitives for selecting and invoking services that respect given security requirements.
Security-critical code is enclosed in policy framings with a possibly nested, local scope. Policy framings enforce safety and liveness properties. The actual run-time behaviour of services is over-approximated by a type and effect system.
Types are standard, and effects include the actions with possible security  concerns - as well as information about which services may be invoked at run-time.
An approximation is model-checked to verify policy framings within their scopes. This allows for removing any run-time execution monitor, and for determining the plans driving the selection of those services that match the security requirements on demand.