CLC number: TP311
On-line Access: 2024-08-27
Received: 2023-10-17
Revision Accepted: 2024-05-08
Crosschecked: 2018-04-04
Cited: 0
Clicked: 6051
Jia-xin Jiang, Zhi-qiu Huang, Wei-wei Ma, Yan Cao. Using information flow analysis to detect implicit information leaks for web service composition[J]. Frontiers of Information Technology & Electronic Engineering, 2018, 19(4): 494-502.
@article{title="Using information flow analysis to detect implicit information leaks for web service composition",
author="Jia-xin Jiang, Zhi-qiu Huang, Wei-wei Ma, Yan Cao",
journal="Frontiers of Information Technology & Electronic Engineering",
volume="19",
number="4",
pages="494-502",
year="2018",
publisher="Zhejiang University Press & Springer",
doi="10.1631/FITEE.1601371"
}
%0 Journal Article
%T Using information flow analysis to detect implicit information leaks for web service composition
%A Jia-xin Jiang
%A Zhi-qiu Huang
%A Wei-wei Ma
%A Yan Cao
%J Frontiers of Information Technology & Electronic Engineering
%V 19
%N 4
%P 494-502
%@ 2095-9184
%D 2018
%I Zhejiang University Press & Springer
%DOI 10.1631/FITEE.1601371
TY - JOUR
T1 - Using information flow analysis to detect implicit information leaks for web service composition
A1 - Jia-xin Jiang
A1 - Zhi-qiu Huang
A1 - Wei-wei Ma
A1 - Yan Cao
J0 - Frontiers of Information Technology & Electronic Engineering
VL - 19
IS - 4
SP - 494
EP - 502
%@ 2095-9184
Y1 - 2018
PB - Zhejiang University Press & Springer
ER -
DOI - 10.1631/FITEE.1601371
Abstract: Information leak, which can undermine the compliance of web-service-composition business processes for some policies, is one of the major concerns in web service composition. We present an automated and effective approach for the detection of implicit information leaks in business process execution language (BPEL) based on information flow analysis. We introduce an adequate meta-model for BPEL representation based on a petri net for transformation and analysis. Building on the concept of petri net place-based noninterference, the core contribution of this paper is the application of a petri net reachability graph to estimate petri net interference and thereby to detect implicit information leaks in web service composition. In addition, a case study illustrates the application of the approach on a concrete workflow in BPEL notation.
[1]Accorsi R, Wonnemann C, 2009. Detective information flow analysis for business processes. Int Conf on Business Process, Services Computing, and Intelligent Service Management, p.223-224.
[2]Accorsi R, Wonnemann C, 2010. Static information flow analysis of workflow models. Int Conf on Business Process and Service Science, p.194-205.
[3]Accorsi R, Lehmann A, Lohmann N, 2015. Information leak detection in business process models: theory, application, and tool support. Inform Syst, 47:244-257.
[4]Ahmad F, Huang H, Wang X, 2010. Petri net modeling and deadlock analysis of parallel manufacturing processes with shared-resources. J Syst Softw, 83(4):675-688.
[5]Armando A, Ranise S, 2011. Automated analysis of infinite state workflows with access control policies. 7th Int Workshop on Security and Trust Management, p.157-174.
[6]Atluri V, 2001. Security for workflow systems. Inform Secur Technol Rep, 6(2):59-68.
[7]Atluri V, Chun S, Mazzoleni P, 2001. A Chinese wall security model for decentralized workflow systems. 8th ACM Conf on Computer and Communications Security, p.48-57.
[8]Barkaoui K, Ayed R, Boucheneb H, et al., 2008. Verification of workflow processes under multilevel security considerations. 3rd Int Conf on Risks and Security of Internet and Systems, p.77-84.
[9]Bell D, 1983. Secure computer systems: a retrospective. IEEE Symp on Security and Privacy, p.161-162.
[10]Bell D, LaPadula L, 1973. Secure Computer Systems: Mathematical Foundations and Model. DTIC Document.
[11]Benatallah B, Dumas M, Maamar Z, 2002. Definition and execution of composite web services: the self-serv project. IEEE Data Eng Bull, 25(4):47-52. http://sites.computer.org/debull/A02DEC-CD.pdf
[12]Busi N, Gorrieri R, 2003. A survey on noninterference with Petri nets. ACPN: Lectures on Concurrency and Petri Nets, p.328-344.
[13]Busi N, Gorrieri R, 2009. Structural noninterference in elementary and trace nets. Math Struct Comput Sci, 19(6):1065-1090.
[14]Carminati B, Ferrari E, Hung P, 2005. Exploring privacy issues in web services discovery agencies. IEEE Secur Priv, 3(5):14-21.
[15]Denning D, 1976. A lattice model of secure information flow. Commun ACM, 19(5):236-243.
[16]Goguen J, Meseguer J, 1982. Security policies and security models. IEEE Symp on Security and Privacy, p.11-20.
[17]Hui K, Tan B, Goh C, 2006. Online information disclosure: motivators and measurements. ACM Trans Intern Technol, 6(4):415-441.
[18]Juszczyszyn K, 2003. Verifying enterprise’s mandatory access control policies with colored Petri nets. 12th IEEE Int Workshops on Enabling Technologies, p.184-189.
[19]Kagal L, Paolucci M, Srinivasan N, et al., 2004. Authorization and privacy for semantic web services. IEEE Intell Syst, 19(4):50-56.
[20]Lampson B, 1973. A note on the confinement problem. Commun ACM, 16(10):613-615.
[21]Lohmann N, Massuthe P, Stahl C, et al., 2006. Analyzing interacting BPEL processes. 4th Int Conf on Business Process Management, p.17-32.
[22]Lohmann N, Verbeek E, Dijkman R, 2009. Petri net transformations for business processes–-a survey. Trans Petri Nets Other Models Concurr, 2:46-63.
[23]Lu Y, Zhang L, Sun J, 2009. Using colored Petri nets to model and analyze workflow with separation of duty constraints. Int J Adv Manuf Technol, 40(1-2):179-192..
[24]Massacci F, Mylopoulos J, Zannone N, 2006. Hierarchical hippocratic databases with minimal disclosure for virtual organizations. VLDB J, 15(4):370-387.
[25]Myers A, Liskov B, 1997. A decentralized model for information flow control. 16th ACM Symp on Operating System Principles, p.129-142.
[26]Papazoglou M, 2012. Cloud blueprint: a model-driven approach to configuring federated clouds. 2nd Int Conf on Model and Data Engineering, p.1.
[27]Röhrig S, Knorr K, 2004. Security analysis of electronic business processes. Electron Commerce Res, 4(1-2):59-81.
[28]Sabelfeld A, Myers A, 2003. Language-based information-flow security. IEEE J Sel Areas Commun, 21(1):5-19.
[29]Shafiq B, Masood A, Joshi J, et al., 2005. A role-based access control policy verification framework for real-time systems. 10th IEEE Int Workshop on Object-Oriented Real-Time Dependable Systems, p.13-20.
[30]Singh M, 2001. Being interactive: physics of service composition. IEEE Intern Comput, 5(3):6-7.
[31]Sun H, Wang X, Yang J, et al., 2008. Authorization policy based business collaboration reliability verification. 6th Int Conf on Service-Oriented Computing, p.579-584.
[32]Tan W, Fan Y, Zhou M, 2009. A Petri net-based method for compatibility analysis and composition of web services in business process execution language. IEEE Trans Autom Sci Eng, 6(1):94-106.
[33]Tbahriti S, Ghedira C, Medjahed B, et al., 2014. Privacy-enhanced web service composition. IEEE Trans Serv Comput, 7(2):210-222.
[34]Tschantz M, Datta A, Datta A, et al., 2015. A methodology for information flow experiments. 28th IEEE Symp on Computer Security Foundations, p.554-568.
[35]Yee G, 2007. A privacy controller approach for privacy protection in web services. 4th ACM Workshop on Secure Web Services, p.44-51.
[36]Zhou C, Ju S, 2012. A Petri net based approach to covert information flow analysis. Chin J Comput, 35(8):1688-1699.
Open peer comments: Debate/Discuss/Question/Opinion
<1>