Skip to main content
SpringerLink
Log in
Book cover

International Workshop on Security and Trust Management

STM 2010: Security and Trust Management pp 194–209Cite as

InDico: Information Flow Analysis of Business Processes for Confidentiality Requirements

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6710))

Abstract

This paper presents InDico, an approach for the automated analysis of business processes against confidentiality requirements. InDico is motivated by the fact that in spite of the correct deployment of access control mechanisms, information leaks in automated business processes can persist due to erroneous process design. InDico employs a meta-model based on Petri nets to formalize and analyze business processes, thereby enabling the identification of leaks caused by a flawed process design.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   54.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   69.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Accorsi, R., Wonnemann, C.: Auditing workflow executions against dataflow policies. In: Abramowicz, W., Tolksdorf, R. (eds.) BIS 2010. LNBIP, vol. 47, pp. 207–217. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  2. Accorsi, R., Wonnemann, C.: Strong non-leak guarantees for workflow models. In: ACM Symposium on Applied Computing, pp. 308–314. ACM, New York (2011)

    Google Scholar 

  3. Adam, N., Atluri, V., Huang, W.: Modeling and analysis of workflows using Petri nets. Journal of Intelligent Information Systems 10(2), 131–158 (1998)

    Article  Google Scholar 

  4. Allman, E.: Complying with compliance. ACM Queue 4(7), 19–21 (2006)

    Article  Google Scholar 

  5. Atluri, V., Chung, S., Mazzoleni, P.: A Chinese Wall security model for decentralized workflow systems. In: ACM Conference on Computer and Communications Security, pp. 48–57. ACM, New York (2001)

    Google Scholar 

  6. Atluri, V., Huang, W.: An authorization model for workflows. In: Bertino, E., Kurth, H., Martella, G., Montolivo, E. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 44–64. Springer, Heidelberg (1996)

    Chapter  Google Scholar 

  7. Atluri, V., Huang, W.: An extended Petri net model for supporting workflows in a multilevel secure environment. In: IFIP Conference Proceedings of Database Security, vol. 79, pp. 240–258. Chapman & Hall, Boca Raton (1996)

    Google Scholar 

  8. Barletta, M., Ranise, S., Viganò, L.: Verifying the interplay of authorization policies and workflow in service-oriented architectures. In: Conference on Computational Science, vol. 3, pp. 289–296. IEEE, Los Alamitos (2009)

    Google Scholar 

  9. Breaux, T., Antón, A.: Analyzing regulatory rules for privacy and security requirements. IEEE Transactions on Software Engineering 34(1), 5–20 (2008)

    Article  Google Scholar 

  10. Brewer, D., Nash, M.: The Chinese-wall security policy. In: IEEE Symposium on Security and Privacy, pp. 206–214. IEEE, Los Alamitos (1989)

    Google Scholar 

  11. Busi, N., Gorrieri, R.: Structural non-interference in elementary and trace nets. Mathematical Structures in Computer Science 19(6), 1065–1090 (2009)

    Article  MathSciNet  MATH  Google Scholar 

  12. Bussmann, K.D., Krieg, O., Nestler, C., Salvenmoser, S., Schroth, A., Theile, A., Trunk, D.: Wirtschaftskriminalität 2009 – Sicherheitslage in deutschen Großunternehmen. In: Martin-Luther-Universität Halle-Wittenberg and PwC AG (2009)

    Google Scholar 

  13. Focardi, R., Gorrieri, R.: A taxonomy of security properties for process algebras. Journal of Computer Security 3(1), 5–34 (1995)

    Article  Google Scholar 

  14. Frau, S., Gorrieri, R., Ferigato, C.: Petri net security checker: Structural non-interference at work. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 210–225. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  15. Hammer, M.: The process audit. Harvard Business Review 85(4), 119–142 (2007)

    MathSciNet  Google Scholar 

  16. Jensen, K.: Coloured Petri nets: A high level language for system design and analysis. In: Rozenberg, G. (ed.) APN 1990. LNCS, vol. 483, pp. 342–416. Springer, Heidelberg (1991)

    Chapter  Google Scholar 

  17. Knorr, K.: Multilevel security and information flow in Petri net workflows. In: Conference on Telecommunication Systems (2001)

    Google Scholar 

  18. Lampson, B.: A note on the confinement problem. Communications of the ACM 16(10), 613–615 (1973)

    Article  Google Scholar 

  19. Lohmann, N.: A feature-complete petri net semantics for WS-BPEL 2.0. In: Dumas, M., Heckel, R. (eds.) WS-FM 2007. LNCS, vol. 4937, pp. 77–91. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  20. Lohmann, N., Verbeek, E., Dijkman, R.: Petri net transformations for business processes – A survey. In: Jensen, K., van der Aalst, W.M.P. (eds.) Transactions on Petri Nets and Other Models of Concurrency II. LNCS, vol. 5460, pp. 46–63. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  21. Lowis, L., Accorsi, R.: Vulnerability analysis in SOA-based business processes. IEEE Transactions on Services Computing (to appear 2010)

    Google Scholar 

  22. Müller, G., Accorsi, R., Höhn, S., Sackmann, S.: Sichere Nutzungskontrolle für mehr Transparenz in Finanzmärkten. Informatik Spektrum 33(1), 3–13 (2010)

    Article  Google Scholar 

  23. Namiri, K., Stojanovic, N.: Using control patterns in business processes compliance. In: Weske, M., Hacid, M.-S., Godart, C. (eds.) WISE Workshops 2007. LNCS, vol. 4832, pp. 178–190. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  24. Ouyang, C., Verbeek, E., van der Aalst, W.M., Breutel, S., Dumas, M., ter Hofstede, A.H.: WofBPEL: A tool for automated analysis of BPEL processes. In: Benatallah, B., Casati, F., Traverso, P. (eds.) ICSOC 2005. LNCS, vol. 3826, pp. 484–489. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  25. Pesic, M., van der Aalst, W.M.P.: Modelling work distribution mechanisms using colored Petri nets. International Journal on Software Tools for Technology Transfer 9(3-4), 327–352 (2007)

    Article  Google Scholar 

  26. Ryan, P., McLean, J., Millen, J., Gligor, V.: Non-interference: Who needs it? In: IEEE Computer Security Foundations Workshop, pp. 237–238. IEEE, Los Alamitos (2001)

    Google Scholar 

  27. Sabelfeld, A., Sands, D.: Dimensions and principles of declassification. In: IEEE Computer Security Foundations Workshop, pp. 255–269. IEEE, Los Alamitos (2005)

    Google Scholar 

  28. Sun, S., Zhao, L., Nunamaker, J., Sheng, O.L.: Formulating the data-flow perspective for business process management. Information Systems Research 17(4), 374–391 (2006)

    Article  Google Scholar 

  29. Trčka, N., van der Aalst, W., Sidorova, N.: Data-flow anti-patterns: Discovering data-flow errors in workflows. In: van Eck, P., Gordijn, J., Wieringa, R. (eds.) CAiSE 2009. LNCS, vol. 5565, pp. 425–439. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  30. Wang, Q., Li, N.: Satisfiability and resiliency in workflow systems. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 90–105. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  31. Wolf, C., Harmon, P.: The state of business process management. BPTrends Report (2010), http://www.bptrends.com/

  32. Yang, P., Lu, S., Gofman, M., Yang, Z.: Information flow analysis of scientific workflows. Journal of Computer and System Sciences 76, 390–402 (2009)

    Article  MathSciNet  MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Telematics, University of Freiburg, Germany

    Rafael Accorsi & Claus Wonnemann

Authors
  1. Rafael Accorsi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Claus Wonnemann
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Siemens AG - Corporate Technology, Otto-Hahn-Ring 6, 81730, München, Germany

    Jorge Cuellar

  2. Computer Science Department, E.T.S. Ingenieria Informatica, University of Malaga, Campus de Teatinos, 29170, Malaga, Spain

    Javier Lopez

  3. Facultad de Informatica (UPM), Fundación IMDEA Software, Campus Montegancedo, 28660 Boadilla del Monte, Madrid, Spain

    Gilles Barthe

  4. Certifiable Trustworthy IT Systems, Karlsruhe Institute of Technology (KIT), Am Fasanengarten 5, 76131, Karlsruhe, Germany

    Alexander Pretschner

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Accorsi, R., Wonnemann, C. (2011). InDico: Information Flow Analysis of Business Processes for Confidentiality Requirements. In: Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds) Security and Trust Management. STM 2010. Lecture Notes in Computer Science, vol 6710. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22444-7_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-22444-7_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-22443-0

  • Online ISBN: 978-3-642-22444-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation