958 research outputs found
Constraint Expressions and Workflow Satisfiability
A workflow specification defines a set of steps and the order in which those
steps must be executed. Security requirements and business rules may impose
constraints on which users are permitted to perform those steps. A workflow
specification is said to be satisfiable if there exists an assignment of
authorized users to workflow steps that satisfies all the constraints. An
algorithm for determining whether such an assignment exists is important, both
as a static analysis tool for workflow specifications, and for the construction
of run-time reference monitors for workflow management systems. We develop new
methods for determining workflow satisfiability based on the concept of
constraint expressions, which were introduced recently by Khan and Fong. These
methods are surprising versatile, enabling us to develop algorithms for, and
determine the complexity of, a number of different problems related to workflow
satisfiability.Comment: arXiv admin note: text overlap with arXiv:1205.0852; to appear in
Proceedings of SACMAT 201
Relational Constraint Driven Test Case Synthesis for Web Applications
This paper proposes a relational constraint driven technique that synthesizes
test cases automatically for web applications. Using a static analysis,
servlets can be modeled as relational transducers, which manipulate backend
databases. We present a synthesis algorithm that generates a sequence of HTTP
requests for simulating a user session. The algorithm relies on backward
symbolic image computation for reaching a certain database state, given a code
coverage objective. With a slight adaptation, the technique can be used for
discovering workflow attacks on web applications.Comment: In Proceedings TAV-WEB 2010, arXiv:1009.330
Algorithms for the workflow satisfiability problem engineered for counting constraints
The workflow satisfiability problem (WSP) asks whether there exists an
assignment of authorized users to the steps in a workflow specification that
satisfies the constraints in the specification. The problem is NP-hard in
general, but several subclasses of the problem are known to be fixed-parameter
tractable (FPT) when parameterized by the number of steps in the specification.
In this paper, we consider the WSP with user-independent counting constraints,
a large class of constraints for which the WSP is known to be FPT. We describe
an efficient implementation of an FPT algorithm for solving this subclass of
the WSP and an experimental evaluation of this algorithm. The algorithm
iteratively generates all equivalence classes of possible partial solutions
until, whenever possible, it finds a complete solution to the problem. We also
provide a reduction from a WSP instance to a pseudo-Boolean SAT instance. We
apply this reduction to the instances used in our experiments and solve the
resulting PB SAT problems using SAT4J, a PB SAT solver. We compare the
performance of our algorithm with that of SAT4J and discuss which of the two
approaches would be more effective in practice
A Declarative Framework for Specifying and Enforcing Purpose-aware Policies
Purpose is crucial for privacy protection as it makes users confident that
their personal data are processed as intended. Available proposals for the
specification and enforcement of purpose-aware policies are unsatisfactory for
their ambiguous semantics of purposes and/or lack of support to the run-time
enforcement of policies.
In this paper, we propose a declarative framework based on a first-order
temporal logic that allows us to give a precise semantics to purpose-aware
policies and to reuse algorithms for the design of a run-time monitor enforcing
purpose-aware policies. We also show the complexity of the generation and use
of the monitor which, to the best of our knowledge, is the first such a result
in literature on purpose-aware policies.Comment: Extended version of the paper accepted at the 11th International
Workshop on Security and Trust Management (STM 2015
Verifying the Interplay of Authorization Policies and Workflow in Service-Oriented Architectures (Full version)
A widespread design approach in distributed applications based on the
service-oriented paradigm, such as web-services, consists of clearly separating
the enforcement of authorization policies and the workflow of the applications,
so that the interplay between the policy level and the workflow level is
abstracted away. While such an approach is attractive because it is quite
simple and permits one to reason about crucial properties of the policies under
consideration, it does not provide the right level of abstraction to specify
and reason about the way the workflow may interfere with the policies, and vice
versa. For example, the creation of a certificate as a side effect of a
workflow operation may enable a policy rule to fire and grant access to a
certain resource; without executing the operation, the policy rule should
remain inactive. Similarly, policy queries may be used as guards for workflow
transitions.
In this paper, we present a two-level formal verification framework to
overcome these problems and formally reason about the interplay of
authorization policies and workflow in service-oriented architectures. This
allows us to define and investigate some verification problems for SO
applications and give sufficient conditions for their decidability.Comment: 16 pages, 4 figures, full version of paper at Symposium on Secure
Computing (SecureCom09
LTLf and LDLf Monitoring: A Technical Report
Runtime monitoring is one of the central tasks to provide operational
decision support to running business processes, and check on-the-fly whether
they comply with constraints and rules. We study runtime monitoring of
properties expressed in LTL on finite traces (LTLf) and in its extension LDLf.
LDLf is a powerful logic that captures all monadic second order logic on finite
traces, which is obtained by combining regular expressions and LTLf, adopting
the syntax of propositional dynamic logic (PDL). Interestingly, in spite of its
greater expressivity, LDLf has exactly the same computational complexity of
LTLf. We show that LDLf is able to capture, in the logic itself, not only the
constraints to be monitored, but also the de-facto standard RV-LTL monitors.
This makes it possible to declaratively capture monitoring metaconstraints, and
check them by relying on usual logical services instead of ad-hoc algorithms.
This, in turn, enables to flexibly monitor constraints depending on the
monitoring state of other constraints, e.g., "compensation" constraints that
are only checked when others are detected to be violated. In addition, we
devise a direct translation of LDLf formulas into nondeterministic automata,
avoiding to detour to Buechi automata or alternating automata, and we use it to
implement a monitoring plug-in for the PROM suite
- …