Abstract
We present an automated and efficient approach for the verification of information flow control for business process models. Building on the concept of Place-based Non-Interference, the novelty is that Petri net reachability is employed to detect places in which information leaks occur. We show that the approach is sound and complete, and present its implementation, the Anica tool. Anica employs state-of-the-art model-checking algorithms to test reachability. An extensive evaluation comprising over 550 industrial process models is carried out and shows that information flow analysis of process models can be done in milliseconds.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Accorsi, R., Lehmann, A. (2012). Automatic Information Flow Analysis of Business Process Models. In: Barros, A., Gal, A., Kindler, E. (eds) Business Process Management. BPM 2012. Lecture Notes in Computer Science, vol 7481. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32885-5_13
DOI: https://doi.org/10.1007/978-3-642-32885-5_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32884-8
Online ISBN: 978-3-642-32885-5
eBook Packages: Computer Science (R0)