1. Data and Applications Security Developments and Directions
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Secure Object Systems
November 2011

2. Outline Background on object systems Discretionary security
Multilevel security
Objects for modeling secure applications
Object Request Brokers
Secure Object Request Brokers
Secure frameworks
Secure Multimedia and Geospatial Systems

3. Concepts in Object Database Systems
Objects- every entity is an object
Example: Book, Film, Employee, Car
Class
Objects with common attributes are grouped into a class
Attributes or Instance Variables
Properties of an object class inherited by the object instances
Class Hierarchy
Parent-Child class hierarchy
Composite objects
Book object with paragraphs, sections etc.
Methods
Functions associated with a class

4. Example Class HierarchyID
Name
Author
Publisher
Document
Class D1 D2
Method1:
Method2:
Print-doc-att(ID)
Print-doc(ID)
Journal
Subclass
Book Subclass
# of Chapters
Volume # B1 J1

5. Example Composite Object
Document
Object
Section 2
Object
Section 1
Object
Paragraph 1
Object
Paragraph 2
Object

6. Security Issues Access Control on Objects, Classes, Attributes etc.
Execute permissions on Methods
Multilevel Security
Security impact on class hierarchies
Security impact on composite hierarchies

7. Objects and Security Secure OODB Secure OODA Secure DOM Persistent
Design and analysis
Infrastructure
data store
Secure OOPL
Programming
Secure Frameworks
language
Business objects
Secure OOT
Technologies
Secure OOM
Unified Object
Model is Evolving

8. Access Control

9. Access Control Hierarchies

10. Secure Object Relational Model

11. Policy Enforcement

12. Sample Systems

13. Multilevel Security

14. Some Security Properties
Security level of an instance must dominate the level of the class
Security level of a subclass must dominate the level of the superclass
Classifying associations between two objects
Method must execute at a level that dominates the level of the method

15. Multilevel Secure Object Relational Systems

16. Sample MLS Object Systems

17. Objects for Secure Applications

18. Object Modeling

19. Dynamic Model

20. Functional Model

21. UML and Policies

22. Distributed Object Management Systems
Integrates heterogeneous applications, systems and databases
Every node, database or application is an object
Connected through a Bus
Examples of Bus include
Object Request Brokers (Object Management Group)
Distributed Component Object Model (Microsoft)

23. Object-based Interoperability
Server
Client
Object
Object
Object Request Broker
Example Object Request Broker: Object Management Group’s (OMG)
CORBA (Common Object Request Broker Architecture)

24. Javasoft’s RMI (Remote Method Invocation)
RMI Business Objects
Clients
Java-based Servers

25. Objects and Security Secure OODB Secure OODA Secure DOM Persistent
Design and analysis
Infrastructure
data store
Secure OOPL
Programming
Secure Frameworks
language
Business objects
Secure OOT
Technologies
Secure OOM
Unified Object
Model is Evolving

26. Secure Object Request Brokers

27. CORBA (Common Object Request Broker Architecture) Security
Security Service provides the following:
Confidentiality
Integrity
Accountability
Availability
URLs
BASecurity.jsp
erview.html

28. OMG Security Specifications

29. CORBA (Common Object Request Broker Architecture) Security
Security Service provides the following:
Confidentiality
Integrity
Accountability
Availability
URLs
BASecurity.jsp
erview.html

30. CORBA (Common Object Request Broker Architecture) Security - 2
Identification and Authentication of Principles
Authorization and Access Control
Security Auditing
Security of communications
Administration of security information
Non repudiation

31. Dependable Object Request Brokers
Navigation
Data Analysis Programming
Display
Consoles
Data Links
Processor
Group (DAPG)
(14)
&
Sensors
Refresh
Channels
Sensor
Multi-Sensor
Detections
Tracks
Technology provided by Project
Integrate Security, Real- time and Fault Tolerance Computing
Future
Future
Future
App
App
App
Data
MSI
Mgmt.
Data
App
Xchg.
Infrastructure Services
Real Time Operating System
Hardware

32. Secure Frameworks

33. Directions Object Models
UML for Security applications is becoming common practice
Secure distributed object systems has gained popularity
Evolution into secure object-based middleware
Secure object-based languages
Integrating security and real-time for object systems
Distributed Objects
Security cannot be an afterthought for object-based interoperability
Use ORBs that have implemented security services
Trends are moving towards Java based interoperability and Enterprise Application Integration (EAI)
Examples of EAI products are Web Sphere (IBM) and Web Logic (BEA)
Security has to be incorporated into EAI products

34. Why Multimedia Data Management System?
Need persistent storage for managing large quantities of multimedia data
A Multimedia data manager manages multimedia data such as text, images, audio, animation, video
Extended by a Browser to produce a Hypermedia data management system
Heterogeneity with respect to data types
Numerous Applications
Entertainment, Defense and Intelligence, Telecommunications, Finance, Medical

35. Architectures: Loose Integration
User Interface
Module for Integrating
Data Manager with File Manager
Data Manager for Metadata
Multimedia
File Manager
Multimedia
Files
Metadata

36. Architectures: Tight Integration
User Interface
MM-DBMS:
Integrated data manager and file manager
Multimedia Database

37. Example: Data Model: Scenario Object A 2000 Frames
Object representation
Object A 2000 Frames
4/95
8/95
5/95
10/95
Object B
3000 Frames

38. Multimedia Data Access: Some approaches
Text data
Selection with index features
Methods: Full text scanning, Inverted files, Document clustering
Audio/Speech data
Pattern matching algorithms
Matching index features given for searching and ones available in the database
Image data
Identifying geometric boundaries, Identifying spatial relationships, Image clustering
Video data
Retrieval with metadata, Pattern matching with images

39. Metadata for Multimedia
Metadata may be annotations and stored in relations
I.e., Metadata from text, images, audio and video are extracted as stored as text
Text metadata may be converted to relations by tagging and extracting concepts
Metadata may be images of video data
E.g., certain frames may be captured as metadata
Multimedia data understanding
Extracting metadata from the multimedia data

40. Storage Methods Single disk storage
Objects belonging to different media types in same disk
Multiple disk storage
Objects distributed across disks
Example: individual media types stored in different disks
I.e., audio in one disk and video in another
Need to synchronize for presentation (real-time techniques)
Multiple disks with striping
Distribute placement of media objects in different disks
Called disk striping

41. Security Issues Access Control Multilevel Security Architecture
Secure Geospatial Information Systems

42. Access Control for Multimedia Databases
Access Control for Text, Images, Audio and Video
Granularity of Protection
Text
John has access to Chapters 1 and 2 but not to 3 and 4
Images
John has access to portions of the image
Access control for pixels?
Video and Audio
John has access to Frames 1000 to 2000
Jane has access only to scenes in US
Security constraints
Association based constraints
E.g., collections of images are classified

43. MLS Security
Problem is that we may not know what may be learned from mining
Can’t “Classify everything”; as some is open source or may have large benefits to being accessible
This is the opposite of statistical queries – we are concerned about preventing generalities from specifics, rather then specifics from generalities – but conceptually similar.
Not the same as induction – data mining finds “rules” that are generally true (high confidence and support), but not necessarily exact.

44. Example Security Architecture: Integrity Lock
Problem is that we may not know what may be learned from mining
Can’t “Classify everything”; as some is open source or may have large benefits to being accessible
This is the opposite of statistical queries – we are concerned about preventing generalities from specifics, rather then specifics from generalities – but conceptually similar.
Not the same as induction – data mining finds “rules” that are generally true (high confidence and support), but not necessarily exact.

45. Inference Control
Problem is that we may not know what may be learned from mining
Can’t “Classify everything”; as some is open source or may have large benefits to being accessible
This is the opposite of statistical queries – we are concerned about preventing generalities from specifics, rather then specifics from generalities – but conceptually similar.
Not the same as induction – data mining finds “rules” that are generally true (high confidence and support), but not necessarily exact.

46. Securing Geospatial Data
Geospatial images could be Digital Raster Images that store images as pixels or Digital Vector Images that store images as points, lines and polygons
GSAM: Geospatial Authorization Model specifies subjects, credentials, objects (e.g, points, lines, pixels etc.) and the access that subjects have to objects
Reference: Authorization Model for Geospatial Data; Atluri and Chun, IEEE Transactions on Dependable and Secure Computing, Volume 1, #4, October – December 2004.
Bhavani M. Thuraisingham, Gal Lavee, Elisa Bertino, Jianping Fan, Latifur Khan: Access control, confidentiality and privacy for video surveillance databases. SACMAT 2006: 1-10
Details will be given in one of the lectures after the mid-term.

47. Secure Geospatial Data Management
References:
Vijayalakshmi Atluri, Soon Ae Chun: An Authorization Model for Geospatial Data. IEEE Trans. Dependable Sec. Comput. 1(4): (2004)
Elisa Bertino, Bhavani M. Thuraisingham, Michael Gertz, Maria Luisa Damiani: Security and privacy for geospatial data: concepts and research directions. SPRINGL 2008:6- 19

48. Securing Geospatial Data
Geospatial images could be Digital Raster Images that store images as pixels or Digital Vector Images that store images as points, lines and polygons
GSAM: Geospatial Authorization Model specifies subjects, credentials, objects (e.g, points, lines, pixels etc.) and the access that subjects have to objects
Reference: Authorization Model for Geospatial Data; Atluri and Chun, IEEE Transactions on Dependable and Secure Computing, Volume 1, #4, October – December 2004.

49. Framework for Geospatial Data Security (Joint with UCDavis and Purdue U.)

50. Example of several GIS repositories and GIS themes/layers for Northern California (Gertz, Bertino, Thuraisingham)
Assume a single GIS data repository that manages information about parcels (being the basic units of geography for local government) and cadastre, including land use and zoning, environmental areas, and municipal utility services.
Such type of repository is typically used by public sector staff to assist property owners and to support emergency, fire, and police operations.
The latter type of usage includes identifying property structures and owners. Parcel maps in particular can be useful to do damage assessment after a disaster.

51. Example (Continued)
They are also an important access point during emergencies for linking data from different GIS repositories. While such types of geospatial are used to serve the public, e.g., through Web-based interfaces, not all data layers are made publicly available. For example, property owner information is not publicly accessible
A similar separation of public and private GIS data can be made for other types of themes. For example, environmental theme layers do not make information about locations of endangered species or nesting sites public.
Based on this type of separation of GIS data, the following question arises: “What security mechanisms are used to specify and enforce different types of access to data in a single GIS repository?”
In particular, “What provisions do GSI data managers have to (1) give public sector staff only access to GIS data relevant to their function, and (2) ensure that no sensitive geospatial data (e.g., parcel owner information) is made publicly available?”
Ideally, GIS repositories should provide access control models and techniques similar to those developed for traditional (relational) databases. However, the diversity of geospatial data (feature-based versus field-based) and the complexity of feature-based geospatial data complicate a coherent and uniform access control model.

52. Policy Example (Bertino, Gertz, Thuraisingham)
Deny/allow policies with flexible granularity, grouping mechanisms for protected objects, and space-related access restrictions.
Deny/allow policies will be supported through the use of positive/negative authorizations; negative authorizations are crucial in order to support exceptions, by which, for example, an authorization is assigned to all objects in a set but one. In our context this paradigm is complicated by the larger options that we provide for denoting protected objects and by the presence of different object representations and dimensions. The main mechanism that we provide to support flexible grouping is based on the notions of object-locator and spatial window. An object-locator is a query expression that may include predicates against properties of feature types, metadata and provenance data. Predicates may also refer to topological relationships holding among the data objects, such as Within and Touches. An example of a policy using Touches is the one allowing a subject, which has access to information on a particular land parcel, to access information about all adjacent land parcels. The query expression may also include a projection component to specify an object representation and components. A spatial window is simply a spatial region in the reference space and denotes the set of object that are inside the boundary of the region. By combining such two mechanisms, one can specify sets of objects such as “all shelters occupying an area greater than 3000sf in Montgomery County”; in such case Montgomery County represents the authorization window. The use of spatial windows is particularly important to

53. Policy Example (Continued)
Active policies.
These are policies that when applied to a protected object perform certain transformations on the object, before returning it to the requester. Two relevant classes are the filtering policies and the obfuscating policies. Filtering policies refer to policies that filter out some portions of the objects before returning them to the users. These policies are directly supported by our object locator mechanisms.
Obfuscating policies
These policies act like filter policies except that they do not simply select objects but perform possibly complex computations on the feature(s) to be returned. Typical examples include computing a lower resolution image, and distorting some vector data (but preserving topological relationships). One can even specify policies that return incorrect data (e.g., as a honey pot in the context of misuse detection). In our model these policies are supported by the projection component, suitably extended with the possibility of invoking functions, of the object locator. We will provide a library including a variety of functions to support obfuscating policies.

54. Policy Example (Concluded)
Context-dependent access control policies.
Under such policies, information from the environment is taken into account by the access control module when taking decisions about access requests. Typical contextual information includes time and subject location. Subject location information is used to specify policies allowing a subject to access a resource only if the current location of the subject verifies certain spatial constraints. Context-dependent access policies will be supported by the introduction of a context component, as part of authorization rules, and by attribute-based specification of subjects in authorization rules.
Event-based access control policies.
Event-based access control policies are novel and are based on the idea that policies can be enabled/disabled depending on the occurrence of specified events. Events can include data modifications, very much like in database triggers, or application-dependent events, such as an emergency. We notice that current sensor networks and intelligent appliances make it very easy for a computer system to detect events arising in the environments. Our model will take advantage of such capabilities.

55. Policy Language
Take existing geospatial language/model and extend for security
E.g., GML
Take a security model/language and extend for geospatial
E.g, XACML has been extended to Geo-XACML
Develop from scratch
GRDF, Secure GRDF (developed at UTDallas by Alam Ashraful for PhD research)

56. Geospatial Semantic Web: GRDF
The strength of RDF lies in the ease of composition with which RDF based formalisms can be integrated with other similar languages.
On the Semantic Web, the goal is to minimize human intervention and to make way for machines to perform rule based automated reasoning.
We are developing GRDF for geospatial data representation
Why not use GML? - same reasons for using RDF and not XML – semantics
Secure GRDF – security extensions for GRDF
On the Semantic Web, the goal is to minimize human intervention and to make way for machines to perform rule based automated reasoning. In our case (i.e., for GRDF concepts), rules are codified in OWL, which is the ontology language to define terms for Semantic Web applications.

57. Directions Multimedia data security is getting some attention
Little research on Geospatial data security
Digital watermarking is getting some attention
Our focus at UTD is to develop a secure geospatial semantic web
We have developed a system called DAGIS and demonstrating secure interoperability
Details will be given later