Scientific Workflow Provenance Querying with Security Views

Provenance, the metadata that pertains to the derivation history of a data product, has become increasingly important in scientific workflow environments. In many cases, both data products and their provenance can be sensitive, and effective access control mechanisms are essential to protect their confidentiality. In this paper, we propose i) a formalization of scientific workflow provenance as the basis for querying and access control; ii) a security specification mechanism for provenance at various granularity levels and the derivation of a full security specification based on inheritance, overriding, and conflict resolution rules; iii) a formalization of security views that are derived from the provenance of a scientific workflow run for different user roles; and iv) a framework that integrates abstraction views and security views such that a user can examine provenance at different abstraction levels while respecting the security policy prescribed for her. We have developed the SecProv prototype to validate the effectiveness of our approach.
