Verification of Business Process Entailment Constraints Using SPIN

  • Conference paper
In: Engineering Secure Software and Systems (ESSoS 2009)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 5429)

Abstract

The verification of access controls is essential for providing secure systems. Model checking is an automated technique used for verifying finite state machines. The properties to be verified are usually expressed as formulae in temporal logic. In this paper we present an approach to verify access control security properties of a security-annotated business process model. To this end we utilise a security-enhanced BPMN notation to define access control properties.

To enhance usability, the complex and technical details are hidden from the process modeller by automatically translating the process model into a process meta language (Promela) based on Coloured Petri net (CPN) semantics.

The model checker SPIN is used for the process model verification, and a trace file is written to provide visual feedback to the modeller on the abstraction level of the verified process model. As a proof of concept, the described translation methodology is implemented as a plug-in for the free web-based BPMN modelling tool Oryx.

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wolter, C., Miseldine, P., Meinel, C. (2009). Verification of Business Process Entailment Constraints Using SPIN. In: Massacci, F., Redwine, S.T., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2009. Lecture Notes in Computer Science, vol 5429. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-00199-4_1

  • DOI: https://doi.org/10.1007/978-3-642-00199-4_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-00198-7

  • Online ISBN: 978-3-642-00199-4

  • eBook Packages: Computer Science, Computer Science (R0)
