1

Web Data and Application Security CSCE 813
2
Reading
  • World Wide Web Consortium, http://www.w3.org/
  • Organization for the Advancement of Structured
    Information Standards, http://www.oasis-open.org/home/index.php
  • Web Services Interoperability Organization,
    http://www.ws-i.org/
  • Workshop on Secure Web Services,
    http://sws06.univ-pau.fr/
  • Semantic Web Security, http://www.cse.sc.edu/research/isl/SSW/index.shtml

3
Web Evolution
  • Past: Human usage
      • HTTP
      • Static Web pages (HTML)
  • Current: Human and some automated usage
      • Interactive Web pages
      • Web Services (WSDL, SOAP, SAML)
      • Semantic Web (RDF, OWL, RuleML, Web databases)
      • XML technology (data exchange, data
        representation)
  • Future: Semantic Web Services

4
Semantic Web
From T.B. Lee
5
Web Services
"a software system designed to support
interoperable machine-to-machine interaction
over a network." (W3C)
From Wikipedia
6
WS Components
  • SOAP: An XML-based, extensible message envelope
    format, with "bindings" to underlying protocols
  • WSDL: An XML format that allows service
    interfaces to be described, along with the
    details of their bindings to specific protocols.
  • UDDI: A protocol for publishing and discovering
    metadata about Web services, to enable
    applications to find Web services, either at
    design time or runtime.
  • WS-Security: Defines how to use XML Encryption
    and XML Signature in SOAP to secure message
    exchanges.

7
SOAP
  • Simple Object Access Protocol: a protocol for
    exchanging XML-based messages over a computer
    network, normally using HTTP (from W3C)
  • Foundation layer of the Web services stack
  • Different types of messaging patterns
  • Remote Procedure Call (RPC): most popular
  • Service-Oriented Architecture (SOA)
  • RESTful Web Services
  • SOAP Envelope

8
UDDI
  • Universal Description, Discovery, and
    Integration: a platform-independent, XML-based
    registry for businesses worldwide to list
    themselves on the Internet (from OASIS)
  • Support
      • businesses to publish service listings
      • discover each other
      • define how the services or software applications
        interact over the Internet
  • Components
      • White Pages: address, contact, and known
        identifiers
      • Yellow Pages: industrial categorizations based
        on standard taxonomies
      • Green Pages: technical information about
        services exposed by the business

9
WS-Security
  • WS-Security (Web Services Security): a
    communications protocol providing a means for
    applying security to Web Services
  • Originally by IBM, Microsoft, and VeriSign,
    the protocol is now officially called WSS and
    developed via committee in Oasis-Open
  • Defines how integrity and confidentiality can be
    enforced on Web Services messaging
  • Use of SAML and Kerberos, and certificate formats
  • Incorporates security features in the header of a
    SOAP message, working in the application layer
    (different from TLS-based security)

10
WS Policy
  • WS-Policy: a specification that allows web
    services to use XML to advertise their policies
    (on security, Quality of Service, etc.) and for
    web service consumers to specify their policy
    requirements

11
W3C Standard Maturation
  • Working Draft (WD): published for review by "the
    community"
  • Candidate Recommendation (CR): a version of the
    standard that is more firm than the WD
  • Proposed Recommendation (PR): the version of the
    standard that has passed the prior two levels
  • W3C Recommendation (REC): most mature stage of
    development
  • Later Revisions: updated by separately-published
    Errata

12
WS Security Outline
  • Security on the Web
  • Data Security
  • Metadata Security
  • Application Security
  • Future Directions

13
Outline
  • Security on the Web
  • Data Security
  • Access Control Models for Semi-Structured Data
  • Syntactic XML
  • Secure XML Views
  • XML Updates XML association object
  • XML and Semantics
  • SMIL
  • Inference Control
  • Metadata Security
  • Application Security
  • Future Directions

14
Limitation of Research
  • Syntax-based
  • No association protection
  • Limited handling of updates
  • No data or application semantics
  • No inference control

16
Secure XML Views - Example
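[Figure: XML document medicalFiles with a security label on each node (markup lost in extraction). Labelled content in document order: UC, S, S, John Smith (UC), 111-2222 (S), Jim Dale (UC), TS, S, Harry Green (UC), 333-4444 (S), Joe White (UC), MT78 (TS).]
[Tree nodes: countyRec, milBaseRec, physician Jim Dale, physician Joe White, milTag MT78, patient, patient, name John Smith, name Harry Green, phone 111-2222, phone 333-4444]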
View over UC data
17
Secure XML Views - Example cont.
[Figure: XML document medicalFiles (markup lost in extraction) with content John Smith, Jim Dale, Harry Green, Joe White]
[Tree nodes: countyRec, milBaseRec, physician Jim Dale, physician Joe White, patient, patient, name John Smith, name Harry Green]
View over UC data
18
Secure XML Views - Example cont.
[Figure: XML document medicalFiles (markup lost in extraction) with content John Smith, Jim Dale, Harry Green, Joe White]
[Tree nodes: countyRec, milBaseRec, physician Jim Dale, physician Joe White, patient, patient, name John Smith, name Harry Green]
View over UC data
19
Secure XML Views - Example cont.
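[Figure: XML document medicalFiles with security labels (markup lost in extraction). Labelled content in document order: UC, S, S, John Smith (UC), Jim Dale (UC), TS, S, Harry Green (UC), Joe White (UC).]
[Tree nodes: countyRec, milBaseRec, physician Jim Dale, physician Joe White, patient, patient, name John Smith, name Harry Green]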
View over UC data
20
Secure XML Views - Example cont.
[Figure: XML document medicalFiles ... /medicalFiles (markup lost in extraction) with content John Smith, Jim Dale, Harry Green, Joe White]
[Tree nodes: name John Smith, physician Jim Dale, physician Joe White, name Harry Green]
View over UC data
21
Secure XML Views - Solution
  • Multi-Plane DTD Graph (MPG)
  • Minimal Semantic Conflict Graph (association
    preservation)
  • Cover story
  • Transformation rules

22
Multi-Plane DTD Graph
MPG DTD graph over multiple security planes
23
Transformation - Example
[Figure labels: MPG; levels TS, S, UC; MSCG; name, phone, physician; Security Space Secret]
24
Transformation - Example
[Figure labels: MPG; levels TS, S, UC; MSCG; name, physician; SP]
25
Transformation - Example
[Figure labels: MPG; levels TS, S, UC; MSCG; ?; SP]
26
Transformation - Example
[Figure labels: MPG; levels TS, S, UC; medicalFiles, emergencyRec, physician, name; SP; Data Structure]
28
Delete - Example
29
Delete Operations
  • Delete entire sub-tree under a deleted node
      • Most widely used approach
      • Problem: blind write
  • Delete only the viewable nodes
      • Problem: fragmentation of XML tree
  • Reject the delete
      • Problem: covert channel

30
Different Solution Deleted Label
  • Basic Idea
  • A unique domain Del for deleted nodes
  • Change security classification of deleted node
    (?o, do ? Del)
  • Perform after delete operation
  • Change security clearance of users, where ?s
    (?s, ds) (?o, do) to ( (?s,
    ds) , (?o, do ? Del) )
  • Can be preprocessed
  • Use BLP axioms

31
Example - Top Secret View
Subject clearances:
(TS, ) → (TS, ), (S, Del), (P, Del)
(S, ) → (S, ), (P, Del)
(P, ) → (P, )
32
Node Association - Example
  • DTD of Patient Health Record

33
Layered Access Control
34
Simple Security Object
o
? ti ?(ti) ?(o)
35
Association Security Object
o
? ti ?(ti)
36
Query Pattern
  • FOR x in //r
  • LET y x/d, z x/a
  • RETURN z/c
  • WHERE z/by

Query Pattern
37
Pattern Automata
  • Pattern Automata X = (Σ, Q, q0, Qf, δ)
  • Σ = E ∪ A ∪ {pcdata, //}
  • δ is a transition function
  • Q = {q0, …, qn}
  • Qf ⊆ Q, (q0 ∉ Qf)
  • Valid transitions on δ are of the following form
  • σ(qi, …, qj) → qk
  • If δ does not contain a valid transition rule,
    the default new state is q0

38
Pattern Automata - Example
  • Σ = {a, b, c, //}
  • Q = {q0, qa, qb, qc}
  • Qf = {qa}
  • δ:
  • b( ) → qb,
  • c( ) → qc,
  • a(qb, qc) → qa,
  • (qa) → qa

Association object
Pattern Automata
40
SMIL
41
SMIL vs. XML
  • In both, document tree
  • BUT
  • XML has NO intended semantics, SMIL specifies
    runtime behavior
  • QoS (timeliness and continuity) specified using
    synchronization constructs
  • , , and others.
  • No Security for SMIL

[Figure: SMIL fragment (markup lost in extraction) with media sources Audio1.rm, Video1.rm, Audio2.rm, Video2.rm; node labels Video2, Video1, Audio1, Audio2]
42
Object Identity in SMIL - I
43
Object Identity in SMIL - II
44
Object Identity in SMIL - III
45
SMIL Normal Form
  • SMIL Normal Form (smilNF) is of the form
  • C_1,1(s) C_1,2(s) C_1,3(s) … C_1,n(s)
  • …
  • C_m,1(s) C_m,2(s) C_m,3(s) … C_m,n(s)
  • where C_i,j are audio or video, image or text
    media intervals.

46
Normalization Algorithm
[Figure: two SEQ-based representations (Representation 1 and Representation 2) of media objects A, B, C, D over intervals 1, 2, 3, with segments such as A1, A2, A3, B1, B2, B3, C1, C2, C3, D1, D2, D3]
47
Metadata in SMIL - RBAC Example
A1
RBAC metadata decorated SMIL Normal Form
SMIL Normal Form
Permitted view for Role 1
49
The Inference Problem
  • General Purpose Database
      • Non-confidential data + Metadata → Undesired Inferences
  • Semantic Web
      • Non-confidential data + Metadata (data and
        application semantics) + Computational Power +
        Connectivity → Undesired Inferences

50
Association Graph
  • Association similarity measure
  • Distance of each node from the association root
  • Difference of the distance of the nodes from the
    association root
  • Complexity of the sub-trees originating at nodes
  • Example

XML document
Association Graph
Public
Public, AC
51
Correlated Inference
Concept Generalization: weighted concepts,
concept abstraction level, range of allowed
abstractions
Object. waterSource Object
basin waterSource place Object
district place address place
base Object fort base
52
Correlated Inference (cont.)
Object. waterSource Object
basin waterSource place Object
district place address place
base Object fort base
Base
Place
base
Public
Public
Water source
Water Source
53
Inference Removal
  • Relational databases: limit access to data
  • Web inferences
      • Cannot redesign public data outside of protection
        domain
      • Cannot modify/refuse answer to already published
        web page
  • Protection Options
      • Release misleading information
      • Remove information
      • Control access to metadata

55
Metadata Security
  • No security model exists for metadata
  • Can we use existing security models to protect
    metadata?
  • RDF/S is the Basic Framework for SW
  • RDF/S supports simple inferences
  • This is not true of XML: XML access control
    cannot be used to protect RDF/S data

56
RDF/S Entailment Rules
  • Example RDF/S Entailment Rules (http://www.w3.org/TR/rdf-mt/#rules)
  • rdfs2
      • (aaa, rdfs:domain, xxx), (uuu, aaa, yyy) → (uuu,
        rdf:type, xxx)
  • rdfs3
      • (aaa, rdfs:range, xxx), (uuu, aaa, vvv) → (vvv,
        rdf:type, xxx)
  • rdfs5
      • (uuu, rdfs:subPropertyOf, vvv), (vvv,
        rdfs:subPropertyOf, xxx) → (uuu, rdfs:subPropertyOf,
        xxx)
  • rdfs11
      • (uuu, rdfs:subClassOf, vvv), (vvv,
        rdfs:subClassOf, xxx) → (uuu, rdfs:subClassOf, xxx)

57
Example Graph Format
RDF Triples:
(Student, rdfs:subClassOf, Person)
(University, rdfs:subClassOf, GovAgency)
(studiesAt, rdfs:domain, Student)
(studiesAt, rdfs:range, University)
(studiesAt, rdfs:subPropertyOf, memberAt)
(John, studiesAt, USC)
58
Example Graph Format
59
Example Graph Format
60
Example Graph Format
61
Secure RDF
  • Entailed Data in RDF can cause illegal
    inferences
  • (John, studiesAt, USC) S
  • (studiesAt, rdfs:domain, University) S
  • → (USC, rdf:type, University) S
  • (USC, rdf:type, University) S
  • (University, rdfs:subClassOf, GovAgency) S
  • → (USC, rdf:type, GovAgency) TS
  • Secret User can infer TS information
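
Added example, not from the original slides: a small forward-chaining check for the leak the Secure RDF slide describes, run over the triples of the Example Graph Format slide (where studiesAt has rdfs:range University). It goes beyond the four listed rules by also applying rdfs9, the subclass-to-type rule behind the second inference step; the ordering UC < S < TS, the all-S labelling and the POLICY entry are assumptions.

```python
# Added example: label-aware RDFS forward chaining (levels and policy are assumptions).
LEVELS = {"UC": 0, "S": 1, "TS": 2}
TYPE, DOMAIN, RANGE = "rdf:type", "rdfs:domain", "rdfs:range"
SUBCLASS, SUBPROP = "rdfs:subClassOf", "rdfs:subPropertyOf"

def entail_step(triples):
    """One pass of rdfs2, rdfs3, rdfs5, rdfs9, rdfs11: yields (conclusion, premise, premise)."""
    for a in triples:
        s1, p1, o1 = a
        for b in triples:
            s2, p2, o2 = b
            if p1 == DOMAIN and p2 == s1:                       # rdfs2
                yield (s2, TYPE, o1), a, b
            if p1 == RANGE and p2 == s1:                        # rdfs3
                yield (o2, TYPE, o1), a, b
            if p1 == SUBPROP and p2 == SUBPROP and o1 == s2:    # rdfs5
                yield (s1, SUBPROP, o2), a, b
            if p1 == SUBCLASS and p2 == TYPE and o2 == s1:      # rdfs9
                yield (s2, TYPE, o1), a, b
            if p1 == SUBCLASS and p2 == SUBCLASS and o1 == s2:  # rdfs11
                yield (s1, SUBCLASS, o2), a, b

def closure(labelled):
    """Map every asserted or entailed triple to the lowest level that can obtain it."""
    known = dict(labelled)
    changed = True
    while changed:
        changed = False
        for concl, a, b in list(entail_step(list(known))):
            # A reader must be cleared for both premises to draw the conclusion.
            level = max(known[a], known[b], key=LEVELS.get)
            if concl not in known or LEVELS[level] < LEVELS[known[concl]]:
                known[concl], changed = level, True
    return known

def violations(labelled, policy):
    """Entailed triples obtainable below the classification the policy assigns them."""
    derived = closure(labelled)
    return [(t, derived[t], need) for t, need in policy.items()
            if t in derived and LEVELS[derived[t]] < LEVELS[need]]

# Triples from the "Example Graph Format" slide; labelling them all S is constructed input.
GRAPH = {t: "S" for t in [
    ("Student", SUBCLASS, "Person"), ("University", SUBCLASS, "GovAgency"),
    ("studiesAt", DOMAIN, "Student"), ("studiesAt", RANGE, "University"),
    ("studiesAt", SUBPROP, "memberAt"), ("John", "studiesAt", "USC")]}
# Hypothetical policy entry: the entailed fact is meant to be Top Secret.
POLICY = {("USC", TYPE, "GovAgency"): "TS"}

if __name__ == "__main__":
    for triple, got, need in violations(GRAPH, POLICY):
        print(f"{triple} is classified {need} but derivable at {got}")
```

Raising the label of (University, rdfs:subClassOf, GovAgency) to TS in GRAPH removes the violation, which is one way to read the "Classification of entailed data" item of the RDF Access Control slide.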

62
RDF Access Control
  • Security Policy
  • Subject
  • Object: Object pattern
  • Access Mode
  • Default policy
  • Conflict Resolution
  • Classification of entailed data
  • Flexible granularity

63
Prototype Systems
  • XML Access Control
  • Secure Views ?
  • Association-level access control ?
  • MLS/XML Delete ?
  • Ontology Guided XML Inferences ?
  • RDF Access Control ?
  • Future Work
  • Next versions
  • OWL access control
  • Application-level security

64
Secure XML Updates
[Figure: components PathSatisfaction.java, MACParser.java, MACModel.java, NodeSecurityManager.java, NativeElementIndex.java, XMLUtil.java, UserManagement.java; labels Result, FilepathAbsoute Table, UserName]
65
Secure XML Updates - Example
66
RDF Access Control Example