Abstract
The verification of access controls is essential for building secure systems. Model checking is an automated technique for verifying finite state machines; the properties to be verified are usually expressed as formulae in temporal logic. In this paper we present an approach to verify the access control security properties of a security-annotated business process model. To this end we utilise a security-enhanced BPMN notation to define access control properties.
To enhance usability, the complex technical details are hidden from the process modeller by an automatic translation of the process model into the process meta language (Promela), based on Coloured Petri net (CPN) semantics.
The SPIN model checker is used to verify the process model, and a trace file is written to give the modeller visual feedback at the abstraction level of the verified process model. As a proof of concept, the described translation methodology is implemented as a plug-in for the free web-based BPMN modelling tool Oryx.
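To make the translation idea concrete, here is a small hand-written Promela model of a two-task process with a separation-of-duty entailment constraint, built the way a CPN-to-Promela translation would structure it: places as token counters, tasks as guarded transitions, and the performer carried as the token colour. This is an added example, not the paper's generated code or the Oryx plug-in's output; the user names, the role table and the `SOD_ENFORCED` switch are constructed for illustration.

```promela
/* Constructed example: two-task process with a separation-of-duty (SoD)
   constraint, modelled in Promela in the style of a CPN translation.
   Users, role table and the SOD_ENFORCED switch are assumptions. */

#define NONE   0
#define ALICE  1
#define BOB    2
#define NUSERS 3

/* Role membership (constructed): who may perform each task. */
bool may_prepare[NUSERS];
bool may_approve[NUSERS];

/* CPN places: token counts along the control flow. */
byte p_start    = 1;   /* the initial place holds one token */
byte p_prepared = 0;
byte p_end      = 0;

/* Coloured tokens carry the identity of the performer of each task. */
byte prepared_by = NONE;
byte approved_by = NONE;

inline init_roles() {
    may_prepare[ALICE] = true; may_prepare[BOB] = true;
    may_approve[ALICE] = true; may_approve[BOB] = true;
}

/* Transition "prepare": consumes the token in p_start, produces one in
   p_prepared and records the chosen performer. */
inline fire_prepare(u) {
    d_step { p_start--; p_prepared++; prepared_by = u }
}

/* With -DSOD_ENFORCED the constraint becomes a guard on "approve";
   without it the model is the unconstrained process, so SPIN can show
   the violating assignment as a trace. */
#ifdef SOD_ENFORCED
#define SOD_OK(u) (u != prepared_by)
#else
#define SOD_OK(u) true
#endif

/* Transition "approve": consumes the token in p_prepared, fills p_end. */
inline fire_approve(u) {
    d_step { p_prepared--; p_end++; approved_by = u }
}

active proctype Process() {
    init_roles();
    /* task 1: performer chosen nondeterministically among role members */
    if
    :: (p_start > 0 && may_prepare[ALICE]) -> fire_prepare(ALICE)
    :: (p_start > 0 && may_prepare[BOB])   -> fire_prepare(BOB)
    fi;
    /* task 2: same pattern, optionally guarded by the SoD constraint */
    if
    :: (p_prepared > 0 && may_approve[ALICE] && SOD_OK(ALICE)) -> fire_approve(ALICE)
    :: (p_prepared > 0 && may_approve[BOB]   && SOD_OK(BOB))   -> fire_approve(BOB)
    fi
}

/* The entailment constraint as a temporal-logic safety property: whenever
   the end place holds a token, prepare and approve had different performers. */
ltl sod { [] ((p_end > 0) -> (prepared_by != approved_by)) }
```

Running `spin -a sod.pml && gcc -o pan pan.c && ./pan -a` on the unconstrained model reports the `sod` claim as violated and writes `sod.pml.trail`; `spin -t -p sod.pml` replays that trail step by step, which is the raw form of the trace the paper's plug-in presents back to the modeller at the BPMN level. Re-running with `spin -DSOD_ENFORCED -a sod.pml` yields no errors, confirming that the guard derived from the annotation satisfies the property.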
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Wolter, C., Miseldine, P., Meinel, C. (2009). Verification of Business Process Entailment Constraints Using SPIN. In: Massacci, F., Redwine, S.T., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2009. Lecture Notes in Computer Science, vol 5429. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-00199-4_1
DOI: https://doi.org/10.1007/978-3-642-00199-4_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-00198-7
Online ISBN: 978-3-642-00199-4