Automated Analysis of Infinite State Workflows with Access Control Policies

  • Alessandro Armando
  • Silvio Ranise
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7170)


Business processes are usually specified by workflows extended with access control policies. In previous works, automated techniques have been developed for the analysis of authorization constraints of workflows. One of main drawback of available approaches is that only a bounded number of workflow instances is considered and analyses are limited to consider intra-instance authorization constraints. Instead, in applications, several workflow instances execute concurrently, may synchronize, and be required to ensure inter-instance constraints. Performing an analysis by considering a finite but arbitrary number of workflow instances can give designers a higher confidence about the quality of their business process. In this paper, we propose an automated technique for the analysis of both intra- and inter-instance authorization constraints in workflow systems. We reduce the analysis problem to a model checking problem, parametric in the number of workflow instances, and identify a sub-class of workflow systems with a decidable analysis problem.


Access Control Business Process Access Control Policy Access Control Model Reachability Problem 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abdulla, P.A., Delzanno, G., Ben Henda, N., Rezine, A.: Regular Model Checking Without Transducers (On Efficient Verification of Parameterized Systems). In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 721–736. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  2. 2.
    Alberti, F., Armando, A., Ranise, S.: ASASP: Automated Symbolic Analysis of Security Policies. In: Bjørner, N., Sofronie-Stokkermans, V. (eds.) CADE 2011. LNCS, vol. 6803, pp. 26–33. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  3. 3.
    Alberti, F., Armando, A., Ranise, S.: Efficient Symbolic Automated Analysis of Administrative Role Based Access Control Policies. In: 6th ACM Symp. on Information, Computer, and Communications Security, ASIACCS (2011)Google Scholar
  4. 4.
    Armando, A., Ponta, S.E.: Model Checking of Security-sensitive Business Processes. In: Degano, P., Guttman, J.D. (eds.) FAST 2009. LNCS, vol. 5983, pp. 66–80. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  5. 5.
    Armando, A., Ranise, S.: Automated Symbolic Analysis of ARBAC Policies. In: Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds.) STM 2010. LNCS, vol. 6710, pp. 17–34. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  6. 6.
    Bertino, E., Ferrari, E., Atluri, V.: The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Inf. Syst. Secur. 2, 65–104 (1999)CrossRefGoogle Scholar
  7. 7.
    Cerone, A., Xiangpeng, Z., Krishnan, P.: Modelling and resource allocation planning of BPEL workflows under security constraints. Technical Report 336, UNU-IIST (2006)Google Scholar
  8. 8.
    Comon, H., Jurski, Y.: Multiple counters automata, safety analysis and presburger arithmetic. Technical Report LSV-98-1, LSV ENS Cachan (1998)Google Scholar
  9. 9.
    Crampton, J.: A reference monitor for workflow systems with constrained task execution. In: 10th ACM SACMAT, pp. 38–47. ACM (2005)Google Scholar
  10. 10.
    Dury, A., Boroday, S., Petrenko, A., Lotz, V.: Formal verification of business workflows and role based access control systems. In: SECURWARE, pp. 201–2010 (2007)Google Scholar
  11. 11.
    Enderton, H.B.: A Mathematical Introduction to Logic. Academic Press, New York (1972)zbMATHGoogle Scholar
  12. 12.
    Fu, X., Bultan, T., Su, J.: Formal Verification of E-Services and Workflows. In: Bussler, C.J., McIlraith, S.A., Orlowska, M.E., Pernici, B., Yang, J. (eds.) CAiSE 2002 and WES 2002. LNCS, vol. 2512, pp. 188–202. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  13. 13.
    Ghilardi, S., Ranise, S.: Backward reachability of array-based systems by smt solving: Termination and invariant synthesis. In: LMCS, vol. 6(4) (2010)Google Scholar
  14. 14.
    Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Communications of the ACM 19(8), 461–471 (1976)MathSciNetzbMATHCrossRefGoogle Scholar
  15. 15.
    Warner, J., Atluri, V.: Inter-Instance Authorization Constraints for Secure Workflow Managment. In: SACMAT, pp. 190–199. ACM (2006)Google Scholar
  16. 16.
    Jaeger, T., Tidswell, J.: Practical safety in flexible access control models. ACM Transaction on Information and System Security 4(2), 158–190 (2001)CrossRefGoogle Scholar
  17. 17.
    Li, N., Tripunitara, M.V.: Security analysis in role-based access control. ACM Transactions on Information and System Security (TISSEC) 9(4), 391–420 (2006)CrossRefGoogle Scholar
  18. 18.
    Monakova, G., Kopp, O., Leymann, F.: Improving Control Flow Verification in a Business Process using an Extended Petri Net. In: 1st Central-European Workshop on Services and their Composition, ZEUS (2009)Google Scholar
  19. 19.
    Ramsey, F.P.: On a Problem of Formal Logic. Proceedings of the London Mathematical Society s2-30(1), 264–286 (1930)CrossRefGoogle Scholar
  20. 20.
    Sandhu, R., Coyne, E., Feinstein, H., Youmann, C.: Role-Based Access Control Models. IEEE Computer 2(29), 38–47 (1996)CrossRefGoogle Scholar
  21. 21.
    Schaad, A., Lotz, V., Sohr, K.: A model-checking approach to analysing organisational controls in a loan origination process. In: SACMAT, pp. 139–149. ACM (2006)Google Scholar
  22. 22.
    Tripunitara, M.V., Li, N.: The Foundational work of Harrison-Ruzzo-Ullman Revisited. Technical Report CERIAS TR 2006-33, CERIAS and Department of Computer Science. Purdue University (2006)Google Scholar
  23. 23.
    Wang, Q., Li, N.: Satisfiability and resiliency in workflow authorization systems. ACM Trans. Inf. Syst. Secur. 13, 40:1–40:35 (2010)Google Scholar
  24. 24.
    Wang, Q., Li, N., Chen, H.: On the Security of Delegation in Access Control Systems. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 317–332. Springer, Heidelberg (2008)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Alessandro Armando
    • 1
    • 2
  • Silvio Ranise
    • 2
  1. 1.DISTUniversità degli Studi di GenovaItalia
  2. 2.Security and Trust UnitFBKTrentoItalia

Personalised recommendations