
Automatic Information Flow Analysis of Business Process Models

  • Conference paper
Business Process Management (BPM 2012)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 7481)


Abstract

We present an automated and efficient approach for the verification of information flow control for business process models. Building on the concept of Place-based Non-Interference, the novelty is that Petri net reachability is employed to detect places in which information leaks occur. We show that the approach is sound and complete, and present its implementation, the Anica tool. Anica employs state-of-the-art model-checking algorithms to test reachability. An extensive evaluation comprising over 550 industrial process models is carried out and shows that information flow analysis of process models can be done in milliseconds.




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Accorsi, R., Lehmann, A. (2012). Automatic Information Flow Analysis of Business Process Models. In: Barros, A., Gal, A., Kindler, E. (eds) Business Process Management. BPM 2012. Lecture Notes in Computer Science, vol 7481. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32885-5_13


  • DOI: https://doi.org/10.1007/978-3-642-32885-5_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32884-8

  • Online ISBN: 978-3-642-32885-5

  • eBook Packages: Computer Science (R0)
