Secure XML Database Access with Views
SecReT'09
Benoit Groz (joint work with Anne-Cécile Caron, Yves Roos, Sławek Staworko, Sophie Tison)
Mostrare, 10 July 2009
B. Groz, S. Staworko et al. (Mostrare), Secure XML Database Access with Views, 10 July 2009, slide 1/19
Securing databases with views
Many ways to enforce access control for XML. Among others:
Checking the queries:
  ◮ statically ⇒ may reject proper queries and access [OASIS project: XACML]
  ◮ dynamically ⇒ incurs a costly runtime security check [Murata et al. CCS'03]
Annotating the data:
  ◮ annotating the data, or materializing the view ⇒ expensive maintenance [Damiani et al. EDBT'00, Cho et al. VLDB'02]
  ◮ annotating the DTD, with a non-materialized view: queries are rewritten from the view to the document [Fan et al. SIGMOD'04, Vercammen et al., Rassadko et al. ...]
Outline
1. Non-materialized views and query rewriting
2. Comparing Access Control Policies
Visibilium omnium... et invisibilium ("of all things visible... and invisible")
"Whoever wishes to keep a secret must hide the fact that he possesses one." (attributed to Johann Wolfgang von Goethe)
Overview
[Figure: two columns, "Hidden part" and "User part". Hidden part: DTD D, annotation A (specifies hidden elements), document t. User part: view schema D_v (obtained from D and A by view derivation) and the user's query Q. Query rewriting turns Q into Q', which is evaluated on t to produce the answer.]
Answer to query Q = evaluation of Q' on the original document t
Framework: XML
XML document = tree. No data values.
  <projects>
    <project>
      <name> ... </name>
      ...
    </project>
    <project>
      ...
    </project>
  </projects>
The same document as a tree:
  projects
  ├─ project
  │  ├─ name
  │  ├─ stable
  │  │  ├─ src
  │  │  ├─ bin
  │  │  └─ doc
  │  └─ license
  │     └─ free
  └─ project
     ├─ name
     ├─ dev
     │  ├─ src
     │  └─ doc
     └─ license
        └─ free
Regular XPath
We use Regular XPath queries.
Query $q_1 = \Downarrow^* / \Downarrow{::}doc$ ("get all documentations")
Document t, with the node ids of the slide figure:
  projects [n0]
  ├─ project [n1]
  │  ├─ name [n3]
  │  ├─ stable [n4]
  │  │  ├─ src [n9]
  │  │  ├─ bin [n10]
  │  │  └─ doc [n11]
  │  └─ license [n5]
  │     └─ free [n12]
  └─ project [n2]
     ├─ name [n6]
     ├─ dev [n7]
     │  ├─ src [n13]
     │  └─ doc [n14]
     └─ license [n8]
        └─ free [n15]
$\mathit{Ans}(q_1, t) = \{n_{11}, n_{14}\}$
Regular XPath
Query $q_2 = \Downarrow{::}project[\Downarrow{::}stable] / \Downarrow{::}name$ ("get names of stable projects"), evaluated on the same document t as above
$\mathit{Ans}(q_2, t) = \{n_3\}$
Access control for XML
Document t:
  projects
  ├─ project
  │  ├─ name
  │  ├─ stable
  │  │  ├─ src
  │  │  ├─ bin
  │  │  └─ doc
  │  └─ license
  │     └─ free
  ├─ project
  │  ├─ name
  │  ├─ stable
  │  │  ├─ src
  │  │  ├─ bin
  │  │  └─ doc
  │  └─ license
  │     └─ propr
  └─ project
     ├─ name
     ├─ dev
     │  ├─ src
     │  └─ doc
     └─ license
        └─ free
We wish to hide:
  - whether a project is stable or in development
  - the binaries
  - the sources of non-free projects
DTD and Annotation
Example (document t as on the previous slide)
DTD D:
  projects → project*
  project → name, (stable | dev), license
  stable → src, bin, doc
  dev → src, doc
  license → free | propr
Annotation $A_0$:
  $A_0(project, stable) = \mathit{false}$
  $A_0(project, dev) = \mathit{false}$
  $A_0(stable, src) = [\Uparrow^*{::}project / \Downarrow^*{::}free]$
  $A_0(stable, doc) = \mathit{true}$
  $A_0(dev, src) = [\Uparrow^*{::}project / \Downarrow^*{::}free]$
  $A_0(dev, doc) = \mathit{true}$
The security view
View $A(t)$ of the document t above: the stable/dev nodes and the binaries are gone, and src survives only in the projects with a free license
  projects
  ├─ project
  │  ├─ name
  │  ├─ src
  │  ├─ doc
  │  └─ license
  │     └─ free
  ├─ project
  │  ├─ name
  │  ├─ doc
  │  └─ license
  │     └─ propr
  └─ project
     ├─ name
     ├─ src
     ├─ doc
     └─ license
        └─ free
Annotating the DTDs
⊲ annotation as a function $A : \Sigma \times \Sigma \to \{\mathit{true}, \mathit{false}, [f]\}$: $A(a, b)$ states whether a b-child of an a-node is accessible, either unconditionally or depending on the XReg filter f evaluated at that node.
Example
DTD D:
  projects → project*
  project → name, (stable | dev), license
  stable → src, bin, doc
  dev → src, doc
  license → free | propr
Annotation $A_0$:
  $A_0(project, stable) = \mathit{false}$
  $A_0(project, dev) = \mathit{false}$
  $A_0(stable, src) = [\Uparrow^*{::}project / \Downarrow^*{::}free]$
  $A_0(stable, doc) = \mathit{true}$
  $A_0(dev, src) = [\Uparrow^*{::}project / \Downarrow^*{::}free]$
  $A_0(dev, doc) = \mathit{true}$
Proposition
This model of annotation is equivalent to defining the accessible elements with an XReg filter $f^A_{acc}$ such that
  $\forall n \in N_t.\ n \text{ accessible wrt. } A \iff (t, n) \models f^A_{acc}$
Rewriting Queries
Theorem: Regular XPath is closed under query rewriting
There exists a function Rewrite such that
  $\forall t.\ \mathit{Ans}(Q, A(t)) = \mathit{Ans}(\mathit{Rewrite}(Q, A), t)$
Moreover, $\mathit{Rewrite}(Q, A)$ is computable in time $O(|A| \cdot |Q|)$.
Proof.
Translate the base axes using $f^A_{acc}$. For instance the parent step of the view climbs through hidden nodes to the nearest accessible ancestor:
  $\mathit{Rewrite}(\Uparrow, A) = \mathit{self}[f^A_{acc}] / (\Uparrow[\neg f^A_{acc}])^* / \Uparrow / \mathit{self}[f^A_{acc}]$
Then rewrite the query inductively.
Rewriting Queries
Hidden part: the three-project document t above. User part: the query Q, answered by evaluating Q' = Rewrite(Q, A) on t.
  $Q = \Downarrow{::}project / \Downarrow{::}src$
  $Q' = \Downarrow{::}project[license/free] / \Downarrow{::}* / \Downarrow{::}src$
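The following is an added example, not code from the paper or the Mostrare project. It encodes the annotation model of the "Annotating the DTDs" slides and the query rewriting of this slide on the three-project document t: the annotation $A_0$ is a table keyed by (parent label, child label), $f^A_{acc}$ is computed from it, the child step of the view is obtained by the rewriting $\mathit{Rewrite}(\Downarrow, A) = \mathit{self}[f^A_{acc}] / (\Downarrow[\neg f^A_{acc}])^* / \Downarrow / \mathit{self}[f^A_{acc}]$ (the downward counterpart of the parent-axis rule on the previous slide, written here by the editor), and Q is answered three ways: on a materialized view, with the hand-rewritten Q' of the slide, and with the generic rewriting, which never touches a view. Assumptions: the document is constructed to match the slide figure; the slide lists no rule for bin, so $A_0(stable, bin) = \mathit{false}$ is assumed since binaries are to be hidden; label pairs without a rule are visible; queries are written as Python functions rather than parsed from XPath syntax.

```python
# Added example (not the paper's code): annotation-based security views and
# query rewriting over a node-labelled tree without data values.
# Assumptions: A0(stable, bin) = false (binaries hidden, no rule on the slide);
# pairs without a rule are visible; document t is constructed to match the slides.

class Node:
    """XML element without data values: a label, ordered children, a parent."""
    def __init__(self, label, *children):
        self.label = label
        self.children = list(children)
        self.parent = None
        for c in children:
            c.parent = self

N = Node

# Constructed document t: stable/free, stable/propr, dev/free projects.
t = N("projects",
      N("project", N("name"), N("stable", N("src"), N("bin"), N("doc")), N("license", N("free"))),
      N("project", N("name"), N("stable", N("src"), N("bin"), N("doc")), N("license", N("propr"))),
      N("project", N("name"), N("dev", N("src"), N("doc")), N("license", N("free"))))

def ancestors_or_self(n):
    while n is not None:
        yield n
        n = n.parent

def descendants_or_self(n):
    yield n
    for c in n.children:
        yield from descendants_or_self(c)

def in_free_project(n):
    """The XReg filter [⇑*::project/⇓*::free] evaluated at node n."""
    return any(a.label == "project" and any(d.label == "free" for d in descendants_or_self(a))
               for a in ancestors_or_self(n))

# Annotation A0 : Σ × Σ → {true, false, [f]}, keyed by (parent label, child label).
A0 = {
    ("project", "stable"): False,
    ("project", "dev"): False,
    ("stable", "src"): in_free_project,
    ("stable", "bin"): False,          # assumption: hidden, not listed on the slide
    ("stable", "doc"): True,
    ("dev", "src"): in_free_project,
    ("dev", "doc"): True,
}

def accessible(n):
    """f_acc: the root is visible; any other node follows A0(parent label, own label)."""
    if n.parent is None:
        return True
    rule = A0.get((n.parent.label, n.label), True)   # unlisted pairs: visible (assumption)
    return rule(n) if callable(rule) else rule

def rewrite_child(nodes, label="*"):
    """Rewrite(⇓, A) = self[f_acc] / (⇓[¬f_acc])* / ⇓ / self[f_acc]: the view's child
    step evaluated on the original tree, descending through hidden nodes until an
    accessible node (optionally of the given label) is reached."""
    out = []
    def walk(m):
        for c in m.children:
            if accessible(c):
                if label in ("*", c.label):
                    out.append(c)
            else:
                walk(c)
    for n in nodes:
        if accessible(n):
            walk(n)
    return out

def view(n):
    """A(t), materialized only for comparison: each visible node hangs under its nearest visible ancestor."""
    return N(n.label, *[view(c) for c in rewrite_child([n])])

def child(nodes, label="*"):
    """Plain ⇓::label step on whatever tree the nodes belong to."""
    return [c for n in nodes for c in n.children if label in ("*", c.label)]

def preorder_labels(n):
    return [d.label for d in descendants_or_self(n)]

def Q(root):
    """Q = ⇓::project/⇓::src, as the user poses it against the view."""
    return child(child([root], "project"), "src")

def Q_rewritten_by_hand(root):
    """Q' of the slide: ⇓::project[license/free]/⇓::*/⇓::src, evaluated on t."""
    projects = [p for p in child([root], "project") if child(child([p], "license"), "free")]
    return child(child(projects, "*"), "src")

def Q_rewritten_generically(root):
    """Rewrite(Q, A): every ⇓ of Q replaced by Rewrite(⇓, A); no view is built."""
    return rewrite_child(rewrite_child([root], "project"), "src")

def owning_project_index(n):
    """Index (0, 1, 2) of the project of t that a node of t belongs to."""
    proj = next(a for a in ancestors_or_self(n) if a.label == "project")
    return t.children.index(proj)

if __name__ == "__main__":
    print(preorder_labels(view(t)))
    print([owning_project_index(n) for n in Q_rewritten_generically(t)])
```

The generic rewriting returns exactly the nodes that the hand-written Q' of the slide returns on t, and they are the src elements of projects 0 and 2 (the free ones); the propr project's src is never reached, although the same Q evaluated naively on t would find no src at all, since src is a grandchild of project there. That is the theorem in miniature: the user sees only the view schema, the server evaluates Q' on the original document, and no view is ever stored.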
Comparing access control policies
Definition
Two annotations $A_1$ and $A_2$ over DTD D are equivalent iff they hide the same nodes:
  $A_1 \equiv_D A_2 \iff \forall t \in L(D).\ A_1(t) = A_2(t)$
Proposition
Testing equivalence of annotations is EXPTIME-complete.
Proof.
This problem is polynomially equivalent to the equivalence of XReg filters over a DTD.
Comparing access control policies
Definition
Let $A_1$ and $A_2$ be annotations over DTD D. $A_1$ is a 1-restriction of $A_2$ in the presence of D, denoted $A_1 \preceq^D_1 A_2$, iff
  $\forall t \in L(D).\ N_{A_1(t)} \subseteq N_{A_2(t)}$
Intuition: the simplest way of comparing two annotations: $A_1$ is more "restrictive" than $A_2$ if it shows no element hidden by $A_2$.
Proposition
Testing 1-restriction is EXPTIME-complete.