Secure Resource Description Framework: an Access Control Model

Transcription

1 Secure Resource Description Framework: an Access Control Model Amit Jain Center for Information Assurance Engineering Department of Computer Science & Engineering University of South Carolina Columbia, SC ABSTRACT In this paper we propose an access control model for the Resource Description Framework (RDF). We argue that existing access control models, like the ones developed for securing extensible Markup Language (XML) documents, do not provide sufficient protection for RDF. Our model is based on RDF data semantics and incorporates RDF and RDF Schema (RDFS) entailments. RDF protection objects are represented as RDF-patterns (triples). The flexible security granularity allows to express restrictions on a single resource, property, or value, or any combination of these. RDF-patterns are mapped to RDF and RDFS statements to determine their security requirements. We develop methods to assign security classification to entailed statements and to detect unauthorized inferences. We propose a twolevel conflict resolution strategy. Simple conflict resolution addresses the problem when more than one pattern can be mapped to the same RDF statement, resulting in conflicting classification. Inference conflict resolution is used on entailed statements for their security requirements and generated inconsistencies. Keywords: RDF, RDFS, Entailment, Access Control, Conflict Resolution Csilla Farkas Center for Information Assurance Engineering Department of Computer Science & Engineering University of South Carolina Columbia, SC farkas@engr.sc.edu 1. INTRODUCTION The World Wide Web is rapidly changing from primarily human usage to machine readable and lately, machine understandable Web. The Resource Description Framework (RDF) [13] provides machine understandable description of resources, their properties and relationships, thus supporting inter-operation between applications. The RDF data model is syntax neutral. It describes data semantics using three object types: resources, properties, and values. Resources define all things being described by RDF expressions. Properties represent characteristics (attributes) of the resources. RDF statements link together specific resources with their named properties and values. RDF can be conceptualized as directed labeled graph, where each node is a resource or a literal, and edges are properties. Only object nodes can be literal. Several commercial and academic efforts target the development of RDF repositories. The Tap knowledge base project [8] is an academic project to build a semantic knowledge database in RDF. Kowari metastore [23], developed by Tucana Tech Inc., is an open source project that claims to store more than 350 million RDF triples. Semagix Inc. [20] is a commercial company building anti-money-laundering and national security applications based on semantic connectivity and association among the data entities. Semagix Inc. uses RDF metabase to store metadata and build ontologies. As these applications are becoming more-and-more widely used, the need to develop authorization framework for RDF increases. Currently XML is the most widely used syntax for representing RDF data. This leads naturally to the approach to use existing XML access control models to secure RDF. Several access control models have been developed for XML [2], [5], [14]. While these models provide fine grained authorization frameworks, the identification of the protection objects is based on XML syntax and structure only. While this approach may be sufficient for XML documents, it is not satisfactory for RDF for several reasons. First, the same RDF statements can be represented in several different syntactic ways (see Figure 1 for an example). This requires that different XML access control policies must be developed for each XML representation. Second, new RDF statements may be generated from the explicitly stored ones via RDF and RDFS entailments. Therefore, mechanisms that 1) assign security classifications to the newly generated statements and 2) check for unauthorized inferences, need to be developed. Current access control models do not address these problems. Finin et al. [17] proposed a policy based access control model for RDF data in a RDF store. The model provides control over the different action modes possible on the RDF store, like inserting a set of triples into the store, deleting a triple, and querying whether or not a triple is in the store. The authors define a set of policy rules, enforced by a policy engine to reach the authorization decisions. Kaushik et al. [12] proposes a constraint logic programming based policy language for securing full or partial ontologies. While their methods can be applied to RDF/S databases, they do not consider RDF/S entailments. To the

2 <rdf:description rdf:about=" <racl:studiesat rdf:resource=" <rdfs:type rdf:resource=" </rdf:description> <racl:student rdf:about=" <racl:studiesat rdf:resource=" </racl:student> Figure 1: Two different XML representation of the same RDF statement authors best knowledge there is no work that addresses the access control needs of RDF/S. In this paper we incorporate the works on RDF specifications, in particular RDF entailment [9], to develop an access control model that is suitable for RDF. The main technical contribution of our work is to develop methods to specify RDF security objects, address the security impact of RDF and RDFS entailment, and provide conflict resolution strategies. We distinguish between explicitly stored (extensional) RDF statements and entailed (intentional) RDF statements. We propose the concept of RDF-pattern that represents RDF triples. Intuitively, a pattern may represent any elements of the (resource, property, value) triple. Each element may be a constant (i.e., a particular value (class)) or a variable (i.e., ranges over the values (classes)). Each RDFpattern is associated with a security classification. RDF patterns are mapped to RDF statements to determine the security classifications of the statement. If more than one pattern can be mapped to the same RDF statement, the most restrictive classification is selected. We define a subsumption relation between RDF-patterns and require that subsuming patterns have to be at most as restrictive as their subsumed patterns. Our conflict resolution strategy ensures that the security labeling is always deterministic and consistent. We also address the scenario where the entailment rules may generate new statements. We propose a procedure to automatically assign classification to a new statement as the lowest-upper bound of the labels of the statements, used to generate the new statement. After this assignment, the new statement is evaluated to detect unauthorized inferences. If the security classification of the newly generated statement is strictly dominated by the security classification based on mapping an RDF-pattern to the new statement, then there is an unauthorized inference. That is, a high security statement could be exposed from lower security statements using the entailment rules. We implemented our procedures to map RDF-patterns and their security labels to RDF triples and to generate new triples via entailment, using Java for the development and Jess as the inferencing engine. Jena [4] is used as the RDF API to access the RDF Schema and Instance models. We have also implemented the conflict resolution strategies during the policy mapping and generation of Security Cover. Second level conflict resolution strategy during the mapping of policy to the entailed statements to discover unauthorized inferences and policy inconsistencies is currently being implemented. The organization of the paper is as follows. We give the proposed authorization framework and its components for RDF data in Section 2. It provides the details on the RDF entailment procedure and conflict resolution. Implementation details are given in Section 3. We finally conclude and give future work in Section RDF AUTHORIZATION MODEL RDF is used to represent meta data about data. It is conceptualized as directed, labeled graph. Intuitively, RDF Schema defines the vocabulary for the nodes and edges of the RDF instance. Figure 2 shows an example of RDF instance and its schema in RDF graph representation. Other RDF representation formats are also available e.g., RDF/XML serialization syntax recommended by W3C [1] and N3 notation [15]. In this section we propose an Access Control Model for RDF/S using the triple representation format. The main focus of this work is to define security objects. We use label-based (multilevel) access control. However, our definition of protection object is applicable to other access control models, like discretionary (DAC) or role-based access control (RBAC). Our intuition for RDF protection objects relies on its similarity to the object-oriented data model (e.g., class hierarchies) as well as to entity-relational data model (e.g., entities described by their properties and relationships to each other). Several access control models have been developed for these domains (see [21], [18], [22], [11], [19] for representative examples). Additional works address the problems of inference and aggregation control (see [6], [3], [16]). In addition many access control models have also been proposed [2], [5], [14] to protect XML data. However, as we showed in the Introduction, none of these approaches are fully applicable to protect RDF data. We develop methods to map RDF security objects to RDF instances and schema. We show how to assign security classification to existing data as well as new data items, entailed by RDF and RDFS entailment rules, and detect unauthorized inferences. Finally, we propose conflict resolution strategies and default classification. 2.1 RDF Security Object The abstract RDF syntax is a set of triples, called the RDF graph [13]. RDF triples include the set R (set of resources), PR (set of properties), U (set of URI references), B(set of blank nodes), L (set of Literals) and the RDF/S language primitives set CT R. The following holds for these sets: R = U B, PR U and P, B and L are pairwise disjoint. We start with the definition of an RDF-pattern. We use RDF pattern to represent RDF/S data, metadata and security object. Definition 2.1. [RDF Pattern] An RDF pattern is a triple represented as [r, p, v], where each component of the pattern is either A data constant such that r R, p PR, and v R L or A variable represented as a symbol starting with?

3 Person memberof Gov Agency belongsto String employeeof Faculty Student studiesat University locatedin City John studiesat USC locatedin Cola Mark employeeof Jill playssoftball Duke locatedin Durham LEGEND RDF Property Sub Class, Sub Property RDF Instance Mapping Figure 2: Example RDF Schema and Instance Data If all components of the triple are data constants, we say that it is a ground RDF-pattern. RDF and RDFS statements are ground patterns. Since each pattern may have data constants or variables, we need a method to compare them. We define the subsumption relation between RDF-patterns. For this, we need the concept of pattern mapping. Definition 2.2. [Pattern Mapping] Let t = [r, p, v] and t = [r, p, v ] be the RDF patterns. The pattern mapping ν : t t, where r,p,v and r,p, v are either variables or data constants, is defined as: ν maps a variable to another variable or to a constant ν maps a constant e in D T (data instances) to the same constant. ν maps a constant e in S T (schema element) to 1. The same schema constant e or 2. Another constants e i such that one of the following holds: [e i, rdf : type, e], [e i, rdfs : subpropertyof, e] or [e i, rdfs : subclassof, e] [ν(r), ν(p), ν(v)] = [r, p, v ] Definition 2.3. [RDF-pattern subsumption] Let t = [r, p, v] and t = [r, p, v ] be two RDF-patterns. We say that t subsumes t, denoted as t t, iff ν : t t. Subsumption is reflexive, transitive and anti-symmetric. In our authorization model each RDF pattern is associated with a security label. We propose a pattern mapping and security label assignment from the RDF patterns to the RDF and RDFS triples to identify security objects. Now, we can define our security objects. Definition 2.4. [RDF Security Object] Let S T be the RDFS schema and D T be the corresponding RDF instance, both represented as a set of (ground) triples. Let K T = S T D T. An RDF security object s is defined as a pair (t, sl), where t K T, sl SL, and SL is the set of security labels. Clearly, assigning security labels to data instances (triples in K T) is error prone and tedious. Furthermore, this approach does not addresses the security violations of RDF/S entailment.we propose the concept of security patterns to define security classification for a group of triples. We define a label assignment method to RDF/S database where security labels are associated with RDF patterns. We use pattern mapping to identify RDF/S database triples that conform to specific pattern. Such triples inherit the security label of the pattern. More specifically we define security label assignment as follows:

4 Definition 2.5. [Security Label Assignment] If there exist a pattern mapping such that ν : pt t and pt has a security label sl then create the security object (t,sl) Definition 2.6. [Security Cover] Given a set S of security objects of the form (t,sl), an S is 1. Minimal, that is no two pairs (t,sl) and (t, sl ) exist such that t=t and sl sl 2. There is no pair (t,sl) where sl is empty Definition 2.7. [RDF Security Policy] Let SP be the set of pairs (pt,sl),where pt is an RDF pattern and sl is a security label. The security policy is SP pt default such that pt default is ([?x 1,?x 2,?x 3], sl def ) and sl def is the default security label. Moreover given two pairs (t, sl) and (t, sl ), where t t. Then sl sl must hold, where is the dominance relation. Intuitively, the security policy defines the security requirements for the RDF/S statements in the database and statements entailed from the RDF/S database. In addition, the default policy also guarantees that no RDF/S statement remains unclassified. 2.2 Generating Security Cover A Security Cover S is the set of all the RDF security objects derived from the RDF security policy after applying the mapping ν, such that S = s 1, s 2,... s n. It is created by applying pattern mapping and security label assignment from policy to the triples in the RDF/S database as described in Algorithm 1. The first property of our security model is: Theorem 2.1. Algorithm 1 1. Generates a Security Cover 2. Is secure (i.e., if there is a mapping from a pattern to the triple, then the security label of the triple dominates the security label of the pattern.) and Algorithm 1: Algorithm to Compute Security Cover input : Security Policy SP={sp i,..., sp n} ([x 1, x 2, x 3], sl def ) where sp i = (pt i, sl i), RDF database D T S T ={t i,... t k }, sl max (security label dominating all labels i.e., sl max sl for all labels, sl SL) output: Security Cover S = s 1, s 2,... s n where s i = (t i, sl i), i = 1,... k 1 for i = 1 to n do 2 Read pattern pt i from sp i 3 For all t j in RDF database 4 Find Pattern mapping ν : pt i t j 5 if ν(pt i) does not exist then 6 i = i else Generate s i = (t j, sl i) if (t j, sl j) S then if sl j = sl def then Remove (t j, sl j) from S S = S s i else if sl i > sl j then Remove (t j, sl j) from S S = S s i else S = S s i 18 for i = 1 to k do 19 if (t i, sl i) S and sl i = sl def then 20 Replace sl i with sl max 3. Is least restrictive (i.e., if a triple has a label which was not generated by the default pattern, then there must exist a pattern mapping from a pattern to the triple such that the security label of the pattern dominates the security label of the triple.) PROOF SKETCH: Trivially follows from Algorithm 1. Note that given a security policy and an RDF database, multiple classification of a RDF/S statement is possible. The security object labeling restrictions on the given policy ensure that more specific object specifications will have more restrictive classifications.

5 Example: For example, the RDF-pattern [Student, studentof, University] may be classified at Public level, while the pattern corresponding to a specific student [John, studentof, USC] may be classified as Secret. The first pattern would be mapped to ([Student, studentof, University],Public) and ([John,studentOf,USC],Secret) while the second pattern would be mapped to just ([John, studentof, USC],Secret). There would not be any mapping from the second pattern to ([Student, studentof, University],Public). Finally, the default labeling ensures that there is no RDF statement remaining without security label. In this paper we adopted the most restrictive approach, that is, statements without security labels are classified at the highest level. Entailed statements are classified based on the security classification of the statements used for the entailment. Our model allows patterns of the forms defined in Table 1, where any of the [r,p,v] can be a variable or a data constant as defined above. 2.3 RDF Entailment In this paper we address entailment rules defined in the RDF Semantics [9]. Table 2 summarizes the entailment rules represented as Horn-clause constraints, and our proposal to assign security classifications to the newly generated RDF/S statements. The symbol sl represents the security label of the generated statement (head of the rule), symbols sl 1 and sl 2 represent the security labels of the statements in the body of the rule and LUB means the Lowest-Upper Bound. Definition 2.8. [Entailment Rules] An RDF/RDFS entailment rule is expressed as Horn-clause constraint of the form x 1,..., x m(b 1... b n) q where n 1 and x 1,..., x m are the free variables in b 1... b n. Each b i is an RDF triple of the form [r,p,v], where r, p, and v are either variables, constants, or RDF/S axioms, e.g., rdf:type, rdfs:subclassof. Left side of the rule (b 1... b n) is called rule body and the right side (q) is called rule head. We require that the rules are range restricted so that all the variables occurring in the head must also occur in the body. Definition 2.9. [Entailment] Let x 1,..., x m(b 1... b n) q be an RDF entailment rule R, where each b i and q are of the form [r, p, v] for all i = 1,..., n. Let K T define the RDF/S database. We say that R entails the RDF/S triple t = [r, p, v],if 1. there exists a pattern mapping γ that preserves all constants (i.e., γ(c) = c) and equalities (i.e., if γ([x 1, y 1, z 1]) = [r 1, p 1, v 1] and γ([x 1, y 2, z 2]) = [r 2, p 2, v 2] then r 2 = r 1 2. γ(b i) K T, (i = 1,... n), and 3. γ(q) = [r, p, v] Algorithm 2: Algorithm to Compute RDF/S database closure using RDF/S Entailment input : Security Policy SP, Entailment Rule Set R = R i... R n, R i = b 1... b n, Security Cover S = s i... s n, s i = (t i, sl i) output: RDF/S Extended Security Cover S E where E is the set of inferred triples and their security labels, Set of triples with security violations I 1 while No more changes occur do 2 foreach R i R do 3 Apply R i on S as follows; /* Entailed triples generation */ 4 if there is a mapping γ from b 1,..., b n to t 1,..., t n such that γ(b 1) = t 1,..., γ(b n) = t n then 5 generate t = γ(q); 6 let sl 1,..., sl n be the security labels of t 1,..., t n, generate sl as LUB[sl 1,..., sl n]; 7 generate (t,sl); /* verify conflicting security labeling */ 8 if there is a pair (t,sl ) in S then 9 if sl > sl then 10 Inference security violation; /* a higher security object could be entailed from objects with lower security classification */ 11 Generate Warning and I = I (t, sl ); else S = S (t, sl); /* Policy Verification */ if there is a ν from a pt to t such that ν : pt i t then create pair (t, sl i) where sl i is the security label of pt i; if sl i > sl then Security Violation ; Algorithm 2 shows the security label assignment for newly generated statements via the entailment rules. The second property of our security model follows:

6 Table 1: RDF Patterns Security Pattern Interpretation Example [r, p, v] All elements of the triple are specified as constants [John,studentOf,USC] [r,?x, v] Subject and object are specified as constants [John,?x,USC] and property a variable. [r, p,?x] Subject and property are specified as constants [John, studentof,?x] and object is variable [?x, p, v] Property and object are specified as constants [?x,studentof,usc] and subject is variable [r,?x,?y] Subject is specified as constant and property [John,?x,?y] & objects as variable [?x, p,?y] Property is specified as constant and subject [?x,studentof,?y] & object as variable [?x,?y, v] Object is specified as constant and subject & [?x,?y, USC] property are variables [?x,?y,?z] All elements are variables Theorem 2.2. Alg 2 1. generates a cover of all entailed RDF/S triples 2. generates only entailed RDF/S triples 3. is secure (i.e., the security label of a newly generated triple dominates the security label of triples used in entailment) 4. is least restrictive (i.e., if the security label of a newly generated triple is l and the security labels of triples used in the entailment are l i, l j then there is no security label l such that l l i, l l q and l < l 5. is conflict free PROOF SKETCH: 1-2 Algorithm 2 uses process similar to the Chase process as described in [3] to apply entailment rules, represented as Horn clause constraints. 1-2 follows from the properties of pattern mapping and the Horn clause constraints. 3 The entailed triple is correctly assigned a security label as the least upper bound of the security labels of all the used triples and hence dominates all of them. 4 Since the entailed triples has the least upper bound of the used triples, this is the lowest security label possible without any security violation. 5 If generated pair is (t, sl), then this algorithm checks for existence of a pair (t, sl ) in the security cover such that sl > sl. This points to a security violation and a warning is generated, making the algorithm, conflict free. The policy verification which leaves no triple in the cover with a default security label also adds to the conflict free property of the algorithm. 2.4 Conflict Resolution We distinguish between two levels of conflict resolution. Simple conflict resolution addresses the problem that there might be several RDF-patterns that can be mapped to a particular RDF/S statement. This could result in different security labels for the same RDF statement. Clearly, this is undesired. In this case, we choose the most restrictive classification or the lowest upper bound of the security labels that can be assigned to the statement. We also require that subsuming patterns have less restrictive security classifications than the more specific, subsumed patterns. The rational behind this policy is that general patterns can define access restrictions on a set of statements, while exceptions can be represented by the more specific patterns. Based on the more restrictive take precedence resolution, the exception will be correctly classified at the higher level. Algorithm 1 addresses these issues. The second level conflict resolution, called Inference conflict resolution, addresses potential inconsistencies that occur due to newly entailed RDF/S statements. Table 2 shows the automatically assigned security classifications to the entailed statements. However, it may occur that a security pattern from the policy may also be mapped to the newly generated statement. The following options can be evaluated: 1. The automatically generated security label is the same as the security label of the mapped RDF-pattern. This does not represent any security problem and the labeling is consistent. 2. The automatically generated security label dominates the security label of the mapped RDF-pattern. This does not represent any security problem, i.e., the statement can be entailed from statements that are classified higher than the new statement requires. The security label of the new statement should be changed to the label required by the security pattern mapping, i.e., the less restricting label. 3. The automatically generated security label is domi-

7 SN Rules Security Label rdf1 x, y, z(x, y, z) (y, rdf : type, rdf : Property) sl = sl 1 rdf2 x, y, z(x, y, z) ( : a, rdf : type, rdf : XMLLiteral) sl = sl 1 where z is a typed XML Literal rdfs1 x, y, z(x, y, z) ( : m, rdf : type, rdfs : Literal) where z is a plain sl = sl 1 literal and :m is a blank node allocated to z rdfs2 x, y, z, z1(x, y, z) (y, rdfs : domain, z1) (x, rdf : type, z1) sl = rdfs3 x, y, z, z1(x, y, z) (y, rdfs : range, z1) (z, rdf : type, z1) sl = rdfs4a x, y, z(x, y, z) (x, rdf : type, rdfs : Resource) sl = sl 1 rdfs4b x, y, z(x, y, z) (z, rdf : type, rdfs : Resource) sl = sl 1 rdfs5 x, y, z(x, rdfs : subpropertyof, y) (y, rdfs : subpropertyof, z) sl = (x, rdfs : subpropertyof, z) rdfs6 x(x, rdf : type, rdf : Property) (x, rdfs : subpropertyof, x) sl = sl 1 rdfs7 x, y, z, z1(x, y, z) (y, rdfs : subpropertyof, z1) (x, z1, z) sl = rdfs8 x(x, rdf : type, rdfs : Class) (x, rdfs : subclassof, rdfs : sl = sl 1 Resource) rdfs9 x, y, z(x, rdf : type, y) (y, rdfs : subclassof, z) (x, rdf : type, z) sl = rdfs10 x(x, rdf : type, rdfs : Class) (x, rdfs : subclassof, x) sl = sl 1 rdfs11 x, y, z(x, rdfs : subclassof, y) (y, rdfs : subclassof, z) sl = (x, rdfs : subclassof, z) rdfs12 x(x, rdf : type, rdfs : ContainerMembershipP roperty) (x, rdfs : sl = sl 1 subp ropertyof, rdfs : member) rdfs13 x(x, rdf : type, rdfs : Datatype) (x, rdfs : subclassof, rdfs : Literal) sl = sl 1 Table 2: Inference Rules from W3C recommendation and security label assignment nated by the security label of the mapped RDF-pattern. This is a security violation via unauthorized inference. That is an RDF statement can be inferred from statements that has lower security classifications than the inferred statement requires. In this case inference channel removal is required and security policy needs to be fixed. 3. IMPLEMENTATION We have developed a prototype for RACL. The UML diagram, shown in Figure 3, shows the high level architecture of our implementation and Figure 4 shows a screenshot of our RACL module. It depicts the three stages of the system namely Policy to RDF DB Mapping, RDF Inferencing and Consistency Checking & Conflict Resolution. We have used Java J2SE as the development platform. Java SWING is used to create the user interface. Jena 2.1 [4] developed by HP is being used as the RDF API to provide programming environment with Java. Jena provides the ability to access and modify RDF and RDFS models. JESS [7] is being used as the rule engine to implement the RDF/S inferencing. After pattern mapping is done, JESS engine saves the security labeled triples(security objects) as JESS facts. RDF/S entailment rules written as JESS rules are fired by the inferencing engine to do the inferencing. Several JESS functions are written to do the security label generation for the entailed statements using the security labels of the used statements. The entailed triples are saved as JESS facts. We have successfully implemented the first and second stages of the prototype. We re currently working on implementing the third stage. We are working on finding the policy conflicts by mapping the security policy to the entailed database and integrating these modules. We are also working on experimenting with large RDF data sets stored in RDF native databases like Kowari [23]. 4. CONCLUSION AND FUTURE WORK This paper presents our initial attempt to secure RDF data. Our motivation was that existing access control models for XML do not provide adequate security. In particular, they do not address data semantics and RDF entailment. We propose an approach to secure RDF using RDF-patterns. Each pattern is associated with an RDF instance (D T) and schema (S T), and a security classification. RDF-patterns are mapped to the statements in D T and S T to determine security classifications for the statements. Entailed statements are classified based on the security classifications of the statements used in the entailment as well as by mapping RDF-patterns to the newly generated statements. We also provide default classification of RDF statements not covered by the security objects. We propose a two-level conflict resolution strategy. Simple conflict resolution addresses inconsistencies that may occur due to the mapping of more than one pattern to the same RDF statement. Inference conflict resolution detects unauthorized inferences, where a higher security statement can be inferred from lower security statements. We are currently implementing our system, using open source software tools. Future work includes formalizing our conflict resolution strate-

8 Policy to RDF DB Mapping RDF Inferencing Consistency Checking & Conflict Resolution Create Policy P Instance I Rules R Map G to P & Assign Sec Labels Policy P Mapping P, I, S to RDF DB Schema S RDF Inferencing RDF TripleBase Closure G with labels C Inconsistency & Conflict Checking (YES) IF C=C Policy is Safe (NO) Do Conflict Resolution Level:1 Do Conflict Resolution Level:2 & Fix the policy RDF Triple Base K0 with labels C Figure 3: UML diagram showing system architecture for RDF access control gies, and properties of our access control model. In particular, we will address the completeness and consistency properties and compare our model to the flexible authorization framework proposed by Jajodia et al. [10]. We will also complete and evaluate our implementation from the perspectives of security and performance. 5. REFERENCES [1] D. Beckett. W3C recommendation, RDF/XML syntax specification. February [2] E. Bertino, S. Castano, E. Ferrari, and M. Mesiti. Specifying and enforcing access control policies for XML document sources. World Wide Web, 3(3): , May [3] A. Brodsky, C. Farkas, and S. Jajodia. Secure databases: Constraints, inference channels, and monitoring disclosure. IEEE Trans. Knowledge and Data Eng., November, [4] J. Caroll. Jena a semantic web framework for java. [5] E. Damiani, S. D. C. di Vimercati, S. Paraboschi, and P. Samarati. A fine-grained access control system for XML documents. ACM Transactions on Information and System Security TISSEC, 5(2): , [6] S. Dawson, S. C. di Vimercati, and P. Samarati. Specification and enforcement of classification and inference constraints. In Proc. of the 20th IEEE Symposium on Security and Privacy, Oakland, CA, May [7] E. Friedman-Hill. Jess, the rule engine for the javatm platform. [8] R. Guha, R. McCool, A. Sundarajan, and K. Joly. TAP: Building the semantic web. [9] P. Hayes and B. McBride. W3C recommendation, RDF semantics. February [10] S. Jajodia, P. Samarati, M. L. Sapino, and V. Subrahmanian. Flexible support for multiple access control policies. ACM Transactions on Database Systems, 26(4): , [11] S. Jajodia, P. Samarati, V. S. Subrahmanian, and E. Bertino. A unified framework for enforcing multiple access control policies. In Proceedings of the 1997 ACM SIGMOD international conference on Management of data, pages ACM Press, [12] S. Kaushik, D. Wijesekera, and P. Ammann. Policy-based dissination of partial web-ontologies. In SWS 05: Proceedings of the 2005 workshop on Secure

9 Figure 4: Screenshot of RACL Implementation web services, pages 43 52, New York, NY, USA, ACM Press. [13] G. Klyne and J. Carroll. W3C recommendation, RDF concepts and abstract syntax. February [14] M. Kudo and S. Hada. XML document security based on provisional authorization. In Proceedings of the 7th ACM Conference on Computer and Communications Security, Athens, Greece, pages 87 96, November [15] T.-B. Lee. Primer: Getting into RDF & Semantic Web using N3. October [16] D. Marks, A. Motro, and S. Jajodia. Enhancing the controlled disclosure of sensitive information. In Proc. European Symp. on Research in Computer Security, Springer-Verlag Lecture Notes in Computer Science, Vol. 1146, pages , systems. IEEE Trans. Knowl. Data Eng., 9(4): , [19] R. Sandhu, E. J. Coyne, H. Feinstein, and C. Youman. Role-based access control models. IEEE Computer, 29(2):38 47, February [20] A. Sheth. Semagix inc. [21] P. Stachour and B. Thuraisingham. Design of LDV: A multilevel secure relational database management system. IEEE Trans. Knowledge and Data Eng., 2(2): , June [22] M. B. Thuraisingham. Mandatory security in object-oriented database systems. In OOPSLA 89: Conference proceedings on Object-oriented programming systems, languages and applications, pages ACM Press, [23] D. Wood. Kowari-metastore. [17] P. Reddivari, T. Finin, and A. Joshi. Policy based Access Control for a RDF Store. In Proceedings of the Policy Management for the Web Workshop, A WWW 2005 Workshop, pages W3C, May [18] P. Samarati, E. Bertino, A. Ciampichetti, and S. Jajodia. Information flow control in object-oriented