CR | Apr 22, 2013

Security Policies for WFMS with Rich Business Logic - A Model Suitable for Analysis

arXiv:1304.5938v1
Originality: Incremental advance
AI Analysis

This work addresses security policy validation for online service systems with rich business logic, representing an incremental improvement in expressiveness and analysis over existing models.

The paper tackles the problem of specifying and validating security policies for workflows with complex business logic by introducing a formal metamodel that can be translated into colored Petri nets for analysis, demonstrating feasibility through an online banking example and addressing state-space explosion via fractioning.

This paper introduces a formal metamodel for the specification of security policies for workflows in online service systems designed to be suitable for the modeling and analysis of complex business-related rules as well as traditional access control. A translation of the model into a colored Petri net is shown and an example of policy for an online banking system is described. By writing predicates for querying the resulting state-space of the Petri net, a connection between the formalized model and a higher-level description of the security policy can be made, indicating the feasibility of the intended method for validating such descriptions. Thanks to the independent nature among tasks related to different business services, represented by restrictions in the information flow within the metamodel, the state-space may be fractioned for analysis, avoiding the state-space explosion problem. Related existing models are discussed, pointing out the gain in expressiveness of business rules and the analysis of insecure state paths rather than simply insecure states in the proposed model. The successful representation and analysis of the policy from the example combined with reasoning for the general case attest to the adequacy of the proposed approach for its intended application.
