Full Text:   <2198>

Summary:  <1647>

CLC number: TP311

On-line Access: 2024-08-27

Received: 2023-10-17

Revision Accepted: 2024-05-08

Crosschecked: 2018-04-04

Cited: 0

Clicked: 5990

Citations:  Bibtex RefMan EndNote GB/T7714

 ORCID:

Jia-xin Jiang

http://orcid.org/0000-0001-6185-4438

-   Go to

Article info.
Open peer comments

Frontiers of Information Technology & Electronic Engineering  2018 Vol.19 No.4 P.494-502

http://doi.org/10.1631/FITEE.1601371


Using information flow analysis to detect implicit information leaks for web service composition


Author(s):  Jia-xin Jiang, Zhi-qiu Huang, Wei-wei Ma, Yan Cao

Affiliation(s):  College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 210016, China; more

Corresponding email(s):   jiangjiaxin@nuaa.edu.cn, zqhuang@nuaa.edu.cn, maweiwei@nuaa.edu.cn, caoyan926@nuaa.edu.cn

Key Words:  Information flow analysis, Business process execution language, Petri net, Interference


Jia-xin Jiang, Zhi-qiu Huang, Wei-wei Ma, Yan Cao. Using information flow analysis to detect implicit information leaks for web service composition[J]. Frontiers of Information Technology & Electronic Engineering, 2018, 19(4): 494-502.

@article{title="Using information flow analysis to detect implicit information leaks for web service composition",
author="Jia-xin Jiang, Zhi-qiu Huang, Wei-wei Ma, Yan Cao",
journal="Frontiers of Information Technology & Electronic Engineering",
volume="19",
number="4",
pages="494-502",
year="2018",
publisher="Zhejiang University Press & Springer",
doi="10.1631/FITEE.1601371"
}

%0 Journal Article
%T Using information flow analysis to detect implicit information leaks for web service composition
%A Jia-xin Jiang
%A Zhi-qiu Huang
%A Wei-wei Ma
%A Yan Cao
%J Frontiers of Information Technology & Electronic Engineering
%V 19
%N 4
%P 494-502
%@ 2095-9184
%D 2018
%I Zhejiang University Press & Springer
%DOI 10.1631/FITEE.1601371

TY - JOUR
T1 - Using information flow analysis to detect implicit information leaks for web service composition
A1 - Jia-xin Jiang
A1 - Zhi-qiu Huang
A1 - Wei-wei Ma
A1 - Yan Cao
J0 - Frontiers of Information Technology & Electronic Engineering
VL - 19
IS - 4
SP - 494
EP - 502
%@ 2095-9184
Y1 - 2018
PB - Zhejiang University Press & Springer
ER -
DOI - 10.1631/FITEE.1601371


Abstract: 
Information leak, which can undermine the compliance of web-service-composition business processes for some policies, is one of the major concerns in web service composition. We present an automated and effective approach for the detection of implicit information leaks in business process execution language (BPEL) based on information flow analysis. We introduce an adequate meta-model for BPEL representation based on a petri net for transformation and analysis. Building on the concept of petri net place-based noninterference, the core contribution of this paper is the application of a petri net reachability graph to estimate petri net interference and thereby to detect implicit information leaks in web service composition. In addition, a case study illustrates the application of the approach on a concrete workflow in BPEL notation.

使用信息流分析检测Web服务组合隐性信息泄露

摘要:信息泄露会破坏Web服务组合业务流程对某些策略的遵从性,是Web服务组合中的一个主要问题。提出一种基于信息流分析的有效的自动化方法用于检测业务流程执行语言(BPEL)中的隐性信息泄露。引入Petri网元模型对BPEL进行转换和分析。以Petri网中基于库所的无干扰性概念为基础,使用Petri网可达图分析Petri网干扰性,检测Web服务组合中的隐性信息泄露,并通过一个案例说明该方法在具体BPEL工作流中的应用。

关键词:信息流分析;业务流程执行语言;Petri网;干扰性

Darkslateblue:Affiliate; Royal Blue:Author; Turquoise:Article

Reference

[1]Accorsi R, Wonnemann C, 2009. Detective information flow analysis for business processes. Int Conf on Business Process, Services Computing, and Intelligent Service Management, p.223-224.

[2]Accorsi R, Wonnemann C, 2010. Static information flow analysis of workflow models. Int Conf on Business Process and Service Science, p.194-205.

[3]Accorsi R, Lehmann A, Lohmann N, 2015. Information leak detection in business process models: theory, application, and tool support. Inform Syst, 47:244-257.

[4]Ahmad F, Huang H, Wang X, 2010. Petri net modeling and deadlock analysis of parallel manufacturing processes with shared-resources. J Syst Softw, 83(4):675-688.

[5]Armando A, Ranise S, 2011. Automated analysis of infinite state workflows with access control policies. 7th Int Workshop on Security and Trust Management, p.157-174.

[6]Atluri V, 2001. Security for workflow systems. Inform Secur Technol Rep, 6(2):59-68.

[7]Atluri V, Chun S, Mazzoleni P, 2001. A Chinese wall security model for decentralized workflow systems. 8th ACM Conf on Computer and Communications Security, p.48-57.

[8]Barkaoui K, Ayed R, Boucheneb H, et al., 2008. Verification of workflow processes under multilevel security considerations. 3rd Int Conf on Risks and Security of Internet and Systems, p.77-84.

[9]Bell D, 1983. Secure computer systems: a retrospective. IEEE Symp on Security and Privacy, p.161-162.

[10]Bell D, LaPadula L, 1973. Secure Computer Systems: Mathematical Foundations and Model. DTIC Document.

[11]Benatallah B, Dumas M, Maamar Z, 2002. Definition and execution of composite web services: the self-serv project. IEEE Data Eng Bull, 25(4):47-52. http://sites.computer.org/debull/A02DEC-CD.pdf

[12]Busi N, Gorrieri R, 2003. A survey on noninterference with Petri nets. ACPN: Lectures on Concurrency and Petri Nets, p.328-344.

[13]Busi N, Gorrieri R, 2009. Structural noninterference in elementary and trace nets. Math Struct Comput Sci, 19(6):1065-1090.

[14]Carminati B, Ferrari E, Hung P, 2005. Exploring privacy issues in web services discovery agencies. IEEE Secur Priv, 3(5):14-21.

[15]Denning D, 1976. A lattice model of secure information flow. Commun ACM, 19(5):236-243.

[16]Goguen J, Meseguer J, 1982. Security policies and security models. IEEE Symp on Security and Privacy, p.11-20.

[17]Hui K, Tan B, Goh C, 2006. Online information disclosure: motivators and measurements. ACM Trans Intern Technol, 6(4):415-441.

[18]Juszczyszyn K, 2003. Verifying enterprise’s mandatory access control policies with colored Petri nets. 12th IEEE Int Workshops on Enabling Technologies, p.184-189.

[19]Kagal L, Paolucci M, Srinivasan N, et al., 2004. Authorization and privacy for semantic web services. IEEE Intell Syst, 19(4):50-56.

[20]Lampson B, 1973. A note on the confinement problem. Commun ACM, 16(10):613-615.

[21]Lohmann N, Massuthe P, Stahl C, et al., 2006. Analyzing interacting BPEL processes. 4th Int Conf on Business Process Management, p.17-32.

[22]Lohmann N, Verbeek E, Dijkman R, 2009. Petri net transformations for business processes–-a survey. Trans Petri Nets Other Models Concurr, 2:46-63.

[23]Lu Y, Zhang L, Sun J, 2009. Using colored Petri nets to model and analyze workflow with separation of duty constraints. Int J Adv Manuf Technol, 40(1-2):179-192..

[24]Massacci F, Mylopoulos J, Zannone N, 2006. Hierarchical hippocratic databases with minimal disclosure for virtual organizations. VLDB J, 15(4):370-387.

[25]Myers A, Liskov B, 1997. A decentralized model for information flow control. 16th ACM Symp on Operating System Principles, p.129-142.

[26]Papazoglou M, 2012. Cloud blueprint: a model-driven approach to configuring federated clouds. 2nd Int Conf on Model and Data Engineering, p.1.

[27]Röhrig S, Knorr K, 2004. Security analysis of electronic business processes. Electron Commerce Res, 4(1-2):59-81.

[28]Sabelfeld A, Myers A, 2003. Language-based information-flow security. IEEE J Sel Areas Commun, 21(1):5-19.

[29]Shafiq B, Masood A, Joshi J, et al., 2005. A role-based access control policy verification framework for real-time systems. 10th IEEE Int Workshop on Object-Oriented Real-Time Dependable Systems, p.13-20.

[30]Singh M, 2001. Being interactive: physics of service composition. IEEE Intern Comput, 5(3):6-7.

[31]Sun H, Wang X, Yang J, et al., 2008. Authorization policy based business collaboration reliability verification. 6th Int Conf on Service-Oriented Computing, p.579-584.

[32]Tan W, Fan Y, Zhou M, 2009. A Petri net-based method for compatibility analysis and composition of web services in business process execution language. IEEE Trans Autom Sci Eng, 6(1):94-106.

[33]Tbahriti S, Ghedira C, Medjahed B, et al., 2014. Privacy-enhanced web service composition. IEEE Trans Serv Comput, 7(2):210-222.

[34]Tschantz M, Datta A, Datta A, et al., 2015. A methodology for information flow experiments. 28th IEEE Symp on Computer Security Foundations, p.554-568.

[35]Yee G, 2007. A privacy controller approach for privacy protection in web services. 4th ACM Workshop on Secure Web Services, p.44-51.

[36]Zhou C, Ju S, 2012. A Petri net based approach to covert information flow analysis. Chin J Comput, 35(8):1688-1699.

Open peer comments: Debate/Discuss/Question/Opinion

<1>

Please provide your name, email address and a comment





Journal of Zhejiang University-SCIENCE, 38 Zheda Road, Hangzhou 310027, China
Tel: +86-571-87952783; E-mail: cjzhang@zju.edu.cn
Copyright © 2000 - 2024 Journal of Zhejiang University-SCIENCE