Model Checking of Security-Sensitive Business Processes

Armando, Alessandro; Ponta, Serena Elisa

doi:10.1007/978-3-642-12459-4_6

Cited by 34 publications

(31 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Intuitively, formal verification amounts to check whether possible executions of the business process model satisfy some desired properties, like generic correctness criteria (such as deadlock freedom or executability of activities) or domaindependent constraints. To enable formal verification and other forms of reasoning support, business process models are translated into an equivalent formal representation, which typically relies on variants of Petri nets [1], transition systems [2], or process algebras [19]. Properties are then formalized using temporal logics, using model checking techniques to actually carry out verification tasks [9].…”

Section: Introductionmentioning

confidence: 99%

Verification of Artifact-Centric Systems: Decidability and Modeling Issues

Solomakhin

Montali

Tessaris

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Artifact-centric business processes have recently emerged as an approach in which processes are centred around the evolution of business entities, called artifacts, giving equal importance to control-flow and data. The recent Guard-State-Milestone (GSM) framework provides means for specifying business artifacts lifecycles in a declarative manner, using constructs that match how executive-level stakeholders think about their business. However, it turns out that formal verification of GSM is undecidable even for very simple propositional temporal properties. We attack this challenging problem by translating GSM into a well-studied formal framework. We exploit this translation to isolate an interesting class of "state-bounded" GSM models for which verification of sophisticated temporal properties is decidable. We then introduce some guidelines to turn an arbitrary GSM model into a state-bounded, verifiable model.

show abstract

Section: Introductionmentioning

confidence: 99%

Verification of Artifact-Centric Systems: Decidability and Modeling Issues

Solomakhin

Montali

Tessaris

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…1 Charlie's message contains all the documents to support his request and it is suitably signed. Upon reception of the request, Ed has appropriate support for checking the signature of the document and comparing it with the identity of the sender of the request: if the signature and the identity of the requester do not match, then the request is immediately refused and the sender is acknowledged of this fact; otherwise, Ed starts to consider the content of the request for the car registration.…”

Section: A Running Example: Car Registration Officementioning

confidence: 99%

A declarative two-level framework to specify and verify workflow and authorization policies in service-oriented architectures

Barletta

Ranise

Viganò

2010

SOCA

View full text Add to dashboard Cite

The specification of distributed service-oriented applications spans several levels of abstraction, e.g., the protocol for exchanging messages, the set of interface functionalities, the types of the manipulated data, the workflow, the access policy, etc. Many (even executable) specification languages are available to describe each level in separation. However, these levels may interact in subtle ways (for example, the control flow may depend on the values of some data variables) so that a precise abstraction of the application amounts to more than the sum of its per level components. This problem is even more acute in the design phase when automated analysis techniques may greatly help the difficult task of building "correct" applications faced by designers. To alleviate this kind of problems, this paper introduces a framework for the formal specification and automated analysis of distributed service-oriented applications in two levels: one for the workflow and one for the authorization policies. The former allows one to precisely describe the control and data parts of an application with their mutual dependencies. The latter focuses on the specification of the criteria for granting or denying third-party applications the possibility to access shared resources or to execute certain interface functionalities. These levels can be seen as abstractions of one or of several levels of specification mentioned above. The novelty of our proposal is the possibility to unambiguously specify the-often subtle-interplay between the workflow and policy levels uniformly in the same framework. Additionally, our framework allows us to define and investigate verification problems for service-oriented applications (such as executability and invariant checking) and give sufficient conditions for their decidability. These results are non-trivial because their scope of applicability goes well beyond the case of finite state spaces allowing for applications manipulating variables ranging over infinite domains. As proof of concept, we show the suitability and flexibility of our approach on two quite different examples inspired by industrial case studies.

show abstract

“…SATMC has been used to model check BPs against high-level authorization requirements [10]. Moreover, SATMC lies at the core of a Security Validation prototype for BPs developed by the Product Security Research unit at SAP.…”

Section: Success Storiesmentioning

confidence: 99%

SATMC: A SAT-Based Model Checker for Security-Critical Systems

Armando

Carbone

Compagna³

2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. We present SATMC 3.0, a SAT-based bounded model checker for security-critical systems that stems from a successful combination of encoding techniques originally developed for planning with techniques developed for the analysis of reactive systems. SATMC has been successfully applied in a variety of application domains (security protocols, securitysensitive business processes, and cryptographic APIs) and for different purposes (design-time security analysis and security testing). SATMC strikes a balance between general purpose model checkers and security protocol analyzers as witnessed by a number of important success stories including the discovery of a serious man-in-the-middle attack on the SAML-based Single Sign-On (SSO) for Google Apps, an authentication flaw in the SAML 2.0 Web Browser SSO Profile, and a number of attacks on PKCS#11 Security Tokens. SATMC is integrated and used as back-end in a number of research prototypes (e.g., the AVISPA Tool, Tookan, the SPaCIoS Tool) and industrial-strength tools (e.g., the Security Validator plugin for SAP NetWeaver BPM).

show abstract

Model Checking of Security-Sensitive Business Processes

Cited by 34 publications

References 13 publications

Verification of Artifact-Centric Systems: Decidability and Modeling Issues

Verification of Artifact-Centric Systems: Decidability and Modeling Issues

A declarative two-level framework to specify and verify workflow and authorization policies in service-oriented architectures

SATMC: A SAT-Based Model Checker for Security-Critical Systems

Contact Info

Product

Resources

About