XML access control using static analysis

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

XML access control using static analysis

Full text

Pdf (358 KB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 10th ACM conference on Computer and communications security table of contents

Washington D.C., USA

SESSION: Access control table of contents

Pages: 73 - 84

Year of Publication: 2003

ISBN:1-58113-738-9

Authors

Makoto Murata	IBM Tokyo Research Lab/IUJ Research Institute, Shimotsuruma, Yamato-shi, Kanagawa-ken, Japan
Akihiko Tozawa	IBM Tokyo Research Lab, Shimotsuruma, Yamato-shi, Kanagawa-ken, Japan
Michiharu Kudo	IBM Tokyo Research Lab, Shimotsuruma, Yamato-shi, Kanagawa-ken, Japan
Satoshi Hada	IBM Tokyo Research Lab, Shimotsuruma, Yamato-shi, Kanagawa-ken, Japan

Sponsor

ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 17, Downloads (12 Months): 102, Citation Count: 28

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/948109.948122 What is a DOI?

ABSTRACT

Access control policies for XML typically use regular path expressions such as XPath for specifying the objects for access control policies. However such access control policies are burdens to the engines for XML query languages. To relieve this burden, we introduce static analysis for XML access control. Given an access control policy, query expression, and an optional schema, static analysis determines if this query expression is guaranteed not to access elements or attributes that are permitted by the schema but hidden by the access control policy. Static analysis can be performed without evaluating any query expression against an actual database. Run-time checking is required only when static analysis is unable to determine whether to grant or deny access requests. A nice side-effect of static analysis is query optimization: access-denied expressions in queries can be evaluated to empty lists at compile time. We have built a prototype of static analysis for XQuery, and shown the effectiveness and scalability through experiments.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Elisa Bertino, Data Hiding and Security in Object-Oriented Databases, Proceedings of the Eighth International Conference on Data Engineering, p.338-347, February 03-07, 1992
	2	Elisa Bertino , Silvana Castano , Elena Ferrari , Marco Mesiti, Controlled access and dissemination of XML documents, Proceedings of the 2nd international workshop on Web information and data management, p.22-27, November 02-06, 1999, Kansas City, Missouri, United States [doi>10.1145/319759.319770]
	3	Elisa Bertino , M. Braun , Silvana Castano , Elena Ferrari , Marco Mesiti, Author-X: A Java-Based System for XML Data Protection, Proceedings of the IFIP TC11/ WG11.3 Fourteenth Annual Working Conference on Database Security: Data and Application Security, Development and Directions, p.15-26, August 21-23, 2000
	4	S. Boag, D. Chamberlin, M. F. Fernandez, D. Florescu, J. Robie, and J. Simeon. XQuery 1.0: An XML query language. W3C working draft 16 august 2002. http://www.w3.org/TR/xquery/, August 2002.
	5	T. Bray, J. Paoli, and C. M. Sperberg-McQueen. Extensible Markup Language (XML) 1.0. W3C Recommendation. http://www.w3.org/TR/REC-xml, February 1998.
	6	J. Clark and S. DeRose. XML Path Language (XPath) version 1.0. W3C Recommendation. http://www.w3.org/TR/xpath, Nov 1999.
	7	J. Clark and M. Murata (Eds). "RELAX NG Specification". OASIS Committee Specification, Dec. 2001.
	8	J. Clark (Eds). "XML Transformations (XSLT) Version 1.0". W3C Recommendation, Nov. 1999. http://www.w3.org/TR/xslt.
	9	H. Comon, M. Dauchet, R. Gilleron, F. Jacquemard, D. Lugiez, S. Tison, and M. Tommasi. Tree automata techniques and applications. Available at http://www.grappa.univ-lille3.fr/tata, 1997.
	10	Ernesto Damiani , Sabrina De Capitani di Vimercati , Stefano Paraboschi , Pierangela Samarati, Securing XML Documents, Proceedings of the 7th International Conference on Extending Database Technology: Advances in Database Technology, p.121-135, March 27-31, 2000
	11	A. Deutsch and V. Tannen. Containment of regular path expressions under integrity constraints. In KRDB, 2001.
	12	D. Draper, P. Fankhauser, M. Fernandez, A. Malhotra, K. Rose, M. Rys, J. Simeon, and P. Wadler. XQuery 1.0 and XPath 2.0 formal semantics. W3C working draft 16 august 2002, August 2002.
	13	Wenfei Fan , Leonid Libkin, On XML integrity constraints in the presence of DTDs, Journal of the ACM (JACM), v.49 n.3, p.368-406, May 2002 [doi>10.1145/567112.567117]
	14	Mary F. Fernandez , Dan Suciu, Optimizing Regular Path Expressions Using Graph Schemas, Proceedings of the Fourteenth International Conference on Data Engineering, p.14-23, February 23-27, 1998
	15	Alban Gabillon , Emmanuel Bruno, Regulating access to XML documents, Proceedings of the fifteenth annual working conference on Database and application security, p.299-314, July 15-18, 2001, Niagara, Ontario, Canada
	16	S. Godik and T. Moses (Eds). "eXtensible Access Control Markup Language (XACML) Version 1.0". OASIS Standard, Feb. 2003.
	17	J. E. Hopcroft. An n log n algorithm for minimizing states in a finite automaton. Theory of Machines and Computations, 1971.
	18	John E. Hopcroft , Jeffrey D. Ullman, Introduction To Automata Theory, Languages, And Computation, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1990
	19	H. Hosoya and M. Murata. Validation and boolean operations for attribute-element constraints. In Programming Languages Technologies for XML (PLAN-X), October 2002.
	20	Haruo Hosoya , Benjamin C. Pierce, XDuce: A Typed XML Processing Language (Preliminary Report), Selected papers from the Third International Workshop WebDB 2000 on The World Wide Web and Databases, p.226-244, May 18-19, 2000
	21	Michiharu Kudo , Satoshi Hada, XML document security based on provisional authorization, Proceedings of the 7th ACM conference on Computer and communications security, p.87-96, November 01-04, 2000, Athens, Greece [doi>10.1145/352600.352613]
	22	J. Marsh (Eds). XML Base. W3C Recommendation, June 2001. http://www.w3.org/TR/2001/REC-xmlbase-20010627/.
	23	Gerome Miklau , Dan Suciu, Containment and equivalence for an XPath fragment, Proceedings of the twenty-first ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems, June 03-05, 2002, Madison, Wisconsin [doi>10.1145/543613.543623]
	24	M. Murata, D. Lee, and M. Mani. "Taxonomy of XML Schema Languages using Formal Language Theory". In Extreme Markup Languages, Aug. 2001. http://www.idealliance.org/papers/extreme02/titles.html.
	25	Frank Neven , Thomas Schwentick, XPath Containment in the Presence of Disjunction, DTDs, and Variables, Proceedings of the 9th International Conference on Database Theory, p.315-329, January 08-10, 2003
	26	Dan Olteanu , Holger Meuss , Tim Furche , François Bry, XPath: Looking Forward, Proceedings of the Worshops XMLDM, MDDE, and YRWS on XML-Based Data Management and Multimedia Engineering-Revised Papers, p.109-127, March 24-28, 2002
	27	Yannis Papakonstantinou , Vasilis Vassalos, Query rewriting for semistructured data, ACM SIGMOD Record, v.28 n.2, p.455-466, June 1999
	28	Fausto Rabitti , Elisa Bertino , Won Kim , Darrell Woelk, A model of authorization for next-generation database systems, ACM Transactions on Database Systems (TODS), v.16 n.1, p.88-131, March 1991 [doi>10.1145/103140.103144]
	29	W3C. "XML Schema". W3C Recommendation, May 2001.
	30	Peter T. Wood, Containment for XPath Fragments under DTD Constraints, Proceedings of the 9th International Conference on Database Theory, p.300-314, January 08-10, 2003

CITED BY 28

	Elisa Bertino , Ravi Sandhu, Database Security-Concepts, Approaches, and Challenges, IEEE Transactions on Dependable and Secure Computing, v.2 n.1, p.2-19, January 2005
	Wenfei Fan , Chee-Yong Chan , Minos Garofalakis, Secure XML querying with security views, Proceedings of the 2004 ACM SIGMOD international conference on Management of data, June 13-18, 2004, Paris, France
	Mingfei Jiang , Ada Wai-Chee Fu, Integration and Efficient Lookup of Compressed XML Accessibility Maps, IEEE Transactions on Knowledge and Data Engineering, v.17 n.7, p.939-953, July 2005
	Béatrice Finance , Saïda Medjdoub , Philippe Pucheral, The case for access control on XML relationships, Proceedings of the 14th ACM international conference on Information and knowledge management, October 31-November 05, 2005, Bremen, Germany
	Bo Luo , Dongwon Lee , Wang-Chien Lee , Peng Liu, QFilter: fine-grained run-time XML access control via NFA-based query rewriting, Proceedings of the thirteenth ACM international conference on Information and knowledge management, November 08-13, 2004, Washington, D.C., USA
	Gleb Naumovich , Paolina Centonze, Static analysis of role-based access control in J2EE applications, ACM SIGSOFT Software Engineering Notes, v.29 n.5, September 2004
	Li Qin , Vijayalakshmi Atluri, Concept-level access control for the Semantic Web, Proceedings of the 2003 ACM workshop on XML security, October 31-31, 2003, Fairfax, Virginia
	Irini Fundulaki , Maarten Marx, Specifying access control policies for XML documents with XPath, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
	Gabriel Kuper , Fabio Massacci , Nataliya Rassadko, Generalized XML security views, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden
	Barbara Carminati , Elena Ferrari, AC-XML documents: improving the performance of a web access control module, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden
	Naizhen Qi , Michiharu Kudo , Jussi Myllymaki , Hamid Pirahesh, A function-based access control model for XML databases, Proceedings of the 14th ACM international conference on Information and knowledge management, October 31-November 05, 2005, Bremen, Germany
	Belén Vela , Eduardo Fernández-Medina , Esperanza Marcos , Mario Piattini, Model driven development of secure XML databases, ACM SIGMOD Record, v.35 n.3, p.22-27, September 2006
	Makoto Murata , Akihiko Tozawa , Michiharu Kudo , Satoshi Hada, XML access control using static analysis, ACM Transactions on Information and System Security (TISSEC), v.9 n.3, p.292-324, August 2006
	Paolina Centonze , Gleb Naumovich , Stephen J. Fink , Marco Pistoia, Role-Based access control consistency validation, Proceedings of the 2006 international symposium on Software testing and analysis, July 17-20, 2006, Portland, Maine, USA
	Padmapriya Ayyagari , Prasenjit Mitra , Dongwon Lee , Peng Liu , Wang-Chien Lee, Incremental adaptation of XPath access control views, Proceedings of the 2nd ACM symposium on Information, computer and communications security, March 20-22, 2007, Singapore
	Fengjun Li , Bo Luo , Peng Liu , Dongwon Lee , Chao-Hsien Chu, Automaton segmentation: a new approach to preserve privacy in xml information brokering, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
	Irini Fundulaki , Sebastian Maneth, Formalizing XML access control for update operations, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France
	M. Pistoia , S. Chandra , S. J. Fink , E. Yahav, A survey of static analysis methods for identifying security vulnerabilities in software systems, IBM Systems Journal, v.46 n.2, p.265-288, April 2007
	Marco Pistoia , Stephen J. Fink , Robert J. Flynn , Eran Yahav, When Role Models Have Flaws: Static Validation of Enterprise Security Policies, Proceedings of the 29th International Conference on Software Engineering, p.478-488, May 20-26, 2007
	L. Seitz , E. Rissanen , T. Sandholm , B. S. Firozabadi , O. Mulmo, Policy Administration Control and Delegation Using XACML and Delegent, Proceedings of the 6th IEEE/ACM International Workshop on Grid Computing, p.49-54, November 13-14, 2005
	Jae-Gil Lee , Kyu-Young Whang , Wook-Shin Han , Il-Yeol Song, The dynamic predicate: integrating access control with query processing in XML databases, The VLDB Journal — The International Journal on Very Large Data Bases, v.16 n.3, p.371-387, July 2007
	Jong P. Yoon, Presto Authorization: A Bitmap Indexing Scheme for High-Speed Access Control to XML Documents, IEEE Transactions on Knowledge and Data Engineering, v.18 n.7, p.971-987, July 2006
	Jianhua Feng , Na Ta , Guoliang Li , Yu Liu , Dapeng Lv, A framework of semantic cache for secure XML query answering: an interesting joint and novel perspective, Proceedings of the 2nd international conference on Scalable information systems, June 06-08, 2007, Suzhou, China
	Ernesto Damiani , Majirus Fansi , Alban Gabillon , Stefania Marrara, A general approach to securely querying XML, Computer Standards & Interfaces, v.30 n.6, p.379-389, August, 2008
	Mustafa M. Kocatürk , Taflan İ. Gündem, A Fine-Grained Access Control System Combining MAC and RBACK Models for XML, Informatica, v.19 n.4, p.517-534, December 2008
	Dong-Xi Liu, CSchema: a downgrading policy language for XML access control, Journal of Computer Science and Technology, v.22 n.1, p.44-53, January 2007
	Kyu II Kim , Won Gil Choi , Eun Ju Lee , Ung Mo Kim, RBAC-based access control for privacy protection in pervasive environments, Proceedings of the 3rd International Conference on Ubiquitous Information Management and Communication, January 15-16, 2009, Suwon, Korea
	Jian-Hua Feng , Guo-Liang Li , Na Ta, A semantic cache framework for secure XML queries, Journal of Computer Science and Technology, v.23 n.6, p.988-997, November 2008