Geospatial Database Security
Nguyễn Minh Nhật
Nguyễn Ngọc Hương Thảo
Lê Trần Hoài Thu
Contents
Part 01: Basic knowledge about GIS. Some basic information to know about GIS.
Part 02: Authorization in GIS databases. One common way of authorizing users and their privileges.
Part 03: Some GIS security models. Some of the security models commonly used.
Part 01: Basic knowledge about GIS
Contents: introduction to GIS and geospatial databases; GIS database structure.
What is GIS?
GIS: Geographical Information Systems.
[Figure: the GIS sits between the USER and the REAL WORLD.]
Applications?
GIS: history background
This technology has developed from:
• Digital cartography and CAD
• Database management systems
[Figure: a CAD system stores a record as ID with X,Y coordinates (e.g. 123); a database management system stores a record as ID with ATTRIB values (e.g. 123); GIS combines the two.]
Geospatial database
[Figure: a geospatial database combines a database map with attribute values.]
GIS database structure
Representation of geographical information
Many spatial databases are partitioned internally:
• Partitions defined spatially
• Partitions defined thematically
• Both
Tile: a geographical partition of a database.
Layer: a thematic partition.
LAYER
[Figure: Thematic Map of the Continental United States, shown as a single layer of point features.]
A layer: a logical grouping of geographic features, which can also be referred to as a coverage.
Maps are composed of layers
[Figure: a map built by stacking the layers States, Rivers, Lakes, Roads and Capitals.]
GIS database structure
Layers contain features or surfaces. Layers are represented by the vector model, the raster model or the TIN model.
GIS database structure:
• Database map: spatial data
• Attribute map: non-spatial data
Representing data with vector
Vector model: geometric objects: points, lines, polygons.
Spaghetti model and topology model.
Type     Position
Point    3,2
Line     1,5; 3,5; 5,7; 8,8; 11,7
Polygon  5,3; 6,5; 7,4; 9,5; 11,3; 8,2; 5,3
Spaghetti model
[Figure: the spaghetti model stores each object by its x, y co-ordinates; the topology model additionally represents the relational spatial data for each object; both represent attribute data.]
Advantages: simple, easy to represent.
Disadvantages: unable to represent relational spatial data among objects; the shared boundary of adjacent polygons is stored twice.
Topology model
Spatial data plus relational spatial data (topology).
Arc-node topology; polygon-arc topology.
Representing data with vector
Advantage: allows precise representation of points, boundaries and linear features.
Disadvantage: the boundaries of the resulting map polygons are discrete, whereas in reality the map polygons may represent continuous gradation or gradual change.
Representing data with raster
Raster model as image files: composed of grid cells (pixels).
A value attribute table (VAT) keeps track of the value classification. Add custom attributes by adding more columns. Disadvantage?
Raster data has one or more bands. Each band has an identical grid layout and represents a different attribute.
Represents indistinct boundaries well: thematic information on soil types, soil moisture, vegetation, ground temperatures.
Because reconnaissance satellites and aerial surveys use raster-based scanners, the scanned images can be incorporated directly into a GIS.
The higher the grid resolution, the larger the data file is going to be.
Representing data with TIN
TIN: Triangulated Irregular Networks, representing continuous surfaces.
[Figure: network structure of a TIN.]
Attribute data
Features are stored in a database along with information describing them.
Attributes of a street: name, street type, length, street code, number of lanes, pavement type.
Attributes of a park: name, area, hours of operation, maintenance schedule.
Attribute values in a GIS are stored as a relational database table. Each feature within a GIS layer is represented as a record in the table:
ID  Att1  Att2  Att3
1   X     X     X
2   X     X     X
3   X     X     X
…
[Figure: features 1 to 4 drawn on the layer, each linked to its record in the table.]
Part 02: Authorization in GIS databases
Contents of Authorization in GIS
• Why is authorization in GIS important?
• Topological spatial data model (TSDM)
• Basic components of the model
• The geographic access control model
• Authorization control mechanism
Why is authorization in GIS important?
Geographical data have a strategic relevance in a large variety of contexts:
• Gathering and analyzing intelligence
• Protecting critical infrastructure
• Responding to complex emergencies
• Preparing for disease outbreaks and bioterrorism
• Securing complex events
Topological spatial data model (TSDM)
Geometric layer: the shape and location on the earth surface of the features. Geometric value: a set of points, a set of simple connected (or not connected) polylines, or a set of simple polygons.
Topological layer: describes the topological relations of a feature with the other features of the map. Relations: {Disjoint, Touch, In, Contains, Equal, Cross, Overlap}.
[Figure: example of a geographical database: the railway network.]
[Figure: topological relations among the features of the Region and County feature types.]
Operators over the geometric layer and the topological layer: feature-based operators, map-based operators, mixed operators.
Basic components of the model
Subject and object. Subject: all users that interact with the system. Object:
• Schema objects
• Instance objects
• Group objects
Privileges: instance privileges, insertion privileges, schema privileges.
Authorization sign and type. Sign:
• (+) The subject is authorized for the given privilege.
• (-) The subject is denied access to the given object under the given privilege.
Type: specifies whether an authorization can be overridden or not:
• Weak authorizations (can be overridden)
• Strong authorizations (cannot be overridden)
Queries and windows restrict an authorization to selected instances and to a region.
Grant option: only (+) authorizations can be delegated.
The geographic access control model
Authorization; authorization extension; correct authorization.
Authorization
A tuple containing all the basic components of the model, of the form (u, p, pt, g, go, o, t, w, q). Reading the example below, the positions hold the user, the privilege, the sign, the grantor, the grant option, the object, the type (st = strong, wk = weak), the window and the query (┴ when there is no query).
Example:
Set A = {
a8 = (Ted, selM(2,geo), +, Bob, false, M_rail, st, Milan, ┴),
a9 = (Ted, updF(0,space), +, Bob, false, Accident, wk, Milan, q9), where q9 selects from Accident the features with N = 'wrong manoeuvre' and Name = 'X'
}
Derivation rule
Derivation over object relationships and derivation over privilege relationships:
• An authorization granting a privilege on objects of a certain dimension has to be propagated to objects of lower dimension.
• An authorization denying a privilege on objects of a certain dimension has to be propagated to objects of higher dimension.
Algorithms for access control
Given an access request r = (u, p, o) and authorizations of the form a = (u, p, pt, g, go, o, t, w, q), the access request can be satisfied if either:
• r depends on a strong positive authorization and on no strong negative authorization; or
• r depends on a weak positive authorization, on no weak negative authorization and on no strong authorization at all.
Part 03: Some GIS security models
Contents of GIS security models
• Aspects in security of database systems
• Analysis of access control mechanisms for spatial DB
• Secure access control in a multi-user geodatabase
• Access control model for spatial data on the Web
Aspects in security of database systems
Privacy, confidentiality, secrecy, integrity, accuracy, granularity, availability.
Privacy & secrecy
Access limit control: each user has private access rights; GIS user-level based control. Problems: non-modular GIS databases versus modular GIS databases.
Privacy & secrecy (cont.)
[Figure: one GIS database receiving many changes (Change 01, Change 02, ...) from many users (User 01, User 02, ...).]
Availability
[Figure: storage structure: data and data images managed by the database management system, reached through the operating system, the application, the Web service and the Web users.]
Availability (cont.)
Database restore after loss of power, disconnection, or hardware or software errors.
Granularity
Metadata.
Integrity & accuracy
Integrity & accuracy = the data cannot be tampered with (added, deleted or altered) by illegitimate users.
Confidentiality
[Figure: data crossing the network, with poisoned data injected alongside the legitimate data.]
Confidentiality = only the authorized user knows the data.
Analysis of access control mechanisms for spatial DB
Introduction
Two possible solutions to restricting access to the database: the SDE-based access control mechanism and the view-based access control mechanism.
SDE-based access control mechanism
SDE (Spatial Data Engine). Function: manage unstructured spatial data in a structured RDBMS (relational database management system).
http://en.wikipedia.org/wiki/Relational_database_management_system
[Figure: a map layer stored as a table, each record holding one geospatial object with its geometric property as a field.]
All geospatial objects in the same map layer are stored in one table.
Each geospatial object is represented by a record of the table.
The geometric property of a geospatial object is stored as a field of the record.
Authentication: the system first ensures that logged-in users are legitimate.
Authorization: legitimate users execute only permitted operations on the spatial objects of interest.
SDE: spatial data organization
SDE uses layers to store features (spatial objects).
Each layer contains one of: points, lines or polygons.
Each layer is composed of a business table, a feature table, a spatial index table and a point table.
[Figure: SDE spatial data layers.]
SDE spatial data: business table. Represents a feature and stores the attribute properties of the feature.
SDE spatial data: feature table. Stores the shape types and bounding boxes of the features.
SDE spatial data: spatial index table. Contains information on the grid units and bounding boxes of the features.
SDE spatial data: point table. Stores the coordinate values of each shape as a binary BLOB, which SDE translates into spatial meaning.
SDE-based access control
Authorization granularities: map layers, features, spatial context.
SDE-based access control for authorization
User information is stored in the database and the RDBMS is in charge of authenticating users.
Spatial authorization must alter the schemas of the related tables to store authorization information (legitimate users and their corresponding privileges) according to the granularity of control.
SDE-based access control for map layers
Two fields are added to the schema of the layer table: user and privilege. They are filled according to the users' specific authorization requirements.
SDE-based access control for features
A similar modification is made to the schema of the business tables, since each record of a business table stores the properties of a single feature.
SDE-based access control for spatial context
For spatial context, for example the features inside a rectangular window under a certain privilege, the authorization information is filled into the feature tables on the fly. The features falling in the window are computed from the window rectangle and the bounding boxes stored in the feature table.
SDE-based access control: procedure
1. Certify the user's ID.
2. Read the authorization information of the intended map layer.
3. Compare the legitimate users and privileges from the layer table with the intended operation.
4. Decide whether to authorize access to the map layer or to reject it.
5. Follow a similar procedure to obtain permission for specific features.
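The five steps, the per-feature check and the on-the-fly spatial-context check, as an added worked example with sqlite3 (this code is not from the presentation or from the paper it summarizes). Assumptions: the table and column names (layers, b_roads, b_roads_auth, f_roads, user_name, privilege, ...) are invented; the user/privilege pairs are kept in companion tables keyed by feature id so that one feature can carry several pairs, whereas the slides add the two columns to the layer and business tables themselves; the window is an axis-aligned rectangle compared against stored bounding boxes; all rows are constructed.

```python
# Added example, not code from the presentation or the cited paper: an SDE-style
# layer / feature / spatial-context authorization check over an in-memory sqlite3 database.
import sqlite3
from typing import List, Optional, Tuple

# Assumed mapping from map layer to its authorization table and feature table. Table names
# cannot be bound as SQL parameters, so they only ever come from this fixed dictionary;
# every user-supplied value below is bound with "?" placeholders.
LAYER_TABLES = {"roads": ("b_roads_auth", "f_roads")}

# Constructed sample data (names and values are illustrative only).
DB_USERS = ["alice", "bob"]                                # accounts the RDBMS has authenticated
LAYER_AUTH = [("roads", "alice", "select"), ("roads", "alice", "update"),
              ("roads", "bob", "select")]                  # layer table: user + privilege columns
ROADS = [  # fid, road_name, lanes, shape_type, minx, miny, maxx, maxy
    (1, "Main St", 2, "line", 0.0, 0.0, 10.0, 2.0),
    (2, "Ring Rd", 4, "line", 20.0, 20.0, 30.0, 30.0),
    (3, "Mill Ln", 1, "line", 5.0, 5.0, 6.0, 6.0),
]
FEATURE_AUTH = [(1, "alice", "update"), (1, "bob", "select"), (3, "alice", "select")]


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE db_users (user_name TEXT PRIMARY KEY);
        CREATE TABLE layers (layer_name TEXT, user_name TEXT, privilege TEXT);
        CREATE TABLE b_roads (fid INTEGER PRIMARY KEY, road_name TEXT, lanes INTEGER);
        CREATE TABLE b_roads_auth (fid INTEGER, user_name TEXT, privilege TEXT);
        CREATE TABLE f_roads (fid INTEGER PRIMARY KEY, shape_type TEXT,
                              minx REAL, miny REAL, maxx REAL, maxy REAL);
    """)
    db.executemany("INSERT INTO db_users VALUES (?)", [(u,) for u in DB_USERS])
    db.executemany("INSERT INTO layers VALUES (?, ?, ?)", LAYER_AUTH)
    db.executemany("INSERT INTO b_roads VALUES (?, ?, ?)", [r[:3] for r in ROADS])
    db.executemany("INSERT INTO f_roads VALUES (?, ?, ?, ?, ?, ?)",
                   [(r[0],) + r[3:] for r in ROADS])
    db.executemany("INSERT INTO b_roads_auth VALUES (?, ?, ?)", FEATURE_AUTH)
    return db


def certified(db: sqlite3.Connection, user: str) -> bool:
    """Step 1: the caller must be an account the RDBMS has authenticated."""
    return db.execute("SELECT 1 FROM db_users WHERE user_name = ?", (user,)).fetchone() is not None


def layer_permits(db: sqlite3.Connection, user: str, layer: str, op: str) -> bool:
    """Steps 2 to 4: read the layer's user/privilege rows and compare with the intended operation."""
    row = db.execute(
        "SELECT 1 FROM layers WHERE layer_name = ? AND user_name = ? AND privilege = ?",
        (layer, user, op)).fetchone()
    return row is not None


def feature_permits(db: sqlite3.Connection, user: str, layer: str, fid: int, op: str) -> bool:
    """Step 5: the same comparison against the business table's user/privilege columns."""
    if layer not in LAYER_TABLES:
        return False
    auth_table, _ = LAYER_TABLES[layer]
    row = db.execute(
        f"SELECT 1 FROM {auth_table} WHERE fid = ? AND user_name = ? AND privilege = ?",
        (fid, user, op)).fetchone()
    return row is not None


def features_in_window(db: sqlite3.Connection, layer: str,
                       window: Tuple[float, float, float, float]) -> List[int]:
    """Spatial context: features whose stored bounding box lies inside the window (x0, y0, x1, y1)."""
    if layer not in LAYER_TABLES:
        return []
    _, feature_table = LAYER_TABLES[layer]
    x0, y0, x1, y1 = window
    rows = db.execute(
        f"SELECT fid FROM {feature_table} "
        "WHERE minx >= ? AND miny >= ? AND maxx <= ? AND maxy <= ? ORDER BY fid",
        (x0, y0, x1, y1)).fetchall()
    return [r[0] for r in rows]


def authorize(db: sqlite3.Connection, user: str, layer: str, op: str,
              fid: Optional[int] = None) -> bool:
    """Steps 1 to 5 in order: an uncertified user or a layer-level refusal ends the check early."""
    if not certified(db, user) or not layer_permits(db, user, layer, op):
        return False
    return True if fid is None else feature_permits(db, user, layer, fid, op)


def authorized_features_in_window(db: sqlite3.Connection, user: str, layer: str, op: str,
                                  window: Tuple[float, float, float, float]) -> List[int]:
    """Features inside the window that the user may apply op to (the on-the-fly spatial-context check)."""
    if not authorize(db, user, layer, op):
        return []
    return [f for f in features_in_window(db, layer, window)
            if feature_permits(db, user, layer, f, op)]
```

The layer-level decision gates the feature-level one, so a user without a layer privilege never reaches the feature or window checks; a real deployment would also normalize the user/privilege pairs out of the layer and business tables rather than widening them as the slides describe.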
View-based access control mechanism
[Figure: a GIS database reached only through views (View 01, View 02, ...); each user (User 01, User 02, ...) is mapped to the views it may access.]
Four components: database accounts, database login (authentication), privileges, views.
Alternative method to grant Carol access to the name and email columns only:
create view employee_public as select name, email from employee;
grant select on employee_public to carol;
Secure access control in a multi-user geodatabase
Problems in multi-user access: some information needs to be secret; some users may view it, others may not. Other problems:
• Fake users
• Virtual users
Aspects of geodatabase security: privacy, confidentiality, secrecy, integrity, accuracy, granularity, availability.
Three main access control models: mandatory (label-based), discretionary (user-based) and role-based.
Mandatory (label-based): data carry different security levels, so users of the database are assigned security clearances.
Discretionary (user-based): permission-based access; users can protect their own data or grant access rights to others.
Role-based: access control is enforced in terms of roles.
Access control models for a geodatabase allow view-based access control: users access predefined sets of views, based on their authorizations. The views are built from a multi-level database and may be updated according to the users' privileges.
Three different security architectures:
• Single multi-level database (multi-level relations)
• Replicated multi-level database
• Single multi-level database (uni-level relations)
[Figure: single multi-level database (multi-level relations).]
[Figure: replicated multi-level database.]
[Figure: single multi-level database (uni-level relations).]
Access control model for spatial data on the Web
INTRODUCTION (1)
The use of maps is crucial for correctly geo-processing data. Currently, several commercial map management systems support visualization and editing of spatial objects on the Web.
Enforcing controlled access to spatial data, so as to ensure the confidentiality and integrity of the information, has not been much investigated.
INTRODUCTION (2)
Ensuring confidentiality means preventing improper disclosure of information to users not authorized to see it.
Ensuring integrity means protecting data from unauthorized modifications, and thus preventing non-authorized users from inserting or modifying data in the database.
INTRODUCTION (3)
The model is based on the following assumptions:
• Spatial data consist of objects with sharp boundaries located in a geographical space.
• Data are manipulated by remote users through the operations provided by a Web Map Management Service.
The goal of the system is to control the way data are accessed by users with different profiles.
The model is an extension of the classical access control model based on the notion of authorization rule.
INTRODUCTION (4)
The central idea is to assign an authorization a geographical scope, namely a bounded region in which the authorization is valid.
Therefore, operations that users may execute on spatial data may vary, depending on user identity and object position.
PRELIMINARY NOTIONS (1)
The spatial data model used is the vector model defined by the OpenGIS Consortium (OGC), based on the notion of simple spatial feature.
The architecture of Web map management applications follows a 3-tier architecture with presentation, application and data storage layers.
PRELIMINARY NOTIONS (2)
The data storage layer consists of files and database servers.
The application layer implements the operations requested by the application.
The presentation layer, on the client side, consists of either HTML pages or specialized programs.
PRELIMINARY NOTIONS (3)
We assume that features are transferred in a vector format and that geo-processing is distributed over both client and server.
PRELIMINARY NOTIONS (5)
The application layer consists of two main services:
• The Access Control Service implements the operations for checking and administering authorization rules.
• The Application Service implements the application logic and accesses the application data.
It also includes the Authentication Service, based on username/password, SSL or more complex services.
THE ACCESS CONTROL SYSTEM (1)
Data access is controlled through a set of authorization rules. Each authorization rule, in its basic form, consists of a triple <subject, object, privilege>.
The subject indicates who can access the data resource.
The object is a spatial feature class. The privilege is the kind of action that the subject can perform on the given object.
THE ACCESS CONTROL SYSTEM (2)
In the model it is not possible to define authorization rules for objects at a finer level of granularity, for example on a single feature or on feature class attributes.
Privileges used in the model:
• Notify: controls the execution of the operations for feature insertion and deletion.
• Analysis: controls the execution of the different querying operations.
• ViewGeometry: controls the single operation GetFeature.
• ViewAttribute: controls the operation GetFeatureInfo.
DEFINITIONS AND CONSTRAINTS (1)
Definition 1 (Basic authorization)
Let R be a set of roles, FC the set of feature classes, O the set of Web service operations, and P the set of privileges, defined as a partition over the set O. A basic authorization rule is a triple <r, f, p> where r ∈ R, f ∈ FC, p ∈ P.
Example: the rule authorizing a surveyor to notify illegal waste deposits can be expressed as follows:
<surveyor, illegal_waste_deposit, Notify>.
DEFINITIONS AND CONSTRAINTS (2)
Constraint 1 (Constraint on privilege dependency)
Let r be a role, fc a feature class, and p1, p2, …, pn privileges. We say that p1 depends on p2, …, pn (written p1 → p2 ∧ … ∧ pn) iff the existence of the rule a1 = <r, fc, p1> implies the existence of the rules a2 = <r, fc, p2>, …, an = <r, fc, pn>. The rule a1 is said to be dependent on a2, …, an (written a1 → a2 ∧ … ∧ an).
Example: the dependency discussed above can be expressed simply as:
Notify → ViewGeometry ∧ ViewAttribute
DEFINITIONS AND CONSTRAINTS (3)
Definition 2 (Authorization with window)
Let Polygon denote the set of polygonal geometries. An authorization rule with window is a tuple <r, fc, p, w> where r ∈ R, fc ∈ FC, p ∈ P, w ∈ Polygon.
Constraint 2 (Constraint on authorization window)
Let a1 = <r, fc, p1, w1> and a2 = <r, fc, p2, w2> be two authorization rules defined for the same role r and feature class fc but on two different privileges p1 and p2. If p1 → p2 then w1 ⊆ w2.
DEFINITIONS AND CONSTRAINTS (4)
Definition 3 (Authorization rule with grant option)
Let R be a set of roles, FC the set of feature classes, P the set of privileges and W the set of polygons. An authorization is a tuple <r, fc, p, w, gr, gr_op> where r ∈ R, fc ∈ FC, p ∈ P, w ∈ W, gr ∈ R (the grantor), gr_op ∈ {true, false}.
Constraint 3 (Constraint on authorization rule grant)
Let a = <r1, fc, p, w, gr, true> be an authorization granted to role r1. The privilege p on feature class fc can be granted by r1 to r2 through the authorization b = <r2, fc, p, wb, r1, _> iff the window of b is contained in the window of a, that is, wb ⊆ w.
DEFINITIONS AND CONSTRAINTS (5)
Definition 4 (Authorization rule consistency)
The authorization rule a = <r, fc, p, w, gr, gr_op> is consistent iff the following constraints are satisfied:
a) Constraint 1 and Constraint 2 hold, that is, for each privilege pi such that p → pi, the authorization ai = <r, fc, pi, wi, gr, _> belongs to the rule set and w ⊆ wi.
b) Constraint 3 holds, that is, if b = <gr, fc, p, wb, _, true> is the corresponding authorization held by the grantor of a, then w ⊆ wb.
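A consistency checker for Definitions 1 to 4 and Constraints 1 to 3, as an added worked example (this code is not from the presentation or from the Bertino and Damiani paper it summarizes). Assumptions: windows are axis-aligned rectangles (x0, y0, x1, y1) rather than arbitrary polygons, so that w1 ⊆ w2 reduces to a coordinate comparison; gr = None marks a rule defined directly by the administrator, for which there is no grantor to check; the only privilege dependency encoded is the slides' Notify → ViewGeometry ∧ ViewAttribute; the roles, feature class and windows in the sample rule set are constructed.

```python
# Added example, not code from the presentation or the cited paper: Definition 4
# (authorization rule consistency) over rules <r, fc, p, w, gr, gr_op>.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Window = Tuple[float, float, float, float]   # assumption: rectangle (x0, y0, x1, y1), not a polygon

# Constraint 1 dependencies p -> p2 ... pn; privileges without dependencies map to the empty set.
DEPENDS: Dict[str, Set[str]] = {
    "Notify": {"ViewGeometry", "ViewAttribute"},
    "Analysis": set(),
    "ViewGeometry": set(),
    "ViewAttribute": set(),
}


@dataclass(frozen=True)
class Rule:
    r: str                 # role
    fc: str                # feature class
    p: str                 # privilege
    w: Window              # authorization window
    gr: Optional[str]      # grantor role; None for rules defined by the administrator (assumption)
    gr_op: bool            # grant option


def contained(inner: Window, outer: Window) -> bool:
    """inner ⊆ outer for axis-aligned rectangles."""
    return (inner[0] >= outer[0] and inner[1] >= outer[1]
            and inner[2] <= outer[2] and inner[3] <= outer[3])


def violations(rule: Rule, rules: List[Rule]) -> List[str]:
    """Definition 4: (a) every pi with p -> pi must be held by the same role on the same
    feature class from the same grantor with a window containing w (Constraints 1 and 2);
    (b) the grantor must hold p on fc with the grant option and a window containing w
    (Constraint 3). Returns one message per violated constraint, empty when consistent."""
    problems: List[str] = []
    for pi in sorted(DEPENDS.get(rule.p, set())):
        deps = [x for x in rules if (x.r, x.fc, x.p, x.gr) == (rule.r, rule.fc, pi, rule.gr)]
        if not deps:
            problems.append(f"constraint 1: <{rule.r}, {rule.fc}, {pi}> missing")
        elif not any(contained(rule.w, x.w) for x in deps):
            problems.append(f"constraint 2: window of {rule.p} not inside window of {pi}")
    if rule.gr is not None:
        grantable = [x for x in rules
                     if (x.r, x.fc, x.p) == (rule.gr, rule.fc, rule.p) and x.gr_op]
        if not grantable:
            problems.append(f"constraint 3: grantor {rule.gr} holds no grantable {rule.p} on {rule.fc}")
        elif not any(contained(rule.w, x.w) for x in grantable):
            problems.append(f"constraint 3: window of {rule.p} exceeds the window of grantor {rule.gr}")
    return problems


def inconsistent(rules: List[Rule]) -> List[Rule]:
    """The rules of a rule set that fail Definition 4."""
    return [x for x in rules if violations(x, rules)]


# Constructed sample rule set (roles, windows and the grantor chain are invented).
REGION, CITY, DISTRICT, OUTSIDE = (0, 0, 100, 100), (10, 10, 60, 60), (20, 20, 40, 40), (50, 50, 90, 90)
FC = "illegal_waste_deposit"
RULES: List[Rule] = [
    Rule("admin", FC, "Notify", REGION, None, True),
    Rule("admin", FC, "ViewGeometry", REGION, None, True),
    Rule("admin", FC, "ViewAttribute", REGION, None, True),
    Rule("surveyor", FC, "ViewGeometry", CITY, "admin", False),
    Rule("surveyor", FC, "ViewAttribute", CITY, "admin", False),
    Rule("surveyor", FC, "Notify", DISTRICT, "admin", False),   # consistent: DISTRICT ⊆ CITY ⊆ REGION
]
BAD_WINDOW = Rule("surveyor", FC, "Notify", OUTSIDE, "admin", False)   # OUTSIDE is not inside CITY
BAD_GRANT = Rule("clerk", FC, "Notify", DISTRICT, "surveyor", False)   # surveyor cannot re-grant


if __name__ == "__main__":
    for bad in (BAD_WINDOW, BAD_GRANT):
        print(bad.r, bad.p, "->", violations(bad, RULES + [bad]))
```

BAD_WINDOW fails Constraint 2 on both privileges Notify depends on, and BAD_GRANT fails Constraint 1 (the clerk holds neither view privilege) and Constraint 3 (the surveyor's Notify rule carries no grant option); the original six rules pass.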
SUMMARY (1)
Strong points:
• Protects vector-based spatial data against requests issued through a Web service.
• Authorizations on spatial objects can be applied to limited areas within the reference space.
SUMMARY (2)
Weak points:
• Does not support topological representation.
• Does not support multiple representations of the same feature (such as different object dimensions).
• Does not support both positive authorizations (giving permissions) and negative ones (specifying denials).
References
[1] Jiayuan Lin, Yu Fang, Bin Chen, Pengei Wu. Analysis of access control mechanisms for spatial database.
[2] Elisa Bertino, Michael Gertz. Security and Privacy for Geospatial Data: Concepts and Research Directions.
[3] Elisa Bertino, Maria Luisa Damiani. A Controlled Access to Spatial Data on Web.
[4] Mikhail J. Atallah, Marina Blanton, Keith B. Frikken. Efficient Techniques for Realizing Geo-Spatial Access Control.
[5] Sahadeb De, Caroline M. Eastman, Csilla Farkas. Secure Access Control in a Multi-user Geodatabase.
[6] Zhu Tang, Shiguang Ju, Weihe Chen. Active Authorization Rules for Enforcing RBAC with Spatial Characteristics.
[7] A. Belussi, E. Bertino, B. Catania. An Authorization Model for Geographical Maps.
[8] www.gis.com
[9] www.esri.com/casestudies
Questions?