Results in Workflow Resiliency: Complexity, New Formulation, and ASP Encoding
This work addresses a long-standing gap in policy analysis for secure workflows, providing theoretical insights and practical tools for researchers in security and constraint solving.
The paper resolves the complexity of static workflow resiliency by proving it is $\Pi_2^p$-complete, introduces a new notion called one-shot resiliency that remains in the third level of the polynomial hierarchy, and shows how to encode these problems into Answer Set Programming for practical solving.
First proposed by Wang and Li in 2007, workflow resiliency is a policy analysis for ensuring that, even when an adversarial environment removes a subset of workers from service, a workflow can still be instantiated to satisfy all the security constraints. Wang and Li proposed three notions of workflow resiliency: static, decremental, and dynamic resiliency. While decremental and dynamic resiliency are both PSPACE-complete, Wang and Li did not provide a matching lower and upper bound for the complexity of static resiliency. The present work begins by proving that static resiliency is $\Pi_2^p$-complete, thereby bridging a long-standing complexity gap in the literature. In addition, a fourth notion of workflow resiliency, one-shot resiliency, is proposed and shown to remain in the third level of the polynomial hierarchy. This shows that sophisticated notions of workflow resiliency need not be PSPACE-complete. Lastly, we demonstrate how to reduce static and one-shot resiliency to Answer Set Programming (ASP), a modern constraint-solving technology that can be used for solving reasoning tasks in the lower levels of the polynomial hierarchy. In summary, this work demonstrates the value of focusing on notions of workflow resiliency that reside in the lower levels of the polynomial hierarchy.
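The following is an added example, not code from the paper: a brute-force check of static resiliency that makes the "for every removal, there exists an assignment" structure behind the $\Pi_2^p$ bound explicit. It assumes static resiliency with a budget `t` means that every removal of at most `t` users leaves a valid assignment; the workflow, users, constraints and function names are constructed for illustration.

```python
from itertools import combinations, product
from operator import ne  # separation of duty: two steps need different users

# Constructed sample workflow (not from the paper).
STEPS = ["prepare", "approve", "pay"]
USERS = {"alice", "bob", "carol", "dave"}
AUTH = {  # authorization policy: which users may perform each step
    "prepare": {"alice", "bob"},
    "approve": {"bob", "carol"},
    "pay": {"carol", "dave"},
}
# Each constraint is (step_a, step_b, relation the two assigned users must satisfy).
CONSTRAINTS = [("prepare", "approve", ne), ("approve", "pay", ne)]


def satisfiable(steps, auth, constraints, users):
    """Exists-part: find an assignment of available users to steps that
    respects the authorization policy and every constraint, or return None."""
    candidates = [[u for u in sorted(users) if u in auth[s]] for s in steps]
    for combo in product(*candidates):
        plan = dict(zip(steps, combo))
        if all(rel(plan[a], plan[b]) for a, b, rel in constraints):
            return plan
    return None


def static_resiliency(steps, auth, constraints, users, t):
    """Forall-part: every removal of at most t users must leave the workflow
    satisfiable. Returns (True, None) or (False, smallest blocking set found)."""
    for k in range(t + 1):
        for removed in combinations(sorted(users), k):
            remaining = users - set(removed)
            if satisfiable(steps, auth, constraints, remaining) is None:
                return False, set(removed)
    return True, None


if __name__ == "__main__":
    for budget in (1, 2):
        print(budget, static_resiliency(STEPS, AUTH, CONSTRAINTS, USERS, budget))
```

Both loops enumerate exponentially many candidates in the worst case, which is why the abstract points to ASP solvers rather than enumeration for realistic policies.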