477 research outputs found
On the Parameterized Complexity and Kernelization of the Workflow Satisfiability Problem
A workflow specification defines a set of steps and the order in which those
steps must be executed. Security requirements may impose constraints on which
groups of users are permitted to perform subsets of those steps. A workflow
specification is said to be satisfiable if there exists an assignment of users
to workflow steps that satisfies all the constraints. An algorithm for
determining whether such an assignment exists is important, both as a static
analysis tool for workflow specifications, and for the construction of run-time
reference monitors for workflow management systems. Finding such an assignment
is a hard problem in general, but work by Wang and Li in 2010 using the theory
of parameterized complexity suggests that efficient algorithms exist under
reasonable assumptions about workflow specifications. In this paper, we improve
the complexity bounds for the workflow satisfiability problem. We also
generalize and extend the types of constraints that may be defined in a
workflow specification and prove that the satisfiability problem remains
fixed-parameter tractable for such constraints. Finally, we consider
preprocessing for the problem and prove that in an important special case, in
polynomial time, we can reduce the given input into an equivalent one, where
the number of users is at most the number of steps. We also show that no such
reduction exists for two natural extensions of this case, which bounds the
number of users by a polynomial in the number of steps, provided a
widely-accepted complexity-theoretical assumption holds
Constraint Expressions and Workflow Satisfiability
A workflow specification defines a set of steps and the order in which those
steps must be executed. Security requirements and business rules may impose
constraints on which users are permitted to perform those steps. A workflow
specification is said to be satisfiable if there exists an assignment of
authorized users to workflow steps that satisfies all the constraints. An
algorithm for determining whether such an assignment exists is important, both
as a static analysis tool for workflow specifications, and for the construction
of run-time reference monitors for workflow management systems. We develop new
methods for determining workflow satisfiability based on the concept of
constraint expressions, which were introduced recently by Khan and Fong. These
methods are surprising versatile, enabling us to develop algorithms for, and
determine the complexity of, a number of different problems related to workflow
satisfiability.Comment: arXiv admin note: text overlap with arXiv:1205.0852; to appear in
Proceedings of SACMAT 201
Algorithms for the workflow satisfiability problem engineered for counting constraints
The workflow satisfiability problem (WSP) asks whether there exists an
assignment of authorized users to the steps in a workflow specification that
satisfies the constraints in the specification. The problem is NP-hard in
general, but several subclasses of the problem are known to be fixed-parameter
tractable (FPT) when parameterized by the number of steps in the specification.
In this paper, we consider the WSP with user-independent counting constraints,
a large class of constraints for which the WSP is known to be FPT. We describe
an efficient implementation of an FPT algorithm for solving this subclass of
the WSP and an experimental evaluation of this algorithm. The algorithm
iteratively generates all equivalence classes of possible partial solutions
until, whenever possible, it finds a complete solution to the problem. We also
provide a reduction from a WSP instance to a pseudo-Boolean SAT instance. We
apply this reduction to the instances used in our experiments and solve the
resulting PB SAT problems using SAT4J, a PB SAT solver. We compare the
performance of our algorithm with that of SAT4J and discuss which of the two
approaches would be more effective in practice
Resiliency Policies in Access Control Revisited
International audienceResiliency is a relatively new topic in the context of access control. Informally, it refers to the extent to which a multi-user computer system, subject to an authorization policy, is able to continue functioning if a number of authorized users are unavailable. Several interesting problems connected to resiliency were introduced by Li, Wang and Tripunitara [13], many of which were found to be intractable. In this paper, we show that these resiliency problems have unexpected connections with the workflow satisfiability problem (WSP). In particular, we show that an instance of the resiliency checking problem (RCP) may be reduced to an instance of WSP. We then demonstrate that recent advances in our understanding of WSP enable us to develop fixed-parameter tractable algorithms for RCP. Moreover, these algorithms are likely to be useful in practice, given recent experimental work demonstrating the advantages of bespoke algorithms to solve WSP. We also generalize RCP in several different ways, showing in each case how to adapt the reduction to WSP. Li et al also showed that the coexistence of resiliency policies and static separation-of-duty policies gives rise to further interesting questions. We show how our reduction of RCP to WSP may be extended to solve these problems as well and establish that they are also fixed-parameter tractable
Tight lower bounds for the Workflow Satisfiability Problem based on the Strong Exponential Time Hypothesis
The Workflow Satisfiability Problem (WSP) asks whether there exists an
assignment of authorized users to the steps in a workflow specification,
subject to certain constraints on the assignment. The problem is NP-hard even
when restricted to just not equals constraints. Since the number of steps
is relatively small in practice, Wang and Li (2010) introduced a
parametrisation of WSP by . Wang and Li (2010) showed that, in general, the
WSP is W[1]-hard, i.e., it is unlikely that there exists a fixed-parameter
tractable (FPT) algorithm for solving the WSP. Crampton et al. (2013) and Cohen
et al. (2014) designed FPT algorithms of running time and
for the WSP with so-called regular and user-independent
constraints, respectively. In this note, we show that there are no algorithms
of running time and for the two
restrictions of WSP, respectively, with any , unless the Strong
Exponential Time Hypothesis fails
- …