Cerberus: Automated Synthesis of Enforcement Mechanisms for Security-Sensitive Business Processes

  • Luca Compagna
  • Daniel Ricardo dos Santos (corresponding author)
  • Serena Elisa Ponta
  • Silvio Ranise
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9636)


Cerberus is a tool to automatically synthesize run-time enforcement mechanisms for security-sensitive Business Processes (BPs). The tool guarantees that the execution constraints \(EC\) on the tasks, together with the authorization policy \(AP\) and the authorization constraints \(AC\), are satisfied while ensuring that the process can successfully terminate. Cerberus can be easily integrated into many workflow management systems; it is transparent to process designers and requires no knowledge beyond usual BP modeling. The tool works in two phases. At design-time, the enforcement mechanism \(M\), parametric in the authorization policy \(AP\), is generated from \(EC\) and \(AC\); \(M\) can thus be reused with any instance of the same BP provided that \(EC\) and \(AC\) are left unchanged. At run-time, a specific authorization policy is added to \(M\), thereby obtaining an enforcement mechanism \(M^*\) dedicated to a particular instance of the security-sensitive business process. To validate our approach, we discuss the implementation and usage of Cerberus in the SAP HANA Operational Intelligence platform.
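The two-phase scheme in the abstract can be illustrated with a small toy monitor. The code below is an added example written for this page, not code from Cerberus or its authors: the workflow, the constraints and the policy are constructed, and the design-time phase here just fixes \(EC\) and \(AC\) in a closure, whereas the paper synthesizes \(M\) with a symbolic model checker. The run-time phase instantiates that closure with a concrete \(AP\) and answers each request by checking enablement under \(EC\), authorization under \(AP\), consistency with \(AC\), and, by explicit search over the remaining tasks, that the instance can still terminate.

```python
"""Toy run-time enforcement mechanism for a security-sensitive workflow.

Constructed example (hypothetical tasks, constraints and users; not from the paper).
"""

# Tasks of the workflow, in no particular order.
TASKS = ["t1", "t2", "t3", "t4"]

# Execution constraints EC: (a, b) means task a must be completed before b starts.
EC = {("t1", "t2"), ("t1", "t3"), ("t2", "t4"), ("t3", "t4")}

# Authorization constraints AC: ("sod", a, b) = a and b need different users
# (separation of duty); ("bod", a, b) = a and b need the same user (binding of duty).
AC = {("sod", "t1", "t2"), ("sod", "t2", "t3"), ("bod", "t1", "t4")}

# Authorization policy AP (constructed): task -> set of users allowed to execute it.
# Note that bob may execute t1, but t2 can only be done by bob, so letting bob
# take t1 would make termination impossible under sod(t1, t2).
AP = {"t1": {"alice", "bob"}, "t2": {"bob"}, "t3": {"bob", "carol"},
      "t4": {"alice", "bob"}}


class Monitor:
    """Run-time mechanism M* for one process instance (M instantiated with AP)."""

    def __init__(self, tasks, preds, ac_ok, ap):
        self.tasks, self.preds, self.ac_ok, self.ap = tasks, preds, ac_ok, ap
        self.history = {}  # task -> user who executed it in this instance

    def enabled(self, task, done):
        """EC check: task not yet done and all its predecessors are done."""
        return task not in done and self.preds[task].issubset(done)

    def completable(self, assign):
        """Termination check: can every remaining task still be assigned to an
        authorized user without violating AC? (depth-first search)"""
        if len(assign) == len(self.tasks):
            return True
        for t in self.tasks:
            if not self.enabled(t, assign):
                continue
            for u in self.ap.get(t, ()):
                nxt = dict(assign)
                nxt[t] = u
                if self.ac_ok(nxt) and self.completable(nxt):
                    return True
        return False

    def can_execute(self, user, task):
        """Grant only if EC, AP and AC hold and the instance can still terminate."""
        if not self.enabled(task, self.history):
            return False
        if user not in self.ap.get(task, ()):
            return False
        trial = dict(self.history)
        trial[task] = user
        return self.ac_ok(trial) and self.completable(trial)

    def execute(self, user, task):
        """Process a request; record it in the history if granted."""
        granted = self.can_execute(user, task)
        if granted:
            self.history[task] = user
        return granted


def synthesize(tasks, ec, ac):
    """Design-time phase: build M from EC and AC, parametric in AP.
    Returns a function that, given AP, yields the instance-specific M*."""
    preds = {t: {a for (a, b) in ec if b == t} for t in tasks}

    def ac_ok(assign):
        # Only constraints whose both tasks are already assigned can be checked.
        for kind, a, b in ac:
            if a in assign and b in assign:
                same = assign[a] == assign[b]
                if (kind == "sod" and same) or (kind == "bod" and not same):
                    return False
        return True

    return lambda ap: Monitor(tasks, preds, ac_ok, ap)


def demo(ap=AP):
    """Run a sequence of constructed requests through M* and return the decisions."""
    M = synthesize(TASKS, EC, AC)   # design-time, reusable across instances
    monitor = M(ap)                 # run-time, one instance with its own AP
    requests = [("bob", "t2"),      # denied: EC (t1 not done yet)
                ("bob", "t1"),      # denied: AP allows it, but no completion exists
                ("alice", "t1"),    # granted
                ("bob", "t2"),      # granted
                ("bob", "t3"),      # denied: sod(t2, t3)
                ("carol", "t3"),    # granted
                ("bob", "t4"),      # denied: bod(t1, t4) binds t4 to alice
                ("alice", "t4")]    # granted: instance terminates
    return [monitor.execute(u, t) for u, t in requests]


if __name__ == "__main__":
    print(demo())
```

The second request is the interesting one: bob is authorized for t1 by \(AP\) and no constraint is violated by the history so far, yet the monitor denies it because every continuation would force bob to also execute t2, which sod(t1, t2) forbids. This is the "can successfully terminate" guarantee from the abstract; the explicit search used here is what the symbolic reachability graph computed at design-time stands in for in the real tool.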


Keywords (machine-generated): Model Checker, Enforcement Mechanism, Execution Engine, Reachability Graph, Symbolic Model Checker



Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  • Luca Compagna (2)
  • Daniel Ricardo dos Santos (1, 2, 3), corresponding author
  • Serena Elisa Ponta (2)
  • Silvio Ranise (1)

  1. Fondazione Bruno Kessler (FBK), Trento, Italy
  2. SAP Labs France, Mougins, France
  3. University of Trento, Trento, Italy
