    Modelling and verifying dynamic access control policies in workflow-based healthcare systems

    An access control system is an important component for protecting patients' information from abuse in a healthcare system. It is a major concern in the management, design, and development of healthcare systems. Designing access control policies for healthcare systems is complicated by the dynamic nature and inherent complexity of the tasks performed by healthcare personnel. Permissions in access control systems are usually granted on the basis of static policies. However, static policies are not enough to cope with various situations such as emergencies. Most often, a break-the-glass mechanism is used to bypass static policies in order to handle emergency situations. Since healthcare systems are critical systems, where errors can be very costly in terms of lives, quality of life, and/or dollars, it is crucial to identify discrepancies between policy specifications and their intended function in order to correctly implement a flexible access control system. Formal verification is necessary for exhaustive verification and validation of policy specifications, to ensure that the policy specifications truly encapsulate the desires of the policy authors. We present a verifiable framework to enact a dynamic access control model by integrating the ANSI/INCITS RBAC Reference Model into a workflow, together with an approach for property verification of the access control model. Access control policies are expressed in the formal semantics of a model checker, and properties are verified by the DiVinE model checker.

    Algorithms for the workflow satisfiability problem engineered for counting constraints

    The workflow satisfiability problem (WSP) asks whether there exists an assignment of authorized users to the steps in a workflow specification that satisfies the constraints in the specification. The problem is NP-hard in general, but several subclasses of the problem are known to be fixed-parameter tractable (FPT) when parameterized by the number of steps in the specification. In this paper, we consider the WSP with user-independent counting constraints, a large class of constraints for which the WSP is known to be FPT. We describe an efficient implementation of an FPT algorithm for solving this subclass of the WSP and an experimental evaluation of this algorithm. The algorithm iteratively generates all equivalence classes of possible partial solutions until, whenever possible, it finds a complete solution to the problem. We also provide a reduction from a WSP instance to a pseudo-Boolean SAT instance. We apply this reduction to the instances used in our experiments and solve the resulting PB SAT problems using SAT4J, a PB SAT solver. We compare the performance of our algorithm with that of SAT4J and discuss which of the two approaches would be more effective in practice.

    Attribute-based security verification of business process models

    A model-checking approach to analysing organisational controls in a loan origination process

    Demonstrating the safety of a system (i.e. avoiding the undesired propagation of access rights or indirect access through some other granted resource) is one of the goals of access control research, e.g. [1-4]. However, the flexibility required from enterprise resource management (ERP) systems may require the implementation of seemingly contradictory requirements (e.g. tight access control but at the same time support for discretionary delegation of workflow tasks and rights). To aid in the analysis of safety problems in workflow-based ERP systems, this paper presents a model-checking-based approach for the automated analysis of delegation and revocation functionalities. This is done in the context of a real-world banking workflow requiring static and dynamic separation-of-duty properties. We derived information about the workflow from BPEL specifications and ERP business object repositories. This was captured in an SMV specification together with a definition of possible delegation and revocation scenarios. The required separation properties were translated into a set of LTL-based constraints. In particular, we analyse the interaction between delegation and revocation activities in the context of dynamic separation-of-duty policies.

    Analyzing and Managing Role-Based Access Control Policies

    Consistency and data protection in collaborative systems using formal methods

    Complex software and Web content development nowadays involve multiple developers located in different areas and working together on the same project using collaborative editing systems, in order to achieve efficiency, improve productivity and reduce development time and cost. One of the key challenges in such a development environment is ensuring the convergence and the reliability of the shared data or content. In the literature, many approaches have been proposed to face this challenge; among them are the multi-version (MV), commutative replicated data type (CRDT) and operational transformation (OT) approaches. The first approach is based on the "copy, modify and merge" principle and uses a central server to merge the updates from the different sites participating in the collaboration. The local updates of a specific site are merged into the central copy only on the user's demand. The key drawback of this approach is the storage cost of the various versions on the server and the overhead due to the generation of timestamps for ordering the operations during the merge, which makes this approach difficult to use in the context of a distributed collaborative environment. The second approach assumes that all the operations are commutative, so that they can be executed in any order. The third approach is based on transforming the operations received from remote sites against their concurrent operations before they are merged. In this approach, an inclusive transformation (IT) algorithm is used in order to ensure the convergence of the copies; unfortunately, most of the algorithms proposed in the literature do not satisfy the convergence criteria. Besides convergence, the reliability of the data remains another challenge in collaborative systems. To face this challenge, many programs encapsulate, in their source code, crosscutting concerns such as security in order to meet data confidentiality and integrity requirements. In the literature, aspect-oriented programming (AOP) is one of the approaches used to improve the modularity, maintainability and reuse of software components. One difficulty of this programming paradigm is the assurance that a given property, such as a security property, remains satisfied after weaving the base program with all the aspects encapsulating the crosscutting concerns. This calls for automated techniques to verify such security properties once weaving has been done. Concerning data reliability, access control plays a major role. Thus, for multimedia content published on the Web, collaboration is needed to produce it, but one of the major challenges is to make it reliable.

    Security policy enforcement in application environments using distributed script-based control structures

    Business processes involving several partners in different organisations impose demanding requirements on procedures for specification, execution and maintenance. A framework referred to as business process management (BPM) has evolved for this purpose over the last ten years. Other approaches, such as service-oriented architecture (SOA) or the concept of virtual organisations (VOs), assist in the definition of architectures and procedures for modelling and execution of so-called collaborative business processes (CBPs). Methods for the specification of business processes play a central role in this context, and several standards have emerged for this purpose. Among these, Web Services Business Process Execution Language (WS-BPEL, usually abbreviated BPEL) has evolved to become the de facto standard for business process definition. As such, this language has been selected as the foundation for the research in this thesis. Having a broadly accepted standard would in principle allow the specification of business processes in a platform-independent manner, including the capability to specify them at one location and have them executed at others (possibly spread across different organisations). Though technically feasible, this approach has significant security implications, particularly on the side that is to execute a process. The research project focused on these security issues arising when business processes are specified and executed in a distributed manner. The central goal has been the development of methods to cope with the security issues arising when BPEL as a standard is deployed in such a way, exploiting the platform independence that a standard is meant to provide. The research devised novel methods for specifying security policies in such a manner that the assessment of compliance with these policies is greatly facilitated and becomes suited to being performed automatically. An analysis of the security-relevant semantics of BPEL as a specification language was conducted that resulted in the identification of so-called security-relevant semantic patterns. Based on these results, methods to specify security-policy-implied restrictions in terms of such semantic patterns, and to assess the compliance of BPEL scripts with these policies, have been developed. These methods are particularly suited for the assessment of remotely defined BPEL scripts, since they allow for pre-execution enforcement of local security policies, thereby mitigating or even removing the security implications involved in the distributed definition and execution of business processes. As initially envisaged, these methods are comparatively easy to apply, as they are based on technologies customary for practitioners in this field. The viability of the methods proposed for automatic compliance assessment has been proven via a prototypical implementation of the essential functionality required for a proof of concept.
    Darmstadt Node of the NRG Network at University of Applied Sciences Darmstadt

    Robust and context-aware execution of mobile activities in process environments

    IT trend analysts regard "mobility" as an important pillar of sustainable IT solutions. The trend towards mobile IT applications is driven largely by millennials, i.e. people who grew up in the digital age. In particular, they expect smart mobile devices to be integrated into existing IT solutions. With respect to process management technology, this trend means that it must be possible to integrate smart mobile devices seamlessly into IT-supported work and process flows. In particular, both individual activities (i.e. process steps) and entire process fragments (i.e. excerpts of a process) should be executable on smart mobile devices. This thesis addresses such an integration of process management technology and smart mobile devices. Specifically, it investigates how selected activities of a process can be executed robustly and in a context-aware manner on smart mobile devices, and which additional requirements arise for activities executed on mobile devices compared with activities executed on stationary systems. Since smart mobile devices have limited resources and the risk of failure is higher than for stationary systems, these aspects require deeper investigation. Furthermore, supporting mobile activities requires a technical environment in which processes are executed (a so-called process environment). The thesis shows that the seamless integration of smart mobile devices into a process environment requires a mobile context (i.e. attributes such as execution location, device properties and network connection). On this basis, a comprehensive framework is introduced with which mobile activities can be executed robustly and in a context-aware manner in a process environment. The framework rests on five technical pillars whose concepts realise robust and context-aware execution. Furthermore, it is shown how the proposed solution can be integrated into existing process management technology. Overall, the robust and context-aware execution of mobile activities in a process environment opens up new perspectives for involving end users in their processes.