XML and Security
Csilla Farkas, farkas@cse.sc.edu
Center of Information Assurance Engineering, Department of Computer Science and Engineering, University of South Carolina
Web Evolution

Past: human usage
- HTTP
- Static Web pages (HTML)

Current: human and some automated usage
- Interactive Web pages
- Web Services (WSDL, SOAP, SAML)
- Semantic Web (RDF, OWL, RuleML, Web databases)
- XML technology (data exchange, data representation)

Future: Semantic Web Services
XML

An Extensible Markup Language (XML) document describes the structure of data. XML and HTML have a similar syntax.

```xml
<breakfast_menu>
  <food>
    <name>Belgian Waffles</name>
    <price>$5.95</price>
    <description>Two of our famous Belgian Waffles with plenty of real maple syrup</description>
    <calories>650</calories>
  </food>
  …
</breakfast_menu>
```
DTD

A Document Type Definition (DTD) is meta-data for XML: it declares which elements may appear and how they nest. A validating parser enforces the DTD; an XML document that conforms to its DTD is called valid.

```xml
<!DOCTYPE note [
  <!ELEMENT note (to,from,heading,body)>
  <!ELEMENT to (#PCDATA)>
  <!ELEMENT from (#PCDATA)>
  <!ELEMENT heading (#PCDATA)>
  <!ELEMENT body (#PCDATA)>
]>
```
XML Schema Definition (XSD)

Describes the structure of the XML document. The same note document as above, described by an XSD instead of a DTD:

```xml
<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="note">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="to" type="xs:string"/>
        <xs:element name="from" type="xs:string"/>
        <xs:element name="heading" type="xs:string"/>
        <xs:element name="body" type="xs:string"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
```
Are the existing security mechanisms sufficient to provide data and application security for the next-generation Web?
Information Assurance

Research areas (shown as a word cloud on the original slide): inference control, privacy, security, trust, applications, policy making, formal models, negotiation, protocol analysis, anonymity, access control, semantic web security, encryption, information hiding, data mining, computer epidemics, data provenance, fraud, biometrics.
Limitations of Existing Research

- Syntax-based
- No association protection
- Limited handling of updates
- No data or application semantics
- No inference control
Secure XML Views - Example

Each node of the medicalFiles document carries a classification (UC = Unclassified, S = Secret, TS = Top Secret), shown here as trailing comments:

```xml
<medicalFiles>                          <!-- UC -->
  <countyRec>                           <!-- S -->
    <patient>                           <!-- S -->
      <name>John Smith</name>           <!-- UC -->
      <phone></phone>                   <!-- S -->
    </patient>
    <physician>Jim Dale</physician>     <!-- UC -->
  </countyRec>
  <milBaseRec>                          <!-- TS -->
    <name>Harry Green</name>            <!-- UC -->
    <phone></phone>                     <!-- S -->
    <physician>Joe White</physician>    <!-- UC -->
    <milTag>MT78</milTag>               <!-- TS -->
  </milBaseRec>
</medicalFiles>
```

[Figure: the document as a tree, with the view over UC data marked]
Secure XML Views - Example (cont.)

View over UC data that keeps the structure of the original document. The S and TS leaves (phone, milTag) are gone, but the S and TS container elements countyRec, patient and milBaseRec are still present, so their existence and their names are disclosed to a UC reader:

```xml
<medicalFiles>
  <countyRec>
    <patient>
      <name>John Smith</name>
    </patient>
    <physician>Jim Dale</physician>
  </countyRec>
  <milBaseRec>
    <name>Harry Green</name>
    <physician>Joe White</physician>
  </milBaseRec>
</medicalFiles>
```
Secure XML Views - Example (cont.)

The same view with the classified element names replaced by neutral tags (tag01, tag02, tag03), so that countyRec, patient and milBaseRec are no longer named in the UC view:

```xml
<medicalFiles>
  <tag01>
    <tag02>
      <name>John Smith</name>
    </tag02>
    <physician>Jim Dale</physician>
  </tag01>
  <tag03>
    <name>Harry Green</name>
    <physician>Joe White</physician>
  </tag03>
</medicalFiles>
```
Secure XML Views - Example (cont.)

Classifications of the nodes that remain in the view: the UC leaves name and physician sit under S and TS parents.

```xml
<medicalFiles>                          <!-- UC -->
  <countyRec>                           <!-- S -->
    <patient>                           <!-- S -->
      <name>John Smith</name>           <!-- UC -->
    </patient>
    <physician>Jim Dale</physician>     <!-- UC -->
  </countyRec>
  <milBaseRec>                          <!-- TS -->
    <name>Harry Green</name>            <!-- UC -->
    <physician>Joe White</physician>    <!-- UC -->
  </milBaseRec>
</medicalFiles>
```
Secure XML Views - Example (cont.)

View over UC data with the S and TS container elements removed entirely and their UC children promoted to medicalFiles. Nothing classified is shown, but the record boundaries are lost: the grouping of each name with its physician, and with the record it came from, is no longer expressed by the structure.

```xml
<medicalFiles>
  <name>John Smith</name>
  <physician>Jim Dale</physician>
  <name>Harry Green</name>
  <physician>Joe White</physician>
</medicalFiles>
```
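The three UC views above can be produced mechanically from one labelled document. The following Python is an added example, not code from the talk. It assumes that each element carries its classification in a `sec` attribute with UC < S < TS (an unlabelled element inherits its parent's label; the attribute name is a choice made here) and implements the three reductions the slides show: drop every classified subtree, keep classified ancestors as empty shells, or flatten UC descendants up to the nearest UC ancestor. The medicalFiles sample is constructed to mirror the slides' labels.

```python
"""Three ways to derive a view over UC data from a labelled XML document.

Added example: labels are assumed to sit in a `sec` attribute (UC < S < TS);
an unlabelled element inherits its parent's label.
"""
import xml.etree.ElementTree as ET

LEVELS = {"UC": 0, "S": 1, "TS": 2}

# Constructed sample following the slides' annotations.
LABELLED_DOC = """\
<medicalFiles sec="UC">
  <countyRec sec="S">
    <patient sec="S">
      <name sec="UC">John Smith</name>
      <phone sec="S">555-0100</phone>
    </patient>
    <physician sec="UC">Jim Dale</physician>
  </countyRec>
  <milBaseRec sec="TS">
    <name sec="UC">Harry Green</name>
    <phone sec="S">555-0199</phone>
    <physician sec="UC">Joe White</physician>
    <milTag sec="TS">MT78</milTag>
  </milBaseRec>
</medicalFiles>
"""


def label_of(elem, inherited):
    return elem.get("sec", inherited)


def readable(label, clearance):
    return LEVELS[label] <= LEVELS[clearance]


def view_prune(elem, clearance, inherited="UC"):
    """Drop every subtree rooted at an unreadable node.
    Readable descendants under an unreadable ancestor are lost with it."""
    lab = label_of(elem, inherited)
    if not readable(lab, clearance):
        return None
    out = ET.Element(elem.tag)
    out.text = elem.text
    for child in elem:
        kept = view_prune(child, clearance, lab)
        if kept is not None:
            out.append(kept)
    return out


def view_keep_structure(elem, clearance, inherited="UC"):
    """Keep unreadable ancestors as empty shells so readable descendants survive.
    Discloses the existence and tag names of classified containers."""
    lab = label_of(elem, inherited)
    out = ET.Element(elem.tag)
    if readable(lab, clearance):
        out.text = elem.text
    kept_children = []
    for child in elem:
        kept = view_keep_structure(child, clearance, lab)
        if kept is not None:
            kept_children.append(kept)
    if not readable(lab, clearance) and not kept_children:
        return None  # nothing visible below an unreadable node: drop it
    out.extend(kept_children)
    return out


def view_flatten(elem, clearance, inherited="UC"):
    """Promote readable descendants of unreadable nodes to the nearest readable
    ancestor. Hides classified structure but destroys the associations."""
    lab = label_of(elem, inherited)
    if readable(lab, clearance):
        out = ET.Element(elem.tag)
        out.text = elem.text
        for child in elem:
            out.extend(view_flatten(child, clearance, lab))
        return [out]
    promoted = []
    for child in elem:
        promoted.extend(view_flatten(child, clearance, lab))
    return promoted


def tag_paths(elem, prefix=""):
    """Element paths of a view, in document order, for comparing what each reveals."""
    path = f"{prefix}/{elem.tag}"
    paths = [path]
    for child in elem:
        paths.extend(tag_paths(child, path))
    return paths


def uc_views():
    root = ET.fromstring(LABELLED_DOC)
    return {
        "prune": tag_paths(view_prune(root, "UC")),
        "keep_structure": tag_paths(view_keep_structure(root, "UC")),
        "flatten": tag_paths(view_flatten(root, "UC")[0]),
    }


if __name__ == "__main__":
    for name, paths in uc_views().items():
        print(name, paths)
```

Compare the three path lists: pruning hides everything under countyRec and milBaseRec, the UC names included; keeping the shells exposes the classified element names; flattening exposes neither but loses the record boundaries, which is the association problem the following slides address.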
Secure XML Views - Solution

- Multi-Plane DTD Graph (MPG)
- Minimal Semantic Conflict Graph (MSCG) for association preservation
- Cover stories
- Transformation rules
Multi-Plane DTD Graph

MPG = DTD graph over multiple security planes.

[Figure: the medicalFiles DTD graph drawn across three planes, TopSecret, Secret and Unclassified; the DTD nodes medicalFiles, countyRec, milBaseRec, patient, physician, name, phone and milTag are each labelled UC, S or TS.]
Transformation - Example

[Figure sequence over four slides: the medicalFiles MPG with the nodes medicalFiles, countyRec, patient, name, phone, physician, milBaseRec and milTag in the Unclassified, Secret and Top Secret planes, alongside the Minimal Semantic Conflict Graph (MSCG) and the security space (SP). Across the steps a new node <emrgRec> (emergencyRec) is introduced under medicalFiles, and the last slide shows the resulting data structure.]
Delete - Example

[Figure: a Report tree with node classifications P, S and TS. Report (P) has Title and Data, the latter with Date, Temperature and Images, plus Water Resources, Concrete, Location, Civil Area and Defense Sector; question marks mark the nodes whose fate under a delete is being asked.]
Delete Operations

- Delete the entire subtree under the deleted node (the most widely used approach). Problem: blind write; the deleting subject also removes higher-classified descendants it cannot see.
- Delete only the nodes the subject can view. Problem: fragmentation of the XML tree.
- Reject the delete. Problem: covert channel; the rejection itself signals the presence of higher-classified data.
Different Solution - Deleted Label

Basic idea:
- A unique category (domain) "Del" marks deleted nodes.
- Change the security classification of the deleted node from (o, d_o) to (o, d_o ∪ {Del}). Performed after the delete operation.
- Change the security clearance of every user s with (s, d_s) > (o, d_o) from (s, d_s) to the set { (s, d_s), (o, d_o ∪ {Del}) }. This can be preprocessed.
- Use the BLP (Bell-LaPadula) axioms to decide access with the new labels.
Example - Top Secret View

[Figure: the Report tree as seen by a Top Secret subject. Report, Title, Data, Date, Temperature, Images, Concrete, Location and Defense Sector are shown with labels TS and P, and a deleted Secret node carries (S, {Del}).]

Subject clearances after preprocessing:
- (TS, {}) → { (TS, {}), (S, {Del}), (P, {Del}) }
- (S, {}) → { (S, {}), (P, {Del}) }
- (P, {}) → { (P, {}) }
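As an added example, not the slides' own code, here is the deleted-label scheme carried out on a labelled XML tree in Python. Its reading of the two slides above is an assumption: labels are (level, category-set) pairs with P < S < TS, a delete adds the category Del to the deleted node instead of removing it, and a subject cleared at level l reads with the label set {(l, D)} ∪ {(l', D ∪ {Del}) : l' < l}, which reproduces the three clearance sets listed on the slide. The Report document, its labels and the `sec` attribute are constructed for the demonstration after the earlier Report tree.

```python
"""Deleted-label (Del) handling on a labelled XML tree.

Added example. Labels are (level, categories) pairs as in Bell-LaPadula,
levels P < S < TS. Deleting a node relabels it with the extra category
"Del"; a subject's effective clearance set is its own label plus, for each
lower level, that level with Del added. Labels live in a `sec` attribute.
"""
import xml.etree.ElementTree as ET

LEVELS = ["P", "S", "TS"]


def parse_label(text):
    """'S' -> ('S', frozenset()); 'P,Del' -> ('P', frozenset({'Del'}))."""
    level, *cats = text.split(",")
    return level, frozenset(cats)


def dominates(a, b):
    """BLP dominance: level(a) >= level(b) and categories(a) ⊇ categories(b)."""
    return LEVELS.index(a[0]) >= LEVELS.index(b[0]) and a[1] >= b[1]


def effective_clearances(level, cats=frozenset()):
    """{(l, D)} ∪ {(l', D ∪ {Del}) : l' < l}, as listed on the slide."""
    own = (level, frozenset(cats))
    lower = [(l, frozenset(cats) | {"Del"}) for l in LEVELS[:LEVELS.index(level)]]
    return [own] + lower


def can_read(subject_level, node_label):
    return any(dominates(c, node_label) for c in effective_clearances(subject_level))


def delete(elem, label_attr="sec"):
    """Mark elem deleted: its classification becomes (level, cats ∪ {Del})."""
    level, cats = parse_label(elem.get(label_attr))
    elem.set(label_attr, ",".join([level, *sorted(cats | {"Del"})]))


def visible_paths(elem, subject_level, inherited=None, prefix=""):
    """Paths of the nodes the subject may read; unreadable subtrees are cut."""
    label = parse_label(elem.get("sec")) if elem.get("sec") else inherited
    if not can_read(subject_level, label):
        return []
    path = f"{prefix}/{elem.tag}"
    paths = [path]
    for child in elem:
        paths.extend(visible_paths(child, subject_level, label, path))
    return paths


# Constructed sample: a Public report whose Data node is Public but holds a
# Secret child, plus a Top Secret sibling the Public subject never sees.
REPORT = """\
<Report sec="P">
  <Title sec="P">Quarterly survey</Title>
  <Data sec="P">
    <Date sec="P">2009-05-01</Date>
    <Temperature sec="P">21</Temperature>
    <Images sec="S">img-42</Images>
  </Data>
  <DefenseSector sec="TS">DS-7</DefenseSector>
</Report>
"""


def delete_demo():
    """A P subject deletes Data. Returns what each level sees afterwards."""
    root = ET.fromstring(REPORT)
    data = root.find("Data")
    assert can_read("P", parse_label(data.get("sec")))  # P may act on it
    delete(data)  # Data is now (P, {Del}); its Secret child is untouched
    return {lvl: visible_paths(root, lvl) for lvl in LEVELS}


if __name__ == "__main__":
    for lvl, paths in delete_demo().items():
        print(lvl, paths)
```

After the Public subject deletes Data, the P view no longer contains it, while S and TS subjects still see Data together with its Secret child Images: nothing they could read was blindly destroyed, and the delete did not have to be rejected.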
Node Association - Example

[Figure: DTD of a Patient Health Record. MedicalDb contains Patient* (repeated); a Patient has Name, SSN, Phone, Birthdate, Race, Allergies (with Allergen*), Date, Diagnosis, Physician, Prescription* and Comments. The left part of the figure shows two association groupings: Patient with Phone and Name, and Patient with Birthdate, Race, Date, Diagnosis and Comments.]
Layered Access Control

Object classification = node-level classification + association-level classification.
Simple Security Object

An object o whose component nodes t_i all carry the same classification as o: for every t_i, the classification of t_i equals the classification of o.

[Figure: object o with component nodes t1, t2, t3, t4]
Association Security Object

An object o whose component nodes t_i are each classified strictly lower than o: for every t_i, the classification of t_i is less than the classification of o. The sensitivity lies in the association of the nodes, not in any node by itself.

[Figure: object o with component nodes t1, t2, t3, t4]
Query Pattern

```xquery
for $x in //r
let $y := $x/d, $z := $x/a
where $z/b = $y
return <answer> {$z/c} </answer>
```

[Figure: the query pattern as a tree: r with children d and a, a with children b and c; a value v1 joins b and d.]
Pattern Automata

A pattern automaton is X = { Σ, Q, q0, Qf, δ } where
- Σ = E ∪ A ∪ { pcdata, // } is the alphabet
- Q = { q0, …, qn } is the set of states
- Qf ⊆ Q is the set of final states, with q0 ∉ Qf
- δ is the transition function; valid transitions have the form σ(qi, …, qj) → qk, assigning state qk to a node labelled σ whose children are in states qi, …, qj
- if δ contains no valid transition rule for a node, the default new state is q0
Pattern Automata - Example

Automaton for the association object a(b, c), reachable anywhere in the document (//):
- Σ = { a, b, c, // }
- Q = { q0, qa, qb, qc }
- Qf = { qa }
- δ = { b() → qb, c() → qc, a(qb, qc) → qa, *(qa) → qa }

[Figure: the association object as a tree, a with children b and c, reached via //]
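The automaton above, run as a bottom-up tree automaton over real XML in Python. This is an added example, not the talk's code. One assumption is made explicit in the code: the wildcard rule *(qa) → qa is matched after dropping child states equal to q0, so that siblings the pattern says nothing about (the y under r below) do not stop the association from reaching the root; exact rules such as a(qb, qc) are still matched against the full child-state tuple. Text nodes (pcdata) are ignored, and both inputs are constructed.

```python
"""Bottom-up tree automaton for an XML association pattern.

Added example running the slide's automaton
  Sigma = {a, b, c, //}, Q = {q0, qa, qb, qc}, Qf = {qa},
  delta = { b() -> qb, c() -> qc, a(qb, qc) -> qa, *(qa) -> qa }
over an XML document. Missing rules fall back to q0 as the slide states.
"""
import xml.etree.ElementTree as ET

Q0 = "q0"

# The slide's transition function delta. Keys are (symbol, child-state tuple).
DELTA = {
    ("b", ()): "qb",
    ("c", ()): "qc",
    ("a", ("qb", "qc")): "qa",
    ("*", ("qa",)): "qa",  # carries the match up any ancestor chain (the // part)
}
FINAL = {"qa"}


def run(elem, delta, default=Q0):
    """Return the state assigned to elem after processing its whole subtree."""
    child_states = tuple(run(child, delta, default) for child in elem)
    exact = (elem.tag, child_states)
    if exact in delta:
        return delta[exact]
    # Assumption: the wildcard rule ignores children that ended in the default
    # state, so unrelated siblings do not block propagation of a match.
    significant = tuple(s for s in child_states if s != default)
    wildcard = ("*", significant)
    if wildcard in delta:
        return delta[wildcard]
    return default


def accepts(xml_text, delta=DELTA, final_states=FINAL):
    """True when the document contains the association the automaton encodes."""
    root = ET.fromstring(xml_text)
    return run(root, delta) in final_states


# Constructed inputs.
MATCH = "<r><x><a><b/><c/></a></x><y/></r>"  # a(b, c) nested under r/x
NO_MATCH = "<r><a><b/></a><c/></r>"          # b and c present, but not under one a

if __name__ == "__main__":
    print("MATCH   ", accepts(MATCH))
    print("NO_MATCH", accepts(NO_MATCH))
```

The check is one bottom-up pass, so the cost is linear in the document size regardless of how deep the association is buried; the price is that the exact rules are order-sensitive, so a(c, b) is not recognised unless a second rule is added.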
Application Security

Security policy:
- Application semantics (from syntax to semantics)
- External requirements
- Privacy
- Trust management
- Compliance checking
Future Work

- Role of semantics: data- and application-specific characteristics
- Access control: dynamic, adaptable access control; federation management
- Collaboration: decentralized authentication, process management, contextual information, quality of service
- Formal models