Automated Analysis of Infinite State Workflows with Access Control Policies

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7170)

Abstract

Business processes are usually specified by workflows extended with access control policies. In previous works, automated techniques have been developed for the analysis of authorization constraints of workflows. One of the main drawbacks of available approaches is that only a bounded number of workflow instances is considered and analyses are limited to intra-instance authorization constraints. In applications, by contrast, several workflow instances execute concurrently, may synchronize, and may be required to ensure inter-instance constraints. Performing an analysis that considers a finite but arbitrary number of workflow instances can give designers higher confidence in the quality of their business process. In this paper, we propose an automated technique for the analysis of both intra- and inter-instance authorization constraints in workflow systems. We reduce the analysis problem to a model checking problem, parametric in the number of workflow instances, and identify a sub-class of workflow systems with a decidable analysis problem.




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Armando, A., Ranise, S. (2012). Automated Analysis of Infinite State Workflows with Access Control Policies. In: Meadows, C., Fernandez-Gago, C. (eds) Security and Trust Management. STM 2011. Lecture Notes in Computer Science, vol 7170. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29963-6_12

  • DOI: https://doi.org/10.1007/978-3-642-29963-6_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29962-9

  • Online ISBN: 978-3-642-29963-6

  • eBook Packages: Computer Science, Computer Science (R0)
