67 research outputs found
An engineering process for security patterns application in component based models
Security engineering with patterns is currently a very active area of research. Security patterns - an adaptation of Design Patterns to security - capture experts' experience in order to solve recurrent security problems in a structured and reusable way. In this paper, our objective is to describe an engineering process, called SCRIP (SeCurity patteRn Integration Process), which provides guidelines for integrating security patterns into component-based models. SCRIP defines activities and products to integrate security patterns in the whole development process, from UML component modeling until aspect code generation. The definition of SCRIP has been made using the OMG standard Software and System Process Engineering Meta-model (SPEM). We are developing a CASE tool to support that process.
Business process specification, verification, and deployment in a mono-cloud, multi-edge context
© 2020, ComSIS Consortium. All rights reserved. Despite the prevalence of cloud and edge computing, ensuring the satisfaction of time-constrained business processes remains challenging. Indeed, some cloud/edge-based resources might not be available when needed, leading to delaying the execution of these processes’ tasks and/or the transfer of these processes’ data. This paper presents an approach for specifying, verifying, and deploying time-constrained business processes in a mono-cloud, multi-edge context. First, the specification and verification of processes happen at design-time and run-time to ensure that these processes’ tasks and data are continuously placed in a way that would mitigate the violation of time constraints. This mitigation might require moving tasks and/or data from one host to another to reduce time latency, for example. A host could be either a cloud, an edge, or any. Finally, the deployment of processes using a real case-study allowed to confirm the benefits of the early specification and verification of these processes in mitigating time constraints violations.
Formal specification and verification of cloud resource allocation using timed petri-nets
© Springer Nature Switzerland AG 2018. Context: Known for its resource elasticity and pay-per-use model, more and more organizations are adopting cloud computing to support the execution of their business processes. To support organizations meet their financial restrictions, cloud providers offer different time-based pricing strategies. Objective: The proposed approach aims at assisting business process designers identify necessary cloud resources with respect to temporal and financial restrictions on business processes. The former minimizes the search time for cloud resources while the latter minimizes the cost of leasing these resources. Method: The proposed approach considers 2 inputs, a time-constrained business process specification and a list of allocated cloud resources, and then confirms whether this process has the necessary cloud resources, satisfies the temporal and financial restrictions, and is deadlock-free. To this end, the specification is automatically translated into a Temporal Petri-Net. Results: The implementation on a real case study has shown that the proposed approach ensures a proper matching between process activities and cloud resources
A time interval-based approach for business process fragmentation over cloud and edge resources
This paper presents an approach for fragmenting business processes over 2 types of complementary platforms referred to as cloud resources and edge resources. Fragmentation caters to the separate needs and requirements of business processes’ owners. Indeed, some owners prioritize the security of their fragmented processes over availability while others prioritize the reliability of their fragmented processes over performance. Despite its benefits, fragmentation raises many concerns like how to reduce communication delays between disparate fragments and how to maintain acceptable loads over all the distributed resources. To identify the necessary cloud and edge resources that would accommodate fragmented business processes, the approach resorts to Allen’s time algebra allowing to simultaneously reason over both resources’ availability-time intervals and processes’ use-time intervals. This reasoning covers a good range of time relations like overlaps, during, and meets, is aware of resources’ properties like limited-but-extensible, and satisfies business processes’ requirements like data freshness. The fragmentation approach, in this paper, is illustrated with a banking case-study, validated through a system developed on top of Google Colaboratory, and evaluated through a set of real experiments
Optimal Cost for Time-Aware Cloud Resource Allocation in Business Process
Cloud Computing infrastructures are being increasingly used for running business process activities due to their high performance level and low operating cost. The enterprise QoS requirements are diverse and different resources are offered by Cloud providers in various QoS-based pricing strategies. Furthermore, business process activities are constrained by hard timing constraints and if they are not executed correctly the enterprise will pay penalty costs. Therefore, finding the optimal Cloud resources allocation for a business process becomes a highly challenging problem. While optimizing the Cloud resource allocation cost, it is important to respect activities’ QoS requirements and temporal constraints and Cloud pricing strategies constraints. The aim of the present paper is to offer a method that assists users in finding the optimal pricing strategy for Cloud resources used by business process activities. Basically, we use a binary/(0-1) linear program with an objective function under a set of constraints. In order to show its feasibility, our approach has been implemented and the results of our experiments highlight the effectiveness of our proposed solution.
Software agents meet internet of things
The last few years have seen a rapid democratization of things to the extent that they have become omnipresent in our surroundings and daily lives. Many buzzwords like smart cities, smart homes, and smart wrists exemplify thing democratization. Unfortunately, Internet of Things (IoT) adoption is slowing down due to first, the nature of things being usually “passive” and second, the multiplicity of things’ development tools and communication standards. Both are impacting the quality of IoT applications and undermining the capabilities that these applications could offer to users. In this position paper, we discuss the “agentification” of things, using norms and commitments, as a means to address their passive nature. At the conceptual level, norms ensure that things operate in accordance to users’ best interests. Also, at the operational level, commitments ensure that things will not deviate from the prescribed norms and hence, avoid violations that could lead to penalties. An architecture supporting thing agentification along with some ongoing efforts are discussed in this paper.
Toward a correct and optimal time-aware cloud resource allocation to business processes
© 2020 Elsevier B.V. Cloud is an increasingly popular computing paradigm that provides on-demand services to organizations for deploying their business processes over the Internet as it reduces their needs to plan ahead for provisioning resources. Cloud providers offer competitive pricing strategies (e.g., on-demand, reserved, and spot) specified based on temporal constraints to accommodate organizations’ changing and last-minute demands. Despite their varieties and benefits to optimize business process deployment cost, using those pricing strategies can lead to violating time constraints and exceeding budget constraints due to inappropriate decisions when allocating cloud resources to business processes. In this paper, we present an approach to guarantee a correct and optimal time-aware allocation of cloud resources to business processes. Correct because time constraints on these processes are not violated. And, optimal because the deployment cost of these processes is minimized. For this purpose, our approach uses timed automata to formally verify the matching between business processes’ temporal constraints and cloud resources’ time availabilities and linear programming to optimize deployment costs. Experiments demonstrate the technical doability of our proposed approach
Restriction-based fragmentation of business processes over the cloud
© 2019 John Wiley & Sons, Ltd. Despite the elasticity and pay-per-use benefits of cloud computing (aka fifth utility computing), organizations adopting clouds could be locked into single cloud providers, which is not always a “pleasant” experience when these providers stop operations. This is a serious concern for those organizations that would like to deploy (core) business processes on the cloud along with tapping into these two benefits. To address the lock-into concern, this paper proposes an approach for decomposing business processes into fragments that would run over multiple clouds and hence multiple providers. To develop fragments, the approach considers both restrictions over owners of business processes and potential competition among cloud providers. On the one hand, restrictions apply to each task in a business process and are specialized into budget to allocate, deadline to meet, and exclusivity to request. On the other hand, competition leads cloud providers to offer flexible pricing policies that would cater to the needs and requirements of each process owner. A policy handles certain clouds’ properties referred to as limitedness, non-renewability, and non-shareability that impact the availability of cloud resources and hence the whole fragmentation. For instance, a non-shareable resource could delay other processes should the current process not release this resource on time. During fragmentation, interactions between owners of processes and providers of clouds happen according to two strategies referred to as global and partial. The former collects offers about cloud resources from all providers, while the latter collects such details from particular providers. To evaluate these strategies’ pros and cons, a system implementing them, as well as demonstrating the technical feasibility of the fragmentation approach using a credit-application case study, is also presented in the paper. The system extends BPMN2-modeler Eclipse plugin and supports interactions of processes’ owners with clouds’ providers that result in identifying the necessary fragments with focus on cost optimization.
Model driven simulation of elastic OCCI cloud resources
Deploying a cloud configuration in a real cloud platform is mostly cost- and time-consuming, as a large number of cloud resources have to be rented for the time needed to run the configuration. Thereafter, cloud simulation tools are used as a cheap alternative to test Cloud configuration. However, most of the existing cloud simulation tools require extensive technical skills and do not support simulation of any kind of cloud resources. In this context, using a model-driven approach can be helpful as it allows developers to efficiently describe their needs at a high level of abstraction. To do so, we propose, in this article, a Model-Driven Engineering (MDE) approach based on the OCCI (Open Cloud Computing Interface) standard metamodel and CloudSim toolkit. We firstly extend the OCCI metamodel for supporting simulation of any kind of cloud resources. Afterward, to illustrate the extensibility of our approach, we enrich the proposed metamodel by new simulation capabilities. As proof of concept, we study the elasticity and pricing strategies of Amazon Web Services (AWS). This article benefits from OCCIware Studio to design an OCCI simulation extension and to provide a simulation designer for designing cloud configurations to be simulated. We detail the approach process from defining an OCCI simulation extension until the generation and the simulation of the OCCI cloud configurations. Finally, we validate the proposed approach by providing a realistic experimentation to study its usability, the resources coverage rate and the cost. The results are compared with the ones computed from AWS.
Specifying and Monitoring Non-functional Properties
This thesis focuses on the implementation and the control of non-functional safety properties during system execution. More concretely, it describes the development process of such properties, starting with the formal specification, the verification, and the runtime enforcement of the specified properties to avoid any undesired behavior.
This thesis starts by studying and classifying the approaches on the specification and runtime verification of non-functional safety properties. When examining these approaches, the following observations are made. First, the non-functional properties are generally ignored in the early phases of the software development process. They are often addressed after the functional part is implemented, which has negative effects on the quality of the code. The approaches that use UML for modeling these properties cannot verify the absence of contradictions between the specified properties. In addition, UML lacks means to express various types of non-functional properties, such as temporal properties. Second, runtime verification approaches monitor the execution of the application at runtime and detect violations of the specified properties. However, just detecting the violation is not sufficient for critical applications. These approaches should enforce these properties and avoid the misbehavior of the system by skipping the execution of undesired events. Third, in current approaches the code for enforcing non-functional properties is mostly not encapsulated in separated modules. The implementation cuts across the functional application code. This lack of modularity leads to serious problems related to the quality of code and the possibility of changing those properties.
The thesis shows a generic and holistic approach, called Seven-pro that combines formal methods and aspect-oriented programming for specifying and runtime enforcing non-functional safety properties. Seven-pro covers the whole development process of non-functional properties and avoids the gap between the specification and the implementation by automatically generating aspects from a high-level specification. The generated aspects will be integrated, in a modular way, in the functional application code for enforcing the formally specified properties at runtime.
In addition, this thesis shows how Seven-pro covers different types of non-functional properties in distributed applications. This approach is applied to structural, qualitative and quantitative behavioral non-functional properties. This thesis presents three applications for the supported types of properties.
In the context of structural properties, Seven-pro is applied for specifying and enforcing architectural properties of distributed object-oriented applications that are characterized by dynamic software architectures. Seven-pro uses a combination of Z notation and Petri nets to specify (a) the architectural styles with their architectural invariants, (b) the reconfiguration operations with their pre- and post-conditions, and (c) the coordination protocols describing the execution order of the reconfiguration operations. A verification step is performed to verify the consistency of the specification and the preservation of the architectural style after a reconfiguration of the architecture. After that, the Z and Petri nets specifications are automatically translated to AspectJ aspects to verify – before each reconfiguration operation – that all related architectural properties are satisfied.
In the context of qualitative behavioral properties, Seven-pro is applied for specifying and enforcing static and dynamic separation of duties and different types and characteristics of delegation policies on top of role-based access control. In the specification phase, TemporalZ, a combination of Z notation and linear temporal logic, is used for formally specifying the supported policies. In the verification phase, the absence of contradictions between the specified policies is verified. In the implementation phase, the aspect language Alpha is extended with a new library for supporting the specified properties. In addition, TemporalZ specifications are automatically translated to Alpha aspects to control the access permissions according to the specified policies.
In the context of quantitative behavioral properties, Seven-pro is applied for specifying and enforcing temporal properties in Web service compositions. To support both relative and absolute timed properties, a new formal language called XTUS-Automata is proposed which extends timed automata with the constructs of the XTUS language. After formally verifying the absence of deadlocks in timed automata specifications and verifying other properties related to the XTUS language, the XTUS-Automata specifications are automatically translated to AO4BPEL aspects