Robert Baird's Research Blog

X-UNITY

2010-01-10T12:06:00.000-08:00

Parkerian Hexad

2009-08-31T12:08:00.000-07:00

Parkerian Hexad - Wikipedia, the free encyclopedia

The CIA triad in my mind has always been too simplistic and taken without much thought by students and professionals. I mean sure, it's easy to understand and adds a basic structure to decompose problems by, but it is so rudimentary and broken. When you have to tack on authentication, non-repudiation, risk management, and other categories the basics of the CIA approach just break down and make the core model unstable and unusable.

I like that the Parkerian Hexad is different. Sure at the core it has problems with non-overlapping categories and atomicity. What I do like is that it is something different and Parker is at least trying. I get the distinct feeling that everyone else has just given up and accepts CIA as the token system that works alright.

I really only wanted to write about this as a note to myself since I've always had a problem with the CIA-mindset. In school no one -ever- talks about Parker, probably because they don't know or care about his work. I get that a lot of people in the security industry may not like him, and he may or may not be crazy. Who knows. I'm fascinated by the fact that there are other models out there being explored.

Graphs

2009-06-15T12:35:00.001-07:00

Investigating the prior research that has been conducted with graphs and security policy modeling, or more generally, graphs and security research, even further abstracted graph-based languages.

Keywords/ main reseach areas:

Vulnerabilty/violation
Attack graph
Transformation, morphism
State-based approach
Policy anaylsis
Code analysis
modeling interconnection networks

Darmaillacq, "Security policy testing using vulnerability exploit chaining", ICSTW'08.

Short paper (2 pages)
Looks like they just made up their security requirements (policy statements), and encoded them arbitrarily, but I don't know, perhaps this is standardized.
"test purpose" - "a sequence of events, of which occurrence during a test execution guarantees deliverance of a verdict (pass or fail)." -- doesn't handle NFRs, but enables their policy statements to be encoded in a graph that can be traversed. If you get to a specific sink node then you know that a violation has occurred.
Combines this research with an attack graph

Bahati, Bauer, "Adapting to Run-time changes in policies driving autonomic management", ICAS 2008

Has a strange reinforcement learning approach
I really only pulled this paper as an example for the use of state transition diagrams as graphs in security research.
They express the policy, then generate states that would satisfy the policy, then have violation states, then generate the graph, and see if the states are reachable. Its from an execution standpoint though, I think, not a design/architecture view.

Ahn, Xu, Zhang, "Systematic Policy Analysis for High-assurance Services in SELinux", 2008 IEEE Workshop on Policies for Distributed Systems and Networks

Probably the most relevant paper to what we're doing although its targeted to SELinux/OS specific work.
Interesting because they have XML policy representation and an architecture that automatically translates it into graph language
They have a visual representation for violations too, this paper needs a more thurough read-through

Zhao, Ma, Liu, Hi, Huang, "A Graph Transformation based Approach for Runtime Constrained Evoluation of Service-Oritend Architectures", 2009 Parallel, Distributed and Networked-based Processing

"Dynamic software architectures [4] are those architectures that modify their architecture and enact the modifcations during the system's execution. This behavior is most commonly know as run-time evoluation or dynamism. Graph-based dyamical reconfguration of architectures [12, 17, 20] provides both a formal basis and a graphical representation that is the usualy way architecture are represented."
Their graph as a service with different ports and a "channel" that connects the ports. It's pretty easy to visualize the system. The whole system has a formal backing.
SOA Evoluation gets pretty messy though, There are productions and morphisms that make the graph (even a simple example) ... well, complicated. It almost doesn't seem as if their graph is even showing the entire architecure, just a subset. The whole transformation based approach doesn't seem the exact right fit for what we are attempting to do.

Duan, Feng, Wang, Zhang, Yew, "Detecting and eliminating potential violation of sequential consistency for concurrent C/C++ programs" 2009 international symp. on code generation and optimization

This is the paper that led me down the path of looking for graphs and violation analysis, although the paper itself didn't really give me much to go on itself.
They have graphs that model executable code and some examples that detect race conditions

Shih, Tan, "Fault-tolerant maximal local-connectivity on the bubble sort graphs", 2009 sixth international conference on information technolgy: new generations

Similar to the last paper this one didn't really specifically apply to our work but I'm including it for an idea
"Interconnection network is usually modeled as a graph, in which vertices and edges correspond to processor and communication links, respectively."

Najumudheen, Mall, Samanta, "A Dependence Graph-based Test coverage analysis technique for Object-oritented programs", 2009 Sixth International Conference on Information Technology: New Generations"

Call Based Object Oritented System Dependence Graph (COSDG)
"COSDG is a directed, connected multigraph G = (V,E), consisting of a set of V of vertices and set E of edges. A vertex represents one of three categories: statement, entry, and parameter vertices. An edge represents control, data dependency, parameter dependency, method call dependency, summary, class, and inheritance." - We wouldn't need all of that but I like that they can isolate their descriptions of a system down to these fine-grained details.
Of course their reseach is more based on code coverage for testing but it could easily be adapted to explain the architecture of a system.

Wermelinger, Lopes, Fiadeiro, "A graph based architectural (re)configuration language", ESEC/FSE 2001.

I only pulled this paper because it had reconfiguration and graph in it, I'm not sure if it has anything to do with security or policy modeling.
This paper is about CommUnity but after just glancing through it I can't exactly figure out what the paper is adding. It seems to be an update of an earlier publication they had on reconfiguration and how existing approaches didn't correclty model reconfiguraiton. It doesn't exactly look like they're extending unity but instead just trying to use it in a new novel way perhaps.
"algebraic graph rewriting" -- similar to a calculus graph rewriting approach?

Survivability

2009-06-15T10:14:00.000-07:00

Jianming 2008 - A Survivable Scheme for Critical Information Systems

Need/motivation: "Potential threats include failures (usually generated internally) due to software design errors, hardware degeneration, human errors, or corrupted data, hardware malfunctions, software flaws, environmental hazards, malicious and accidental (generally are externally generated events) human acts"
"In [9], a rigorous definition of survivability was presented. The survivability specification is a six-tuple, {S, E, D, V, T, P} where: S represents the specification set, E represents the service value factors, D represents the reachable environmental states, V represents relative service values, T and P represent the set of valid transitions and service probabilities. This definition is an engineering definition of survivability."
"Survivability focuses whether services of the whole system can survive in malicious environment but not the individual components" -- services here are not WS services, but instead functional
(1) Resistance and Recognition, (2) Recovery (checkpointing), (3) Adaptation (reconfiguraiton)
[9] Knight, Strunk, Sullivan, "Towards a rigorous definition of information system survivability", IEEE DISCEX 2003

Saridakis, "Surviving Errors in Component-Based Software", 2005 EUROMICRO-SEAA

In the introduction they have a pretty good breakdown of the main challenges that survivable systems must address
"However, fault tolerance techniques are based on some form of redundancy (e.g. service replication, data replication, state checkpoints, message logging, etc.) which makes them costly. This cost as system complexity (e.g. managing a replica group or taking checkpoints), resource consumption (e.g. additional hosts are needed to execute the service replicas and additional memory to store the replicated data, the checkpoints and the logs), and time penalty during system execution (e.g. delays in service delivery due to the time overhead in replica synchronizing or in saving checkpoints and logs on the stable storage).
Their paper is a about a concept known as "graceful degradation", basically a slow step down in functionality that reduces the overall performance of a system but still keeps it online. While this is not the exact same concept as a delta-federation, it is still related to some degree.
Also "Dependable systems" - "the capability of a system to outlast runtime errors and fulfill its mission"
"In other cases (e.g. [11]), mainly inspired from military and avionics domains, survivability describes the capability of a system to adjust its execution so ... can provide functionality despite damages .. due to errors"
Paper is on an optimistic graceful degradation approach. Identificaiton, isolation, adaption, repair. Optimisic maps errors to replacement functionality designed to fix, I think.
[11] Knight, Strunk, Sullivan, "Towards a rigorous definition of information system survivability", IEEE DISCEX 2003

Krings, "Design for Survivability: A Tradeoff Space" CSIIRW 2008

Survivability vs. Adaptation
"In [3, 19] survivability was described in terms of Resistance, Recognition, Recover, and Adaptation. Adaptation implemented the mechanism to adapt the system to knowledge gained in the prior three phases. Adaptation, in general, also encompases movements in the tradeoff space.
[3] Ellison, Fisher, Linger, Lipson, Longstaff, Mead "Survivable Network Systems: An emerging discipline" Technical Report CMU
[19] Mead, Ellison, Linger, Longstaff, McHugh, "Survivable Network Analysis Method", Technical Report CMU

Knight, Strunk, Sullivan, "Towards a Rigorous Definition of Information System Survivability", DARPA Information Survivability Conference and Expo 2003

Several definitions from different sources
Survivability: "the capability of..." , "a property of..." , ".. is measured by the probability...", "...qualified by specifying the range", "... the degree to which...",
Later definition "Survivability is the ability of a network computing system to provide essential services in the presence of attacks and failures, and recover full services in a timely manner"
Faults, are masked or unmasked. Fault avoidacnce may be used and this is not (according to them) an aspect of survivabiltiy.
They claim "survivabitliy is a measurable system characteristic" -- I am not sure about this.
Example is from miltary C2 (command and control), not very specific in details but its generalized and can be adaptive, different modes of operation and different needs.
{S, E, D, V, T, P}
V is user-defiend and ranked, user's perceived service value

Survivability

2009-06-12T12:20:00.000-07:00

Breakdown
- What: System, Infrastructure, Communication, Mission
- Domain: MANETS, Business processes, Data Warehouse, Emergency Management
- Design: Patch Management, Protocol, System Architecture, Network defenses
- Metrics: QoS, Intrusion Detection, Attack statistics,
- Mechanism: Load Balancing, Redundancy, Recovery process, Checkpointing, Reconfiguration
- Approach: Centralized, Decentralized

Roundtable discussion from 2000

2009-06-11T12:49:00.000-07:00

http://www2.computer.org/portal/web/csdl/abs/html/mags/so/2000/05/s5026.htm

IEEE Security & Privacy

2009-06-11T08:42:00.000-07:00

Journal: IEEE Security & Privacy

Found this journal yesterday and started to look through it for some interesting articles. They've got two sections that would have articles every once and awhile for "Emerging Standards" and "Building Security In" that seemed interesting.

Anderson, A., "Web services policies," Security & Privacy, IEEE , vol.4, no.3, pp.84-87, May-June 2006
URL: http://www.ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=1637390&isnumber=34312

In the Emerging Standards section
They decompose a policy across different layers that build on each other: service-interface-binding, domain-binding, policy, assertion (or predicate), vocabulary
They have something called a policy envelope
For each layer they have defined they associate one or more different standards specifications that attempt to resolve the problem the layer addresses (all taken from Oasis or W3C)
Many are XML based (in fact, I think the ones they investigate might -all- be XML)
Details some of the problems with standardizations and policies, ws-desc failed to gain sufficient support and XACML standardization was blocked due to disagreements in the policy committee
Several standards cross cut their layer stratification XACML is in 3 layers for example
They bring up the issue of "if every service can shoose among increasing number of policy options, the probability of any two services having compatible policies diminishes"
Also introduces the issue of a domain, wherein a particular domain might need a different mechanism to express their policies

Gupta, Suvajit; Winstead, Joel, "Using Attack Graphs to Design Systems," Security & Privacy, IEEE , vol.5, no.4, pp.80-83, July-Aug. 2007
URL: http://www.ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=4288052&isnumber=4288029

Was really only looking at this to see if there was any intersting background references to look that would establish a base for linking security (policies) and graph based modeling

Ninghui Li; JiWon Byun; Bertino, E., "A Critique of the ANSI Standard on Role-Based Access Control," Security & Privacy, IEEE , vol.5, no.6, pp.41-49, Nov.-Dec. 2007
URL: http://www.ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=4402445&isnumber=4402432
and
Ferraiolo, D.; Kuhn, R.; Sandhu, R., "RBAC Standard Rationale: Comments on "A Critique of the ANSI Standard on Role-Based Access Control"," Security & Privacy, IEEE , vol.5, no.6, pp.51-53, Nov.-Dec. 2007
URL: http://www.ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=4402447&isnumber=4402432

I was hoping this paper would show the specification language (if there was one) but it seems more focused on the formal specification of the standard. Lots of details about flaws in the standard.

Landau, S., "Security and Privacy Landscape in Emerging Technologies," Security & Privacy, IEEE , vol.6, no.4, pp.74-77, July-Aug. 2008
URL: http://www.ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=4588236&isnumber=4588217

Investigates the domains of industrail control systems (SCADA) and emergency management
Market pressure and deregulation have moved existing closed loop systems to decentralized web based interconnected systems where security is now hard to control
They talk as if NIST 800-53 is a standard, I never really thought of it as such as it seemed more like a documentation of available options
Their references to emergency management standards groups are the Oasis Emergency Mgmt TC, Homeland Security's FEMA, and the Emergency Interoparability Consortium's EDXL

From BuildSecurityIn

2009-06-10T14:59:00.000-07:00

https://buildsecurityin.us-cert.gov/daisy/bsi/articles/tools/modeling/698-BSI.html

Security policy model is a traditional name for the combination of the

specification of the security policy—normally constraints (or properties)
specification of the behavior of the system—normally a high-level specification of the design¹
argument showing the consistency of the two—normally this means showing that a software system always stays within security constraints

This need to show consistency has been already been mentioned. In the early days (1960s, 70s, and 80s), this was often written about in terms of formal proofs. In the 1980s the concept of levels of assurance mapped to different kinds of evidence for this consistency. The legacy of this work is seen in today’s Common Criteria. However, borrowing in part from experience in safety, this concept has been generalized to one of an assurance case, which in part tries to address its own uncertainty and is intended to provide grounds for justified confidence and decision making by stakeholders.

One example of tool use is Praxis’s use of Z/Eves to formally state security policy and show the consistency of the system’s high-level design with it, using mathematical logic [Hall 2002].

Hmm...

MODSEC

2009-06-10T14:54:00.000-07:00

Workshop on Modeling Security (MODSEC)
http://www.comp.lancs.ac.uk/modsec/

Looked like there was only one paper on policies. Might be worth looking at though.

Tejeddine Mouelhi, Franck Fleurey, Benoit Baudry and Yves Le Traon. Mutating DAC And MAC Security Policies: A Generic Metamodel Based Approach

Review: Security Policies and the Software Developer

2009-06-10T13:22:00.000-07:00

Security Policies and the Software Developer
Found in: IEEE Security and Privacy
By Denis Verdon
Issue Date:July 2006
pp. 42-49

I found this by searching for "baseline security policy" on computer.org digital library, it was about halfway down the second page of results.

Link: http://www2.computer.org/portal/web/csdl/abs/html/mags/sp/2006/04/j4042.htm

This is a pretty high level article (not terribly in-depth) but glancing through it I saw it had some nice information categorized.

Different Policy Types (across all kinds of different domains) - Even though they are all "policies" they each mean and contain totally different things, and I think it would help our work a lot if we clearly state which types of policies we address:

Corporate security policy
Acceptable use policy
Privacy policy
Email policy
Information (systems) security policy
Network security policy
Secure application development policy
Incident management policy
Data classification policy
Policy exemption process

Some of these are likely unrelated to our work, but each probably has different standards and mechanisms of expression.

"To meet the research needs, public communities of interest or working groups usually sprout up, acting as clearing houses for knowledge on threats and countermeasures." they then claims there are 3 distinct groups that do research in these areas:

"de facto bodies, often evolved from loose communities of interest, such as SANS (www.sans.org);
government-sponsored bodies, such as US-CERT;
and not-for-profit or non-governmental organizations and standards bodies, such as the International Standards Organization, the IEEE, or the Center for Internet Security (www.cisecurity.org)"

Not that this classification really gets us anywhere, but I like that someone else has already stratified the areas that we would likely need to look towards. The article then goes on to look at standards that are prevalent (again I think this document is from a legal-protection viewpoint so its not totally helpful but still worth looking into).

Some of the groups they briefly review (although some of these are just best practices documents, but still, maybe that is who we should turn to for developing the baseline):

Build Security In (BSI, https://buildsecurityin.us-cert.gov)
The Open Web Application Security Project (www.owasp.org/documentation)
Microsoft Developer Network (MSDN; http://msdn.microsoft.com/security)
Sun Developer Network's Reference on Java Security (http://developers/sun.com/ techtopics/security/javasecurity/reference/techart/ index.html#2)

Baseline motivation

2009-06-10T08:45:00.001-07:00

I had taken some notes down on my iPhone the other day that I'm going to try and transcribe and expand upon here.

Why establish a baseline (either from the policy viewpoint or the delta federation?):

Vast amount of specifications, increasing in number at an increasing rate, with lots of overlapping information
Certain specifications gain popularity and are adhered to while others exhibiting the same properties are specified and never used.
By determining the common features throughout a minimum baseline of information can be established.
The baseline can then be used to determine a universal mapping between expression languages (for example the differences web services specified with WSDL or REST would become meaningless assuming an appropriate mapping could be establish with sufficient coverage across all baseline entities).
As new technologies for expression are developed they can easily be incorporated within any system using the baseline approach.

Context-Based Matching and Ranking of Web Services for Composition
Found in: IEEE Transactions on Services Computing
By Aviv Segev , Eran Toch
Accepted to July 2009 Issue (not yet published)

They have heavy use of a baseline concept in their paper, not quite the same as ours though
Theirs is a "baseline method" to classify WS information
They bring up the issue of the view of a domain, for them its the local view whereas our deltafederation would have more of a global/shared/collaborative view
Intro also brings up the difference between exploratory composition and automatic compositions. Their research is to benefit the exploratory compositions of WS which is helpful because eventually a human guides the development of the final composition.
They "assume each web service is described using a textual description, which is part of the meta-data within UDDI registries, and a WSDL document describing the syntactic properties of the service interface" - this seems to be a pretty standard and easy to understand statement
To them, their baseline method is "a simple reflection (identity function) of the original bag of tokens , extracted from the service descriptoins to a bag of tokens representing sets of words". Not quite sure what that means.
"Service analysis leads to the construction of the baseline" -- that could mean the entire baseline or the baseline of a specific service...
"often WS providers do not include tags in their service descriptions [13]"
The rest of this paper seems to be going into heavy Information Retrival analysis of the WS descriptions (inverse document frequency, term frequency, etc.). Its almost like they're building up the math for a search engine of WS.
A lot of the context mapping in their process would be accomplished by a human in our case, I think. This type of reseach certainly enhances any toolkit tasked with that type of responsability though, but ultimately the work would require a human (I'd think).

Paper review: A graph-based formalism for RBAC

2009-06-10T08:00:00.000-07:00

Koch, M., Mancini, L. V., and Parisi-Presicce, F. 2002. A graph-based formalism for RBAC. ACM Trans. Inf. Syst. Secur. 5, 3 (Aug. 2002), 332-365. DOI= http://doi.acm.org/10.1145/545186.545191

http://portal.acm.org/citation.cfm?id=545186.545191
http://doi.acm.org/10.1145/545186.545191

2002, so its not -very- recent
They list reasons/motivations for the formalism early on. (1) prove properties of a given specification (2) compare different AC models (3) predict system behavior by combining diff. policies
Formalizes RBAC using a graph transformation language [Rozenberg 1997]
Provides static and dynamic consistency conditions, and has an executable specification with existing tools
"A graph represents a state of a system... state changes are specified by graph transformation rules... a rule is given by a graph morphism" -- The CPP does not really have states or state changes, its a static analysis so I'm guessing an approach like this isn't a great match.
Just thinking here: one approach if we continue down the use of our own langague is to use transformations to build up the system 1 policy at a time. Each transformation would have to ensure the system was in compliance. Oh there are so many different options like that though. Would the graph notate the policy, or the system, or both? Would transformations show the evolution of the system as components are added/removed, the change in state as it executes, the change in policies? Or would there even need to be graph transformations? Too many questions, more background research is needed.
"The left hand side of the rule add to role contains additionally a dashed edge between the u and the r node. This dashed edge represents a negative application condition"
"The nodes of the rule add to role do not carry labels. This representation for a rule is intended as a pattern for a whole set of rules" -- this seems pretty beneficial, the ability for the language to have patterns which can be applied to specific instanciations

Edge Labels, absence of labels
Edge (connected line or dashed line)
Node names, shapes, filled or open, colors
Transformations, rules, actions, activations

Reasoning with semantics-aware access control policies for geospatial web services

2009-06-09T13:32:00.000-07:00

Ashraful Alam, Ganesh Subbiah, Bhavani M. Thuraisingham, Latifur Khan: Reasoning with semantics-aware access control policies for geospatial web services. SWS 2006: 69-76

Paper available here.

Reasons for looking at this paper:

How they specify their security policies
Semantics-aware ACP - a new type of policy? Can the CPP express it?
Sill looking for baseline, and papers that everyone in security references

Notes from paper:

Incremental policy buildup, reuse of "security blocks"
"Distinguishes between two major types of security most prevalent in WS... the first kind deals with general authorization procedures of WS users and subsequent security criteria... the second kind involves organizational protection of data from intruders or clients without access privileges."
"Not all data housed by the geospatial agencies are considered public in nature. For instance, the data might contain critical information about people, exposure of which would jeopardize their privacy. The problem is exacerbated in a data integration environment because of a lack of coherent security framework. If the trend towards on-the-fly data integration continues, Web services providers would very soon perform complicated services that require embedding or combining geospatial data with other kinds of data."
"In a very complex policy setting with hundreds of rules with intricate hierarchy of privileges, the reasoning engine will boost the security tremendously by suggesting potential security vulnerabilities in the policy repository."

Referenced papers for security background

Security whitepaper from Microsoft and IBM about web services security model. [1]
Web Service Policy Language (WSPL) [6]
GeoXACML [7] access control language for geo spatial web services
Semantic languages Rei [9], KAoS [10], Ponder [11].
OWL-S / DAML

Paper review: Modeling and Enforcement of Business Policies on Process Models with Maestro

2009-06-09T11:31:00.000-07:00

Ivan Markovic, Sukesh Jain, Mahmoud El-Gayyar, Armin B. Cremers, Nenad Stojanovic: Modeling and Enforcement of Business Policies on Process Models with Maestro. ESWC 2009: 873-877

SpringerLink

Seems to delegate the actual modeling of the business policies to "WSML Flight", another language.
The contribution of this paper is just a graphical viewer of the output of the Flight module, it seems. It is built on top of the Maestro framework.
Something about a Policy Recommender, that can somehow recommend policies to specific business processes based on an ontology framework.
Example is based on separation of duty in a financial industry.

Paper review: Contract driven cross-organizational business processes

2009-06-09T09:40:00.000-07:00

Ustun Yildiz, Olivera Marjanovic, and Claude Godart, Contract driven cross-organizational business processes, in Proceedings of the Second International Conference on Information Management and Business, IMB (V. Khandelwal and M. S. Raisinghani, eds.), (Australia), pp. 120–130, Australian Computer Society, 2006.

Online PDF available here.

They have a term "cross-organizational" that really seems to similarly refer to our concept of a Community of Interest (I think).
From abstract: process monitoring and coordination mechanism, generic contract model, event-driven infrastructure
Interesting keywords: Cross-organizational Collaboration, E-contracting, Complex Event Processing
Again, this paper is from a business perspective, (like the banking industry example Emmerich used). "interconnected in order to satisfy the mutual benefits of their owners". It is not mission directed, per se.
Cross organizational relationship is defined via a business contract (not sure if this is formalized or not) which is specified independently of the execution details.
"The contract defines in advance the business constraints that the business partners are supposed to respect when they collaborate". -- so very similar to the idea I had for the contract layer of information in the delta-federation.
They're using some sort of middleware (Complex Event Processing - CEP) to formalize event-driven applications. It has constraints, parties, operations, metrics, dates, objects.
Seems to bring in concepts from deontic logic (permission, obligation, prohibition), comparisons (equal, less than, greater than, etc.), and aggregation.
And then the paper stops, hard to see a specific addition. I guess they borrow the language, and put a middlware between the two interacting partners to monitor. That may be all they do.

Paper review: Business Process Management (BPM) standards: A survey

2009-06-08T12:13:00.000-07:00

Ryan K. L. Ko, Stephen S. G. Lee and E. W. Lee, “Business Process Management (BPM) Standards: A Survey” Business Process Management Journal, Emerald Publishing, Accepted on 2 December 2008. [To appear: Vol. 15 No. 5, 2009] [PDF]

This paper should probably be a key reference in the baseline research.

In the introduction points out the rapid growth of paradigms and methods with terms and technologies that were not well defined, and languages that duplicated features, lacked formalisms, and lacked validation on real business systems.
There is a beautiful figure that organizes the entire paper's contents (Figure 1)
Classifications of BPM standards: grapical, execution, interchange, diagnosis
van der Aalst's BPM life cycle figure - "Process Design, System Configuration, Process Enactment, Diagnosis, repeat"... we don't exactly do this, either adding the double/triple-loop mentality, or adding another step of reconfiguration into the figure.
Diagnosis standards are the closest possible thing to the research we've already conducted
Investigates the differences between BPM, Workflow Management, and Business Process Reengineering
Developed a classification process, which is pretty cool. Basic flow chart.
Unfortunately, the first decision is "Is this standard for Web Services?", if yes they categorize as a Web Service / SOA Standard (not sure if they do anything after that).
Key things they identify: BPM/SOA/B2B, Background (source), Theory/Graphical/Interchange/Execution/Diagnosis/B2bInfoExchange, Standardized (yes/no), Current Status
Each standard has brief overview/introduction, strengths/weaknesses analysis, and other sections. Takes up a lot of space overall, but consistant.
Lots of analysis of BPEL due to its influential status, due to the fact that it accomplishes so much
Section 5.8.3 - Context Aware Workflow Management Systems. Very brief duscussion, not really even going into the problems. Of course this discussion was from the viewpoint of BPM and not workflow management.

IEEE 2009 Third International Workshop on Scientific Workflows (SWF 2009)

2009-06-08T09:51:00.000-07:00

Same as with the self-tuning stuff I looked at, here are the interesting papers from the scientific workflows program:

UML_AD2EventB: An Approach to Generating Event B Specification from UML Activity Diagrams for the Workflows Specification and Verification, Ahlem Ben Younes, Leila Jemni Ben Ayed

Lots of papers about UML from Ayed according to DBLP
A Formal Approach for the Development of Automated Systems - interesting, but automated systems probably means something different than I'm thinking of
A paper on BNF encoding of UML
Not really sure what Event B is, supposedly a "formal method for system-level modeling and analysis", barely looking at it it kind of looks similar to unity

New Execution Paradigm for Data-Intensive Scientific Workflows, Mahmoud El-Gayyar, Yan Leng, Serge Shumilov, Armin Cremers

El-Gayyar's webpage - background in grid computing, possibly mashups,
Markovic, I., Sukesh, J., Elgayyar, M., and Cremers, A. "Modeling and Enforcement of Business Policies and Rules in Semantic Business Process Modeling", In Proceedings of 3rd International Conference on Adaptive Business Information Systems (ABIS), Leipzig, Germany, March 2009.
Elgayyar, M. M., Alda, S. J., and Cremers, A. B. "Towards a user-oriented environment for web services composition". In Proceedings of the 4th international Workshop on End-User Software Engineering (Leipzig, Germany, May 12 - 12, 2008). WEUSE '08. ACM, New York, NY, 81-85.
Serge Shumolov's webpage - decision support systems, hydrologic-economic stuff, ...
T. Bode, A. B. Cremers, U. Radetzki, S. Shumilov. COBIDS: A Component-Based Framework for Sharing Standardized and Non-Standardized Geo-Services. In: Proc. of the 18th International Conference Informatics for Environmental Protection (EnviroInfo 2004), pp. 292-302, Geneva, Switzerland, 2004.
Armin Cremers' webpage - its all in Deutsch, some of the paper titles are in English.
Alda, S.; Cremers, A.B.: Strategies for Component-based Self-Adaptability Model in Peer-to-Peer Architectures. Proceedings of the 4th International Symposium on Component-based Software Engineering (CBSE7). LNCS 3054, Springer, pp. 59-67. Edinburgh, Scotland., 2004.
Mügge, H.; Rho, T.; Speicher, D.; Bihler, P.; Cremers, A.B.: Programming for Context-based Adaptability - Lessons learned about OOP, SOA, and AOP. Workshop Selbstorganisierende, Adaptive, Kontextsensitive verteilte Systeme, Bern, Switzerland, 2007.
Spalka, A.; Winandy, M.; Cremers, A.B.: Multilateral Security Considerations for Adaptive Mobile Applications. Proceedings of the 2nd International Conference on E-Business and Telecommunication Networks (ICETE 2005), 2005

Business Versus Scientific Workflows: A Comparative Study, Ustun Yildiz, Adnene Guabtni, Anne H.H. Ngu

Web page for Ustun Yildiz - decentralization, information flow, orchestration in mobile computing, synchronization,
Ustun Yildiz, Olivera Marjanovic, and Claude Godart, Contract driven cross-organizational business processes, in Proceedings of the Second International Conference on Information Management and Business, IMB (V. Khandelwal and M. S. Raisinghani, eds.), (Australia), pp. 120–130, Australian Computer Society, 2006. [Review here]
Web page for Adnene Guabtni - transactional behavior in business processes,
New research term: cooperative processes
"Sphere Based Isolation for Cooperative Processes" accepted to be published in JCST, international Journal of Computer Science and Technology, Springer
"A Dynamic Workflow Management System for Coordination of Cooperative Activities" DPM'06, 1st International Workshop on Dynamic Process Management, in conjunction with the Fourth International Conference on Business Process Management BPM'06, Vienna, Austria, September 4, 2006 In Proceedings of Business Process Management Wrokshops, Springer LNCS proceeding. (electronic copy)

Also interesting from the program was:

Genesis - Dynamic Collaborative Business Process Formulation based on Business Goals and Criteria, Ryan K. L. Ko, Andre Jusuf, S.G. Lee

Ryan K. L. Ko, Stephen S. G. Lee and E. W. Lee, “Business Process Management (BPM) Standards: A Survey” Business Process Management Journal, Emerald Publishing, Accepted on 2 December 2008. [To appear: Vol. 15 No. 5, 2009] [PDF] [Review here]

Self-healing papers of interest from SERVICES-I

2009-06-08T08:08:00.000-07:00

Right now we don't really have access to these papers so here are just some thoughts on their titles and possibly links to other research each author may have done.

A Semantic Repository for Adaptive Services, Yamine Ait-Ameur

Possible author webpage link but no listing of publications.
Interesting because title has both "Semantic Repository" and "Adaptive Services". Probably a ontology (OWL-S?) language on top of an existing service description language. Adaptive services could mean anything, but its probably tied down within the service logic itself.
LinkedIn profile page - they list their application domain as "engineering", interesting.

Using Stateful Activities to Facilitate Monitoring and Repair in Workflow Choreographies, J. Eder, J. Mangler, E. Mussi, B. Pernici

A link to Barbara Pernici on DBLP - lots of data papers, QoS
This paper is probably similar to the existing checkpoint approaches used in DBMS. I'm not exactly sure what a stateful activity is but BPEL provides a mechanism to describe a scope, which in my mind could be used to describe something called a stateful activity, or a transaction.

A Practical Framework of Realizing Actuators for Autonomous Fault Management in SOA, Hyun Jung La, Soo Dong Kim

DBLP link for Hyun Jung La - Lots of "dynamic composition" papers, adapting services, product line engineering
DBLP link for Soo Dong Kim - LOTS of publications: Software Reusability, Dyamic monitors, dynamic composition
I liked the concept of "Autonomos Fault Management", mostly because the term stratifies fault management into 2 categories, autonomous being pre-defined or setup so that it can occur without human interaction, and non-automonous being the types of fault handling that requires human interaction and guidance. I have no idea what "Realizing Actuators" introduces though.
I think I found their research group's webpage, but it doens't look like they upload pdfs of the papers.

Self-Diagnosis and Self-Regulation through Performance Monitoring and Tuning, A. Noui-Mehidi

LinkedIn profile page -
Self-tuning for optimization, the only other paper I read on this was to configure a workflow engine's number of threads at runtime. Would be interesting to see if there is anything else different than this, (service oriented), but probably not.

Enforcing User-Defined Management Logic in Large Scale Systems, Srinath Perera, Dennis Gannon

Srinath Perera's webpage
Dennis Gannon's webpage
User-defined management logic sounds exactly like what the preference entries in NeWT are doing. Another phrase for something that we're doing possibly?

Policy Calculus Research

2009-06-04T13:05:00.000-07:00

Goal: explore graph based approaches to security policy expression

We have looked at Lawrence Chung's work from UT Dallas before. He dealt with the concept of "satisfiable" using soft-graphs. These were based on analyzing the non-functional requirements of a software system. I need to go back and look through his work and summarize some notes about that here:

Looking at his website it does not look like he's published anything recently.

Searching through ACM and IEEE, here are some phrases that show up:

logical attack graphs
information flow violations
security policy reconciliation
security compilers
information security
enforcement
encoding

Terms that I've been searching for:

security policy graph
security policy language
security policy expression

Found this, its a silly name but could be interesting: Symposium On Usable Privacy and Security (SOUPS 2009)

Papers that might be interesting (going to try and move more interesting towards the top of the list):

A multi-layered security architecture for modelling complex systems
- interesting because we've done multi-layered approaches before
A graph-based formalism for RBAC
Dynamic graph-based software fingerprinting - title caught my eye but not a good fit
Security policies for downgrading - possibly a new type of policy and they'd have to express their policy somehow so I thought it'd be worth looking at, its not graph based but they seem to have a policy language
A graph based approach towards network forensic analysis - just network graphs with weights and fuzzy states, probably not what we're looking for
MAC and UML for secure software design - design time, mandatory access control, and a UML based approach
Formalizing information security knowledge - they use ontologys
An algebra for composing access control policies - its not a calculus but its math based...?
Automatic generation of model based tests for a class of security policies -
Policy expression and checking in XACML, WS-Policies, and the jABC - uses XACML and has graphs
A propositional policy algebra for access control -
When Role Models Have Flaws: Static Validation of Enterprise Security Policies -
Improving Secure Communication Policy Agreements by Building Coalitions -
Modeling Context-Based Security Policies with Contextual Graphs -
Context-Based Security Policies: A New Modeling Approach -
An Ontology-based Approach to the Formalization of Information Security Policies -

University of Texas at Dallas

2009-06-04T09:49:00.000-07:00

Going through the research conducted at University of Texas at Dallas to see if there is anything good. A lot of this is the work of Dr. Bhavani Thuraisingham.

The entire group is the CyberSecurity and Emergency Prepardness Institute.

Their lab is the Security Analysis and Information Assurance Laboratory (SAIAL). I've heard of Information Assurance before (thats what ISA is all about), but Security Analysis sounds like a distinct sub-field of Security. The SAIAL lab is tempest shielded which is pretty cool.

There is also the Cyber Security Research Center (CSRC). I'm not totally sure what the difference between these 3 things.

The word "policy" doesn't appear anywhere on their research area page. Lots of hardware stuff, Information Assurance stuff, vulnerability analysis/classification, and attack research. I do like the following quote from their Graph Theoretic Problems on Web Graphs research group:

Unfortunately, the typical sequence of “attack, detect, control, and recover” often results in major damages and high costs. This makes it imperative to develop methods that will protect computer systems (especially sensitive ones) from such attacks.

If anything, I like the point they're trying to make that existing approaches just don't cut it when the stakes are high and with modern complex networked systems. This leads in to our design-time-based-approaches.

Interesting researchers:

Wei-She - ERP Security
Srinivasan Iyer - Extended Role Based Access Control for ERP Security
Jianmin Zhu - Grid Security and web Services
Ashraful Alam - Secure geospatial web services
Pavan chitumalla - Geospatial data management for emergency preparedness

Possibly interesting papers based on titles (full publication list at DBLP is extensive):

Ashraful Alam, Ganesh Subbiah, Bhavani M. Thuraisingham, Latifur Khan: Reasoning with semantics-aware access control policies for geospatial web services. SWS 2006: 69-76 [review]
Bhavani M. Thuraisingham, Latifur Khan, Murat Kantarcioglu, Sonia Chib, Jiawei Han, Sang Son: Real-Time Knowledge Discovery and Dissemination for Intelligence Analysis. HICSS 2009: 1-12
Bhavani M. Thuraisingham, Murat Kantarcioglu, Latifur Khan: Building a Geosocial Semantic Web for Military Stabilization and Reconstruction Operations. PAISI 2009: 1
Pavan Kumar Chitumalla, Douglas Harris, Bhavani M. Thuraisingham, Latifur Khan: Emergency Response Applications: Dynamic Plume Modeling and Real-Time Routing. IEEE Internet Computing 12(1): 38-44 (2008)
Ernesto Damiani, Alban Gabillon, Anne Anderson, David Staggs, Bhavani M. Thuraisingham, Marianne Winslett: Directions and trends of XML and web service security. SWS 2006: 1-2

Baseline

2009-06-01T07:31:00.000-07:00

Baseline information that has been standardized for the delta-federation work and the policy calculus work:

Collected a lot of WS --- things. Standards? Policies? Languages?

Only found a few security related specifications. But I didn't look that hard yet.

I certainly need to find some way to organize this information and to bring out the useful parts. So for each baseline-candidate I want to know (a) what it specifies (b) how its specified (c) limitations?

What it specifies (and who claims to do it)

external visible behavior (WSCL) [phrasing attributed here]
observable behavior (WSCI?)
message exchange (WSCI)
message flow
capabilities (DAML-S)
conversations - DTDs, Interactions, Transitions (WSCL)
document type definitions (W3C?)
~~accessibility guidelines~~ (WCAG)
digital message format for alerts and notifications (CAP)
soap message security (WS-Security)

How it is specified (and who again)

Ontology (DAML-S)
XML-based language (WSCI)
XML syntax (WSCL, WS-Security)

How it is used

stored/registered in UDDI tModel entries (WSCL)

Current status of standards

Member submission (OWL-S)

Other misc notes:

DAML-S is now OWL-S

Agile software development and agility

2009-05-29T13:45:00.000-07:00

I'm trying to figure out if agility is different than agile software development. To be honest, I've heard ASWD tossed around before, and it has been used as a growing buzzword for a few years now. I still don't quite know what it is.

"Agile methods generally promote a disciplined project management process that encourages frequent inspection and adaptation, a leadership philosophy that encourages teamwork, self-organization and accountability, a set of engineering best practices that allow for rapid delivery of high-quality software, and a business approach that aligns development with customer needs and company goals." [Wikipedia]

My initial thoughts are that the concepts of agility are not necessarily the same as the principles behind agile software development. Agility to me seems to be a property, something that can be stated. ASWD seems to be a process, with methods, that can be applied as a strategy.

Where did ASWD come from? There is a manifesto for agile development back from 2001. Alister Cockburn has a book titled Agile Software Development from 2002 that is highly cited (draft version 3 available here) according to Google. It addresses communication and rules for successful projects.

So then, what is agility in a software product? According to the book, "an agile process is both light and sufficient". That definition is applied to the process, not the software itself. Their example is that a 40 person team is not as agile as a 6 person team, which makes sense. I think applying the term agile to the product itself leads into a lot of what SaaS and SOA is attempting to accomplish. But again, those are paradigms, processes, shifts in development strategies.

Reflections on Software Agility and Agile Methods: Challenges, Dilemmas, and the Way Ahead, by Linda Levine, compares ASWD with differing processes such as the Capability Maturity Model CMU and the Spiral loops from Barry Bohem. Even though the paper is talking about Software Agility, it still seems to be talking about the process of generating the software, not an aspect of the software itself. For agile software I keep thinking back to our computer security class here and the definition of "good software" which was high-cohesion, low-coupling, modular, etc. Do those properties overlap with what an agile component would possess? I think its the best start to defining an agile component (if such a definition doesn't already exist).

Also from wikipedia, is this section (currently marked for deletion citing a strong bias and weasel wording):

Proponents also argue that process-oriented methods, especially methods that rely on repeatable results and that incrementally reduce waste and process variation like Six Sigma, have a tendency to limit an organisation's adaptive capacity (their "slack"), making them less able to respond to discontinuous change - i.e., less agile. It is proposed that "agile", "lean" and "evolutionary" are strategies that need to be properly understood and appropriately applied to any specific context. That is, there is a time to be "agile", a time to be "lean" and a time to be "evolutionary." Some agilists agree with this position, promoting the concept of agile methods as one set of tools that should be available to managers for use in appropriate situations, not as one-size-fits-all methods that should be forced onto all organizations. [link]

Its interesting. From that viewpoint, we wouldn't want a system that is necessarily agile, or one that is evolutionary, but some type of hybrid. The reference for that entire section is:
"Managing Agile Projects." Ed. Kevin Aguanno. Oshawa, Ontario: Multi-Media Publications Inc., 2005. ISBN 1-895186-11-0.

---

You have to go to the aerospace industry before you see the term agility applied to a tangible product. The following is taken from "Flexibility in system design and implications for aerospace systems":

Agility is another term related to the ability to respond to change. It was first introduced in manufacturing environments then broadened to encompass the extended enterprise. It is often loosely defined, and used to characterize different things in a business environment. For instance, in Pathways to Agility, Oleson [12] describes “agile strategic planning processes”, “agile automation”, and discusses the need for “agile business relationships” with suppliers and customers. He defines agility as the “ability to respond with ease to unexpected but anticipated events”. Similarly, Fricke et al. [13] define agility as the “property of a system to implement changes rapidly”, and flexibility as the “property of a system to be changed easily and without undesired effects.” “Agility” is thus used as a desired qualitative attribute for an enterprise to thrive in a hyper-competitive environment. It is difficult however to see how the definitions of flexibility and agility provided by Fricke et al. [13] differ or overlap, and to grasp the concrete content of “agility”.

13. E. Fricke, A. Schulz, S. Wenzel, H. Negele, Design for changeability of integrated systems within a hyper-competitive environment, in: INCOSE Colorado 2000 Conference, Denver, March 2000.

Disasterhelp.gov | OPEN Special Interest Group (SIG)

2009-05-29T13:02:00.000-07:00

Disasterhelp.gov | OPEN Special Interest Group (SIG)

Via the OPEN email listserv:

As a matter of interest, I will be presenting a one hours web seminar covering the steps needed to build software that can create a HazCollect Message for transmission to the NWS via DM-OPEN to the DM-OPEN Special Interest Group (SIG) using Microsoft Live meeting on May 20, 2009 from Noon Eastern time. This presentation will be useful for developers and and project managers interested in building to the DM-OPEN Non-Weather Emergency Message interface in order to broadcast Alerts through NOAA Radio. It will describe identifiable milestones for developement, as well as the steps needed to get approval for customers to use a newly developed HazCollect alerting capability.

From the Disaster Management Interoperability Services DM-OPEN group, part of the OPEN Special Interest Group (SIG). I know its not directly related to our research, but it has some overlap with regards to the OPEN Web Services stuff, and in general the standardization of interoperability.

Notes: taylor slide on decentralization.pdf

2009-05-29T12:37:00.000-07:00

Unknown, just a single slide: "SOAs, Decentralization, and the Web"
Taylor (Institute for Software Research)

Notes: medvidovic ownership.pdf

2009-05-29T12:15:00.000-07:00

Source unknown, just one slide
N Medvidovic

Decentralized ownership

Thoughts from earlier about ownership: dFed participant vs. dFed provider.

The terminology here is complex and needs to be elegantly delivered otherwise it will be totally lost on the reader.

In my head dFed participants take part in the formulation of the dFed. That is, they select which providers to include, what the workflows are, what tasks and objectives are a priority. They choose the providers.

The dFed providers expose their services for inclusion in a workflow. Providers also have concerns for things like QoS and security and availability, but we refer to those as contracts to delineate the difference from the participant concerns. Contracts are enforceable (they are being adhered to or not), participant concerns may not be so clearcut.

With that mindset dFed participants own the federation, and dFed providers own the services. Of course there are exceptions. For example, a specific type of service may only be exposed to the dFed (its a secret or a time-sensitive service only available for a crisis). It's still owned by a specific provider, but its created for the dFed participants.