Computer Science and Engineering 1 XML, RDF, Workflow Security.

Presentation transcript:

Computer Science and Engineering 1 XML, RDF, Workflow Security

2 Reading
Required:
– Ernesto Damiani, Sabrina De Capitani di Vimercati, Stefano Paraboschi, and Pierangela Samarati. A fine-grained access control system for XML documents. ACM Trans. Inf. Syst. Secur. 5, 2 (May 2002).
– A. Stoica and C. Farkas, “Secure XML Views,” Proc. 16th IFIP WG11.3 Working Conference on Database and Application Security.
– Amit Jain and Csilla Farkas. Secure resource description framework: an access control model. In Proceedings of the eleventh ACM symposium on Access control models and technologies (SACMAT '06). ACM, New York, NY, USA.

3 Semantic Web From: T.B. Lee

4 Secure Technologies
Security on the Web
Data Security
– XML
– Inferences
Metadata Security
– RDF
Application Security

5 Secure XML Views - Example
[Figure: XML document with element classification labels (UC, S, TS) and values John Smith, Jim Dale, Harry Green, Joe White, MT78; tree nodes: medicalFiles, countyRec, milBaseRec, patient, name, physician, phone, milTag; caption: View over UC data]

6 Secure XML Views - Example cont.
[Figure: XML document with values John Smith, Jim Dale, Harry Green, Joe White; tree nodes: medicalFiles, countyRec, milBaseRec, patient, name, physician; caption: View over UC data]

7 Secure XML Views - Example cont.
[Figure: XML document with values John Smith, Jim Dale, Harry Green, Joe White; tree nodes: medicalFiles, countyRec, milBaseRec, patient, name, physician; caption: View over UC data]

8 Secure XML Views - Example cont.
[Figure: XML document with element classification labels (UC, S, TS) and values John Smith, Jim Dale, Harry Green, Joe White; tree nodes: medicalFiles, countyRec, milBaseRec, patient, name, physician; caption: View over UC data]

9 Secure XML Views - Example cont.
[Figure: XML document with values John Smith, Jim Dale, Harry Green, Joe White; tree nodes: medicalFiles, name, physician; caption: View over UC data]

10 Secure XML Views - Solution
Multi-Plane DTD Graph (MPG)
Minimal Semantic Conflict Graph (association preservation)
Cover story
Transformation rules

11 Multi-Plane DTD Graph
[Figure: DTD nodes (D, medicalFiles), (D, countyRec), (D, milBaseRec), (D, patient), (D, milTag), (D, name), (D, phone), (D, physician) with labels UC, S and TS on the Unclassified, Secret and TopSecret planes]
MPG = DTD graph over multiple security planes

12 Transformation - Example
[Figure: MPG with TS, S and UC planes; MSCG over name, phone and physician; labels: Security Space, Secret]

13 Transformation - Example
[Figure: MPG with TS, S and UC planes; SP; MSCG over name and physician]

14 Transformation - Example
[Figure: MPG with TS, S and UC planes; SP; MSCG]

15 Transformation - Example
[Figure: MPG with TS, S and UC planes; SP; Data Structure: medicalFiles, emergencyRec, name, physician]

16 Node Association - Example
[Figure: DTD of Patient Health Record with nodes MedicalDb, Patient *, Allergies, Allergen *, Phone, Birthdate, Name, SSN, Race, DateDiagnosis, Physician, Prescription *, Comments; node groups: Patient, Phone, Name; Patient, Birthdate, Race, DateDiagnosis, Comments]

Node level classification Layered Access Control Object - Association level classification

18 Simple Security Object
[Figure: object o with t1, t2, t3, t4]
 t_i : (t_i) = (o)

19 Association Security Object
[Figure: object o with t1, t2, t3, t4]
 t_i : (t_i) < (o)

20 Query Pattern
FOR $x in //r
LET $y := $x/d, $z := $x/a
RETURN {$z/c}
WHERE { $z/b==$y}
[Figure: query pattern tree over /, r, d, a, b, c with value v1]

21 Pattern Automata
Pattern Automata X = { , Q, q_0, Q_f,  }
–  = E  A  { pcdata, //}
–  is a transition function
– Q = {q_0, …, q_n}
– Q_f  Q, (q_0  Q_f)
Valid transitions on  are of the following form:  (q_i, …, q_j)  q_k
If  does not contain a valid transition rule, the default new state is q_0

22 Pattern Automata - Example
[Figure: association object over a, b, c and /]
 = { a, b, c, //}
Q = {q_0, q_a, q_b, q_c}
Q_f = {q_a}
 = { b( )  q_b, c( )  q_c, a(q_b, q_c)  q_a, *(q_a)  q_a }
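The example automaton above, run bottom-up over an XML tree to decide whether a released view still contains the association object a(b, c). This is an added example, not code from the slides. It assumes that a rule fires when every required child state is present and that extra children in q_0 do not block it; the two documents are constructed.

```python
import xml.etree.ElementTree as ET

# Transitions from the slide's example: label -> (child states required, new state).
DELTA = {
    "b": (set(), "q_b"),             # b( )         q_b
    "c": (set(), "q_c"),             # c( )         q_c
    "a": ({"q_b", "q_c"}, "q_a"),    # a(q_b, q_c)  q_a
}
FINAL = {"q_a"}                      # Q_f = {q_a}

def run(node):
    """Return the state assigned to `node`, computed from its children upward."""
    child_states = {run(child) for child in node}
    if child_states & FINAL:         # *(q_a)  q_a: carry acceptance up to the root
        return "q_a"
    required, result = DELTA.get(node.tag, (None, "q_0"))
    # Assumption of this example: the rule fires when all required child
    # states occur among the children; children in q_0 are ignored.
    if required is not None and required <= child_states:
        return result
    return "q_0"                     # default new state when no rule applies

def contains_association(xml_text):
    """True when the document contains the association object a(b, c)."""
    return run(ET.fromstring(xml_text)) in FINAL

# Constructed documents: the full record, and a view with c removed.
FULL = "<r><d>v1</d><a><b>v1</b><c>x</c></a></r>"
VIEW = "<r><d>v1</d><a><b>v1</b></a></r>"

if __name__ == "__main__":
    print("full document exposes association:", contains_association(FULL))
    print("view exposes association:", contains_association(VIEW))
```
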

23 The Inference Problem
General Purpose Database: Non-confidential data + Metadata  Undesired Inferences
Semantic Web: Non-confidential data + Metadata (data and application semantics) + Computational Power + Connectivity  Undesired Inferences

24 Association Graph
Association similarity measure
– Distance of each node from the association root
– Difference of the distance of the nodes from the association root
– Complexity of the sub-trees originating at nodes
Example: Air show address fort
XML document:
Association Graph: address fort Public Public, AC

25 Correlated Inference
Object[].
waterSource :: Object
basin :: waterSource
place :: Object
district :: place
address :: place
base :: Object
fort :: base
[Figure: address, fort (Public); district, basin (Public); Water source base (Confidential); ?]
Concept Generalization: weighted concepts, concept abstraction level, range of allowed abstractions

26 Correlated Inference (cont.)
Object[].
waterSource :: Object
basin :: waterSource
place :: Object
district :: place
address :: place
base :: Object
fort :: base
[Figure: address, fort (Public); district, basin (Public); place, base, Water Source; Water source, Base, Place; Water source base (Confidential)]

27 Inference Removal
Relational databases: limit access to data
Web inferences
– Cannot redesign public data outside of protection domain
– Cannot modify/refuse answer to already published web page
Protection Options:
– Release misleading information
– Remove information
– Control access to metadata

28 Metadata Security
No security model exists for metadata
Can we use existing security models to protect metadata?
RDF/S is the Basic Framework for SW
RDF/S supports simple inferences
This is not true of XML: XML Access control cannot be used to protect RDF/S data

29 RDF/S Entailment Rules
Example RDF/S Entailment Rules ( mt/#rules )
Rdfs2:
– (aaa, rdfs:domain, xxx) + (uuu, aaa, yyy)  (uuu, rdf:type, xxx)
Rdfs3:
– (aaa, rdfs:range, xxx) + (uuu, aaa, vvv)  (vvv, rdf:type, xxx)
Rdfs5:
– (uuu, rdfs:subPropertyOf, vvv) + (vvv, rdfs:subPropertyOf, xxx)  (uuu, rdfs:subPropertyOf, xxx)
Rdfs11:
– (uuu, rdfs:subClassOf, vvv) + (vvv, rdfs:subClassOf, xxx)  (uuu, rdfs:subClassOf, xxx)

30 Example Graph Format
RDF Triples:
(Student, rdfs:subClassOf, Person)
(University, rdfs:subClassOf, GovAgency)
(studiesAt, rdfs:domain, Student)
(studiesAt, rdfs:range, University)
(studiesAt, rdfs:subPropertyOf, memberAt)
(John, studiesAt, USC)

31 Example Graph Format

32 Example Graph Format

33 Example Graph Format

34 Secure RDF
Entailed Data in RDF can cause illegal inferences:
(John, studiesAt, USC) [S] + (studiesAt, rdfs:range, University) [S]  (USC, rdf:type, University) [S]
(USC, rdf:type, University) [S] + (University, rdfs:subClassOf, GovAgency) [S]  (USC, rdf:type, GovAgency) [TS]
Secret User can infer TS information
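The inference on this slide, worked through as an added example (not code from the slides or from the cited Secure RDF paper). It applies rules rdfs2, rdfs3, rdfs5 and rdfs11 from the entailment-rules slide, plus the W3C rules rdfs7 and rdfs9 (rdfs9 is the subclass step used above), to the triples of the Example Graph Format slide and reports entailed triples that are derivable below their classification. The UC/S labels on the stated triples and the POLICY entry are constructed for the illustration.

```python
# Added example (not from the slides): RDFS entailment with security labels.
RANK = {"UC": 0, "S": 1, "TS": 2}
TRANSITIVE = {"rdfs:subPropertyOf", "rdfs:subClassOf"}

# Triples from the "Example Graph Format" slide; the labels are constructed here.
GRAPH = {
    ("Student", "rdfs:subClassOf", "Person"): "UC",
    ("University", "rdfs:subClassOf", "GovAgency"): "S",
    ("studiesAt", "rdfs:domain", "Student"): "UC",
    ("studiesAt", "rdfs:range", "University"): "S",
    ("studiesAt", "rdfs:subPropertyOf", "memberAt"): "UC",
    ("John", "studiesAt", "USC"): "S",
}
# Constructed policy: classification assigned to a triple, stated or entailed.
POLICY = {("USC", "rdf:type", "GovAgency"): "TS"}

def rules(g):
    """Yield (conclusion, premises) for rdfs2, 3, 5, 7, 9 and 11."""
    for a in g:
        for b in g:
            (s, p, o), (s2, p2, o2) = a, b
            if p == "rdfs:domain" and p2 == s:                # rdfs2
                yield (s2, "rdf:type", o), (a, b)
            if p == "rdfs:range" and p2 == s:                 # rdfs3
                yield (o2, "rdf:type", o), (a, b)
            if p == p2 and p in TRANSITIVE and o == s2:       # rdfs5, rdfs11
                yield (s, p, o2), (a, b)
            if p == "rdfs:subPropertyOf" and p2 == s:         # rdfs7
                yield (s2, o, o2), (a, b)
            if p == "rdfs:subClassOf" and p2 == "rdf:type" and o2 == s:  # rdfs9
                yield (s2, "rdf:type", o), (a, b)

def closure(graph):
    """Map each stated or entailed triple to the lowest clearance able to derive it."""
    level = dict(graph)
    changed = True
    while changed:
        changed = False
        for concl, prem in list(rules(level)):
            need = max((level[t] for t in prem), key=RANK.get)
            if concl not in level or RANK[need] < RANK[level[concl]]:
                level[concl], changed = need, True
    return level

def leaks(graph, policy):
    """Triples a user can derive at a clearance below their policy label."""
    return {t: (lvl, policy[t]) for t, lvl in closure(graph).items()
            if t in policy and RANK[lvl] < RANK[policy[t]]}

if __name__ == "__main__":
    for triple, (derivable_at, classified) in leaks(GRAPH, POLICY).items():
        print(triple, "derivable at", derivable_at, "but classified", classified)
```

Raising the label of (University, rdfs:subClassOf, GovAgency) to TS in GRAPH removes the reported leak, because the entailed triple then inherits TS from its premise.
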

35 RDF Access Control
Security Policy
– Subject
– Object
– Object pattern
– Access Mode
Default policy
Conflict Resolution
Classification of entailed data
Flexible granularity

36 Business Process
Increased complexity
Workflow specification
– Workflow correctness
– Workflow security
Automated analysis
Internet Security - Farkas

37 Workflow Verification
Detect conflicts and anomalies
Lack of formal methods and tools

38 What to represent?
Activity-based workflow model
– Design-time analysis
– Implementation-time verification
Reading: propositional logic
– Activities
– Basic workflow constructs
– Activity “leads” to other activity

39 Workflow
[Figure: workflow over activities a1, a2, a4 with a + node]

40 WS-BPEL
Language to specify business processes that are composed of Web services as well as exposed as Web services
WS-BPEL specifications are portable -- can be carried out by every WS-BPEL compliant execution environment

41 Two-Level Programming Model
Programming in the large
– Non-programmers implementing processes
Flow logic
Programming in the small
– Programmers implementing low-level services
Function logic

42 WS-BPEL Flow Oriented
[Figure: Request, Invoke, Response]
SOA and WS-BPEL

43 Security and Workflow
Identity Management
Authorization: e.g., data access controls
Process constraints
Provenance

44 Issues
Need to distinguish between functionality & security guarantees
– How to handle trust management?
Workflows are process or data centric
– How to map to user-centric system security policies?
Planning and enactment are complex/rich processes
– How to establish security assurance of a complex mechanism?

45 Next Class
Cloud computing