Possibilistic information flow security of workflow management systems

Publikation

Thomas Bauereiß; Dieter Hutter

In: First International Workshop on Graphical Models for Security. International Workshop on Graphical Models for Security (GramSec-2014), located at European Joint Conferences on Theory and Practice of Software, April 5-13, Grenoble, France, EPTCS, Vol. 148, Electronic Proceedings in Theoretical Computer Science, 2014.

Zusammenfassung

In workflows and business processes, there are often security requirements on both the data, i.e. confidentiality and integrity, and the process, e.g. separation of duty. Graphical notations exist for specifying both workflows and associated security requirements. We present an approach for formally verifying that a workflow system satisfies such security requirements. For this purpose, we define the semantics of a workflow as a state-event system and formalise security properties in a trace-based way, i.e. on an abstract level without depending on details of enforcement mechanisms such as Role-Based Access Control (RBAC). This formal model then allows us to build upon wellknown verification techniques for information flow control. We describe how a compositional verification methodology for possibilistic information flow can be adapted to verify that a specification of a distributed workflow management system satisfies security requirements on both data and processes.

Projekte

MORES - Modelling and Refinement of Security Requirements on Data and Processes

WorkflowSecurity_TR.pdf (pdf, 346 KB )

Possibilistic information flow security of workflow management systems

Zusammenfassung

Projekte

Folgen Sie uns auf:

Herausgeber

Newsletter

Standorte