Explore a secure access control system for medical records using XML and RDF, ensuring data security and confidentiality. Learn about Secure XML Views and how they provide a way to share sensitive information securely. Discover concepts of Semantic Web and metadata security in computer science and engineering.
XML, RDF, Workflow Security Computer Science and Engineering
Reading

Required:
• Ernesto Damiani, Sabrina De Capitani di Vimercati, Stefano Paraboschi, and Pierangela Samarati. 2002. A fine-grained access control system for XML documents. ACM Trans. Inf. Syst. Secur. 5, 2 (May 2002), 169-202. http://dl.acm.org/citation.cfm?id=505590
• A. Stoica and C. Farkas, "Secure XML Views," Proc. 16th IFIP WG11.3 Working Conference on Database and Application Security, 133-146, 2002. http://www.cse.sc.edu/~farkas/publications/c5.pdf
• Amit Jain and Csilla Farkas. 2006. Secure resource description framework: an access control model. In Proceedings of the eleventh ACM symposium on Access control models and technologies (SACMAT '06). ACM, New York, NY, USA, 121-129. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.84.792&rep=rep1&type=pdf
Semantic Web
(Figure from T.B. Lee.)
Secure Technologies
• Security on the Web
• Data Security
  • XML
  • Inferences
• Metadata Security
  • RDF
• Application Security
Secure XML Views - Example

XML document with a security label on every element (UC = Unclassified, S = Secret, TS = TopSecret):

  <medicalFiles>                        UC
    <countyRec>                         S
      <patient>                         S
        <name>John Smith</name>         UC
        <phone>111-2222</phone>         S
      </patient>
      <physician>Jim Dale</physician>   UC
    </countyRec>
    <milBaseRec>                        TS
      <patient>                         S
        <name>Harry Green</name>        UC
        <phone>333-4444</phone>         S
      </patient>
      <physician>Joe White</physician>  UC
      <milTag>MT78</milTag>             TS
    </milBaseRec>
  </medicalFiles>

(Figure: tree drawing of the same document.) Task: build a view over UC data.
Secure XML Views - Example cont.

View over UC data that drops the S and TS leaves (phone, milTag) but keeps the names of the classified containers countyRec, patient and milBaseRec:

  <medicalFiles>
    <countyRec>
      <patient>
        <name>John Smith</name>
      </patient>
      <physician>Jim Dale</physician>
    </countyRec>
    <milBaseRec>
      <patient>
        <name>Harry Green</name>
      </patient>
      <physician>Joe White</physician>
    </milBaseRec>
  </medicalFiles>

(Figure: tree drawing of this view.)
Secure XML Views - Example cont.

View over UC data in which the classified container names are replaced by cover tags (countyRec becomes tag01, patient becomes tag02, milBaseRec becomes tag03):

  <medicalFiles>
    <tag01>
      <tag02>
        <name>John Smith</name>
      </tag02>
      <physician>Jim Dale</physician>
    </tag01>
    <tag03>
      <tag02>
        <name>Harry Green</name>
      </tag02>
      <physician>Joe White</physician>
    </tag03>
  </medicalFiles>

(Figure: tree drawing of this view.)
Secure XML Views - Example cont.

The labelled document after the S and TS leaves are removed; the containers countyRec (S), patient (S) and milBaseRec (TS) are still classified:

  <medicalFiles>                        UC
    <countyRec>                         S
      <patient>                         S
        <name>John Smith</name>         UC
      </patient>
      <physician>Jim Dale</physician>   UC
    </countyRec>
    <milBaseRec>                        TS
      <patient>                         S
        <name>Harry Green</name>        UC
      </patient>
      <physician>Joe White</physician>  UC
    </milBaseRec>
  </medicalFiles>

(Figure: tree drawing of this view.)
Secure XML Views - Example cont.

View over UC data in which the classified containers are removed and their UC children are promoted to the parent:

  <medicalFiles>
    <name>John Smith</name>
    <physician>Jim Dale</physician>
    <name>Harry Green</name>
    <physician>Joe White</physician>
  </medicalFiles>

(Figure: tree drawing of this view.)
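The three kinds of UC view shown on the preceding slides (keeping the classified container names, hiding them behind cover tags, and flattening them away) can be generated from one labelled document. The following is an added Python example written for this page; it is not code from the slides or from the Stoica and Farkas paper. It assumes the label of each element is stored in a `sec` attribute, that the lattice is UC < S < TS, and that cover tags are numbered in document order (tag01, tag02, ...) with the same classified name always mapped to the same cover tag.

```python
import xml.etree.ElementTree as ET
from itertools import count

# Security lattice used on the slides: Unclassified < Secret < TopSecret.
LEVELS = {"UC": 0, "S": 1, "TS": 2}

# Constructed input: the slides' medicalFiles document, with each element's
# label carried in a 'sec' attribute (an assumption of this example; the
# slides draw the labels beside the elements instead).
DOC = """<medicalFiles sec="UC">
  <countyRec sec="S">
    <patient sec="S">
      <name sec="UC">John Smith</name>
      <phone sec="S">111-2222</phone>
    </patient>
    <physician sec="UC">Jim Dale</physician>
  </countyRec>
  <milBaseRec sec="TS">
    <patient sec="S">
      <name sec="UC">Harry Green</name>
      <phone sec="S">333-4444</phone>
    </patient>
    <physician sec="UC">Joe White</physician>
    <milTag sec="TS">MT78</milTag>
  </milBaseRec>
</medicalFiles>"""


def _level(elem):
    """Classification of an element; unlabelled elements default to UC."""
    return LEVELS[elem.get("sec", "UC")]


def _rebuild(elem, clearance, mode, cover_names, counter):
    """Return the elements that replace `elem` in the view: a copy of it,
    nothing, or (when flattening) its surviving children."""
    if _level(elem) <= clearance:
        # Visible element: copy tag and text, recurse into the children.
        new = ET.Element(elem.tag)
        new.text = (elem.text or "").strip() or None
        for child in elem:
            new.extend(_rebuild(child, clearance, mode, cover_names, counter))
        return [new]
    if len(elem) == 0:
        return []  # classified leaf (phone, milTag): drop it entirely
    # Classified container: its own name and text must never be revealed.
    if mode == "cover":
        # Reserve the cover tag before visiting children so numbering follows
        # document order; the same real name always gets the same cover tag.
        cover = cover_names.setdefault(elem.tag, "tag%02d" % next(counter))
    kids = []
    for child in elem:
        kids.extend(_rebuild(child, clearance, mode, cover_names, counter))
    if not kids:
        return []
    if mode == "prune":        # keep the real container name (leaks structure)
        new = ET.Element(elem.tag)
    elif mode == "cover":      # cover story: hide the name, keep the shape
        new = ET.Element(cover)
    else:                      # "flatten": promote the surviving children
        return kids
    new.extend(kids)
    return [new]


def secure_view(xml_text, clearance, mode="cover"):
    """Serialize the view of `xml_text` for a reader cleared to `clearance`.
    mode is "prune", "cover" or "flatten" (see _rebuild)."""
    root = ET.fromstring(xml_text)
    out = _rebuild(root, LEVELS[clearance], mode, {}, count(1))
    return "".join(ET.tostring(e, encoding="unicode") for e in out)


if __name__ == "__main__":
    for mode in ("prune", "cover", "flatten"):
        print(mode, "->", secure_view(DOC, "UC", mode))
```

The "prune" view reproduces the second example slide and shows why it is not enough: the element names countyRec and milBaseRec are themselves classified, so a UC reader learns that a county record and a military-base record exist. The "cover" and "flatten" modes correspond to the cover-story and promotion views on the later slides.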
Secure XML Views - Solution
• Multi-Plane DTD Graph (MPG)
• Minimal Semantic Conflict Graph (association preservation)
• Cover story
• Transformation rules
Multi-Plane DTD Graph

(Figure: the DTD graph of the medicalFiles document drawn over three security planes, Unclassified, Secret and TopSecret. DTD nodes shown: D,medicalFiles; D,countyRec; D,milBaseRec; D,patient; D,name; D,phone; D,physician; D,milTag, each labelled UC, S or TS.)

MPG = DTD graph over multiple security planes
Transformation - Example

(Four figures: the MPG of medicalFiles with its nodes milBaseRec, milTag (TS), countyRec, patient, name, phone (S), physician and medicalFiles (UC); the Minimal Semantic Conflict Graph (MSCG) for patient with name and phone; the security space (SP) with planes UC, Secret and TS; and the resulting data structure. The transformation introduces a cover element <emrgRec> (emergencyRec) into medicalFiles under which name and physician are placed.)
Node Association - Example

(Figure: DTD of a Patient Health Record. Elements shown: MedicalDb, Patient*, SSN, Name, Phone, Birthdate, Race, Diagnosis*, Date, Physician, Prescription, Comments, Allergies*, Allergen.)
Layered Access Control

(Figure: node-level classification of individual nodes, combined with object (association) level classification of groups of nodes, each marked + or -.)
Simple Security Object

Object o = {t1, t2, t3, t4}: for every node ti in o, the classification of ti equals the classification of o.

Association Security Object

Object o = {t1, t2, t3, t4}: for every node ti in o, the classification of ti is strictly lower than the classification of o (the association is more sensitive than any of its parts).
Query Pattern

(Figure: pattern tree // r with children d and a; a has children b and c; d and b carry the same value v1.)

  FOR $x in //r
  LET $y := $x/d, $z := $x/a
  WHERE $z/b = $y
  RETURN <answer> {$z/c} </answer>
Pattern Automata
• Pattern Automata X = { Σ, Q, q0, Qf, δ }
• Σ = E ∪ A ∪ { pcdata, // }
• δ is a transition function
• Q = { q0, …, qn }
• Qf ⊆ Q, q0 ∉ Qf
• Valid transitions in δ are of the form σ(qi, …, qj) → qk
• If δ contains no valid transition rule, the default new state is q0
Pattern Automata - Example

(Figure: association object // a with children b and c.)
• Σ = { a, b, c, // }
• Q = { q0, qa, qb, qc }
• Qf = { qa }
• δ = { b( ) → qb, c( ) → qc, a(qb, qc) → qa, *(qa) → qa }
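The automaton above, run bottom-up over an XML tree, decides whether the association object a(b, c) occurs anywhere below the root; that is the check an association-level policy needs before releasing a query answer. The following is an added Python example for this page, not code from the slides or the Stoica and Farkas paper. It assumes element names are the only symbols (pcdata is not modelled), that the symbol `*` in a rule matches any element name (this is how `*(qa) → qa` carries a match upward through the `//` ancestors), and, as two choices of this example rather than of the slides, that child states are unordered and that children which ended in q0 are ignored when a rule is looked up.

```python
import xml.etree.ElementTree as ET


class PatternAutomaton:
    """Bottom-up tree automaton X = (Sigma, Q, q0, Qf, delta) as on the slides.
    delta maps (symbol, child states) -> state; '*' stands for any element
    name. Child states are matched as an unordered collection and children
    that ended in q0 (no match) are ignored: both are assumptions of this
    example, not part of the slides' definition."""

    def __init__(self, sigma, states, start, finals, delta):
        self.sigma, self.states = set(sigma), set(states)
        self.start, self.finals = start, set(finals)
        # Normalise rule keys so lookups do not depend on child order.
        self.delta = {(sym, tuple(sorted(kids))): q
                      for (sym, kids), q in delta.items()}

    def step(self, symbol, child_states):
        kids = tuple(sorted(q for q in child_states if q != self.start))
        for key in ((symbol, kids), ("*", kids)):
            if key in self.delta:
                return self.delta[key]
        return self.start  # no valid rule: the default new state is q0

    def run(self, elem):
        """State reached at `elem` after processing its whole subtree."""
        return self.step(elem.tag, [self.run(child) for child in elem])

    def matches(self, elem):
        return self.run(elem) in self.finals


# The slides' example: association object // a with children b and c.
ASSOC_BC = PatternAutomaton(
    sigma={"a", "b", "c", "//"},
    states={"q0", "qa", "qb", "qc"},
    start="q0",
    finals={"qa"},
    delta={("b", ()): "qb",
           ("c", ()): "qc",
           ("a", ("qb", "qc")): "qa",
           ("*", ("qa",)): "qa"},
)

# Constructed documents used to exercise the automaton.
SAMPLES = {
    "nested":   "<r><x><a><b>1</b><c>2</c></a></x></r>",  # a(b,c) below //
    "reversed": "<r><a><c>2</c><b>1</b></a></r>",         # same pair, other order
    "only_b":   "<r><a><b>1</b></a></r>",                 # incomplete association
    "split":    "<r><b>1</b><c>2</c></r>",                # b and c not under a
}


def state_of(automaton, xml_text):
    """Final state of the automaton on a document given as text."""
    return automaton.run(ET.fromstring(xml_text))


def check(automaton, docs):
    """Map each document name to whether the association pattern is present."""
    return {name: automaton.matches(ET.fromstring(x)) for name, x in docs.items()}


if __name__ == "__main__":
    for name, present in check(ASSOC_BC, SAMPLES).items():
        print(name, "->", "association present" if present else "no match")
```

Only the documents in which b and c occur together under one a reach qa; a lone b under a, or b and c as siblings of the root, fall back to q0 because no rule in δ covers that child-state combination.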
The Inference Problem
• General purpose database: non-confidential data + metadata → undesired inferences
• Semantic Web: non-confidential data + metadata (data and application semantics) + computational power + connectivity → undesired inferences
Association Graph

(Figure: an XML document about an air show with nodes "address" and "fort", and its association graph; the nodes are labelled Public and the association Public, AC.)
• Association similarity measure
  • Distance of each node from the association root
  • Difference of the distance of the nodes from the association root
  • Complexity of the sub-trees originating at nodes
Correlated Inference

(Figure: the Public nodes address and fort, the concept hierarchy Water source / basin, place / district, base, and the Confidential correlation marked "?".)

Concept generalization: weighted concepts, concept abstraction level, range of allowed abstractions

Concept hierarchy used in the example:
  Object[]
  waterSource :: Object
  basin :: waterSource
  place :: Object
  district :: place
  address :: place
  base :: Object
  fort :: base

Correlated Inference (cont.)

(Figure: the same hierarchy after generalization; the Public nodes address and fort are replaced by their more abstract concepts Place and Base, and basin by Water Source.)
Inference Removal
• Relational databases: limit access to data
• Web inferences
  • Cannot redesign public data outside of protection domain
  • Cannot modify/refuse answer to already published web page
• Protection options:
  • Release misleading information
  • Remove information
  • Control access to metadata
Metadata Security
• No security model exists for metadata
• Can we use existing security models to protect metadata?
• RDF/S is the basic framework for the Semantic Web
• RDF/S supports simple inferences
• This is not true of XML: XML access control cannot be used to protect RDF/S data
RDF/S Entailment Rules

Example RDF/S entailment rules (http://www.w3.org/TR/rdf-mt/#rules):
• rdfs2: (aaa, rdfs:domain, xxx) + (uuu, aaa, yyy) → (uuu, rdf:type, xxx)
• rdfs3: (aaa, rdfs:range, xxx) + (uuu, aaa, vvv) → (vvv, rdf:type, xxx)
• rdfs5: (uuu, rdfs:subPropertyOf, vvv) + (vvv, rdfs:subPropertyOf, xxx) → (uuu, rdfs:subPropertyOf, xxx)
• rdfs11: (uuu, rdfs:subClassOf, vvv) + (vvv, rdfs:subClassOf, xxx) → (uuu, rdfs:subClassOf, xxx)
Example Graph Format

RDF triples:
• (Student, rdfs:subClassOf, Person)
• (University, rdfs:subClassOf, GovAgency)
• (studiesAt, rdfs:domain, Student)
• (studiesAt, rdfs:range, University)
• (studiesAt, rdfs:subPropertyOf, memberAt)
• (John, studiesAt, USC)
Secure RDF

Entailed data in RDF can cause illegal inferences:
• (John, studiesAt, USC) [S] + (studiesAt, rdfs:domain, University) [S] → (USC, rdf:type, University) [S]
• (USC, rdf:type, University) [S] + (University, rdfs:subClassOf, GovAgency) [S] → (USC, rdf:type, GovAgency) [TS]

A Secret user can infer TS information.
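The illegal inference on this slide can be detected mechanically: compute the RDFS closure of the triples visible at each clearance and compare the level at which a triple first becomes derivable with the label the policy assigned to it. The following is an added Python example written for this page; it is not code from the slides or from the Jain and Farkas paper. It uses the triples of the Example Graph slide, so the step from (John, studiesAt, USC) to (USC, rdf:type, University) goes through the rdfs:range declaration (rule rdfs3), and it adds the W3C rule rdfs9 (subClassOf + rdf:type), which is the rule behind the slide's second step. The labels on the triples are this example's assumption.

```python
# Security lattice from the slides: UC < S < TS.
LEVELS = {"UC": 0, "S": 1, "TS": 2}

# Constructed labelled graph: the Example Graph triples plus the entailed
# fact the policy wants to keep TS. The labels are an assumption here.
GRAPH = {
    ("Student", "rdfs:subClassOf", "Person"):        "UC",
    ("University", "rdfs:subClassOf", "GovAgency"):  "S",
    ("studiesAt", "rdfs:domain", "Student"):         "UC",
    ("studiesAt", "rdfs:range", "University"):       "S",
    ("studiesAt", "rdfs:subPropertyOf", "memberAt"): "UC",
    ("John", "studiesAt", "USC"):                    "S",
    ("USC", "rdf:type", "GovAgency"):                "TS",
}


def rdfs_closure(triples):
    """Forward-chain rdfs2, rdfs3, rdfs5, rdfs9 and rdfs11 to a fixpoint.
    Triples are (subject, predicate, object) tuples. rdfs9 is not on the
    slide's list but is the W3C rule used by its second inference step."""
    closure = set(triples)
    while True:
        new = set()
        for (s, p, o) in closure:
            for (s2, p2, o2) in closure:
                if p == "rdfs:domain" and p2 == s:                            # rdfs2
                    new.add((s2, "rdf:type", o))
                if p == "rdfs:range" and p2 == s:                             # rdfs3
                    new.add((o2, "rdf:type", o))
                if p == p2 == "rdfs:subPropertyOf" and o == s2:               # rdfs5
                    new.add((s, "rdfs:subPropertyOf", o2))
                if p == "rdfs:subClassOf" and p2 == "rdf:type" and o2 == s:   # rdfs9
                    new.add((s2, "rdf:type", o))
                if p == p2 == "rdfs:subClassOf" and o == s2:                  # rdfs11
                    new.add((s, "rdfs:subClassOf", o2))
        if new <= closure:
            return closure
        closure |= new


def entailed_classification(labelled):
    """Lowest clearance at which each explicit or entailed triple can be
    derived from the triples visible at that clearance."""
    result = {}
    for lab in sorted(LEVELS, key=LEVELS.get):          # UC, then S, then TS
        visible = {t for t, l in labelled.items() if LEVELS[l] <= LEVELS[lab]}
        for t in rdfs_closure(visible):
            result.setdefault(t, lab)                   # keep the first (lowest) level
    return result


def illegal_inferences(labelled):
    """Triples whose assigned label is higher than the level at which RDFS
    entailment already exposes them: {triple: (assigned, derivable_at)}."""
    reach = entailed_classification(labelled)
    return {t: (lab, reach[t]) for t, lab in labelled.items()
            if LEVELS[reach[t]] < LEVELS[lab]}


if __name__ == "__main__":
    for triple, (assigned, reachable) in illegal_inferences(GRAPH).items():
        print(triple, "labelled", assigned, "but derivable at", reachable)
```

The check reports (USC, rdf:type, GovAgency) as labelled TS yet derivable by a Secret user, exactly the slide's point. The same closure is what a "classification of entailed data" rule (next slide) must take into account: either the entailed triple's label is set to the level at which it is derivable, or one of its premises is raised to TS.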
RDF Access Control
• Security policy
  • Subject
  • Object: object pattern
  • Access mode
• Default policy
• Conflict resolution
• Classification of entailed data
• Flexible granularity
Business Process
• Increased complexity
• Workflow specification
• Workflow correctness
• Workflow security
• Automated analysis
Internet Security - Farkas

Workflow Verification
• Detect conflicts and anomalies
• Lack of formal methods and tools

What to represent?
• Activity-based workflow model
• Design-time analysis
• Implementation-time verification
• Reading: propositional logic
  • Activities
  • Basic workflow constructs
  • Activity "leads" to other activity

Workflow
(Figure: activities a1, a2 and a4 connected through a "+" node.)

WS-BPEL
• Language to specify business processes that are composed of Web services as well as exposed as Web services
• WS-BPEL specifications are portable: they can be carried out by every WS-BPEL compliant execution environment

Two-Level Programming Model
• Programming in the large
  • Non-programmers implementing processes
  • Flow logic
• Programming in the small
  • Programmers implementing low-level services
  • Function logic

WS-BPEL Flow Oriented
• Request
• Invoke
• Response
• SOA and WS-BPEL

Security and Workflow
• Identity management
• Authorization: e.g., data access controls
• Process constraints
• Provenance

Issues
• Need to distinguish between functionality and security guarantees
• How to handle trust management?
• Workflows are process or data centric
  • How to map to user-centric system security policies?
• Planning and enactment are complex/rich processes
  • How to establish security assurance of a complex mechanism?
Next Class
• Cloud computing