Abstract
To provide fine-grained access control to data in an XML document, an XML access control policy is defined based on the contents and structure of the document. In this paper, we discuss the confidential information leakage problem caused by an unsecure-update, which modifies contents or structures of the document that the access control policy refers to. To solve this problem, we propose an algorithm that computes the update constraints of a user on some data in the document under the user’s access control policy. We also propose an algorithm that decides whether a given update request of a user against an XML document is an unsecure-update under the user’s access control policy.
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Chatvichienchai, S., Iwaihara, M. (2006). Detecting Information Leakage in Updating XML Documents of Fine-Grained Access Control. In: Bressan, S., Küng, J., Wagner, R. (eds) Database and Expert Systems Applications. DEXA 2006. Lecture Notes in Computer Science, vol 4080. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11827405_28
DOI: https://doi.org/10.1007/11827405_28
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-37871-6
Online ISBN: 978-3-540-37872-3
eBook Packages: Computer Science (R0)