research-article

Results in Workflow Resiliency: Complexity, New Formulation, and ASP Encoding

Author:

Philip W. L. FongAuthors Info & Claims

CODASPY '19: Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy

Pages 185 - 196

https://doi.org/10.1145/3292006.3300038

Published: 13 March 2019 Publication History

Abstract

First proposed by Wang and Li in 2007, workflow resiliency is a policy analysis for ensuring that, even when an adversarial environment removes a subset of workers from service, a workflow can still be instantiated to satisfy all the security constraints. Wang and Li proposed three notions of workflow resiliency: static, decremental, and dynamic resiliency. While decremental and dynamic resiliency are both PSPACE-complete, Wang and Li did not provide a matching lower and upper bound for the complexity of static resiliency. The present work begins with proving that static resiliency is $¶i^p_2$-complete, thereby bridging a long-standing complexity gap in the literature. In addition, a fourth notion of workflow resiliency, one-shot resiliency, is proposed and shown to remain in the third level of the polynomial hierarchy. This shows that sophisticated notions of workflow resiliency need not be PSPACE-complete. Lastly, we demonstrate how to reduce static and one-shot resiliency to Answer Set Programming (ASP), a modern constraint-solving technology that can be used for solving reasoning tasks in the lower levels of the polynomial hierarchy. In summary, this work demonstrates the value of focusing on notions of workflow resiliency that reside in the lower levels of the polynomial hierarchy.

References

[1]

Vijayalakshmi Atluri and Wei-kuang Huang. 1996. An Authorization Model for Workflows. In Proceedings of the 4th European Symposium on Research in Computer Security (ESORICS'96). Rome, Italy, 44--64. http://dl.acm.org/citation. cfm?id=646646.699195

Digital Library

[2]

Robert W. Baldwin. 1990. Naming and Grouping Privileges to Simplify Security Management in Large Databases. In Proceedings of the 1990 IEEE Symposium on Security and Privacy (S&P'90). Oakland, CA, USA, 116--132.

[3]

Elisa Bertino, Elena Ferrari, and Vijay Atluri. 1999. The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security 18, 1 (Feb. 1999), 65--104.

Digital Library

[4]

Gerhard Brewka, Martin Diller, Georg Heissenberger, Thomas Linsbichler, and Stefan Woltran. 2017. Solving Advanced Argumentation Problems with Answer- Set Programming. In Proceedings of the 31st AAAI Conference on Artificial Intelligence (AAAI'2017). San Francisco, CA, USA, 1077--1083.

Digital Library

[5]

David Cohen, Jason Crampton, Andrei Gagarin, Gregory Gutin, and Mark Jones. 2014. Iterative Plan Construction for theWorkflow Satisfiability Problem. Journal of Artificial Intelligence Research 51 (2014), 555--577.

Digital Library

[6]

D. Cohen, J. Crampton, A. Gagarin, G. Gutin, and M. Jones. 2016. Algorithms for the workflow satisfiability problem engineered for counting constraints. Journal of Combinatorial Optimization 32, 1 (July 2016), 3--24.

Digital Library

[7]

Jason Crampton. 2005. A reference monitor for workflow systems with constrained task execution. In Proceedings of the tenth ACM symposium on Access control models and technologies (SACMAT'05). Stockholm, Sweden, 38--47.

Digital Library

[8]

Jason Crampton and Gregory Gutin. 2013. Constraint Expressions and Workflow Satisfiability. In Proceedings of the 18th ACM Symposium on Access Control Models and Technologies (SACMAT'2013). Amsterdam, The Netherlands, 73--84.

Digital Library

[9]

Jason Crampton, Gregory Gutin, and Daniel Karapetyan. 2015. Valued Workflow Satisfiability Problem. In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies (SACMAT'2015). Vienna, Astria, 3--13.

Digital Library

[10]

Jason Crampton, Gregory Gutin, Daniel Karapetyan, and Rémi Watrigant. 2017. The bi-objective workflow satisfiability problem and workflow resiliency. Journal of Computer Security 25, 1 (2017), 83--115.

[11]

Jason Crampton, Gregory Gutin, Martin Koutecký, and RémiWatrigant. 2017. Parameterized Resiliency Problems via Integer Linear Programming. In Proceedings of the 10th International Conference on Algorithms and Complexity (CIAC'2017) (LNCS), Vol. 10236. Athens, Greece, 164--176.

[12]

Jason Crampton, Gregory Gutin, and RémiWatrigant. {n. d.}. On the Satisfiability of Workflows with Release Points. In Proceedings of the 22nd ACM Symposium on Access Control Models and Technologies (SACMAT'2017). Indianapolis, IN, USA, 207--217.

Digital Library

[13]

Jason Crampton, Gregory Gutin, and Rémi Watrigant. 2016. Resiliency Policies in Access Control Revisited. In Proceedings of the 21st ACM Symposium on Access Control Models and Technologies (SACMAT'2016). Shanghai, China, 101--111.

Digital Library

[14]

Jason Crampton, Gregory Gutin, and Anders Yeo. 2012. On the parameterized complexity of the workflow satisfiability problem. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS'2012). Raleigh, North Carolina, USA, 857--868.

Digital Library

[15]

Jason Crampton, Gregory Gutin, and Anders Yeo. 2013. On the Parameterized Complexity and Kernelization of the Workflow Satisfiability Problem. ACM Transactions on Information and System Security 16, 1 (June 2013), 4:1--31.

Digital Library

[16]

Ronald de Haan and Stefan Szeider. 2014. Fixed-Parameter Tractable Reductions to SAT. In Proceedings of the 17th International Conference on Theory and Applications of Satisfiability Testing (SAT'2014) (LNCS), Vol. 8561. Springer, Vienna, Austria, 85--102.

[17]

Ronald de Haan and Stefan Szeider. 2014. The Parameterized Complexity of Reasoning Problems Beyond NP. Vienna, Austria, 82--91.

Digital Library

[18]

Ronald de Haan and Stefan Szeider. 2017. Parameterized complexity classes beyond para-NP. J. Comput. System Sci. 87 (2017), 16--57.

[19]

Thomas Eiter, Wolfgang Faber, Michael Fink, and Stefan Woltran. 2007. Complexity Results for Answer Set Programming with Bounded Predicate Arities and Implications. Annals of Mathematics and Artificial Intelligence 51, 2 (2007), 123--165.

Digital Library

[20]

Thomas Eiter and Georg Gottlob. 1995. On the Computational Cost of Disjunctive Logic Programming: Propositional Case. Annals of Mathematics and Artificial Intelligence 15 (1995), 289--323.

[21]

Rodney G. Downey Michael R. Fellows. 2013. Fundamentals of Parameterized Complexity. Springer.

[22]

Martin Gebser, Roland Kaminski, Benjamin Kaufmann, and Torsten Schaub. 2013. Answer Set Solving in Practice. Morgan and Claypool Publishers.

[23]

Michael Gelfond and Vladimir Lifschitz. 1988. The Stable Model Semantics for Logic Programming. In Proceedings of the Fifth International Conference and Symposium on Logic Programming (ICLP). Seattle, WA, USA, 1070--1080.

[24]

Edith Hemaspaandra, Lane A. Hemaspaandra, Till Tantau, and Osamu Watanabe. 2010. On the complexity of kings. Theoretical Computer Science 411 (2010), 783--798.

Digital Library

[25]

Arif Akram Khan and Philip W. L. Fong. 2012. Satisfiability and Feasibility in a Relationship-based Workflow Authorization Model. In Proceedings of the 17th European Symposium on Research in Computer Security (ESORICS'2012) (LNCS), Vol. 7459. Springer, Pisa, Italy, 109--126.

[26]

Ker-I Ko and Chih-Long Lin. 1995. On the Complexity of Min-Max Optimization Problems and Their Approximation. In Minimax and Applications, Ding-Zhu Du and Panos M. Pardalos (Eds.). Springer, 219--239.

[27]

Ninghui Li, Mahesh Tripunitara, and Qihua Wang. 2006. Resiliency Policies in Access Control. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS'2006). Alexandria, VA, USA, 113--123.

Digital Library

[28]

Ninghui Li, Qihua Wang, and Mahesh Tripunitara. 2009. Resiliency Policies in Access Control. ACM Transactions on Information and System Security 12, 4 (April 2009), 1--34.

Digital Library

[29]

John C. Mace, Charles Morisset, and Aad van Moorsel. 2014. Quantitative Workflow Resiliency. In Proceedings of the 19th European Symposium on Research in Computer Security (ESORICS'2014) (LNCS), Vol. 8712. Wroclaw, Poland, 344--361.

Digital Library

[30]

John C. Mace, Charles Morisset, and Aad van Moorsel. 2015. Impact of Policy Design on Workflow Resiliency Computation Time. In Proceedings of the 12th International Conference on Quantitative Evaluation of Systems (QEST'2015) (LNCS), Vol. 9259. Madrid, Spain, 244--259.

Digital Library

[31]

John C. Mace, Charles Morisset, and Aad van Moorsel. 2015. Resiliency Variance in Workflows with Choice. In Proceedings of the 7th International Workshop on Software Engineering for Resilient Systems (SERENE'2015) (LNCS), Vol. 9274. Paris, France, 128--143.

Digital Library

[32]

Pooya Mehregan and Philip W. L. Fong. 2016. Policy Negotiation for Co-owned Resources in Relationship-Based Access Control. In Proceedings of the 21st ACM Symposium on Access Control Models and Technologies (SACMAT'2016). Shanghai, China, 125--136.

Digital Library

[33]

Potassco {n. d.}. Potassco, the Potsdam Answer Set Solving Collection. https: //potassco.org/

[34]

Chiaki Sakama and Tjitze Rienstra. 2017. Representing Argumentation Frameworks in Answer Set Programming. Fundamenta Informaticae 155 (2017), 261-- 292.

[35]

Jerry H. Saltzer and Mike D. Schroeder. 1975. The protection of information in computer systems. Proc. IEEE 63, 9 (Sept. 1975), 1278--1308.

[36]

Marcus Schaefer and Christopher Umans. 2002. Completeness in the polynomialtime hierarchy: A compendium. SIGACT News 33, 3 (Sept. 2002), 32--49.

[37]

Kaijun Tan, Jason Crampton, and Carl A. Gunter. 2004. The Consistency of Task-Based Authorization Constraints inWorkflow Systems. In Proceedings of the 17th IEEEWorkshop on Computer Security Foundations (CSFW'04). IEEE Computer Society, Washington, DC, USA, 155--169.

Digital Library

[38]

Roshan K. Thomas and Ravi S. Sandhu. 1998. Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Authorization Management. In Proceedings of the 11th IFIP WG11.3 Working Conference on Database and Application Security (DAS'98). Lake Tahoe, California, USA, 166-- 181. http://dl.acm.org/citation.cfm?id=646115.679940

Digital Library

[39]

Qihua Wang and Ninghui Li. 2007. Satisfiability and Resiliency in Workflow Systems. In Proceedings of the 12th European Symposium on Research in Computer Security (ESORICS'2007) (LNCS), Vol. 4734. Springer, Dresden, Germany, 90--105.

Digital Library

[40]

Qihua Wang and Ninghui Li. 2010. Satisfiability and Resiliency in Workflow Authorization Systems. ACM Transactions on Information and System Security 13, 4 (Dec. 2010), 40:1--35.

Digital Library

Cited By

Abdelgawad MRay IVasquez T(2023)Workflow Resilience for Mission Critical SystemsStabilization, Safety, and Security of Distributed Systems10.1007/978-3-031-44274-2_37(498-512)Online publication date: 30-Sep-2023
https://doi.org/10.1007/978-3-031-44274-2_37
Zavatteri MViganò L(2019)Last man standing: Static, decremental and dynamic resiliency via controller synthesisJournal of Computer Security10.3233/JCS-18124427:3(343-373)Online publication date: 10-Jun-2019
https://doi.org/10.3233/JCS-181244

Index Terms

Results in Workflow Resiliency: Complexity, New Formulation, and ASP Encoding
1. Security and privacy
  1. Security services
    1. Access control

Recommendations

Satisfiability and resiliency in workflow systems
ESORICS'07: Proceedings of the 12th European conference on Research in Computer Security

We propose the role-and-relation-based access control (R²BAC) model for workflow systems. In R²BAC, in addition to a user's role memberships, the user's relationships with other users help determine whether the user is allowed to perform a certain step ...
Quantitative Workflow Resiliency
Computer Security - ESORICS 2014
Abstract
A workflow is resilient when the unavailability of some users does not force to choose between a violation of the security policy or an early termination of the workflow. Although checking for the resiliency of a workflow is a well-studied problem,...
Local Fast Failover Routing With Low Stretch

Network failures are frequent and disruptive, and can significantly reduce the throughput even in highly connected and regular networks such as datacenters. While many modern networks support some kind of local fast failover to quickly reroute flows ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CODASPY '19: Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy

March 2019

373 pages

ISBN:9781450360999

DOI:10.1145/3292006

General Chairs:
Gail-Joon Ahn
Arizona State University, USA
,
Bhavani Thuraisingham
University of Texas at Dallas, USA
,
Program Chairs:
Murat Kantarcioglu
University of Texas at Dallas, USA
,
Ram Krishnan
University of Texas at San Antonio, USA

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 March 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

CODASPY '19

Sponsor:

SIGSAC

CODASPY '19: Ninth ACM Conference on Data and Application Security and Privacy

March 25 - 27, 2019

Texas, Richardson, USA

Acceptance Rates

Overall Acceptance Rate 149 of 789 submissions, 19%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
117
Total Downloads

Downloads (Last 12 months)5
Downloads (Last 6 weeks)0

Reflects downloads up to 09 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Abdelgawad MRay IVasquez T(2023)Workflow Resilience for Mission Critical SystemsStabilization, Safety, and Security of Distributed Systems10.1007/978-3-031-44274-2_37(498-512)Online publication date: 30-Sep-2023
https://doi.org/10.1007/978-3-031-44274-2_37
Zavatteri MViganò L(2019)Last man standing: Static, decremental and dynamic resiliency via controller synthesisJournal of Computer Security10.3233/JCS-18124427:3(343-373)Online publication date: 10-Jun-2019
https://doi.org/10.3233/JCS-181244

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents