Presentation is loading. Please wait.

Presentation is loading. Please wait.

A View Based Security Framework for XML Wenfei Fan, Irini Fundulaki, Floris Geerts, Xibei Jia, Anastasios Kementsietsidis University of Edinburgh Digital.

Published byArianna Nolan Modified over 10 years ago

Similar presentations

Presentation on theme: "A View Based Security Framework for XML Wenfei Fan, Irini Fundulaki, Floris Geerts, Xibei Jia, Anastasios Kementsietsidis University of Edinburgh Digital."— Presentation transcript:

1 A View Based Security Framework for XML Wenfei Fan, Irini Fundulaki, Floris Geerts, Xibei Jia, Anastasios Kementsietsidis University of Edinburgh Digital Curation Center

2 Introduction XML data management The importance is clearly demonstrated by the wide adoption of XML related technologies in eScience projects Selective exposure of information in XML a primary concern for data providers, curators and consumers. safeguard data confidentiality, privacy and intellectual property

3 Introduction --- Security View Security View: multiple user groups who wish to query the same XML document different access policies may be imposed, specifying the portions of the document the users are granted or denied access to. Security views are necessarily virtual it is prohibitively expensive to materialize and maintain a large number of views.

4 Example: a medical records XML database The security admin could see the whole db Hospital Patient Doctor Record Diagnosis Date Name Genetics Psychiatry Record Doctor Date Name Diagnosis Name Patient Name Record Doctor Date Diagnosis Name Patient Name 'David' 'Mary' 'Angela' 'Mark'' Bill Sex Doctor David can only access the records of his patients Patient Mary can access his own medical records

5 Insurers view An insurer can only read his customers' billing info

6 Researchers View a medical researcher could retrieve the diagnosis data for research purposes, but not the information on doctors or patients.

7 System Architecture XML document T View Derivation Security Specification S Query Rewriting Query Evaluation Query Optimization Security View V R for Role U R with XSD D R Query Q R on V R Query Q T on T D R... Security View V D for Role U D with XSD D D Security View V P for Role U P with XSD D P security spec. lang. L S used by admins. view spec. lang. L V transparent to users. view query lang. L QV used by users. doc query lang. L QR transparent to users. legend Indexer Query Editor Security Spec. Editor Result Viewer security admins researchers input module output module core module optional module virtual view XML schema XSD D for document T XML data flow other data flow XML database

8 Security Specification hospital -> patient* (hospital,patient) = [visit/treatment/medication = autism] patient -> pname, visit*, parent* (patient,pname) = N (patient,visit) = N parent -> patient visit -> treatment, date (visit, treatment) = [medication] treatment -> test + medication (treatment,test) = N

9 Security Specification Classify the nodes in the XML document accessible nodes inaccessible nodes conditional accessible nodes Support inheritance overriding content-based access privilege context-dependency View derivation module schema availability the availability of an XML schema that specifies the structure of accessible data is critical to the users who can then formulate queries only over this schema.

10 View Specification hospital -> patient* (hospital, patient) = patient[visit/treatment/medication = autism] patient -> treatment*, parent* (patient, treatment) = visit/treatment[medication] (patient, parent) = parent parent -> patient (parent, patient) = patient treatment -> medication (treatment, medication) = medication

11 Query Over the View Regular XPath Query a mild extension of XPath that supports the general Kleene closure (.)* instead of the limited recursion //. Why: XPath is not closed under query rewriting i.e. for an XPath query on a recursively defined view there may not exist an equivalent XPath query on the underlying document

12 Query Over the Document Regular XPath Query However, the size of the rewritten query Q T, if directly represented in Regualar XPath, may be exponential in the size of input query Q V. We overcome this challenge by employing an automaton characterization of Q T, denoted by MFA(mixed finite state automata), which is linear in the size of Q V. Query Rewriting Module

13 MFA: Internal Query Representation hospital/patient[(parent/patient)*/visit/treatment/test and visit/treatment[medication/text()=headache]]/pname

14 Query Evaluation: HyPE We propose a novel algorithm, HyPE (Hybrid Pass Evaluation), for processing Regular XPath queries represented by MFAs. A unique feature of HyPE is that it needs only a single top-down depth-first traversal of the XML tree, during which HyPE both evaluates predicates of the input query (equivalently, AFA's of the MFA) and identifies potential answer nodes (by evaluating the NFA of the MFA). previous systems require to traverse the XML document at least twice to evaluate XPath queries.

15 HyPE: Cans (candidate answers) The potential answer nodes are collected and stored in an auxiliary structure, referred to as Cans (candidate answers), which is often much smaller than the XML document tree. A pass over Cans is needed to retrieve the real result nodes.

16 HyPE

17 SMOQE: A Reference Implementation We have developed a reference implementation, called SMOQE(Secure MOdular Query Engine), for the security framework we proposed in this paper. It is implemented in Java. demonstrated in VLDB 2006

18 Conclusion A generic, flexible view based access control framework for protecting XML data and its implementation: SMOQE able to enforce fine-grained access policies according to the structure and values of the protected XML data schema availability view derivation efficient enforcement of security constraints during XML query evaluation Query rewriting Automaton based representation Evaluation using HyPE and optimization

19 Thank you!

Download ppt "A View Based Security Framework for XML Wenfei Fan, Irini Fundulaki, Floris Geerts, Xibei Jia, Anastasios Kementsietsidis University of Edinburgh Digital."

Similar presentations

QUN NI 1, SHOUHUAI XU 2, ELISA BERTINO 1, RAVI SANDHU 2, AND WEILI HAN 3 1 PURDUE UNIVERSITY USA 2 UT SAN ANTONIO USA 3 FUDAN UNIVERSITY CHINA PRESENTED.

QUN NI 1, SHOUHUAI XU 2, ELISA BERTINO 1, RAVI SANDHU 2, AND WEILI HAN 3 1 PURDUE UNIVERSITY USA 2 UT SAN ANTONIO USA 3 FUDAN UNIVERSITY CHINA PRESENTED.
Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control.

Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control.
Bottom-up Evaluation of XPath Queries Stephanie H. Li Zhiping Zou.

Bottom-up Evaluation of XPath Queries Stephanie H. Li Zhiping Zou.
Twig 2 Stack: Bottom-up Processing of Generalized-Tree-Pattern Queries over XML Documents Songting Chen, Hua-Gang Li *, Junichi Tatemura Wang-Pin Hsiung,

Twig 2 Stack: Bottom-up Processing of Generalized-Tree-Pattern Queries over XML Documents Songting Chen, Hua-Gang Li *, Junichi Tatemura Wang-Pin Hsiung,
Efficient Keyword Search for Smallest LCAs in XML Database Yu Xu Department of Computer Science & Engineering University of California, San Diego Yannis.

Efficient Keyword Search for Smallest LCAs in XML Database Yu Xu Department of Computer Science & Engineering University of California, San Diego Yannis.
CSE 6331 © Leonidas Fegaras XML and Relational Databases 1 XML and Relational Databases Leonidas Fegaras.

CSE 6331 © Leonidas Fegaras XML and Relational Databases 1 XML and Relational Databases Leonidas Fegaras.
Fine Grained Access Control in XML DataBase Systems Naveen Yajamanam April 27,2006.

Fine Grained Access Control in XML DataBase Systems Naveen Yajamanam April 27,2006.
Provenance in Open Distributed Information Systems Syed Imran Jami PhD Candidate FAST-NU.

Provenance in Open Distributed Information Systems Syed Imran Jami PhD Candidate FAST-NU.
1 CS 561 Presentation: Indexing and Querying XML Data for Regular Path Expressions A Paper by Quanzhong Li and Bongki Moon Presented by Ming Li.

1 CS 561 Presentation: Indexing and Querying XML Data for Regular Path Expressions A Paper by Quanzhong Li and Bongki Moon Presented by Ming Li.
Paper by: A. Balmin, T. Eliaz, J. Hornibrook, L. Lim, G. M. Lohman, D. Simmen, M. Wang, C. Zhang Slides and Presentation By: Justin Weaver.

Paper by: A. Balmin, T. Eliaz, J. Hornibrook, L. Lim, G. M. Lohman, D. Simmen, M. Wang, C. Zhang Slides and Presentation By: Justin Weaver.
DYNAMIC ELEMENT RETRIEVAL IN A STRUCTURED ENVIRONMENT MAYURI UMRANIKAR.

DYNAMIC ELEMENT RETRIEVAL IN A STRUCTURED ENVIRONMENT MAYURI UMRANIKAR.
1 Secure XML Querying with Security Views Wenfei Fan University of Edinburgh & Bell Laboratories Chee-Yong Chan National University of Singapore Minos.

1 Secure XML Querying with Security Views Wenfei Fan University of Edinburgh & Bell Laboratories Chee-Yong Chan National University of Singapore Minos.
1 Indexing and Querying XML Data for Regular Path Expressions A Paper by Quanzhong Li and Bongki Moon Presented by Amnon Shochot.

1 Indexing and Querying XML Data for Regular Path Expressions A Paper by Quanzhong Li and Bongki Moon Presented by Amnon Shochot.
Architecture & Data Management of XML-Based Digital Video Library System Jacky C.K. Ma Michael R. Lyu.

Architecture & Data Management of XML-Based Digital Video Library System Jacky C.K. Ma Michael R. Lyu.
Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,
Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.

Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.
Integrated Hospital Management System. Integrated Hospital Management System software is user-friendly software. The main objectives of the system is.

Integrated Hospital Management System. Integrated Hospital Management System software is user-friendly software. The main objectives of the system is.
ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.

ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.
Indexing XML Data Stored in a Relational Database VLDB`2004 Shankar Pal, Istvan Cseri, Gideon Schaller, Oliver Seeliger, Leo Giakoumakis, Vasili Vasili.

Indexing XML Data Stored in a Relational Database VLDB`2004 Shankar Pal, Istvan Cseri, Gideon Schaller, Oliver Seeliger, Leo Giakoumakis, Vasili Vasili.
Databases & Data Warehouses Chapter 3 Database Processing.

Databases & Data Warehouses Chapter 3 Database Processing.

Similar presentations

Ads by Google