
Log- and Model-Based Techniques for Security-Sensitive Tackling of Obstructed Workflow Executions

Transactions on Petri Nets and Other Models of Concurrency XII

Part of the book series: Lecture Notes in Computer Science ((TOPNOC,volume 10470))

Abstract

Imposing access control onto workflows considerably reduces the set of users authorized to execute the workflow tasks. Further constraints (e.g. Separation of Duties) as well as unexpected unavailability of users may finally obstruct the successful workflow execution. To still complete the execution of an obstructed workflow, we envisage a hybrid approach. We first flatten the workflow and its authorizations into a Petri net and analyse for the obstruction, or encode it, with a corresponding “obstruction marking”. If a log is provided, we partition its traces into “successful” or “obstructed” by replaying the log on the flattened net. An obstruction should then be solved by finding its nearest match from the list of successful traces. If no log is provided, the structural theory of Petri nets shall be used to provide a minimized Parikh vector that may violate given firing rules but reaches a complete marking and thereby completes the workflow.
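The log-based branch of the abstract, as an added sketch that is not code from the chapter or from SEPIA: a three-task workflow is flattened into one transition per (task, user), traces are replayed on it, and an obstructed case is matched to its nearest successful trace. The workflow, users, Separation of Duties pair, place names, status labels and the use of edit distance as the "nearest" measure are all assumptions made for illustration.

```python
from collections import Counter

# Constructed workflow: task -> (input place, output place, authorized users)
TASKS = {"request": ("start", "requested", ["alice", "bob"]),
         "approve": ("requested", "approved", ["bob", "carol"]),
         "pay":     ("approved", "end", ["bob", "carol"])}
SOD = {"approve", "pay"}   # assumed constraint: different users for these tasks
USERS = ["alice", "bob", "carol"]
# Constructed log of past executions (hypothetical sample data).
LOG = [["request:alice", "approve:carol", "pay:bob"],
       ["request:alice", "approve:bob", "pay:carol"],
       ["request:bob", "approve:carol"]]

# Flattening: one transition per (task, user); SoD and availability are places.
NET = {}
for task, (src, dst, users) in TASKS.items():
    for u in users:
        pre = [src, f"avail_{u}"] + ([f"sod_{u}"] if task in SOD else [])
        NET[f"{task}:{u}"] = (pre, [dst, f"avail_{u}"])

def enabled(m, t):
    return all(m[p] >= 1 for p in NET[t][0])

def replay(trace, absent=()):
    """Return 'successful', 'obstructed' (dead, end unmarked) or 'running'."""
    m = Counter({"start": 1})
    for u in USERS:
        m.update({f"sod_{u}": 1, f"avail_{u}": int(u not in absent)})
    for t in trace:
        if not enabled(m, t):
            raise ValueError(f"{t} not enabled: trace does not fit the net")
        m.subtract(NET[t][0])
        m.update(NET[t][1])
    if m["end"]:
        return "successful"
    return "running" if any(enabled(m, t) for t in NET) else "obstructed"

def edit_distance(a, b):
    d = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        prev, d[0] = d[0], i
        for j, y in enumerate(b, 1):
            prev, d[j] = d[j], min(d[j] + 1, d[j - 1] + 1, prev + (x != y))
    return d[-1]

def nearest_success(stuck, log):
    good = [t for t in log if replay(t) == "successful"]
    return min(good, key=lambda t: edit_distance(stuck, t))
```

With carol absent, the prefix `request:alice, approve:bob` ends in a dead marking because `pay:bob` is blocked by the SoD place and `pay:carol` by the availability place; the nearest successful trace then shows which step the case is missing.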


Notes

  1. \(m_{live}\) can be computed from \(m_{obs}\) and \(\varDelta\).

  2. https://github.com/iig-uni-freiburg/SEPIA/blob/ptcnet/res/pntd/ptcnet.pntd.

  3. We omit the cancellation transitions here for the sake of clarity.


Acknowledgments

This work has been partially supported by funds from the Spanish Ministry for Economy and Competitiveness (MINECO), the European Union (FEDER funds) under grant COMMAS (ref. TIN2013-46181-C2-1-R).


Correspondence to Julius Holderer or Josep Carmona.


Copyright information

© 2017 Springer-Verlag GmbH Germany

About this chapter

Cite this chapter

Holderer, J., Carmona, J., Taymouri, F., Müller, G. (2017). Log- and Model-Based Techniques for Security-Sensitive Tackling of Obstructed Workflow Executions. In: Koutny, M., Kleijn, J., Penczek, W. (eds) Transactions on Petri Nets and Other Models of Concurrency XII. Lecture Notes in Computer Science, vol 10470. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-55862-1_3


  • DOI: https://doi.org/10.1007/978-3-662-55862-1_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-55861-4

  • Online ISBN: 978-3-662-55862-1

  • eBook Packages: Computer Science (R0)
