This Article 
 Bibliographic References 
 Add to: 
Secure Abstraction Views for Scientific Workflow Provenance Querying
October-December 2010 (vol. 3 no. 4)
pp. 322-337
Artem Chebotko, University of Texas - Pan American, Edinburg
Shiyong Lu, Wayne State University, Detroit
Seunghan Chang, Wayne State University, Detroit
Farshad Fotouhi, Wayne State University, Detroit
Ping Yang, Binghamton University, Binghamton
Provenance has become increasingly important in scientific workflows and services computing to capture the derivation history of a data product, including the original data sources, intermediate data products, and the steps that were applied to produce the data product. In many cases, both scientific results and the used protocol are sensitive and effective access control mechanisms are essential to protect their confidentiality. In this paper, we propose: 1) a formal scientific workflow provenance model as the basis for querying and access control for workflow provenance; 2) a security model for fine-grained access control for multilevel provenance and an algorithm for the derivation of a full security specification based on inheritance, overriding, and conflict resolution; 3) a formalization of the notion of security views and an algorithm for security view derivation; and 4) a formalization of the notion of secure abstraction views and an algorithm for its computation. A prototype called SecProv has been developed, and experiments show the effectiveness and efficiency of our approach.

[1] L. Zhang, J. Zhang, and H. Cai, Services Computing. Springer-Verlag, 2007.
[2] Y. Simmhan, B. Plale, and D. Gannon, "Karma2: Provenance Management for Data-Driven Workflows," Int'l J. Web Services Research, vol. 5, no. 2, pp. 1-22, 2008.
[3] W.T. Tsai, X. Wei, Y. Chen, R.A. Paul, J.Y. Chung, and D. Zhang, "Data Provenance in SOA: Security, Reliability, and Integrity," Service Oriented Computing and Applications, vol. 1, no. 4, pp. 223-247, 2007.
[4] Y. Simmhan, B. Plale, and D. Gannon, "A Survey of Data Provenance in E-Science," SIGMOD Record, vol. 34, no. 3, pp. 31-36, 2005.
[5] R. Bose and J. Frew, "Lineage Retrieval for Scientific Data Processing: A Survey," ACM Computer Surveys, vol. 37, no. 1, pp. 1-28, 2005.
[6] S. Miles, P.T. Groth, M. Branco, and L. Moreau, "The Requirements of Using Provenance in E-Science Experiments," J. Grid Computing, vol. 5, no. 1, pp. 1-25, 2007.
[7] V. Atluri and J. Warner, "Security for Workflow Systems," Handbook of Database Security Applications and Trends, pp. 213-230, Springer, 2007.
[8] R.A. Botha and J.H.P. Eloff, "Separation of Duties for Access Control Enforcement in Workflow Environments," End-to-End Security, vol. 40, no. 3, pp. 666-682, 2001.
[9] "Workflow Security Considerations," White Paper wFMC-TC-1019, Workflow Management Coalition, Feb. 1998.
[10] J. Alhiyafi, C. Sabesan, S. Lu, and J.L. Ram, "RECOMBFLOW: A Scientific Workflow Environment for Intragenomic Gene Conversion Analysis in Bacterial Genomes, Including the Pathogen Streptococcus Pyogenes," Int'l J. Bioinformatics Research and Applications, vol. 5, no. 1, pp. 1-19, 2009.
[11] R. Martinho, D. Domingos, and A. Rito-Silvas, "Supporting Authentication Requirements in Workflows," Proc. Eighth Int'l Conf. Enterprise Information Systems: Databases and Information Systems Integration, pp. 181-188, 2006.
[12] J. Warner and V. Atluri, "Inter-Instance Authorization Constraints for Secure Workflow Management," Proc. 11th ACM Symp. Access Control Models and Technologies, pp. 190-199, 2006.
[13] W. Huang and V. Atluri, "Analysing the Safety of Workflow Authorization Models," Proc. IFIP TC11 WG 11.3 12th Int'l Working Conf. Database Security XII, pp. 43-57, 1999.
[14] S. Wu, A. Sheth, J. Miller, and Z. Luo, "Authorization and Access Control of Application Data in Workflow Systems," J. Intelligent Information Systems, vol. 18, no. 1, pp. 71-94, 2002.
[15] P. Hung and K. Karlapalem, "A Secure Workflow Model," Proc. Australasian Information Security Workshop Conf. ACSW Frontiers, 2003.
[16] S. Kandala and R. Sandhu, "Secure Role-Based Workflow Models," Proc. 15th Ann. Working Conf. Database and Application Security, pp. 45-58, 2001.
[17] V. Atluri, W. Huang, and E. Bertino, "A Semantic-Based Execution Model for Multilevel Secure Workflows," J. Computer Security, vol. 8, no. 1, pp. 3-41, 2000.
[18] E. Bertino, E. Ferrari, and V. Atluri, "The Specification and Enforcement of Authorization Constraints in Workflow Management Systems," ACM Trans. Information and System Security, vol. 2, no. 1, pp. 65-104, 1999.
[19] J. Wainer, P. Barthelmess, and A. Kumar, "W_RBAC—A Workflow Security Model Incorporating Controlled Overriding of Constraints," Int'l J. Cooperative Information Systems, vol. 12, no. 4, pp. 455-485, 2003.
[20] H. Davulcu, M. Kifer, L. Pokorny, C. Ramakrishnan, I. Ramakrishnan, and S. Dawson, "Modeling and Analysis of Interactions in Virtual Enterprises," Proc. Ninth Int'l Workshop Research Issues on Data Eng., 1999.
[21] R. Sandhu, E. Coyne, H. Feinstein, and C. Youman, "Role-Based Access Control Models," Computer, vol. 29, no. 2, pp. 38-47, Feb. 1996.
[22] M. Kang, J. Park, and J. Froscher, "Access Control Mechanisms for Inter-Organizational Workflow," Proc. Sixth ACM Symp. Access Control Models and Technologies, pp. 66-74, 2001.
[23] E. Gudes, M. Olivier, and R. Riet, "Modelling, Specifying and Implementing Workflow Security in Cyberspace," J. Computer Security, vol. 7, no. 4, pp. 287-315, 1999.
[24] W. Huang and V. Atluri, "SecureFlow: A Secure Web-Enabled Workflow Management System," Proc. Fourth ACM Workshop Role-Based Access Control, pp. 83-94, 1999.
[25] D. Long, J. Baker, and F. Fung, "A Prototype Secure Workflow Server," Proc. 15th Ann. Computer Security Applications Conf., pp. 129-133, 1999.
[26] M. zur Muehlen and M. Rosemann, "Workflow-Based Process Monitoring and Controlling—Technical and Organizational Issues," Proc. 33rd Ann. Hawaii Int'l Conf. System Sciences, 2000.
[27] H. Chivers and J. McDermid, "Refactoring Service-Based Systems: How to Avoid Trusting a Workflow Service," Concurrency and Computation: Practice and Experience, vol. 18, no. 10, pp. 1255-1275, 2006.
[28] B. Ludäscher, I. Altintas, C. Berkley, D. Higgins, E. Jaeger, M. Jones, E.A. Lee, J. Tao, and Y. Zhao, "Scientific Workflow Management and the Kepler System," Concurrency and Computation: Practice and Experience, vol. 18, no. 10, pp. 1039-1065, 2006.
[29] T.M. Oinn et al., "Taverna: Lessons in Creating a Workflow Environment for the Life Sciences," Concurrency and Computation: Practice and Experience, vol. 18, no. 10, pp. 1067-1100, 2006.
[30] J. Freire, C.T. Silva, S.P. Callahan, E. Santos, C.E. Scheidegger, and H.T. Vo, "Managing Rapidly-Evolving Scientific Workflows," Proc. Int'l Provenance and Annotation Workshop (IPAW), 2006.
[31] E. Deelman, G. Singh, M.-H. Su, J. Blythe, Y. Gil, C. Kesselman, G. Mehta, K. Vahi, G.B. Berriman, J. Good, A. Laity, J.C. Jacob, and D.S. Katz, "Pegasus: A Framework for Mapping Complex Scientific Workflows onto Distributed Systems," Scientific Programming J., vol. 13, no. 3, pp. 219-237, 2005.
[32] Y. Zhao, M. Hategan, B. Clifford, I. Foster, G. von Laszewski, I. Raicu, T. Stef-Praun, and M. Wilde, "Swift: Fast, Reliable, Loosely Coupled Parallel Computation," Proc. Int'l Workshop Scientific Workflows (SWF) in conjunction with Int'l Conf. Services Computing (SCC), 2007.
[33] "The Provenance Challenge Series," , 2010.
[34] V. Tan, P. Groth, S. Miles, S. Jiang, S. Munroe, S. Tsasakou, and L. Moreau, "Security Issues in a SOA-Based Provenance System," Proc. Third Int'l Provenance and Annotation Workshop, 2006.
[35] U. Braun and A. Shinna, "A Security Model for Provenance," Technical Report TR-04-06, Harvard Univ., Jan. 2006.
[36] S.B. Davidson and J. Freire, "Provenance and Scientific Workflows: Challenges and Opportunities," Proc. SIGMOD, pp. 1345-1350, 2008.
[37] W. van der Aalst, "Inheritance of Interorganizational Workflows: How to Agree or Disagree without Loosing Control?" Information Technology and Management J., vol. 2, no. 3, pp. 195-231, 2002.
[38] C. Lin, S. Lu, X. Fei, D. Pai, and J. Hua, "A Task Abstraction and Mapping Approach to the Shimming Problem in Scientific Workflows," Proc. Int'l Conf. Services Computing (SCC), pp. 284-291, 2009.
[39] A. Michlmayr, F. Rosenberg, P. Leitner, and S. Dustdar, "Service Provenance in QoS-Aware Web Service Runtimes," Proc. Int'l Conf. Web Services (ICWS), pp. 115-122, 2009.
[40] K. Xu, Y. Wang, and C. Wu, "Service Provenance Based Abstraction of Grid Application Knowledge," Proc. Second Int'l Conf. Semantics, Knowledge, and Grid, pp. 50-53, 2006.
[41] P.T. Groth, S. Miles, and L. Moreau, "A Model of Process Documentation to Determine Provenance in Mash-Ups," ACM Trans. Internet Technology, vol. 9, no. 1, 2009.
[42] Provenance Aware Service Oriented Architecture (PASOA) Project, http:/, 2010.
[43] W.T. Tsai, X. Wei, D. Zhang, R. Paul, Y. Chen, and J.Y. Chung, "A New SOA Data-Provenance Framework," Proc. Eighth Int'l Symp. Autonomous Decentralized Systems, pp. 105-112, 2007.
[44] S.M.S. Cruz, P.M. Barros, P.M. Bisch, M.L.M. Campos, and M. Mattoso, "Provenance Services for Distributed Workflows," Proc. Int'l Symp. Cluster Computing and the Grid (CCGRID), pp. 526-533, 2008.
[45] C. Lin, S. Lu, X. Fei, A. Chebotko, D. Pai, Z. Lai, F. Fotouhi, and J. Hua, "A Reference Architecture for Scientific Workflow Management Systems and the VIEW SOA Solution," IEEE Trans. Services Computing, vol. 2, no. 1, pp. 79-92, Jan.-Mar. 2009.
[46] P. Groth, S. Miles, W. Fang, S.C. Wong, K.-P. Zauner, and L. Moreau, "Recording and Using Provenance in a Protein Compressibility Experiment," Proc. Int'l Symp. High Performance Distributed Computing (HPDC), 2005.
[47] P. Groth, S. Jiang, S. Miles, S. Munroe, V. Tan, S. Tsasakou, and L. Moreau, "An Architecture for Provenance Systems Executive Summary," technical report, Univ. of Southampton, Feb. 2006.
[48] A. Chebotko, S. Lu, X. Fei, and F. Fotouhi, "RDFProv: A Relational RDF Store for Querying and Managing Scientific Workflow Provenance," to be published in Data and Knowledge Eng., vol. 69, no. 8, pp. 836-865, 2010.
[49] Open Provenance Model, http:/, 2010.
[50] O. Biton, S. Cohen-Boulakia, S. Davidson, and C. Hara, "Querying and Managing Provenance through User Views in Scientific Workflows," Proc. 24th IEEE Int'l Conf. Data Eng. (ICDE), pp. 1072-1081, 2008.
[51] O. Biton, S.B. Davidson, S. Khanna, and S. Roy, "Optimizing User Views for Workflows," Proc. 12th Int'l Conf. Database Theory (ICDT), pp. 310-323, 2009.
[52] M. Kifer, A. Bernstein, and P.M. Lewis, Database Systems: An Application Oriented Approach. Addison-Wesley, 2006.
[53] R. Elmasri and S.B. Navathe, Fundamentals of Database Systems. Addison-Wesley, 2004.
[54] A. Chebotko, S. Chang, S. Lu, F. Fotouhi, and P. Yang, "Scientific Workflow Provenance Querying with Security Views," Proc. Int'l Conf. Web-Age Information Management, pp. 349-356, 2008.
[55] R.S. Sandhu and Q. Munawer, "The ARBAC99 Model for Administration of Roles," Proc. 15th Ann. Computer Security Applications Conference (ACSAC), pp. 229-238, 1999.
[56] S. Oh and R.S. Sandhu, "A Model for Role Administration Using Organization Structure," Proc. Seventh ACM Symp. Access Control Models and Technologies, pp. 155-162, 2002.
[57] J. Crampton and G. Loizou, "Administrative Scope: A Foundation for Role-Based Administrative Models," ACM Trans. Information and System Security, vol. 6, no. 2, pp. 201-231, 2003.
[58] SecProv, , 2010.
[59] J. Wei, L. Singaravelu, and C. Pu, "Guarding Sensitive Information Streams through the Jungle of Composite Web Services," Proc. Int'l Conf. Web Services (ICWS), pp. 455-462, 2007.
[60] N. Russell, A. ter Hofstede, D. Edmond, and W. van der Aalst, "Workflow Data Patterns," Technical Report FIT-TR-2004-01, Queensland Univ. of Tech nology, 2004.
[61] E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, and P. Samarati, "A Fine-Grained Access Control System for XML Documents," ACM Trans. Information and System Security, vol. 5, no. 2, pp. 169-202, 2002.

Index Terms:
Scientific workflows, provenance, access control, security, abstraction, secure querying.
Artem Chebotko, Shiyong Lu, Seunghan Chang, Farshad Fotouhi, Ping Yang, "Secure Abstraction Views for Scientific Workflow Provenance Querying," IEEE Transactions on Services Computing, vol. 3, no. 4, pp. 322-337, Oct.-Dec. 2010, doi:10.1109/TSC.2010.38
Usage of this product signifies your acceptance of the Terms of Use.