Abstract
In this paper we evaluate security methods for eXtensible Markup Language (XML) and the Resource Description Framework (RDF). We argue that existing models are insufficient to provide high assurance security for future Web-based applications. We begin with a brief overview of XML access control models, where the protection objects are identified by the XML syntax. However, these approaches are limited in their ability to handle updates and structural modifications of XML documents. We argue that XML security methods must be based on the intended meaning of XML and the semantics of the application using XML. We identify two promising research directions to extend the XML model with semantics. The first approach incorporates traditional database concepts, like key and integrity constraints, in the XML model. The second approach aims to associate XML documents with metadata supporting Web-based applications. We propose the development of security models based on these semantics-oriented approaches to achieve high assurance. Further, we investigate the security needs of Web metadata, like RDF, RDFS, and OWL. In particular, we study the security risks of unwanted inferences and data aggregation supported by these languages.
Copyright information
© 2005 International Federation for Information Processing
About this paper
Cite this paper
Farkas, C., Gowadia, V., Jain, A., Roy, D. (2005). From XML to RDF: Syntax, Semantics, Security, and Integrity (Invited Paper). In: Dowland, P., Furnell, S., Thuraisingham, B., Wang, X.S. (eds) Security Management, Integrity, and Internal Control in Information Systems. IICIS 2004. IFIP International Federation for Information Processing, vol 193. Springer, Boston, MA. https://doi.org/10.1007/0-387-31167-X_3
DOI: https://doi.org/10.1007/0-387-31167-X_3
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-29826-9
Online ISBN: 978-0-387-31167-8
eBook Packages: Computer Science, Computer Science (R0)