630 likes | 645 Views
This comprehensive study explores existing and future security mechanisms for the web's next generation, focusing on data, application, and metadata security. It examines topics like fraud detection, privacy, access control, and encryption, discussing limitations and proposing future directions. The text delves into secure XML views as an example, showcasing strategies like multi-plane DTD graphs and semantic conflict resolution for effective data protection.
E N D
Web Data and Application Security Csilla Farkas farkas@cse.sc.edu http://www.cse.sc.edu/~farkas Center of Information Assurance Engineering Department of Computer Science and Engineering University of South Carolina
Web Evolution • Past: Human usage • HTTP • Static Web pages (HTML) • Current: Human and some automated usage • Interactive Web pages • Web Services (WSDL, SOAP, SAML) • Semantic Web (RDF, OWL, RuleML, Web databases) • XML technology (data exchange, data representation) • Future: Semantic Web Services
Outline • Security on the Web • Data Security • Metadata Security • Application Security • Future Directions
ARE THE EXISTING SECURITY MECHANISMS SUFFICIENT TO PROVIDE DATA AND APPLICATION SECURITY OF THE NEXT GENERATION WEB?
Fraud Information hiding Privacy Negotiation Protocol Analysis Access control Applications Access Control Data provenance Biometrics Semantic web security Security Trust Data mining Encryption Computer epidemic Anonymity Policy making Inference Control Formal models Inference Control Information Assurance
Outline • Security on the Web • Data Security • Access Control Models for Semi-Structured Data • Syntactic XML • Secure XML Views • XML UpdatesXML association object • XML and Semantics • SMIL • Inference Control • MetadataSecurity • Application Security • Future Directions
Limitation of Research • Syntax-based • No association protection • Limited handling of updates • No data or application semantics • No inference control
Outline • Security on the Web • Data Security • Access Control Models for Semi-Structured Data • Syntactic XML • Secure XML Views • XML UpdatesXML association object • XML and Semantics • SMIL • Inference Control • MetadataSecurity • Application Security • Future Directions
Secure XML Views - Example medicalFiles <medicalFiles> UC <countyRec> S <patient> S <name>John Smith </name> UC <phone>111-2222</phone> S </patient> <physician>Jim Dale </physician> UC </countyRec> <milBaseRec> TS <patient> S <name>Harry Green</name> UC <phone>333-4444</phone> S </patient> <physician>Joe White </physician> UC <milTag>MT78</milTag> TS </milBaseRec> </medicalFiles> countyRec milBaseRec physician Jim Dale physician Joe White milTag MT78 patient patient name John Smith phone 111-2222 name Harry Green phone 333-4444 View over UC data
Secure XML Views - Example cont. medicalFiles <medicalFiles> <countyRec> <patient> <name>John Smith</name> </patient> <physician>Jim Dale</physician> </countyRec> <milBaseRec> <patient> <name>Harry Green</name> </patient> <physician>Joe White</physician> </milBaseRec> </medicalFiles> countyRec milBaseRec physician Jim Dale physician Joe White patient patient name John Smith name Harry Green View over UC data
Secure XML Views - Example cont. medicalFiles <medicalFiles> <tag01> <tag02> <name>John Smith</name> </tag02> <physician>Jim Dale</physician> </tag01> <tag03> <tag02> <name>Harry Green</name> </tag02> <physician>Joe White</physician> </tag03> </medicalFiles> countyRec milBaseRec physician Jim Dale physician Joe White patient patient name John Smith name Harry Green View over UC data
Secure XML Views - Example cont. medicalFiles <medicalFiles> UC <countyRec> S <patient> S <name>John Smith</name> UC </patient> <physician>Jim Dale</physician> UC </countyRec> <milBaseRec> TS <patient> S <name>Harry Green</name> UC </patient> <physician>Joe White</physician> UC </milBaseRec> </medicalFiles> countyRec milBaseRec physician Jim Dale physician Joe White patient patient name John Smith name Harry Green View over UC data
Secure XML Views - Example cont. medicalFiles <medicalFiles> <name>John Smith</name> <physician>Jim Dale</physician> <name>Harry Green</name> <physician>Joe White</physician> </medicalFiles> physician Jim Dale name John Smith physician Joe White name Harry Green View over UC data
Secure XML Views - Solution • Multi-Plane DTD Graph (MPG) • Minimal Semantic Conflict Graph (association preservation) • Cover story • Transformation rules
Multi-Plane DTD Graph <milBaseRec> D,medicalFiles UC <milTag> TopSecret S TS D, countyRec D, milBaseRec <countyRec> UC S TS D, physician <patient> D, patient D, milTag Secret <phone> UC S D, name D, phone <physician> <name> <medicalFiles> Unclassified MPG = DTD graph over multiple security planes
Transformation - Example <milBaseRec> MPG <milTag> TS MSCG <countyRec> <patient> name phone S <phone> physician <medicalFiles> Security Space Secret UC <physician> <name>
Transformation - Example <milBaseRec> <milTag> TS <countyRec> <patient> name S <phone> physician <emrgRec> <medicalFiles> MSCG UC <physician> <name> SP MPG
Transformation - Example <milBaseRec> <milTag> TS <countyRec> <patient> S <phone> <emrgRec> <medicalFiles> MSCG UC <physician> <name> SP MPG
Transformation - Example <milBaseRec> <milTag> TS medicalFiles <countyRec> <patient> emergencyRec S <phone> physician <emrgRec> name <medicalFiles> UC <physician> <name> SP Data Structure MPG
Outline • Security on the Web • Data Security • Access Control Models for Semi-Structured Data • Syntactic XML • Secure XML Views • XML Updates XML association object • XML and Semantics • SMIL • Inference Control • MetadataSecurity • Application Security • Future Directions
Report P Title P Data P Date P Temperature ? P Images S Water Resources S Concrete Location S Civil Area S TS Defense Sector Delete - Example
Delete Operations • Delete entire sub-tree under a deleted node • Most widely used approach • Problem: blind write • Delete only the viewable nodes • Problem: fragmentation of XML tree • Reject the delete • Problem: covert channel
Different Solution – Deleted Label Basic Idea • A unique domain “Del” for deleted nodes • Change security classification of deleted node (o, {do Del}) • Perform after delete operation • Change security clearance of users, where s = (s, {ds}) > (o, {do}) to ( (s, {ds}) , (o, {do Del}) ) • Can be preprocessed • Use BLP axioms
Report P Title P Data P Date P Temperature P Images (S,{Del}) Concrete Location (S,{Del}) Defense Sector TS Example - Top Secret View Subject clearances: (TS, {}) { (TS, {}) , (S, {Del}), (P, {Del}) } (S, {}) { (S, {}), (P, {Del}) } (P, {}) { (P, {}) }
MedicalDb SSN Patient * Name Name Patient Phone Phone Birthdate Race * Diagnosis Date Patient Physician Prescription Comments Birthdate Allergies * Race Allergen Diagnosis Date Comments Node Association - Example DTD of Patient Health Record
Object - Association level classification Node level classification + - + + + + Layered Access Control
t1 t2 t3 t4 Simple Security Object o ti :(ti) = (o)
t1 t2 t3 t4 Association Security Object o ti : (ti) < (o)
// r d a b c v1 v1 Query Pattern FOR $x in //r LET $y := $x/d, $z := $x/a RETURN <answer> {$z/c} </answer> WHERE { $z/b==$y} Query Pattern
Pattern Automata • Pattern Automata X = { S, Q, q0 , Qf , d } • S = E A { pcdata, //} • d is a transition function • Q = {q0 , … , qn} • Qf Q, (q0 Ï Qf) • Valid transitions on d are of the following form: s(qi, … ,qj) qk • If d does not contain a valid transition rule, the default new state is q0
// a b c Pattern Automata - Example • = { a, b, c, //} Q = {q0, qa, qb, qc} Qf = {qa} d= { b( ) qb , c( ) qc , a(qb,qc) qa , *(qa) qa } Association object Pattern Automata
Outline • Security on the Web • Data Security • Access Control Models for Semi-Structured Data • Syntactic XML • Secure XML Views • XML UpdatesXML association object • XML and Semantics • SMIL • Inference Control • MetadataSecurity • Application Security • Future Directions
Parallel Operator “PAR” VIDEO AUDIO AUDIO Sequential Operator “SEQ” VIDEO and AUDIO together VIDEO AUDIO VIDEO VIDEO after END of AUDIO Switch Operator “switch” VIDEO SILENCE If Condition A= TRUE, then only VIDEO AUDIO SILENCE If Condition B= TRUE, then only AUDIO SMIL
SMIL vs. XML • In both, document = tree • BUT XML has NO intended semantics, SMIL specify runtime behavior • QoS (timeliness and continuity) specified using synchronization constructs <par>, <seq>, <excl> and others. • No Security for SMIL <smil> <seq> <par> <audio src=“http://www.example.org/Audio1.rm”> <video src=“http://www.example.org/Video1.rm”> </par> <par> <audio src=“http://www.example.org/Audio2.rm”> <video src=“http://www.example.org/Video2.rm”> </par> </seq> </smil> <smil> <seq> <par> <par> Video2 Video1 Audio1 Audio2
t t+7 t+14 SEQ Audio 1 Audio 2 Audio 1 Audio 2 Video 1 Video 2 A1 A2 t t+7 t+14 SEQ Audio 1 Audio 2 Video 1 Video 2 Video 1 Video 2 V1 V2 PAR PAR t t+7 t+14 SEQ SEQ Audio 1 Audio 2 Audio 1 Audio 2 Video 1 Video 2 Video 1 Video 2 V1 V2 A1 A2 Object Identity in SMIL - I
t t+7 t+14 SEQ Audio 1 Audio 2 Audio 1 Video 1 Video 2 Video 2 A1 V2 t t+7 t+14 SEQ Audio 2 Audio 1 Audio 2 Video 1 Video 1 Video 2 A2 V1 Audio 1 PAR Audio 2 Video 1 Video 2 PAR t t+7 t+14 SEQ SEQ Audio 1 Audio 2 Video 1 Video 2 V1 A2 A1 V2 Object Identity in SMIL - II
t t+7 t+14 PAR Audio 1 Audio 2 Audio 1 Video 1 Video 2 Video 1 A1 V1 t t+7 t+14 PAR Audio 2 Audio 1 Audio 2 Video 2 Video 1 Video 2 V2 A2 Audio 1 SEQ Audio 2 Video 1 Video 2 SEQ t t+7 t+14 PAR PAR Audio 1 Audio 2 Video 1 Video 2 A2 V2 V1 A1 Object Identity in SMIL - III
SMIL Normal Form SMIL Normal Form (smilNF) is of the form <seq> <par> C_1,1(s) C_1,2 (s) C_1,3 (s) .. C_1,n (s)</par> <par> ……………………..………………<par> <par> C_ m,1(s) C_m,2(s) C_ m,3 (s)..C_m,n (s)</par> </seq> where C i,j are audio or video, image or text media intervals.
A1 A2 A3 B1 B2 B3 C1 C2 C3 D1 D2 D3 Normalization Algorithm SEQ SEQ 1 2 3 A1 A2 A3 A <PAR> <PAR> <PAR> B1 B2 B3 B <PAR> C1 C2 C3 C A1 B1 D1 C1 A3 B3 D3 C3 D1 D2 D3 D A2 B2 D2 C2 Representation 1 SEQ SEQ 1 2 3 A B <PAR> <PAR> <PAR> <PAR> C A1 C3 D B2 C2 D2 Representation 2
<SEQ> <SEQ> <SEQ> <PAR> <PAR> (r1)<PAR> <PAR> <PAR> <PAR> (Empty) V1 A2 V2 A1 (r3)V1 (r1)A2 (r2)V2 A1 V1 A2 Metadata in SMIL - RBAC Example A1 RBAC metadata decorated SMIL Normal Form SMIL Normal Form Permitted view for Role 1
Outline • Security on the Web • Data Security • Access Control Models for Semi-Structured Data • Syntactic XML • Secure XML Views • XML UpdatesXML association object • XML and Semantics • SMIL • Inference Control • MetadataSecurity • Application Security • Future Directions
The Inference Problem General Purpose Database: Non-confidential data + Metadata Undesired Inferences Semantic Web: Non-confidential data + Metadata (data and application semantics) + Computational Power + Connectivity Undesired Inferences
Air show address fort address fort Association Graph • Association similarity measure • Distance of each node from the association root • Difference of the distance of the nodes from the association root • Complexity of the sub-trees originating at nodes • Example: XML document: Association Graph: Public Public, AC
Public Public ? address fort Water source base district basin Confidential Correlated Inference Concept Generalization: weighted concepts, concept abstraction level, range of allowed abstractions Object[]. waterSource :: Object basin :: waterSource place :: Object district :: place address :: place base :: Object fort :: base
place address fort Water source district basin base Confidential Correlated Inference (cont.) Object[]. waterSource :: Object basin :: waterSource place :: Object district :: place address :: place base :: Object fort :: base Base Place base Public Public Water source Water Source
Inference Removal • Relational databases: limit access to data • Web inferences • Cannot redesign public data outside of protection domain • Cannot modify/refuse answer to already published web page • Protection Options: • Release misleading information • Remove information • Control access to metadata
Outline • Security on the Web • Data Security • Access Control Models for Semi-Structured Data • Syntactic XML • Secure XML Views • XML UpdatesXML association object • XML and Semantics • SMIL • Inference Control • Metadata Security • Application Security • Future Directions
Metadata Security • No security model exists for metadata • Can we use existing security models to protect metadata? • RDF/S is the Basic Framework for SW • RDF/S supports simple inferences • This is not true of XML: XML Access control cannot be used to protect RDF /S data
RDF/S Entailment Rules Example RDF/S Entailment Rules (http://www.w3.org/TR/rdf-mt/#rules ) • Rdfs2: • (aaa, rdfs:domain, xxx) + (uuu, aaa, yyy) (uuu, rdf:type, xxx) • Rdfs3: • (aaa, rdfs:range, xxx) + (uuu, aaa, vvv) (vvv, rdf:type, xxx) • Rdfs5: • (uuu, rdfs:subPropertyOf, vvv) + (vvv, rdfs:subPropertyOf, xxx) (uuu,rdfs:subPropertyOf, xxx) • Rdfs11: • (uuu, rdfs:subClassOf, vvv)+(vvv, rdfs:subClassOf, xxx)(uuu,rdfs:subClassOf, xxx)
Example Graph Format • RDF Triples: • (Student, rdfs:subClassOf, Person) • (University, rdfs:subClassOf, GovAgency) • (studiesAt, rdfs:domain, Student) • (studiesAt, rdfs:range,University) • (studiesAt, rdfs:subPropertyOf, memberAt) • (John, studiesAt, USC)