xml security views
play

XML Security Views Queries, Updates, and Schema Beno t Groz - PowerPoint PPT Presentation

Aug 30, 2022 •160 likes •926 views

XML Security Views Queries, Updates, and Schema Beno t Groz University of Lille, Mostrare INRIA PhD defense, October 2012 Beno t Groz (Mostrare) XML Security Views PhD defense, October 2012 1 / 45 Talk Outline Context 1

  1. XML Security Views Queries, Updates, and Schema Benoˆ ıt Groz University of Lille, Mostrare INRIA PhD defense, October 2012 Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 1 / 45

  2. Talk Outline Context 1 Motivations XML framework Problems presented Modelization 2 Alignments VPAs Determinacy and Query rewriting 3 Definition, hardness results A restriction: interval bounded-queries Our results View update 4 Deterministic schema 5 Glushkov relations and determinism Problem statement Algorithm to decide determinism Summary Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 2 / 45

  3. Outline Context 1 Motivations XML framework Problems presented Modelization 2 3 Determinacy and Query rewriting 4 View update 5 Deterministic schema Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 3 / 45

  4. Context: Protecting data March 2011: an attack retrieved huge mailing lists from Epsilon, a leading online marketing company. April 2011: Sony’s PlayStation network : 100 million customer accounts compromised including street numbers, email, and passwords. June 2011: CitiBank communicated a breach into 1% of its credit card accounts (200.000 customers). March 2012: 1.500.000 card numbers compromised as a result of unauthorized access into GlobalPayment processing system. Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 4 / 45

  5. Context: XML constellation Purpose: large-scale electronic publishing usability over the Internet compatibility with SGML facilitating automatic processing of the documents Features: document model: a document = a tree Languages to manipulate the document: Query and Transformation languages: XPath, XQuery, XQUF, XSLT Schema languages: DTD, RelaxNG, XML Schema, Schematron Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 5 / 45

  6. Our project The Source side: The View side: the hidden part what the user sees Definition of view V Access Schema View schema specification View document XML document t t ′ = V iew ( V , t ) ? Query Q 1 over Query Q real document over the view Source update u s View update u v Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 6 / 45

  7. Our project Project: Develop techniques for XML security views. Originally: techniques to reason about XML security views. ... but the problem addressed are general database problems: can find application in any system using views, and more... Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 7 / 45

  8. XML document XMLDocument Tree representation bib <bib> <book> paper <author> Abiteboul </author> book book . . . . . . <author> Vianu </author> <title> Foundations. . . </title> author author title </book> <book> Abiteboul Vianu Foundations. . . . . . </book> <paper> . . . </paper> </bib> labeled ordered unranked trees Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 8 / 45

  9. XML document XMLDocument Tree representation bib <bib> <book> paper <author> Abiteboul </author> book book . . . . . . <author> Vianu </author> <title> Foundations. . . </title> author author title </book> <book> Abiteboul Vianu Foundations. . . . . . </book> <paper> . . . </paper> </bib> labeled ordered unranked trees Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 8 / 45

  10. XML document XMLDocument Tree representation bib <bib> <book> paper <author> Abiteboul </author> book book . . . . . . <author> Vianu </author> <title> Foundations. . . </title> author author title </book> <book> Abiteboul Vianu Foundations. . . . . . </book> <paper> . . . </paper> </bib> labeled ordered unranked trees Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 8 / 45

  11. XML document XMLDocument Tree representation bib <bib> <book> paper <author> Abiteboul </author> book book . . . . . . <author> Vianu </author> <title> Foundations. . . </title> author author title </book> <book> Abiteboul Vianu Foundations. . . . . . </book> <paper> . . . </paper> </bib> labeled ordered unranked trees Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 8 / 45

  12. DTD DTD D tree t satisfying D bib bib → ( book + paper ) ∗ paper book → author ∗ , title book book . . . . . . author → # PCDATA title → # PCDATA author author title Abiteboul Vianu Foundations. . . Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 9 / 45

  13. XPath Definition Query: function t �→ Q ( t ) ⊆ Nodes ( t ) Several XPath languages: XPath 1.0, XPath 2.0, XPath 3.0 ... Researchers very often focus on the navigational core. Core XPath 1.0 ⊂ Conditional XPath ⊂ Regular XPath [Marx EDBT’04] . Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 10 / 45

  14. XPath House of Windsor king K queen king N N king king duke king duke K K queen queen king king king queen king Q Regular XPath: path expressions with transitive closure and filters N ⇓ ∗ :: duke K ( ⇓ :: king / ⇓ :: queen ) ∗ Q ( ⇓ :: king / ⇓ :: queen ) ∗ / self::[ ⇒ :: king / ⇒ :: king ] Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 11 / 45

  15. XPath House of Windsor king K queen king N N king king duke king duke K K queen queen king king king queen king Q Regular XPath: path expressions with transitive closure and filters N ⇓ ∗ :: duke K ( ⇓ :: king / ⇓ :: queen ) ∗ Q ( ⇓ :: king / ⇓ :: queen ) ∗ / self::[ ⇒ :: king / ⇒ :: king ] Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 11 / 45

  16. XPath House of Windsor king K queen king N N king king duke king duke K K queen queen king king king queen king Q Regular XPath: path expressions with transitive closure and filters N ⇓ ∗ :: duke K ( ⇓ :: king / ⇓ :: queen ) ∗ Q ( ⇓ :: king / ⇓ :: queen ) ∗ / self::[ ⇒ :: king / ⇒ :: king ] Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 11 / 45

  17. XQUF Update language based on XQuery (thereby on XPath) for $ x in ⇓ ∗ :: duke return delete node $ x , insert node <other>...</other> before $ x king king queen queen king king king king other queen king other duke queen king duke . . . . . . Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 12 / 45

  18. (Security) views Security views are simple views defined in [Fan et al.’04 and ’07]. Operations: hide or rename nodes. Example Storing successive versions of papers, hiding old versions DTD D 0 : docs → paper ∗ paper → name , version version → number , files , prev prev → version | ε Q 0 = ⇓ :: paper / (self ∪ ⇓ :: name ∪ ⇓ :: version / ⇓ :: files ) Here, security view = pair ( D 0 , Q 0 ) Nodes selected by Q 0 (plus root) are visible, others are hidden. Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 13 / 45

  19. (Security) views What happens when the parent of a visible node n is hidden? Two approaches: forbid this (upward-closed queries) = ⇒ makes things simpler or n gets adopted by its closest visible ancestor = ⇒ more expressive � � docs docs � � paper paper � � � name files name version � number files prev version files number V iew ( Q 0 , t ) A document t � D 0 Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 14 / 45

  20. (Security) views What happens when the parent of a visible node n is hidden? Two approaches: forbid this (upward-closed queries) = ⇒ makes things simpler or n gets adopted by its closest visible ancestor = ⇒ more expressive � � docs docs � � paper paper � � � name files name version � number files prev version files number V iew ( Q 0 , t ) A document t � D 0 Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 14 / 45

  21. 3 selected pieces PB 1 (Queries): Determinacy and Query rewriting PB 2 (Updates): The view update problem PB 3 (Schema): check if a schema is “correct” w.r.t. W3C specifications Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 15 / 45

  22. Outline 1 Context Modelization 2 Alignments VPAs Determinacy and Query rewriting 3 View update 4 Deterministic schema 5 Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 16 / 45

  23. Queries, Views, and Updates as Alignment languages Representing a query with alignments Q 0 = ⇓ :: paper / (self ∪ ⇓ :: name ∪ ⇓ :: version / ⇓ :: files ) ( docs , docs ) ( paper , paperle ) ( name , name ) ( version , ε ) ( number , ε ) ( files , files ) ( prev , ε ) ( version , ε ) ( files , ε ) ( number , ε ) One alignment in Q 0 Queries only select: alphabet= { ( a , β ) | a ∈ Σ , β = a or β = ε } Views select or rename: alphabet= { ( a , β ) | a ∈ Σ , β ∈ Σ ∪ { ε }} Benoˆ ıt Groz (Mostrare) XML Security Views PhD defense, October 2012 17 / 45

Recommend

Views 2 Designing the user interface Roy Scholten hi Views . Views 2 Views 2 have you heard

Views 2 Designing the user interface Roy Scholten hi Views . Views 2 Views 2 have you heard

Views 2 Designing the user interface Roy Scholten hi Views . Views 2 Views 2 have you heard of it? Views 2 have you heard of it? (views 1) Problem: How to avoid the humongous scrolling form of death? ping Huh? Inventory round 1:

952 views • 76 slides
Disclaimers My personal views and opinions may not represent the position(s) of my employers.

Disclaimers My personal views and opinions may not represent the position(s) of my employers.

How to stop worrying about Application Container Security (v2) Brian Andrzejewski Information System Security Architect Twitter: @DevSecOpsGeer LinkedIn: https://www.linkedin.com/in/bandrzej Disclaimers My personal views and opinions may

526 views • 24 slides
Locking the Throne Room How ES5+ might change views on XSS and Client Side Security A

Locking the Throne Room How ES5+ might change views on XSS and Client Side Security A

Locking the Throne Room How ES5+ might change views on XSS and Client Side Security A presentation by Mario Heiderich, 2011 Introduction Mario Heiderich Researcher and PhD student at the Ruhr-University, Bochum Security Researcher

550 views • 40 slides
HL7 2.x Security Hacking medical devices Anirudh Duggal Disclaimer: All the views/ research

HL7 2.x Security Hacking medical devices Anirudh Duggal Disclaimer: All the views/ research

HL7 2.x Security Hacking medical devices Anirudh Duggal Disclaimer: All the views/ research done and presented is of my own and does not reflect my employer. Do not try this on a live environment. This can harm someone. #whoAmI Graduate

1.23k views • 46 slides
Security Will Martin World Bank Washington DC 2 December, 2011 The views expressed in this

Security Will Martin World Bank Washington DC 2 December, 2011 The views expressed in this

Agricultural Trade Policies &amp; Food Security Will Martin World Bank Washington DC 2 December, 2011 The views expressed in this presentation are those of the author only and not necessarily those of the World Bank Road Map Why do high

687 views • 31 slides
This Lecture General Database Security Privileges Database Security Granting

This Lecture General Database Security Privileges Database Security Granting

This Lecture General Database Security Privileges Database Security Granting Revoking Views Database Systems SQL Insertion Attacks Michael Pound Further Reading The Manga Guide to Databases, Chapter 5 Database

285 views • 7 slides
Lets Play Applanting... Ajit Hatti (Co-Founder) Null Open Security Community HELLO From

Lets Play Applanting... Ajit Hatti (Co-Founder) Null Open Security Community HELLO From

Lets Play Applanting... Ajit Hatti (Co-Founder) Null Open Security Community HELLO From INDIA (Technically) Disclaimer Personal Research Personal Views Doesn't represents views of my Employer. Vulnerabilities discussed in the paper

1.1k views • 36 slides
Updatable Security Views Nate Foster Benjamin Pierce Steve Zdancewic University of Pennsylvania

Updatable Security Views Nate Foster Benjamin Pierce Steve Zdancewic University of Pennsylvania

Updatable Security Views Nate Foster Benjamin Pierce Steve Zdancewic University of Pennsylvania IBM PLDay 09 2 2 Pennsylvania yanks voter site after data leak Passport applicant finds massive privacy breach Privacy issue

728 views • 40 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Disclaimer ! The%presenta6on%itself,%and%the%views% and%opinions%expressed%by%the%presenter%

Disclaimer ! The%presenta6on%itself,%and%the%views% and%opinions%expressed%by%the%presenter%

What%remains?%What%are%(really)%new? June%13,%2013 Shin%Adachi,% CISSP,&amp;CISM,&amp;CISA,&amp;PMP Lead%Security%Analyst,%NTT%I CoChair,%Educa6on%Commi8ee,%FIRST NTT%Innova7on%Ins7tute,%Inc. %Forum%of%Incident%Response%and%Security%Teams

451 views • 12 slides
Job Quality The views expressed in this presentation are the views of the presenter and do not

Job Quality The views expressed in this presentation are the views of the presenter and do not

Job Quality The views expressed in this presentation are the views of the presenter and do not necessarily represent the views of the Federal Reserve Bank of Boston or the Federal Reserve System. Strategies for improving employment outcomes

657 views • 9 slides
CS-5630 / CS-6630 Visualization Views Alexander Lex alex@sci.utah.edu [xkcd] Multiple Views

CS-5630 / CS-6630 Visualization Views Alexander Lex alex@sci.utah.edu [xkcd] Multiple Views

CS-5630 / CS-6630 Visualization Views Alexander Lex alex@sci.utah.edu [xkcd] Multiple Views Eyes over Memory: Trade-off of display space and working memory Linked Views Multiple Views that are simultaneously visible and lined together

358 views • 35 slides
Generic Views on Data Types Problem Towards a solution Generic Views Detour into GH The

Generic Views on Data Types Problem Towards a solution Generic Views Detour into GH The

Introduction Generic Views on Data Types Problem Towards a solution Generic Views Detour into GH The influence of S. Holdermans 1 J. Jeuring 1 oh 2 A. Rodriguez 1 A. L views Formal definition Validity Implementation 1 Department of

677 views • 56 slides
Tradeoff between Performance and Security Alessandro Aldini University of Urbino Carlo Bo

Tradeoff between Performance and Security Alessandro Aldini University of Urbino Carlo Bo

Tradeoff between Performance and Security Alessandro Aldini University of Urbino Carlo Bo Italy Foundations of Security Analysis and Design (FOSAD) 3 September 2011, Bertinoro Outline Introduction 1 Motivation Different Views of

865 views • 64 slides
Counting (on) views Page views on Wikipedia Christian Aistleitner christian@quelltextlich.at

Counting (on) views Page views on Wikipedia Christian Aistleitner christian@quelltextlich.at

Counting (on) views Page views on Wikipedia Christian Aistleitner christian@quelltextlich.at Linz, Austria FOSDEM, Brussels 1 st February 2014 Daily per article counts [SGS] C. Aistleitner Counting (on) views Page views on Wikipedia

301 views • 17 slides
(Regulatory) views on Biomarker defined Subgroups Norbert Benda Disclaimer: Views expressed in

(Regulatory) views on Biomarker defined Subgroups Norbert Benda Disclaimer: Views expressed in

(Regulatory) views on Biomarker defined Subgroups Norbert Benda Disclaimer: Views expressed in this presentation are the author's personal views and not necessarily the views of BfArM Biomarker defined subgroups Using (genetic) biomarkers to

682 views • 23 slides
BY- Rahul Sahasrabuddhe 0 VIEWS EXPRESSED IN THIS PRESENTATION ARE STRICTLY MY PERSONAL

BY- Rahul Sahasrabuddhe 0 VIEWS EXPRESSED IN THIS PRESENTATION ARE STRICTLY MY PERSONAL

PRACTICAL ASPECTS OF MERGERS AND AMALGAMATIONS WIRC OF ICSI February 20, 2017 BY- Rahul Sahasrabuddhe 0 VIEWS EXPRESSED IN THIS PRESENTATION ARE STRICTLY MY PERSONAL VIEWS AND NEED NOT NECESSARILY BE VIEWS OF ANY OF MY PAST OR

463 views • 42 slides
The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members who prepared them and do not necessarily reflect the views of the PCAOB, the members of the Board, or the Boards staff. The PCAOB makes no

310 views • 27 slides
The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members who prepared them and do not necessarily reflect the views of the PCAOB, the members of the Board, or the Boards staff. The PCAOB makes no

383 views • 13 slides
The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members who prepared them and do not necessarily reflect the views of the PCAOB, the members of the Board, or the Boards staff. The PCAOB makes no

306 views • 19 slides
The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members who prepared them and do not necessarily reflect the views of the PCAOB, the members of the Board, or the Boards staff. The PCAOB makes no

280 views • 24 slides
The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members who prepared them and do not necessarily reflect the views of the PCAOB, the members of the Board, or the Boards staff. The PCAOB makes no

123 views • 11 slides
The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members who prepared them and do not necessarily reflect the views of the PCAOB, the members of the Board, or the Boards staff. The PCAOB makes no

904 views • 56 slides
The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members

The views expressed in these slides are solely the views of the Investor Advisory Group members who prepared them and do not necessarily reflect the views of the PCAOB, the members of the Board, or the Boards staff. The PCAOB makes no

512 views • 39 slides

More recommend