XML Access Control, Koukis Dimitris, Padeleris Pashalis


Upload: osborne-davis

Post on 13-Dec-2015


TRANSCRIPT

  • Slide 1: XML Access Control
Koukis Dimitris, Padeleris Pashalis

  • Slide 2: Presentation Overview
Access control: definition and implementation problems
General ideas for access control
Two implementations: ACP, XACL
A size reduction method

  • Slide 3: Why do we need Access Control in XML Documents?
It provides a way to give privileges specific to:
  users and user groups
  locations
  symbolic names (e.g. domains)
It defines privileges for every object and group of objects in XML.

  • Slide 4: Implementation Problems
Storing and transmitting over a network all the access control data of a single object can introduce a serious overhead.
Parsing the access control data and taking decisions needs a lot of computing power.

  • Slide 5: Implementation Problems (cont.)
There is more than one policy and conflict resolution implementation, each with its advantages and disadvantages.
Deciding on the most powerful privilege when there is more than one.
Default decisions when conflict resolution fails.
Current implementations do not provide a well-defined access control model.

  • Slide 6: General Ideas of Access Control Implementations
User access data can be stored inside the XML document:
  The DTD of the document provides the syntax for the access information.
  The XML parser must understand the meaning of the access data.

  • Slide 7: General Ideas of Access Control Implementations (cont.)
User access data can be stored in a separate file associated with the XML document:
  The file can be parsed by a separate parser.
  The file has a predefined syntax.

  • Slide 8: ACP: An XML Access Control Implementation

  • Slide 9: ACP: An XML Access Control Implementation
Provides an implementation that solves some of the previously mentioned problems.
Uses the idea of a separate file for the access data; this file is called the XML Access Sheet, or XAS.
Defines a syntax for the XAS.
Supports one XAS for the DTD and another for the document.
Supports user, group, location and domain access control.

  • Slide 10: Syntax of the XAS (subject, object, action, sign, type)
Subject: a tuple with the information of the user (user/group, location, symbolic name).
  User/group is defined as a DAG with the public group as the source and the user names as the sinks.
  Location is defined by an IP address.
  Symbolic name is defined by a domain name.

  • Slide 11: Syntax of the XAS (subject, object, action, sign, type)
Object: an XPath expression that points to an object or a set of objects in the XML document. The action is granted or denied to this object.

  • Slide 12: Syntax of the XAS (subject, object, action, sign, type)
Action: read, write, delete, insert, etc.
  Only read is well defined in ACP.
  Read is the most common case in XML documents.
  Write and other actions can be supported by extending the read model.

  • Slide 13: Syntax of the XAS (subject, object, action, sign, type)
Sign (+/-): grant or deny the action.

  • Slide 14: Syntax of the XAS (subject, object, action, sign, type)
Type: defines the strength of the tuple: whether it is recursive or local, and whether it is overridden by another tuple.
Values in descending strength: LDH, RDH, L, RL, LD, RD, LS, RS

  • Slide 15: A closer look at type
ACP specifies that:
  Instance-level privileges are stronger than DTD-level privileges.
  Local (object-specific) privileges are stronger than recursive ones.
  You can override the Instance > DTD order by defining a Soft or a Hard type.

  • Slide 16: Type and Conflict Resolution
Type provides a way to identify which policy is the correct one for an XML object.
The default policy used for ACP:
  Local > Recursive
  Instance-level XAS > DTD-level XAS
  Hard keyword > (no keyword) > Soft keyword
The policy can be changed without affecting the rest of the model.
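As an added example (not code from the slides or from ACP itself), the following Python sketch evaluates XAS tuples in the (subject, object, action, sign, type) form of slides 10 to 14 over a small document: initial labels from the matching tuples, conflict resolution by the slide-14 type order, parent-to-child propagation for recursive types, and pruning, i.e. the four compute-view steps the deck presents on slide 20. Assumptions: ElementTree paths stand in for XPath, the user/group DAG is reduced to Public matching every user, the DTD-level and instance-level sheets are merged into one list, and an ancestor of a permitted node is kept as bare structure.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Type strength in descending order, exactly as listed on slide 14.
STRENGTH = ["LDH", "RDH", "L", "RL", "LD", "RD", "LS", "RS"]

# Constructed XAS tuples (subject, object, action, sign, type). Subject is
# (user/group, location, domain); '*' matches anything; object is an ElementTree path.
XAS = [
    (("Public", "*", "*.ics.forth.gr"), ".//name", "Read", "+", "L"),
    (("Nick", "139.91.157.52", "*"), ".//name", "Read", "-", "RDH"),
]
DOC = ("<department><name>CSD</name>"  # constructed department.xml
       "<staff><name>George</name><room>B1</room></staff></department>")

def subject_matches(subj, user, ip, domain):
    # Public is the source of the user/group DAG, so it matches every user.
    return (subj[0] in ("Public", user) and subj[1] in ("*", ip)
            and fnmatch.fnmatch(domain, subj[2]))

def compute_view(xml, xas, user, ip, domain, action="Read"):
    root = ET.fromstring(xml)
    # 1. Initial label: attach every matching tuple to the nodes it selects.
    initial = {}
    for subj, obj, act, sign, typ in xas:
        if act == action and subject_matches(subj, user, ip, domain):
            for node in root.findall(obj):
                initial.setdefault(node, []).append((STRENGTH.index(typ), sign))
    # 2. Set label: on a conflict the strongest type wins.
    label = {n: min(ts) for n, ts in initial.items()}
    # 3. Final label: recursive (R*) tuples propagate parent -> child.
    final = {}
    def walk(node, inherited):
        own = label.get(node)
        final[node] = own[1] if own else inherited
        passed = own[1] if own and STRENGTH[own[0]].startswith("R") else inherited
        for child in node:
            walk(child, passed)
    walk(root, None)
    # 4. Prune: drop every node not labelled '+'. Assumption: an ancestor of a
    #    kept node survives as bare structure so the path to it is preserved.
    def prune(node):
        for child in list(node):
            if not prune(child):
                node.remove(child)
        if final[node] == "+":
            return True
        node.text = None
        return len(node) > 0
    return root if prune(root) else None   # None: nothing is readable
```

With these two tuples, anyone connecting from *.ics.forth.gr sees only the name elements, while Nick from 139.91.157.52 gets an empty view because RDH outranks L.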
Slide 17 Example of a XAS Tuple (Subject, Object, Action, Sign, Type) (group/user, location, domain)Grand/DenyRead/Write etc.Xpath QueryLDH, RDH, L, etc Public,*,*.ics.forth.gr/department//nameRead+L Nick, 139.91.157.52,*/department//nameRead-RDH RDH is Stronger than L so Nick cannot read the names Slide 18 Example of a XAS file,department.xml:/department//name,Read,+,L>,dtd.xml:/department//name,Read,-,RDH> XAS entries: CSD George All fields in an XML document XML document: Result: All users from domain name *.ics.forth.gr except Nick when connected from location 139.91.157.52 can read the field of the departmant.xml document Slide 19 The ACP computations cycle Compute View Algorithm XAS XML document DTD parsing DOM tree loosening Loose DTD User Request unpacking transformed XML document Slide 20 Compute View Algorithm Input DOM tree of the document View request Returns DOM tree for the requested view that complies with the subjects permissions Four steps 1. Initial Label sets the access labels on DOM tree 2. Set Label applies the access policy 3. Get Final Label propagates the privileges from parent to child 4. 
Prune removes all tree nodes except of those signed + Slide 21 The ACP computations cycle Compute View Algorithm XAS XML document DTD parsing DOM tree loosening Loose DTD User Request unpacking transformed XML document Slide 22 XML Access Control Language Slide 23 Improves semantics of ACP Defines policy also for updates ( write / delete ) Access information are stored at DTD or instance level Same functioning as ACP Slide 24 XACL tuple syntax (Subject, Object, Action, Conditions) Slide 25 XACL tuple syntax (cont) (Subject, Object, Action, Conditions) Subject represent user/initiator Contains uid role group Slide 26 XACL tuple syntax (cont) (Subject, Object, Action, Conditions) Describes the element or set of elements in XML Document Identified by XPath expressions Slide 27 XACL tuple syntax (cont) (Subject, Object, Action, Conditions) Specifies if action is granted or denied read / write / create / delete Also can contain a provisional action Executed before or after specific action Success of failure i.e. log, encrypt Slide 28 XACL tuple syntax (cont) (Subject, Object, Action, Conditions) Represents an logical expression that should be true in order action to be granted Example : User can access specific data before 23/4/1998 before Today 23/4/1998 Slide 29 XACL Policy The policy element represents the way access is computed Specify propagation No Up Down Specify conflict resolution Denial Grant Nothing Default policy Slide 30 XACL Example Alice 123456789 Alice Slide 31 Access Evaluation Access evaluator takes an access request Initiator must provide subject, object, action Two types : Query vs Execution Produces an decision Contains results for each action in request Slide 32 Access Evaluation Algorithm 1. Matching 1. Conflict resolution 2. Propagation 3. Apply Default Policy 4. Select only one decision 5. Request Execution Slide 33 Access Evaluation Example Alice Alice Slide 34 ACP vs. XACL ACP Provides an external file for the access control data. 
  Access control data can refer to the DTD or the XML document.
  Predefines the syntax of the XAS.
  Only read operations are completely defined in the ACP model.
  Flexible policy model, easily reformed.
  Policy resolution based on the type of each XML tuple.

  • Slide 35: ACP vs. XACL (cont.)
XACL:
  Access control data stored inside the XML document.
  Access control data in XML format.
  DTD definition of the access control data (policy block) required.
  The XML parser must understand the meaning of the policy block.
  Read, write, delete, etc. operations are fully supported by the model.
  Provisional actions are supported.
  The policy resolution method is defined for each document inside the policy block.

  • Slide 36: ACP vs. XACL
XACL is better defined and more flexible than ACP.
More functionality is provided without introducing external files.
XACL uses XML to define everything, while ACP predefines the syntax of the XAS.
More flexible policy resolution.

  • Slide 37: Compressed Accessibility Map

  • Slide 38: CAM: Problem Definition
Efficiently evaluating a stated access control policy over XML documents requires a large amount of space!
Proposed solution: Compressed Accessibility Map, with a lookup algorithm. Key: locality.

  • Slide 39: Accessibility Map, CAM
Accessibility map: a projection of the XML document tree for each user, consisting of the accessible nodes; different types of access.
CAM: exploits structural locality; keeps only crucial nodes.

  • Slide 40: Locality
Data items grouped together have similar accessibility properties on a per-user basis.
Find regions of uniform accessibility of descendants.
A node's label represents accessibility for:
  the node itself: s (s+, s-)
  its descendants: d (d+, d-)

  • Slide 41: Accessible Node
Induced label of a node:
  1. The label of the node.
  2. If an ancestor is (d+,s+) then (d+,s+).
  3. If an ancestor is (d-,s-) then (d-,s-).
  4. If an ancestor is (d-,s+) then:
    1. if a descendant is (d-,s+) or (d+,s+) then (d-,s+);
    2. else (d-,s-).
  5. If there is no labeled ancestor then undefined.

  • Slide 42: Accessible Node (cont'd)
In the previous definition, the ancestor and descendant labels must be original, not induced.
A node is accessible if:
  it has an induced label (d+,s+) or (d-,s+), or
  its induced label is undefined and it has an accessible child node;
  else it is inaccessible.

  • Slide 43: Optimal CAM
In an optimal CAM no redundant labels are retained.
There are several equivalent labelings.
The order in which redundant nodes are deleted is not clear.

  • Slide 44: Example
Figure: a labeled tree with labels (d-,s+), (d+,s+), (d-,s+); legend: accessible nodes, not accessible nodes.

  • Slide 45: Experimental Verification
Synthetic XML data: a large accessibility ratio gives good compression; CAM size increases more slowly than the accessibility map.
File system data (Unix-like, simulation): efficient for huge file systems (good compression); the compression ratio increases linearly with the number of unit regions.

  • Slide 46: Conclusion
Access control solutions: ACP, XACL.
They provide a way to grant different privileges to different users.
XACL is newer and more expressive.
Theory is OK; implementation?

  • Slide 47: References
XML Access Control Language: Provisional Authorization for XML Documents
A Fine-Grained Access Control System for XML Documents
Design and Implementation of an Access Control Processor for XML Documents
Compressed Accessibility Map: Efficient Access Control for XML
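An added example (not from the slides or from the CAM paper) of the induced-label rules of slide 41 and the accessibility test of slide 42, in Python, run over a constructed tree in the shape of the slide-44 example. Assumed beyond the slides: labels are (d, s) pairs of '+'/'-', and a (d+,s-) ancestor, which the slides do not cover, opens its descendants.

```python
# A CAM node keeps only the labels actually stored: (d, s) with '+'/'-', or None.
class Node:
    def __init__(self, name, label=None, children=()):
        self.name, self.label, self.parent = name, label, None
        self.children = list(children)
        for c in self.children:
            c.parent = self

def has_labelled_descendant(node, labels):
    # Only original labels count here, never induced ones (slide 42).
    return any(c.label in labels or has_labelled_descendant(c, labels)
               for c in node.children)

def induced_label(node):
    if node.label is not None:                  # rule 1: the node's own label
        return node.label
    anc = node.parent
    while anc is not None and anc.label is None:
        anc = anc.parent
    if anc is None:                             # rule 5: no labelled ancestor
        return None
    if anc.label in (("+", "+"), ("-", "-")):   # rules 2 and 3
        return anc.label
    if anc.label == ("-", "+"):                 # rule 4: under a (d-,s+) ancestor
        if has_labelled_descendant(node, {("-", "+"), ("+", "+")}):
            return ("-", "+")                   # stays open as a path downwards
        return ("-", "-")
    # Assumption, not on the slides: a (d+,s-) ancestor opens its descendants.
    return ("+", "+")

def accessible(node):
    lbl = induced_label(node)
    if lbl in (("+", "+"), ("-", "+")):
        return True
    if lbl is None:      # undefined: accessible only as a path to an accessible child
        return any(accessible(c) for c in node.children)
    return False

def accessible_names(node):
    # Document-order names of the accessible nodes, i.e. the user's projected view.
    out = [node.name] if accessible(node) else []
    for c in node.children:
        out += accessible_names(c)
    return out

# Constructed tree in the shape of slide 44; all other labels are compressed away.
TREE = Node("root", ("-", "+"), [
    Node("a", children=[Node("b", ("+", "+"), [Node("b1")])]),
    Node("c", children=[Node("d")]), Node("e", ("-", "+"), [Node("f")]),
])
```

Node a carries no label of its own, yet it is accessible because it lies on the path from the (d-,s+) root to the (d+,s+) subtree, whereas c and d, with no labelled node below them, collapse to (d-,s-).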