InDico: Information Flow Analysis of Business Processes for Confidentiality Requirements

This paper presents InDico, an approach for the automated analysis of business processes against confidentiality requirements. InDico is motivated by the fact that in spite of the correct deployment of access control mechanisms, information leaks in automated business processes can persist due to erroneous process design. InDico employs a meta-model based on Petri nets to formalize and analyze business processes, thereby enabling the identification of leaks caused by a flawed process design.

[1]  Olivia R. Liu Sheng,et al.  Formulating the Data-Flow Perspective for Business Process Management , 2006, Inf. Syst. Res..

[2]  Ninghui Li,et al.  Satisfiability and Resiliency in Workflow Systems , 2007, ESORICS.

[3]  Theo Dimitrakos,et al.  Formal Aspects in Security and Trust, Fourth International Workshop, FAST 2006, Hamilton, Ontario, Canada, August 26-27, 2006, Revised Selected Papers , 2007, Formal Aspects in Security and Trust.

[4]  Andrew D. Gordon,et al.  Verified Reference Implementations of WS-Security Protocols , 2006, WS-FM.

[5]  Eric Allman Complying with Compliance , 2006, QUEUE.

[6]  Wil M. P. van der Aalst,et al.  Transactions on Petri Nets and Other Models of Concurrency II, Special Issue on Concurrency in Process-Aware Information Systems , 2009, Trans. Petri Nets and Other Models of Concurrency.

[7]  Michael J. Nash,et al.  The Chinese Wall security policy , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[8]  M. Hammer The process audit. , 2007, Harvard business review.

[9]  Rafael Accorsi,et al.  Auditing Workflow Executions against Dataflow Policies , 2010, BIS.

[10]  Wil M. P. van der Aalst,et al.  Modelling work distribution mechanisms using Colored Petri Nets , 2007, International Journal on Software Tools for Technology Transfer.

[11]  Grzegorz Rozenberg Advances in Petri Nets 1990 , 1989, Lecture Notes in Computer Science.

[12]  Vijayalakshmi Atluri,et al.  An Extended Petri Net Model for Supporting Workflows in a Multilevel Secure Environment , 1996, DBSec.

[13]  Niels Lohmann,et al.  A Feature-Complete Petri Net Semantics for WS-BPEL 2.0 , 2007, WS-FM.

[14]  Vijayalakshmi Atluri,et al.  An Authorization Model for Workflows , 1996, ESORICS.

[15]  Lutz Lowis,et al.  Vulnerability Analysis in SOA-Based Business Processes , 2011, IEEE Transactions on Services Computing.

[16]  Elisa Bertino,et al.  Computer Security — ESORICS 96 , 1996, Lecture Notes in Computer Science.

[17]  Roberto Gorrieri,et al.  A Taxonomy of Security Properties for Process Algebras , 1995, J. Comput. Secur..

[18]  Vijayalakshmi Atluri,et al.  A Chinese wall security model for decentralized workflow systems , 2001, CCS '01.

[19]  Luca Viganò,et al.  Verifying the Interplay of Authorization Policies and Workflow in Service-Oriented Architectures , 2009, 2009 International Conference on Computational Science and Engineering.

[20]  Gosse Bouma,et al.  Mapping Metadata for SWHi: Aligning Schemas with Library Metadata for a Historical Ontology , 2007, WISE Workshops.

[21]  Fabio Casati,et al.  Service-Oriented Computing - ICSOC 2005, Third International Conference, Amsterdam, The Netherlands, December 12-15, 2005, Proceedings , 2005, ICSOC.

[22]  Kurt Jensen,et al.  Coloured Petri nets: A high level language for system design and analysis , 1991, Applications and Theory of Petri Nets.

[23]  Wil M. P. van der Aalst,et al.  WofBPEL: A Tool for Automated Analysis of BPEL Processes , 2005, ICSOC.

[24]  Shiyong Lu,et al.  Information flow analysis of scientific workflows , 2010, J. Comput. Syst. Sci..

[25]  Günter Müller,et al.  Sichere Nutzungskontrolle für mehr Transparenz in Finanzmärkten , 2010, Informatik-Spektrum.

[26]  Wil M. P. van der Aalst,et al.  Data-Flow Anti-patterns: Discovering Data-Flow Errors in Workflows , 2009, CAiSE.

[27]  Rafael Accorsi,et al.  Strong non-leak guarantees for workflow models , 2011, SAC.

[28]  Roberto Gorrieri,et al.  Structural non-interference in elementary and trace nets , 2009, Mathematical Structures in Computer Science.

[29]  Annie I. Antón,et al.  Analyzing Regulatory Rules for Privacy and Security Requirements , 2008, IEEE Transactions on Software Engineering.

[30]  Roberto Gorrieri,et al.  Petri Net Security Checker: Structural Non-interference at Work , 2009, Formal Aspects in Security and Trust.

[31]  Remco M. Dijkman,et al.  Petri Net Transformations for Business Processes - A Survey , 2009, Trans. Petri Nets Other Model. Concurr..

[32]  Nenad Stojanovic,et al.  Using Control Patterns in Business Processes Compliance , 2007, WISE Workshops.

[33]  David Sands,et al.  Dimensions and principles of declassification , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[34]  Joachim Biskup,et al.  Computer Security - ESORICS 2007, 12th European Symposium On Research In Computer Security, Dresden, Germany, September 24-26, 2007, Proceedings , 2007, ESORICS.

[35]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[36]  Jonathan K. Millen,et al.  Non-interference, who needs it? , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[37]  Vijayalakshmi Atluri,et al.  Modeling and Analysis of Workflows Using Petri Nets , 1998, Journal of Intelligent Information Systems.