Institute for Cyber Security
An Attribute-Based Protection Model for JSON Documents
Prosunjit Biswas, Ravi Sandhu and Ram Krishnan
Department of Computer Science
Department of Electrical and Computer Engineering
10th International Conference on Network and System Security
September 28th, 2016
World-Leading Research with Real-World Impact!

Outline
  Summary
  Motivation
  Background
  JSON protection model
  Labeling JSON elements
  Implementation
  Q/A

Summary
We have presented an attribute-based protection model and labeling schemes for securing JSON documents.

Motivation
Why JSON documents?

Motivation (continuing)
Why not reuse XML protection models?
Features of underlying data to be protected:
  Hierarchical relationship (e.g. house-no, street, town)
  Semantic association (e.g. phone-no, email, fax, mobile)
  Scatteredness (due to redundancy/duplicity)
Legend:
  - Considered in XML protection models
  - Not considered

Motivation (continuing)
Existing XML models vs proposed model
Fig 1 (a): Existing XML protection models (figure labels: Authorization policies, Nodes)
Fig 1 (b): Proposed JSON protection model (figure labels: Labeling policies, Nodes, Attribute values, Authorization policies)

Background - JSON
JSON data forms a rooted tree hierarchical structure (like XML).

Fig 2 (a): JSON data

{
  "emp-rec": {
    "name": "...",
    "con-info": {
      "email": "...",
      "work-phone": "..."
    },
    "emp-info": {
      "mobile": "...",
      "EID": "...",
      "salary": "..."
    },
    "sen-info": {
      "SSN": "...",
      "salary": "..."
    }
  }
}

Fig 2 (b): Corresponding JSON tree (key nodes)

emp-rec
  name
  con-info
    email
    work-phone
  emp-info
    mobile
    EID
    salary
  sen-info
    SSN
    salary

JSON protection model
Fig 3: Scope of the JSON protection model
  JSON protection model
    Specification of authorization policies
    Specification of labeling policies
      Content based labeling
      Path based labeling

JSON protection model (continuing)
Fig 4: The Attribute-based Operational Model (AtOM). Adapted from EAP-ABAC model [1].
Figure labels: U (users), UL, uLabel, ULH, sLabel, SLH, JE (JSON elements), JEH, A (actions), Policy, Micro-Policy
[1] Biswas, Prosunjit, Ravi Sandhu, and Ram Krishnan. "Label-Based Access Control: An ABAC Model with Enumerated Authorization Policy." Proceedings of the 2016 ACM International Workshop on Attribute Based Access Control. ACM, 2016.

JSON protection model - examples
Fig 5: (a) User-label values, (b) security-label values and (c) annotated JSON tree
(a) User-label values: manager, HR, employee, guest
(b) Security-label values: sensitive, employment, enterprise, public
(c) Annotated JSON tree:
  emp-rec {enterprise}
    con-info {enterprise}
      email {enterprise}
      work-phone {enterprise}
    sen-info {sensitive}
      SSN {sensitive}
      salary {sensitive}
Example of a policy:
  Policy read = {(manager, sensitive), (HR, employment), (employee, enterprise), (guest, public)}

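The read policy and the annotated tree of Fig 5 can be evaluated as follows. This is an added example, not code from the presentation or its prototype: the document values are constructed, and the two hierarchies and the rule that a policy tuple also covers senior users and junior security labels are assumptions.

```python
# Added example; label values and the read policy are those shown in Fig 5.
POLICY_READ = {("manager", "sensitive"), ("HR", "employment"),
               ("employee", "enterprise"), ("guest", "public")}

# ASSUMPTION: hierarchies, written as value -> directly junior values.
ULH = {"manager": ["employee"], "HR": ["employee"],
       "employee": ["guest"], "guest": []}
SLH = {"sensitive": ["enterprise"], "employment": ["enterprise"],
       "enterprise": ["public"], "public": []}

# sLabel annotations of Fig 5(c), keyed by path from the root.
LABELS = {p: "enterprise" for p in (
    "/emp-rec", "/emp-rec/con-info",
    "/emp-rec/con-info/email", "/emp-rec/con-info/work-phone")}
LABELS.update({p: "sensitive" for p in (
    "/emp-rec/sen-info", "/emp-rec/sen-info/SSN", "/emp-rec/sen-info/salary")})

# Constructed document; the values are placeholders.
DOC = {"emp-rec": {
    "con-info": {"email": "a@example.org", "work-phone": "555-0100"},
    "sen-info": {"SSN": "000-00-0000", "salary": "1000"},
}}

def juniors(hierarchy, value):
    """Return value together with every value junior to it."""
    seen, stack = set(), [value]
    while stack:
        v = stack.pop()
        if v not in seen:
            seen.add(v)
            stack.extend(hierarchy[v])
    return seen

def can_read(ulabel, slabel):
    """True if some policy tuple (ul, sl) covers this user/element pair."""
    return any(ul in juniors(ULH, ulabel) and slabel in juniors(SLH, sl)
               for ul, sl in POLICY_READ)

def filter_doc(node, ulabel, path=""):
    """Keep only subtrees whose root label is readable; unlabeled = denied."""
    if not isinstance(node, dict):
        return node
    out = {}
    for key, child in node.items():
        p = f"{path}/{key}"
        if p in LABELS and can_read(ulabel, LABELS[p]):
            out[key] = filter_doc(child, ulabel, p)
    return out
```

Because the root emp-rec carries {enterprise}, a guest receives an empty document, while an employee receives con-info but not sen-info.
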
Labeling JSON documents
Fig 6 (a): Types of labeling policies
  Specification of labeling policies
    Content based labeling
    Path based labeling

Labeling JSON documents (continuing)
Fig 6 (b): Purpose of labeling policies
  Purpose of labeling policies
    Restrict arbitrary labeling (Assignment control)
    Propagation of labels (Propagation control)

Labeling JSON documents – Assignment control
Fig 7 (a): Different types of Assignment controls
  Assignment controls
    No-restriction
    Senior-up
    Senior-down
    Junior-up
    Junior-down
Fig 7 (b): Junior-up assignment control (figure labels: Node i, Value i, Assignment, Senior nodes, Junior values)
  Senior nodes of Node i must be assigned junior values of Value i

Labeling JSON documents – Propagation control
Fig 8: Different types of propagation controls
  Propagation controls
    No-propagation
    One-level up
    One-level down
    Cascading-up
    Cascading-down

Labeling JSON documents – Path-based labeling model
Fig 9: Model for path-based labeling of JSON data
Figure labels: SCOPE (constant set), AC (assignment control), PC (propagation control), finite set, SL (security-label values), JPath (JSON path), LabelAssignments
Table 1: Example of path-based labeling

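One way to apply path-based label assignments under the junior-up assignment control and the downward propagation controls, as an added example that is not code from the presentation or its prototype. The assignment tuples, the security-label order, the acceptance of equal values and the restriction of the check to already-labeled ancestors are assumptions; the upward propagation controls are not covered.

```python
# Added example with constructed assignments; the controls are those of Figs 7-9.
# ASSUMPTION: security-label order, written as value -> itself and its juniors.
JUNIOR_EQ = {
    "sensitive": {"sensitive", "enterprise", "public"},
    "employment": {"employment", "enterprise", "public"},
    "enterprise": {"enterprise", "public"},
    "public": {"public"},
}
DOC = {"emp-rec": {"name": "...",
                   "con-info": {"email": "...", "work-phone": "..."},
                   "sen-info": {"SSN": "...", "salary": "..."}}}
DEPTH = {"no-propagation": 0, "one-level-down": 1, "cascading-down": None}

def all_paths(node, path=()):
    """Yield the key path of every node, parents before children."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield path + (key,)
            yield from all_paths(child, path + (key,))

def targets(doc, jpath, propagation):
    """Nodes a label reaches from jpath under the propagation control."""
    limit, n = DEPTH[propagation], len(jpath)
    return [p for p in all_paths(doc) if p[:n] == jpath
            and (limit is None or len(p) - n <= limit)]

def junior_up_ok(labels, path, value):
    """Junior-up: each labeled senior node (ancestor) holds a junior value.
    Equal values are accepted here, which is an assumption."""
    return all(labels[path[:i]] in JUNIOR_EQ[value]
               for i in range(1, len(path)) if path[:i] in labels)

def apply_assignments(doc, assignments):
    """Apply (jpath, value, propagation) tuples in order; collect rejections."""
    labels, rejected = {}, []
    for jpath, value, propagation in assignments:
        for p in targets(doc, jpath, propagation):
            if junior_up_ok(labels, p, value):
                labels[p] = value
            else:
                rejected.append((p, value))
    return labels, rejected

ASSIGNMENTS = [
    (("emp-rec",), "enterprise", "cascading-down"),
    (("emp-rec", "sen-info"), "sensitive", "cascading-down"),
    (("emp-rec", "con-info", "email"), "public", "no-propagation"),
]
```

The third assignment is rejected: labeling email {public} would leave its senior nodes holding {enterprise}, which is not junior to public.
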
Prototype implementation
Fig 10: Implementation in OpenStack Cloud
Figure labels: OpenStack Swift, OpenStack Keystone, JSON document, Keystone data, sLabel values, JSONAuth plugin, Roles as uLabel values, Labeling policies, Policy table, Required changes
Numbered flows in the figure:
  1,2: User's request to Keystone & responses with the credentials
  3: User request for JSON document
  4,5: Request & response from object server for JSON document
  6: User receives only authorized data from JSON document

Implementation - evaluation
Fig 11: Performance evaluation