Computer Science and Engineering 1 XML, RDF, Workflow Security

Upload: nickolas-blankenship

Post on 27-Dec-2015


Page 1: Computer Science and Engineering 1 XML, RDF, Workflow Security

Computer Science and Engineering 1

XML, RDF, Workflow Security

Page 2: Reading

• Required:

– Ernesto Damiani, Sabrina De Capitani di Vimercati, Stefano Paraboschi, and Pierangela Samarati. 2002. A fine-grained access control system for XML documents. ACM Trans. Inf. Syst. Secur. 5, 2 (May 2002), 169-202. http://dl.acm.org/citation.cfm?id=505590

– A. Stoica and C. Farkas. 2002. Secure XML Views. Proc. 16th IFIP WG 11.3 Working Conference on Database and Application Security, 133-146. http://www.cse.sc.edu/~farkas/publications/c5.pdf

– Amit Jain and Csilla Farkas. 2006. Secure resource description framework: an access control model. In Proceedings of the eleventh ACM symposium on Access control models and technologies (SACMAT '06). ACM, New York, NY, USA, 121-129. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.84.792&rep=rep1&type=pdf

Computer Science and Engineering 2

Page 3: Semantic Web

[Figure not recoverable from the transcript] From: T.B. Lee

Page 4: Secure Technologies

[Figure: Security on the Web, with the branches Data Security (XML), Inferences, Metadata Security (RDF), Application Security]

Page 5: Secure XML Views - Example

Document with a security label on every node (UC = unclassified, S = secret, TS = top secret):

<medicalFiles>                         UC
  <countyRec>                          S
    <patient>                          S
      <name>John Smith</name>          UC
      <phone>111-2222</phone>          S
    </patient>
    <physician>Jim Dale</physician>    UC
  </countyRec>
  <milBaseRec>                         TS
    <patient>                          S
      <name>Harry Green</name>         UC
      <phone>333-4444</phone>          S
    </patient>
    <physician>Joe White</physician>   UC
    <milTag>MT78</milTag>              TS
  </milBaseRec>
</medicalFiles>

[Figure: the same document drawn as a tree, each node carrying its label]

View over UC data

Page 6: Secure XML Views - Example cont.

View over UC data, keeping the classified elements countyRec (S), patient (S) and milBaseRec (TS) as structure so that the UC leaves stay in place; the S and TS leaves phone and milTag are dropped:

<medicalFiles>
  <countyRec>
    <patient>
      <name>John Smith</name>
    </patient>
    <physician>Jim Dale</physician>
  </countyRec>
  <milBaseRec>
    <patient>
      <name>Harry Green</name>
    </patient>
    <physician>Joe White</physician>
  </milBaseRec>
</medicalFiles>

[Figure: the corresponding tree]

Page 7: Secure XML Views - Example cont.

The same view with the classified element names replaced by neutral tags (tag01 for countyRec, tag02 for patient, tag03 for milBaseRec), so that the UC user no longer sees the classified names:

<medicalFiles>
  <tag01>
    <tag02>
      <name>John Smith</name>
    </tag02>
    <physician>Jim Dale</physician>
  </tag01>
  <tag03>
    <tag02>
      <name>Harry Green</name>
    </tag02>
    <physician>Joe White</physician>
  </tag03>
</medicalFiles>

[Figure: the corresponding tree, drawn with the original element names]

View over UC data

Page 8: Secure XML Views - Example cont.

Labels of the view of page 6: the structural elements countyRec, patient and milBaseRec are still classified above UC, so they cannot simply be shown to a UC user:

<medicalFiles>                         UC
  <countyRec>                          S
    <patient>                          S
      <name>John Smith</name>          UC
    </patient>
    <physician>Jim Dale</physician>    UC
  </countyRec>
  <milBaseRec>                         TS
    <patient>                          S
      <name>Harry Green</name>         UC
    </patient>
    <physician>Joe White</physician>   UC
  </milBaseRec>
</medicalFiles>

[Figure: the corresponding tree]

View over UC data

Page 9: Secure XML Views - Example cont.

View over UC data with the classified structural elements removed and their UC descendants promoted to medicalFiles; the record boundaries, and with them the association between a name and its physician, are lost:

<medicalFiles>
  <name>John Smith</name>
  <physician>Jim Dale</physician>
  <name>Harry Green</name>
  <physician>Joe White</physician>
</medicalFiles>

[Figure: the corresponding tree]

Page 10: Secure XML Views - Solution

• Multi-Plane DTD Graph (MPG)

• Minimal Semantic Conflict Graph (MSCG) (association preservation)

• Cover story

• Transformation rules
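The three views of pages 6 through 9, built mechanically from the labelled document of page 5, as an added worked example that is not code from the slides or from the Stoica and Farkas paper. It assumes the node labels are carried in a "sec" attribute (an assumption made here; the slides do not show how labels are stored), treats UC < S < TS as a linear lattice, and names the three strategies structure, cover and flatten itself.

```python
"""Secure XML views over a node-labelled document.

Labels UC < S < TS are carried in a "sec" attribute on every element
(assumption of this example).  Three ways to build the view for a
clearance: keep the classified structure, cover it with neutral tag
names, or flatten it by promoting the releasable descendants.
"""
import xml.etree.ElementTree as ET

LEVELS = {"UC": 0, "S": 1, "TS": 2}   # linear lattice, lowest first
LABEL_ATTR = "sec"                    # assumed attribute carrying the label

# Constructed input: the lecture's medicalFiles document with its labels.
DOC = """
<medicalFiles sec="UC">
  <countyRec sec="S">
    <patient sec="S">
      <name sec="UC">John Smith</name>
      <phone sec="S">111-2222</phone>
    </patient>
    <physician sec="UC">Jim Dale</physician>
  </countyRec>
  <milBaseRec sec="TS">
    <patient sec="S">
      <name sec="UC">Harry Green</name>
      <phone sec="S">333-4444</phone>
    </patient>
    <physician sec="UC">Joe White</physician>
    <milTag sec="TS">MT78</milTag>
  </milBaseRec>
</medicalFiles>
"""

def label(elem):
    lvl = elem.get(LABEL_ATTR)
    if lvl not in LEVELS:
        raise ValueError(f"<{elem.tag}> has no valid {LABEL_ATTR} label")
    return LEVELS[lvl]

def releasable_subtree(elem, clearance):
    """True if elem or some descendant is readable at the clearance."""
    return label(elem) <= clearance or any(
        releasable_subtree(c, clearance) for c in elem)

def build_view(elem, clearance, mode, cover=None):
    """Copy of elem as seen at `clearance`: an Element, a list of promoted
    Elements (flatten mode, classified node), or None (nothing releasable).

    mode "structure": classified ancestors of releasable nodes keep their
        real tag names (the names leak, page 6);
    mode "cover":     such ancestors are renamed through `cover` (page 7);
    mode "flatten":   such ancestors vanish and their releasable children
        move up to the nearest readable ancestor (page 9).
    Text of a classified element is never copied, whatever the mode.
    """
    if not releasable_subtree(elem, clearance):
        return None
    readable = label(elem) <= clearance
    if not readable and mode == "flatten":
        promoted = []
        for child in elem:
            v = build_view(child, clearance, mode, cover)
            if v is not None:
                promoted.extend(v if isinstance(v, list) else [v])
        return promoted
    new = ET.Element(elem.tag)
    if readable:
        new.text = (elem.text or "").strip() or None
    elif mode == "cover":
        if cover is None or elem.tag not in cover:
            raise ValueError(f"no cover story for classified <{elem.tag}>")
        new.tag = cover[elem.tag]
    for child in elem:
        v = build_view(child, clearance, mode, cover)
        if v is None:
            continue
        for sub in (v if isinstance(v, list) else [v]):
            new.append(sub)
    return new

def view_string(mode, clearance="UC", cover=None):
    root = ET.fromstring(DOC)
    return ET.tostring(build_view(root, LEVELS[clearance], mode, cover),
                       encoding="unicode")

def tags_in_view(mode, clearance="UC", cover=None):
    root = ET.fromstring(DOC)
    return sorted({e.tag for e in build_view(root, LEVELS[clearance], mode, cover).iter()})

if __name__ == "__main__":
    COVER = {"countyRec": "tag01", "patient": "tag02", "milBaseRec": "tag03"}
    for m in ("structure", "cover", "flatten"):
        print(m, view_string(m, cover=COVER))
```

At clearance UC the three modes print the views of pages 6, 7 and 9 in turn; at clearance S the phone numbers appear and only milBaseRec and milTag stay hidden. Flattening is the one strategy that shows neither the classified tag names nor the existence of the classified records, at the price of the name/physician association, which the transformation slides that follow restore with the cover element emrgRec.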

Page 11: Multi-Plane DTD Graph

[Figure: the DTD graph of medicalFiles (medicalFiles > countyRec, milBaseRec; countyRec > patient, physician; milBaseRec > patient, physician, milTag; patient > name, phone) drawn over three security planes. Unclassified plane: medicalFiles, name, physician. Secret plane: countyRec, patient, phone. Top Secret plane: milBaseRec, milTag. Nodes are written "D, element".]

MPG = DTD graph over multiple security planes

Page 12: Transformation - Example

[Figure: left, the MPG of medicalFiles with its TS, S and UC planes; right, the MSCG for the Secret security space, an association over name, phone and physician]

Security space: Secret

Page 13: Transformation - Example

[Figure: the MPG with a new element <emrgRec> added on a plane marked SP; the MSCG now holds name and physician]

Page 14: Transformation - Example

[Figure: the MPG with <emrgRec> on the SP plane, shown next to the MSCG]

Page 15: Transformation - Example

[Figure: the MPG with <emrgRec> on the SP plane, shown next to the resulting data structure]

Data structure of the transformed view: medicalFiles > emergencyRec > name, physician

Page 16: Node Association - Example

DTD of Patient Health Record:

MedicalDb
  Patient*
    Allergies
      Allergen*
    Phone
    Birthdate
    Name
    SSN
    Race
    DateDiagnosis
    Physician
    Prescription*
    Comments

[Figure: two association objects taken from the DTD: Patient with (Phone, Name), and Patient with (Birthdate, Race, DateDiagnosis, Comments)]

Page 17: Layered Access Control

[Figure: the same DTD classified in two layers: node-level classification (labels such as + and - on single nodes) and object/association-level classification (labels such as ++ on groups of nodes)]

Page 18: Simple Security Object

[Figure: object o with subtrees t1, t2, t3, t4]

o is a simple security object when every subtree ti of o carries the same classification as o:
for all ti: classification(ti) = classification(o)

Page 19: Association Security Object

[Figure: object o with subtrees t1, t2, t3, t4]

o is an association security object when every subtree ti of o is classified strictly below o, so that the association itself is more sensitive than any of its parts:
for all ti: classification(ti) < classification(o)

Page 20: Query Pattern

[Figure: query pattern tree: //r with children d and a; a has children b and c; d and b carry the same value v1]

FOR $x in //r
LET $y := $x/d, $z := $x/a
WHERE $z/b = $y
RETURN <answer> {$z/c} </answer>

(XQuery: the WHERE clause filters before RETURN; the comparison is the XQuery general comparison =.)

Page 21: Pattern Automata

• Pattern automaton X = (Σ, Q, q0, Qf, δ)

– Σ = E ∪ A ∪ {pcdata, //} (E: element names, A: attribute names)

– Q = {q0, …, qn}

– Qf ⊆ Q, q0 ∉ Qf

– δ is a transition function

• Valid transitions in δ have the form σ(qi, …, qj) → qk, with σ ∈ Σ

• If δ does not contain a valid transition rule, the default new state is q0

Page 22: Pattern Automata - Example

Association object: a with children b and c, reached by //

[Figure: tree // > a > (b, c)]

Pattern automaton:

Σ = {a, b, c, //}

Q = {q0, qa, qb, qc}

Qf = {qa}

δ = {
  b() → qb,
  c() → qc,
  a(qb, qc) → qa,
  *(qa) → qa }
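The automaton of this slide run bottom-up over an XML tree, as an added example that is not code from the slides. The rule encoding (exact child-state tuples plus a wildcard rule for *(qa) → qa), the decision to treat child order as significant, and the sample document are choices made here.

```python
"""Bottom-up pattern automaton over an XML tree.

A node's state is delta applied to its label and the tuple of its
children's states, leaves first; anything no rule covers goes to q0.
The *(qa) -> qa rule carries a match upward, which is what lets the
pattern apply at any depth (the // of the slides).
"""
import xml.etree.ElementTree as ET

Q0 = "q0"

class PatternAutomaton:
    def __init__(self, rules, final, wildcard_rules=()):
        # rules: {(label, (child states...)): state}, ordered child tuples
        # wildcard_rules: {(label or "*", state): state}, applied when any
        #   child is in `state`; encodes the slides' *(qa) -> qa
        self.rules = dict(rules)
        self.wild = dict(wildcard_rules)
        self.final = set(final)

    def step(self, label, child_states):
        key = (label, tuple(child_states))
        if key in self.rules:
            return self.rules[key]
        for (lab, st), target in self.wild.items():
            if lab in ("*", label) and st in child_states:
                return target
        return Q0                       # default: no valid transition

    def run(self, elem, matches=None):
        """Return elem's state; append the root of each match to `matches`."""
        if matches is None:
            matches = []
        child_states = [self.run(c, matches) for c in elem]
        state = self.step(elem.tag, child_states)
        # a match is reported where it is first reached, not where propagated
        if state in self.final and not any(s in self.final for s in child_states):
            matches.append(elem)
        return state

    def accepts(self, elem):
        return self.run(elem) in self.final

    def find(self, elem):
        matches = []
        self.run(elem, matches)
        return matches

# The slides' automaton for the association object a(b, c) under //
ASSOC = PatternAutomaton(
    rules={("b", ()): "qb", ("c", ()): "qc", ("a", ("qb", "qc")): "qa"},
    final={"qa"},
    wildcard_rules={("*", "qa"): "qa"},
)

# Constructed sample document (not from the slides); ids are for reporting
SAMPLE = """
<root>
  <x><a id="1"><b/><c/></a></x>
  <a id="2"><b/></a>
  <y><a id="3"><b/><c/></a><a id="4"><c/><b/></a></y>
</root>
"""

def matching_ids(xml_text=SAMPLE, automaton=ASSOC):
    return [m.get("id") for m in automaton.find(ET.fromstring(xml_text))]

def root_state(xml_text=SAMPLE, automaton=ASSOC):
    return automaton.run(ET.fromstring(xml_text))

if __name__ == "__main__":
    print("matches:", matching_ids(), "root state:", root_state())
```

Element id="2" fails because a(qb) has no rule, and id="4" fails because the tuple (qc, qb) is ordered; an unordered association would need a rule per permutation or a set-valued child-state key.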

Page 23: The Inference Problem

General purpose database:

Non-confidential data + Metadata → Undesired inferences

Semantic Web:

Non-confidential data + Metadata (data and application semantics) + Computational power + Connectivity → Undesired inferences

Page 24: Association Graph

• Association similarity measure

– Distance of each node from the association root

– Difference of the distance of the nodes from the association root

– Complexity of the sub-trees originating at nodes

• Example:

XML document: Air show > (address, fort)

Association graph: address – fort; labels: Public; Public, AC

Page 25: Correlated Inference

Concept hierarchy (child :: parent, root Object):

waterSource :: Object
basin :: waterSource
place :: Object
district :: place
address :: place
base :: Object
fort :: base

Associations:

(address, fort): Public
(district, basin): Public
(water source, base): Confidential

? Can the Confidential association be inferred from the two Public ones?

Concept generalization: weighted concepts, concept abstraction level, range of allowed abstractions

Page 26: Correlated Inference (cont.)

Generalizing each Public association one level up the hierarchy:

(address, fort) → (place, base)
(district, basin) → (place, water source)

Both generalized associations share the concept place, which correlates base with water source: the Confidential association (water source, base) is inferable from Public data.
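The inference of pages 25 and 26 checked mechanically, as an added example that is not the lecture's or the paper's algorithm: concepts are generalized up a parent map and the public associations are chained through shared generalized concepts. The level bound `max_levels`, the exclusion of the root concept Object from generalization, and the use of plain reachability stand in for the weighted concepts and allowed abstraction range named on page 25; all three are simplifications assumed here.

```python
"""Correlated-inference check over a generalized association graph.

Each public association is generalized up to `max_levels` steps in the
concept hierarchy (never up to the root, which would correlate everything).
A confidential pair is leaked if its two concepts become connected through
the generalized public associations.  Hierarchy and associations are the
lecture's; the bound and the reachability test are this example's.
"""
from collections import defaultdict, deque
from itertools import product

# Lecture hierarchy, child -> parent
HIERARCHY = {
    "waterSource": "Object", "basin": "waterSource",
    "place": "Object", "district": "place", "address": "place",
    "base": "Object", "fort": "base",
}
PUBLIC = [("address", "fort"), ("district", "basin")]
CONFIDENTIAL = [("waterSource", "base")]

def ancestors(concept, hierarchy=HIERARCHY, max_levels=1, top="Object"):
    """The concept plus up to max_levels generalizations, stopping below top."""
    out = [concept]
    while len(out) <= max_levels and hierarchy.get(out[-1], top) != top:
        out.append(hierarchy[out[-1]])
    return out

def association_graph(public, hierarchy=HIERARCHY, max_levels=1):
    """Undirected edges between every allowed generalization of each pair."""
    graph = defaultdict(set)
    for x, y in public:
        for gx, gy in product(ancestors(x, hierarchy, max_levels),
                              ancestors(y, hierarchy, max_levels)):
            graph[gx].add(gy)
            graph[gy].add(gx)
    return graph

def inference_path(graph, src, dst):
    """Shortest chain of concepts linking src to dst, or None."""
    if src not in graph:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in graph[cur]:
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None

def leaked_associations(public=PUBLIC, confidential=CONFIDENTIAL,
                        hierarchy=HIERARCHY, max_levels=1):
    """Confidential pairs reachable in the generalized graph, with the chain."""
    graph = association_graph(public, hierarchy, max_levels)
    leaks = {}
    for x, y in confidential:
        path = inference_path(graph, x, y)
        if path is not None:
            leaks[(x, y)] = path
    return leaks

if __name__ == "__main__":
    for bound in (0, 1):
        print(f"max abstraction {bound}:", leaked_associations(max_levels=bound))
```

With no abstraction allowed the two public associations stay disconnected and nothing leaks; allowing one level reproduces the chain water source – place – base of page 26, which is the inference that has to be removed or whose metadata has to be protected (page 27).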

Page 27: Inference Removal

• Relational databases: limit access to data

• Web inferences

– Cannot redesign public data outside of protection domain

– Cannot modify/refuse answer to already published web page

• Protection Options:

– Release misleading information

– Remove information

– Control access to metadata

Page 28: Metadata Security

• No security model exists for metadata

• Can we use existing security models to protect metadata?

• RDF/S is the basic framework for the Semantic Web

• RDF/S supports simple inferences

• This is not true of XML: XML access control cannot be used to protect RDF/S data

Page 29: RDF/S Entailment Rules

Example RDF/S entailment rules (http://www.w3.org/TR/rdf-mt/#rules):

• rdfs2: (aaa, rdfs:domain, xxx) + (uuu, aaa, yyy) → (uuu, rdf:type, xxx)

• rdfs3: (aaa, rdfs:range, xxx) + (uuu, aaa, vvv) → (vvv, rdf:type, xxx)

• rdfs5: (uuu, rdfs:subPropertyOf, vvv) + (vvv, rdfs:subPropertyOf, xxx) → (uuu, rdfs:subPropertyOf, xxx)

• rdfs9 (used on page 33): (uuu, rdfs:subClassOf, xxx) + (vvv, rdf:type, uuu) → (vvv, rdf:type, xxx)

• rdfs11: (uuu, rdfs:subClassOf, vvv) + (vvv, rdfs:subClassOf, xxx) → (uuu, rdfs:subClassOf, xxx)

Page 30: Example Graph Format

[Figure: instance layer John --studiesAt--> USC; schema layer Student subClassOf Person, University subClassOf GovAgency, studiesAt subPropertyOf memberAt; legend: rdf:type, inferred rdf:type, rdfs:subClassOf, rdfs:subPropertyOf, schema, instance]

RDF triples:

Fact1: (Student, rdfs:subClassOf, Person)
Fact2: (University, rdfs:subClassOf, GovAgency)
Fact3: (studiesAt, rdfs:domain, Student)
Fact4: (studiesAt, rdfs:range, University)
Fact5: (studiesAt, rdfs:subPropertyOf, memberAt)
Fact6: (John, studiesAt, USC)

Page 31: Example Graph Format

[Figure: the graph of page 30 with the inferred rdf:type edge John → Student]

rdfs2: Fact3 + Fact6 → Fact7 = (John, rdf:type, Student)

Page 32: Example Graph Format

[Figure: the graph of page 30 with the inferred rdf:type edges John → Student and USC → University]

rdfs2: Fact3 + Fact6 → Fact7 = (John, rdf:type, Student)

rdfs3: Fact4 + Fact6 → Fact8 = (USC, rdf:type, University)

Page 33: Example Graph Format

[Figure: the graph of page 30 with the inferred rdf:type edges John → Student, USC → University and USC → GovAgency]

rdfs2: Fact3 + Fact6 → Fact7 = (John, rdf:type, Student)

rdfs3: Fact4 + Fact6 → Fact8 = (USC, rdf:type, University)

rdfs9: Fact2 + Fact8 → Fact9 = (USC, rdf:type, GovAgency)

Page 34: Secure RDF

Entailed data in RDF can cause illegal inferences:

• (John, studiesAt, USC) [S] + (studiesAt, rdfs:range, University) [S] → (USC, rdf:type, University) [S]   (rdfs3)

• (USC, rdf:type, University) [S] + (University, rdfs:subClassOf, GovAgency) [S] → (USC, rdf:type, GovAgency) [TS]   (rdfs9)

Every premise is Secret, yet the entailed triple is labelled Top Secret: a Secret user can infer TS information.

Page 35: RDF Access Control

• Security policy

– Subject

– Object

– Object pattern

– Access mode

• Default policy

• Conflict resolution

• Classification of entailed data

• Flexible granularity
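The inference of page 34 checked mechanically over the triples of page 30, as an added example that is not the Jain and Farkas model: the rules rdfs2, rdfs3, rdfs5, rdfs7, rdfs9 and rdfs11 are forward-chained over labelled triples, each entailed triple is derived at the least upper bound of its premises' labels, and an explicit label higher than the label the triple is derivable at is reported as unsafe. The lattice UC < S < TS, the labels on the triples and the "unsafe label" criterion are assumptions of this example; rdfs7 is taken from the W3C rule table linked on page 29.

```python
"""RDFS forward chaining with security labels.

Triples carry a label from UC < S < TS.  An entailed triple is derived at
the least upper bound of its premises' labels.  If the policy gives the
same triple an explicit label HIGHER than that, a user cleared at the
lower level can reconstruct it, which is the problem of page 34.
"""
LEVEL = {"UC": 0, "S": 1, "TS": 2}
RDF_TYPE, SUBCLASS, SUBPROP = "rdf:type", "rdfs:subClassOf", "rdfs:subPropertyOf"
DOMAIN, RANGE = "rdfs:domain", "rdfs:range"

def lub(a, b):
    return a if LEVEL[a] >= LEVEL[b] else b

def apply_rules(facts):
    """One round of rdfs2/3/5/7/9/11 over facts {(s, p, o): label}.

    Returns {(s, p, o): (label, rule, (premise1, premise2))} with the lowest
    label at which each triple is derivable in this round.
    """
    out = {}
    def emit(t, rule, t1, t2):
        lab = lub(facts[t1], facts[t2])
        if t not in out or LEVEL[lab] < LEVEL[out[t][0]]:
            out[t] = (lab, rule, (t1, t2))
    for t1 in facts:
        s1, p1, o1 = t1
        for t2 in facts:
            s2, p2, o2 = t2
            if p1 == DOMAIN and p2 == s1:                         # rdfs2
                emit((s2, RDF_TYPE, o1), "rdfs2", t1, t2)
            if p1 == RANGE and p2 == s1:                          # rdfs3
                emit((o2, RDF_TYPE, o1), "rdfs3", t1, t2)
            if p1 == SUBPROP and p2 == SUBPROP and o1 == s2:      # rdfs5
                emit((s1, SUBPROP, o2), "rdfs5", t1, t2)
            if p1 == SUBPROP and p2 == s1:                        # rdfs7
                emit((s2, o1, o2), "rdfs7", t1, t2)
            if p1 == SUBCLASS and p2 == RDF_TYPE and o2 == s1:    # rdfs9
                emit((s2, RDF_TYPE, o1), "rdfs9", t1, t2)
            if p1 == SUBCLASS and p2 == SUBCLASS and o1 == s2:    # rdfs11
                emit((s1, SUBCLASS, o2), "rdfs11", t1, t2)
    return out

def closure(facts):
    """Fixpoint: every derivable triple at the lowest label it is derivable at."""
    facts = dict(facts)
    provenance = {}
    while True:
        changed = False
        for t, (lab, rule, prem) in apply_rules(facts).items():
            if t not in facts or LEVEL[lab] < LEVEL[facts[t]]:
                facts[t] = lab
                provenance[t] = (rule, prem)
                changed = True
        if not changed:
            return facts, provenance

def unsafe_labels(policy):
    """Policy triples whose explicit label exceeds their derivable label."""
    derived, prov = closure(policy)
    return {t: (policy[t], derived[t], prov[t]) for t in policy
            if LEVEL[derived[t]] < LEVEL[policy[t]]}

# The lecture's triples, labelled as on page 34 (the TS one is the problem)
POLICY = {
    ("Student", SUBCLASS, "Person"): "S",
    ("University", SUBCLASS, "GovAgency"): "S",
    ("studiesAt", DOMAIN, "Student"): "S",
    ("studiesAt", RANGE, "University"): "S",
    ("studiesAt", SUBPROP, "memberAt"): "S",
    ("John", "studiesAt", "USC"): "S",
    ("USC", RDF_TYPE, "GovAgency"): "TS",
}

if __name__ == "__main__":
    for t, (given, derivable, (rule, prem)) in unsafe_labels(POLICY).items():
        print(f"{t} labelled {given} but derivable at {derivable} by {rule} from {prem}")
```

The report names rdfs9 and the two Secret premises of page 34. Raising (University, rdfs:subClassOf, GovAgency) to TS makes the policy consistent again, since the derivation then also lands at TS; this is the "classification of entailed data" item of the slide above made checkable.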

Page 36: Business Process

• Increased complexity

• Workflow specification

– Workflow correctness

– Workflow security

• Automated analysis

Internet Security - Farkas

Page 37: Workflow Verification

• Detect conflicts and anomalies

• Lack of formal methods and tools

Page 38: What to represent?

• Activity-based workflow model

– Design-time analysis

– Implementation-time verification

• Reading: propositional logic

– Activities

– Basic workflow constructs

– Activity "leads" to other activity

Page 39: Workflow

[Figure: workflow graph over the activities a1, a2 and a4 (marked +)]

Page 40: WS-BPEL

• Language to specify business processes that are composed of Web services and are themselves exposed as Web services

• WS-BPEL specifications are portable: they can be carried out by any WS-BPEL compliant execution environment

Page 41: Two-Level Programming Model

• Programming in the large

– Non-programmers implementing processes

– Flow logic

• Programming in the small

– Programmers implementing low-level services

– Function logic

Page 42: WS-BPEL Flow Oriented

• Request

• Invoke

• Response

• SOA and WS-BPEL

Page 43: Security and Workflow

• Identity management

• Authorization: e.g., data access controls

• Process constraints

• Provenance

Page 44: Issues

• Need to distinguish between functionality and security guarantees

– How to handle trust management?

• Workflows are process-centric or data-centric

– How to map them to user-centric system security policies?

• Planning and enactment are complex, rich processes

– How to establish security assurance of a complex mechanism?

Page 45: Next Class

• Cloud computing