Last man standing: Static, decremental and dynamic resiliency via controller synthesis

Matteo Zavatteri, L. Viganò
Journal: J. Comput. Secur. (Journal Article), published 2019-06-10
DOI: 10.3233/JCS-181244 (https://doi.org/10.3233/JCS-181244)
Citations: 9

Abstract

The workflow satisfiability problem is the problem of finding an assignment of users to tasks (i.e., a plan) so that all authorization constraints are satisfied. The workflow resiliency problem is a dynamic workflow satisfiability problem coping with the absence of users. If a workflow is resilient, it is of course satisfiable, but the vice versa does not hold. There are three levels of resiliency: in static resiliency, up to k users might be absent before the execution starts and never become available for that execution; in decremental resiliency, up to k users might be absent before or during execution and, again, they never become available for that execution; in dynamic resiliency, up to k users might be absent before executing any task and they may in general turn absent and available continuously, before or during the execution. Much work has been carried out to address static resiliency, little for decremental resiliency and, to the best of our knowledge, for dynamic resiliency no exact approach that returns a dynamic execution plan if and only if a workflow is resilient has been provided so far. In this paper, we tackle workflow resiliency via extended game automata. We provide three encodings (having polynomial-time complexity) from workflows to extended game automata to model each kind of resiliency as an instantaneous game and we use Uppaal-TIGA to synthesize a winning strategy (i.e., a controller) for such a game. If a controller exists, then the workflow is resilient (as the controller's strategy corresponds to a dynamic plan). If it doesn't, then the workflow is breakable. The approach that we propose is correct because it corresponds to a reachability problem for extended game automata (TCTL model checking). Moreover, we have developed Erre, the first tool for workflow resiliency that relies on a controller synthesis approach for the three kinds of resiliency. Thanks to Erre, our approach is thus also fully automated from analysis to simulation.
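The satisfiability/resiliency distinction above, as an added illustration that is not the paper's code and has nothing to do with Erre or Uppaal-TIGA: a brute-force check of the workflow satisfiability problem and of static k-resiliency (every set of up to k users removed before execution must still leave a plan) on a small constructed workflow with authorizations and separation-of-duty constraints; the users, tasks and constraints are assumed for illustration.

```python
"""Constructed workflow: 3 tasks, authorized users per task, and
separation-of-duty (SoD) pairs whose tasks need different users."""
from itertools import combinations

TASKS = ["t1", "t2", "t3"]
AUTH = {"t1": {"alice", "bob"},
        "t2": {"bob", "carol"},
        "t3": {"alice", "carol", "dave"}}
SOD = [("t1", "t2"), ("t2", "t3")]


def find_plan(auth, sod, tasks=TASKS, absent=frozenset()):
    """Backtracking search for a plan (task -> user) that respects
    authorizations and SoD, skipping absent users.
    Returns the plan dict, or None if the workflow is unsatisfiable."""
    plan = {}

    def ok(task, user):
        for a, b in sod:
            other = b if a == task else a if b == task else None
            if other in plan and plan[other] == user:
                return False
        return True

    def rec(i):
        if i == len(tasks):
            return True
        t = tasks[i]
        for u in sorted(auth[t] - absent):  # sorted for a deterministic plan
            if ok(t, u):
                plan[t] = u
                if rec(i + 1):
                    return True
                del plan[t]
        return False

    return dict(plan) if rec(0) else None


def static_resilient(auth, sod, k, tasks=TASKS):
    """Static k-resiliency: a plan must exist for every set of at most k
    users absent before execution starts. Returns (resilient, witness),
    where witness is a breaking absent set when the workflow is breakable."""
    users = set().union(*auth.values())
    for r in range(k + 1):
        for absent in combinations(sorted(users), r):
            if find_plan(auth, sod, tasks, frozenset(absent)) is None:
                return False, set(absent)
    return True, None
```

The constructed workflow is satisfiable and statically 1-resilient but not 2-resilient: removing alice and bob leaves nobody authorized for t1, which is the "resilient implies satisfiable, but not vice versa" point in the abstract.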