On Process Rewriting for Business Process Security

This paper reports on ongoing work towards a framework to automatically rewrite business process models and, thereby, correctively enforce adherence to regulatory compliance and security policies. Specifically, the paper first motivates the need for rewriting mechanisms as a means to enforce a particular class of properties. Second, it describes the main building blocks of ReWrite, the framework to automatically rewriting process specifications. Third, in order to preserve the functional goals of the processes upon rewriting, a set of congruence relations is defined and their appropriateness is discussed. The presentation of the formal framework and rewriting algorithms is deferred to the full paper version.

[1]  Mathias Weske,et al.  Business Process Management: Concepts, Languages, Architectures , 2007 .

[2]  Iain D. Craig,et al.  The Java Virtual Machine , 2006 .

[3]  Martin Leucker,et al.  A brief account of runtime verification , 2009, J. Log. Algebraic Methods Program..

[4]  Annie I. Antón,et al.  Analyzing Regulatory Rules for Privacy and Security Requirements , 2008, IEEE Transactions on Software Engineering.

[5]  Eugene H. Spafford,et al.  A distributed requirements management framework for legal compliance and accountability , 2009, Comput. Secur..

[6]  Remco M. Dijkman,et al.  Petri Net Transformations for Business Processes - A Survey , 2009, Trans. Petri Nets Other Model. Concurr..

[7]  Nenad Stojanovic,et al.  Using Control Patterns in Business Processes Compliance , 2007, WISE Workshops.

[8]  Elisa Bertino,et al.  A roadmap for comprehensive online privacy policy management , 2007, CACM.

[9]  Monique Snoeck,et al.  Business Process Verification: A Petri Net Approach , 2007 .

[10]  Frank Yellin,et al.  The java virtual machine , 1996 .

[11]  Rafael Accorsi,et al.  SWAT: A Security Workflow Analysis Toolkit for Reliably Secure Process-aware Information Systems , 2011, 2011 Sixth International Conference on Availability, Reliability and Security.

[12]  Wil M. P. van der Aalst,et al.  Workflow Patterns , 2003, Distributed and Parallel Databases.

[13]  Bowen Alpern,et al.  Defining Liveness , 1984, Inf. Process. Lett..

[14]  Rafael Accorsi,et al.  Strong non-leak guarantees for workflow models , 2011, SAC.

[15]  Dirk Fahland,et al.  Where Did I Misbehave? Diagnostic Information in Compliance Checking , 2012, BPM.

[16]  Fred B. Schneider,et al.  Enforceable security policies , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[17]  Davide Sangiorgi,et al.  The Pi-Calculus - a theory of mobile processes , 2001 .

[18]  Petr Jancar Undecidability of Bisimilarity for Petri Nets and Some Related Problems , 1995, Theor. Comput. Sci..

[19]  Frank Leymann,et al.  Taming Compliance with Sarbanes-Oxley Internal Controls Using Database Technology , 2006, 22nd International Conference on Data Engineering (ICDE'06).

[20]  George S. Avrunin,et al.  Patterns in property specifications for finite-state verification , 1999, Proceedings of the 1999 International Conference on Software Engineering (IEEE Cat. No.99CB37002).

[21]  Nadia Tawbi,et al.  Corrective Enforcement: A New Paradigm of Security Policy Enforcement by Monitors , 2012, TSEC.

[22]  Edward Y. Chang,et al.  Characterization of Temporal Property Classes , 1992, ICALP.

[23]  Aditya K. Ghose,et al.  Auditing Business Process Compliance , 2007, ICSOC.

[24]  Alexander Pretschner,et al.  Usage Control in Service-Oriented Architectures , 2007, TrustBus.

[25]  Rafael Accorsi,et al.  Automatic Information Flow Analysis of Business Process Models , 2012, BPM.

[26]  Andreas Schaad,et al.  Model-driven business process security requirement specification , 2009, J. Syst. Archit..

[27]  Shazia Wasim Sadiq,et al.  Modeling Control Objectives for Business Process Compliance , 2007, BPM.

[28]  Wil M. P. van der Aalst,et al.  Process Mining - Discovery, Conformance and Enhancement of Business Processes , 2011 .

[29]  Alexander Pretschner,et al.  On Obligations , 2005, ESORICS.

[30]  Yoshinori Sato,et al.  Automated Certification for Compliant Cloud-based Business Processes , 2011, Bus. Inf. Syst. Eng..

[31]  Kevin W. Hamlen,et al.  Computability classes for enforcement mechanisms , 2006, TOPL.