Automated Synthesis and Ranking of Secure BPMN Orchestrators

The authors describe a formal methodology for the automatic synthesis of a secure orchestrator for a set of BPMN processes. The synthesized orchestrator guarantees that every process that is started reaches its end, and that the resulting orchestrator process is secure, that is, it does not allow the disclosure of certain secret messages. The authors present an implementation of a back-and-forth translation between BPMN and Crypto-CCS, which lets them reuse the existing PaMoChSA tool to synthesize BPMN orchestrators. They also study the problem of ranking orchestrators based on quantitative valuations of a process, the temporal evolution of such valuations, and their security as a function of the attacker's knowledge.
