Possibilistic Information Flow Control for Workflow Management Systems

In workflows and business processes, there are often security requirements on both the data, i.e. confidentiality and integrity, and the process, e.g. separation of duty. Graphical notations exist for specifying both workflows and associated security requirements. We present an approach for formally verifying that a workflow satisfies such security requirements. For this purpose, we define the semantics of a workflow as a state-event system and formalise security properties in a trace-based way, i.e. on an abstract level without depending on details of enforcement mechanisms such as Role-Based Access Control (RBAC). This formal model then allows us to build upon well-known verification techniques for information flow control. We describe how a compositional verification methodology for possibilistic information flow can be adapted to verify that a specification of a distributed workflow management system satisfies security requirements on both data and processes.Comment: In Proceedings GraMSec 2014, arXiv:1404.163

Parameterized abstractions used for proof-planning

In order to cope with large case studies arising from the application of formal methods in an industrial setting, this paper presents new techniques to support hierarchical proof planning. Following the paradigm of difference reduction, proofs are obtained by removing syntactical differences between parts of the formula to be proven step by step. To guide this manipulation we introduce dynamic abstractions of terms. These abstractions are parameterized by the individual goals of the manipulation and are especially designed to ease the proof search based on heuristics. The hierarchical approach and thus the decomposition of the original goal into several subgoals enables the use of different abstractions or different parameters of an abstraction within the proof search. In this paper we will present one of these dynamic abstractions together with heuristics to guide the proof search in the abstract space

Using rippling to prove the termination of algorithms

When proving theorems by explicit induction the used induction orderings are synthesized from the recursion orderings underlying the definition principles for functions and predicates. In order to guarantee the soundness of a generated induction scheme the well-foundedness of the used recursion orderings has to be proved. In this paper we present a method to synthesize appropriate measure functions in order to prove the termination of algorithms. We use Walthers\u27 estimation-calculus as a "black-box procedure\u27; in these explicit proofs. Thus, we inherit both, the flexibility of an explicit representation of the termination proof as well as the in-built knowledge concerning the count ordering

Proceedings of the 2nd International Workshop on Security in Mobile Multiagent Systems

This report contains the Proceedings of the Second Workshop on Security on Security of Mobile Multiagent Systems (SEMAS2002). The Workshop was held in Montreal, Canada as a satellite event to the 5th International Conference on Autonomous Agents in 2001. The far reaching influence of the Internet has resulted in an increased interest in agent technologies, which are poised to play a key role in the implementation of successful Internet and WWW-based applications in the future. While there is still considerable hype concerning agent technologies, there is also an increasing awareness of the problems involved. In particular, that these applications will not be successful unless security issues can be adequately handled. Although there is a large body of work on cryptographic techniques that provide basic building-blocks to solve specific security problems, relatively little work has been done in investigating security in the multiagent system context. Related problems are secure communication between agents, implementation of trust models/authentication procedures or even reflections of agents on security mechanisms. The introduction of mobile software agents significantly increases the risks involved in Internet and WWW-based applications. For example, if we allow agents to enter our hosts or private networks, we must offer the agents a platform so that they can execute correctly but at the same time ensure that they will not have deleterious effects on our hosts or any other agents / processes in our network. If we send out mobile agents, we should also be able to provide guarantees about specific aspects of their behaviour, i.e., we are not only interested in whether the agents carry out-out their intended task correctly. They must defend themselves against attacks initiated by other agents, and survive in potentially malicious environments. Agent technologies can also be used to support network security. For example in the context of intrusion detection, intelligent guardian agents may be used to analyse the behaviour of agents on a firewall or intelligent monitoring agents can be used to analyse the behaviour of agents migrating through a network. Part of the inspiration for such multi-agent systems comes from primitive animal behaviour, such as that of guardian ants protecting their hill or from biological immune systems

Preface Volume 63

AbstractThis volume contains the Proceedings of the First Workshop on Security of Mobile Multiagent Systems (SEMAS'2001). The Workshop was held in Montreal, Canada on May 29, 2001, as satellite event to the 5th International Conference on Autonomous Agents 2001The far reaching influence of the Internet has resulted in an increased interest in agent technologies, which are poised to play a key role in the implementation of successful Internet and WWW-based applications in the future. While there is still considerable hype concerning agent technologies, there is also an increasing awareness of the problems involved. Although there is a large body of work on cryptographic techniques that provide basic building-blocks to solve specific security problems, relatively little work has been done in investigating security in the multiagent system context. The introduction of mobile software agents significantly increases the risks involved in Internet and WWW-based applications. The aim of this workshop was to bring together people from the two relevant research fields, software security and agent-oriented programming. This volume covers actual research papers on security protocols and security policies to enforce security of mobile or multiagent systems but also introduces ideas how to use mobile agents to ensure security of a distributed system.The papers in this volume were reviewed by the program committee consisting, besides editor, of Sahin Albayrak(Technical University Berlin)David Basin(Department of Computer Science, University of Freiburg)Ciaran Bryce(University of Geneve)Hans-Juergen Buerckert(German Research Center for Artificial Intelligence, DFKI)Guenther Karjoth(IBM Research Zuerich)Luc Moreau(Department of Computer Science, University of Southhampton)Volker Roth(Fraunhofer Gesellschaft IGD, Darmstadt)Helmut Schwigon(Bundesamt fuer Sicherheit in der Informationstechnik, BonnVipin Swarup(The MITRE Corp., Boston)Christian Tschudin(Uppsala University)Jan Vitek(Purdue University)This volume will be published as volume 63 in the series Electronic Notes in Theoretical Computer Science (ENTCS). This series is published electronically through the facilities of Elsevier Science B.V. and its auspices. The volumes in the ENTCS series can be accessed at the URL http://www.elsevier.nl/locate/entcsWe are very grateful to the following persons, whose help has been crucial for the success of CMCS'2000: Adele E. Howe, for her help with the organization of the Workshop as satellite event of AA'2001 and Mike Mislove, one of the Managing Editors of the ENTCS series, for his assistance with the use of the ENTCS style files.December 15, 2001 Dieter Hutte

Information Flow Analysis Based Security Checking of Health Service Composition Plans

In this paper, we present an approach to solve the problem of provably secure execution of semantic web service composition plans. The integrated components of this approach include our OWL-S service matchmaker, OWLSMX, the service composition planner, OWLS-XPlan, and the security checker module for formally verifying the compliance of the created composition plan to be executed with given data and service security policies using type-based information flow analysis. We demonstrate this approach by means of its application to a use case scenario of health service composition planning

A Method for Patching Interleaving-Replay Attacks in Faulty Security Protocols

AbstractThe verification of security protocols has attracted a lot of interest in the formal methods community, yielding two main verification approaches: i) state exploration, e.g. FDR [Gavin Lowe. Breaking and fixing the needham-schroeder public-key protocol using FDR. In TACAs'96: Proceedings of the Second International Workshop on Tools and Algorithms for Construction and Analysis of Systems, pages 147–166, London, UK, 1996. Springer-Verlag] and OFMC [A.D. Basin, S. Mödersheim, and L. Viganò. An on-the-fly model-checker for security protocol analysis. In D. Gollmann and E. Snekkenes, editors, ESORICS'03: 8th European Symposium on Research in Computer Security, number 2808 in Lecture Notes in Computer Science, pages 253–270, Gjøvik, Norway, 2003. Springer-Verlag]; and ii) theorem proving, e.g. the Isabelle inductive method [Lawrence C. Paulson. The inductive approach to verifying cryptographic protocols. Journal in Computer Security, 6(1-2):85–128, 1998] and Coral [G. Steel, A. Bundy, and M. Maidl. Attacking the asokan-ginzboorg protocol for key distribution in an ad-hoc bluetooth network using coral. In H. König, M. Heiner, and A. Wolisz, editors, IFIP TC6 /WG 6.1: Proceedings of 23rd IFIP International Conference on Formal Techniques for Networked and Distributed Systems, volume 2767, pages 1–10, Berlin, Germany, 2003. FORTE 2003 (work in progress papers)]. Complementing formal methods, Abadi and Needham's principles aim to guide the design of security protocols in order to make them simple and, hopefully, correct [M. Abadi and R. Needham. Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering, 22(1):6–15, 1996]. We are interested in a problem related to verification but far less explored: the correction of faulty security protocols. Experience has shown that the analysis of counterexamples or failed proof attempts often holds the key to the completion of proofs and for the correction of a faulty model. In this paper, we introduce a method for patching faulty security protocols that are susceptible to an interleaving-replay attack. Our method makes use of Abadi and Needham's principles for the prudent engineering practice for cryptographic protocols in order to guide the location of the fault in a protocol as well as the proposition of candidate patches. We have run a test on our method with encouraging results. The test set includes 21 faulty security protocols borrowed from the Clark-Jacob library [J. Clark and J. Jacob. A survey of authentication protocol literature: Version 1.0. Technical report, Department of Computer Science, University of York, November 1997. A complete specification of the Clark-Jacob library in CAPSL is available at http://www.cs.sri.com/millen/capsl/]