Privacy query rewriting algorithm instrumented by a privacy-aware access control model

  • Said Oulmakhzoune
  • Nora Cuppens-Boulahia
  • Frédéric Cuppens
  • Stéphane Morucci
  • Mahmoud Barhamgi
  • Djamal Benslimane


In this paper, we present an approach to instrument a SPARQL (Simple Protocol And RDF Query Language) query rewriting algorithm so that it enforces privacy preferences. The term instrument is used to mean supplying the rewriting algorithm with appropriate constraints. We show how to design a real and effective instrumentation process for a rewriting algorithm using an existing privacy-aware access control model such as PrivOrBAC. We take into account several dimensions of privacy preferences through the concepts of consent, accuracy, purpose, and recipient. We implement and evaluate our privacy enforcement process on a healthcare scenario.


Keywords: Privacy-aware; PrivOrBAC; RDF; SPARQL; Rewriting algorithm



This research work is supported by the French National Research Agency project PAIRSE under grant number ANR-09-SEGI-008.



Copyright information

© Institut Mines-Télécom and Springer-Verlag France 2013

Authors and Affiliations

  • Said Oulmakhzoune (1, corresponding author)
  • Nora Cuppens-Boulahia (1)
  • Frédéric Cuppens (1)
  • Stéphane Morucci (2)
  • Mahmoud Barhamgi (3)
  • Djamal Benslimane (3)

  1. Institut Mines-Telecom/Telecom Bretagne, Rennes, France
  2. SWID, Cesson-Sevigne, France
  3. Lyon 1 University, Cedex 622 Villeurbanne, France
