Modularity for Security-Sensitive Workflows

An established trend in software engineering insists on using components (sometimes also called services or packages) to encapsulate a set of related functionalities or data. By defining interfaces specifying what functionalities they provide or use, components can be combined with others to form more complex components. In this way, IT systems can be designed by mostly re-using existing components and developing new ones to provide new functionalities. In this paper, we introduce a notion of component and a combination mechanism for an important class of software artifacts, called security-sensitive workflows. These are business processes in which execution constraints on the tasks are complemented with authorization constraints (e.g., Separation of Duty) and authorization policies (constraining which users can execute which tasks). We show how well-known workflow execution patterns can be simulated by our combination mechanism and how authorization constraints can also be imposed across components. Then, we demonstrate the usefulness of our notion of component by showing (i) the scalability of a technique for the synthesis of run-time monitors for security-sensitive workflows and (ii) the design of a plug-in for the re-use of workflows and related run-time monitors inside an editor for security-sensitive workflows.
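The following is an added example, not the paper's formal model or tool: a minimal encoding of a security-sensitive workflow component (execution constraints, an authorization policy and Separation-of-Duty constraints), an assumed sequential combination of two components, and a run-time monitor that grants or denies each (user, task) request against the history so far. All task and user names, and the `sequence` operator, are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    """Security-sensitive workflow component (constructed model, not the paper's)."""
    tasks: set
    precedes: dict                          # task -> tasks that must already have run
    policy: dict                            # task -> users authorized to execute it
    sod: set = field(default_factory=set)   # frozenset({t1, t2}): must be different users
    def sequence(self, other):
        """Assumed sequential combination: every task of `other` waits for all of `self`."""
        precedes = dict(self.precedes)
        for t in other.tasks:
            precedes[t] = set(other.precedes.get(t, ())) | set(self.tasks)
        return Component(self.tasks | other.tasks, precedes,
                         {**self.policy, **other.policy}, self.sod | other.sod)

class Monitor:
    """Grants (user, task) only if control flow, policy and SoD hold for the history."""
    def __init__(self, comp):
        self.comp, self.history = comp, {}  # history: task -> user who executed it
    def request(self, user, task):
        c = self.comp
        if task not in c.tasks or task in self.history:             # unknown / already run
            return False
        if not c.precedes.get(task, set()).issubset(self.history):  # execution constraint
            return False
        if user not in c.policy.get(task, set()):                    # authorization policy
            return False
        for pair in c.sod:                                           # Separation of Duty
            if task in pair and self.history.get(next(iter(pair - {task}))) == user:
                return False
        self.history[task] = user
        return True

def run_example():
    """Constructed scenario: approval component, then payment, with SoD across them."""
    approval = Component({"request", "approve"},
                         {"request": set(), "approve": {"request"}},
                         {"request": {"alice", "bob"}, "approve": {"bob", "carol"}},
                         {frozenset({"request", "approve"})})
    payment = Component({"pay"}, {"pay": set()}, {"pay": {"bob", "carol"}})
    wf = approval.sequence(payment)
    wf.sod.add(frozenset({"approve", "pay"}))  # SoD imposed across the two components
    m = Monitor(wf)
    steps = [("bob", "approve"), ("alice", "request"), ("bob", "approve"),
             ("bob", "pay"), ("carol", "pay")]
    return [m.request(u, t) for u, t in steps]  # [False, True, True, False, True]
```

The first request is denied because `request` has not yet run (execution constraint), and the fourth because bob already executed `approve`, which the cross-component SoD constraint forbids for `pay`.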
