Conference Paper

A function-based access control model for XML databases


Abstract

XML documents are frequently used in applications such as business transactions and medical records involving sensitive information. Typically, parts of documents should be visible to users depending on their roles. For instance, an insurance agent may see the billing information part of a medical document but not the details of the patient's medical history. Access control on the basis of data location or value in an XML document is therefore essential. In practice, the number of access control rules is on the order of millions, which is a product of the number of document types (in 1000's) and the number of user roles (in 100's). Therefore, the solution requires high scalability and performance. Current approaches to access control over XML documents have suffered from scalability problems because they tend to work on individual documents. In this paper, we propose a novel approach to XML access control through rule functions that are managed separately from the documents. A rule function is an executable code fragment that encapsulates the access rules (paths and predicates), and is shared by all documents of the same document type. At runtime, the rule functions corresponding to the access request are executed to determine the accessibility of document fragments. Using synthetic and real data, we show the scalability of the scheme by comparing the accessibility evaluation cost of two rule function models. We show that the rule functions generated on a user basis are more efficient for XML databases.


... Access control has security policy rules that define the access instructions for users and specify who can access what under which privileges. They are also called authorisation specifications (Gabillon 2004; Qi, Kudo et al. 2005; Di Vimercati, S. Foresti et al. 2008). The term 'privileges' which is frequently used in this topic means the right that is given to the subject to perform actions and operations on objects (Damiani, di Vimercati et al. 2005; Gollmann 2011). ...
... Many other factors such as time have been added to this syntax by various authors. These policies can relate to reading, writing and positioning privileges (Park, Costello et al. 2004; Gabillon 2005; Jo, Kim et al. 2005; Qi, Kudo et al. 2005; An and Park 2007; Di Vimercati, S. Foresti et al. 2008). ...
... Access control list (ACL) solves part of the problem by storing object rights rather than both the subject and object. Each object has a list that contains all subjects that can access it and stores the actions' values (Sandhu and Samarati 1994; Qi, Kudo et al. 2005; Gollmann 2011). In the following section, the main access control categories are discussed. ...
... They might see the specific component as an encrypted black box, or it might be an active element that can solicit a password from the user upon a mouse click. Several other researchers have looked at data sharing in large enterprises [6,7,8]. They have suggested partially encrypted XML files, in which certain nodes and their subtrees are protected. ...
... As compared to their approach, our solution, UsiFe, considers generic filesystems, and works in user space. [7,8] look at fine grained access control in XML documents. The authors propose to lock nodes, and subtrees, and allow only a certain set of users to access them. They further extend this idea to DTD specifications and schemas. ...
... The authors propose to lock nodes, and subtrees, and allow only a certain set of users to access them. They further extend this idea to DTD specifications and schemas. [8] proposes to lock XML subtrees on the basis of structure. If each node satisfies a certain set of rules related to the structure of the tree, then the node may be locked for a certain user. ...
Article
This paper proposes a new paradigm for the design of cryptographic filesystems. Traditionally, cryptographic file systems have mainly focused on encrypting entire files or directories. In this paper, we envisage encryption at a finer granularity, i.e. encrypting parts of files. Such an approach is useful for protecting parts of large files that typically feature in novel applications focused on handling a large amount of scientific data, GIS, and XML data. We extend prior work by implementing a user level file system on Linux, UsiFe, which supports fine grained encryption by extending the popular ext2 file system. We further explore two paradigms in which the user is agnostic to encryption in the underlying filesystem, and the user is aware that a file contains encrypted content. Popular file formats like XML, PDF, and PostScript can leverage both of these models to form the basis of interactive applications that use fine grained access control to selectively hide data. Lastly, we measure the performance of UsiFe, and observe that we can support file access for partially encrypted files with less than 15% overhead.
... In our previous research [26], a rule-based matching tree is constructed to achieve high expressiveness which managed to handle 760,000 rules. And in another previous research work [27], the rule number is extended to 2,000,000 which obviously improves scalability. The two previous approaches also share the point that they both focus on uni-subject case in which each user is specified to one subject. ...
... For example, when Alice is an employee and a manager at the same time, both rules for the employee group and the manager groups should be used to decide whether Alice can access the department information. In this paper, we extend the access control model introduced in [27] and present an access control system with highlight on multi-subject decision making. The novelty of this access control model is the high scalability and the high performance. ...
... We also proposed a policy matching tree in [26] to achieve expressiveness and scalability. Though this approach can handle almost 760,000 rules, we developed another approach [27] supporting 2,000,000 rules by converting the policy to a group of rule functions in Java. Related Java classes are compiled before runtime, then loaded to the main memory as necessary and executed for the accessibility decision of a subject. ...
Article
XML databases involving sensitive information introduce a new challenge specific to scalable and efficient access control for data protection. However, related approaches have suffered from scalability problems because they tend to work on individual documents. In this paper, we propose a novel approach to XML access control through Java-based rule functions. A rule function is an executable code fragment that encapsulates the access control rules of a specific user or group, and is shared by all documents of the same document type. At runtime, the rule functions corresponding to the access request are loaded to the main memory and executed to determine the accessibility of document fragments. Moreover, this approach enables an efficient real-time update when the rules are updated. Using synthetic and real data, we show the scalability of the scheme by comparing the accessibility evaluation cost.
... The research focus on XML repositories is switching from providing efficient storage and query processing techniques to general data management issues, such as access control. However, existing techniques [1, 2, 3, 5, 10] are limited to hiding nodes and subtrees with a few exceptions [4]. We have introduced ACXESS a query rewrite based access control model for XML [8, 9] that is capable of dealing with structural relationships. ...
... Existing approaches except [8, 9] either do not have the expressive power to extend access constraints to structural relationships [3, 10], or cannot implement them without view materialization [4]. Moreover, all these techniques rely on DBAs to specify the exact manner in which the access constraints are implemented as a security view, rather than what the security constraints should be. ...
Conference Paper
We propose IPAC (Interactive aPproach to Access Control for semi-structured data), a framework for XML access constraint specification and security view selection. IPAC clearly demarcates access constraint specification, access control strategy and security mechanism (implementation). It features a declarative access constraint specification language, a global access control strategy configuration unit, and an automatic security view generation and ranking tool. IPAC is the first system that assists the DBA in specifying access control strategies and access constraints on XML data, and helps the DBA in choosing the optimal plan that implements the specified strategy and access constraints accurately and efficiently.
... Access control models for XML documents are summarized in Table 1. According to the specification scheme of access control policies, existing models can be classified into two categories: XPath-based access control models [1, 3, 5, 8, 9, 11, 17, 16, 6, 10, 12, 13] and DTD-based access control models [17, 4, 7]. An XPath-based access control model uses XPath expressions to specify the XML elements that a user is allowed or denied to access. ...
... Another dimension of classification is the enforcement mechanism of access control policies. Using this dimension, XML access control models can be classified into two categories: document-based-enforcement models [1, 3, 5, 8, 9, 11, 17, 16, 6] and query-based-enforcement models [10, 12, 13, 4, 7]. While a document-based-enforcement model enforces access control policies by either preprocessing XML documents [1, 3, 5, 8, 9, 11, 17, 16] or postprocessing query result XML documents [6], a query-based-enforcement model rewrites a user query q to a secure query q' using the information of access control policies during execution and then evaluates q' over the original documents, which returns all and only those XML elements among the query result of q that the user is authorized to access. ...
... Although there exist several DTD-based access control models [17, 4, 7], our work has made the following contributions. First, instead of only exposing a view DTD, we expose the full original DTD to all users supporting the argument that the availability of the original DTD is critical for interoperability and correctness of business applications [5, 1, 10, 12, 13]. Second, while in [7], rewriting is needed for each input query, we introduce a graph matching based static analysis technique to determine if an input query is fully acceptable, fully rejectable, or partially acceptable queries. ...
Conference Paper
XML is rapidly emerging as a standard for data representation and exchange over the World Wide Web and an increasing amount of sensitive business data is processed in the XML format. Therefore, it is critical to have control mechanisms to restrict a user to access only the parts of XML documents that he/she is authorized to access. In this paper, we propose the first DTD-based access control model that employs graph matching to analyze if an input query is fully acceptable, fully rejectable, or partially acceptable, and to rewrite for partially acceptable queries only if necessary, along with the features of optimization and speed-up for query rewriting by introducing an index structure.
... The substructure in policy is called the object of the policy. Only a few proposals including [11] and [13] work on authorizing user access without the use of actual data file. However, they do not efficiently consider the predicates in XPath expressions. ...
... N. Qi et al. [13] proposed a function-based model for providing expressive and scalable access control for XML databases. They presented two rule functions, ORF and SRF. ...
Article
Access control is one of the fundamental security mechanisms in information systems. When a multi-user system uses XML documents as data storage, the need of access control to XML documents arises. Due to the hierarchical structure, XML access control is fine-grained in nature. For this criterion, instead of controlling access to the whole XML document, it is possible to limit user access to substructures of the document. One of the key problems on which XML access control is centered is to find techniques for efficient enforcement of access control policy over XML data, thus user access authorization. In general, XML access control model uses XPath expressions for specifying the substructure of the document to define policy. Authorization process needs to find the substructure which is referring from the policy in order to evaluate user access to requested data. Thus, authorization process needs to access the data file every time user requests access to data. Evaluating concurrent requests on large data slows down the data access process, especially on the Internet where a large number of user accesses at any given time is very common. In this paper, we use classification of user requests and the user policy, and compare them to get the authorization result. Our experiment shows that the process significantly minimizes the need of data access in the process of evaluating user access.
... The research of reference (Parmar and Shi, 2002) is based on multi-document association, and effectively solves the slow accessing problem of XML document processing. The research of reference (Qi et al., 2005) is based on the form of three tuples to map the rule functions, combined with the evaluation result returned by the rule functions, and calculate the verdict. And the reference (Li et al., 2010) is based on the attribute to discuss the relationship between access request, attribute authority, strategy and determine process, and it gives the condition of terminating the access control decision process. ...
Article
With increasing rate of storing and sharing information in the cloud by the users, data storage brings new challenges to the Extensible Markup Language (XML) database in big data environments. The efficient retrieval of data with protection and privacy issues for accessing mass data in the cloud is more and more important. Most of existing research about XML data query and retrieval focuses on efficiency or establishing the index, and so on. However, these methods or algorithms do not take into account the data and data structure for their own safety issues. Furthermore, traditional access control rules read XML document node in a dynamic environment, relevant dynamic query-based keyword research data security and privacy protection requirements are not many. In order to improve the search efficiency with security condition, this paper examines how to generate the sub-tree of matching keywords that the user can access by the access control rules for the user's role. The corresponding algorithm is proposed to achieve safe and efficient keywords search.
... The traditional types are discretionary access control (DAC), mandatory access control (MAC), and role based access control (RBAC) [1][2][3][4][5]. There are many other types that are non-traditional, such as function based access control and purpose based access control [6, 7]. Some of these models have been applied to provide a secure environment for XML databases. ...
Article
In order to improve security and provide dynamic access control for XML databases, we developed trust based access control for XML databases. Trust based access control for XML databases manages the access policy depending on users’ trustworthiness and prevents unauthorized processes, malicious transactions and misuse from both outsiders and insiders. Trust scores are updated on the basis of users’ histories. Privileges are automatically modified and adjusted over time depending on user behavior. In this paper, a practical trust based access control module for XML databases is evaluated. The dynamic access control has been tested from security, scalability, and performance perspectives. The experimental results illustrate the flexibility of trust values and the scalability of the system with small to large XML databases and with various numbers of users.
... Kudo and Hada [7] presents an authorization model and an access control language that integrates security features including authorization, confidentiality etc. Damiani et al. [8] uses a five-tuple access control rule to define the actions that subjects are allowed or forbidden to apply on the objects. Qi et al. [9] proposes a model based on rule functions which can be applied on documents of the same type. Other access control model research include: new languages to specify access control policies, such as XACL [10], X-RBAC [11], XACML [12], and introducing other factors into XML AC such as trust [13], [14], update [15], [16], etc. ...
Article
With the increasing usage of XML on information sharing over the Internet, a mechanism for defining and enforcing XML access control is demanded, such that only authorized entities can access the sets of XML data that they are allowed to. The research interests in these areas have grown significantly in recent years. Various access control enforcement solutions have been proposed, each with its inherent advantages and disadvantages. Yet, there is still no solution that can provide superior performance in all situations. In this paper, we present HyXAC, a hybrid approach to enforce XML access control. HyXAC integrates the two most popular categories of XML access control enforcement mechanisms, and earns the benefits from both. In particular, HyXAC first preprocesses user queries by rewriting queries and removing parts violating access control rules, and evaluates the re-written queries using sub-views, if they are available. In HyXAC, views are not defined on a per-role basis. Instead, a sub-view is defined for each access control rule, and roles sharing identical rules will share sub-views. Moreover, HyXAC dynamically allocates memory and secondary storage resources to materialize and cache sub-views to improve query performance. We have conducted extensive experiments, and the results show that HyXAC improves query processing efficiency while optimizing the use of system resources.
... Our work is different in that we use annotations (materialized approach), whereas Lee et al. check the accessibility of the document on-the-fly. [20] discusses a "function-based" model that translates policy rules to functions (e.g. Java methods) which are subsequently called to check the policy whenever a part of the document is accessed. ...
... Access control policies for XML documents or databases have been studied extensively over the past 10 years [1,6,8,9,12,20,21,24,26,29,32]. Most of this work focuses on high-level, declarative policies based on XPath expressions or annotated schemas; declarative policies are considered easier to maintain and analyze for vulnerabilities than the obvious alternative of storing ad hoc access control annotations directly in the database itself [13]. ...
Article
We consider the problem of extending XML databases with fine-grained, high-level access control policies specified using XPath expressions. Most prior work checks individual updates dynamically, which is expensive (requiring worst-case execution time proportional to the size of the database). On the other hand, static enforcement can be performed without accessing the database but may be incomplete, in the sense that it may forbid accesses that dynamic enforcement would allow. We introduce topological characterizations of XPath fragments in order to study the problem of determining when an access control policy can be enforced statically without loss of precision. We introduce the notion of fair policies that are statically enforceable, and study the complexity of determining fairness and of static enforcement itself.
... Naizhen Qi et al. [5,7] proposed a scalable access control model for providing efficient access control for XML databases. The access control rules of a specified user or group are encoded as rule functions. ...
Article
RFX (redundancy free XML) storage is a layered approach that provides compaction to XML. The non tree based RFX structure facilitates effective querying and maintenance of the XML databases with a substantial increase in compaction and reduced complexity. This paper presents security architecture for enforcing protection of the compact storage structure through client endorsement, consent module and selective encryption. Selective encryption is a novel technique developed for the same and plays a pivotal role in effective fortification of the RFX compact storage from intrusions.
... Whenever a user makes a request, an algorithm visits the path in the tree that matches the request, to compute the correct answer stored in the leaf. To further improve computational efficiency, the authors propose a function-based access control model that has a rule function for each authorization in the policy [17]. A rule function is a piece of executable code, which is run any time an access request matches with the rule, and returning the answer for the final user. ...
Chapter
XML has become a crucial tool for data storage and exchange. In this chapter, after a brief introduction on the basic structure of XML, we illustrate the most important characteristics of access control models. We then discuss two models for XML documents, pointing out their main characteristics. We finally present other proposals, describing their main features and their innovation compared to the previous two models.
... Thus, our subsequent discussion focuses more on object part. In this paper, we adopt the model proposed in [12] as the basis; other models like [39,8,34,45] can be used as well with a reasonable change. ...
Conference Paper
As the XML model gets more popular, new needs arise to specify access control within XML model. Various XML access control models and enforcement methods have been proposed recently. However, by and large, these approaches either assume the support of security features from XML databases or use proprietary tools outside of databases. Since there are currently few commercial XML databases with such capabilities, the proposed approaches are not yet practical. Therefore, we explore the problem of “Is it possible to fully support XML access control in RDBMS?” We formalize XML and relational access control models using deep set operators. Then we show that the problem of XML AC atop RDBMS amounts to the problem of converting XML deep set operators into equivalent relational deep set operators. We show the conversion algebra and identify the properties to ensure the correct conversion. Finally, we present three practical implementations of XML access controls using off-the-shelf RDBMS and their performance results.
... Access control policies for relational databases have been widely studied for example in [27]. Recently, access control models for XML have been proposed in [22], [7], [8], [30], [11], [4], [12], [17]. Traditionally, there have been two kinds of access control -Discretionary Access Control (DAC) and Mandatory Access Control (MAC). ...
Conference Paper
There is a huge prevalence of mobile devices being connected to the Internet because of high demands for information access and dissemination. It is now well understood that XML plays a vital role as a means for information representation, exchange, and storage. Naturally, XML data is exchanged and stored as these mobile devices communicate with each other, and over the web. A major concern for one device requesting data (objects, services or raw data) from another device is security. Access control policies are important models that control access to data for authorized devices. In an XML setting, access control policies are necessary to control access to parts of XML documents. It becomes challenging in pervasive computing environment as the devices have small memory footprint, disconnection, low battery powers, etc. In this paper, we propose an XML based access control along with cryptography for secure transmission of XML data in pervasive environments.
... Qi et al. [35] propose an approach to XML access control through rule functions that are managed separately from documents. The key idea is to encode the access control rules as a set of rule functions that separately perform the actual access evaluation. ...
Article
It is often the case that XML documents contain information of different sensitivity degrees that must be selectively shared by user communities. This paper presents the XXACF (eXtensible Role-Based XML Access Control Framework) framework for controlling access to XML documents in different environments. The proposed access control model of XXACF is described. The framework represents an improvement over the existing systems and enables defining context-sensitive access control policies on different priority and granularity levels, the enforcement of access control for different operations on XML documents, as well as different ways of access control enforcement for the same operation.
... The proposed approach exploits the inherent hierarchical nature of XML documents and employs role-based ideas to derive keys or views for different users. Qi et al. (2005) propose an approach to XML access control through rule functions that are managed separately from documents. The key idea is to encode the access control rules as a set of rule functions that separately perform the actual access evaluation. ...
Article
Purpose: The goal of this paper is to propose a data access control framework that is used for editing MARC-based bibliographic databases. In cases where the bibliographic record editing activities carried out in libraries are complex and involve many people with different skills and expertise, a way of managing the workflow and data quality is needed. Enforcing access control can contribute to these goals. Design/methodology/approach: The proposed solution for data access control enforcement is based on the well-studied standard role-based access control (RBAC) model. The bibliographic data, for the purpose of this system, is represented using the XML language. The software architecture of the access control system is modelled using the Unified Modelling Language (UML). Findings: The access control framework presented in this paper represents a successful application of concepts of role-based access control to bibliographic databases. The use of XML language for bibliographic data representation provides the means to integrate this solution into many different library information systems, facilitates data exchange and simplifies the software implementation because of the abundance of available XML tools. The solution presented is not dependent on any particular XML schema for bibliographic records and may be used in different library environments. Its flexibility stems from the fact that access control rules can be defined at different levels of granularity and for different XML schemas. Research limitations/implications: This access control framework is designed to handle XML documents. Library systems that utilise bibliographic databases in other formats not easily convertible to XML would hardly integrate the framework into their environment. Practical implications: The use of an access control enforcement framework in a bibliographic database can significantly improve the quality of data in organisations where record editing is performed by a large number of people with different skills. The examples of access control enforcement presented in this paper are extracted from the actual workflow for editing bibliographic records in the Belgrade City Library, the largest public city library in Serbia. The software implementation of the proposed framework and its integration in the BISIS library information system prove the practical usability of the framework. BISIS is currently deployed in over 40 university, public, and specialized libraries in Serbia. Originality/value: A proposal for enforcing access control in bibliographic databases is given, and a software implementation and its integration in a library information system are presented. The proposed framework can be used in library information systems that use MARC-based cataloguing.
... It will be helpful for multiple users to simultaneously update the same Web site without conflict. We may have to combine existing access control mechanisms for XML data [6,8,22, 25,27] with bidirectional transformation. Access control mechanism is required for not only security but also updatability. ...
Conference Paper
A transformation-based Web site can keep the content of a Web site consistent by furnishing a single database and a set of transformation programs, each of which generates a Web page. However, when someone notices an error or stale content on a Web page in this style of Web site construction, the Web site maintainer must access a possibly huge database to update the corresponding content. This paper proposes a new approach to Web site construction based on bidirectional transformation, together with a practical updating system, Vu-X. Because of the bidirectionality of the transformations, users can directly modify a generated Web page rather than accessing the database and the modification is automatically reflected in the database. The Vu-X system is also implemented as a Web server so that users can edit it in WYSIWYG style on their Web browsers. Since the Vu-X system employs a bidirectional transformation language Bi-X to describe bidirectional transformations, we can obtain both transformations only by specifying a transformation in one direction.
... Our work is different in that we use annotations (materialized approach), whereas Lee et al. check the accessibility of the document on-the-fly. [20] discusses a "function-based" model that translates policy rules to functions (e.g. Java methods) which are subsequently called to check the policy whenever a part of the document is accessed. ...
Conference Paper
In this paper we investigate the feasibility and efficiency of mapping XML data and access control policies onto relational and native XML databases for storage and querying. We developed a re-annotation algorithm that computes the XPath query which designates the XML nodes to be re-annotated when an update operation occurs. The algorithm uses XPath static analysis and our experimental results show that our re-annotation solution is on the average 7 times faster than annotating the entire document.
... Pre-processing approaches check user queries and enforce access control before query evaluation, e.g. static analysis approach [41, 42], function-based approach [45], access condition table approach [43], policy matching tree [44], secure query rewrite (SQR) approach [40], etc. Meanwhile, client-based access control [6] resembles postprocessing approach. ...
Article
In this paper, we ask whether XML access control can be supported when underlying (XML or relational) storage system does not provide adequate security features and propose three alternative solutions —primitive, pre-processing, and post-processing. Toward that scenario, in particular, we advocate a scalable and effective pre-processing approach, called QFilter. QFilter is based on non-deterministic finite automata (NFA) and rewrites user’s queries such that parts violating access control rules are pre-pruned. Through analysis and experimental validation, we show that (1) QFilter guarantees that only permissible portion of data is returned to the authorized users, (2) such access controls can be efficiently enforced without relying on security features of underlying storage system, and (3) such independency makes QFilter capable of many emerging applications, such as in-network access control and access control outsourcing.
Article
XML can supply the standard data type in information exchange format on a lot of data generated in running database or applied programs for a company by using the advantage that it can describe meaningful information directly. Therefore, as it becomes more and more necessary to manage and protect massive XML data in an efficient way, the development of safe XML access control techniques needs a new method. In this study access authorization policies are defined to design access control systems. The findings demonstrated that algorithm suggested in this study improved system performance which was low due to the complex authorization evaluation process in the existing access control techniques. It is consequently proved that the safe XML access control policy presented in this study is in an improved form as compared with the existing access control methods.
Conference Paper
The simple structure of XML document makes it very popular as a medium of data transfer and as a data storage. With the popularity of using XML documents, the need of access control system is also increasing. Unlike ordinary documents, an XML document has hierarchical structure and this feature allows us to build an access control system considering parts of the document. Although a number of models for access control to XML documents were already proposed, this is still a research issue. Recently, the key concern is to improve the performance of authorization process. Here, in this paper we propose a general access control system framework, which specifies file level access control as well as data level access control, to a number of XML databases. Also the framework includes a new request authorization process that improves the performance of the process.
Conference Paper
While XML has been widely adopted for information sharing over the Internet, the need for efficient XML access control naturally arises. Various XML access control enforcement mechanisms have been proposed in the research community, such as view-based approaches and pre-processing approaches. Each category of solutions has its inherent advantages and disadvantages. For instance, view based approach provides high performance in query evaluation, but suffers from the view maintenance issues. To remedy the problems, we propose a hybrid approach, namely HyXAC: Hybrid XML Access Control. HyXAC provides efficient access control and query processing by maximizing the utilization of available (but constrained) resources. HyXAC first uses the pre-processing approach as a baseline to process queries and define sub-views. In HyXAC, views are not defined in a per-role basis, instead, a sub-view is defined for each access control rule, and roles with identical rules would share the sub-view. Moreover, HyXAC dynamically allocates the available resources (memory and secondary storage) to materialize and cache sub-views to improve query performance. With intensive experiments, we have shown that HyXAC optimizes the usage of system resource, and improves the performance of query processing.
Article
The prevalent use of XML highlights the need for a generic, flexible access-control mechanism for XML documents that supports efficient and secure query access, without revealing sensitive information to unauthorized users. The focus of access control in client/server environment is on protecting sensitive server resources by determining whether or not a client is authorized to access those resources. And then access control on the basis of data location or value in an XML document is essential. In this paper, we propose an efficient client-based evaluator of access control rules for regulating access to XML database, and address how to increase server throughput using access control rules functions that are managed separately from the server database.
Article
XML is rapidly emerging as a standard for data representation and exchange over the World Wide Web and an increasing amount of sensitive business data is processed in XML format. Therefore, it is critical to have control mechanisms to restrict a user to access only the parts of XML documents that she is authorized to access. In this paper, we propose the first DTD-based access control model that employs graph matching to analyze if an input query is fully acceptable, fully rejectable, or partially acceptable. In this way, there will be no further security overhead for the processing of fully acceptable and rejectable queries. For partially acceptable queries, we propose a graph-matching based authorization model for an optimized rewriting procedure in which a recursive query (query with descendant axis ‘//’) will be rewritten into an equivalent recursive one if possible and into a non-recursive one only if necessary, resulting queries that can fully take advantage of structural join based query optimization techniques. Moreover, we propose an index structure for XML element types to speed up the query rewriting procedure, a facility that is potentially useful for applications with large DTDs. Our performance study results showed that our algorithms armed with rewriting indexes are promising.
Chapter
Security concerns have been rapidly increasing because of repeated security incidents such as unexpected personal information leakage. Since XML [38] has been playing an important role in IT systems and applications, a big surge of requirements for legislative compliance is driving enterprises to protect their XML data for secure data management as well as privacy protection, and the access control mechanism is a central control point. In this chapter, we are concerned with fine-grained (element- and attribute-level) access control for XML database systems, rather than with document-level access control. We use the term XML access control to address such fine-grained access control. The XML access control deals with XML data and access control policies as well as schema definitions, e.g. XML Schema [40], and queries, e.g. XQuery [36]. The scope of XML access control is not limited to a specific application but covers broader areas that involve XML-based transactional systems such as e-commerce applications (Commerce XML [7] etc.), medical and health record applications (HL7 [16] etc.), and newspaper article distribution and applications (NewsML [17] etc.).
Conference Paper
In this article we propose an approach which simplifies the task of DBAs in specifying the access constraints on a XML document. In the proposed methodology, for enforcing a security policy on a XML document, the DBA has to specify access constraints in terms of easy to understand Declarative Access Control Specification (DACS) language primitives. Once the constraints are specified, their corresponding security views are generated by the proposed implemented system. A working prototype based on above approach is also presented.
Conference Paper
In this paper, we propose four concurrency control algorithms for operations that access the same XML document in a multi-user environment. Given some key words, the search algorithm can find the elements that contain the key words. Given a path composed of tag-names and/or attributes, the update algorithm can update the specific element of a parent element located at the end of the path. The locking mechanism is used to maintain the serializability of instructions cross execution of multiple operations. Only two lock types, share lock and execution lock, are used to perform concurrency control. The techniques of breadth-first search and lock-coupling protocol are used to find the target elements when traversing an XML document. With these concurrent techniques, the proposed algorithms allow multiple users to concurrently access the same data without any error occurrence.
Article
Web-based applications greatly increase information availability and ease of access, which is optimal for public information. The distribution and sharing of information via the Web that must be accessed in a selective way, such as electronic commerce transactions, require the definition and enforcement of security controls, ensuring that information will be accessible only to authorized entities. Different approaches have been proposed that address the problem of protecting information in a Web system. However, these approaches typically operate at the file-system level, independently of the data that have to be protected from unauthorized accesses. Part of this problem is due to the limitations of HTML, historically used to design Web documents. The extensible markup language (XML), a markup language promoted by the World Wide Web Consortium (W3C), is de facto the standard language for the exchange of information on the Internet and represents an important opportunity to provide fine-grained access control. We present an access control model to protect information distributed on the Web that, by exploiting XML's own capabilities, allows the definition and enforcement of access restrictions directly on the structure and content of the documents. We present a language for the specification of access restrictions, which uses standard notations and concepts, together with a description of a system architecture for access control enforcement based on existing technology. The result is a flexible and powerful security system offering a simple integration with current solutions.
Article
The publish/subscribe paradigm is a popular model for allowing publishers (i.e., data generators) to selectively disseminate data to a large number of widely dispersed subscribers (i.e., data consumers) who have registered their interest in specific information items. Early publish/subscribe systems have typically relied on simple subscription mechanisms, such as keyword or "bag of words" matching, or simple comparison predicates on attribute values. The emergence of XML as a standard for information exchange on the Internet has led to an increased interest in using more expressive subscription mechanisms (e.g., based on XPath expressions) that exploit both the structure and the content of published XML documents. Given the increased complexity of these new data-filtering mechanisms, the problem of effectively identifying the subscription profiles that match an incoming XML document poses a difficult and important research challenge. In this paper, we propose a novel index structure, termed XTrie, that supports the efficient filtering of XML documents based on XPath expressions. Our XTrie index structure offers several novel features that, we believe, make it especially attractive for large-scale publish/subscribe systems. First, XTrie is designed to support effective filtering based on complex XPath expressions (as opposed to simple, single-path specifications). Second, our XTrie structure and algorithms are designed to support both ordered and unordered matching of XML data. Third, by indexing on sequences of elements organized in a trie structure and using a sophisticated matching algorithm, XTrie is able to both reduce the number of unnecessary index probes as well as avoid redundant matchings, thereby providing extremely efficient filtering. Our experimental results over a wide range of XML document and XPath expression workloads demonstrate that our XTrie index structure outperforms earlier approaches by wide margins.
Conference Paper
In this paper, our objective is to define a security model for regulating access to XML documents. Our model offers a security policy with a great expressive power. An XML document is represented by a tree. Nodes of this tree are of different type (element, attribute, text, comment...etc). The smallest protection granularity of our model is the node, that is, authorisation rules granting or denying access to a single node can be defined. The authorisation rules related to a specific XML document are first defined on a separate Authorisation sheet. This Authorisation sheet is then translated into an XSLT sheet. If a user requests access to the XML document then the XSLT processor uses the XSLT sheet to provide the user with a view of the XML document which is compatible with his rights.
Article
XML (eXtensible Markup Language) has emerged as a prevalent standard for document representation and exchange on the Web. It is often the case that XML documents contain information of different sensitivity degrees that must be selectively shared by (possibly large) user communities. There is thus the need for models and mechanisms enabling the specification and enforcement of access control policies for XML documents. Mechanisms are also required enabling a secure and selective dissemination of documents to users, according to the authorizations that these users have. In this article, we make several contributions to the problem of secure and selective dissemination of XML documents. First, we define a formal model of access control policies for XML documents. Policies that can be defined in our model take into account both user profiles, and document contents and structures. We also propose an approach, based on an extension of the Cryptolope™ approach [Gladney and Lotspiech 1997], which essentially allows one to send the same document to all users, and yet to enforce the stated access control policies. Our approach consists of encrypting different portions of the same document according to different encryption keys, and selectively distributing these keys to the various users according to the access control policies. We show that the number of encryption keys that have to be generated under our approach is minimal and we present an architecture to support document distribution.
Article
The Web is becoming the main information dissemination means in private and public organizations. As a consequence, several applications at both internet and intranet level need mechanisms to support a selective access to data available over the Web. In this context, developing an access control model, and related mechanisms, in terms of XML (eXtensible Markup Language) is an important step, because XML is increasingly used as the language for representing information exchanged over the Web. In this paper, we propose access control policies and an associated model for XML documents, addressing peculiar protection requirements posed by XML. A first requirement is that varying protection granularity levels should be supported to guarantee a differentiated protection of document contents. A second requirement arises from the fact that XML documents do not always conform to a predefined document type. To cope with these requirements, the proposed model supports varying protection granularity levels, ranging from a set of documents, to a single document or specific document portion(s). Moreover, it allows the Security Administrator to choose different policies for documents not covered or only partially covered by the existing access control policies for document types. An access control mechanism for the enforcement of the proposed model is finally described.
Article
XML (eXtensible Markup Language) is becoming the most relevant standardization effort in the area of document representation through markup languages. Through XML, it is possible to define complex documents, containing information at different degrees of sensitivity. Moreover, the processes of document exchange and acquisition, which can be very frequent in Web-based information systems, are simplified and standardized. In this scenario, there is a strong need for policies to control and regulate the access and dissemination of XML documents. In the paper, we discuss main protection requirements posed by XML documents and we present a set of authorization and dissemination policies that enable both a controlled access to XML documents in a given source and the exchange of XML documents across different sources. 1 Introduction XML (eXtensible Markup Language) [11] has recently emerged as the most relevant standardization effort in the area of document representation through markup lan...
Article
XML is widely regarded as a promising means for data representation, integration, and exchange. As companies transact business over the Internet, the sensitive nature of the information mandates that access must be provided selectively, using sophisticated access control specifications. Using the specification directly to determine if a user has access to a specific XML data item can hence be extremely inefficient. The alternative of fully materializing, for each data item, the users authorized to access it can be space-inefficient. In this paper, we propose a space- and time-efficient solution to the access control problem for XML data. Our solution is based on a novel notion of a compressed accessibility map (CAM), which compactly identifies the XML data items to which a user has access, by exploiting structural locality of accessibility in tree-structured data. We present a CAM lookup algorithm for determining if a user has access to a data item; it takes time proportional to the product of the depth of the item in the XML data and logarithm of the CAM size.
Article
The paper investigates XML document specifications with DTDs and integrity constraints, such as keys and foreign keys. We study the consistency problem of checking whether a given specification is meaningful: that is, whether there exists an XML document that both conforms to the DTD and satisfies the constraints. We show that DTDs interact with constraints in a highly intricate way and as a result, the consistency problem in general is undecidable. When it comes to unary keys and foreign keys, the consistency problem is shown to be NP-complete. This is done by coding DTDs and integrity constraints with linear constraints on the integers. We consider the variations of the problem (by both restricting and enlarging the class of constraints), and identify a number of tractable cases, as well as a number of additional NP-complete ones. By incorporating negations of constraints, we establish complexity bounds on the implication problem, which is shown to be coNP-complete for unary keys and foreign keys.
Article
Information Dissemination applications are gaining increasing popularity due to dramatic improvements in communications bandwidth and ubiquity. The sheer volume of data available necessitates the use of selective approaches to dissemination in order to avoid overwhelming users with unnecessary information. Existing mechanisms for selective dissemination typically rely on simple keyword matching or "bag of words" information retrieval techniques. The advent of XML as a standard for information exchange and the development of query languages for XML data enables the development of more sophisticated filtering mechanisms that take structure information into account. We have developed several index organizations and search algorithms for performing efficient filtering of XML documents for large-scale information dissemination systems. In this paper we describe these techniques and examine their performance across a range of document, workload, and scale scenarios.
Conference Paper
Access control policies for XML typically use regular path expressions such as XPath for specifying the objects for access control policies. However such access control policies are burdens to the engines for XML query languages. To relieve this burden, we introduce static analysis for XML access control. Given an access control policy, query expression, and an optional schema, static analysis determines if this query expression is guaranteed not to access elements or attributes that are permitted by the schema but hidden by the access control policy. Static analysis can be performed without evaluating any query expression against an actual database. Run-time checking is required only when static analysis is unable to determine whether to grant or deny access requests. A nice side-effect of static analysis is query optimization: access-denied expressions in queries can be evaluated to empty lists at compile time. We have built a prototype of static analysis for XQuery, and shown the effectiveness and scalability through experiments.
Article
More and more information is distributed in XML format, both on corporate Intranets and on the global Net. In this paper an Access Control System for XML is described allowing for definition and enforcement of access restrictions directly on the structure and content of XML documents, thus providing a simple and effective way for users to protect information at the same granularity level provided by the language itself.
Conference Paper
Access control represented by XPath expressions allows for access restrictions on elements, attributes, and text nodes according to their locations and values in an XML document. Many XML database applications call for such node-level access control on concerned nodes at any depth. To perform such node-level access control, current approaches create heavy loads on XML database applications since these approaches incur massive costs either at runtime or for data optimization. In order to solve these problems, we introduce an access condition table (ACT), a table equivalent to an access control policy, where Boolean access conditions for accessibility checks are stored. The ACT is generated as a means of shifting the extra runtime computations to a pre-processing step. Experimental results show that the proposed ACT can handle accesses to arbitrary paths at a nearly constant speed.
Conference Paper
The extensible markup language (XML) is a promising standard for describing semi-structured information and contents on the Internet. When XML comes to be a widespread data encoding format for Web applications, safeguarding the accuracy of the information represented in XML documents will be indispensable. In this paper, we propose a provisional authorization model that provides XML with sophisticated access control mechanism. The well-recognized need for such a system has only recently been addressed. Based on this authorization model, we present an XML access control language (XACL) that integrates security features such as authorization, non-repudiation, confidentiality, and an audit trail for XML documents. We describe our implementation, which can be used as an extension of a Web server for e-Business applications.
Conference Paper
XPath is a simple language for navigating an XML tree and returning a set of answer nodes. The focus in this paper is on the complexity of the containment problem for various fragments of XPath. In addition to the basic operations (child, descendant, filter, and wildcard), we consider disjunction, DTDs and variables. W.r.t. variables we study two semantics: (1) the value of variables is given by an outer context; (2) the value of variables is defined existentially. We establish an almost complete classification of the complexity of the containment problem w.r.t. these fragments.
Conference Paper
Much of the data exchanged over the Internet will soon be encoded in XML, allowing for sophisticated filtering and content-based routing. We have built a filtering engine called YFilter, which filters streaming XML documents according to XQuery or XPath queries that involve both path expressions and predicates. Unlike previous work, YFilter uses a novel NFA-based execution model. We present the structures and algorithms underlying YFilter, and show its efficiency and scalability under various workloads.
Conference Paper
In the context of a capability-based protection system, the term “transfer” is used (here) to refer to the situation where a user receives information when he does not initially have a direct “right” to it. Two transfer methods are identified: de jure transfer refers to the case when the user acquires the direct authority to read the information; de facto transfer refers to the case when the user acquires the information (usually in the form of a copy and with the assistance of others), without necessarily being able to get the direct authority to read the information. The Take-Grant Protection Model, which already models de jure transfers, is extended with four rewriting rules to model de facto transfer. The configurations under which de facto transfer can arise are characterized. Considerable motivational discussion is included.
Article
This specification defines the Document Object Model Level 1, a platform- and language-neutral interface that allows programs and scripts to dynamically access and update the content, structure and style of documents. The Document Object Model provides a standard set of objects for representing HTML and XML documents, a standard model of how these objects can be combined, and a standard interface for accessing and manipulating them. Vendors can support the DOM as an interface to their proprietary data structures and APIs, and content authors can write to the standard DOM interfaces rather than product-specific APIs, thus increasing interoperability on the Web. The goal of the DOM specification is to define a programmatic interface for XML and HTML. The DOM Level 1 specification is separated into two parts: Core and HTML. The Core DOM Level 1 section provides a low-level set of fundamental interfaces that can represent any structured document, as well as defining extended interfaces for representing an XML document. These extended XML interfaces need not be implemented by a DOM implementation that only provides access to HTML documents; all of the fundamental interfaces in the Core section must be implemented. A compliant DOM implementation that implements the extended XML interfaces is required to also implement the fundamental Core interfaces, but not the HTML interfaces. The HTML Level 1 section provides additional, higher-level interfaces that are used with the fundamental interfaces defined in the Core Level 1 section to provide a more convenient view of an HTML document. A compliant implementation of the HTML DOM implements all of the fundamental Core interfaces as well as the HTML interfaces.
Conference Paper
The Folklore is replete with stories of "secure" protection systems being compromised in a matter of hours. This is quite astounding since one is not likely to claim that a system is secure without some sort of proof to support the claim. In practice, proof is not provided and one reason for this is clear: although the protection primitives are apparently quite simple, they may potentially interact in extremely complex ways. Vague and informal arguments, therefore, often overlook subtleties that an adversary can exploit. Precision is not merely desirable for protection systems, it is mandatory.
Conference Paper
We propose a novel index structure, termed XTrie, that supports the efficient filtering of XML documents based on XPath expressions. Our XTrie index structure offers several novel features that make it especially attractive for large scale publish/subscribe systems. First, XTrie is designed to support effective filtering based on complex XPath expressions (as opposed to simple, single-path specifications). Second, our XTrie structure and algorithms are designed to support both ordered and unordered matching of XML data. Third, by indexing on sequences of element names organized in a trie structure and using a sophisticated matching algorithm, XTrie is able to both reduce the number of unnecessary index probes as well as avoid redundant matchings, thereby providing extremely efficient filtering. Our experimental results over a wide range of XML document and XPath expression workloads demonstrate that our XTrie index structure outperforms earlier approaches by wide margins.
Conference Paper
Query languages for data with irregular structure use regular path expressions for navigation. This feature is useful for querying data where parts of the structure is either unknown, unavailable to the user, or changes frequently. Naive execution of regular path expressions is inefficient however, because it ignores any structure in the data. We describe two optimization techniques for queries with regular path expressions. Both rely on graph schemas for specifying partial knowledge about the data's structure. Query pruning uses this structure to restrict navigation to only a fragment of the data; we give an efficient algorithm for rewriting any regular path expression query into a pruned one. Query rewriting using state extents can eliminate or reduce navigation altogether; it is reminiscent of optimizing relational queries using indices. There may be several ways to optimize a query using state extents; we give a polynomial space algorithm that finds all such optimizations. For restricted forms of regular path expressions, the algorithm is provably efficient. We also give an efficient approximation algorithm that works on all regular path expressions.
Article
Since the 1970s, computer systems have featured multiple applications and served multiple users, leading to heightened awareness of data security issues. System administrators and software developers focused on different kinds of access control to ensure that only authorized users were given access to certain data or resources. One kind of access control that emerged is role-based access control (RBAC). A role is chiefly a semantic construct forming the basis of access control policy. With RBAC, system administrators create roles according to the job functions performed in a company or organization, grant permissions (access authorization) to those roles, and then assign users to the roles on the basis of their specific job responsibilities and qualifications. A role can represent specific task competency, such as that of a physician or a pharmacist. Or it can embody the authority and responsibility of, say, a project supervisor. Roles define both the specific individuals allowed to access resources and the extent to which resources are accessed. For example, an operator role might access all computer resources but not change access permissions; a security officer role might change permissions but have no access to resources; and an auditor role might access only audit trails. Roles are used for system administration in such network operating systems as Novell's NetWare and Microsoft's Windows NT. This article explains why RBAC is receiving renewed attention as a method of security administration and review, describes a framework of four reference models the authors have developed to better understand RBAC and categorize different implementations, and discusses the use of RBAC to manage itself. The authors' framework separates the administration of RBAC from its access control functions.
Article
For most index structures for XML data proposed so far, update is a problem because XML element's coordinates are expressed by absolute values. Due to the structural relationship among elements in XML documents, we have to re-compute these absolute values if the content of source data is updated. The reconstruction requires update of large portion of index files, which causes a serious problem especially when XML data content is frequently updated. In this paper, we propose an indexing structure scheme based on the Relative Region Coordinate that can effectively deal with the update problem. The main idea is that we express the coordinate of an XML element based on the region of its parent element. We present an algorithm to construct a tree-structured index in which related coordinates are stored together. In consequence, our indexing scheme requires update of only a small portion of index file in case of updating.
Article
We present the design of an Identity-based CAPability protection system ICAP, which is aimed at a distributed system in a network environment. The semantics of traditional capabilities are modified to incorporate subject identities. This enables the monitoring, mediating, and recording of capability propagations to enforce security policies including the *-property in the Bell-LaPadula model. It also supports administrative activities such as traceability. We have developed an exception list approach to achieve rapid revocation and the idea of capability propagation trees for complete revocation. A separate access control list is to represent and interpret security policy. Compared with existing capability system designs, ICAP requires much less storage and has the potential of lower cost and better real-time performance. We propose to expand Kain and Landwehr's design taxonomy of capability-based systems to cover a wider range of designs. Introduction Access control is a fundamental ...
Article
XPath is a simple language for navigating an XML tree and returning a set of answer nodes. The focus in this paper is on the complexity of the containment problem for various fragments of XPath. In addition to the basic operations (child, descendant, filter, and wildcard), we consider disjunction, DTDs and variables. W.r.t. variables we study two semantics: (1) the value of variables is given by an outer context; (2) the value of variables is defined existentially. We establish an almost complete classification of the complexity of the containment problem w.r.t.
Article
This chapter focuses on the problem of secure evaluation of eXtensible Markup Language (XML) twig queries, for the simple, but useful, multilevel security model. The rapid emergence of XML as a standard for data exchange over the Web has led to considerable interest in the problem of securing XML documents. In this context, query evaluation engines need to ensure that user queries only use and return XML data that the user is allowed to access. These added access control checks can considerably increase query evaluation time. Companies are using the Web as the main means of information dissemination, sparking interest in models, and efficient mechanisms for controlled access to information content over the Web. In this respect, securing XML documents is an important step, because XML is rapidly emerging as the standard for data representation and exchange over the Web.
Article
In this paper, we ask if the traditional relational query acceleration techniques of summary tables and covering indexes have analogs for branching path expression queries over tree- or graph-structured XML data. Our answer is yes: the forward-and-backward index already proposed in the literature can be viewed as a structure analogous to a summary table or covering index. We also show that it is the smallest such index that covers all branching path expression queries. While this index is very general, our experiments show that it can be so large in practice as to offer little performance improvement over evaluating queries directly on the data. Likening the forward-and-backward index to a covering index on all the attributes of several tables, we devise an index definition scheme to restrict the class of branching path expressions being indexed. The resulting index structures are dramatically smaller and perform better than the full forward-and-backward index for these classes of branching path expressions. This is roughly analogous to the situation in multidimensional or OLAP workloads, in which more highly aggregated summary tables can service a smaller subset of queries but can do so at increased performance. We evaluate the performance of our indexes on both relational decompositions of XML and a native storage technique. As expected, the performance benefit of an index is maximized when the query matches the index definition.
Article
With the advent of XML as a standard for data representation and exchange on the Internet, storing and querying XML data becomes more and more important. Several XML query languages have been proposed, and the common feature of the languages is the use of regular path expressions to query XML data. This poses a new challenge concerning indexing and searching XML data, because conventional approaches based on tree traversals may not meet the processing requirements under heavy access requests. In this paper, we propose a new system for indexing and storing XML data based on a numbering scheme for elements. This numbering scheme quickly determines the ancestor-descendant relationship between elements in the hierarchy of XML data. We also propose several algorithms for processing regular path expressions, namely, (1) ##-Join for searching paths from an element to another, (2) ##-Join for scanning sorted elements and attributes to find element-attribute pairs, and (3) ##-Join for finding Kleene-Closure on repeated paths or elements. The ##-Join algorithm is highly effective particularly for searching paths that are very long or whose lengths are unknown. Experimental results from our prototype system implementation show that the proposed algorithms can process XML queries with regular path expressions by up to an or- ...