Detective Information Flow Analysis for Business Processes

Authors

  • Rafael Accorsi
  • Claus Wonnemann
Abstract

We report on ongoing work towards a posteriori detection of illegal information flows for business processes, focusing on the challenges involved in doing so. Resembling a forensic investigation, our approach aims at analyzing the audit trails resulting from the execution of the business processes, locating information flows that violate the (non-functional) requirements stipulated by security policies. The goal is to obtain fine-grained evidence of policy compliance with respect to information flows.

Information flow (IF) characterizes the transfer of information from a classified container h to a public container l during the execution of a process [Lam73]. A “container” can be a logical or physical device, such as a process instance, network socket, or variable. An IF is labeled “illegal” whenever it violates the security policies expressing the non-functional requirements put on the execution of the process, in particular the confidentiality and noninterferability of pieces of information.

Asserting that the executions of business processes do not allow illegal IF is essential in the context of regulatory compliance [KGM08], which is largely automated by business processes deployed over service-oriented architectures [AMK02]. Most of the compliance requirements, and hence security policies, are concerned with the propagation of sensitive data [BA08], such as personally identifiable information, credit card numbers and the like. However, only a minority of these policies, namely those denoting safety properties [Lam77], can be enforced with access control mechanisms based on execution monitors [Sch00]. The majority of the security policies, in particular those expressing non-interference, denote hyperproperties for which mechanisms for runtime enforcement do not exist [CS08], nor are there techniques for a posteriori analysis of process executions tailored to the detection of illegal IF [Acc08].

As a result of lacking techniques for IF control (IFC), illegal IF arising from covert channels – i.e. information channels whose primary purpose is not the transmission of information, but which are misused for this purpose – and information interference – i.e. the extraction of sensitive information from a set of accumulated data items or events – may go undetected. This leads to a situation in which the executions of a process, and the process itself, may be thought of as complying with the security policies, whereas a thorough analysis for illegal IF could prove the opposite: IF led to policy violations and non-compliance.

Our work investigates approaches for the a posteriori analysis of IF in business processes. Resembling a forensic investigation [PBM08] and building on authentic log files recorded during processes’ execution [Acc09], our goal is to advance IFC by developing approaches


Related resources

InDico: Information Flow Analysis of Business Processes for Confidentiality Requirements

This paper presents InDico, an approach for the automated analysis of business processes against confidentiality requirements. InDico is motivated by the fact that in spite of the correct deployment of access control mechanisms, information leaks in automated business processes can persist due to erroneous process design. InDico employs a meta-model based on Petri nets to formalize and analyze ...


Forensic Leak Detection for Business Process Models

This paper presents a formal forensic technique based on information flow analysis to detect leaks in business processes models. The approach can be uniformly applied both for the analysis of process specifications and of the log files generated during processes’ execution. Specifically, the special Petri net dialect IFnet provides a common basis for the formalization of isolation properties, t...


Assessment of BAM with ANP Approach; Case Study: Bank Sepah

In today's business environment in which coordination and adaptation with constant changes are the only ways of survival, real-time monitoring of activities and making the decisions accordingly are necessary. Since performance measurement cannot be managed independent of business processes, Business Activity Monitoring (BAM) systems should monitor performance metrics based on business processes...


An Approach to Data-driven Detective Internal Controls for Process-aware Information Systems

This paper argues for an approach for the well-founded, scalable detective internal controls to assist controllers in swiftly and reliably identifying violations of control objectives in business process executions. Considering the usual internal control setting, in which controllers have a process and policy specification (target state) and the corresponding event log generated during the proc...


Publication date: 2009