Abstract
The specification of a distributed service-oriented application spans several levels of abstraction: the protocol for exchanging messages, the set of interface functionalities, the types of the manipulated data, the workflow, the access policy, and so on. Many (even executable) specification languages are available to describe each level in isolation. However, these levels may interact in subtle ways (for example, the control flow may depend on the values of some data variables), so that a precise abstraction of the application amounts to more than the sum of its per-level components. The problem is even more acute in the design phase, where automated analysis techniques can greatly help designers with the difficult task of building "correct" applications. To alleviate these problems, this paper introduces a framework for the formal specification and automated analysis of distributed service-oriented applications at two levels: one for the workflow and one for the authorization policies. The former allows one to describe precisely the control and data parts of an application together with their mutual dependencies. The latter focuses on specifying the criteria for granting or denying third-party applications access to shared resources or the right to execute certain interface functionalities. These two levels can be seen as abstractions of one or several of the specification levels mentioned above. The novelty of our proposal is the possibility of specifying unambiguously the (often subtle) interplay between the workflow and policy levels, uniformly in the same framework. Additionally, the framework allows us to define and investigate verification problems for service-oriented applications (such as executability and invariant checking) and to give sufficient conditions for their decidability.
These results are non-trivial because their scope of applicability goes well beyond finite state spaces: they allow for applications manipulating variables that range over infinite domains. As a proof of concept, we show the suitability and flexibility of our approach on two quite different examples inspired by industrial case studies.
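The following is an added illustration of the two-level idea sketched in the abstract, written for this page and not code from the paper or its authors. It models a tiny approval workflow (control locations plus an amount variable) whose transitions are guarded by a policy evaluated over a set of facts, and whose `submit` action adds a fact that the policy reads back when deciding `approve`; that feedback is the workflow/policy interplay the paper is about. The two verification problems the abstract names, executability (is every action enabled in some reachable state?) and invariant checking (is the approver ever the submitter?), are answered by plain breadth-first reachability over a constructed finite instantiation (two users, two representative amounts); the paper's own framework handles unbounded domains symbolically, which this example does not attempt. The users, roles, amounts and request identifier are all constructed for the example.

```python
from collections import deque

# Constructed finite instantiation: the paper treats variables over infinite
# domains symbolically; here two users and two representative amounts suffice
# to exercise every guard.
USERS = ("alice", "bob")
AMOUNTS = (500, 1500)
LIMIT = 1000          # amounts above LIMIT cannot be approved, only escalated
REQ = "r1"            # the single request instance considered
ACTIONS = ("submit", "approve", "escalate", "reject")

# ---- Policy level: facts are (predicate, subject, object) triples. ----
def roles_of(facts, user):
    return {obj for (pred, subj, obj) in facts if pred == "role" and subj == user}

def policy_sod(facts, user, action):
    """Grant/deny rules with separation of duty: whoever submitted REQ may
    neither approve nor escalate it."""
    roles = roles_of(facts, user)
    if action == "submit":
        return "clerk" in roles
    if action in ("approve", "escalate"):
        return "manager" in roles and ("submitted", user, REQ) not in facts
    return action == "reject" and "auditor" in roles

def policy_no_sod(facts, user, action):
    """The same rules with the separation-of-duty clause dropped."""
    roles = roles_of(facts, user)
    if action == "submit":
        return "clerk" in roles
    if action in ("approve", "escalate"):
        return "manager" in roles
    return action == "reject" and "auditor" in roles

# ---- Workflow level: state = (location, amount, submitter, actor, facts). ----
INIT = ("init", None, None, None,
        frozenset({("role", "alice", "clerk"), ("role", "alice", "manager"),
                   ("role", "bob", "manager")}))

def successors(state, policy):
    """Enabled transitions as (action, label, next_state). Guards combine
    control flow, data (amount vs LIMIT) and a policy query; `submit` also
    records a fact that the policy reads later: that is the interplay."""
    loc, amount, submitter, _, facts = state
    if loc == "init":
        for u in USERS:
            for amt in AMOUNTS:
                if amt > 0 and policy(facts, u, "submit"):
                    yield ("submit", f"submit({u},{amt})",
                           ("submitted", amt, u, None, facts | {("submitted", u, REQ)}))
    elif loc == "submitted":
        for u in USERS:
            if amount <= LIMIT and policy(facts, u, "approve"):
                yield ("approve", f"approve({u})", ("approved", amount, submitter, u, facts))
            if amount > LIMIT and policy(facts, u, "escalate"):
                yield ("escalate", f"escalate({u})", ("escalated", amount, submitter, u, facts))
            if policy(facts, u, "reject"):
                yield ("reject", f"reject({u})", ("rejected", amount, submitter, u, facts))

def explore(policy):
    """Breadth-first reachability. Returns ({state: shortest trace}, fired actions)."""
    traces, fired, queue = {INIT: []}, set(), deque([INIT])
    while queue:
        s = queue.popleft()
        for action, label, t in successors(s, policy):
            fired.add(action)
            if t not in traces:
                traces[t] = traces[s] + [label]
                queue.append(t)
    return traces, fired

def unexecutable_actions(policy):
    """Executability: workflow actions enabled in no reachable state."""
    _, fired = explore(policy)
    return set(ACTIONS) - fired

def sod_violation(policy):
    """Invariant: at `approved`, the approver is never the submitter.
    Returns the shortest counterexample trace, or None if the invariant holds."""
    traces, _ = explore(policy)
    for (loc, _, submitter, actor, _), trace in traces.items():
        if loc == "approved" and actor == submitter:
            return trace
    return None

if __name__ == "__main__":
    print("never enabled:", unexecutable_actions(policy_sod))   # {'reject'}
    print("SoD policy:", sod_violation(policy_sod))              # None
    print("no-SoD policy:", sod_violation(policy_no_sod))        # ['submit(alice,500)', 'approve(alice)']
```

Two things the run shows that the abstract only states: `reject` is reported as never executable because no reachable fact set assigns the `auditor` role, a design defect visible only when policy and workflow are analysed together; and dropping the separation-of-duty clause from the policy yields a concrete two-step counterexample trace in which alice approves her own request, even though the workflow's control flow alone is unchanged.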
Part of this work was carried out while S. Ranise was employed at the Department of Computer Science of the University of Verona.
Cite this article
Barletta, M., Ranise, S. & Viganò, L. A declarative two-level framework to specify and verify workflow and authorization policies in service-oriented architectures. SOCA 5, 105–137 (2011). https://doi.org/10.1007/s11761-010-0073-4