
Computer Science and Engineering 1 XML, RDF, Workflow Security.



Presentation transcript:

1 Computer Science and Engineering 1 XML, RDF, Workflow Security

2 Reading
Required:
– Ernesto Damiani, Sabrina De Capitani di Vimercati, Stefano Paraboschi, and Pierangela Samarati. 2002. A fine-grained access control system for XML documents. ACM Trans. Inf. Syst. Secur. 5, 2 (May 2002), 169-202. http://dl.acm.org/citation.cfm?id=505590
– A. Stoica and C. Farkas, "Secure XML Views," Proc. 16th IFIP WG11.3 Working Conference on Database and Application Security, 133-146, 2002. http://www.cse.sc.edu/~farkas/publications/c5.pdf
– Amit Jain and Csilla Farkas. 2006. Secure resource description framework: an access control model. In Proceedings of the eleventh ACM symposium on Access control models and technologies (SACMAT '06). ACM, New York, NY, USA, 121-129. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.84.792&rep=rep1&type=pdf

3 Semantic Web
[Figure: Semantic Web diagram; from T.B. Lee.]

4 Secure Technologies
Security on the Web
– Data Security: XML, Inferences
– Metadata Security: RDF
– Application Security

5 Secure XML Views - Example
[Figure: XML document medicalFiles with subtrees countyRec and milBaseRec; elements patient, name, phone, physician, milTag. Labelled data values: John Smith (UC), phone 111-2222 (S), Jim Dale (UC), Harry Green (UC), phone 333-4444 (S), Joe White (UC), milTag MT78 (TS). Caption: View over UC data.]

6 Secure XML Views - Example cont.
[Figure: the same tree with the S and TS data values (the phone numbers and milTag) removed. Caption: View over UC data.]

7 Secure XML Views - Example cont.
[Figure: the same tree as slide 6. Caption: View over UC data.]

8 Secure XML Views - Example cont.
[Figure: the same tree with the security labels (UC, S, TS) shown next to the elements. Caption: View over UC data.]

9 Secure XML Views - Example cont.
[Figure: resulting view over UC data: medicalFiles containing name John Smith, physician Jim Dale, physician Joe White, name Harry Green.]

10 Secure XML Views - Solution
– Multi-Plane DTD Graph (MPG)
– Minimal Semantic Conflict Graph (association preservation)
– Cover story
– Transformation rules

11 Multi-Plane DTD Graph
MPG = DTD graph over multiple security planes (TopSecret, Secret, Unclassified).
[Figure: DTD nodes D,medicalFiles; D,countyRec; D,milBaseRec; D,patient; D,physician; D,milTag; D,name; D,phone placed on the UC, S and TS planes.]

12 Transformation - Example
[Figure: MPG over the TS, S and UC planes with nodes name, phone, physician; the MSCG; the Security Space at level Secret.]

13 Transformation - Example
[Figure: MPG (TS, S, UC), SP and MSCG with nodes name and physician.]

14 Transformation - Example
[Figure: MPG (TS, S, UC), SP and MSCG.]

15 Transformation - Example
[Figure: MPG (TS, S, UC), SP and the resulting Data Structure: medicalFiles / emergencyRec with name and physician.]

16 Node Association - Example
DTD of Patient Health Record:
MedicalDb → Patient*
Patient → Allergies, Phone, Birthdate, Name, SSN, Race, DateDiagnosis, Physician, Prescription*, Comments
Allergies → Allergen*
[Figure: two node associations under Patient: (Phone, Name) and (Birthdate, Race, DateDiagnosis, Comments).]

17 Layered Access Control
– Node level classification
– Object - Association level classification
[Figure: tree with + / - access marks on individual nodes and on node associations.]

18 Simple Security Object
[Figure: object o with sub-trees t1, t2, t3, t4.]
For all t_i: the classification of t_i equals the classification of o.

19 Association Security Object
[Figure: object o with sub-trees t1, t2, t3, t4.]
For all t_i: the classification of t_i is strictly lower than the classification of o.

20 Query Pattern
[Figure: pattern tree with root r and children d and a; a has children b and c; d and b carry the value v1.]
Query (XQuery FLWOR form; the where clause precedes return, and the comparison is written with = rather than ==):
for $x in //r
let $y := $x/d, $z := $x/a
where $z/b = $y
return $z/c

21 Pattern Automata
Pattern Automata X = (Σ, Q, q0, Qf, δ)
– Σ = E ∪ A ∪ {pcdata, //}
– δ is a transition function
– Q = {q0, …, qn}
– Qf ⊆ Q, q0 ∉ Qf
Valid transitions on Σ are of the form: σ(qi, …, qj) → qk, with σ ∈ Σ
If δ does not contain a valid transition rule, the default new state is q0.

22 Pattern Automata - Example
[Figure: association object with root /, element a and children b, c.]
Σ = {a, b, c, //}
Q = {q0, qa, qb, qc}
Qf = {qa}
δ = { b() → qb, c() → qc, a(qb, qc) → qa, *(qa) → qa }
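Added example (not from the slides or the cited papers): the pattern automaton of slides 21 and 22 implemented as a bottom-up tree automaton over an ElementTree parse. The alphabet, states and δ are the slide's; the `*(qa) → qa` rule is generalised, as an assumption, to any element with at least one child already in the final state, so that a match anywhere in the document propagates to the root. Child states are matched in document order.

```python
# Added example (not from the slides): the slide's pattern automaton for the
# association object a(b, c), run bottom-up over a parsed XML document.
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

Q0 = "q0"              # default state: no pattern recognised at this node
FINAL = {"qa"}         # Qf
# delta, keyed by (element label, child states in document order) -> new state
DELTA = {
    ("b", ()): "qb",
    ("c", ()): "qc",
    ("a", ("qb", "qc")): "qa",
}

def step(label, child_states):
    """One transition of the automaton, with the default-to-q0 rule."""
    if (label, child_states) in DELTA:
        return DELTA[(label, child_states)]
    # *(qa) -> qa from the slide, generalised here (an assumption) to any
    # element that has at least one child already in the final state, so a
    # match deeper in the document propagates up to the root.
    if any(s in FINAL for s in child_states):
        return "qa"
    return Q0

def run(node):
    """State reached at `node` after processing its whole subtree bottom-up."""
    child_states = tuple(run(child) for child in node)
    return step(node.tag, child_states)

def final_state(xml_text):
    return run(ET.fromstring(xml_text))

def contains_association(xml_text):
    """True when the document contains the protected association a(b, c)."""
    return final_state(xml_text) in FINAL

if __name__ == "__main__":
    # Constructed sample documents (not from the slides).
    print(contains_association("<a><b>x</b><c>y</c></a>"))      # True
    print(contains_association("<r><x/><a><b/><c/></a></r>"))   # True
    print(contains_association("<a><b/></a>"))                   # False
```

A document that contains b and c under some element other than a, or a without both children, stays in q0, which is what the access-control layer needs: only documents that reach qa contain the association object and need the association-level label applied.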

23 The Inference Problem
General Purpose Database: Non-confidential data + Metadata → Undesired Inferences
Semantic Web: Non-confidential data + Metadata (data and application semantics) + Computational Power + Connectivity → Undesired Inferences

24 Association Graph
Association similarity measure:
– Distance of each node from the association root
– Difference of the distance of the nodes from the association root
– Complexity of the sub-trees originating at nodes
Example: Air show
[Figure: XML document fragment with nodes address and fort, and its Association Graph; the association is labelled Public (Public, AC).]

25 Correlated Inference
Concept hierarchy:
Object
waterSource :: Object
basin :: waterSource
place :: Object
district :: place
address :: place
base :: Object
fort :: base
Associations: (address, fort) Public; (Water source, base) Confidential; (district, basin) Public → ?
Concept Generalization: weighted concepts, concept abstraction level, range of allowed abstractions

26 Correlated Inference (cont.)
[Figure: the same concept hierarchy (Object; waterSource :: Object; basin :: waterSource; place :: Object; district :: place; address :: place; base :: Object; fort :: base). The public associations (address, fort) and (district, basin) generalize to (place, base) and (place, Water source); Water source and base together are the Confidential association.]
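Added example (not from the slides or the cited papers) for slides 25 and 26: concept generalization over the slide's hierarchy with a bounded abstraction range, used to detect that two Public associations reveal the Confidential one. The "correlated" check (two generalized public associations that share a concept and whose other two concepts form a confidential association) is an assumed reading of the slide's example; the hierarchy, associations and labels are the slide's.

```python
# Added example (not from the slides): detect a correlated inference by
# generalising public associations over the slide's concept hierarchy.
from itertools import combinations

# Concept hierarchy from the slide, written child -> parent ("::" on the slide).
IS_A = {
    "waterSource": "Object", "basin": "waterSource",
    "place": "Object", "district": "place", "address": "place",
    "base": "Object", "fort": "base",
}

def abstractions(concept, max_level):
    """The concept itself and its ancestors up to max_level steps up the
    hierarchy (the slide's 'range of allowed abstractions')."""
    out, level = [concept], 0
    while concept in IS_A and level < max_level:
        concept, level = IS_A[concept], level + 1
        out.append(concept)
    return out

def generalisations(assoc, max_level):
    """Every abstraction of a two-concept association, as an unordered pair."""
    c1, c2 = assoc
    return {frozenset((g1, g2))
            for g1 in abstractions(c1, max_level)
            for g2 in abstractions(c2, max_level)}

def correlated_inferences(public, confidential, max_level=1):
    """Inferences a reader of the public associations can make.
    'direct': one public association abstracts to a confidential one.
    'correlated': two public associations, once abstracted, share a concept
    and their other two concepts form a confidential association (an assumed
    reading of the slide's example)."""
    conf = {frozenset(a) for a in confidential}
    found = []
    for a in public:
        for ga in generalisations(a, max_level):
            if ga in conf:
                found.append(("direct", a, tuple(sorted(ga))))
    for a, b in combinations(public, 2):
        for ga in generalisations(a, max_level):
            for gb in generalisations(b, max_level):
                shared = ga & gb
                if len(ga) == len(gb) == 2 and len(shared) == 1:
                    rest = (ga | gb) - shared
                    hit = ("correlated", a, b, tuple(sorted(rest)))
                    if rest in conf and hit not in found:
                        found.append(hit)
    return found

# Constructed input: the slide's associations and their labels.
PUBLIC = [("address", "fort"), ("district", "basin")]
CONFIDENTIAL = [("waterSource", "base")]

if __name__ == "__main__":
    print(correlated_inferences(PUBLIC, CONFIDENTIAL, max_level=1))
    print(correlated_inferences(PUBLIC, CONFIDENTIAL, max_level=0))  # []
```

With `max_level=0` nothing is abstracted and no inference is found; with one level of abstraction address and district both become place, linking fort (a base) to basin (a waterSource), which is the Confidential association. The allowed abstraction range is therefore the policy knob that decides which public releases are treated as correlated.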

27 Inference Removal
Relational databases: limit access to data
Web inferences:
– Cannot redesign public data outside of protection domain
– Cannot modify/refuse answer to already published web page
Protection Options:
– Release misleading information
– Remove information
– Control access to metadata

28 Metadata Security
– No security model exists for metadata
– Can we use existing security models to protect metadata?
– RDF/S is the Basic Framework for SW
– RDF/S supports simple inferences; this is not true of XML: XML access control cannot be used to protect RDF/S data

29 RDF/S Entailment Rules
Example RDF/S Entailment Rules (http://www.w3.org/TR/rdf-mt/#rules):
Rdfs2:
– (aaa, rdfs:domain, xxx) + (uuu, aaa, yyy) → (uuu, rdf:type, xxx)
Rdfs3:
– (aaa, rdfs:range, xxx) + (uuu, aaa, vvv) → (vvv, rdf:type, xxx)
Rdfs5:
– (uuu, rdfs:subPropertyOf, vvv) + (vvv, rdfs:subPropertyOf, xxx) → (uuu, rdfs:subPropertyOf, xxx)
Rdfs11:
– (uuu, rdfs:subClassOf, vvv) + (vvv, rdfs:subClassOf, xxx) → (uuu, rdfs:subClassOf, xxx)

30 Example Graph Format
RDF Triples:
(Student, rdfs:subClassOf, Person)
(University, rdfs:subClassOf, GovAgency)
(studiesAt, rdfs:domain, Student)
(studiesAt, rdfs:range, University)
(studiesAt, rdfs:subPropertyOf, memberAt)
(John, studiesAt, USC)

31 Example Graph Format
[Figure: RDF graph of the triples on slide 30.]

32 Example Graph Format
[Figure: RDF graph of the triples on slide 30.]

33 Example Graph Format
[Figure: RDF graph of the triples on slide 30.]

34 Secure RDF
Entailed data in RDF can cause illegal inferences:
(John, studiesAt, USC) [S] + (studiesAt, rdfs:range, University) [S] → (USC, rdf:type, University) [S]
(USC, rdf:type, University) [S] + (University, rdfs:subClassOf, GovAgency) [S] → (USC, rdf:type, GovAgency) [TS]
A Secret user can infer TS information.
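Added example (not from the slides or the cited papers) for slides 29 and 34: label-aware forward chaining over the slide-30 graph. The rules rdfs2, rdfs3, rdfs5 and rdfs11 are the ones on slide 29; rdfs9 (class membership through rdfs:subClassOf) is the standard RDF/S rule the second step on slide 34 relies on and is added here. An entailed triple is labelled with the least upper bound of its premises; an explicit triple whose policy label is higher than the label at which it can be entailed is reported as a leak. Labels the slides do not give are assumed UC, and the TS label on (USC, rdf:type, GovAgency) is the constructed policy decision the example checks.

```python
# Added example (not from the slides): label-aware RDF/S forward chaining that
# reports explicit triples whose policy label is higher than the label at which
# the same triple can be entailed from lower-classified data.
LEVELS = {"UC": 0, "S": 1, "TS": 2}
RDF_TYPE = "rdf:type"
SUBCLASS, SUBPROP = "rdfs:subClassOf", "rdfs:subPropertyOf"
DOMAIN, RANGE = "rdfs:domain", "rdfs:range"

def lub(a, b):
    """Least upper bound of two labels: an entailed triple needs both premises."""
    return a if LEVELS[a] >= LEVELS[b] else b

def rules(t1, t2):
    """Yield the triple entailed by the ordered premise pair (t1, t2), if any.
    rdfs2, rdfs3, rdfs5, rdfs11 are the rules on slide 29; rdfs9 is the
    standard RDF/S rule the second step of slide 34 uses."""
    (s1, p1, o1), (s2, p2, o2) = t1, t2
    if p1 == DOMAIN and p2 == s1:                           # rdfs2
        yield (s2, RDF_TYPE, o1)
    if p1 == RANGE and p2 == s1:                            # rdfs3
        yield (o2, RDF_TYPE, o1)
    if p1 == SUBPROP and p2 == SUBPROP and o1 == s2:        # rdfs5
        yield (s1, SUBPROP, o2)
    if p1 == SUBCLASS and p2 == SUBCLASS and o1 == s2:      # rdfs11
        yield (s1, SUBCLASS, o2)
    if p1 == SUBCLASS and p2 == RDF_TYPE and o2 == s1:      # rdfs9
        yield (s2, RDF_TYPE, o1)

def entail(explicit):
    """Closure of the labelled graph. Each triple maps to the lowest label at
    which it is reachable: its own label if explicit, or the lub of its
    premises, rechecked until no label can be lowered further."""
    closure = dict(explicit)
    changed = True
    while changed:
        changed = False
        snapshot = list(closure.items())
        for t1, l1 in snapshot:
            for t2, l2 in snapshot:
                for derived in rules(t1, t2):
                    label = lub(l1, l2)
                    if derived not in closure or LEVELS[label] < LEVELS[closure[derived]]:
                        closure[derived] = label
                        changed = True
    return closure

def leaks(explicit):
    """Explicit triples a lower-cleared user can reconstruct by entailment:
    triple -> (assigned label, label at which it is entailed)."""
    closure = entail(explicit)
    return {t: (lab, closure[t]) for t, lab in explicit.items()
            if LEVELS[closure[t]] < LEVELS[lab]}

# Constructed input: the graph of slide 30 with the labels used on slide 34.
# Labels the slides do not give are assumed UC; (USC, rdf:type, GovAgency) is
# the TS fact the policy is meant to protect.
GRAPH = {
    ("Student", SUBCLASS, "Person"): "UC",
    ("University", SUBCLASS, "GovAgency"): "S",
    ("studiesAt", DOMAIN, "Student"): "UC",
    ("studiesAt", RANGE, "University"): "S",
    ("studiesAt", SUBPROP, "memberAt"): "UC",
    ("John", "studiesAt", "USC"): "S",
    ("USC", RDF_TYPE, "GovAgency"): "TS",
}

if __name__ == "__main__":
    for triple, (assigned, derived) in leaks(GRAPH).items():
        print(f"{triple}: assigned {assigned}, entailable at {derived}")
```

The check is the one a secure RDF model has to run at policy time: either the entailed triple inherits a label no lower than the explicit TS fact (which means raising one of the S premises), or the TS label on the explicit fact is not enforceable, because a Secret user can rebuild it from data they are cleared for.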

35 RDF Access Control
Security Policy:
– Subject
– Object / Object pattern
– Access Mode
Default policy
Conflict Resolution
Classification of entailed data
Flexible granularity

36 Business Process
Increased complexity
Workflow specification
– Workflow correctness
– Workflow security
Automated analysis
Internet Security - Farkas 36

37 Workflow Verification
Detect conflicts and anomalies
Lack of formal methods and tools

38 What to represent?
Activity-based workflow model
– Design-time analysis
– Implementation-time verification
Reading: propositional logic
– Activities
– Basic workflow constructs
– Activity "leads" to other activity

39 Workflow
[Figure: workflow graph with activities a1, a2, a4 and a + connector.]

40 WS-BPEL
Language to specify business processes that are composed of Web services as well as exposed as Web services
WS-BPEL specifications are portable: they can be carried out by every WS-BPEL compliant execution environment

41 Two-Level Programming Model
Programming in the large
– Non-programmers implementing processes
– Flow logic
Programming in the small
– Programmers implementing low-level services
– Function logic

42 SOA and WS-BPEL
[Figure: WS-BPEL flow-oriented model: Request, Invoke, Response.]

43 Security and Workflow
– Identity Management
– Authorization: e.g., data access controls
– Process constraints
– Provenance

44 Issues
Need to distinguish between functionality & security guarantees
– How to handle trust management?
Workflows are process or data centric
– How to map to user-centric system security policies?
Planning and enactment are complex/rich processes
– How to establish security assurance of a complex mechanism?

45 Next Class
Cloud computing

