Ehtesham Zahoor

Dynamic authorisation policies for event-based task delegation

Task delegation presents one of the business process security leitmotifs. It defines a mechanism that bridges the gap between both workflow and access control systems. There are two important issues relating to delegation, namely allowing task delegation to complete, and having a secure delegation within a workflow. Delegation completion and authorisation enforcement are specified under specific constraints. Constraints are defined from the delegation context implying the presence of a fixed set of delegation events to control the delegation execution. In this paper, we aim to reason about delegation events to specify delegation policies dynamically. To that end, we present an event-based task delegation model to monitor the delegation process. We then identify relevant events for authorisation enforcement to specify delegation policies. Moreover, we propose a technique that automates delegation policies using event calculus to control the delegation execution and increase the compliance of all delegation changes in the global policy.

DISC: A Declarative Framework for Self-Healing Web Services Composition

Web services composition design, verification and monitoring are active and widely studied research directions. Little work however has been done in integrating these related dimensions using a unified formalism. In this paper we propose a declarative event-oriented framework, called DISC, that serves as a unified framework to bridge the gap between the process design, verification and monitoring. Proposed framework allows for a composition design to accommodate various aspects such as data relationships and constraints, Web services dynamic binding, compliance regulations, security or temporal requirements and others. Then, it allows for instantiating, verifying and executing the composition design and for monitoring the process while in execution. The effect of run-time violations can also be calculated and a set of recovery actions can be taken, allowing for the self-healing Web services composition.

DISC-SeT: Handling Temporal and Security Aspects in the Web Services Composition

In this paper we propose the DISC-SeT framework to handle the representation, solution computation and verification of temporal and security requirements in the services composition. The proposed approach provides a flexible event calculus based composition design, that allows for modeling different temporal (response time, time-units and other) and security aspects (access control, confidentiality and others) for Web services with different synchronization modes. The use of a formal approach allows to reason about and verify the security and temporal requirements. Further, as the proposed approach is integrated and builds upon the DISC framework, it allows to learn from run-time security and temporal constraints violations to take recovery actions.

An Event-Based Reasoning Approach to Web Services Monitoring

In this paper, we propose an event-based framework that allows to specify and reason about the monitoring properties during composition process execution. The proposed approach is highly expressive and allows to specify monitoring properties that can be based on either functional or non-functional requirements, allows multi-level detection of any violation, allows to calculate effects of any such violation on the overall process execution and to recover from it using a set of recovery actions. The choice of a reasoning based approach allows to foresee the effects of violations and respects any functional and non-functional constraints associated with the process, when performing recovery. In addition, as the approach builds upon an event-based declarative framework called DISC, it results in an integrated approach as both composition design and monitoring framework are event-based.

A Bounded Model Checking Approach for the Verification of Web Services Composition

In this paper, we propose a bounded model-checking based approach for the verification of declarative Web services composition processes using satisfiability solving SAT. The need for the bounded model-checking approach stems from the nature of declarative processes as they are defined by only specifying the constraints that mark the boundary of the solution to the composition process. The proposed approach relies on using Event Calculus EC as the modeling formalism with a sound and complete EC to SAT encoding process. The use of EC as the modeling also formalism allows for a highly expressive approach for both the specification of composition model and for the specification of verification properties. Furthermore, as the conflict clauses returned by the SAT solver can be significantly large for complex processes and verification requirements, we propose a filtering criterion and defined patterns for identifying the clauses of interest for process verification.

A logical framework for reasoning about delegation policies in workflow management systems

Task delegation presents one of the business process security leitmotifs. It defines a mechanism that bridges the gap between workflow and access control systems. Delegation completion and authorisation enforcement are specified under specific constraints so-called events. In this article, we aim to reason about delegation events to model task delegation and to specify delegation policies using a logical framework. To that end, we propose an event-based task delegation model to control the delegation execution. We then identify relevant events responsible for the dynamic enforcement of delegation policies. Further, we define a task-oriented access control model to specify delegation constraints into authorisation policies. Finally, we propose a technique to automate the delegation policies integration. Using event calculus, we develop a reasoning tool to control the delegation execution and to increase the compliance of all delegation changes in the existing policy of the workflow.

A Formal Approach for the Verification of AWS IAM Access Control Policies

Cloud computing offers elastic, scalable and on-demand network access to a shared pool of computing resources, such as storage, computation and others. Resources can be rapidly and elastically provisioned and the users pay for what they use. One of the major challenges in Cloud computing adoption is security and in this paper we address one important security aspect, the Cloud authorization. We have provided a formal Attribute Based Access Control (ABAC) model, that is based on Event-Calculus and is able to model and verify Amazon Web Services (AWS) Identity and Access Management (IAM) policies. The proposed approach is expressive and extensible. We have provided generic Event-Calculus modes and provided tool support to automatically convert JSON based IAM policies in Event-Calculus. We have also presented performance evaluation results on actual IAM policies to justify the scalability and practicality of the approach.

Web Services Composition Verification Using Satisfiability Solving

In this paper, we propose an approach for the verification of declarative Web services composition processes using satisfiability solving. The need for the satisfiability solving approach stems from the nature of declarative processes which are defined by only specifying the constraints that mark the boundary of the solution to the composition process. As a result the state space of a declarative process can be significantly large, as the process is only partially defined and all the transitions have not been explicitly defined. Further, as the conflict clauses returned by the SAT solver can be significantly large for complex processes and verification requirements, we propose a filtering criteria and defined patterns for identifying the clauses of interest for process verification.

Formal Verification of Authorization Policies for Enterprise Social Networks Using PlusCal-2

Information security research has been a highly active and widely studied research direction. In the domain of of Enterprise Social Networks (ESNs), the security challenges are amplified as they aim to incorporate the social technologies in an enterprise setup and thus asserting greater control on information security. Further, the security challenges may not be limited to the boundaries of a single enterprise and need to be catered for a federated environment where users from different ESNs can collaborate. In this paper, we address the problem of federated authorization for the ESNs and present an approach for combining user level policies with the enterprise policies. We present the formal verification technique for ESNs and how it can be used to identify the conflicts in the policies. It allows us to bridge the gap between user-centric or enterprise-centric approaches as required by the domain of ESN. We apply our specification of ESNs on a scenario and discuss the model checking results.

AN EVENT‐BASED APPROACH FOR DECLARATIVE, INTEGRATED AND SELF‐HEALING WEB SERVICES COMPOSITION

Web services are defined to be the software systems that provide interoperable machine‐to‐machine interaction over a network. Individual services may need to be composed and the composition process design, verification and monitoring are thus active and widely studied research directions. However, the traditional approaches are both procedural (and rigid) and do not address the need of integrating these related dimensions using a unified formalism. In this paper, we propose an event‐oriented framework called DISC that is both declarative and serves as a unified framework to bridge the gap between the process design, verification and monitoring. It provides a flexible and highly expressive composition design that can accommodate various aspects such as data relationships and constraints, Web services dynamic binding, compliance regulations, security or temporal requirements etc. Furthermore, the DISC framework allows for instantiating and verifying the composition design and for monitoring the process while in execution.