Specification and Verification of Secure Business Transaction Systems

Every organization has policies, defined either implicitly or explicitly, that are intended to influence the behavior of subjects and objects associated with the organization. A policy is a rule or a set of constraints that applies to some scenario in the daily lifecycle of the organization’s activity. Business rules describe terms and conditions, service provisions, contracts and their execution. Typically, a workflow specification in an organization is driven by business rules. On the other hand, security policies set restrictions on access to resources and regulate information flow. Security policies are domain specific, restricting access to objects in that domain. A workflow specification may cut across different domains, requiring access to objects in different domains. The subjects involved in fulfilling the activities in a business workflow should have certain access rights to the objects in those domains, and should also be granted rights to let the information flow from one subject to another subject. Here is where there is a potential conflict between security and workflow policies. In this paper we provide a formal specification of security policies, business policies, and workflow schemes. The specification formalism naturally suggests a Hore style axiomatic verification approach for detecting conflicts and proving security of business transactions. A business transaction is a contract between two parties, and is governed by strict protocols satisfying business and security policies. A business transaction can be broken up into several business activities. A protocol enforces an orderly execution of an activity subject to the current rules and defines corrective measures to follow when some of the rules cannot be met in the context of performing the action. In this paper we formally specify an workflow as an extended state machine, having the syntax of Statecharts [4]. Security and business policies are specified in set theory and logic. We give semantics for policy updates, and for the application of policies in every state of