Graph Matching Based Authorization Model for Efficient Secure XML Querying

Transcription

1 Graph Matching Based Authorization Model for Efficient Secure XML Querying Seunghan Chang 1, Artem Chebotko 1, Shiyong Lu, and Farshad Fotouhi Department of Computer Science, Wayne State University, 5143 Cass Ave., Detroit, MI 48202, USA {chang, artem, shiyong, Abstract XML is rapidly emerging as a standard for data representation and exchange over the World Wide Web and an increasing amount of sensitive business data is processed in the XML format. Therefore, it is critical to have control mechanisms to restrict a user to access only the parts of XML documents that he/she is authorized to access. In this paper, we propose the first DTD-based access control model that employs graph matching to analyze if an input query is fully acceptable, fully rejectable, or partially acceptable, and to rewrite for partially acceptable queries only if necessary, along with the features of optimization and speed-up for query rewriting by introducing an index structure. 1. Introduction XML (extensible Markup Language) [14] is rapidly emerging as a standard for data representation and exchange over the Web. As a result, the problem of secure querying of XML documents becomes more and more important, particularly in business, in which it is critical to protect various trading and financial information and to ensure that sensitive business information can be accessed by only users who are authorized to access them. umerous access control models have been proposed for secure querying of XML documents. These models can be largely classified into two categories: XPath-based access control models and DTD-based access control models. While the former is applicable to XML documents with or without schema information, the latter is particulary appealing when the DTDs (Document Type Definition) [14] for XML documents are available since access control policies can be naturally integrated with the structure of XML documents. To understand DTD-based access control models better and motivate our research, consider the following example: 1 Contributed equally. Suppose in a university, the transcript information of all students is stored as XML documents that conform to the DTD depicted by the graph shown in Figure 1(a). Based on the DTD graph, an access control policy for a group of users can be specified by associating edges in the document DTD graph with security annotations including Y,, or an XPath qualifier [q] corresponding to accessible, inaccessible, and conditionally accessible element types, respectively. For example, one possible access control policy is specified in Figure 1(b), which imposes the following restrictions to access: (1) To access the transcript information of a student, the user has to be from the same department that the student is majored in. (2) The user cannot access a student s SS and past majored program. (3) The user cannot access the information of a student regarding the courses he/she has taken. (4) The user cannot access a student s test result information. To enforce these security constraints into XML documents, several DTD-based access control models [17, 4, 7] have been proposed, however, there has been no work on the static analysis for determining the security of an input query to support efficient secure XML querying. Among these models the most promising DTD-based model is the security view approach proposed by Fan et al. [7]. However, in this approach, the original DTD is hidden from the user, who is provided with only a view of the DTD, called DTD view. In contrast, we expose the full original DTD to all users supporting the argument that the availability of the original DTD is critical for interoperability and correctness of business applications. Moreover, while rewriting is needed for each input query in [7], we introduce a graph matching based static analysis technique to determine if an input query is fully acceptable, fully rejectable, or partially acceptable. Rewriting is necessary only for partially acceptable queries. Although similar static analysis technique has been proposed by Murata et al. [12] in the context of XPathbased access control, to our best knowledge, we are the first to propose the static analysis technique for DTD-based access control models. The main contributions of this paper are as follows. We propose:

2 Transcripts Transcripts q : [./Person/Major/Dept = $dept] Transcript? Transcript? Person History TestResult Person History TestResult ame ID SS Major Semester CumGPA Test ame ID SS Major Semester CumGPA Test Y Dept Prog Term Class GPA Tame TScore Dept Prog Term Class GPA Tame TScore Cum Credit Grade Cum Credit Grade (a) DTD graph for Transcripts.dtd (b) Security specification graph Figure 1. DTD graph, and security specification graph 1. The first DTD-based access control model that employs graph matching to analyze if an input query is fully acceptable, fully rejectable, or partially acceptable. 2. An authorization model that optimizes the rewriting procedure in the sense that a recursive query (query with descendant axis // ) will be rewritten into an equivalent recursive one if possible, resulting queries that can fully take advantage of structural join based query optimization techniques. 3. An index structure for XML element types to speed up the query rewriting procedure, a useful facility for applications with large DTDs Related Work Access control models for XML documents are summarized in Table 1. According to the specification scheme of access control policies, existing models can be classified into two categories: XPath-based access control models [1, 3, 5, 8, 9, 11, 17, 16, 6, 10, 12, 13] and DTD-based access control models [17, 4, 7]. An XPath-based access control model uses XPath expressions to specify the XML elements that a user is allowed or denied to access. One advantage of using XPath for the specification of access control policies is that XPath is a standard XML query language with well-defined syntax and semantics. In the meanwhile, a DTD-based access control model uses DTD security annotations to specify the XML element types that a user is allowed or denied to access. Another dimension of classification is the enforcement mechanism of access control policies. Using this dimension, XML access control models can be classified into two categories: document-based-enforcement models [1, 3, 5, 8, 9, 11, 17, 16, 6] and query-based-enforcement models [10, 12, 13, 4, 7]. While a document-based-enforcement model enforces access control policies by either preprocessing XML documents [1, 3, 5, 8, 9, 11, 17, 16] or postprocessing query result XML documents [6], a query-basedenforcement model rewrites a user query q to a secure query q using the information of access control policies during execution and then evaluates q over the original documents, which returns all and only those XML elements among the query result of q that the user is authorized to access. In this paper, we take a DTD-based approach in which access control policies are specified as security annotations over DTDs. Although there exist several DTD-based access control models [17, 4, 7], our work has made the following contributions. First, instead of only exposing a view DTD, we expose the full original DTD to all users supporting the argument that the availability of the original DTD is critical for interoperability and correctness of business applications [5, 1, 10, 12, 13]. Second, while in [7], rewriting is needed for each input query, we introduce a graph matching based static analysis technique to determine if an input query is fully acceptable, fully rejectable, or partially acceptable queries. Rewriting is necessary only for partially acceptable queries. Third, while in [7], each recursive query will be rewritten into an equivalent non-recursive one which can be inefficient, our rewriting procedure only does so when necessary and thus produces more efficient queries. Finally, we propose an index structure for XML element types to speed up query rewriting procedure, a facility that is potentially useful for applications with large DTDs. 2. Security Specification In this paper, a DTD D is a triple (Ele, P, root), where Ele is a finite set of element types; root is a distinguished

3 Table 1. Classification of XML access control models Specification XPath DTD XML data Query XML data Query Enforcement Preprocessing Postprocessing Preprocessing Postprocessing [1, 3, 5, 8, 9, 11, 17, 16] [6] [10, 12, 13] [17] /A [4, 7] type in Ele, called the root type; and P is a function that defines the element types, such that for any A in Ele, P (A) is a regular expression of the form: γ ::= str ɛ B 1 B 1 B 1? B 1,..., B n B 1... B n, where str denotes P CDAT A, ɛ is the empty word, B i is an element type in Ele that is referred to as a subelement type of A;, and? denote zero or many, one or many and zero or one occurrences of the subelement type under the element type, respectively;, and denote concatenation and disjunction, respectively. We refer to A γ or A P (A) as the production of A. We assume that a DTD D is non-recursive, such that P (A) contains no A directly or indirectly. A class of XPath [15] queries used in this paper is defined as follows: p ::= ɛ l p/p //p p p p[q], where ɛ, l, and denote the empty path, a label (in Ele), and a wildcard, respectively;, / and // stand for union, child-axis and descedant-or-self(or recursive)-axis, respectively; and finally, q in p[q] is called a qualifier and defined by : q ::= p p = c q q q q q, where c is a constant, p is as defined above, and, and denote disjunction, conjunction and negation. To specify an access control policy for a user role we use the notion of a security specification S which is an extension of a DTD D associating security annotations with productions of D. Here we define a security specification as follows. Definition 2.1 (Security Specification) A security specification S is a tuple (r, D, ann), where: r is a role in a system, D is a DTD of XML documents, ann is a partial mapping from an element type A in Ele and its subelement type B in P (A) to a security annotation α, which we concisely denote as A α B, and α is defined as α ::= Y [q], where [q] is a qualifier. Values Y, [q] and indicate that the B children of A elements in an instantiation of D are accessible, conditionally accessible and inaccessible, respectively. If A α B is not explicitly defined, then B inherits the accessibility of A. On the other hand, if A α B is explicitly defined it may override the accessibility of A. Example 2.2 (Security specification for Transcripts.dtd) Transcripts q Transcript : q = [./Person/Major/Dept = $dept], Transcript TestResult?, Person SS, History Major, Major Y Dept, Semester Class Additionally, we define a security specification graph G S as a DTD graph with security annotations on its edges as defined in S. When it is clear from the context, we shall use the security specification and its security specification graph interchangeably, referred to as S and G S, respectively. For instance, the security specification graph for Transcripts.dtd is shown in Figure 1(b). 3. Deriving Authorization Model To efficiently enforce an access control policy defined by a security specification, we derive authorization model from a security specification graph G S. The definition of our authorization model is as follows. Definition 3.1 (Authorization Model) An authorization model A is a tuple (G A, P t, I i, I a ), where G A is an authorization graph, P t is a predicate table, I i and I a are rewriting indexes for inaccessible and accessible nodes, respectively. Authorization graph G A is a fully annotated security specification graph, derived from security specification graph G S, such that every edge in G A is annotated with Y or, every node in G A is classified as accessible or inaccessible node and inaccessible leaf nodes are recursively pruned. Predicate table P t is a set of tuples, such that each tuple (e, p) relates an edge e in G A and its predicate p. Rewriting index I i (I a ) is a hash table that for each inaccessible (accessible) node n in G A, contains an XPath query q that retrieves all accessible information under n. The algorithm deriveauthorizationgraph that constructs authorization graph G A and predicate table P t is presented in Figure 2. First (lines 05-06), the algorithm copies security specification graph G S to authorization graph G A and creates a virtual parent r of G A s root r and edge r Y r, since the root is always considered as accessible. Second (lines 07-10), it creates predicate table P t by placing edges and their corresponding predicates in the table and replaces all predicate annotations with Y annotations in G A. Third (lines 11-38), the algorithm fully annotates

4 01 Algorithm: deriveauthorizationgraph 02 Input: security specification graph G S 03 Output: authorization graph G A, predicate table P t 04 Begin 05 G A = G S 06 Let root r of G A has a virtual parent r and r Y r 07 While p α c: p α c G A α = predicate do 08 place tuple (p c, α) in P t 09 change p α c to p Y c 10 End While 11 α While n, p i, c: n, p i, c G A p i n α = Y predicate 12 n β c β = undef do 13 Y If p 1, p 2: p 1 n p2 n p1 p 2 then 14 clone node n to a new node n 15 For each p i n do / split the incoming edges of n / 16 add p i n into G A 17 delete p i n from GA 18 End For 19 For each n α c i do / copy outgoing edges of n / 20 If α = nodef then 21 change n α c i to n Y c i 22 add n ci into G A 23 Else 24 add n α ci into G A 25 End If 26 End For 27 Else 28 Y If p i : p i n then 29 For each n α c i α = nodef do 30 change n α c i to n Y c i 31 End For 32 Else / all n s incoming edges are annotated with / 33 For each n α c i α = nodef do 34 change n α c i to n c i 35 End For 36 End If 37 End If 38 End While 39 While l, p,! l c: l, p, c G A p l do 40 / while there exists leaf l with at least one incoming edge with / 41 delete all p i n from GA 42 If n has no incoming edges then 43 delete n from G A ; 44 End If 45 End While 46 While there exists leaf l in G A that is not a leaf in G S do 47 delete l from G A 48 End While 49 Return G A, P t 50 End Algorithm Figure 2. Algorithm deriveauthorizationgraph G A, such that when node n in G A with all incoming edges annotated and at least one outgoing edge with no annotation is found, the algorithm proceeds depending on the following three cases: Case 1 (lines 13-27). If node n has incoming edges with both Y and annotations, then n is cloned to a new node n, n s incoming edges with annotations p i n are replaced with pi n, n s outgoing edges n c i with no annotations are annotated with Y n Y c i and cloned as n ci, and all the other outgoing edges n α c i are cloned as n α ci. In other words, the incoming edges are split between n and n, such that n retains edges with Y annotations and n gets edges with annotations. ote that in the following we denote nodes n and n as an accessible node and an inaccessible node with the same label n. Case 2 (lines 28-32). If all n s incoming edges are annotated with Y, then all outgoing edges with empty annotations are annotated with Y. Case 3 (lines 32-36). If all n s incoming edges are annotated with, then all outgoing edges with empty annotations are annotated with. After all edges are annotated, G A may still have leaf nodes that have incoming edges with both and Y annotations because the algorithm does not split leaf nodes (Case 1). Fourth (lines 39-48), the algorithm simplifies fully annotated G A by recursively removing incoming edges of leaf nodes with annotations and pruning leaf nodes whose all incoming edges have been removed until G A has no more inaccessible leaf nodes. After this simplification, G A only has accessible and/or inaccessible nodes, while all leaf nodes are accessible. Finally (line 49), G A and P t are returned. 01 Algorithm: createrewritingindexes 02 Input: authorization graph G A, predicate table P t 03 Output: query rewriting indexes I i and I a all nodes in G A 04 Begin 05 For each leaf l in G A do I a (l) = /l End For 06 While non-indexed node n G A and every n s child is indexed do 07 For each child c i of n do 08 If n c i P t then 09 p = [ P t (n c i ) ] 10 If p has relative path(s) then add./c i to path End If 11 Else p = End If 12 If c i is an accessible and c i I a then q i = /n p I a(c i) 13 Else c i I i then q i = /n p I i(c i) End If 14 End For 15 If n is an accessible node then I a (n) = S i (q i) 16 Else I i (n) = S i (q i) End If 17 End While 18 Return I i, I a 19 End Algorithm Figure 3. Algorithm createrewritingindexes The algorithm createrewritingindexes that creates rewriting indexes I i and I a is shown in Figure 3. First (line 05), createrewritingindexes creates the I a index entries for every leaf node. Then (lines 06-17), it creates index entries for the other nodes, processing nodes whose all children already have entries, until all nodes have the entries. This order allows reusing the previously computed index entries and thus simplifies the algorithm (e.g., we had a recursive algorithm originally) and saves computations. To create a query index entry for an accessible (inaccessible) node n, the algorithm computes the union of queries of the form /n p I i/a (c i ) for each child c i of n and assigns it to I a(i) (n), where p is a predicate for edge n c i P t if

5 Transcripts Transcript Person History ame ID Major Major Semester CumGPA Dept Prog Term GPA (a) Authorization graph Edge Predicate (Transcripts, Transcript) Transcipts/Transcript/Person/Major/Dept = $dept (1) Predicate table P t Element Rewriting Query Person /(/ame /ID /Major/(/Det Prog))) Semester /(/Term /GPA) History /(/Major/Dept /Semester/(/Term /GPA) /CumGPA) /(/Person/(/ame /ID /Major/(/Det Transcript Prog)) /History/(/Major/Dept /Semester /(/Term /GPA) /CumGPA)) /(Transcript/(/Person/(/ame /ID /Major/ Transcripts (/Det Prog))) /History/(/Major/Dept /( /Semester/Term /GPA) /CumGPA))) (2) Rewriting indexes I i and I a (b) Predicate table and rewriting indexes Figure 4. Authorization model derived from the security specification for Transcripts.dtd any. ote that a predicate n c i P t specifies an access to c i and thus, may include XPath paths relative to c i ; in this case, the algorithm changes such paths to be relative to n by adding./c i in front of each relative path. ote that an authorization model, similarly to a security specification, is only computed once for a particular security specification. Example 3.2 (Authorization model) Given the security specification graph G S in Figure 1(b), algorithm deriveauthorizationmodel computes (G A, P t, I i, I a ) as follows. The deriveauthorizationgraph algorithm assigns G S to authorization graph G A and makes the root Transcripts accessible by adding Transcripts Transcripts. The predicate./p erson/major/dept Y = $dept on the edge Transcripts Transcript is inserted into predicate table P t and the edge is annotated with Y. The algorithm selects the edge Transcript Person and annotates it with Y, since the edge Transcripts Transcript has the Y security annotation. The edge Transcript History is similarly annotated with Y. deriveauthorizationgraph splits the Major node, since it has two incoming edges with Y and annotations (Person Y Major and History Major) and its outgoing edge Major Prog has no annotation. The resulting authorization graph is shown in Figure 4(a), where all the nodes are accessible, except for the rectangle node Major. The predicate table is presented in Figure 4(b). The output of the createrewritingindexes algorithm is presented in Figure 4(b). 4. XPath Query Verification and Rewriting Given a user query and a precomputed authorization model, the final step of our security enforcement mechanism is to check and rewrite the query into a secure XPath query that can retrieve only authorized XML data. To achieve this goal, we design algorithm enforcesecurity as shown in Figure 5. Our algorithm employs the notion of XPath query graph which is derived from a DTD and contains the set of all possible paths for the user query in any valid XML document that conforms to the DTD. To construct an XPath query graph, we use the GetXP- Graph algorithm proposed in [2]. ote that predicates in an XPath query are different from predicates in an authorization model and are used as edge labels in the XPath query graph. The availability of such a graph allows us to efficiently match it with the authorization graph to determine user accessible information. 01 Algorithm: enforcesecurity 02 Input: authorization model (G A, P t, I i, I a ), DTD graph G D, XPath query q 03 Output: secure query 04 Begin 05 Let τ(q) denotes the last node test in XPath query q 06 If τ(q) and τ(q) / I a and τ(q) / I i then Return ø End If 07 G q = GetXPGraph(G D, q) /GetXPGraph is presented in [2] / 08 / ote that the predicates in q corresponds to the edge labels in G q / 09 Let L be the set of all the leaves in G q 10 If L > 1 and for each element l i L, l i / I a and l i / I i then 11 Return ø /fully rejectable/ End If 12 If for each l L, l is a leaf in both G D and G A, and 13 no edge in G q has a predicate entry in P t then Return q End If 14 G q = G q G A 15 Recursively remove each leaf l in G q and l / L 16 Let L be the set of all the leaves in G q 17 If l L and L = 1 and no edge in G q has a entry in Pt then 18 Replace τ(q) in q with I i(l), I a(l) or I i(l) I a(l) depending 19 on if l in G q matches accessible, inaccessible or both nodes in G A 20 Return q /partially acceptable with substitution from the indexes / 21 Else /rewriting/ 22 Let ρ = n 1[p 1]/n 2[p 2]/.../n k [p k ] denotes a path in G q 23 where n 1,..., n k are node labels and p 1,..., p k are edge labels 24 For each distinct path ρ i in G q do 25 For any edge n j n j1 P t, j = 1..k 1 do 26 add predicate P t (n j n j1 ) to ρ i after n j1 27 End For 28 Replace n k in ρ i with I i (l), I a (l) or I i (l) I a (l) 29 End For 30 Return S i ρ i /partially acceptable with rewriting/ 31 End If 32 End Algorithm Figure 5. Algorithm enforcesecurity The input of the enforcesecurity algorithm includes an authorization model (G A, P t, I i, I a ), a DTD graph G D and a user XPath query q. The output is a secure (rewritten)

6 query that may be empty if q only asks for XML data that is not authorized by G A. First (lines 05-06), the algorithm checks if the last node test τ(q) in q is not a and τ(q) is not in I a or I i. In other words, τ(q) should be an element name and should not appear in G A since all G A s nodes have entries in the indexes. If this is the case, q must be simply rejected and the empty ø value must be returned. Second (lines 07-08), the algorithm constructs XPath query graph G q. Third (lines 09-11), since G q may have many leaf nodes (e.g., when τ(q) is a ), the algorithm checks if none of the leaves have entries in the indexes, then the query must be rejected. Fourth (lines 12-13), if all the leaves in G q are leaves in G D and G A (and leaves of G A are always accessible), and there are no predicates in P t to be inserted in the query, q is a fully acceptable query and returned as it is without rewriting. Fifth (line 14), it constructs the intersection graph of G q and G A, such that all nodes and edges that are in both G q and G A are copied to a new graph G q preserving the predicate labels on G q s edges. Finally (lines 17-31), after the above simple checks and the construction of the intersection graph, the algorithm proceeds with the rewriting of the query since at least partial information is accessible to the user: If G q has only one leaf l and no edge in G q has a predicate entry in P t, then the algorithm accepts the query (lines 17-20). Otherwise, if G q has multiple leaves (in this case, each leaf requires a unique replacement from the indexes) or G q s edges have predicates in P t (in this case the predicates must be added to the query), the algorithm rewrite the query by enumerating all paths in G q, replacing leaves (last node tests) with the index(es) entries and adding predicates from P t to corresponding nodes. The union of the obtained queries (paths) is returned as a secure query. Example 4.1 (Fully rejectable query) Query Q1 = //T estresult is fully rejectable, because the output test node TestResult does not exist in the authorization graph (see Figure 4(a)). Example 4.2 (Partially acceptable query) Query Q2 = //P rog whose XPath query graph is acceptable. The query is rewritten with /T ranscripts/t ranscript[./p erson/major/dept = $dept]/p erson/major/p rog. History was removed from the query. 5. Conclusions ote that the path to Prog through In this paper, we proposed: (i) the first DTD-based access control model that employs graph matching to analyze if an input query is fully acceptable, fully rejectable, or partially acceptable, and to rewrite for partially acceptable queries only if necessary, (ii) an authorization model that optimizes the rewriting procedure in the sense that a recursive query (query with descendant axis // ) will be rewritten into an equivalent recursive one if possible and into a non-recursive one only if necessary, resulting queries that can fully take advantage of structural join based query optimization techniques, and (iii) an index structure for XML element types to speed up the query rewriting procedure, a facility that is potentially useful for applications with large DTDs. References [1] E. Bertino and E. Ferrari. Secure and selective dissemination of XML documents. TISSEC, 5(3): , [2] S. Bottcher and R. Steinmetz. A DTD graph based XPath query subsumption test. In XSym, [3] L. Bouganim, F. D. goc, and P. Pucheral. Client-based access control management for XML documents. In VLDB, [4] S. Cho, S. Amer-Yahia, L. V. Lakshmanan, and D. Srivastava. Optimizing the secure evaluation of twig queries. In VLDB, [5] E. Damiani, S. D. Vimercati, S. Paraboschi, and P. Samarati. A fine-grained access control system for XML documents. TISSEC, 5(2): , [6] Y. Diao, E. Altinel, M. J. Franklin, H. Zhang, and P. Fischer. Path sharing and predicate evaluation for high-performance XML filtering. TODS, 28(4): , [7] W. Fan, C.-Y. Chan, and M. Garofalakis. Secure XML querying with security views. In SIGMOD, [8] A. Gabillon and E. Bruno. Regulating access to XML documents. In DBSec, [9] M. Kudo and S. Hada. XML document security based on provisional authorization. In CCS, [10] B. Luo, D. Lee, W.-C. Lee, and P. Liu. Qfilter: fine-grained run-time XML access control via FA-based query rewriting. In CIKM, [11] G. Miklau and D. Suciu. Controlling access to published data using cryptography. In VLDB, [12] M. Murata, A. Tozawa, and M. Kudo. XML access control using static analysis. In CCS, [13]. Qi, M. Kudo, J. Myllymaki, and H. Pirahesh. A functionbased access control model for XML databases. In CIKM, [14] W3C. Extensible Markup Language (XML) 1.0 (Fourth Edition), August REC-xml/. [15] W3C. XML Path Language (XPath) 2.0, ovember [16] J. Wang and S. L. Osborn. A role-based approach to access control for XML databases. In SACMAT, [17] T. Yu, D. Srivastava, L. V. S. Lakshmanan, and H. V. Jagadish. Compressed accessibility map: efficient access control for XML. In VLDB, 2002.