Model checking of security-sensitive business processes

Authors:
Alessandro Armando;Serena Elisa Ponta
Affiliations:
DIST, Università di Genova, Italy;DIST, Università di Genova, Italy
Venue:
FAST'09 Proceedings of the 6th international conference on Formal Aspects in Security and Trust
Year:
2009

Citing 12
Cited 4

Role-Based Access Control Models

Computer
An action language based on causal explanation: preliminary report

AAAI '98/IAAI '98 Proceedings of the fifteenth national/tenth conference on Artificial intelligence/Innovative applications of artificial intelligence
Petri Net Theory and the Modeling of Systems

Petri Net Theory and the Modeling of Systems
Planning as Satisfiability in Nondeterministic Domains

Proceedings of the Seventeenth National Conference on Artificial Intelligence and Twelfth Conference on Innovative Applications of Artificial Intelligence
Supporting conditional delegation in secure workflow management systems

Proceedings of the tenth ACM symposium on Access control models and technologies
A model-checking approach to analysing organisational controls in a loan origination process

Proceedings of the eleventh ACM symposium on Access control models and technologies
LTL Model Checking for Security Protocols

CSF '07 Proceedings of the 20th IEEE Computer Security Foundations Symposium
Formal Verification of Business Workflows and Role Based Access Control Systems

SECUREWARE '07 Proceedings of the The International Conference on Emerging Security Information, Systems, and Technologies
SAT-based model-checking for security protocols analysis

International Journal of Information Security
Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps

Proceedings of the 6th ACM workshop on Formal methods in security engineering
Verification of Business Process Entailment Constraints Using SPIN

ESSoS '09 Proceedings of the 1st International Symposium on Engineering Secure Software and Systems
The AVISPA tool for the automated validation of internet security protocols and applications

CAV'05 Proceedings of the 17th international conference on Computer Aided Verification

On the verification of security-aware E-services

Journal of Symbolic Computation
Automated analysis of infinite state workflows with access control policies

STM'11 Proceedings of the 7th international conference on Security and Trust Management
Constraint expressions and workflow satisfiability

Proceedings of the 18th ACM symposium on Access control models and technologies
A systematic review on security in Process-Aware Information Systems - Constitution, challenges, and future directions

Information and Software Technology

Quantified Score

Hi-index	0.00

Visualization

Abstract

Security-sensitive business processes are business processes that must comply with security requirements (e.g. authorization constraints). In previous works it has been shown that model checking can be profitably used for the automatic analysis of security-sensitive business processes. But building a formal model that simultaneously accounts for both the workflow and the access control policy is a time consuming and error-prone activity. In this paper we present a new approach to model checking security-sensitive business processes that allows for the separate specification of the workflow and of the associated security policy while retaining the ability to carry out a fully automatic analysis of the process. To illustrate the effectiveness of the approach we describe its application to a version of the Loan Origination Process featuring an RBAC access control policy extended with delegation.