Abstract
We investigate a generalization of the notion of XML security view introduced by Stoica and Farkas (Proceedings of the 16th International Conference on Data and Applications Security (IFIP’02). IFIP Conference Proceedings, vol. 256, pp. 133–146. Kluwer, Dordrecht, 2002) and later refined by Fan et al. (Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD’04), pp. 587–598. ACM Press, New York, 2004). The model consists of access control policies specified over DTDs with XPath expressions for data-dependent access control. We provide the notion of security views characterizing information accessible to authorized users. This is a transformed DTD schema that can be used by users for query formulation. We develop an algorithm to materialize an authorized version of the document from the view and an algorithm to construct the view from an access control specification. We show that our view construction combined with materialization produces the same result as the direct application of the DTD access specification on the document. We also propose a number of generalizations of possible security policies and show how they affect the view construction algorithm. Finally, we provide an evaluation of our system.
References
XMark—An XML Benchmark Project. http://monetdb.cwi.nl/xml/index.html
Alon N., Milo T., Neven F., Suciu D., Vianu V.: Typechecking xml views of relational databases. ACM Trans. Comput. Log. 4(3), 315–354 (2003)
Anutariya, C., Chatvichienchai, S., Iwaihara, M., Wuwongse, V., Kambayashi, Y.: A rule-based XML access control model. In: RuleML, pp. 35–48 (2003)
Benedikt, M., Chan, C., Fan, W., Rastogi, R., Zheng, S., Zhou, A.: DTD-directed publishing with attribute translation grammars. In: Proceedings of the 28th Conference on Very Large Data Bases (VLDB’02) (2002)
Benedikt, M., Fan, W., Kuper, G.M.: Structural properties of XPath fragments. In: Proceedings of the 13th International Conference on Database Theory (ICDT’03) (2003)
Bertino E., Jajodia S., Samarati P.: A flexible authorization mechanism for relational data management systems. ACM Trans. Inf. Syst. (TOIS) 17(2), 101–140 (1999)
Bertino, E., Braun, M., Castano, S., Ferrari, E., Mesiti, M.: Author-X: A Java-based system for XML data protection. In: Proceedings of the IFIP TC11/WG11.3 Fourteenth Annual Working Conference on Database Security, pp. 15–26. Kluwer, Dordrecht (2001)
Bertino E., Carminati B., Ferrari E., Thuraisingham B., Gupta A.: Selective and authentic third-party distribution of XML documents. IEEE Trans. Knowl. Data Eng. (TKDE) 16(10), 1263–1278 (2004)
Bertino E., Ferrari E.: Secure and selective dissemination of XML documents. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(3), 290–331 (2002)
Bouganim, L., Ngoc, F.D., Pucheral, P.: Client-based access control management for xml documents. In: Proceedings of the 30th Conference on Very Large Data Bases (VLDB’04), pp. 84–95 (2004)
Boulahia-Cuppens, N., Cuppens, F., Gabillon, A., Yazdanian, K.: Multiview model for object-oriented database. In: Proceedings of the Annual Computer Security Applications Conference, pp. 222–231 (1993)
Bray, T., Paoli, J., Sperberg-McQueen, C.M.: Extensible Markup Language (XML) 1.0. W3C, February 1998
Carminati, B., Ferrari, E., Bertino, E.: Securing XML data in third-party distribution systems. In: Proceedings of the Fourteenth International Conference on Information and Knowledge Management (CIKM), pp. 99–106. ACM Press, Bremen (2005)
Cho, S., Amer-Yahia, S., Lakshmanan, L.V.S., Srivastava, D.: Optimizing the secure evaluation of twig queries. In: Proceedings of the 28th Conference on Very Large Data Bases (VLDB’02), pp. 490–501 (2002)
Clark, J., DeRose, S.: XML path language (XPath) version 1.0. w3c recommendation, November 1999. http://www.w3.org/TR/xpath
Crampton, J.: Applying hierarchical and role-based access control to XML documents. In: Proceedings of ACM Workshop on Secure Web Services (SWS’04). ACM Press, Fairfax (2004)
Damiani E., De Capitani di Vimercati S., Paraboschi S., Samarati P.: A fine-grained access control system for XML documents. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(2), 169–202 (2002)
Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., Samarati, P.: Design and implementation of an access control processor for XML documents. In: Proceedings of the 9th International Conference on World Wide Web (WWW’00), pp. 59–75. North-Holland, Amsterdam (2000)
Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., Samarati, P.: Fine grained access control for SOAP e-services. In: Proceedings of the 10th International Conference on World Wide Web (WWW’01), pp. 504–513. ACM Press, New York (2001)
De Capitani di Vimercati S., Samarati P.: Access control: Policies, models, and mechanism. In: Focardi, R., Gorrieri, F. (eds) Foundations of Security Analysis and Design—Tutorial Lectures. Lecture Notes in Computer Science, vol. 2171, Springer, Heidelberg (2001)
Fallside, D.C., Walmsley, P.: XML Schema Part 0: Primer, 2nd edn. W3C Recommendation. http://www.w3.org/TR/xmlschema-0/, 2004
Fan, W., Chan, C.-Y., Garofalakis, M.: Secure XML querying with security views. In: Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data (SIGMOD’04), pp. 587–598. ACM Press, New York (2004)
Gabillon, A., Bruno, E.: Regulating access to XML documents. In: Proceedings of the IFIP TC11/WG11.3 Fifteenth Annual Working Conference on Database and Application Security, pp. 299–314. Kluwer, Niagara (2001)
Geuer-Pollmann, C.: XML pool encryption. In: Proceedings of the 1st ACM Workshop On XML Security (XMLSEC’02), pp. 1–9. ACM Press, Fairfax (2002)
Goel, S.K., Clifton, C., Rosenthal, A.: Derived access control specification for XML. In: Proceedings of the 2nd ACM Workshop On XML Security (XMLSEC’03), pp. 1–14. ACM Press, New York (2003)
Gottlob, G., Koch, C., Pichler, R.: Efficient algorithm for processing XPath queries. In: Proceedings of the 28th Conference on Very Large Data Bases (VLDB’02) (2002)
Gottlob G., Koch C., Pichler R.: Efficient algorithms for processing XPath queries. ACM Trans. Database Syst. 30(2), 444–491 (2005)
Gowadia, V., Farkas, C.: RDF metadata for XML access control. In: Proceedings of the 2nd ACM Workshop On XML Security (XMLSEC), pp. 39–48. ACM Press, Fairfax (2003)
Jammalamadaka, R.C., Mehrotra, S.: Querying encrypted XML documents. In: Proceedings of the 10th International Database Engineering and Applications Symposium (IDEAS), pp. 129–136. IEEE Computer Society, Washington (2006)
Jiang M., Fu A.W.-C.: Integration and efficient lookup of compressed XML accessibility maps. IEEE Trans. Knowl. Data Eng. (TKDE) 17(7), 939–953 (2005)
Kudo, M., Hada, S.: XML access control language: Provisional authorization for XML documents. http://www.trl.ibm.com/projects/xml/xacl/xacl-spec.html (2000)
Kudo, M., Hada, S.: XML document security based on provisional authorization. In: Proceedings of the 7th ACM Conference on Computer and Communications Security (CCS), pp. 87–96. ACM Press, New York (2000)
Kuper, G., Massacci, F., Rassadko, N.: Generalized XML security views. In: Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 77–84. ACM Press, New York (2005)
Lunt, T.F., Schell, R.R., Shockley, W.R., Heckman, M., Warren, D.: A near-term design for the SeaView multilevel database system. In: Proceedings of IEEE Symposium on Security and Privacy (SSP-88), pp. 234–244. IEEE Computer Society Press, Washington (1988)
Lunt T.F., Denning D.E., Schell R.R., Mark H., Shockley W.R.: The SeaView security model. IEEE Trans. Softw. Eng. (TOSE) 16(6), 593–607 (1990)
Luo, B., Lee, D., Lee, W.-C., Liu, P.: QFilter: Fine-grained run-time XML access control via NFA-based query rewriting. In: Proceedings of the thirteenth ACM international conference on Information and knowledge management (CIKM’04), pp. 543–552. ACM Press, New York (2004)
Miklau, G., Suciu, D.: Controlling access to published data using cryptography. In: Proceedings of the 29th Conference on Very Large Data Bases (VLDB’03), pp. 898–909, September (2003)
Mohan, S., Sengupta, A., Wu, Y., Klinginsmith, J.: Access control for XML—a dynamic query rewriting approach. In: Proceedings of the 32th Conference on Very Large Data Bases (VLDB’06), pp. 1–12. VLDB Endowment, Seoul, Korea (2006)
Murata, M., Tozawa, A., Kudo, M., Hada, S.: XML access control using static analysis. In: Proceedings of the 10th ACM Conference on Computer and Communication Security (CCS’03), pp. 73–84. ACM Press, New York (2003)
Qi, N., Kudo, M.: XML access control with policy matching tree. In: Proceedings of the 10th European Symposium on Research in Computer Security (ESORICS’05). Lecture Notes in Computer Science, vol. 3679, pp. 3–23. Springer, Heidelberg (2005)
Qian, X.: View-based access control with high assurance. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy (SSP’96), p. 85. IEEE Computer Society, Washington (1996)
Schrefl, M., Grun, K., Dorn, J.: Semcrypt—ensuring privacy of electronic documents through semantic-based encrypted query processing. In: Proceedings of the 21st International Conference on Data Engineering Workshops (ICDEW’05), p. 1191. IEEE Computer Society, Washington (2005)
Stachour P.D., Thuraisingham B.: Design of LDV: a multilevel secure relational database management system. IEEE Trans. Knowl. Data Eng. (TKDE) 2(2), 190–209 (1990)
Stoica, A.G., Farkas, C.: Secure XML views. In: Proceedings of the 16th International Conference on Data and Applications Security (IFIP’02). IFIP Conference Proceedings, vol. 256, pp. 133–146. Kluwer, Dordrecht (2002)
Vercammen, R., Hidders, J., Paredaens, J.: Query translation for XPath-based security views. In: Proceedings of EDBT Workshops, pp. 250–263 (2006)
Wang, H. (Wendy), Lakshmanan, L.V.S.: Efficient secure query evaluation over encrypted XML databases. In: Proceedings of the 32th Conference on Very Large Data Bases (VLDB’06), pp. 127–138. VLDB Endowment, Seoul, Korea (2006)
Wang, J., Osborn, S.L.: A role-based approach to access control for XML databases. In: Proceedings of the 9th ACM symposium on Access control models and technologies (SACMAT’04), pp. 70–77. ACM Press, New York (2004)
Wilson, J.: Views as the security objects in a multilevel secure relational database management system, pp. 70–84. IEEE Computer Society Press, Washington (1988)
Yang, X., Li, C.: Secure XML publishing without information leakage in the presence of data inference. In: Proceedings of the 30th Conference on Very Large Data Bases (VLDB’04), pp. 96–107 (2004)
Yang, Y., Ng, W., Lau, H.L., Cheng, J.: An efficient approach to support querying secure outsourced XML information. Lecture Notes in Computer Science, vol. 4001/2006, pp. 157–171. Springer, Berlin/Heidelberg (2006)
Yu T., Srivastava D., Lakshmanan L.V.S., Jagadish H.V.: A compressed accessibility map for XML. ACM Trans. Database Syst. (TODS) 29(2), 363–402 (2004)
Zhang, H., Zhang, N., Salem, K., Zhuo, D.: Compact access control labeling for efficient secure XML query evaluation. In: Proceedings of the 21st International Conference on Data Engineering Workshops (ICDEW’05), p. 1275 (2005)
Cite this article
Kuper, G., Massacci, F. & Rassadko, N. Generalized XML security views. Int. J. Inf. Secur. 8, 173–203 (2009). https://doi.org/10.1007/s10207-008-0074-x