Advertisement

Towards PaaS Offering of BPMN 2.0 Engines: A Proposal for Service-Level Tenant Isolation

  • Majid Makki
  • Dimitri Van Landuyt
  • Wouter Joosen
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 824)

Abstract

Business processes modeling and management solutions provide powerful abstraction mechanisms for the control flow of complex, task-driven applications, and as such allow for better alignment with business-related concerns. Despite the existence and wide adoption of standardized business process management languages such as WS-BPEL and BPMN 2.0, workflow engines in current Platform-as-a-Service (PaaS) offerings are in practice more restricted, in part for reasons such as vendor lock-in, but also due to restrictions of multi-tenant environments.

In this paper, we explore the main security-related problems caused by offering BPMN2-compliant workflow engines in a multi-tenant PaaS environment, particularly focusing on threats caused by misbehaving tenants and the lack of proper tenant isolation. In addition, we propose a service-level tenant isolation framework that allows PaaS offerings to support workflow engines which comply with the BPMN 2.0 standard, and we discuss the technical feasibility of implementing this framework using Java technologies such as OSGi and the Resource Consumption Management API (JSR-284).

Keywords

Platform-as-a-Service (PaaS) Workflow engines Multi-tenancy Untrusted code Tenant isolation 

Notes

Acknowledgement

This research is partially funded by the Research Fund KU Leuven (project GOA/14/003 - ADDIS), the strategic basic research (SBO) project DeCoMAdS, and the MuDCads O&O project.

References

  1. 1.
    Rimal, B.P., Choi, E., Lumb, I.: A taxonomy and survey of cloud computing systems. In: INC, IMS and IDC, pp. 44–51 (2009)Google Scholar
  2. 2.
    Walraven, S., Truyen, E., Joosen, W.: Comparing paas offerings in light of SaaS development. Computing 96(8), 669–724 (2014)CrossRefGoogle Scholar
  3. 3.
    AWS: Amazon Simple Workflow Service (Amazon SWF). https://aws.amazon.com/documentation/swf/. Accessed 12 June 2017
  4. 4.
    Google: Google App Engine Fantasm. https://cloud.google.com/appengine/articles/fantasm. Accessed 12 June 2017
  5. 5.
    Opara-Martins, J., Sahandi, R., Tian, F.: Critical review of vendor lock-in and its impact on adoption of cloud computing. In: 2014 International Conference on Information Society (i-Society), pp. 92–97. IEEE (2014)Google Scholar
  6. 6.
    Ko, R.K., Lee, S.S., Wah Lee, E.: Business process management (BPM) standards: a survey. Bus. Process Manag. J. 15(5), 744–791 (2009)CrossRefGoogle Scholar
  7. 7.
    Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., et al.: A view of cloud computing. Commun. ACM 53(4), 50–58 (2010)CrossRefGoogle Scholar
  8. 8.
    OMG: Business Process Model and Notation 2.0. http://www.omg.org/spec/BPMN/2.0/PDF/. Accessed 04 Aug 2015
  9. 9.
    OASIS: Web Services Business Process Execution Language. http://docs.oasis-open.org/wsbpel/2.0/OS/wsbpel-v2.0-OS.html. Accessed 04 June 2016
  10. 10.
    Rodero-Merino, L., Vaquero, L.M., Caron, E., Muresan, A., Desprez, F.: Building safe PaaS clouds: a survey on security in multitenant software platforms. Comput. Secur. 31(1), 96–108 (2012)CrossRefGoogle Scholar
  11. 11.
    Li, Y., Li, W., Jiang, C.: A survey of virtual machine system: current technology and future trends. In: 2010 Third International Symposium on Electronic Commerce and Security (ISECS), pp. 332–336. IEEE (2010)Google Scholar
  12. 12.
    Bernstein, D.: Containers and cloud: from LXC to docker to kubernetes. IEEE Cloud Comput. 1(3), 81–84 (2014)CrossRefGoogle Scholar
  13. 13.
    Wikipedia: List of BPMN Engines. https://en.wikipedia.org/wiki/List_of_BPMN_2.0_engines. Accessed 05 July 2017
  14. 14.
    OSGi-Alliance: OSGi specification (2012). https://osgi.org/download/r4v43/osgi.core-4.3.0.pdf. Accessed 19 April 2017
  15. 15.
    JCP: JSR 284: Resource Consumption Management API. https://jcp.org/en/jsr/detail?id=284. Accessed 12 June 2017
  16. 16.
    Microsoft: The stride threat model (2015). https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx. Accessed 19 April 2017
  17. 17.
    Shostack, A.: Threat Modeling: Designing for Security. Wiley, New York (2014)Google Scholar
  18. 18.
    RedHat-JBoss: jBPM. http://www.jbpm.org/. Accessed 04 June 2017
  19. 19.
    Alfresco: Activiti User Guide. https://www.activiti.org/userguide/. Accessed 24 May 2017
  20. 20.
    Czajkowski, G., Daynés, L.: Multitasking without comprimise: a virtual machine evolution. ACM SIGPLAN Not. 36, 125–138 (2001)CrossRefGoogle Scholar
  21. 21.
    Herzog, A., Shahmehri, N.: Problems running untrusted services as Java threads. Certification Secur. Inter-Organ. E-Serv. 177, 19–32 (2004)CrossRefGoogle Scholar
  22. 22.
    Pawlak, R., Monperrus, M., Petitprez, N., Noguera, C., Seinturier, L.: Spoon: a library for implementing analyses and transformations of Java source code. Softw. Pract. Exp. 46(9), 1155–1179 (2016)CrossRefGoogle Scholar
  23. 23.
    Lam, P., Bodden, E., Lhoták, O., Hendren, L.: The soot framework for Java program analysis: a retrospective. In: Cetus Users and Compiler Infrastructure Workshop (CETUS 2011), vol. 15, p. 35 (2011)Google Scholar
  24. 24.
    Oracle: Java 8 SE platform security. https://docs.oracle.com/javase/8/docs/technotes/guides/security/overview/jsoverview.html. Accessed 19 April 2017
  25. 25.
    Gong, L., Ellison, G.: Inside Java (TM) 2 Platform Security: Architecture, API Design, and Implementation. Pearson Education, London (2003)Google Scholar
  26. 26.
    Parallel Universe: Quasar. http://docs.paralleluniverse.co/quasar/. Accessed 09 July 2017
  27. 27.
    Pathirage, M., Perera, S., Kumara, I., Weerawarana, S.: A multi-tenant architecture for business process executions. In: 2011 IEEE International Conference on Web services (ICWS), pp. 121–128. IEEE (2011)Google Scholar
  28. 28.
    Apache: Apache ode. http://ode.apache.org/. Accessed 09 July 2017
  29. 29.
    Yu, D., Zhu, Q., Guo, D., Huang, B., Su, J.: jBPM4S: a multi-tenant extension of jBPM to support BPaaS. In: Bae, J., Suriadi, S., Wen, L. (eds.) AP-BPM 2015. LNBIP, vol. 219, pp. 43–56. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-19509-4_4CrossRefGoogle Scholar
  30. 30.
    Walraven, S., De Borger, W., Vanbrabant, B., Lagaisse, B., Van Landuyt, D., Joosen, W.: Adaptive performance isolation middleware for multi-tenant SaaS. In: 2015 IEEE/ACM 8th International Conference on Utility and Cloud Computing (UCC), pp. 112–121. IEEE (2015)Google Scholar
  31. 31.
    Krebs, R., Loesch, M., Kounev, S.: Platform-as-a-service architecture for performance isolated multi-tenant applications. In: 2014 IEEE 7th International Conference on Cloud Computing (CLOUD), pp. 914–921. IEEE (2014)Google Scholar
  32. 32.
    Krebs, R., Momm, C., Kounev, S.: Metrics and techniques for quantifying performance isolation in cloud environments. Sci. Comput. Program. 90, 116–134 (2014)CrossRefGoogle Scholar
  33. 33.
    Lin, H., Sun, K., Zhao, S., Han, Y.: Feedback-control-based performance regulation for multi-tenant applications. In: 2009 15th International Conference on Parallel and Distributed Systems (ICPADS), pp. 134–141. IEEE (2009)Google Scholar
  34. 34.
    Krebs, R., Spinner, S., Ahmed, N., Kounev, S.: Resource usage control in multi-tenant applications. In: 2014 14th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGrid), pp. 122–131. IEEE (2014)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Majid Makki
    • 1
  • Dimitri Van Landuyt
    • 1
  • Wouter Joosen
    • 1
  1. 1.imec-DistriNetKU LeuvenHeverleeBelgium

Personalised recommendations