Information leak detection in business process models: Theory, application, and tool support

Information Systems

Volumn 47, Issue , 2015, Pages 244-257

  Accorsi, Rafael ^a   Lehmann, Andreas ^b   Lohmann, Niels ^b  

^a UNIVERSITY OF FREIBURG   (Germany)

^b UNIVERSITY OF ROSTOCK   (Germany)

Author keywords

Automated analysis; Business process security; Software and process engineering

Indexed keywords

AUTOMATED ANALYSIS; BUSINESS PROCESS; BUSINESS PROCESS MODEL; INFORMATION LEAK DETECTIONS; TOOL SUPPORT;

EID: 84908220797     PISSN: 03064379     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.is.2013.12.006     Document Type: Article

References (57)

1. R. Accorsi, A. Lehmann, Automatic information flow analysis of business process models, in: BPM 2012, Lecture Notes in Computer Science, vol. 7481, Springer, Heidelberg, Germany, 2012, pp. 172-187.
2. L. Lowis, and R. Accorsi Vulnerability analysis in SOA-based business processes IEEE Trans. Serv. Comput. 4 3 2011 230 242
3. ISO/IEC, ISO/IEC Information Security Management System 27001, 2005 〈 www.27000.org/iso-27001.htm 〉.
4. DoD, Trusted computer security evaluation criteria, 1983 〈 http://csrc.nist.gov/publications/histroy/dod85.pdf 〉.
5. A. Armando, and S. Ranise Automated analysis of infinite state workflows with access control policies C. Meadows, C. Fernandez-Gago, Security and Trust Management, Lecture Notes in Computer Science vol. 7170 2012 Springer Berlin, Heidelberg 157 174
6. V. Atluri, S.A. Chun, P. Mazzoleni, A Chinese wall security model for decentralized workflow systems, in: Proceedings of the 8th ACM Conference on Computer and Communications Security, CCS '01, ACM, New York, NY, USA, 2001, pp. 48-57.
7. K. Barkaoui, R. Ben Ayed, H. Boucheneb, A. Hicheur, Verification of workflow processes under multilevel security considerations, in: Third International Conference on Risks and Security of Internet and Systems, 2008. CRiSIS '08, 2008, pp. 77-84.
8. W.R. Harris, N.A. Kidd, S. Chaki, S. Jha, T. Reps, Verifying information flow control over unbounded processes, in: Proceedings of the 2nd World Congress on Formal Methods, FM '09, Springer-Verlag, Berlin, Heidelberg, 2009, pp. 773-789.
9. M. Kovács, and H. Seidl Runtime enforcement of information flow security in tree manipulating processes G. Barthe, B. Livshits, R. Scandariato, Engineering Secure Software and Systems, Lecture Notes in Computer Science vol. 7159 2012 Springer Berlin, Heidelberg 46 59
10. S. Röhrig, and K. Knorr Security analysis of electronic business processes Electron. Commer. Res. 4 2004 59 81
11. D.E. Denning, and P.J. Denning Certification of programs for secure information flow Commun. ACM 20 7 1977 504 513
12. N. Lohmann, H. Verbeek, R.M. Dijkman, Petri net transformations for business processes - a survey, in: Lecture Notes in Computer Science, ToPNoC II, vol. 5460, 2009, pp. 46-63.
13. N. Busi, and R. Gorrieri Structural non-interference in elementary and trace nets Math. Struct. Comput. Sci. 19 6 2009 1065 1090
14. R. Accorsi, C. Wonnemann, Strong non-leak guarantees for workflow models, in: W.C. Chu, W.E. Wong, M.J. Palakal, C.-C. Hung (Eds.), SAC, ACM, USA, 2011, pp. 308-314.
15. R. Accorsi, C. Wonnemann, S. Dochow, SWAT: A security workflow toolkit for reliably secure process-aware information systems, in: ARES 2011, IEEE, USA, 2011, pp. 692-697.
16. S. Frau, R. Gorrieri, C. Ferigato, Petri net security checker: structural non-interference at work, in: FAST 2008, Lecture Notes in Computer Science, vol. 5491, Springer, Heidelberg, 2008, pp. 210-225.
17. T. Murata Petri nets properties, analysis and applications Proc. IEEE 77 4 1989 541 580
18. K. Wolf Generating Petri net state spaces J. Kleijn, A. Yakovlev, ICATPN 2007, Lecture Notes in Computer Science vol. 4546 2007 Springer Heidelberg 29 42
19. A. Lehmann, N. Lohmann, Modeling wizard for confidential business processes, in: R. Accorsi, R. Matulevicius (Eds.), 1st Joint International Workshop on Security in Business Processes (SBP'12), Tallinn, 3 September 2012, Proceedings, 2012, LNBIP, 10.1007/978-3-642-36285-9-67.
20. B. Lampson A note on the confinement problem Commun. ACM 16 10 1973 613 615
21. F. Gallegos, and S. Senft Information Technology Control and Audit 2004 Auerbach Publications Boca Raton, USA
22. T. Ristenpart, E. Tromer, H. Shacham, and S. Savage Hey, you, get off of my cloud exploring information leakage in third-party compute clouds E. Al-Shaer, S. Jha, A.D. Keromytis, ACM Conference on Computer and Communications Security 2009 ACM USA 199 212
23. M. Pearce, S. Zeadally, and R. Hunt Virtualization issues, security threats, and solutions ACM Comput. Surv. 45 2 2013 17:1 17:39
24. S. Chen, R. Wang, X. Wang, K. Zhang, Side-channel leaks in web applications: a reality today, a challenge tomorrow, in: IEEE Symposium on Security and Privacy, IEEE, USA, 2010, pp. 191-206.
25. S. Subashini, and V. Kavitha A survey on security issues in service delivery models of cloud computing J. Netw. Comput. Appl. 34 1 2011 1 11
26. A. Shabtai, Y. Elovici, and L. Rokach A Survey of Data Leakage Detection and Prevention Solutions 2012 Springer New York, USA
27. R. Accorsi, On process rewriting for business process security, in: International Symposium on Data-driven Process Discovery and Analysis, CEUR Workshop Proceedings, CEUR-WS.org, vol. 1027, 2013, pp. 111-126.
28. R. Accorsi, and C. Wonnemann Indico information flow analysis of business processes for confidentiality requirements J. Cuéllar, J. Lopez, G. Barthe, A. Pretschner, STM, Lecture Notes in Computer Science vol. 6710 2010 Springer 194 209
29. D.E. Denning A lattice model of secure information flow Commun. ACM 19 5 1976 236 243
30. M. Benantar Access Control Systems 2006 Springer New York, USA
31. R.J. Anderson Security engineering - a guide to building dependable distributed systems 2nd ed. 2008 Wiley Indianapolis, USA
32. J. Biskup Security in Computing Systems - Challenges, Approaches and Solutions 2009 Springer Heidelberg, Germany
33. W.M.P.v.d. Aalst The application of Petri nets to workflow management J. Circuits Syst. Comput. 8 1 1998 21 66
34. R. Focardi, and R. Gorrieri Classification of security properties (Part i: Information flow) R. Focardi, R. Gorrieri, FOSAD, Lecture Notes in Computer Science vol. 2171 2000 Springer Heidelberg, Germany 331 396
35. A. Sabelfeld, and A.C. Myers Language-based information-flow security IEEE J. Selected Areas Commun. 21 1 2003 5 19
36. R. Gorrieri, and M. Vernali On intransitive non-interference in some models of concurrency A. Aldini, R. Gorrieri, Foundations of Security Analysis and Design VI, Lecture Notes in Computer Science vol. 6858 2011 Springer Berlin, Heidelberg 125 151
37. N. Lohmann, K. Wolf, How to implement a theory of correctness in the area of business processes and services, in: R. Hull, J. Mendling, S. Tai (Eds.), Business Process Management, 8th International Conference, BPM 2010, Hoboken, NJ, USA, September 14-16, 2010, Proceedings, Lecture Notes in Computer Science, vol. 6336, Springer-Verlag, 2010, pp. 61-77.
38. N. Lohmann, S. Mennicke, C. Sura, The Petri Net API: a collection of Petri net-related functions, in: M. Schwarick, M. Heiner (Eds.), Proceedings of the 17th German Workshop on Algorithms and Tools for Petri Nets (AWPN 2010), Cottbus, Germany, October 7-8, 2010, CEUR Workshop Proceedings, CEUR-WS.org, vol. 643, 2010, pp. 148-155.
39. D. Fahland, C. Favre, J. Koehler, N. Lohmann, H. Völzer, and K. Wolf Analysis on demand instantaneous soundness checking of industrial business process models Data Knowl. Eng. 70 5 2011 448 466
40. V. Atluri, and J. Warner Security for workflow systems M. Gertz, S. Jajodia, Handbook of Database Security 2008 Springer US 213 230
41. I. Attali, D. Caromel, L. Henrio, and F.L. Del Aguila Secured information flow for asynchronous sequential processes Electron. Notes Theor. Comput. Sci. 180 1 2007 17 34
42. B. Shafiq, A. Masood, J. Joshi, A. Ghafoor, A role-based access control policy verification framework for real-time systems, in: Proceedings of the 10th IEEE International Workshop on Object-Oriented Real-Time Dependable Systems, WORDS '05, IEEE Computer Society, Washington, DC, USA, 2005, pp. 13-20.
43. H. Sun, X. Wang, J. Yang, Y. Zhang, Authorization policy based business collaboration reliability verification, in: A. Bouguettaya, I. Krüger, T. Margaria (Eds.), International Conference on Service-Oriented Computing, Lecture Notes in Computer Science, vol. 5364, 2008, pp. 579-584.
44. H. Sun, J. Yang, W. Zhao, and S. Nepal SOAC-Net a model to manage service-based business process authorization L.E. Moser, M. Parashar, P.C.K. Hung, IEEE International Conference on Services Computing 2012 IEEE USA 376 383
45. Z.-L. Zhang, F. Hong, H.-J. Xiao, Verification of strict integrity policy via Petri nets, in: International Conference on Systems and Networks Communications, 2006. ICSNC '06, 2006, p. 23.
46. H. Huang, and H. Kirchner Formal specification and verification of modular security policy based on colored Petri nets IEEE Trans. Dependable Secur. Comput. 8 2011 852 865
47. Y. Lu, L. Zhang, and J. Sun Using colored Petri nets to model and analyze workflow with separation of duty constraints J. Adv. Manuf. Technol. 40 2009 179 192
48. B. Katt, X. Zhang, and M. Hafner Towards a usage control policy specification with Petri nets R. Meersman, T.S. Dillon, P. Herrero, OTM Conferences (2), Lecture Notes in Computer Science vol. 5871 2009 Springer 905 912
49. R. Accorsi, L. Lowis, and Y. Sato Automated certification for compliant cloud-based business processes Bus. Inf. Syst. Eng. 3 3 2011 145 154
50. D.E. Bell, L.J. LaPadula, Secure Computer Systems: Mathematical Foundations, Technical Report, MITRE Corporation, March 1973.
51. K. Juszczyszyn, Verifying enterprise's mandatory access control policies with coloured Petri nets, in: Proceedings of the Twelfth IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 2003. WET ICE 2003, 2003, pp. 184-189.
52. R. Accorsi, and C. Wonnemann Detective information flow analysis for business processes W. Abramowicz, L.A. Maciaszek, R. Kowalczyk, A. Speck, Business Process, Services Computing and Intelligent Service Management, Lecture Notes in Informatics (LNI), Gesellschaft für Informatik vol. 147 2009 223 224
53. S. Pfeiffer, S. Unger, D. Timmermann, A. Lehmann, Secure information flow awareness for smart wireless ehealth systems, in: 2012 9th International Multi-Conference on Systems, Signals and Devices (SSD), 2012, pp. 1-6.
54. R. Accorsi, and T. Stocker On the exploitation of process mining for security audits the conformance checking case S. Ossowski, P. Lecca, SAC 2012 ACM USA 1709 1716
55. E. Best, P. Darondeau, R. Gorrieri, On the decidability of non interference over unbounded Petri nets, in: K. Chatzikokolakis, V. Cortier (Eds.), International Workshop on Security Issues in Concurrency of EPTCS, vol. 51, 2010, pp. 16-33.
56. A. Valmari, Stubborn sets for reduced state space generation, in: APN, Lecture Notes in Computer Science, vol. 483, Springer, Heidelberg, Germany, 1990, pp. 491-515.
57. E. Best, and P. Darondeau Deciding selective declassification of Petri nets P. Degano, J.D. Guttman, Conference on Principles of Security and Trust, Lecture Notes in Computer Science vol. 7215 2012 Springer Heidelberg, Germany 290 308