Web Data and Application Security Csilla Farkas farkas@cse.sc.edu http://www.cse.sc.edu/~farkas Center of Information Assurance Engineering Department of Computer Science and Engineering University of South Carolina
Web Evolution
  Past: human usage; HTTP; static Web pages (HTML)
  Current: human and some automated usage; interactive Web pages; Web Services (WSDL, SOAP, SAML); Semantic Web (RDF, OWL, RuleML, Web databases); XML technology (data exchange, data representation)
  Future: Semantic Web Services
Outline Security on the Web Data Security Metadata Security Application Security Future Directions
Are the existing security mechanisms sufficient to provide data and application security for the next-generation Web?
Information Assurance: research areas
  Inference control, privacy, security, trust, applications, policy making, formal models, negotiation, protocol analysis, anonymity, access control, Semantic Web security, encryption, information hiding, data mining, computer epidemics, data provenance, fraud, biometrics
Outline Security on the Web Data Security Access Control Models for Semi-Structured Data Syntactic XML Secure XML Views XML Updates XML association object XML and Semantics SMIL Inference Control Metadata Security Application Security Future Directions
Limitations of Existing Research
  Syntax-based
  No association protection
  Limited handling of updates
  No data or application semantics
  No inference control
Secure XML Views - Example
  Each element carries a classification: UC (unclassified), S (secret), TS (top secret).
    <medicalFiles>                          UC
      <countyRec>                           S
        <patient>                           S
          <name>John Smith</name>           UC
          <phone>111-2222</phone>           S
        </patient>
        <physician>Jim Dale</physician>     UC
      </countyRec>
      <milBaseRec>                          TS
        <name>Harry Green</name>            UC
        <phone>333-4444</phone>             S
        <physician>Joe White</physician>    UC
        <milTag>MT78</milTag>               TS
      </milBaseRec>
    </medicalFiles>
  [Figure: the same document drawn as a tree; the following slides show candidate views over the UC data.]
Secure XML Views - Example cont.: view over UC data, classified leaves removed
    <medicalFiles>
      <countyRec>
        <patient>
          <name>John Smith</name>
        </patient>
        <physician>Jim Dale</physician>
      </countyRec>
      <milBaseRec>
        <name>Harry Green</name>
        <physician>Joe White</physician>
      </milBaseRec>
    </medicalFiles>
  The S and TS elements <countyRec>, <patient> and <milBaseRec> have lost their classified children, but their own (classified) tag names are still visible in the view.
Secure XML Views - Example cont.: view over UC data, classified element names replaced by cover tags
    <medicalFiles>
      <tag01>
        <tag02>
          <name>John Smith</name>
        </tag02>
        <physician>Jim Dale</physician>
      </tag01>
      <tag03>
        <name>Harry Green</name>
        <physician>Joe White</physician>
      </tag03>
    </medicalFiles>
  The classified names countyRec, patient and milBaseRec are hidden, but the shape of the tree (and the fact that something was hidden) remains visible.
Secure XML Views - Example cont.: the same view with the labels that remain attached to it
    <medicalFiles>                          UC
      <countyRec>                           S
        <patient>                           S
          <name>John Smith</name>           UC
        </patient>
        <physician>Jim Dale</physician>     UC
      </countyRec>
      <milBaseRec>                          TS
        <name>Harry Green</name>            UC
        <physician>Joe White</physician>    UC
      </milBaseRec>
    </medicalFiles>
  Only the S and TS leaves (phone, milTag) are gone; the S and TS structural elements still appear in a view that is supposed to contain UC data only.
Secure XML Views - Example cont.: view over UC data, flattened
    <medicalFiles>
      <name>John Smith</name>
      <physician>Jim Dale</physician>
      <name>Harry Green</name>
      <physician>Joe White</physician>
    </medicalFiles>
  Every UC leaf is hoisted up to <medicalFiles>, so nothing classified is shown, but the view no longer says which physician belongs to which patient: the association between the UC nodes is lost.
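The three view strategies on the preceding slides (prune the classified subtree, keep the shape with cover tags, flatten the UC leaves upward), as an added example that is not part of the talk or of any of the prototype systems. It assumes the element classification is stored in a sec attribute (UC < S < TS) and uses the medicalFiles document from the slides as constructed input; all function names are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the medicalFiles slide: every element carries its
# classification in a sec attribute (UC < S < TS). Not data from any real system.
DOC = """\
<medicalFiles sec="UC">
  <countyRec sec="S">
    <patient sec="S">
      <name sec="UC">John Smith</name>
      <phone sec="S">111-2222</phone>
    </patient>
    <physician sec="UC">Jim Dale</physician>
  </countyRec>
  <milBaseRec sec="TS">
    <name sec="UC">Harry Green</name>
    <phone sec="S">333-4444</phone>
    <physician sec="UC">Joe White</physician>
    <milTag sec="TS">MT78</milTag>
  </milBaseRec>
</medicalFiles>
"""

LEVEL = {"UC": 0, "S": 1, "TS": 2}


def load():
    return ET.fromstring(DOC)


def readable(elem, clearance):
    """BLP simple security: the clearance must dominate the element's label.
    An unlabelled element counts as TS so that a missing label fails closed."""
    return LEVEL[clearance] >= LEVEL[elem.get("sec", "TS")]


def copy_shell(elem, tag=None):
    out = ET.Element(tag or elem.tag)
    out.text = elem.text
    return out


def view_prune(elem, clearance):
    """Drop every unreadable element together with its whole subtree (the common
    approach). A UC leaf under an S parent, like John Smith's name, is lost with it."""
    if not readable(elem, clearance):
        return None
    out = copy_shell(elem)
    for child in elem:
        sub = view_prune(child, clearance)
        if sub is not None:
            out.append(sub)
    return out


def has_readable_descendant(elem, clearance):
    return readable(elem, clearance) or any(
        has_readable_descendant(c, clearance) for c in elem)


def view_cover(elem, clearance, counter=None):
    """Keep the tree shape: an unreadable element that still has readable content is
    replaced by an anonymous cover tag (tag01, tag02, ...) instead of being dropped."""
    counter = counter if counter is not None else [0]
    if not has_readable_descendant(elem, clearance):
        return None
    if readable(elem, clearance):
        out = copy_shell(elem)
    else:
        counter[0] += 1
        out = ET.Element("tag%02d" % counter[0])  # name and text hidden, position kept
    for child in elem:
        sub = view_cover(child, clearance, counter)
        if sub is not None:
            out.append(sub)
    return out


def _flatten(elem, clearance):
    kids = []
    for child in elem:
        kids.extend(_flatten(child, clearance))
    if not readable(elem, clearance):
        return kids  # the element vanishes; its readable descendants float upward
    out = copy_shell(elem)
    out.extend(kids)
    return [out]


def view_flatten(elem, clearance):
    """Hoist the readable descendants of an unreadable element to its nearest readable
    ancestor. Nothing readable is lost, but which name goes with which physician can
    no longer be recovered from the view."""
    roots = _flatten(elem, clearance)
    return roots[0] if len(roots) == 1 else None


def tags(elem):
    return [child.tag for child in elem]


if __name__ == "__main__":
    for fn in (view_prune, view_cover, view_flatten):
        print(fn.__name__, ET.tostring(fn(load(), "UC"), encoding="unicode"))
```

Run with a UC clearance, view_prune returns an empty <medicalFiles> (both records are classified, so John Smith's unclassified name disappears with them), view_cover reproduces the tag01/tag02/tag03 slide, and view_flatten reproduces the flattened slide in which the name/physician association is gone.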
Secure XML Views - Solution
  Multi-Plane DTD Graph (MPG)
  Minimal Semantic Conflict Graph (association preservation)
  Cover story
  Transformation rules
Multi-Plane DTD Graph
  MPG = DTD graph over multiple security planes (Unclassified, Secret, TopSecret)
  [Figure: the medicalFiles DTD drawn across the three planes. Each DTD node, (D, medicalFiles), (D, countyRec), (D, milBaseRec), (D, patient), (D, name), (D, phone), (D, physician), (D, milTag), is placed on the plane of its classification UC, S or TS.]
Transformation - Example
  [Figure sequence: the MPG of the medicalFiles document with its security planes (SP): <medicalFiles>, <name>, <physician> on the UC plane; <countyRec>, <patient>, <phone> on the Secret plane; <milBaseRec>, <milTag> on the TS plane. The Minimal Semantic Conflict Graph (MSCG) marks the name/phone/physician association that must be preserved. The transformation rules introduce the cover-story element <emrgRec> (emergencyRec) on the UC plane, and the last slide shows the resulting UC data structure.]
Delete - Example
  [Figure: an MLS XML document. Root Report (P) with children Title, Data (Date, Temperature, Images), Water Resources (Concrete, Location), Civil Area and Defense Sector; nodes carry the labels P, S or TS. The question marks ask which nodes a delete should remove when the deleting user cannot see the whole subtree.]
Delete Operations
  Delete the entire subtree under the deleted node (most widely used approach). Problem: blind write, since the subtree may contain nodes the deleting user cannot see.
  Delete only the viewable nodes. Problem: fragmentation of the XML tree.
  Reject the delete. Problem: covert channel, since the rejection reveals that higher-classified nodes exist.
A Different Solution - Deleted Label
  Basic idea: a unique category "Del" for deleted nodes.
  Change the security classification of the deleted node from (o, {do}) to (o, {do} ∪ {Del}); performed after the delete operation.
  Change the security clearance of every user with s = (s, {ds}) > (o, {do}) to { (s, {ds}), (o, {do} ∪ {Del}) }; this can be preprocessed.
  Apply the BLP axioms unchanged to the new labels.
Example - Top Secret View
  [Figure: the Report document as seen by a TS user: Title, Data (Date, Temperature, Images), Concrete, Location and Defense Sector. Defense Sector has been deleted and now carries the label (S, {Del}), yet it still appears in the TS view.]
  Subject clearances after preprocessing:
    (TS, {})  ->  { (TS, {}), (S, {Del}), (P, {Del}) }
    (S, {})   ->  { (S, {}), (P, {Del}) }
    (P, {})   ->  { (P, {}) }
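The "Del" category approach of the two preceding slides, as an added example that is not code from the talk or its prototypes. Labels are (level, set of categories) with P < S < TS, a delete only adds the Del category, and a subject cleared at some level also reads Del-labelled objects at every strictly lower level, as in the clearance table above. The Report document and its node labels are constructed for the example.

```python
from dataclasses import dataclass, field

ORDER = {"P": 0, "S": 1, "TS": 2}   # Public < Secret < TopSecret
DEL = "Del"


def dominates(a, b):
    """BLP dominance on (level, categories): level_a >= level_b and cats_a ⊇ cats_b."""
    return ORDER[a[0]] >= ORDER[b[0]] and a[1] >= b[1]


@dataclass
class Node:
    name: str
    label: tuple                      # (level, frozenset of categories)
    children: list = field(default_factory=list)


def node(name, level, *children):
    return Node(name, (level, frozenset()), list(children))


def build_doc():
    """Constructed document shaped like the Report slide; the labels are assumed."""
    return node("Report", "P",
                node("Title", "P"),
                node("Data", "P", node("Date", "P"), node("Temperature", "P"),
                     node("Images", "S")),
                node("WaterResources", "S", node("Concrete", "S"), node("Location", "TS")),
                node("CivilArea", "P"),
                node("DefenseSector", "S", node("Location", "TS")))


def find(root, name):
    if root.name == name:
        return root
    for child in root.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def delete(target):
    """Delete by relabelling: (o, {do}) becomes (o, {do} ∪ {Del}). The subtree stays in
    place, so a higher-cleared reader still finds its own data under the deleted node."""
    level, cats = target.label
    target.label = (level, cats | {DEL})


def clearances(level):
    """A subject cleared (level, {}) also reads deleted objects at every strictly lower
    level: { (level, {}) } ∪ { (l, {Del}) : l < level }, as in the slide's table."""
    return [(level, frozenset())] + [
        (l, frozenset({DEL})) for l in ORDER if ORDER[l] < ORDER[level]]


def readable(level, label):
    return any(dominates(c, label) for c in clearances(level))


def view(n, level):
    """The subject's view as (name, is_deleted, [child views]). An unreadable node hides
    its whole subtree, so to the deleting user the delete looks like a subtree delete."""
    if not readable(level, n.label):
        return None
    kids = [v for v in (view(c, level) for c in n.children) if v is not None]
    return (n.name, DEL in n.label[1], kids)


def child_names(v):
    return [(name, deleted) for name, deleted, _ in v[2]]


if __name__ == "__main__":
    doc = build_doc()
    delete(find(doc, "DefenseSector"))      # performed by a Secret user
    for lvl in ("P", "S", "TS"):
        print(lvl, child_names(view(doc, lvl)))
```

After the Secret user deletes DefenseSector, the S view no longer contains it, the P view never did, and the TS view still shows it, marked deleted, with its TS child intact. When a P user then deletes Data, which has an S child Images, the P user sees a clean delete while S and TS users see Data marked Del with Images still present, so no blind write occurs and no covert channel is opened by rejecting the delete.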
Node Association - Example
  [Figure: DTD of a Patient Health Record. MedicalDb contains Patient*; each Patient has Name, Phone, SSN, Birthdate, Race, Allergies (Allergen*), Physician and Prescription* (Date, Diagnosis, Comments). The highlighted node combination (Name, Phone, Birthdate, Race, Date, Diagnosis, Comments) forms an association whose sensitivity exceeds that of its individual nodes.]
Layered Access Control
  Object classification is layered: node-level classification, plus association-level classification on top of it.
Simple Security Object
  An object o with nodes t1, ..., t4 such that for every ti: λ(ti) = λ(o).
Association Security Object
  An object o with nodes t1, ..., t4 such that for every ti: λ(ti) < λ(o), i.e. the association is classified higher than any of the nodes it is made of.
Query Pattern
    FOR $x in //r
    LET $y := $x/d, $z := $x/a
    WHERE $z/b = $y
    RETURN <answer> {$z/c} </answer>
  [Figure: the query pattern as a tree: r with children d and a, where a has children b and c. The query touches b and c under the same a, i.e. the association object.]
Pattern Automata
  A pattern automaton is X = (Σ, Q, q0, Qf, δ)
    Σ = E ∪ A ∪ {pcdata, //}  (element names, attribute names, text, descendant step)
    Q = {q0, ..., qn}; Qf ⊆ Q, q0 ∉ Qf
    δ is the transition function; valid transitions have the form σ(qi, ..., qj) -> qk
  If δ contains no valid transition rule for a node, the default new state is q0.
Pattern Automata - Example
  Σ = {a, b, c, //}
  Q = {q0, qa, qb, qc}, Qf = {qa}
  δ = { b() -> qb, c() -> qc, a(qb, qc) -> qa, *(qa) -> qa }
  [Figure: the association object a with children b and c.]
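The pattern automaton above run bottom-up over an XML tree (or over a query pattern tree, as on the Query Pattern slide), as an added example that is not code from the talk. Child states are compared as a set, so an extra sibling inside <a> cannot hide the b/c pair from the detector; that choice, the rule encoding and the function names are the example's own. Input documents are constructed inline.

```python
import xml.etree.ElementTree as ET

Q0 = "q0"  # default state when no transition rule applies


def make_automaton(rules, final, propagate=()):
    """Bottom-up tree automaton. `rules` maps (tag, sorted tuple of distinct non-q0
    child states) to a state; states in `propagate` move up through any ancestor,
    which encodes the *(qa) -> qa rule."""
    def delta(tag, child_states):
        sig = tuple(sorted({s for s in child_states if s != Q0}))
        if (tag, sig) in rules:
            return rules[(tag, sig)]
        for s in sig:
            if s in propagate:
                return s
        return Q0
    return delta, set(final)


# The slide's automaton for the association object a(b, c):
# delta = { b() -> qb, c() -> qc, a(qb, qc) -> qa, *(qa) -> qa }, Qf = {qa}
ASSOC_A_BC = make_automaton(
    rules={("b", ()): "qb", ("c", ()): "qc", ("a", ("qb", "qc")): "qa"},
    final={"qa"},
    propagate={"qa"})


def run(automaton, elem, path="", hits=None):
    """Compute the state of every node; return (root state, paths at which a final
    state is first produced, i.e. the association objects present in the tree)."""
    delta, final = automaton
    hits = [] if hits is None else hits
    here = path + "/" + elem.tag
    child_states = [run(automaton, child, here, hits)[0] for child in elem]
    state = delta(elem.tag, child_states)
    if state in final and state not in child_states:
        hits.append(here)
    return state, hits


def accepts(automaton, xml_text):
    """True when the document (or query pattern) contains the association object."""
    state, _ = run(automaton, ET.fromstring(xml_text))
    return state in automaton[1]


def association_objects(automaton, xml_text):
    return run(automaton, ET.fromstring(xml_text))[1]


if __name__ == "__main__":
    pattern = "<r><d/><a><b/><c/></a></r>"      # the Query Pattern slide as a tree
    print(accepts(ASSOC_A_BC, pattern), association_objects(ASSOC_A_BC, pattern))
```

Run over the query pattern tree r(d, a(b, c)) the automaton reaches qa at /r/a and propagates it to the root, so the query is recognised as touching the association object and can be checked against the association-level classification rather than the node labels alone.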
SMIL
  Sequential operator <seq>: VIDEO plays after the END of AUDIO
  Parallel operator <par>: VIDEO and AUDIO play together
  Switch operator <switch>: if condition A = TRUE, only VIDEO; if condition B = TRUE, only AUDIO
  [Figure: timelines of AUDIO, VIDEO and SILENCE for each operator.]
SMIL vs. XML
  In both, a document is a tree, BUT XML has no intended semantics, while SMIL specifies runtime behavior.
  QoS (timeliness and continuity) is specified using the synchronization constructs <par>, <seq>, <excl> and others.
  No security model exists for SMIL.
    <smil>
      <seq>
        <par>
          <audio src="http://www.example.org/Audio1.rm"/>
          <video src="http://www.example.org/Video1.rm"/>
        </par>
        <audio src="http://www.example.org/Audio2.rm"/>
        <video src="http://www.example.org/Video2.rm"/>
      </seq>
    </smil>
  [Figure: the same document as a tree: smil -> seq -> (par -> Audio1, Video1), Audio2, Video2.]
Object Identity in SMIL
  [Figures I-III: the same four media intervals Audio 1, Audio 2, Video 1, Video 2 arranged three ways: (I) <par> over V1, V2 combined with <seq> over A1, A2; (II) <par> over V1, A2 with <seq> over A1, V2; (III) <seq> over A2, V2 with <par> over A1, V1. The media items are identical; each arrangement is nevertheless a different SMIL object, because the temporal composition is part of the object.]
SMIL Normal Form
  SMIL Normal Form (smilNF) is of the form
    <seq>
      <par> C_1,1(s) C_1,2(s) C_1,3(s) ... C_1,n(s) </par>
      ...
      <par> C_m,1(s) C_m,2(s) C_m,3(s) ... C_m,n(s) </par>
    </seq>
  where each C_i,j is an audio, video, image or text media interval.
Normalization Algorithm
  [Figure: four media streams A, B, C, D playing in parallel are cut at common time points into A1..A3, B1..B3, C1..C3, D1..D3. Representation 1 keeps the original <par> of whole streams; Representation 2 is the normal form, a <seq> of three <par> elements holding (A1, B1, C1, D1), (A2, B2, C2, D2) and (A3, B3, C3, D3).]
Metadata in SMIL - RBAC Example
  [Figure: the SMIL Normal Form <seq> <par> A1 V1 </par> <par> A2 V2 </par> </seq>, the same normal form decorated with RBAC metadata (r1), (r2), (r3) on the individual media intervals, and the permitted view for Role 1, in which a <par> slot whose media is not permitted to r1 is left empty so that the timing of the rest is unchanged.]
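Normalization into smilNF and the role-based filtering of the normal form, as an added example that is not code from the talk. A presentation is a nested par/seq tree of media items with a duration and a set of roles permitted to see them (the RBAC metadata); the tuple encoding, durations and role names are constructed for the example, not SMIL syntax.

```python
# Node shapes (constructed): ("media", name, duration, roles), ("par", [children]),
# ("seq", [children]). Durations in seconds; roles = names allowed to see the item.


def intervals(node, start=0.0):
    """Schedule a par/seq tree: return (end time, [(name, start, end, roles)])."""
    kind = node[0]
    if kind == "media":
        _, name, dur, roles = node
        return start + dur, [(name, start, start + dur, frozenset(roles))]
    if kind == "seq":            # children one after another
        t, out = start, []
        for child in node[1]:
            t, ivs = intervals(child, t)
            out += ivs
        return t, out
    if kind == "par":            # children start together; ends with the longest
        end, out = start, []
        for child in node[1]:
            e, ivs = intervals(child, start)
            out += ivs
            end = max(end, e)
        return end, out
    raise ValueError("unknown node kind %r" % (kind,))


def normal_form(tree):
    """smilNF: cut the timeline at every media start/end; each slice is one <par>
    holding the pieces C_i,j of the media active during that slice."""
    _, ivs = intervals(tree)
    cuts = sorted({t for _, s, e, _ in ivs for t in (s, e)})
    slices = []
    for s, e in zip(cuts, cuts[1:]):
        active = [(name, roles) for name, a, b, roles in ivs if a <= s and e <= b]
        slices.append(((s, e), active))
    return slices


def view_for_role(nf, role):
    """Permitted view: drop from each <par> the pieces the role may not see. An empty
    <par> is kept so the timing of everything that remains is unchanged."""
    return [(span, [(n, r) for n, r in par if role in r]) for span, par in nf]


def render(nf):
    return "<seq>" + "".join(
        "<par>" + " ".join(name for name, _ in par) + "</par>" for _, par in nf) + "</seq>"


if __name__ == "__main__":
    pres = ("seq", [("par", [("media", "A1", 2, {"r1", "r2"}),
                             ("media", "V1", 3, {"r1"})]),
                    ("media", "A2", 1, {"r2"})])
    nf = normal_form(pres)
    print(render(nf))
    print(render(view_for_role(nf, "r2")))
```

The first presentation normalizes to seq(par(A1 V1), par(V1), par(A2)): V1 outlives A1, so it is split into two pieces. The view for r2 keeps A1 and A2 but leaves the middle slot empty, the "(Empty)" slot of the RBAC slide. The same code handles the Object Identity arrangements, e.g. par(seq(A1, A2), seq(V1, V2)), whose normal form depends on the durations and not only on the tree.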
The Inference Problem
  General purpose database: non-confidential data + metadata  ->  undesired inferences
  Semantic Web: non-confidential data + metadata (data and application semantics) + computational power + connectivity  ->  undesired inferences
Association Graph
  Association similarity measure; for example:
    distance of each node from the association root
    difference of the distances of the nodes from the association root
    complexity of the sub-trees originating at the nodes
  [Figure: an XML document about a public air show, and its association graph with the nodes address and fort under a root labelled Public (AC).]
Correlated Inference
  Concept generalization: weighted concepts, concept abstraction level, range of allowed abstractions.
  Concept hierarchy (sub :: super):
    waterSource :: Object
    basin :: waterSource
    place :: Object
    district :: place
    address :: place
    base :: Object
    fort :: base
  Public association: (address, fort). Confidential association: (waterSource, base). The pair (district, basin) is in question: can releasing it let a reader reach the confidential association?
  [Figure: address and district generalize to place, fort to base, basin to waterSource. The two released associations join on place, and the remaining concepts form (waterSource, base), which is confidential.]
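The correlated-inference check of the two slides above, as an added example that is not code from the talk: concepts are generalized up to an allowed number of levels, two released associations are joined on a shared generalized concept, and the association formed by their remaining components is compared with the confidential ones. The hierarchy is the slide's; the public and confidential association lists, the join rule and the function names are the example's own assumptions.

```python
# Concept hierarchy from the slide, in the "sub :: super" notation used there.
HIERARCHY = """
waterSource :: Object
basin :: waterSource
place :: Object
district :: place
address :: place
base :: Object
fort :: base
"""

# Constructed associations (concept pairs), assumed for the example.
PUBLIC = [("address", "fort"), ("district", "basin")]
CONFIDENTIAL = [("waterSource", "base")]


def parse_hierarchy(text):
    parent = {}
    for line in text.strip().splitlines():
        child, _, sup = (part.strip() for part in line.partition("::"))
        parent[child] = sup
    return parent


def generalizations(parent, concept, max_up):
    """The concept and its ancestors up to max_up levels (the allowed abstraction range)."""
    out, c = [concept], concept
    for _ in range(max_up):
        if c not in parent:
            break
        c = parent[c]
        out.append(c)
    return out


def correlated_inferences(parent, public, confidential, max_up):
    """Join two public associations on a shared generalized concept; their other two
    components form a derived association. Report it when it generalizes to a
    confidential association. Joining on the root Object is ignored as meaningless."""
    conf = {tuple(sorted((gx, gy)))
            for x, y in confidential
            for gx in generalizations(parent, x, max_up)
            for gy in generalizations(parent, y, max_up)}
    found = []
    for i, first in enumerate(public):
        for second in public[i + 1:]:
            for p, q in (first, first[::-1]):
                for r, s in (second, second[::-1]):
                    shared = (set(generalizations(parent, p, max_up))
                              & set(generalizations(parent, r, max_up)))
                    shared.discard("Object")
                    if not shared:
                        continue
                    for gq in generalizations(parent, q, max_up):
                        for gs in generalizations(parent, s, max_up):
                            pair = tuple(sorted((gq, gs)))
                            if pair in conf:
                                found.append({"public": (first, second),
                                              "join": min(shared), "derived": pair})
    return found


if __name__ == "__main__":
    parent = parse_hierarchy(HIERARCHY)
    for up in (0, 1):
        print(up, correlated_inferences(parent, PUBLIC, CONFIDENTIAL, up))
```

With no generalization allowed (max_up = 0) the two public pairs share nothing and no inference is reported; allowing one level of abstraction lets address and district meet at place, after which fort and basin generalize to the confidential (base, waterSource). The allowed range is therefore the knob that decides whether (district, basin) can be released alongside (address, fort).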
Inference Removal
  Relational databases: limit access to data.
  Web inferences: cannot redesign public data outside the protection domain; cannot modify or refuse an answer on an already published web page.
  Protection options: release misleading information; remove information; control access to metadata.
Metadata Security
  No security model exists for metadata. Can existing security models be used to protect it?
  RDF/S is the basic framework of the Semantic Web, and RDF/S supports simple inferences (entailment). This is not true of XML, so XML access control cannot be used to protect RDF/S data: hiding a triple is not enough when it can be re-derived from triples that stay accessible.
RDF/S Entailment Rules
  Example RDF/S entailment rules (http://www.w3.org/TR/rdf-mt/#rules):
    rdfs2:  (aaa, rdfs:domain, xxx) + (uuu, aaa, yyy)  ⇒  (uuu, rdf:type, xxx)
    rdfs3:  (aaa, rdfs:range, xxx) + (uuu, aaa, vvv)  ⇒  (vvv, rdf:type, xxx)
    rdfs5:  (uuu, rdfs:subPropertyOf, vvv) + (vvv, rdfs:subPropertyOf, xxx)  ⇒  (uuu, rdfs:subPropertyOf, xxx)
    rdfs9:  (uuu, rdfs:subClassOf, xxx) + (vvv, rdf:type, uuu)  ⇒  (vvv, rdf:type, xxx)   (used by the Secure RDF example)
    rdfs11: (uuu, rdfs:subClassOf, vvv) + (vvv, rdfs:subClassOf, xxx)  ⇒  (uuu, rdfs:subClassOf, xxx)
Example
  RDF triples:
    (Student, rdfs:subClassOf, Person)
    (University, rdfs:subClassOf, GovAgency)
    (studiesAt, rdfs:domain, Student)
    (studiesAt, rdfs:range, University)
    (studiesAt, rdfs:subPropertyOf, memberAt)
    (John, studiesAt, USC)
  [Figure: the same triples in graph format, with the entailed triples added step by step.]
Secure RDF
  Entailed data in RDF can cause illegal inferences:
    (John, studiesAt, USC) [S] + (studiesAt, rdfs:range, University) [S]  ⇒  (USC, rdf:type, University) [S]   (rdfs3)
    (USC, rdf:type, University) [S] + (University, rdfs:subClassOf, GovAgency) [S]  ⇒  (USC, rdf:type, GovAgency) [TS]   (rdfs9)
  A Secret user can infer TS information: the entailed triple is classified TS although both premises are only S. (The first step uses rdfs:range, since the range of studiesAt is University; its domain is Student.)
RDF Access Control
  Security policy: subject; object (object pattern); access mode
  Default policy
  Conflict resolution
  Classification of entailed data
  Flexible granularity
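A labelled RDFS forward-chainer that classifies entailed data and flags the illegal inference from the Secure RDF slide, as an added example that is not code from the talk or its RDF access control prototype. It implements the rules listed on the entailment slide (rdfs2, rdfs3, rdfs5, rdfs9, rdfs11), labels an entailed triple with the least upper bound of its premises, and compares that with the label the policy requires; the triples are the slide's, while the labels not given on the slides (UC on the two schema triples) are assumed.

```python
LEVEL = {"UC": 0, "S": 1, "TS": 2}   # UC < S < TS; a triple's label is what a reader needs


def lub(a, b):
    return a if LEVEL[a] >= LEVEL[b] else b


def entail(t1, t2):
    """One application of rdfs2/3/5/9/11 to the ordered pair (t1, t2), or None."""
    s1, p1, o1 = t1
    s2, p2, o2 = t2
    if p1 == "rdfs:domain" and p2 == s1:                            # rdfs2
        return (s2, "rdf:type", o1)
    if p1 == "rdfs:range" and p2 == s1:                             # rdfs3
        return (o2, "rdf:type", o1)
    if p1 == p2 == "rdfs:subPropertyOf" and o1 == s2:               # rdfs5
        return (s1, "rdfs:subPropertyOf", o2)
    if p1 == "rdfs:subClassOf" and p2 == "rdf:type" and o2 == s1:   # rdfs9
        return (s2, "rdf:type", o1)
    if p1 == p2 == "rdfs:subClassOf" and o1 == s2:                  # rdfs11
        return (s1, "rdfs:subClassOf", o2)
    return None


def closure(labelled):
    """Forward-chain to a fixpoint. An entailed triple gets the least upper bound of
    its premises' labels; if it is derivable in several ways the lowest label wins,
    because that is what the least-cleared reader can reconstruct."""
    facts = dict(labelled)
    changed = True
    while changed:
        changed = False
        items = list(facts.items())
        for t1, l1 in items:
            for t2, l2 in items:
                new = entail(t1, t2)
                if new is None:
                    continue
                lab = lub(l1, l2)
                if new not in facts or LEVEL[lab] < LEVEL[facts[new]]:
                    facts[new] = lab
                    changed = True
    return facts


def illegal_inferences(labelled, policy):
    """policy maps a triple to the label it must carry. Return the triples whose
    derivable label is lower than required, i.e. reachable by an under-cleared user."""
    derived = closure(labelled)
    return {t: (derived[t], need) for t, need in policy.items()
            if t in derived and LEVEL[derived[t]] < LEVEL[need]}


# The example graph from the slides; labels on the two schema triples are assumed.
DATA = {
    ("Student", "rdfs:subClassOf", "Person"): "UC",
    ("University", "rdfs:subClassOf", "GovAgency"): "S",
    ("studiesAt", "rdfs:domain", "Student"): "S",
    ("studiesAt", "rdfs:range", "University"): "S",
    ("studiesAt", "rdfs:subPropertyOf", "memberAt"): "UC",
    ("John", "studiesAt", "USC"): "S",
}
POLICY = {("USC", "rdf:type", "GovAgency"): "TS"}

if __name__ == "__main__":
    for triple, label in sorted(closure(DATA).items()):
        print(label, triple)
    print("illegal:", illegal_inferences(DATA, POLICY))
```

The closure derives (USC, rdf:type, GovAgency) at level S from S premises, so the TS requirement in the policy is reported as violated. Raising the premise (University, rdfs:subClassOf, GovAgency) to TS lifts the derived label to TS and the report disappears, which is the "classification of entailed data" decision the access control model has to make.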
Prototype Systems
  XML access control: secure views; association-level access control; MLS/XML delete
  Ontology-guided XML inferences
  RDF access control
  Future work: next versions; OWL access control; application-level security
Secure XML Updates - prototype architecture
  [Figure: component diagram of the secure XML update prototype. Java classes MACParser.java, MACModel.java, NodeSecurityManager.java, PathSatisfaction.java, NativeElementIndex.java, XMLUtil.java and UserManagement.java, plus a table keyed by absolute file path and user name; a request is parsed, checked against the MAC model and produces a result.]
Secure XML Updates - Example
  [Figure: screenshot of the prototype.]
RDF Access Control Example
  [Figure: screenshot of the prototype.]
Application Security
  Security policy: application semantics (from syntax to semantics); external requirements
  Privacy
  Trust management
  Compliance checking
Future Work
  Role of semantics: data- and application-specific characteristics
  Access control: dynamic, adaptable access control; federation management
  Collaboration: decentralized authentication, process management, contextual information, quality of service
  Formal models
Conclusions
  Need: collaboration between security experts and application developers.