Enforce Mandatory Access Control Policy on XML Documents

  • Lan Li
  • Xinghao Jiang
  • Jianhua Li
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3783)


Information stored in XML documents should be protected from unauthorized access. In military or other highly secure environments, mandatory access control (MAC) policy should be enforced on the sensitive information. If we use XML documents to store or exchange information in these environments, we should also enforce MAC policy on these XML documents. In this paper, we discussed a method to enforce fine-grained MAC policy on XML documents. The model of XML document is extended to contain the security information – label. Three kinds of labels are defined to determine the labels of the nodes in XML documents. Security view of XML document under MAC policy is proposed in this paper. The operations on XML documents will be redirected to the security views which contain the proper nodes under MAC policy. Validity of the security views is also described. Four kinds of operations on XML documents are discussed in details to explain how to enforce mandatory access control. The problem of polyinstantiation caused by these operations is also discussed. At last the architecture of enforcing MAC policy on XML documents is presented.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Gummadi, A., Yoon, J.P., Shah, B., Raghavan, V.: A Bitmap-based Access Control for Restricted Views of XML Documents. In: Proc. of the 2003 ACM workshop on XML security, Fairfax, Virginia, USA, October 2003, pp. 60–68 (2003)Google Scholar
  2. 2.
    Lim, C.-H., Park, S., Son, S.H.: Access Control of XML Documents Considering Update Operations. In: Proc. of the 2003 ACM workshop on XML security, Fairfax, Virginia, USA, October 2003, pp. 49–59 (2003)Google Scholar
  3. 3.
    Elliott Bell, D., LaPadula, L.J.: Secure Computer Systems: Unified Exposition and Multics Interpretation. MITRE Corporation, Bedford, MA, USA, ESD-TR-75-306, NTIS #AD-A023588 (March 1976)Google Scholar
  4. 4.
    Bertino, E., Castano, S., Ferrari, E., Mesiti, M.: Specifying and Enforcing Access Control Policies for XML Document Sources. World Wide Web 3(3), 139–151 (2000)zbMATHCrossRefGoogle Scholar
  5. 5.
    Beritino, E., Castano, S., Ferrai, E.: Securing XML documents with Author-x. IEEE Internet Computing, 21–31 (May/June 2001)Google Scholar
  6. 6.
    Damiani, E., Vimercati, S.D.C., Paraboschi, S., Samarati, P.: Design and Implementation of Access Control Processor for XML Documents. Computer Network 33(1-6), 59–75 (2000)CrossRefGoogle Scholar
  7. 7.
    Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., Samarati, P.: A Fine-grained Access Control System for XML Documents. ACM TISSEC 5(2), 169–202 (2002)CrossRefGoogle Scholar
  8. 8.
    Tatarinov, I., Ives, Z., Halevy, A., Weld, D.: Updating XML. In: Proc. of the 2001 ACM SIGMOD International Conference on Management of Data, California, USA, May 2001, pp. 413–424 (2001)Google Scholar
  9. 9.
    Hitchens, M., Varadharajan, V.: RBAC for XML Document Stores. In: Proc. of International Conference on Information and Communications Security, Xian, China, November 2001, pp. 131–143 (2001)Google Scholar
  10. 10.
    Vuong, N.N., Smith, G., Deng, Y.: Managing Security Policies in a Distributed Environment Using eXtensible Markup Language (XML). In: Proc. of Eighth Annual Workshop on Selected Areas of Cryptography, Toronto, Canada, August 2001, pp. 405–411 (2001)Google Scholar
  11. 11.
    OASIS standard: eXtensible Access Control Markup Language (XACML) Version 1.0, February 18 (2003),
  12. 12.
    Chandramouli, R.: Application of XML Tools for Enterprise-Wide RBAC Implementation Tasks. In: Proc. of 5th ACM workshop on Role-based Access Control, Berlin, Germany, July 26-27, pp. 11–18 (2000)Google Scholar
  13. 13.
    Osborn, S., Sandhu, R., Munawer, Q.: Configuring Role -Based Access Control to Enforce Mandatory and Discretionary Access Control Policies. ACM TISSEC 3(2), 85–106 (2000)CrossRefGoogle Scholar
  14. 14.
    Jajodia, S., Sandhu, R.S., Blaustein, B.T.: Solutions to the Polyinstantiation Problem. In: Information Security: An Integrated Collection of Essays, Essay 19. IEEE Computer Society Press, Los Alamitos (1995)Google Scholar
  15. 15.
    Fan, W., Chan, C.-Y., Garofalakis, M.: Secure XML querying with security views. In: Proceedings of the 2004 ACM SIGMOD internal conference on the management of data, Paris, France, June 2004, pp. 587–598 (2004)Google Scholar
  16. 16.
    World Wide Web Consortium (W3C): Extensible Markup Language (XML) 1.0 (October 2000),
  17. 17.
    World Wide Web Consortium (W3C): XML Path Language (XPath) (August 2002),
  18. 18.
    World Wide Web Consortium (W3C): XML Schema Part 0: Primer (May 2001),
  19. 19.
    Zhang, X., Park, J., Sandhu, R.: Schema based XML Security: RBAC Approach, Technical Report, IFIP WG 11.3 (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Lan Li
    • 1
    • 2
  • Xinghao Jiang
    • 1
    • 2
  • Jianhua Li
    • 1
    • 2
  1. 1.School of Information Security EngineeringShanghai Jiao Tong UniversityShanghaiChina
  2. 2.Key Lab of Integrate Administration Technologies for Information SecurityShanghaiChina

Personalised recommendations