Computer Science and Engineering 1
XML, RDF, Workflow Security
Reading
• Required:
– Ernesto Damiani, Sabrina De Capitani di Vimercati, Stefano Paraboschi, and Pierangela Samarati. 2002. A fine-grained access control system for XML documents. ACM Trans. Inf. Syst. Secur. 5, 2 (May 2002), 169-202. http://dl.acm.org/citation.cfm?id=505590
– A. Stoica and C. Farkas, “Secure XML Views,” Proc. 16th IFIP WG11.3 Working Conference on Database and Application Security, 133-146, 2002. http://www.cse.sc.edu/~farkas/publications/c5.pdf
– Amit Jain and Csilla Farkas. 2006. Secure resource description framework: an access control model. In Proceedings of the eleventh ACM symposium on Access control models and technologies (SACMAT '06). ACM, New York, NY, USA, 121-129. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.84.792&rep=rep1&type=pdf
Semantic Web
(Figure: the Semantic Web layer diagram, from T. B. Lee.)
Secure Technologies
(Figure: the secure technologies covered in this lecture, layered over the Web:)
• Security on the Web: data security
• XML: inferences
• Metadata security: RDF
• Application security
Secure XML Views - Example
Labelled document; the classification of each element is written after its start tag (UC = Unclassified, S = Secret, TS = Top Secret):
<medicalFiles> UC
  <countyRec> S
    <patient> S
      <name>John Smith</name> UC
      <phone>111-2222</phone> S
    </patient>
    <physician>Jim Dale</physician> UC
  </countyRec>
  <milBaseRec> TS
    <patient> S
      <name>Harry Green</name> UC
      <phone>333-4444</phone> S
    </patient>
    <physician>Joe White</physician> UC
    <milTag>MT78</milTag> TS
  </milBaseRec>
</medicalFiles>
(Figure: tree form of the same document; the arrow labelled "View over UC data" leads to the views on the following slides.)
Secure XML Views - Example cont.
View over UC data: the elements classified above UC (phone, milTag) are removed, but the enclosing elements countyRec, patient and milBaseRec are still present under their real names:
<medicalFiles>
  <countyRec>
    <patient>
      <name>John Smith</name>
    </patient>
    <physician>Jim Dale</physician>
  </countyRec>
  <milBaseRec>
    <patient>
      <name>Harry Green</name>
    </patient>
    <physician>Joe White</physician>
  </milBaseRec>
</medicalFiles>
(Figure: tree form of this view.)
Secure XML Views - Example cont.
View over UC data with the enclosing element names replaced by neutral tags (tag01, tag02, tag03):
<medicalFiles>
  <tag01>
    <tag02>
      <name>John Smith</name>
    </tag02>
    <physician>Jim Dale</physician>
  </tag01>
  <tag03>
    <tag02>
      <name>Harry Green</name>
    </tag02>
    <physician>Joe White</physician>
  </tag03>
</medicalFiles>
(Figure: tree form of this view.)
Secure XML Views - Example cont.
The labelled document after phone and milTag are removed; the container elements still carry their S and TS labels:
<medicalFiles> UC
  <countyRec> S
    <patient> S
      <name>John Smith</name> UC
    </patient>
    <physician>Jim Dale</physician> UC
  </countyRec>
  <milBaseRec> TS
    <patient> S
      <name>Harry Green</name> UC
    </patient>
    <physician>Joe White</physician> UC
  </milBaseRec>
</medicalFiles>
(Figure: tree form of this document.)
Secure XML Views - Example cont.
View over UC data with only the unclassified elements kept: name and physician now hang directly under medicalFiles, so the records that grouped each name with its physician are no longer visible:
<medicalFiles>
  <name>John Smith</name>
  <physician>Jim Dale</physician>
  <name>Harry Green</name>
  <physician>Joe White</physician>
</medicalFiles>
(Figure: tree form of this view.)
Secure XML Views - Solution
• Multi-Plane DTD Graph (MPG)
• Minimal Semantic Conflict Graph (association preservation)
• Cover story
• Transformation rules
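The three views over UC data shown above can be produced mechanically from the labelled document. The Python below is an added example written for this page, not code from the slides or from the Stoica and Farkas paper; it assumes that a constructed "cls" attribute carries each element's label and that the lattice is UC < S < TS. It shows why naive pruning reveals the names of classified container elements, why flattening loses the name/physician association, and how neutral cover tags keep the structure without the names.

```python
import xml.etree.ElementTree as ET

# Classification lattice used on the slides: UC < S < TS.
LEVEL = {"UC": 0, "S": 1, "TS": 2}

# Constructed copy of the slides' labelled medicalFiles document. The 'cls'
# attribute stands in for the label the slides print next to each element.
LABELLED_DOC = """\
<medicalFiles cls="UC">
  <countyRec cls="S">
    <patient cls="S">
      <name cls="UC">John Smith</name>
      <phone cls="S">111-2222</phone>
    </patient>
    <physician cls="UC">Jim Dale</physician>
  </countyRec>
  <milBaseRec cls="TS">
    <patient cls="S">
      <name cls="UC">Harry Green</name>
      <phone cls="S">333-4444</phone>
    </patient>
    <physician cls="UC">Joe White</physician>
    <milTag cls="TS">MT78</milTag>
  </milBaseRec>
</medicalFiles>
"""


def visible(elem, clearance):
    """A node is visible when its label is dominated by the user's clearance."""
    return LEVEL[elem.get("cls")] <= LEVEL[clearance]


def has_visible_descendant(elem, clearance):
    return any(visible(d, clearance) for d in elem.iter() if d is not elem)


def copy_content(elem):
    """Copy one node without its label; whitespace-only text is dropped."""
    out = ET.Element(elem.tag)
    out.text = (elem.text or "").strip() or None
    return out


def view_keep_path(elem, clearance, alias=None):
    """Prune nodes above the clearance but keep every hidden ancestor of a
    visible node as an empty container under its real name (the first view).
    With an 'alias' function the hidden containers get neutral tags instead
    (the cover-tag view)."""
    if visible(elem, clearance):
        out = copy_content(elem)
    elif has_visible_descendant(elem, clearance):
        out = ET.Element(alias(elem.tag) if alias else elem.tag)
    else:
        return None
    for child in elem:
        sub = view_keep_path(child, clearance, alias)
        if sub is not None:
            out.append(sub)
    return out


def view_cover_tags(elem, clearance):
    aliases = {}

    def alias(tag):  # same original tag -> same placeholder, numbered in document order
        return aliases.setdefault(tag, "tag%02d" % (len(aliases) + 1))

    return view_keep_path(elem, clearance, alias)


def view_flatten(elem, clearance):
    """Drop hidden nodes entirely and re-attach their visible descendants to the
    nearest visible ancestor (the flattened view): record boundaries, and with
    them the name/physician association, are lost."""
    if not visible(elem, clearance):
        return None
    out = copy_content(elem)

    def attach(node, target):
        for child in node:
            if visible(child, clearance):
                sub = copy_content(child)
                target.append(sub)
                attach(child, sub)
            else:
                attach(child, target)

    attach(elem, out)
    return out


def serialize(elem):
    return ET.tostring(elem, encoding="unicode")


def views_for(clearance, xml_text=LABELLED_DOC):
    """All three views of the document for one clearance, as XML strings."""
    root = ET.fromstring(xml_text)
    return {
        "keep_path": serialize(view_keep_path(root, clearance)),
        "cover_tags": serialize(view_cover_tags(root, clearance)),
        "flatten": serialize(view_flatten(root, clearance)),
    }


if __name__ == "__main__":
    for name, xml in views_for("UC").items():
        print(name, xml, sep="\n  ")
```

For a TS user all three views coincide with the original document minus its labels; for a UC user the keep_path view still names countyRec and milBaseRec, the flatten view no longer tells which physician belongs to which patient, and only the cover_tags view keeps the grouping without exposing the classified element names.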
Multi-Plane DTD Graph
MPG = DTD graph over multiple security planes (Top Secret, Secret, Unclassified).
(Figure: the DTD nodes of the medicalFiles document, each placed on the plane of its classification.)
• Unclassified plane: D,medicalFiles; D,name; D,physician
• Secret plane: D,countyRec; D,patient; D,phone
• Top Secret plane: D,milBaseRec; D,milTag
Transformation - Example
(Figures on four consecutive slides, summarized:)
• MPG of the medicalFiles DTD: medicalFiles, countyRec, patient, physician, name, phone, milBaseRec and milTag on the TS, S and UC planes.
• MSCG (Minimal Semantic Conflict Graph) for the security space Secret: the nodes name, phone and physician.
• Transformation: a new node <emrgRec> is added to the MPG on the plane SP, and the MSCG is reduced to name and physician.
• Resulting data structure: medicalFiles, containing emergencyRec, containing name and physician.
Node Association - Example
DTD of Patient Health Record (figure, shown here as an outline):
MedicalDb
  Patient*
    Name
    SSN
    Phone
    Birthdate
    Race
    Allergies
      Allergen*
    DateDiagnosis
    Physician
    Prescription*
    Comments
(Figure: two Patient sub-trees drawn from the DTD: Patient with Phone and Name, and Patient with Birthdate, Race, DateDiagnosis and Comments.)

Layered Access Control
(Figure: the example sub-trees marked with their node-level and association-level classifications.)
• Node level classification
• Object - Association level classification
Simple Security Object
(Figure: an object o with nodes t1, t2, t3, t4.)
For every node ti in o: the classification of ti equals the classification of o.

Association Security Object
(Figure: an object o with nodes t1, t2, t3, t4.)
For every node ti in o: the classification of ti is strictly lower than the classification of o.
Query Pattern
(Figure: the query pattern as a tree: r, reached by //, with children d and a; a has children b and c; d and b carry the same value v1.)
for $x in //r
let $y := $x/d, $z := $x/a
where $z/b = $y
return <answer> {$z/c} </answer>
Pattern Automata
• A pattern automaton X = (alphabet, Q, q0, Qf, transition function), where
  – the alphabet is E ∪ A ∪ {pcdata, //}: the element names E and attribute names A, text content, and the descendant step
  – Q = {q0, …, qn} is the set of states
  – Qf ⊆ Q is the set of final states (q0 ∉ Qf)
  – the transition function maps a symbol together with the states of its children to a state
• Valid transitions on a symbol s are of the form s(qi, …, qj) -> qk
• If the transition function has no valid rule for a node, the default new state is q0
Pattern Automata - Example
(Figure: the association object a with children b and c, reached by //.)
Alphabet = {a, b, c, //}
Q = {q0, qa, qb, qc}
Qf = {qa}
Transitions = {
  b() -> qb,
  c() -> qc,
  a(qb, qc) -> qa,
  *(qa) -> qa }
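The bottom-up run of such an automaton over an XML tree is short enough to write out. The following Python is an added example for this page, not code from the slides or the Stoica and Farkas paper; it encodes the transitions above as ordered rules, adds an assumed second rule set for the Query Pattern slide (r with d and a(b, c)), and keeps the value test $z/b = $y of that query outside the automaton, since the automaton only checks structure. The sample documents are constructed.

```python
import xml.etree.ElementTree as ET

DEFAULT = "q0"

# Transition rules for the slide's association object a(b, c): tuples of
# (element label, required child states, target state), tried in order; '*'
# matches any element name. A node no rule accepts gets the default state q0.
ASSOC_RULES = [
    ("b", (), "qb"),
    ("c", (), "qc"),
    ("a", ("qb", "qc"), "qa"),
    ("*", ("qa",), "qa"),   # the '//' step: a match anywhere below propagates to the root
]
ASSOC_FINAL = {"qa"}

# Assumed rule set for the Query Pattern slide: r with children d and a, where a
# has children b and c. The value constraint d = a/b is checked separately.
QUERY_RULES = [
    ("d", (), "qd"),
    ("b", (), "qb"),
    ("c", (), "qc"),
    ("a", ("qb", "qc"), "qa"),
    ("r", ("qd", "qa"), "qr"),
    ("*", ("qr",), "qr"),
]
QUERY_FINAL = {"qr"}


def covers(child_states, required):
    """True when each required state is supplied by a distinct child."""
    remaining = list(child_states)
    for state in required:
        if state not in remaining:
            return False
        remaining.remove(state)
    return True


def run_automaton(elem, rules):
    """Bottom-up run: compute the children's states first, then take the
    first rule whose label matches this element and whose child states fit."""
    child_states = [run_automaton(child, rules) for child in elem]
    for label, required, target in rules:
        if label in ("*", elem.tag) and covers(child_states, required):
            return target
    return DEFAULT


def matches(xml_text, rules, final):
    """True when the run ends in a final state at the document root, i.e. the
    document contains the pattern somewhere."""
    return run_automaton(ET.fromstring(xml_text), rules) in final


def query_pattern_hits(xml_text):
    """Structural match with the automaton, then the query's value test:
    returns the c values of every r whose d equals the b of one of its a's."""
    root = ET.fromstring(xml_text)
    if run_automaton(root, QUERY_RULES) not in QUERY_FINAL:
        return []
    hits = []
    for r in root.iter("r"):
        d = r.find("d")
        for a in r.findall("a"):
            b, c = a.find("b"), a.find("c")
            if None not in (d, b, c) and d.text == b.text:
                hits.append(c.text)
    return hits


# Constructed sample documents.
DOC_ASSOC = "<r><x><a><b>1</b><c>2</c></a></x></r>"      # a(b,c) nested below the root
DOC_SPLIT = "<r><a><b>1</b></a><a><c>2</c></a></r>"      # b and c under different a's
DOC_QUERY = ("<t><r><d>v1</d><a><b>v1</b><c>hit</c></a>"
             "<a><b>v2</b><c>miss</c></a></r></t>")

if __name__ == "__main__":
    print(matches(DOC_ASSOC, ASSOC_RULES, ASSOC_FINAL))   # association present
    print(matches(DOC_SPLIT, ASSOC_RULES, ASSOC_FINAL))   # b and c not associated
    print(query_pattern_hits(DOC_QUERY))
```

DOC_SPLIT is the case the association object exists to catch: both b and c occur, but never under the same a, so no rule fires and every node stays in q0.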
The Inference Problem
General Purpose Database:
  Non-confidential data + Metadata -> Undesired Inferences
Semantic Web:
  Non-confidential data + Metadata (data and application semantics) + Computational Power + Connectivity -> Undesired Inferences
Association Graph
• Association similarity measure
  – Distance of each node from the association root
  – Difference of the distance of the nodes from the association root
  – Complexity of the sub-trees originating at nodes
• Example (figure): an XML document with root "Air show" and children address and fort, and its Association Graph over the nodes address and fort, with the labels Public and Public, AC.
Correlated Inference
Ontology (x :: y reads "x is a kind of y"):
  waterSource :: Object, basin :: waterSource
  place :: Object, district :: place, address :: place
  base :: Object, fort :: base
Associations:
  (address, fort): Public
  (district, basin): Public
  (water source, base): Confidential
  ? Can the two Public associations be combined to reveal the Confidential one?
Concept Generalization: weighted concepts, concept abstraction level, range of allowed abstractions

Correlated Inference (cont.)
(Figure: the two Public associations generalized over the ontology.)
  (address, fort) -> (place, base)
  (district, basin) -> (place, water source)
Both generalized associations meet in place and together yield (water source, base), which is Confidential.
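The generalization-and-correlation step of the two Correlated Inference slides can be checked automatically before public data is released. The Python below is an added example for this page, not code from the slides; it assumes the ontology and the three labelled associations exactly as listed above, treats Object as the uninformative top concept, and bounds the abstraction with a maximum number of levels, which is the "range of allowed abstractions" a defender can tune.

```python
from itertools import combinations

# Constructed copy of the slide's ontology: child concept -> parent concept.
IS_A = {
    "waterSource": "Object", "basin": "waterSource",
    "place": "Object", "district": "place", "address": "place",
    "base": "Object", "fort": "base",
}
TOP = "Object"   # everything generalizes to the root; it carries no information

# The labelled associations of the slide (unordered pairs of concepts).
PUBLIC = [("address", "fort"), ("district", "basin")]
CONFIDENTIAL = [("waterSource", "base")]


def generalizations(concept, max_levels):
    """The concept itself plus up to max_levels ancestors below TOP."""
    out, cur = [concept], concept
    for _ in range(max_levels):
        cur = IS_A.get(cur)
        if cur is None or cur == TOP:
            break
        out.append(cur)
    return out


def generalized_pairs(assoc, max_levels):
    """Every abstraction of an association, as unordered concept pairs."""
    a, b = assoc
    return {frozenset((x, y)) for x in generalizations(a, max_levels)
            for y in generalizations(b, max_levels) if x != y}


def find_inferences(public, confidential, max_levels):
    """Confidential associations reachable from public ones, either directly by
    abstraction or by correlating two abstracted associations through a shared
    concept (address/fort and district/basin meet in place and yield
    waterSource/base). Each hit records how it was derived."""
    targets = {frozenset(c): c for c in confidential}
    gen = {assoc: generalized_pairs(assoc, max_levels) for assoc in public}
    found = []
    for assoc, pairs in gen.items():
        for p in pairs & set(targets):
            found.append({"target": targets[p], "how": "generalization", "from": [assoc]})
    for (a1, p1), (a2, p2) in combinations(gen.items(), 2):
        for x in p1:
            for y in p2:
                shared = x & y
                joined = (x | y) - shared
                if len(shared) == 1 and joined in targets:
                    found.append({"target": targets[joined], "how": "correlation",
                                  "via": next(iter(shared)), "from": [a1, a2]})
    return found


def max_safe_abstraction(public, confidential, depth=len(IS_A)):
    """Largest number of abstraction steps that reveals nothing confidential;
    -1 means even the released associations themselves are unsafe."""
    safe = -1
    for k in range(depth + 1):
        if find_inferences(public, confidential, k):
            break
        safe = k
    return safe


if __name__ == "__main__":
    for hit in find_inferences(PUBLIC, CONFIDENTIAL, 1):
        print(hit)
    print("safe abstraction levels:", max_safe_abstraction(PUBLIC, CONFIDENTIAL))
```

With one abstraction step the correlation through place is reported; with zero steps nothing leaks, so for this ontology the only safe range of allowed abstractions is none at all, unless one of the two public associations is withheld.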
Inference Removal
• Relational databases: limit access to data
• Web inferences
  – Cannot redesign public data outside of the protection domain
  – Cannot modify/refuse the answer to an already published web page
• Protection options:
  – Release misleading information
  – Remove information
  – Control access to metadata
Metadata Security
• No security model exists for metadata
• Can we use existing security models to protect metadata?
• RDF/S is the basic framework for the SW
• RDF/S supports simple inferences
• This is not true of XML: XML access control cannot be used to protect RDF/S data
RDF/S Entailment Rules
Example RDF/S entailment rules (http://www.w3.org/TR/rdf-mt/#rules):
• Rdfs2: (aaa, rdfs:domain, xxx) + (uuu, aaa, yyy) -> (uuu, rdf:type, xxx)
• Rdfs3: (aaa, rdfs:range, xxx) + (uuu, aaa, vvv) -> (vvv, rdf:type, xxx)
• Rdfs5: (uuu, rdfs:subPropertyOf, vvv) + (vvv, rdfs:subPropertyOf, xxx) -> (uuu, rdfs:subPropertyOf, xxx)
• Rdfs11: (uuu, rdfs:subClassOf, vvv) + (vvv, rdfs:subClassOf, xxx) -> (uuu, rdfs:subClassOf, xxx)
Example Graph Format
(Figure: RDF graph with the schema nodes Person, University, GovAgency, Student and the property memberAt, and the instance nodes John and USC joined by studiesAt. Legend: schema, instance, rdf:type, rdfs:subClassOf, rdfs:subPropertyOf, inferred rdf:type.)
RDF Triples:
  Fact1: (Student, rdfs:subClassOf, Person)
  Fact2: (University, rdfs:subClassOf, GovAgency)
  Fact3: (studiesAt, rdfs:domain, Student)
  Fact4: (studiesAt, rdfs:range, University)
  Fact5: (studiesAt, rdfs:subPropertyOf, memberAt)
  Fact6: (John, studiesAt, USC)
Example Graph Format (cont.)
(Figure: the same graph, with one inferred rdf:type edge added per slide.)
• Rdfs2: Fact3 + Fact6 -> Fact7 = (John, rdf:type, Student)
• Rdfs3: Fact4 + Fact6 -> Fact8 = (USC, rdf:type, University)
• Rdfs9: Fact2 + Fact8 -> Fact9 = (USC, rdf:type, GovAgency)
Secure RDF
Entailed data in RDF can cause illegal inferences:
• (John, studiesAt, USC) [S] + (studiesAt, rdfs:domain, University) [S] -> (USC, rdf:type, University) [S]
• (USC, rdf:type, University) [S] + (University, rdfs:subClassOf, GovAgency) [S] -> (USC, rdf:type, GovAgency) [TS]
A Secret user can infer TS information.
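The illegal inference above is easy to detect mechanically: forward-chain the entailment rules over the labelled triples, give every entailed triple the least upper bound of its premises' labels, and compare that with the label the policy demands. The Python below is an added example for this page, not code from the slides or from the Jain and Farkas paper. It uses the six triples of the Example Graph Format slide (deriving USC's type from the range triple Fact4, as those slides do), labels all of them S as on the Secure RDF slide, and a constructed policy that classifies (USC, rdf:type, GovAgency) as TS; the rule set is Rdfs2, 3, 5, 9 and 11 from the earlier slides.

```python
LEVEL = {"UC": 0, "S": 1, "TS": 2}
TYPE, SUBCLASS, SUBPROP, DOMAIN, RANGE = (
    "rdf:type", "rdfs:subClassOf", "rdfs:subPropertyOf", "rdfs:domain", "rdfs:range")

# The six triples of the Example Graph Format slide, each labelled S
# (constructed labels, as on the Secure RDF slide).
BASE = {
    ("Student", SUBCLASS, "Person"): "S",
    ("University", SUBCLASS, "GovAgency"): "S",
    ("studiesAt", DOMAIN, "Student"): "S",
    ("studiesAt", RANGE, "University"): "S",
    ("studiesAt", SUBPROP, "memberAt"): "S",
    ("John", "studiesAt", "USC"): "S",
}
# Constructed policy: the entailed fact that must stay Top Secret.
POLICY = {("USC", TYPE, "GovAgency"): "TS"}


def lub(*labels):
    return max(labels, key=LEVEL.__getitem__)


def rules(facts):
    """One application of the slide's entailment rules to every pair of facts.
    Yields (rule name, new triple, premises)."""
    for (s, p, o) in facts:
        for (s2, p2, o2) in facts:
            pair = [(s, p, o), (s2, p2, o2)]
            if p == DOMAIN and p2 == s:                       # rdfs2
                yield "rdfs2", (s2, TYPE, o), pair
            if p == RANGE and p2 == s:                        # rdfs3
                yield "rdfs3", (o2, TYPE, o), pair
            if p == SUBPROP and p2 == SUBPROP and o == s2:    # rdfs5
                yield "rdfs5", (s, SUBPROP, o2), pair
            if p == SUBCLASS and p2 == TYPE and o2 == s:      # rdfs9
                yield "rdfs9", (s2, TYPE, o), pair
            if p == SUBCLASS and p2 == SUBCLASS and o == s2:  # rdfs11
                yield "rdfs11", (s, SUBCLASS, o2), pair


def entail(base):
    """Forward-chain to a fixpoint. Each entailed triple is labelled with the
    least upper bound of its premises, i.e. the lowest clearance that derives it."""
    facts = {t: {"label": l, "rule": "given", "premises": []} for t, l in base.items()}
    changed = True
    while changed:
        changed = False
        for name, new, premises in list(rules(list(facts))):
            if new not in facts:
                facts[new] = {"label": lub(*(facts[q]["label"] for q in premises)),
                              "rule": name, "premises": premises}
                changed = True
    return facts


def illegal_inferences(facts, policy):
    """Policy-protected triples that a user cleared below the policy label can
    still derive from what that user is allowed to see."""
    return [(t, facts[t]["label"], want) for t, want in policy.items()
            if t in facts and LEVEL[facts[t]["label"]] < LEVEL[want]]


def explain(facts, triple, depth=0):
    """The derivation of a triple as indented lines, premises below conclusions."""
    info = facts[triple]
    lines = ["  " * depth + "%s [%s] by %s" % (triple, info["label"], info["rule"])]
    for q in info["premises"]:
        lines.extend(explain(facts, q, depth + 1))
    return lines


if __name__ == "__main__":
    facts = entail(BASE)
    for bad in illegal_inferences(facts, POLICY):
        print("illegal inference:", bad)
        print("\n".join(explain(facts, bad[0])))
```

Raising one premise of the reported derivation to TS (Fact2, for instance) raises the entailed triple to TS as well and the report becomes empty; choosing which premises to relabel is what the "classification of entailed data" item of the RDF access control model has to decide.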
RDF Access Control
• Security policy
  – Subject
  – Object
  – Object pattern
  – Access mode
• Default policy
• Conflict resolution
• Classification of entailed data
• Flexible granularity

Business Process
• Increased complexity
• Workflow specification
  – Workflow correctness
  – Workflow security
• Automated analysis
Internet Security - Farkas36
Workflow Verification
• Detect conflicts and anomalies
• Lack of formal methods and tools
What to represent?
• Activity-based workflow model
  – Design-time analysis
  – Implementation-time verification
• Reading: propositional logic
  – Activities
  – Basic workflow constructs
  – Activity "leads" to other activity
Workflow
(Figure: an example workflow with the activities a1, a2 and a4 and a "+" construct.)
WS-BPEL
• Language to specify business processes that are composed of Web services as well as exposed as Web services
• WS-BPEL specifications are portable: they can be carried out by every WS-BPEL compliant execution environment
Two-Level Programming Model
• Programming in the large
  – Non-programmers implementing processes
  – Flow logic
• Programming in the small
  – Programmers implementing low-level services
  – Function logic
WS-BPEL Flow Oriented
• Request
• Invoke
• Response
• SOA and WS-BPEL
Security and Workflow
• Identity management
• Authorization: e.g., data access controls
• Process constraints
• Provenance
Issues
• Need to distinguish between functionality and security guarantees
  – How to handle trust management?
• Workflows are process or data centric
  – How to map to user-centric system security policies?
• Planning and enactment are complex/rich processes
  – How to establish security assurance of a complex mechanism?
Next Class
• Cloud computing