Formal verification of business workflows and role based access control systems

Proceedings - The International Conference on Emerging Security Information, Systems, and Technologies, SECURWARE 2007

Volumn , Issue , 2007, Pages 201-210

  Dury, Arnaud ^a   Boroday, Sergiy ^a   Petrenko, Alexandre ^a   Lotz, Volkmar ^b  

^a Cent de Recherche Informatique de Montreal   (Canada)

^b SAP Labs   (France)

Author keywords

[No Author keywords available]

Indexed keywords

BUSINESS WORKFLOWS; COMBINED MODELING; FORMAL VERIFICATIONS; INTERNATIONAL CONFERENCES; MODEL CHECKERS; ROLE-BASED ACCESS CONTROL; SECURITY PROPERTIES; STATE EXPLOSIONS;

ACCESS CONTROL; IDENTIFICATION (CONTROL SYSTEMS); MODEL CHECKING; SECURITY SYSTEMS; TECHNOLOGY;

CONTROL SYSTEMS;

EID: 47949104986     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SECUREWARE.2007.4385334     Document Type: Conference Paper

References (33)

1. A. Dury, S. Boroday, A. Petrenko, V. Lotz, Model Checking Access Control in Business Workflow, Technical Report CRIM-06/10-11, CRIM, Montreal, November 2006.
2. T. Ruys, "Low-Fat Recipes for Spin", SPIN Model Checking and Software Verification: Proceedings of the 7th International SPIN Workshop, Springer Verlag, 2000.
3. J.E. Tidswell, T. Jaeger, "An access control model for simplifying constraint expression", 7th ACM conference on Computer and Communications Security, 2000.
4. M. Koch, F. Parisi-Presicce, "Visual specifications of policies and their verification", Workshop on Fundamental Approaches to Software Engineering, LNCS 2621, 2003.
5. A. Schaad, J. Moffett, "A lightweight approach to specification and analysis of role-based access control extensions", 7th ACM Symposium on Access Control Models and Technologies, 2002.
6. J. Zao, H. Wee. J .Chu, D. Jackson, "RBAC schema verification using lightweight formal model and constraint analysis", ACM Symposium on Access Control Models and Technologies, 2003.
7. M. Mankai, L. Logrippo, "Access control policies: modeling and validation", Notere, Conférence sur les Nouvelles technologies de la répartition, Canada, 2005.
8. G. Hughes, T. Bultan, Automated verification of access control policies, Technical Report 2004-22, University of California, Santa Barbara, 2004.
9. S. Park, G. Kwon, "Verification of UML-based security policy model", International Conference on Computational Science and its Applications, 2005.
10. T. Ahmed, A.R. Tripathi, "Static verification of security requirements in role based systems", 8th ACM Symposium on Access Control Models and Technologies, 2003.
11. F. Hansen, V. Oleshchuk, "Conformance checking of RBAC policy and its implementation", The First Information Security Practice and Experience Conference, LNCS 3439, 2005.
12. P. Herrmann, "Formal security policy verification of distributed component-structured software", 23rd IFIP Intl. Conf. on Formal Techniques for Networked and Distributed Systems, LNCS 2767, 2003.
13. N. Nguyen, J. Rathke, "Typed static analysis for concurrent policy-based resource access control", Unpublished draft, http://www.cogs.susx.ac.uk/users/julianr/pubs/dist-access.html, 2005.
14. J. Wainer, F. de Lima Bezerra, P. Barthelmess, "Tucupi: a flexible workflow system based on overridable constraints", ACM SIG Symposium on Applied Computing, 2004.
15. Woflan tool (on-line) http://is.tm.tue.nl/research/woflan/
16. W. Janssen, R. Mateescu, S. Mauw, P. Fennema, P. Stappen, "Model checking for managers", SPIN 1999.
17. M. Koshkina, F. van Breugel, Verification of business processes for web services, Technical Report CS-2003-11, York University Department of Computer Science, 2003.
18. WSAT Tool: http://www.cs.ucsb.edu/~su/WSAT/
19. P.K. Bose, M.G. Matthews, "Dynamic change in workflow-based coordination of distributed services", International Workshop on Self-Adaptive Software, 2001.
20. N. Li, Z. Bizri, M.V. Tripunitara, "On mutually-exclusive roles and separation of duty", ACM Conference on Computer and Communications Security, 2004.
21. J. Crampton, "Specifying and enforcing constraints in role-based access control", 8th ACM Symposium on Access Control Models and Technologies, 2003.
22. J. Rubio-Loyola, J. Serrat, M. Charalambides, P. Flegkas, G. Pavlou, "A functional solution for goal-oriented policy refinement", Seventh IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'06), 2006.
23. M. Covington, M. Moyer, M. Ahamad, "Generalized role-based access control for securing future applications", 23rd National Information Systems Security Conference, 2000.
24. S. Jha, N. Li, M. Tripunitara, Q. Wang, W. Winsborough, Security analysis and administrative insider threat assessment in role-based access control, CERIAS Tech Report 2005-77, Center for Education and Research in Information Assurance and Security, Purdue University, 2005.
25. N. Zhang, M. Ryan, D.P. Guelev, "Synthesising verified access control systems in XACML", ACM Workshop on Formal Methods in Security Engineering, 2004.
26. E.A. Emerson, Temporal and Modal Logic, In Handbook of Theoretical Computer Science, Volume B: Formal Models and Semantics, Elsevier, 1990.
27. E. Clarke, "Counterexample-guided abstraction refinement", Temporal Representation and Reasoning, Fourth International Conference on Temporal Logic, 2003.
28. M Nuttgens, T. Feld, V. Zimmermann, "Business Process Modeling with EPC and UML: Transformation or Integration?", Proceedings of Unified Modeling Language - Technical Aspects and Applications, 1997.
29. J. Bacon, K. Moody, W. Yao, "A model of OASIS role-based access control and its support for active security":, ACM Trans. Inf. Syst. Secur., 2002.
30. D.F. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn, R. Chandramouli, "Proposed NIST Standard for Role-Based Access Control", ACM Transactions on Information and System Security, Vol.4, 2001.
31. DP Guelev, M Ryan, PY Schobbens, Information Security, "Model-checking access control policies", pp219-230, 2004.
32. M. Drouineaud, A. Luder, K. Sohr, "A role based access control model for agent based control systems", Proceedings of the IEEE International Conference on Industrial Informatics, 2003.
33. K. Fisler, S. Krishnamurthi, L.A. Meyerovich, M.C. Tschantz, "Change management: verification and change-impact analysis of access-control policies", 27th Intl. Conf. on Software engineering, 2005.