Generalized XML security views

  • Regular Contribution
International Journal of Information Security

Abstract

We investigate a generalization of the notion of XML security view introduced by Stoica and Farkas (Proceedings of the 16th International Conference on Data and Applications Security (IFIP’02). IFIP Conference Proceedings, vol. 256, pp. 133–146. Kluwer, Dordrecht, 2002) and later refined by Fan et al. (Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD’04), pp. 587–598. ACM Press, New York, 2004). The model consists of access control policies specified over DTDs with XPath expressions for data-dependent access control. We provide the notion of security views characterizing information accessible to authorized users. This is a transformed DTD schema that can be used by users for query formulation. We develop an algorithm to materialize an authorized version of the document from the view and an algorithm to construct the view from an access control specification. We show that our view construction combined with materialization produces the same result as the direct application of the DTD access specification on the document. We also propose a number of generalizations of possible security policies and show how they affect the view construction algorithm. Finally, we provide an evaluation of our system.

References

  1. XMark—An XML Benchmark Project. http://monetdb.cwi.nl/xml/index.html

  2. Alon N., Milo T., Neven F., Suciu D., Vianu V.: Typechecking xml views of relational databases. ACM Trans. Comput. Log. 4(3), 315–354 (2003)

  3. Anutariya, C., Chatvichienchai, S., Iwaihara, M., Wuwongse, V., Kambayashi, Y.: A rule-based XML access control model. In: RuleML, pp. 35–48 (2003)

  4. Benedikt, M., Chan, C., Fan, W., Rastogi, R., Zheng, S., Zhou, A.: DTD-directed publishing with attribute translation grammars. In: Proceedings of the 28th Conference on Very Large Data Bases (VLDB’02) (2002)

  5. Benedikt, M., Fan, W., Kuper, G.M.: Structural properties of XPath fragments. In: Proceedings of the 13th International Conference on Database Theory (ICDT’03) (2003)

  6. Bertino E., Jajodia S., Samarati P.: A flexible authorization mechanism for relational data management systems. ACM Trans. Inf. Syst. (TOIS) 17(2), 101–140 (1999)

  7. Bertino, E., Braun, M., Castano, S., Ferrari, E., Mesiti, M.: Author-X: A Java-based system for XML data protection. In: Proceedings of the IFIP TC11/WG11.3 Fourteenth Annual Working Conference on Database Security, pp. 15–26. Kluwer, Dordrecht (2001)

  8. Bertino E., Carminati B., Ferrari E., Thuraisingham B., Gupta A.: Selective and authentic third-party distribution of XML documents. IEEE Trans. Knowl. Data Eng. (TKDE) 16(10), 1263–1278 (2004)

  9. Bertino E., Ferrari E.: Secure and selective dissemination of XML documents. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(3), 290–331 (2002)

  10. Bouganim, L., Ngoc, F.D., Pucheral, P.: Client-based access control management for xml documents. In: Proceedings of the 30th Conference on Very Large Data Bases (VLDB’04), pp. 84–95 (2004)

  11. Boulahia-Cuppens, N., Cuppens, F., Gabillon, A., Yazdanian, K.: Multiview model for object-oriented database. In: Proceedings of the Annual Computer Security Applications Conference, pp. 222–231 (1993)

  12. Bray, T., Paoli, J., Sperberg-McQueen, C.M.: Extensible Markup Language (XML) 1.0. W3C, February 1998

  13. Carminati, B., Ferrari, E., Bertino, E.: Securing XML data in third-party distribution systems. In: Proceedings of the Fourteenth International Conference on Information and Knowledge Management (CIKM), pp. 99–106. ACM Press, Bremen (2005)

  14. Cho, S., Amer-Yahia, S., Lakshmanan, L.V.S., Srivastava, D.: Optimizing the secure evaluation of twig queries. In: Proceedings of the 28th Conference on Very Large Data Bases (VLDB’02), pp. 490–501 (2002)

  15. Clark, J., DeRose, S.: XML path language (XPath) version 1.0. W3C Recommendation, November 1999. http://www.w3.org/TR/xpath

  16. Crampton, J.: Applying hierarchical and role-based access control to XML documents. In: Proceedings of ACM Workshop on Secure Web Services (SWS’04). ACM Press, Fairfax (2004)

  17. Damiani E., De Capitani di Vimercati S., Paraboschi S., Samarati P.: A fine-grained access control system for XML documents. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(2), 169–202 (2002)

  18. Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., Samarati, P.: Design and implementation of an access control processor for XML documents. In: Proceedings of the 9th International Conference on World Wide Web (WWW’00), pp. 59–75. North-Holland, Amsterdam (2000)

  19. Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., Samarati, P.: Fine grained access control for SOAP e-services. In: Proceedings of the 10th International Conference on World Wide Web (WWW’01), pp. 504–513. ACM Press, New York (2001)

  20. De Capitani di Vimercati S., Samarati P.: Access control: Policies, models, and mechanism. In: Focardi, R., Gorrieri, F. (eds) Foundations of Security Analysis and Design—Tutorial Lectures. Lecture Notes in Computer Science, vol. 2171. Springer, Heidelberg (2001)

  21. Fallside, D.C., Walmsley, P.: XML Schema Part 0: Primer, 2nd edn. W3C Recommendation. http://www.w3.org/TR/xmlschema-0/, 2004

  22. Fan, W., Chan, C.-Y., Garofalakis, M.: Secure XML querying with security views. In: Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data (SIGMOD’04), pp. 587–598. ACM Press, New York (2004)

  23. Gabillon, A., Bruno, E.: Regulating access to XML documents. In: Proceedings of the IFIP TC11/WG11.3 Fifteenth Annual Working Conference on Database and Application Security, pp. 299–314. Kluwer, Niagara (2001)

  24. Geuer-Pollmann, C.: XML pool encryption. In: Proceedings of the 1st ACM Workshop On XML Security (XMLSEC’02), pp. 1–9. ACM Press, Fairfax (2002)

  25. Goel, S.K., Clifton, C., Rosenthal, A.: Derived access control specification for XML. In: Proceedings of the 2nd ACM Workshop On XML Security (XMLSEC’03), pp. 1–14. ACM Press, New York (2003)

  26. Gottlob, G., Koch, C., Pichler, R.: Efficient algorithm for processing XPath queries. In: Proceedings of the 28th Conference on Very Large Data Bases (VLDB’02) (2002)

  27. Gottlob G., Koch C., Pichler R.: Efficient algorithms for processing XPath queries. ACM Trans. Database Syst. 30(2), 444–491 (2005)

  28. Gowadia, V., Farkas, C.: RDF metadata for XML access control. In: Proceedings of the 2nd ACM Workshop On XML Security (XMLSEC), pp. 39–48. ACM Press, Fairfax (2003)

  29. Jammalamadaka, R.C., Mehrotra, S.: Querying encrypted XML documents. In: Proceedings of the 10th International Database Engineering and Applications Symposium (IDEAS), pp. 129–136. IEEE Computer Society, Washington (2006)

  30. Jiang M., Fu A.W.-C.: Integration and efficient lookup of compressed XML accessibility maps. IEEE Trans. Knowl. Data Eng. (TKDE) 17(7), 939–953 (2005)

  31. Kudo, M., Hada, S.: XML access control language: Provisional authorization for XML documents. http://www.trl.ibm.com/projects/xml/xacl/xacl-spec.html (2000)

  32. Kudo, M., Hada, S.: XML document security based on provisional authorization. In: Proceedings of the 7th ACM Conference on Computer and Communications Security (CCS), pp. 87–96. ACM Press, New York (2000)

  33. Kuper, G., Massacci, F., Rassadko, N.: Generalized XML security views. In: Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 77–84. ACM Press, New York (2005)

  34. Lunt, T.F., Schell, R.R., Shockley, W.R., Heckman, M., Warren, D.: A near-term design for the SeaView multilevel database system. In: Proceedings of IEEE Symposium on Security and Privacy (SSP-88), pp. 234–244. IEEE Computer Society Press, Washington (1988)

  35. Lunt T.F., Denning D.E., Schell R.R., Mark H., Shockley W.R.: The SeaView security model. IEEE Trans. Softw. Eng. (TOSE) 16(6), 593–607 (1990)

  36. Luo, B., Lee, D., Lee, W.-C., Liu, P.: QFilter: Fine-grained run-time XML access control via NFA-based query rewriting. In: Proceedings of the thirteenth ACM international conference on Information and knowledge management (CIKM’04), pp. 543–552. ACM Press, New York (2004)

  37. Miklau, G., Suciu, D.: Controlling access to published data using cryptography. In: Proceedings of the 29th Conference on Very Large Data Bases (VLDB’03), pp. 898–909, September (2003)

  38. Mohan, S., Sengupta, A., Wu, Y., Klinginsmith, J.: Access control for XML—a dynamic query rewriting approach. In: Proceedings of the 32th Conference on Very Large Data Bases (VLDB’06), pp. 1–12. VLDB Endowment, Seoul, Korea (2006)

  39. Murata, M., Tozawa, A., Kudo, M., Hada, S.: XML access control using static analysis. In: Proceedings of the 10th ACM Conference on Computer and Communication Security (CCS’03), pp. 73–84. ACM Press, New York (2003)

  40. Qi, N., Kudo, M.: XML access control with policy matching tree. In: Proceedings of the 10th European Symposium on Research in Computer Security (ESORICS’05). Lecture Notes in Computer Science, vol. 3679, pp. 3–23. Springer, Heidelberg (2005)

  41. Qian, X.: View-based access control with high assurance. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy (SSP’96), p. 85. IEEE Computer Society, Washington (1996)

  42. Schrefl, M., Grun, K., Dorn, J.: Semcrypt—ensuring privacy of electronic documents through semantic-based encrypted query processing. In: Proceedings of the 21st International Conference on Data Engineering Workshops (ICDEW’05), p. 1191. IEEE Computer Society, Washington (2005)

  43. Stachour P.D., Thuraisingham B.: Design of LDV: a multilevel secure relational database management system. IEEE Trans. Knowl. Data Eng. (TKDE) 2(2), 190–209 (1990)

  44. Stoica, A.G., Farkas, C.: Secure XML views. In: Proceedings of the 16th International Conference on Data and Applications Security (IFIP’02). IFIP Conference Proceedings, vol. 256, pp. 133–146. Kluwer, Dordrecht (2002)

  45. Vercammen, R., Hidders, J., Paredaens, J.: Query translation for XPath-based security views. In: Proceedings of EDBT Workshops, pp. 250–263 (2006)

  46. Wang, H. (Wendy), Lakshmanan, L.V.S.: Efficient secure query evaluation over encrypted XML databases. In: Proceedings of the 32th Conference on Very Large Data Bases (VLDB’06), pp. 127–138. VLDB Endowment, Seoul, Korea (2006)

  47. Wang, J., Osborn, S.L.: A role-based approach to access control for XML databases. In: Proceedings of the 9th ACM symposium on Access control models and technologies (SACMAT’04), pp. 70–77. ACM Press, New York (2004)

  48. Wilson, J.: Views as the security objects in a multilevel secure relational database management system, pp. 70–84. IEEE Computer Society Press, Washington (1988)

  49. Yang, X., Li, C.: Secure XML publishing without information leakage in the presence of data inference. In: Proceedings of the 30th Conference on Very Large Data Bases (VLDB’04), pp. 96–107 (2004)

  50. Yang, Y., Ng, W., Lau, H.L., Cheng, J.: An efficient approach to support querying secure outsourced XML information. Lecture Notes in Computer Science, vol. 4001/2006, pp. 157–171. Springer, Berlin/Heidelberg (2006)

  51. Yu T., Srivastava D., Lakshmanan L.V.S., Jagadish H.V.: A compressed accessibility map for XML. ACM Trans. Database Syst. (TODS) 29(2), 363–402 (2004)

  52. Zhang, H., Zhang, N., Salem, K., Zhuo, D.: Compact access control labeling for efficient secure XML query evaluation. In: Proceedings of the 21st International Conference on Data Engineering Workshops (ICDEW’05), p. 1275 (2005)

Author information

Correspondence to Nataliya Rassadko.

About this article

Cite this article

Kuper, G., Massacci, F. & Rassadko, N. Generalized XML security views. Int. J. Inf. Secur. 8, 173–203 (2009). https://doi.org/10.1007/s10207-008-0074-x

  • DOI: https://doi.org/10.1007/s10207-008-0074-x
