Abstract
This paper presents InDico, an approach for the automated analysis of business processes against confidentiality requirements. InDico is motivated by the fact that in spite of the correct deployment of access control mechanisms, information leaks in automated business processes can persist due to erroneous process design. InDico employs a meta-model based on Petri nets to formalize and analyze business processes, thereby enabling the identification of leaks caused by a flawed process design.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Accorsi, R., Wonnemann, C.: Auditing workflow executions against dataflow policies. In: Abramowicz, W., Tolksdorf, R. (eds.) BIS 2010. LNBIP, vol. 47, pp. 207–217. Springer, Heidelberg (2010)
Accorsi, R., Wonnemann, C.: Strong non-leak guarantees for workflow models. In: ACM Symposium on Applied Computing, pp. 308–314. ACM, New York (2011)
Adam, N., Atluri, V., Huang, W.: Modeling and analysis of workflows using Petri nets. Journal of Intelligent Information Systems 10(2), 131–158 (1998)
Allman, E.: Complying with compliance. ACM Queue 4(7), 19–21 (2006)
Atluri, V., Chung, S., Mazzoleni, P.: A Chinese Wall security model for decentralized workflow systems. In: ACM Conference on Computer and Communications Security, pp. 48–57. ACM, New York (2001)
Atluri, V., Huang, W.: An authorization model for workflows. In: Bertino, E., Kurth, H., Martella, G., Montolivo, E. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 44–64. Springer, Heidelberg (1996)
Atluri, V., Huang, W.: An extended Petri net model for supporting workflows in a multilevel secure environment. In: IFIP Conference Proceedings of Database Security, vol. 79, pp. 240–258. Chapman & Hall, Boca Raton (1996)
Barletta, M., Ranise, S., Viganò, L.: Verifying the interplay of authorization policies and workflow in service-oriented architectures. In: Conference on Computational Science, vol. 3, pp. 289–296. IEEE, Los Alamitos (2009)
Breaux, T., Antón, A.: Analyzing regulatory rules for privacy and security requirements. IEEE Transactions on Software Engineering 34(1), 5–20 (2008)
Brewer, D., Nash, M.: The Chinese-wall security policy. In: IEEE Symposium on Security and Privacy, pp. 206–214. IEEE, Los Alamitos (1989)
Busi, N., Gorrieri, R.: Structural non-interference in elementary and trace nets. Mathematical Structures in Computer Science 19(6), 1065–1090 (2009)
Bussmann, K.D., Krieg, O., Nestler, C., Salvenmoser, S., Schroth, A., Theile, A., Trunk, D.: Wirtschaftskriminalität 2009 – Sicherheitslage in deutschen Großunternehmen. In: Martin-Luther-Universität Halle-Wittenberg and PwC AG (2009)
Focardi, R., Gorrieri, R.: A taxonomy of security properties for process algebras. Journal of Computer Security 3(1), 5–34 (1995)
Frau, S., Gorrieri, R., Ferigato, C.: Petri net security checker: Structural non-interference at work. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 210–225. Springer, Heidelberg (2009)
Hammer, M.: The process audit. Harvard Business Review 85(4), 119–142 (2007)
Jensen, K.: Coloured Petri nets: A high level language for system design and analysis. In: Rozenberg, G. (ed.) APN 1990. LNCS, vol. 483, pp. 342–416. Springer, Heidelberg (1991)
Knorr, K.: Multilevel security and information flow in Petri net workflows. In: Conference on Telecommunication Systems (2001)
Lampson, B.: A note on the confinement problem. Communications of the ACM 16(10), 613–615 (1973)
Lohmann, N.: A feature-complete petri net semantics for WS-BPEL 2.0. In: Dumas, M., Heckel, R. (eds.) WS-FM 2007. LNCS, vol. 4937, pp. 77–91. Springer, Heidelberg (2008)
Lohmann, N., Verbeek, E., Dijkman, R.: Petri net transformations for business processes – A survey. In: Jensen, K., van der Aalst, W.M.P. (eds.) Transactions on Petri Nets and Other Models of Concurrency II. LNCS, vol. 5460, pp. 46–63. Springer, Heidelberg (2009)
Lowis, L., Accorsi, R.: Vulnerability analysis in SOA-based business processes. IEEE Transactions on Services Computing (to appear 2010)
Müller, G., Accorsi, R., Höhn, S., Sackmann, S.: Sichere Nutzungskontrolle für mehr Transparenz in Finanzmärkten. Informatik Spektrum 33(1), 3–13 (2010)
Namiri, K., Stojanovic, N.: Using control patterns in business processes compliance. In: Weske, M., Hacid, M.-S., Godart, C. (eds.) WISE Workshops 2007. LNCS, vol. 4832, pp. 178–190. Springer, Heidelberg (2007)
Ouyang, C., Verbeek, E., van der Aalst, W.M., Breutel, S., Dumas, M., ter Hofstede, A.H.: WofBPEL: A tool for automated analysis of BPEL processes. In: Benatallah, B., Casati, F., Traverso, P. (eds.) ICSOC 2005. LNCS, vol. 3826, pp. 484–489. Springer, Heidelberg (2005)
Pesic, M., van der Aalst, W.M.P.: Modelling work distribution mechanisms using colored Petri nets. International Journal on Software Tools for Technology Transfer 9(3-4), 327–352 (2007)
Ryan, P., McLean, J., Millen, J., Gligor, V.: Non-interference: Who needs it? In: IEEE Computer Security Foundations Workshop, pp. 237–238. IEEE, Los Alamitos (2001)
Sabelfeld, A., Sands, D.: Dimensions and principles of declassification. In: IEEE Computer Security Foundations Workshop, pp. 255–269. IEEE, Los Alamitos (2005)
Sun, S., Zhao, L., Nunamaker, J., Sheng, O.L.: Formulating the data-flow perspective for business process management. Information Systems Research 17(4), 374–391 (2006)
Trčka, N., van der Aalst, W., Sidorova, N.: Data-flow anti-patterns: Discovering data-flow errors in workflows. In: van Eck, P., Gordijn, J., Wieringa, R. (eds.) CAiSE 2009. LNCS, vol. 5565, pp. 425–439. Springer, Heidelberg (2009)
Wang, Q., Li, N.: Satisfiability and resiliency in workflow systems. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 90–105. Springer, Heidelberg (2007)
Wolf, C., Harmon, P.: The state of business process management. BPTrends Report (2010), http://www.bptrends.com/
Yang, P., Lu, S., Gofman, M., Yang, Z.: Information flow analysis of scientific workflows. Journal of Computer and System Sciences 76, 390–402 (2009)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Accorsi, R., Wonnemann, C. (2011). InDico: Information Flow Analysis of Business Processes for Confidentiality Requirements. In: Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds) Security and Trust Management. STM 2010. Lecture Notes in Computer Science, vol 6710. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22444-7_13
Download citation
DOI: https://doi.org/10.1007/978-3-642-22444-7_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22443-0
Online ISBN: 978-3-642-22444-7
eBook Packages: Computer ScienceComputer Science (R0)