XML Access Control Koukis Dimitris Padeleris Pashalis.


1 XML Access Control Koukis Dimitris Padeleris Pashalis

2 Presentation Overview
- Access Control: definition and implementation problems
- General ideas for access control
- Two implementations: ACP and XACL
- A size reduction method

3 Why do we need Access Control in XML Documents?
- It provides a way to give privileges specific to: users and user groups, locations, symbolic names (e.g. domains)
- It defines privileges for every object and group of objects in the XML document

4 Implementation Problems
- Storing and transmitting over a network all the access control data of a single object can introduce a serious overhead.
- Parsing the access control data and taking decisions needs a lot of computing power.

5 Implementation Problems (cont)
- There is more than one policy, and more than one conflict resolution implementation, each with its advantages and disadvantages.
- Deciding which privilege is the most powerful when more than one applies.
- Default decisions when conflict resolution fails.
- Current implementations do not provide a well defined access control model.

6 General Ideas of Access Control Implementations
- User access data can be stored inside the XML document.
- The DTD of the document provides the syntax for the access information.
- The XML parser must understand the meaning of the access data.

7 General Ideas of Access Control Implementations (cont)
- User access data can be stored in a separate file associated with the XML document.
- The file can be parsed by a separate parser.
- The file has a predefined syntax.

8 ACP: An XML Access control implementation

9 ACP: An XML Access control implementation
- Provides an implementation that solves some of the previously mentioned problems.
- Uses the idea of a “separate file” for the access data; this file is called an “XML Access Sheet” or XAS.
- Defines a syntax for the XAS.
- Supports one XAS for the DTD and another for the document.
- Supports user, group, location and domain access control.

10 Syntax of the XAS (subject, object, action, sign, type): Subject
- A tuple with the information of the user: (user/group, location, symbolic name)
- User/group is defined as a DAG with the “public” group as the source and the user names as the sinks.
- Location is defined by an IP address.
- Symbolic name is defined by a domain name.

11 Syntax of the XAS (subject, object, action, sign, type): Object
- An XPath expression that points to an object or a set of objects in the XML document.
- The action is granted or denied to this object.

12 Syntax of the XAS (subject, object, action, sign, type): Action
- Read, write, delete, insert, etc.
- Only read is well defined in the ACP.
- Read is the most common case in XML documents.
- Write and other actions can be supported by extending the read model.

13 Syntax of the XAS (subject, object, action, sign, type): Sign (+/-) grants or denies the Action.

14 Syntax of the XAS (subject, object, action, sign, type): Type
- Defines the strength of the tuple: whether it is recursive or local, and whether it is overridden by another tuple.
- Values in descending strength: LDH, RDH, L, RL, LD, RD, LS, RS

15 A closer look at type. ACP specifies that:
- Instance level privileges are stronger than DTD level privileges.
- Local (object specific) privileges are stronger than recursive ones.
- You can override the Instance > DTD order by defining a Soft or a Hard type.

16 Type and Conflict resolution
- Type provides a way to identify which policy is the correct one for an XML object.
- The default policy used for ACP: Local > Recursive; Instance level XAS > DTD level XAS; Hard keyword > (no keyword) > Soft keyword
- The policy can be changed without affecting the rest of the model.

17 Example of a XAS Tuple (Subject, Object, Action, Sign, Type)
Subject (group/user, location, domain) | Object (XPath query) | Action (Read/Write etc.) | Sign (Grant/Deny) | Type (LDH, RDH, L, etc.)
(Public, *, *.ics.forth.gr)             | /department//name    | Read                     | +                 | L
(Nick, 139.91.157.52, *)                | /department//name    | Read                     | -                 | RDH
RDH is stronger than L, so Nick cannot read the names.

18 Example of a XAS file
XAS entries: ,department.xml:/department//name,Read,+,L> ,dtd.xml:/department//name,Read,-,RDH>
XML document: …… CSD … … George …
All fields in an XML document
Result: All users from domain name *.ics.forth.gr, except Nick when connected from location 139.91.157.52, can read the field of the department.xml document.

19 The ACP computations cycle (diagram: Compute View Algorithm; inputs XAS, XML document, DTD; parsing into a DOM tree; loosening into a Loose DTD; User Request; unpacking into the transformed XML document)

20 Compute View Algorithm
- Input: DOM tree of the document, view request
- Returns: DOM tree for the requested view that complies with the subject's permissions
- Four steps:
  1. Initial Label → sets the access labels on the DOM tree
  2. Set Label → applies the access policy
  3. Get Final Label → propagates the privileges from parent to child
  4. Prune → removes all tree nodes except those signed “+”
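As an added example (not code from the presentation or from the ACP authors), the following Python sketch runs the four steps of the Compute View algorithm for the two XAS tuples of the slide 17 example against a constructed department.xml. Everything beyond the slides is an assumption: the user/group DAG, the document, the default-deny decision when no tuple applies or when conflict resolution fails, the propagation rule (an unlabelled node inherits its parent's label only when that label came from a recursive tuple), and the treatment of a “-” node that still contains a “+” descendant (kept as an empty container so the path to the readable node survives pruning). The type ranking is the slide 14 list taken as written.

```python
import ipaddress
import xml.etree.ElementTree as ET
from fnmatch import fnmatch

# Types in descending strength, as listed on slide 14 (the slide writes the
# recursive instance-level type as "RL"; that token is kept as given).
TYPE_RANK = {t: i for i, t in enumerate(
    ["LDH", "RDH", "L", "RL", "LD", "RD", "LS", "RS"])}

# Constructed user/group DAG: "public" is the source, user names are the sinks.
GROUP_PARENTS = {"Nick": ["staff"], "George": ["staff"], "staff": ["public"]}

# Constructed XAS holding the two tuples of the slide 17 example:
# (subject, object, action, sign, type), subject = (user/group, location, domain).
XAS = [
    (("public", "*", "*.ics.forth.gr"), "/department//name", "Read", "+", "L"),
    (("Nick", "139.91.157.52", "*"), "/department//name", "Read", "-", "RDH"),
]

# Constructed document standing in for department.xml.
DOC = ("<department><name>CSD</name><staff><person>"
       "<name>George</name></person></staff></department>")


def subject_matches(subject, user, ip, host):
    """True when the requester is the named user or reaches the named group
    walking up the DAG, the IP lies in the location and the host name matches
    the domain pattern; "*" matches anything."""
    group, location, domain = subject
    stack, seen, in_group = [user], {user}, False
    while stack:
        g = stack.pop()
        if g == group:
            in_group = True
            break
        for p in GROUP_PARENTS.get(g, ()):
            if p not in seen:
                seen.add(p)
                stack.append(p)
    loc_ok = location == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(location, strict=False)
    dom_ok = domain == "*" or fnmatch(host, domain)
    return in_group and loc_ok and dom_ok


def compute_view(doc, user, ip, host, action="Read", default_sign="-"):
    """Label the DOM tree in four steps and return the pruned view as a string,
    or None when nothing is readable for this subject."""
    root = ET.fromstring(doc)
    wrapper = ET.Element("wrapper")   # lets "/department//name" be resolved with
    wrapper.append(root)              # ElementTree's relative XPath subset
    parent = {c: p for p in root.iter() for c in p}

    # 1. Initial label: attach each applicable tuple to the nodes it selects.
    candidates = {n: [] for n in root.iter()}
    for subject, obj, act, sign, typ in XAS:
        if act != action or not subject_matches(subject, user, ip, host):
            continue
        for node in wrapper.findall("." + obj):
            candidates[node].append((TYPE_RANK[typ], sign, typ.startswith("R")))

    # 2. Set label: the strongest (lowest-ranked) type decides the sign; equal
    #    strength with opposite signs is an unresolved conflict -> default.
    own = {}
    for node, cands in candidates.items():
        if not cands:
            continue
        best = min(rank for rank, _, _ in cands)
        winners = {(sign, rec) for rank, sign, rec in cands if rank == best}
        own[node] = winners.pop() if len({s for s, _ in winners}) == 1 else (default_sign, False)

    # 3. Get final label: root.iter() visits parents before children, so an
    #    unlabelled node can inherit a recursive parent label.
    final = {}
    for node in root.iter():
        p = parent.get(node)
        if node in own:
            final[node] = own[node]
        elif p is not None and final[p][1]:
            final[node] = final[p]
        else:
            final[node] = (default_sign, False)

    # 4. Prune: keep "+" nodes and the bare skeleton leading down to them.
    def has_plus(node):
        return any(final[d][0] == "+" for d in node.iter())

    def prune(node):
        for child in list(node):
            if final[child][0] == "+":
                prune(child)
            elif has_plus(child):
                child.text = None
                child.attrib.clear()
                prune(child)
            else:
                node.remove(child)

    if not has_plus(root):
        return None
    if final[root][0] != "+":
        root.text = None
        root.attrib.clear()
    prune(root)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(compute_view(DOC, "George", "139.91.157.10", "pc.ics.forth.gr"))
    print(compute_view(DOC, "Nick", "139.91.157.52", "pc.ics.forth.gr"))
```

Run as a script it prints the full document for George connecting from a *.ics.forth.gr host and None for Nick connecting from 139.91.157.52, because the RDH tuple outranks the L tuple exactly as slide 17 states; Nick from any other address, or any staff member from outside the domain, can be checked the same way.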


22 XML Access Control Language

23
- Improves the semantics of ACP
- Defines policy also for updates (write / delete)
- Access information is stored at DTD or instance level
- Same functioning as ACP

24 XACL tuple syntax (Subject, Object, Action, Conditions)

25 XACL tuple syntax (cont) (Subject, Object, Action, Conditions): Subject represents the user/initiator; contains uid, role, group.

26 XACL tuple syntax (cont) (Subject, Object, Action, Conditions): Object describes the element or set of elements in the XML document, identified by XPath expressions.

27 XACL tuple syntax (cont) (Subject, Object, Action, Conditions): Action
- Specifies if the action is granted or denied: read / write / create / delete
- Can also contain a provisional action, executed before or after the specific action, on success or failure, e.g. log, encrypt

28 XACL tuple syntax (cont) (Subject, Object, Action, Conditions): Conditions
- Represents a logical expression that should be true in order for the action to be granted
- Example: User can access specific data before 23/4/1998 (condition: before, Today, 23/4/1998)

29 XACL Policy
- The policy element represents the way access is computed
- Specify propagation: No, Up, Down
- Specify conflict resolution: Denial, Grant, Nothing
- Default policy

30 XACL Example Alice 123456789 Alice

31 Access Evaluation
- The access evaluator takes an access request
- The initiator must provide subject, object, action
- Two types: Query vs. Execution
- Produces a decision that contains results for each action in the request

32 Access Evaluation Algorithm
- Matching
- Conflict resolution
- Propagation
- Apply default policy
- Select only one decision
- Request execution
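As an added example (not code from the presentation or from the XACL authors), this Python sketch walks the evaluation steps of slides 27 to 32 for one request: matching on subject attributes, action and condition; conflict resolution with the policy's Denial/Grant/Nothing setting; Down propagation from the nearest decided ancestor; the default policy; and the provisional actions (log, encrypt) of the rules that produced the single returned decision, run on success or on failure. The document, the rules, the policy dictionary and its value names, the representation of conditions as predicates, and the “on-failure” timing for provisional actions are all constructed assumptions; only No and Down propagation are implemented.

```python
import xml.etree.ElementTree as ET

# Constructed document (names echo the slides' Alice example).
DOC = "<record><patient><name>Alice</name><ssn>123456789</ssn></patient></record>"

# Constructed policy block with the three settings of slide 29. Assumed values:
# propagation "no"/"down", conflict "denial"/"grant"/"nothing", default "grant"/"deny".
POLICY = {"propagation": "down", "conflict": "denial", "default": "deny"}
CONFLICT = {"denial": "deny", "grant": "grant", "nothing": None}

# Constructed XACL rules. subject: uid/role/group attributes the requester must
# carry; condition: predicate over the request context (dates as ISO strings);
# provisional: actions run on a grant ("before"/"after" the access) or on a
# denial ("on-failure").
RULES = [
    {"subject": {"role": "doctor"}, "object": "/record/patient", "action": "read",
     "permission": "grant", "condition": lambda ctx: ctx["today"] < "1998-04-23",
     "provisional": [("after", "log")]},
    {"subject": {"group": "staff"}, "object": "/record/patient/ssn", "action": "read",
     "permission": "deny", "condition": lambda ctx: True,
     "provisional": [("on-failure", "log")]},
    {"subject": {"uid": "Alice"}, "object": "/record/patient/ssn", "action": "read",
     "permission": "grant", "condition": lambda ctx: True,
     "provisional": [("before", "encrypt")]},
]


def evaluate(doc, requester, target, action, ctx, policy=POLICY):
    """Return (decision, provisional actions executed) for one access request."""
    root = ET.fromstring(doc)
    wrapper = ET.Element("wrapper")   # lets absolute XPaths be resolved with
    wrapper.append(root)              # ElementTree's relative XPath subset
    parent = {c: p for p in root.iter() for c in p}
    node = wrapper.findall("." + target)[0]

    # 1. Matching: subject attributes, action, and a condition that holds now.
    matched = [r for r in RULES
               if r["action"] == action and r["condition"](ctx)
               and all(requester.get(k) == v for k, v in r["subject"].items())]
    selected = [set(wrapper.findall("." + r["object"])) for r in matched]

    # 2./3. Conflict resolution on the target node, then propagation: with
    # "down", an undecided node takes the decision of its nearest decided ancestor.
    decision, applied, cur = None, [], node
    while cur is not None:
        here = [r for r, nodes in zip(matched, selected) if cur in nodes]
        perms = {r["permission"] for r in here}
        if perms == {"grant", "deny"}:
            decision = CONFLICT[policy["conflict"]]
        elif perms:
            decision = perms.pop()
        if decision is not None:
            applied = [r for r in here if r["permission"] == decision]
            break
        cur = parent.get(cur) if policy["propagation"] == "down" else None

    # 4. Default policy when nothing decided.
    if decision is None:
        decision = policy["default"]

    # 5. One decision is returned; the provisional actions of the rules that
    # produced it run according to the success or failure of the access.
    executed = [f"{timing}:{name}" for r in applied for timing, name in r["provisional"]
                if (decision == "grant") == (timing != "on-failure")]
    return decision, executed


if __name__ == "__main__":
    doctor = {"uid": "Bob", "role": "doctor", "group": "staff"}
    print(evaluate(DOC, doctor, "/record/patient/name", "read", {"today": "1998-01-01"}))
    print(evaluate(DOC, {"uid": "Alice", "group": "staff"}, "/record/patient/ssn", "read", {"today": "1998-01-01"}))
```

The doctor's read of the name node is decided by propagation from the patient rule (grant, then the log action runs); the same request after 23/4/1998 fails the condition and falls to the default policy. Alice's read of her ssn matches both a grant and a deny rule, so the policy's conflict setting decides, and changing it to "grant" flips the outcome and the provisional action that runs.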

33 Access Evaluation Example Alice Alice

34 ACP vs. XACL: ACP
- Provides an external file for the access control data.
- Access control data can refer to the DTD or the XML document.
- Predefines the syntax of the XAS.
- Only read operations are completely defined in the ACP model.
- Flexible policy model, easily reformed.
- Policy resolution based on the type of each XML tuple.

35 ACP vs. XACL (cont): XACL
- Access control data stored inside the XML document.
- Access control data in XML format.
- DTD definition of the access control data (policy block) required.
- The XML parser must understand the meaning of the policy block.
- Read, write, delete, etc. operations are fully supported by the model.
- Provisional actions are supported.
- The policy resolution method is defined for each document inside the policy block.

36 ACP vs. XACL
- XACL is better defined and more flexible than ACP.
- More functionality provided without introducing external files.
- XACL uses XML to define everything, while ACP predefines the syntax of the XAS.
- More flexible policy resolution.

37 Compressed Accessibility Map

38 CAM: Problem Definition
- Efficiently evaluating a stated access control policy over XML documents requires a large amount of space!
- Proposed solution: Compressed Accessibility Map, with a lookup algorithm
- Key: locality

39 Accessibility Map → CAM
- Accessibility map: projection of the XML document tree for each user, consisting of accessible nodes; different types of access
- CAM: exploits structural locality; keeps only “crucial” nodes

40 Locality
- Data items grouped together have similar accessibility properties on a per-user basis
- Find regions of uniform accessibility of descendants
- A node's label represents accessibility for: the node itself, s (s+, s-); its descendants, d (d+, d-)

41 Accessible Node: induced label of a node
1. Label of the node
2. If ancestor (d+,s+) then (d+,s+)
3. If ancestor (d-,s-) then (d-,s-)
4. If ancestor (d-,s+) then: if a descendant is (d-,s+) or (d+,s+) then (d-,s+), else (d-,s-)
5. If there is no labeled ancestor then undefined

42 Accessible Node (contd)
- In the previous definition, the ancestor's and descendant's labels should be the original ones, not induced
- A node is accessible if it has an induced label (d+,s+) or (d-,s+), or if its induced label is undefined and it has an accessible child node; else it is inaccessible

43 Optimal CAM
- In an optimal CAM no redundant labels are retained
- There are several equivalent labelings
- The order in which redundant nodes are deleted is not clear
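As an added example (not code from the presentation or from the CAM paper), the following Python implements the induced-label rules of slides 41 and 42 over a small labelled tree, derives the per-node accessibility map, and then greedily drops labels that do not change that map, which is the compression idea of slides 39 and 43. The tree, its labels and the deletion orders are constructed; two further assumptions are that “ancestor” in the rules means the nearest labelled ancestor, and that an ancestor labelled (d+,s-), which the slides do not cover, induces (d+,s+) in its descendants because d+ declares them all accessible. Running the greedy pass with two different deletion orders shows that the surviving label set depends on the order, as slide 43 notes.

```python
# Labels are (d, s) pairs: d says whether the descendants are accessible,
# s whether the node itself is; each is "+" or "-".

# Constructed tree: node -> list of children.
CHILDREN = {
    "root": ["dept", "misc"],
    "dept": ["staff", "budget", "projects"],
    "staff": ["alice"],
    "alice": ["alice_name"],
    "alice_name": [],
    "budget": ["q1"],
    "q1": [],
    "projects": ["p1", "p2"],
    "p1": ["p1_doc"],
    "p1_doc": [],
    "p2": [],
    "misc": [],
}
# Constructed labels (original, not induced).
LABELS = {
    "dept": ("-", "+"),    # dept itself readable, its subtree closed by default
    "staff": ("+", "+"),   # the whole staff subtree readable
    "alice": ("+", "+"),   # redundant while staff keeps its label
    "budget": ("-", "-"),  # budget and its subtree hidden
    "p1": ("+", "+"),      # one project opened inside the closed region
}


def parents_of(children):
    return {c: p for p, cs in children.items() for c in cs}


def descendants(children, node):
    out, stack = [], list(children[node])
    while stack:
        n = stack.pop()
        out.append(n)
        stack.extend(children[n])
    return out


def induced_label(children, parent, labels, node):
    """Rules 1-5 of slide 41, consulting only original labels (slide 42).
    Assumption: the ancestor meant is the nearest labelled one."""
    if node in labels:                                   # rule 1
        return labels[node]
    anc = parent.get(node)
    while anc is not None and anc not in labels:
        anc = parent.get(anc)
    if anc is None:                                      # rule 5
        return None
    a = labels[anc]
    if a == ("+", "+"):                                  # rule 2
        return ("+", "+")
    if a == ("-", "-"):                                  # rule 3
        return ("-", "-")
    if a == ("-", "+"):                                  # rule 4
        if any(labels.get(d) in (("-", "+"), ("+", "+")) for d in descendants(children, node)):
            return ("-", "+")
        return ("-", "-")
    # Ancestor (d+,s-): not covered on the slides; d+ means every descendant
    # is accessible, so it is treated like (d+,s+) here (assumption).
    return ("+", "+")


def accessible(children, parent, labels, node):
    """Slide 42: accessible on (d+,s+) or (d-,s+); an undefined node is
    accessible if some child is; everything else is inaccessible."""
    lab = induced_label(children, parent, labels, node)
    if lab in (("+", "+"), ("-", "+")):
        return True
    if lab is None:
        return any(accessible(children, parent, labels, c) for c in children[node])
    return False


def accessibility_map(children, labels, root="root"):
    parent = parents_of(children)
    return {n: accessible(children, parent, labels, n) for n in [root] + descendants(children, root)}


def compress(children, labels, order, root="root"):
    """Greedy CAM: drop a label whenever the map is unchanged without it.
    The surviving set depends on the deletion order (slide 43)."""
    kept, full = dict(labels), accessibility_map(children, labels, root)
    for node in order:
        trial = {n: l for n, l in kept.items() if n != node}
        if accessibility_map(children, trial, root) == full:
            kept = trial
    return kept


if __name__ == "__main__":
    print(accessibility_map(CHILDREN, LABELS))
    print(compress(CHILDREN, LABELS, ["dept", "staff", "alice", "budget", "p1"]))
    print(compress(CHILDREN, LABELS, ["p1", "budget", "alice", "staff", "dept"]))
```

Both deletion orders produce a two-label CAM that yields the same accessibility map as the five original labels, but one keeps the label on alice and the other the label on staff: the two labels are each redundant given the other, so whichever is examined first is removed.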

44 Example (figure: a labelled tree with the labels (d-,s+), (d+,s+), (d-,s+); legend: accessible nodes, not accessible nodes)

45 Experimental Verification
- Synthetic XML data: large accessibility ratio → good compression; CAM size increases more slowly than the accessibility map
- File system data (Unix-like, simulation): efficient for huge file systems (good compression); compression ratio increases linearly with the number of unit regions

46 Conclusion
- Access control solutions: ACP, XACL
- Provide a way to grant different privileges to different users
- XACL is newer and more expressive
- Theory is ok, implementation?

47 References
- XML Access Control Language: Provisional Authorization for XML Documents
- A Fine-Grained Access Control System for XML Documents
- Design and Implementation of an Access Control Processor for XML Documents
- Compressed Accessibility Map: Efficient Access Control for XML

