secure xml querying with security views
DESCRIPTION
Secure XML Querying with Security Views. Wenfei Fan University of Edinburgh & Bell Laboratories Chee-Yong Chan National University of Singapore Minos Garofalakis Bell Laboratories. The need for XML security. Data in XML format: Business information: confidential - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/1.jpg)
1
Secure XML Querying with Security Views
Wenfei Fan
University of Edinburgh & Bell Laboratories
Chee-Yong Chan
National University of Singapore
Minos Garofalakis
Bell Laboratories
![Page 2: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/2.jpg)
2
The need for XML security
Data in XML format: Business information: confidential Health-care data: Patient Privacy Act, …
Access control: multiple groups simultaneously query the same XML document each user group has a different access-control policy
Enforcement of access-control policies:
XML Query Engine
user group 1 user group n. . .inaccessibleaccessible
![Page 3: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/3.jpg)
3
Secure XML querying
For each user group of an XML document T, specify a access-control policy S, enforce S: for any query Q posted by the group over the
document T, Q(T) consists of only data accessible wrt S
Access control for XML: How to specify access policies at various levels of granularity? How to efficiently enforce those access policies?
XML Query Engine
user group
inaccessible
accessible
Q Q(T)
XML document T
![Page 4: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/4.jpg)
4
Example: an XML document of patients
Document DTD D hospital patient*
patient SSN, name, record*
record date, diagnosis, treatment
treatment (trial + regular)
trial trName, treatment*
regular tname, bill
*
treatment
tname
*
trial
trName
hospital
SSN
patient
name record*
diagnosisdate
regular
bill
DTD graph
Access-control policies over docs of D: Doctors in the hospital are granted
access to all the data in the docs Insurance company is allowed to
access billing information only
![Page 5: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/5.jpg)
5
Access-control policy for syndrome surveillance
patients: accessible to only those who are diagnosed to have a certain disease “DIS” (a constant)
records:
– only with diagnosis = “DIS”
– part of “DIS” records: date, diagnosis, treatment, tname
– denied from seeing whether a patient is in a clinical trail or not (trial, regular, trName)
– denied from accessing billing information
*
treatment
tname
*
trial
trName
hospital
SSN
patient
name record*
diagnosisdate
regular
bill
X
X X
X
![Page 6: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/6.jpg)
6
Challenge: Access-control specification
various levels of granularity: restricting access to entire subtrees or specific elements
conditional access: e.g., a patient is accessible if and only if it has a descendant diagnosis = “DIS”
overriding: e.g., tname overrides the accessibility of its parent regular
inheritance: e.g., SSN and name inherit the accessibility of patient
*
treatment
tname
*
trial
trName
hospital
SSN
patient
name record*
diagnosisdate
regular
bill
conditionally accessible
![Page 7: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/7.jpg)
7
Challenge: access-control enforcement
should not imply any drastic degradation in performance
Example: an XPath query Q posed by a syndrome surveillance group over a document T
//patient[name=`Joe’]//tname
access control requirement:
Q(T) {accessible tname}
enforcement: ensure that– all and only those Joe’s having a
descendant diagnosis = “DIS”, – all and only those records with
diagnosis = “DIS”
*
treatment
tname
*
trial
trName
hospital
SSN
patient
name record*
diagnosisdate
regular
bill
conditionally accessible
![Page 8: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/8.jpg)
8
Challenge: schema availability
One needs schema information to facilitate query formulation and optimization
How to define a schema (DTD) characterizing all and only the accessible information, without security breach?
How to automatically derive such a DTD from the document DTD and an access-control specification?
XML DTD is far more complicated than its relational counterpart – recursive, nondeterministic
*
treatment
tname
*
trial
trName
hospital
SSN
patient
name record*
diagnosisdate
regular
bill
conditionally accessible
![Page 9: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/9.jpg)
9
Previous proposals/standards for XML security
Dozens of models have been proposed for XML: XACML, XACL, …
Specifying and enforcing access-control at a physical level– annotate data nodes in an XML document with accessibility,
and check accessibility at runtime (with optimizations for tree-pattern queries and tree/DAG DTDs), or
– materialize a view consisting of accessible data
Problems:– costly (time, space): multiple accessibility annotations/views– error-prone: integrity maintenance becomes a problem when
the underlying data or access policy is updated
No support for schema availability: either deny access to any schema information, or expose the entire document DTD --
security breach
![Page 10: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/10.jpg)
10
A seemingly plausible model
annotate data nodes with accessibility check accessibility at runtime, and expose the document DTD D
Example: permissible XPath queries: Q1://patient[name=`Joe’]/record
/treatment/*/tname Q2://patient[name=`Joe’]/
record /treatment//tname
Security breach: from the document DTD it follows that if Q2(T) – Q1(T) is nonempty then Joe is involved in a clinical trial
*
treatment
tname
*
trial
trName
hospital
SSN
patient
name record*
diagnosisdate
regular
bill
![Page 11: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/11.jpg)
11
Our security model for XML
Security administrator: specifies a access-control policy for each group by extending the document DTD with XPath qualifiers
Derivation module: automatically derives a security-view definition from each policy: view DTD and mapping via XPath
Query translation module: rewrite and optimize queries over views to equivalent queries over the underlying document
XML document
specification 1
specification k
specification n
derivation module
Security view k(view DTD, xpath( ))
Security view n(view DTD, xpath( ))
Security view 1(view DTD, xpath( ))
query
Optimizer
Rewriter
query query
query translation module
![Page 12: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/12.jpg)
12
Overcome the limitations of previous proposals
Specification and enforcement: at the conceptual (schema) level– no need to update the underlying XML data – no need to materialize views or perform runtime check
Schema availability: view schema is automatically derived– characterizing accessible data – exposing necessary schema information only
XML document
specification 1
specification k
specification n
derivation module
Security view k(view DTD, xpath( ))
Security view n(view DTD, xpath( ))
Security view 1(view DTD, xpath( ))
query
Optimizer
Rewriter
query query
query translation module
![Page 13: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/13.jpg)
13
Access-control specification
DTD D : element type definitions A
::= PCDATA | | A1, …, Ak | A1 + … + Ak | A*
Specification S = (D, access( )): a mapping access( ) from the edges in the document DTD { Y, N, [q] }.
For each A , for each B in , define Access(A, B) as – Y: accessible (true)– N: inaccessible (false)– [q]: XPath qualifier, conditional: accessible iff [q] holds
XPath fragment:
p ::= | A | * | // | p/p | p p | p[q]
q ::= p | p = “c” | q1 q2 | q1 q2 | q
Access policy Document DTD
= + XPath qualifiers
![Page 14: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/14.jpg)
14
Example: access policy S for syndrome surveillance
access(hospital, patient) = [//diagnose = “DIS”] -- [q1]
access(patient, record) = [diagnose = “DIS”] -- [q2]
access(treatment, trial) = N
access(treatment, regular) = N
access(regular, tname) = Y
conditionally accessible
overriding: if access(A, B) = Y (N), then the B children of A override the accessibility of A
inheritance: if access(A, B) is not explicitly defined, then the B children of A inherit the accessibility of A
content-based: conditional accessibility via XPath qualifiers
*
treatment
tname
*
trial
trName
hospital
SSN
patient
name record*
diagnosisdate
regular
bill
[q1]
[q2]
![Page 15: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/15.jpg)
15
Properties of the specification language
XML tree of the document DTD: the accessibility of each data node is uniquely defined by an access specification– relative to the path from root– a qualifier at a node a
constrains the entire subtree rooted at a,
e.g., [q2] constrains tname various levels of granularity: entire
subtrees or specific elements schema level: the underlying XML
data is not touched; efficient, easy to specify and maintain
conditionally accessible
*
treatment
tname
*
trial
trName
hospital
SSN
patient
name record*
diagnosisdate
regular
bill
[q1]
[q2]
![Page 16: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/16.jpg)
16
Enforce access control – security views
XML security view: = (Dv, xpath( )) with respect to an access policy S = (D, access( )),
Dv: view DTD, exposed to the user and characterizing the accessible information (of document DTD D) wrt S
Schema availability: to facilitate query formulation xpath( ): mapping from instances of D to instances of Dv
defined in terms of XPath queries and view DTD Dv
– for each A in Dv, for each B in , xpath(A, B) = p
– p: generates B children of an A element in a view
p ::= | A | * | // | p/p | p p | p[q]
q ::= p | p = “c” | q1 q2 | q1 q2 | q
![Page 17: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/17.jpg)
17
Example: view DTD for syndrome surveillance
= (Dv, xpath( )) with respect to access policy S = (D, access( ))
*
treatment
tname*
hospital
SSN
patient
name record*
diagnosisdate
Document DTD D
View DTD Dv
Hide trial, trName, regular, bill Expose accessible information
only
*
treatment
tname
*
trial
trName
hospital
SSN
patient
name record*
diagnosisdate
regular
bill
[q1]
[q2]
![Page 18: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/18.jpg)
18
Example: view definition for syndrome surveillance
xpath( ): maps edges in view DTD Dv to paths in document DTD D
hospital patient*
xpath(hospital,patient) = hospital/patient [q1][q1]: [//diagnose=“DIS”]
semantics:• top-down construction• preserving qualifiers in a
specification
patient patient patient patient
hospital
SSN recordname patient SSN, name, record*
xpath(patient, SSN) = SSN, /* name */
xpath(patient, record) = record [q2]
[q2]: [diagnose=“DIS”]
![Page 19: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/19.jpg)
19
DTD-directed construction of security views
record date, diagnosis, treatment
xpath(record, date) = date
/* diagnosis, treatment */ patient patient patient patient
hospital
treatment tname*
xpath(treatment, tname) = //tname
DTD-directed construction
view DTD conformance Never materialized
the construction strategy is just to give the semantics
SSN recordname
date treatmentdiagnosis
tnametreatment
tname
*
trial
trName
regular
bill
tname
![Page 20: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/20.jpg)
20
Derivation of security-view definition
XML security views are far more intriguing than relational views multiple XPath queries vs. a single SQL query DTD vs. relational schema
One needs an algorithm to compute a security-view definition: Input: an access policy S = (D, access( )) Output: a security-view definition = (Dv, xpath( ))
– sound: accessible information only
– complete: all the accessible data (structure preserving)
– DTD-conformant: conforming to the view DTD
efficient: O(|S|2) time generic: recursive/nondeterministic document DTDs
![Page 21: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/21.jpg)
21
Algorithm: deriving a security-view definition
Top-down traversal of the document DTD D short-cutting/renaming (via dummy) inaccessible element types normalizing the view DTD Dv and reducing dummy types
*
hospital
patient*
hospital
patient [q1]
xpath(hospital,patient) = hospital/patient[q1]
SSN name record
*SSN name record
*[q2]
xpath(patient, record) = record[q2]
treatmentdiagnosisdatetreatment
diagnosisdate
xpath(record, treatment) = treatment
![Page 22: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/22.jpg)
22
deriving a security-view definition
recursive and non-deterministic productions
xpath(treatment, dummy2) = regular xpath(treatment, dummy1) = trail
treatment
tname*
treatment
tname*
dummy1
trName
regular
bill
dummy2trial
reducing dummy element types:
(dummy1/treatment)* / dummy2 / tname dummy2/tname)
(dummy1/treatment)* / dummy2 / tname tname*
xpath(treatment, tname) = //tname
treatment
tname*
![Page 23: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/23.jpg)
23
Enforce access control via query rewriting
security views are virtual: not materialized Efficiency: no extra costs to support multiple security views over
the same large document simultaneously Consistency/integrity: updating the underlying data introduces
no difficulties/overhead
XML document
Security view k(view DTD, xpath( ))
query
Optimizer
Rewriter
query translation module
Query translation: one needs an efficient algorithm to rewrite queries over a security view to equivalent and efficient queries over the underlying document
![Page 24: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/24.jpg)
24
algorithm rewrite
Input: = (Dv, xpath( )) (security view wrt S = (D, access( ))),
and – an XPath query Qv over the view (Dv)
Output: an equivalent XPath query Qt over the document– for any XML document T of D, Qt(T) = Qv((T))
Dynamic programming:
for any subquery Qv’ of Qv, any node A in view-DTD graph Dv
rewrite Qv’ at A by incorporating xpath(A, _) Qt’ (A)
efficient: O(|Qv| | |2 ) time a practical class of XPath (with union, descendant, qualifiers)
vs. tree-pattern queries studied in previous security models
![Page 25: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/25.jpg)
25
Example: query rewriting for syndrome surveillance
Qv = // patient[name=“Joe”] // tname over the view*
treatment
tname*
hospital
SSN
patient
name record*
diagnosisdate
xpath(hospital, patient) [name = “Joe”] /xpath(patient, record) /
xpath(record,treatment) /
xpath(treatment, tname)
*
treatment
tname*
trial
trName
hospital
SSN
patient
name record*
diagnosisdate
regular
bill
[q1]
[q2] Qt = /hospital/patient[name = “Joe” and //diagnosis = “DIS”] /record[diagnosis = “DIS”] /treatment // tname equivalent query over document
![Page 26: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/26.jpg)
26
Query optimization with structural constraints
Optimize Qt = rewrite(, Qv) by leveraging the document DTD D
Q = A[B] // E[F] //H A [B and C] // H // F[G] / H
Q’ = A /B / E / F / H
A
B C
E
GF
H
DTD graph
disjunction: exclusive constraints
A [B and C] empty-set
exclusive constraint: an A element cannot have both B and C children at the same time
conjunction: existence (nonexistence)constraints
// F[G] / H empty-set
non-existence constraint: a F element does not have a G child
A[B] // E[F] // H A /B / E / F / H
exclusive constraint: B and C do not coexist under an A element
![Page 27: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/27.jpg)
27
Example: heuristic for XPath containment
Q = // *[C] //E // E Q’ = A /B / E Q1 Q2 Q2 if Q1 Q2
// *[C] //E // E // E A /B / E
A
B
C E
DTD graph
*heuristic for XPath containment (NP-hard for
small fragments in the presence of DTDs) image graph: evaluation of sub-queries over
DTD graph containment test: extension of simulation
– Q1 Q2 if image(Q1) is simulated by image(Q2)
– qualifiers: inverse simulation effective: preliminary experimental study (speedup up to a factor of 2)
A
B
[C] E
image graphfor // *[C] //E
A
B
E
image graphfor // E
![Page 28: Secure XML Querying with Security Views](https://reader035.vdocument.in/reader035/viewer/2022062314/5681329c550346895d993b05/html5/thumbnails/28.jpg)
28
Summary
security views: the first model for specifying/enforcing XML
security at a schema level and providing schema availability – a fine-grained access-control specification language– an effective enforcement framework via security views
• view DTD: characterizing accessible information• algorithm for deriving security-view definitions
• algorithms for query rewriting/optimization: no need to
materialize views or to perform runtime security checks future work:
– reasoning about security views (soundness, completeness, DTD conformance – subsume XPath satisfiability with DTDs)
– inference control in the presence of external knowledge
A practical solution for securing XML querying