Modeling and enforcing secure object flows in process-driven SOAs: An integrated model-driven approach

Software and Systems Modeling

Volumn 13, Issue 2, 2014, Pages 513-548

  Hoisl, Bernhard ^a,b   Sobernig, Stefan ^a   Strembeck, Mark ^a,b  

^a VIENNA UNIVERSITY OF ECONOMICS AND BUSINESS   (Austria)

^b Secure Business Austria Research (SBA Research)   (Austria)

Author keywords

Model driven development; Process modeling; Secure object flows; Security engineering; Service oriented architecture; SoaML; UML; Web services

Indexed keywords

ELECTRONICS INDUSTRY; INFORMATION SERVICES; MODELING LANGUAGES; PROCESS ENGINEERING; WEB SERVICES;

MODEL DRIVEN DEVELOPMENT; OBJECT FLOW; PROCESS MODELING; SECURITY ENGINEERING; SOAML;

SERVICE ORIENTED ARCHITECTURE (SOA);

EID: 84899976809     PISSN: 16191366     EISSN: 16191374     Source Type: Journal    
DOI: 10.1007/s10270-012-0263-y     Document Type: Article

References (97)

1. Apache Software Foundation (ASF): Apache Axis2. http://axis. apache. org/axis2/java/core/ (2012).
2. Apache Software Foundation (ASF): Apache ODE. http://ode. apache. org (2012).
3. Apache Software Foundation (ASF): Apache Rampart-Axis2 Security Module. http://axis. apache. org/axis2/java/rampart/ (2012).
4. Axenath, B., Kindler, E., Rubin, V.: AMFIBIA: a meta-model for the integration of business process modelling aspects. In: Leymann, F., Reisig, W., Thatte, S., van der Aalst, W. (eds.) The Role of Business Processes in Service Oriented Architectures, Dagstuhl Seminar Proceedings (2006).
5. Basin, D., Doser, J., Lodderstedt, T.: Model driven security: from UML models to access control infrastructures. ACM Transact. Softw. Eng. Methodol. (TOSEM) 15(1), 39-91 (2006).
6. Baumgrass, A., Baier, T., Mendling, J., Strembeck, M.: Conformance checking of RBAC policies in process-aware information systems. In: Proceedings of the Workshop on Workflow Security Audit and Certification (WfSAC), Lecture Notes in Business Information Processing (LNBIP), vol. 100. Springer, Berlin (2011).
7. Cannon, J., Byers, M.: Compliance deconstructed. ACM Queue 4(7), 30-37 (2006).
8. Committee on National Security Systems (CNSS): National Information Assurance (IA): glossary. http://www. cnss. gov/Assets/pdf/cnssi_4009. pdf (2010).
9. Damianides, M.: How does SOX change IT? J. Corp. Account. Finance 15(6), 35-41 (2004).
10. Eclipse Foundation: Eclipse IDE. http://www. eclipse. org (2012).
11. Eclipse Foundation: Eclipse model development tools (MDT). http://www. eclipse. org/modeling/mdt/ (2012).
12. Eclipse Foundation: Eclipse Papyrus. http://www. eclipse. org/modeling/mdt/papyrus/ (2012).
13. Elvesæter, B., Berre, A.-J., Sadovykh, A.: Specifying services using the service oriented architecture modeling language (SoaML)-a baseline for specification of cloud-based services. In: Proceedings of the 1st International Conference on Cloud Computing and Services Science (CLOSER'11), pp. 276-285. SciTePress (2011).
14. Elvesæter, B., Carrez, C., Mohagheghi, P., Berre, A.-J., Johnsen, S., Solberg, A.: Model-driven service engineering with SoaML. In: Service Engineering-European Research Results, pp. 25-54. Springer, Berlin (2011).
15. Fink, T., Koch, M., Pauls, K.: An MDA approach to access control specifications using MOF and UML profiles. In: Electronic Notes in Theoretical Computer Science, pp. 161-179 (2006).
16. International Organization for Standardization (ISO): Information technology: security techniques-code of practice for information security management, ISO/IEC 27002: 2005, Stage: 90. 92. http://www. iso. org/iso/iso_catalogue/catalogue_tc/catalogue_detail. htm?csnumber=50297 (2008).
17. International Organization for Standardization (ISO): Information technology: security techniques-information security management systems-requirements, ISO/IEC 27001: 2005, Stage: 90. 92. http://www. iso. org/iso/iso_catalogue/catalogue_tc/catalogue_detail. htm?csnumber=42103 (2008).
18. International Organization for Standardization (ISO): Information technology-security techniques-information security management systems-overview and vocabulary, ISO/IEC 27000: 2009, Stage: 60. 60. http://www. iso. org/iso/iso_catalogue/catalogue_tc/catalogue_detail. htm?csnumber=41933 (2009).
19. Foster, H., Gönczy, L., Koch, N., Mayer, P., Montangero, C., Varró, D. UML extensions for service-oriented systems. In: Wirsing, M., Hölzl, M. (eds.) Rigorous Software Engineering for Service-Oriented Systems, Lecture Notes in Computer Science (LNCS), pp. 35-60. Springer, Berlin (2011).
20. Gilmore, S., Gönczy, L., Koch, N., Mayer, P., Tribastone, M., Varró, D.: Non-functional properties in the model-driven development of service-oriented systems. Softw. Syst. Model. 10(3), 287-311 (2011).
21. Hafner, M., Alam, M., Breu, R.: Towards a MOF/QVT-based domain architecture for model driven security. In: Proceedings of the 9th International Conference on Model Driven Engineering Languages and Systems (MODELS 2006), Lecture Notes in Computer Science (LNCS), pp. 275-290. Springer, Berlin (2006).
22. Hafner, M., Breu, R.: Security Engineering for Service-Oriented Architectures, 1st edn. Springer, Berlin (2009).
23. Hafner, M., Breu, R., Agreiter, B., Nowak, A.: SECTET: an extensible framework for the realization of secure inter-organizational workflows. Internet Res. 16(5), 491-506 (2006).
24. Hafner, M., Memon, M., Alam, M.: Modeling and enforcing advanced access control policies in healthcare systems with SECTET. In: Giese, H. (ed.) Models in Software Engineering, pp. 132-144. Springer, Berlin (2008).
25. Hentrich, C., Zdun, U.: A pattern language for process execution and integration design in service-oriented architectures. In: Noble, J., Johnson, R. (eds.) Transactions on Pattern Languages of Programming I, Lecture Notes in Computer Science (LNCS), pp. 136-191. Springer, Berlin (2009).
26. Hoisl, B., Sobernig, S.: Integrity and confidentiality annotations for service interfaces in SoaML models. In: Proceedings of the International Workshop on Security Aspects of Process-aware Information Systems (SAPAIS2011), pp. 673-679. IEEE (2011).
27. Hoisl, B., Strembeck, M.: Modeling support for confidentiality and integrity of object flows in activity models. In: Proceedings of the 14th International Conference on Business Information Systems (BIS2011), Lecture Notes in Business Information Processing (LNBIP), pp. 278-289. Springer, Berlin (2011).
28. Hoisl, B., Strembeck, M.: A UML extension for the model-driven specification of audit rules. In: Proceedings of the 2nd International Workshop on Information Systems Security Engineering (WISSE), Lecture Notes in Business Information Processing (LNBIP). Springer, Berlin (2012).
29. Huhns, M., Singh, M.: Service-oriented computing: key concepts and principles. IEEE Internet Comput. 9, 75-81 (2005).
30. Hummer, W., Gaubatz, P., Strembeck, M., Zdun, U., Dustdar, S.: An integrated approach for identity and access management in a SOA context. In: Proceedings of the 16th ACM Symposium on Access Control Models and Technologies (SACMAT) (2011).
31. Jensen, M., Feja, S.: A security modeling approach for web-service-based business processes. In: Proceedings of the 16th Annual IEEE International Conference and Workshop on the Engineering of Computer Based Systems, pp. 340-347. IEEE (2009).
32. Jürjens, J.: UMLsec: extending UML for secure systems development. In: Proceedings of the 5th International Conference on The Unified Modeling Language, pp. 412-425. Springer, Berlin (2002).
33. Jürjens, J.: Secure Systems Development with UML. Springer, Berlin (2005).
34. Kim, S., Burger, D., Carrington, D.: An MDA approach towards integrating formal and informal modeling languages. In: Proceedings of the International Symposium of Formal Methods Europe, Lecture Notes in Computer Science (LNCS), vol. 3582, pp. 448-464. Springer, Berlin (2005).
35. Kopp, O., Martin, D., Wutke, D., Leymann, F.: The difference between graph-based and block-structured business process modelling languages. Enterp. Model. Inf. Syst. 4(1), 3-13 (2009).
36. Mayer, P.: Model-driven development for service-oriented computing-transformers. http://mdd4soa. eu/transformers/ (2008).
37. Mayer, P.: MDD4SOA-model-driven development for service-oriented architectures. PhD thesis, Ludwig Maximilian University of Munich, Faculty of Mathematics, Computer Science and Statistics (2010).
38. Mayer, P., Koch, N., Schröder, A., Knapp, A.: The UML4SOA profile. http://www. uml4soa. eu/wp-content/uploads/uml4soa. pdf (2010).
39. Mayer, P., Schröder, A., Koch, N.: MDD4SOA: model-driven service orchestration. In: Proceedings of the 12th International IEEE Enterprise Distributed Object Computing Conference, pp. 203-212. IEEE (2008).
40. Memon, M., Hafner, M., Breu, R.: SECTISSIMO: a platform-independent framework for security services. In: Proceedings of the Modeling Security Workshop in Association with MODELS 2008 (2008).
41. Mendling, J., Lassen, K., Zdun, U.: On the transformation of control flow between block-oriented and graph-oriented process modeling languages. Int. J. Business Process Integr. Manag. 3(2), 96-108 (2008).
42. Mens, T., van Gorp, P.: A taxonomy of model transformation. Electron. Notes Theor. Comput. Sci. 152, 125-142 (2006).
43. Mishra, S., Weistroffer, H.: A framework for integrating Sarbanes-Oxley compliance into the systems development process. Commun. Assoc. Inf. Systems (CAIS) 20(1), 712-727 (2007).
44. Nakamura Y., Tatsubori M., Imamura T., Ono K.: Model-driven security based on a web services security architecture. In: Proceedings of the IEEE International Conference on Services Computing, pp. 7-15. IEEE (2005).
45. National Institute of Standards and Technology (NIST): An Introduction to Computer Security: The NIST Handbook. Special Publication 800-12. http://csrc. nist. gov/publications/nistpubs/800-12/handbook. pdf (1995).
46. National Institute of Standards and Technology (NIST): Data Encryption Standard (DES). Federal Information Processing Standards Publication 46-3. http://csrc. nist. gov/publications/fips/fips46-3/fips46-3. pdf (1999).
47. National Institute of Standards and Technology (NIST): Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197. http://csrc. nist. gov/publications/fips/fips197/fips-197. pdf (2001).
48. National Institute of Standards and Technology (NIST): Secure Hash Standard (SHS). Federal Information Processing Standards Publication 180-3. http://csrc. nist. gov/publications/fips/fips180-3/fips180-3_final. pdf (2008).
49. National Institute of Standards and Technology (NIST): Recommended Security Controls for Federal Information Systems and Organizations. NIST Special Publication 800-53, Revision 3. http://csrc. nist. gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010. pdf (2009).
50. National Security Agency (NSA): Information assurance technical framework. http://handle. dtic. mil/100. 2/ADA393328 (2000).
51. No Magic, Inc.: MacigDraw. https://www. magicdraw. com (2012).
52. Object Management Group: OMG Business Process Model and Notation (BPMN) Specification, Version 2. 0, formal/2011-01-03. http://www. omg. org/spec/BPMN (2011).
53. Object Management Group: OMG Meta Object Facility (MOF) Core Specification, Version 2. 4. 1, formal/2011-08-07. http://www. omg. org/mof (2011).
54. Object Management Group: Meta Object Facility (MOF) 2. 0 Query/View/Transformation Specification, Version 1. 1, formal/2011-01-01. http://www. omg. org/spec/QVT (2011).
55. Object Management Group: OMG MOF 2 XMI Mapping Specification, Version 2. 4. 1, formal/2011-08-09. http://www. omg. org/spec/XMI (2011).
56. Object Management Group: OMG Object Constraint Language (OCL) Specification, Version 2. 2, formal/2010-02-01. http://www. omg. org/spec/OCL (2010).
57. Object Management Group: OMG Object Constraint Language (OCL) Specification, Version 2. 3. 1, formal/2012-01-01. http://www. omg. org/spec/OCL (2012).
58. Object Management Group: OMG Service oriented architecture Modeling Language (SoaML) Specification, Version 1. 0 Beta 2, ptc/2009-12-09. http://www. omg. org/spec/SoaML (2009).
59. Object Management Group: OMG Unified Modeling Language (OMG UML): superstructure, Version 2. 4. 1, formal/2011-08-06. http://www. omg. org/spec/UML (2011).
60. Object Management Group: OMG Unified Modeling Language (OMG UML): infrastructure, Version 2. 4. 1, formal/2011-08-05. http://www. omg. org/spec/UML (2011).
61. Organization for the Advancement of Structured Information Standards (OASIS): Web Services Business Process Execution Language, Version 2. 0. http://docs. oasis-open. org/wsbpel/2. 0/OS/wsbpel-v2. 0-OS. pdf (2007).
62. Organization for the Advancement of Structured Information Standards (OASIS): Reference Architecture Foundation for Service Oriented Architecture, Version 1. 0. http://docs. oasis-open. org/soa-rm/soa-ra/v1. 0/soa-ra-cd-02. pdf (2009).
63. Organization for the Advancement of Structured Information Standards (OASIS): WS-SecurityPolicy 1. 3. http://docs. oasis-open. org/ws-sx/ws-securitypolicy/v1. 3/os/ws-securitypolicy-1. 3-spec-os. pdf (2009).
64. Papazoglou, M., Traverso, P., Dustdar, S., Leymann, F.: Service-oriented computing: state of the art and research challenges. IEEE Comput. 40, 38-45 (2007).
65. Reznik, J., Ritter, T., Schreiner, R., Lang, U.: Model driven development of security aspects. Electron. Notes Theo. Comput. Sci. 163, 65-79 (2007).
66. Rodríguez, A., Fernández-Medina, E., Trujillo, J., Piattini, M.: Secure business process model specification through a UML 2. 0 activity diagram profile. Decis. Support Syst. 51(3), 446-465 (2011).
67. Rodríguez, A., García-Rodríguez de Guzmán, I., Fernández-Medina, E., Piattini, M.: Semi-formal transformation of secure business processes into analysis class and use case models: an MDA approach. Inform. Softw. Technol. 52, 945-971 (2010).
68. Sánchez, Ó., Molina, F., García-Molina, J., Toval, A.: ModelSec: a generative architecture for model-driven security. J. Univ. Comput. Sci. 15(15), 2957-2980 (2009).
69. Sandhu, R.: On five definitions of data integrity. In: Proceedings of the IFIP WG11. 3 Working Conference on Database Security VII (1993).
70. Scheer, A.-W.: ARIS: Business Process Modeling. Springer, Berlin (2000).
71. Schefer, S., Strembeck, M.: Modeling process-related duties with extended UML activity and interaction diagrams. In: Proceedings of the International Workshop on Flexible Workflows in Distributed Systems, Electronic Communications of the EASST (2011).
72. Schefer, S., Strembeck, M.: Modeling support for delegating roles, tasks, and duties in a process-related RBAC context. In: Proceedings of the International Workshop on Information Systems Security Engineering (WISSE), Lecture Notes in Business Information Processing (LNBIP), vol. 83. Springer, Berlin (2011).
73. Schefer, S., Strembeck, M., Mendling, J.: Checking satisfiability aspects of binding constraints in a business process context. In: Proceedings of the Workshop on Workflow Security Audit and Certification (WfSAC), Lecture Notes in Business Information Processing (LNBIP), vol. 100. Springer, Berlin (2011).
74. Schefer, S., Strembeck, M., Mendling, J., Baumgrass, A.: Detecting and resolving conflicts of mutual-exclusion and binding constraints in a business process context. In: Proceedings of the 19th International Conference on Cooperative Information Systems (CoopIS), Lecture Notes in Computer Science (LNCS), vol. 7044. Springer, Berlin (2011).
75. Schefer-Wenzl, S., Strembeck, M.: An approach for consistent delegation in process-aware information systems. In: Proceedings of the 15th International Conference on Business Information Systems (BIS), Lecture Notes in Business Information Processing (LNBIP). Springer, Berlin (2012).
76. Schefer-Wenzl, S., Strembeck, M.: Modeling context-aware RBAC models for business processes in ubiquitous computing environments. In: Proceedings of the 3rd International Conference on Mobile, Ubiquitous and Intelligent Computing (MUSIC) (2012).
77. Schmidt, D.: Model-driven engineering: guest editor's introduction. IEEE Comput. 39(2), 25-31 (2006).
78. Schmidt, H., Jürjens, J.: Connecting security requirements analysis and secure design using patterns and UMLsec. In: Proceedings of the 23rd International Conference on Advanced Information Systems Engineering (CAiSE), Lecture Notes in Computer Science (LNCS), pp. 367-382. Springer, Berlin (2011).
79. Selic, B.: The pragmatics of model-driven development. IEEE Softw. 20(5), 19-25 (2003).
80. Sendall, S., Kozaczynski, W.: Model transformation: the heart and soul of model-driven software development. IEEE Softw. 20(5), 42-45 (2003).
81. Sobernig, S., Zdun, U.: Invocation assembly lines: patterns of invocation and message processing in object remoting middleware. In: Kelly, A., Weiss, M. (eds.) Proceedings of 14th Annual European Conference on Pattern Languages of Programming (EuroPLoP 2009), CEUR-WS. org, vol. 566. (2009).
82. Stahl, T., Völter, M.: Model-Driven Software Development. Wiley, New York (2006).
83. Steinberg, D., Budinsky, F., Paternostro, M., Merks, E.: EMF: Eclipse Modeling Framework. Addison-Wesley, Boston (2008).
84. Strembeck, M., Mendling, J.: Generic algorithms for consistency checking of mutual-exclusion and binding constraints in a business process context. In: Proceedings of the 18th International Conference on Cooperative Information Systems (CoopIS), Lecture Notes in Computer Science (LNCS), vol. 6426. Springer, Berlin (2010).
85. Strembeck, M., Mendling, J.: Modeling process-related RBAC models with extended UML activity models. Inform. Softw. Technol. 53(5), 456-483 (2011).
86. Tatsubori, M., Imamura, T., Nakamura, Y.: Best-practice patterns and tool support for configuring secure web services messaging. In: Proceedings of the IEEE International Conference on Web Services, pp. 244-251. IEEE (2004).
87. Warner, J., Atluri, V.: Inter-instance authorization constraints for secure workflow management. In: Proceedings of the 11th ACM Symposium on Access Control Models and Technologies (SACMAT) (2006).
88. Wenzel, S.: CARiSMA. http://vm4a003. itmc. tu-dortmund. de/carisma/web/doku. php (2012).
89. Wolter, C., Menzel, M., Meinel, C.: Modelling security goals in business processes. In Modellierung 2008, Lecture Notes in Informatics (LNI), pp. 197-212 (2008).
90. Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirement specification. J. Systems Archit. 55(4), 211-223 (2009).
91. Wolter, C., Schaad, A.: Modeling of task-based authorization constraints in BPMN. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) Proceedings of the 5th International Conference on Business Process Management (BPM), volume 4714 of Lecture Notes in Computer Science (LNCS), pp. 64-79. Springer, Berlin (2007).
92. World Wide Web Consortium (W3C): Web Services Description Language (WSDL) 1. 1. http://www. w3. org/TR/wsdl (2001).
93. World Wide Web Consortium (W3C): Web Services Policy 1. 5, Attachment. http://www. w3. org/TR/ws-policy-attach/ (2007).
94. World Wide Web Consortium (W3C): Web Services Policy 1. 5, Framework. http://www. w3. org/TR/ws-policy/ (2007).
95. Zdun, U.: Patterns of component and language integration. In: Manolescu, D., Völter, M., Noble, J. (eds.) Pattern Languages of Program Design 5 (2006).
96. Zdun, U., Dustdar, S.: Model-driven and pattern-based integration of process-driven SOA models. Int. J. Business Process Integr. Manag. (IJBPIM) 2(2), 109-119 (2007).
97. Zdun, U., Hentrich, C., Dustdar, S.: Modeling process-driven and service-oriented architectures using patterns and pattern primitives. ACM Transact. Web 1(3), 14: 1-14: 44 (2007).