Static Information Flow Analysis of Workflow Models

This paper proposes a framework for detecting information leaks in workflow descriptions based on static information flow analysis. Even when access control mechanisms are deployed correctly, certain information leaks can persist, thereby undermining the compliance of workflows with policies. The framework put forward in this paper identifies leaks induced by the structure of the workflow. It consists of an adequate meta-model for workflow representation based on Petri nets and corresponding components for the transformation and analysis. A case study illustrates the application of the framework to a concrete workflow in BPEL notation.
