XML and Security Csilla Farkas


XML and Security
Csilla Farkas
farkas@cse.sc.edu
http://www.cse.sc.edu/~farkas
Center of Information Assurance Engineering
Department of Computer Science and Engineering
University of South Carolina

Web Evolution
- Past: Human usage
  - HTTP
  - Static Web pages (HTML)
- Current: Human and some automated usage
  - Interactive Web pages
  - Web Services (WSDL, SOAP, SAML)
  - Semantic Web (RDF, OWL, RuleML, Web databases)
  - XML technology (data exchange, data representation)
- Future: Semantic Web Services

XML
- An Extensible Markup Language (XML) document describes the structure of data
- XML and HTML have a similar syntax

    <breakfast_menu>
      <food>
        <name>Belgian Waffles</name>
        <price>$5.95</price>
        <description>
          Two of our famous Belgian Waffles with plenty of real maple syrup
        </description>
        <calories>650</calories>
      </food>
      …
    </breakfast_menu>

DTD
- A Document Type Definition (DTD): meta-data for XML
- DTD enforced by a parser
- Valid XML document: conforms to the DTD

    <!DOCTYPE note [
      <!ELEMENT note (to,from,heading,body)>
      <!ELEMENT to (#PCDATA)>
      <!ELEMENT from (#PCDATA)>
      <!ELEMENT heading (#PCDATA)>
      <!ELEMENT body (#PCDATA)>
    ]>

XML Schema Definition (XSD)
- Describes structure of the XML Document

    <?xml version="1.0"?>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <xs:element name="note">
        <xs:complexType>
          <xs:sequence>
            <xs:element name="to" type="xs:string"/>
            <xs:element name="from" type="xs:string"/>
            <xs:element name="heading" type="xs:string"/>
            <xs:element name="body" type="xs:string"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:schema>

ARE THE EXISTING SECURITY MECHANISMS SUFFICIENT TO PROVIDE DATA AND APPLICATION SECURITY OF THE NEXT GENERATION WEB?

Information Assurance Inference Control Privacy Security Trust Applications Policy making Formal models Negotiation Protocol Analysis Anonymity Access control Semantic web security Encryption Information hiding Data mining Computer epidemic Data provenance Fraud Biometrics Access Control Inference Control

Limitation of Research
- Syntax-based
- No association protection
- Limited handling of updates
- No data or application semantics
- No inference control

Secure XML Views - Example

    <medicalFiles>                          UC
      <countyRec>                           S
        <patient>                           S
          <name>John Smith</name>           UC
          <phone>111-2222</phone>           S
        </patient>
        <physician>Jim Dale</physician>     UC
      </countyRec>
      <milBaseRec>                          TS
        <name>Harry Green</name>            UC
        <phone>333-4444</phone>             S
        <physician>Joe White</physician>    UC
        <milTag>MT78</milTag>               TS
      </milBaseRec>
    </medicalFiles>

[Figure: tree of the document with nodes medicalFiles, countyRec, milBaseRec, patient, name, phone, physician, milTag]
View over UC data

Secure XML Views - Example cont.

    <medicalFiles>
      <countyRec>
        <patient>
          <name>John Smith</name>
        </patient>
        <physician>Jim Dale</physician>
      </countyRec>
      <milBaseRec>
        <name>Harry Green</name>
        <physician>Joe White</physician>
      </milBaseRec>
    </medicalFiles>

[Figure: tree of the view with nodes medicalFiles, countyRec, milBaseRec, patient, name, physician]
View over UC data

Secure XML Views - Example cont.

    <medicalFiles>
      <tag01>
        <tag02>
          <name>John Smith</name>
        </tag02>
        <physician>Jim Dale</physician>
      </tag01>
      <tag03>
        <name>Harry Green</name>
        <physician>Joe White</physician>
      </tag03>
    </medicalFiles>

[Figure: tree of the view with nodes medicalFiles, countyRec, milBaseRec, patient, name, physician]
View over UC data

Secure XML Views - Example cont.

    <medicalFiles>                          UC
      <countyRec>                           S
        <patient>                           S
          <name>John Smith</name>           UC
        </patient>
        <physician>Jim Dale</physician>     UC
      </countyRec>
      <milBaseRec>                          TS
        <name>Harry Green</name>            UC
        <physician>Joe White</physician>    UC
      </milBaseRec>
    </medicalFiles>

[Figure: tree of the view with nodes medicalFiles, countyRec, milBaseRec, patient, name, physician]
View over UC data

Secure XML Views - Example cont.

    <medicalFiles>
      <name>John Smith</name>
      <physician>Jim Dale</physician>
      <name>Harry Green</name>
      <physician>Joe White</physician>
    </medicalFiles>

[Figure: tree of the view with nodes medicalFiles, name, physician]
View over UC data
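The three candidate UC views shown on the slides above (hidden ancestors kept by name, renamed to tagNN, or flattened away) can be generated from the labelled document. This is an added example, not code from the presentation; the "label" attribute, the function name secure_view and the mode names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

LEVELS = {"UC": 0, "S": 1, "TS": 2}

# Labelled document from the slides. Carrying the classification in a
# "label" attribute is an assumed encoding, not the presentation's format.
DOC = """<medicalFiles label="UC">
  <countyRec label="S">
    <patient label="S">
      <name label="UC">John Smith</name>
      <phone label="S">111-2222</phone>
    </patient>
    <physician label="UC">Jim Dale</physician>
  </countyRec>
  <milBaseRec label="TS">
    <name label="UC">Harry Green</name>
    <phone label="S">333-4444</phone>
    <physician label="UC">Joe White</physician>
    <milTag label="TS">MT78</milTag>
  </milBaseRec>
</medicalFiles>"""

def secure_view(doc, clearance, mode):
    """Build the view for `clearance`. `mode` says what happens to a hidden
    element that still has visible descendants: 'keep' its tag, 'rename' it
    to tagNN, or 'flatten' it away and splice the descendants into its parent."""
    counter = 0

    def visible(e):
        return LEVELS[e.get("label")] <= LEVELS[clearance]

    def build(e):
        nonlocal counter
        if visible(e):
            out = ET.Element(e.tag)
            out.text = (e.text or "").strip() or None
        elif not any(visible(d) for d in e.iter()):
            return []                      # nothing below may be shown
        elif mode == "flatten":
            return [k for c in e for k in build(c)]
        else:
            counter += 1                   # numbered in document order
            out = ET.Element(e.tag if mode == "keep" else f"tag{counter:02d}")
        for child in e:
            out.extend(build(child))
        return [out]

    root = build(ET.fromstring(doc))[0]    # the root is UC, so it is always visible
    return ET.tostring(root, encoding="unicode")
```

Comparing the three outputs side by side shows the trade-off the slides walk through: the 'keep' view exposes the names countyRec and milBaseRec to a UC reader, and the 'flatten' view no longer shows which physician belongs with which name.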

Secure XML Views - Solution
- Multi-Plane DTD Graph (MPG)
- Minimal Semantic Conflict Graph (association preservation)
- Cover story
- Transformation rules

Multi-Plane DTD Graph
MPG = DTD graph over multiple security planes
[Figure: MPG with planes TopSecret (TS), Secret (S) and Unclassified (UC); DTD nodes D,medicalFiles; D,countyRec; D,milBaseRec; D,patient; D,milTag; D,name; D,phone; D,physician]

Transformation - Example
[Figure: MPG, MSCG and Security Space over planes TS, S (Secret) and UC; nodes <medicalFiles>, <countyRec>, <milBaseRec>, <patient>, <physician>, <name>, <phone>, <milTag>]

Transformation - Example
[Figure: MPG, MSCG and SP over planes TS, S and UC; the same nodes with <emrgRec> added]

Transformation - Example
[Figure: MPG, MSCG and SP over planes TS, S and UC; nodes <medicalFiles>, <emrgRec>, <countyRec>, <milBaseRec>, <patient>, <physician>, <name>, <phone>, <milTag>]

Transformation - Example
[Figure: MPG, SP and Data Structure; data structure nodes medicalFiles, emergencyRec, physician, name]

Delete - Example
[Figure: Report tree; node labels Title Data Date Temperature Images Water Resources Concrete Location Civil Area Defense Sector; security levels P, S, TS]

Delete Operations
- Delete entire sub-tree under a deleted node
  - Most widely used approach
  - Problem: blind write
- Delete only the viewable nodes
  - Problem: fragmentation of XML tree
- Reject the delete
  - Problem: covert channel

Different Solution – Deleted Label
- Basic Idea
  - A unique domain “Del” for deleted nodes
- Change security classification of deleted node (o, {do ∪ Del})
  - Perform after delete operation
- Change security clearance of users, where s = (s, {ds}) > (o, {do}) to ( (s, {ds}) , (o, {do ∪ Del}) )
  - Can be preprocessed
- Use BLP axioms

Example - Top Secret View
[Figure: Report tree as seen at Top Secret; node labels Title Data Date Temperature Images Concrete Location Defense Sector; one node labelled (S,{Del}); levels TS, P]
Subject clearances:
  (TS, {}) → { (TS, {}) , (S, {Del}), (P, {Del}) }
  (S, {}) → { (S, {}), (P, {Del}) }
  (P, {}) → { (P, {}) }
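The deleted-label scheme from the two slides above, written out as an added example (not code from the presentation): a delete relabels the node with the Del domain, and each subject's clearance is expanded in advance as in the "Subject clearances" list. The node labels in sample_tree are constructed, and reading is assumed to be allowed when any of the subject's clearance labels dominates the node label in the BLP sense.

```python
ORDER = {"P": 0, "S": 1, "TS": 2}          # levels used on the slides
DEL = "Del"                                 # the reserved domain for deleted nodes

def dominates(a, b):
    """BLP dominance: a's level is at least b's and a's domains include b's."""
    return ORDER[a[0]] >= ORDER[b[0]] and a[1] >= b[1]

def expand_clearance(level, domains=frozenset()):
    """Preprocessing step: keep (s,{ds}) and add (o,{ds + Del}) for every o < s."""
    ds = frozenset(domains)
    return {(level, ds)} | {(o, ds | {DEL}) for o in ORDER if ORDER[o] < ORDER[level]}

def delete(tree, node):
    """Relabel (o,{do}) as (o,{do + Del}); nothing is removed from the tree."""
    level, domains = tree[node]
    tree[node] = (level, domains | {DEL})

def view(tree, level):
    """Nodes a subject cleared at `level` can read, with deleted ones flagged."""
    clearances = expand_clearance(level)
    return [name + (" [deleted]" if DEL in label[1] else "")
            for name, label in tree.items()
            if any(dominates(c, label) for c in clearances)]

def sample_tree():
    """Constructed labels for a few nodes of the Report tree (not from the slides)."""
    none = frozenset()
    return {"Report": ("P", none), "Data": ("P", none),
            "Location": ("S", none), "Defense Sector": ("TS", none)}
```

After delete(tree, "Location"), the S-level view no longer lists Location, while the TS-level view still shows it flagged as deleted together with the TS node beneath it.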

Node Association - Example
[Figure: DTD of Patient Health Record; elements MedicalDb, Patient*, Name, SSN, Phone, Birthdate, Race, Allergies, Allergen*, Date, Diagnosis, Physician, Prescription*, Comments]

Layered Access Control Object - Association level classification + - Node level classification

Simple Security Object  ti : (ti) = (o) t1 t4 t3 t2

Association Security Object  ti : (ti) < (o) t1 t4 t3 t2

Query Pattern

    FOR $x in //r
    LET $y := $x/d, $z := $x/a
    WHERE { $z/b==$y}
    RETURN <answer> {$z/c} </answer>

[Figure: query pattern tree with nodes b, c and v1]

Pattern Automata
Pattern Automata X = { Σ, Q, q0 , Qf , δ }
- Σ = E ∪ A ∪ { pcdata, // }
- Q = { q0 , … , qn }
- Qf ⊆ Q, (q0 ∉ Qf)
- δ is a transition function
- Valid transitions on δ are of the following form: σ(qi, … ,qj) → qk
- If δ does not contain a valid transition rule, the default new state is q0

Pattern Automata - Example
Σ = { a, b, c, // }
Q = { q0, qa, qb, qc }
Qf = { qa }
δ = { b( ) → qb , c( ) → qc , a(qb,qc) → qa , *(qa) → qa }
[Figure: Association object (nodes //, a, b, c) and its Pattern Automata]
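A bottom-up run of the example automaton above, as an added example that is not code from the presentation. Trees are written as (symbol, [children]) tuples, and a rule is assumed to fire when the child states it names all occur among the node's children (extra children in other states are ignored); both are assumptions of this sketch, as are the two constructed sample trees.

```python
Q0, QA, QB, QC = "q0", "qa", "qb", "qc"
FINAL = {QA}

# (symbol, child states the rule needs, resulting state); "*" matches any symbol.
# The wildcard rule is listed first so a match found lower in the tree is
# never overwritten on the way up.
RULES = [
    ("*", {QA}, QA),
    ("b", set(), QB),
    ("c", set(), QC),
    ("a", {QB, QC}, QA),
]

def run(tree):
    """Bottom-up run: compute the children's states, then apply the first rule
    whose symbol matches and whose needed states all occur among them."""
    symbol, children = tree
    kids = {run(child) for child in children}
    for rule_symbol, needed, target in RULES:
        if rule_symbol in (symbol, "*") and needed <= kids:
            return target
    return Q0                      # default state when no rule applies

def accepts(tree):
    """True when the tree contains the association object a(b, c)."""
    return run(tree) in FINAL

# Constructed trees: the first has the r/d/a/b/c shape of the query pattern,
# the second lacks c under a.
WITH_ASSOCIATION = ("//", [("r", [("d", []),
                                  ("a", [("b", [("pcdata", [])]), ("c", [])])])])
WITHOUT_ASSOCIATION = ("//", [("r", [("d", []), ("a", [("b", [])])])])
```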

Application Security Security Policy: Application semantics (from syntax to semantics) External requirements Privacy Trust management Compliance checking

Future Work
- Role of semantics: data and application specific characteristics
- Access Control: dynamic, adaptable access control, federation management
- Collaboration: decentralized authentication, process management, contextual info, quality of service
- Formal Models