Verification of Business Process Entailment Constraints Using SPIN

The verification of access controls is essential for building secure systems. Model checking is an automated technique for verifying finite state machines, with the properties to be verified usually expressed as formulas in temporal logic. In this paper we present an approach to verifying the access control security properties of a security-annotated business process model. To this end we utilise a security-enhanced BPMN notation to define access control properties. To improve usability, the complex technical details are hidden from the process modeller by automatically translating the process model into the process meta language Promela, based on Coloured Petri net (CPN) semantics. The model checker SPIN is used to verify the process model, and a trace file is written to give the modeller visual feedback at the abstraction level of the verified process model. As a proof of concept, the described translation methodology is implemented as a plug-in for the free web-based BPMN modelling tool Oryx.
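To make the translation concrete, here is an added example (written for this page, not the paper's generated Promela or the Oryx plug-in's output) of a two-task approval flow encoded in the CPN style the abstract describes, with a separation-of-duty entailment constraint checked by SPIN; the task, role and user names are hypothetical.

```promela
/* Added example, not the paper's translation or the Oryx plug-in output:
   a hand-written Promela encoding, in the CPN style the paper describes,
   of a two-task approval flow with a separation-of-duty (SoD) entailment
   constraint. Task, role and user names are hypothetical. */

#define NUSERS 3
#define NONE   255          /* "task not yet executed" marker */

/* Places of the net, stored as token counts (the marking). */
byte p_start  = 1;          /* initial marking: one token in the start place */
byte p_submit = 0;          /* t_submit has fired, t_approve is pending */
byte p_end    = 0;

/* Token "colour" bound when a task fires: which user executed it. */
byte user_submit  = NONE;
byte user_approve = NONE;

/* Hypothetical role assignment: users 0 and 1 are Clerks, 1 and 2 Managers. */
#define IS_CLERK(u)   ((u) == 0 || (u) == 1)
#define IS_MANAGER(u) ((u) == 1 || (u) == 2)

/* SoD entailment constraint between t_submit and t_approve. Set to 0 and
   re-run to watch SPIN report the violation and write a .trail file. */
#define ENFORCE_SOD 1
#define CAN_APPROVE(u) (IS_MANAGER(u) && (!ENFORCE_SOD || (u) != user_submit))

/* One option per transition binding (transition x user), as in a CPN:
   the guard is "input place marked AND user authorised"; the body moves
   the token and records the executing user, all in one atomic step. */
#define T_SUBMIT(u)  atomic { p_start > 0 && IS_CLERK(u) -> \
                              p_start--; p_submit++; user_submit = u }
#define T_APPROVE(u) atomic { p_submit > 0 && CAN_APPROVE(u) -> \
                              p_submit--; p_end++; user_approve = u }

active proctype Workflow() {
    do
    :: T_SUBMIT(0)  :: T_SUBMIT(1)  :: T_SUBMIT(2)
    :: T_APPROVE(0) :: T_APPROVE(1) :: T_APPROVE(2)
    :: p_end > 0 -> break          /* final marking reached, run ends */
    od
}

/* Safety property handed to SPIN: the approver is never the submitter.
   Check with:  spin -a sod.pml && gcc -o pan pan.c && ./pan -a -N sod
   Replay a violation (ENFORCE_SOD 0) with:  spin -t -p sod.pml          */
ltl sod { [] (user_approve == NONE || user_approve != user_submit) }
```

With ENFORCE_SOD set to 0, user 1 (both Clerk and Manager) can fire both transitions, SPIN reports the LTL violation, and the replayed trail shows the offending binding sequence, which is the kind of trace feedback the abstract refers to.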
