1
Web Data and Application Security
Kodali, Farkas and Wijesekera
Reading
• World Wide Web Consortium, http://www.w3.org/
• Organization for the Advancement of Structured Information Standards, http://www.oasis-open.org/home/index.php
• Web Services Interoperability Organization, http://www.ws-i.org/
• Workshop on Secure Web Services, http://sws06.univ-pau.fr/
• Semantic Web Security, http://www.cse.sc.edu/research/isl/SSW/index.shtml
2
Web Evolution
• Past: Human usage
  – HTTP
  – Static Web pages (HTML)
• Current: Human and some automated usage
  – Interactive Web pages
  – Web Services (WSDL, SOAP, SAML)
  – Semantic Web (RDF, OWL, RuleML, Web databases)
  – XML technology (data exchange, data representation)
• Future: Semantic Web Services
3
Semantic Web
4
From: T.B. Lee
Web Services
5
From: Wikipedia
“…a software system designed to support interoperable machine-to-machine interaction over a network.” W3C
WS Components
• SOAP: An XML-based, extensible message envelope format, with "bindings" to underlying protocols
• WSDL: An XML format that allows service interfaces to be described, along with the details of their bindings to specific protocols.
• UDDI: A protocol for publishing and discovering metadata about Web services, to enable applications to find Web services, either at design time or runtime.
• WS-Security: Defines how to use XML Encryption and XML Signature in SOAP to secure message exchanges.
6
SOAP
• Simple Object Access Protocol: a protocol for exchanging XML-based messages over a computer network, normally using HTTP (from W3C)
• Foundation layer of the Web services stack
• Different types of messaging patterns:
  – Remote Procedure Call (RPC) – most popular
  – Service-Oriented Architecture (SOA)
  – RESTful Web Services
• SOAP Envelope
7
UDDI
• Universal Description, Discovery, and Integration: a platform-independent, XML-based registry for businesses worldwide to list themselves on the Internet (from OASIS)
• Support:
  – businesses to publish service listings
  – discover each other
  – define how the services or software applications interact over the Internet
• Components:
  – White Pages — address, contact, and known identifiers
  – Yellow Pages — industrial categorizations based on standard taxonomies
  – Green Pages — technical information about services exposed by the business
8
WS-Security
• WS-Security (Web Services Security): a communications protocol providing a means for applying security to Web Services
• From: originally by IBM, Microsoft, and VeriSign, the protocol is now officially called WSS and developed via committee in Oasis-Open
• Defines how integrity and confidentiality can be enforced on Web Services messaging
• Use of SAML and Kerberos, and certificate formats
• Incorporates security features in the header of a SOAP message, working in the application layer (different from TLS-based security)
9
WS Policy
• WS-Policy: a specification that allows web services to use XML to advertise their policies (on security, Quality of Service, etc.) and for web service consumers to specify their policy requirements
10
W3C Standard Maturation
• Working Draft (WD): published for review by "the community"
• Candidate Recommendation (CR): a version of the standard that is more firm than the WD
• Proposed Recommendation (PR): the version of the standard that has passed the prior two levels
• W3C Recommendation (REC): most mature stage of development
• Later Revisions: updated by separately-published Errata
11
WS Security Outline
12
• Security on the Web
  – Data Security
  – Metadata Security
  – Application Security
• Future Directions
Outline
13
• Security on the Web
  – Data Security
    Access Control Models for Semi-Structured Data
    Syntactic XML: Secure XML Views, XML Updates, XML association object
    XML and Semantics: SMIL, Inference Control
  – Metadata Security
  – Application Security
• Future Directions
Limitation of Research
• Syntax-based
• No association protection
• Limited handling of updates
• No data or application semantics
• No inference control
14
Secure XML Views - Example
16
<medicalFiles>                        UC
  <countyRec>                         S
    <patient>                         S
      <name>John Smith</name>         UC
      <phone>111-2222</phone>         S
    </patient>
    <physician>Jim Dale</physician>   UC
  </countyRec>
  <milBaseRec>                        TS
    <patient>                         S
      <name>Harry Green</name>        UC
      <phone>333-4444</phone>         S
    </patient>
    <physician>Joe White</physician>  UC
    <milTag>MT78</milTag>             TS
  </milBaseRec>
</medicalFiles>
(Figure: the same document drawn as a tree; caption: View over UC data.)
Secure XML Views - Example cont.
17
<medicalFiles>
  <countyRec>
    <patient>
      <name>John Smith</name>
    </patient>
    <physician>Jim Dale</physician>
  </countyRec>
  <milBaseRec>
    <patient>
      <name>Harry Green</name>
    </patient>
    <physician>Joe White</physician>
  </milBaseRec>
</medicalFiles>
(Figure: this view drawn as a tree; caption: View over UC data.)
Secure XML Views - Example cont.
18
(Figure: the view drawn as a tree; caption: View over UC data.)
<medicalFiles>
  <tag01>
    <tag02>
      <name>John Smith</name>
    </tag02>
    <physician>Jim Dale</physician>
  </tag01>
  <tag03>
    <tag02>
      <name>Harry Green</name>
    </tag02>
    <physician>Joe White</physician>
  </tag03>
</medicalFiles>
Secure XML Views - Example cont.
19
<medicalFiles>                        UC
  <countyRec>                         S
    <patient>                         S
      <name>John Smith</name>         UC
    </patient>
    <physician>Jim Dale</physician>   UC
  </countyRec>
  <milBaseRec>                        TS
    <patient>                         S
      <name>Harry Green</name>        UC
    </patient>
    <physician>Joe White</physician>  UC
  </milBaseRec>
</medicalFiles>
(Figure: the document drawn as a tree; caption: View over UC data.)
Secure XML Views - Example cont.
20
(Figure: the flattened view drawn as a tree; caption: View over UC data.)
<medicalFiles>
  <name>John Smith</name>
  <physician>Jim Dale</physician>
  <name>Harry Green</name>
  <physician>Joe White</physician>
</medicalFiles>
Secure XML Views - Solution
• Multi-Plane DTD Graph (MPG)
• Minimal Semantic Conflict Graph (association preservation)
• Cover story
• Transformation rules
21
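The view strategies of slides 16 to 20 worked through in Python, as an added example that is not code from the lecture or its authors: each medicalFiles element carries a UC/S/TS label, and a view for a given clearance is built either with cover-story tags (tag01..tag03, as on slide 18) or flattened to the readable leaves (slide 20). The `sec` attribute as the label encoding and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

LEVEL = {"UC": 0, "S": 1, "TS": 2}

# Constructed sample: the medicalFiles document of the slides, with each
# element's classification carried in a 'sec' attribute (our own encoding).
DOC = """<medicalFiles sec="UC"><countyRec sec="S"><patient sec="S">
<name sec="UC">John Smith</name><phone sec="S">111-2222</phone></patient>
<physician sec="UC">Jim Dale</physician></countyRec><milBaseRec sec="TS">
<patient sec="S"><name sec="UC">Harry Green</name><phone sec="S">333-4444</phone>
</patient><physician sec="UC">Joe White</physician><milTag sec="TS">MT78</milTag>
</milBaseRec></medicalFiles>"""

def readable(elem, clearance):
    return LEVEL[elem.get("sec", "UC")] <= LEVEL[clearance]

def cover_story_view(elem, clearance, names=None):
    """Slide 18 strategy: keep the tree shape, but show an element above the
    clearance under a neutral cover tag (tag01, tag02, ...) so its real name
    (countyRec, milBaseRec) leaks nothing. A subtree with nothing readable is dropped."""
    names = {} if names is None else names
    covered = not readable(elem, clearance)
    if covered and len(elem) == 0:
        return None                      # unreadable leaf: nothing to show
    # cover tags are numbered in document order; the same real tag always maps to the same cover tag
    tag = names.setdefault(elem.tag, "tag%02d" % (len(names) + 1)) if covered else elem.tag
    kept = [v for v in (cover_story_view(c, clearance, names) for c in elem)
            if v is not None]
    if covered and not kept:
        return None                      # cover tag with nothing readable below
    out = ET.Element(tag)
    out.text = None if covered else elem.text
    out.extend(kept)
    return out

def flat_view(elem, clearance):
    """Slide 20 strategy: hoist every readable leaf under the root. No cover
    tags are needed, but the patient/physician association is lost."""
    root = ET.Element(elem.tag)
    for leaf in elem.iter():
        if len(leaf) == 0 and readable(leaf, clearance):
            ET.SubElement(root, leaf.tag).text = leaf.text
    return root

def leaves(elem, path=""):
    """Flatten a view to (path, text) pairs so views can be compared."""
    path = path + "/" + elem.tag if path else elem.tag
    if len(elem) == 0:
        return [(path, (elem.text or "").strip())]
    return [p for c in elem for p in leaves(c, path)]

def view(clearance, flat=False):
    doc = ET.fromstring(DOC)
    return leaves(flat_view(doc, clearance) if flat else cover_story_view(doc, clearance))
```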
22
Multi-Plane DTD Graph
(Figure: the DTD graph of medicalFiles (countyRec, milBaseRec, patient, name, phone, physician, milTag) drawn over three security planes, Unclassified, Secret and TopSecret; each DTD node D,x sits on the plane of its classification: medicalFiles, name and physician on UC; countyRec, patient and phone on S; milBaseRec and milTag on TS.)
MPG = DTD graph over multiple security planes
Transformation - Example
23-26
(Figure sequence: the MPG of medicalFiles over the TS, S and UC planes, shown next to the Minimal Semantic Conflict Graph (MSCG) over name, phone and physician in the Secret security space; a cover-story element <emrgRec> is introduced on an additional plane SP and the MSCG of name and physician is placed under it; the resulting data structure is medicalFiles → emergencyRec → name, physician.)
28
Delete - Example
(Figure: a Report document tree with the nodes Title, Data, Date, Temperature, Images, Water Resources, Concrete Location, Civil Area and Defense Sector; each node is labelled P, S or TS, and the node whose delete is in question is marked ?.)
Delete Operations
• Delete the entire sub-tree under a deleted node
  – Most widely used approach
  – Problem: blind write
• Delete only the viewable nodes
  – Problem: fragmentation of the XML tree
• Reject the delete
  – Problem: covert channel
29
Different Solution – Deleted Label
Basic Idea
• A unique domain “Del” for deleted nodes
• Change the security classification of the deleted node to (o, {do ∪ Del})
  – Performed after the delete operation
• Change the security clearance of users, where s = (s, {ds}) > (o, {do}), to ( (s, {ds}) , (o, {do ∪ Del}) )
  – Can be preprocessed
• Use BLP axioms
30
31
Example - Top Secret View
(Figure: the Report tree as a Top Secret subject sees it after the delete, with the nodes Report, Title, Data, Date, Temperature, Images, Concrete Location and Defense Sector; the deleted nodes now carry the label (S,{Del}), the others keep their P and TS labels.)
Subject clearances:
(TS, {}) → { (TS, {}) , (S, {Del}), (P, {Del}) }
(S, {}) → { (S, {}), (P, {Del}) }
(P, {}) → { (P, {}) }
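The deleted-label scheme worked through in Python, as an added example that is not code from the lecture: expand_clearance is the preprocessing step above, delete relabels a node instead of removing it, and visible computes what a subject with the expanded clearance set sees. The labels on the Report nodes are constructed for the example, as are all names.

```python
LEVEL = {"P": 0, "S": 1, "TS": 2}   # Public < Secret < Top Secret

def dominates(a, b):
    """BLP dominance on labels (level, categories)."""
    return LEVEL[a[0]] >= LEVEL[b[0]] and a[1] >= b[1]

def expand_clearance(level):
    """Preprocessing step of the slides: a subject cleared (s, {}) also gets
    (o, {Del}) for every level o it strictly dominates, so nodes deleted at
    lower levels stay readable to it, and visibly deleted."""
    own = (level, frozenset())
    lower = {(o, frozenset({"Del"})) for o in LEVEL if LEVEL[o] < LEVEL[level]}
    return {own} | lower

def can_read(clearances, label):
    return any(dominates(c, label) for c in clearances)

def sample_tree():
    """Constructed sample: the Report tree of the slides as
    node -> (parent, label); which node gets which label is our choice."""
    def lab(lv): return (lv, frozenset())
    return {"Report": (None, lab("P")), "Title": ("Report", lab("P")),
            "Data": ("Report", lab("P")), "Date": ("Data", lab("P")),
            "Temperature": ("Data", lab("P")), "Images": ("Data", lab("S")),
            "Water Resources": ("Report", lab("S")),
            "Concrete Location": ("Water Resources", lab("S")),
            "Civil Area": ("Water Resources", lab("S")),
            "Defense Sector": ("Water Resources", lab("TS"))}

def delete(tree, subject_level, node):
    """Delete by relabelling: the node is not removed (no blind write over
    higher-classified descendants) and the request is not refused (no covert
    channel); it just gains the Del category. Under BLP a subject writes only
    at its own label, so the node must carry exactly that label."""
    parent, (lv, cats) = tree[node]
    if (lv, cats) != (subject_level, frozenset()):
        raise PermissionError("%s is not at the subject's label" % node)
    tree[node] = (parent, (lv, cats | {"Del"}))

def visible(tree, clearances):
    """Nodes a subject sees: the node's label and every ancestor's must be readable."""
    def ok(n):
        parent, label = tree[n]
        return can_read(clearances, label) and (parent is None or ok(parent))
    return sorted(n for n in tree if ok(n))
```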
Node Association - Example
DTD of Patient Health Record
32
(Figure: DTD graph MedicalDb → Patient*, with the children Name, SSN, Phone, Birthdate, Race, Allergies (Allergen*), DateDiagnosis, Physician, Prescription* and Comments. Two association objects are marked: (Patient: Name, Phone) and (Patient: Birthdate, Race, DateDiagnosis, Comments).)
Layered Access Control
33
(Figure: two layers of classification on one tree: node-level classification, each node marked + or -, and object/association-level classification over the association object.)
Simple Security Object
34
(Figure: an object o with the component subtrees t1, t2, t3, t4.)
For every component ti of o: label(ti) = label(o)
Association Security Object
35
(Figure: an object o with the component subtrees t1, t2, t3, t4.)
For every component ti of o: label(ti) < label(o)
Query Pattern
36
(Figure: the query pattern as a tree under //: r with children d and a; a has children b and c; d and b both carry the value v1.)
for $x in //r
let $y := $x/d, $z := $x/a
where $z/b = $y
return <answer> {$z/c} </answer>
Pattern Automata
• Pattern Automata X = {Σ, Q, q0, Qf, δ}
  – Σ = E ∪ A ∪ {pcdata, //}
  – δ is a transition function
  – Q = {q0, …, qn}
  – Qf ⊆ Q, (q0 ∉ Qf)
• Valid transitions on δ are of the following form: (qi, …, qj) → qk
• If δ does not contain a valid transition rule, the default new state is q0
37
Pattern Automata - Example
38
(Figure: the association object a with children b and c, under //.)
Σ = {a, b, c, //}
Q = {q0, qa, qb, qc}
Qf = {qa}
δ = {
  b() → qb,
  c() → qc,
  a(qb, qc) → qa,
  *(qa) → qa }
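The example automaton run as code, as an added example that is not from the lecture: a bottom-up run over an XML tree with the slide's δ, reporting whether the root reaches qa and which elements completed the a(b, c) pattern themselves. How child states are matched (q0 children ignored, duplicates collapsed, order ignored) is my reading of the default-state rule, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

Q0 = "q0"   # default state when no transition rule applies

# The pattern automaton of the slide for the association object a(b, c) under //.
# A rule maps (element name, non-default child states) -> new state; "*" is
# any element name. The last rule is the // part: qa climbs to the root.
DELTA = {("b", ()): "qb", ("c", ()): "qc",
         ("a", ("qb", "qc")): "qa", ("*", ("qa",)): "qa"}
FINALS = {"qa"}

def run(elem, delta, states):
    """Bottom-up run: children first, then the element itself. Child states
    equal to q0 are dropped and the rest collapsed to a sorted set before the
    lookup (our reading of the default-state rule; the slide leaves it
    implicit). Records (state, reached through a "*" rule) per element."""
    kids = tuple(sorted({run(c, delta, states)[0] for c in elem} - {Q0}))
    if (elem.tag, kids) in delta:
        states[elem] = (delta[(elem.tag, kids)], False)
    elif ("*", kids) in delta:
        states[elem] = (delta[("*", kids)], True)
    else:
        states[elem] = (Q0, False)
    return states[elem]

def associations(xml_text, delta=DELTA, finals=FINALS):
    """Return (accepted, matches): whether the root ends in a final state and
    the paths of the elements that completed the pattern themselves, i.e.
    the association objects an association-level label would apply to."""
    root = ET.fromstring(xml_text)
    states = {}
    accepted = run(root, delta, states)[0] in finals
    matches = []
    def walk(e, path):
        state, via_star = states[e]
        if state in finals and not via_star:
            matches.append(path)
        for i, c in enumerate(e, 1):
            walk(c, "%s/%s[%d]" % (path, c.tag, i))
    walk(root, "%s[1]" % root.tag)
    return accepted, matches

# Constructed sample: two complete a(b, c) associations, one of them nested
# under an unrelated element, and one incomplete a(b) that must not match.
SAMPLE = "<r><a><b/><c/></a><a><b/></a><x><a><c/><b/></a></x></r>"
```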
SMIL
40
(Figure: the three SMIL composition operators on AUDIO and VIDEO media.
 Sequential operator "seq": VIDEO after END of AUDIO.
 Parallel operator "par": VIDEO and AUDIO together.
 Switch operator "switch": if condition A = TRUE then only VIDEO; if condition B = TRUE then only AUDIO; the unselected track is SILENCE.)
SMIL vs. XML
• In both, document = tree
• BUT XML has NO intended semantics; SMIL specifies runtime behavior
• QoS (timeliness and continuity) is specified using the synchronization constructs <par>, <seq>, <excl> and others
• No security for SMIL
41
(Figure: the document below as a tree: smil → seq → par(Audio1, Video1), par(Audio2, Video2).)
<smil>
  <seq>
    <par>
      <audio src="http://www.example.org/Audio1.rm"/>
      <video src="http://www.example.org/Video1.rm"/>
    </par>
    <par>
      <audio src="http://www.example.org/Audio2.rm"/>
      <video src="http://www.example.org/Video2.rm"/>
    </par>
  </seq>
</smil>
42
t t+7 t+14Audio 1Audio 2Video 1Video 2
Audio 1 Audio 2
PAR
t t+7 t+14
Video 1Audio 1Audio 2
Video 2Audio 1Video 1
Audio 2Video 2
t t+7 t+14Audio 1Audio 2Video 1Video 2 Video 1 Video 2
V1 V2
SEQ
A1 A2
SEQ
V1 V2A1 A2
SEQ SEQ
PAR
Object Identity in SMIL - IObject Identity in SMIL - I
43
t t+7 t+14Audio 1 Audio 2Video 1 Video 2
Audio 1Video 2
t t+7 t+14Audio 1 Audio 2Video 1 Video 2
Audio 2Video 1
t t+7 t+14
Video 1Audio 1 Audio 2
Video 2Audio 1Video 1
Audio 2Video 2
PAR
V1 A2
SEQ
A1 V2
SEQ
V1 A2A1 V2
SEQ SEQ
PAR
Object Identity in SMIL - IIObject Identity in SMIL - II
44
t t+7 t+14
Audio 2Audio 1Video 1 Video 2
t t+7 t+14
Audio 1Video 1
Audio 2Video 2 Video 2
Audio 2
Audio 1Video 1
SEQ
t+14
Video 1Audio 1 Audio 2
Video 2Audio 1Video 1
Audio 2Video 2
t t+7
A2 V2
PAR
A1 V1
PAR
A2 V2A1 V1
PAR PAR
SEQ
Object Identity in SMIL - IIIObject Identity in SMIL - III
SMIL Normal Form
SMIL Normal Form (smilNF) is of the form
<seq>
  <par> C_1,1(s) C_1,2(s) C_1,3(s) ... C_1,n(s) </par>
  ...
  <par> C_m,1(s) C_m,2(s) C_m,3(s) ... C_m,n(s) </par>
</seq>
where C_i,j are audio, video, image or text media intervals.
45
Normalization Algorithm
46
(Figure: Representation 1, four media tracks A, B, C and D in parallel, each a seq of the intervals 1, 2, 3; Representation 2, the same presentation as a seq of pars: par(A1, B1, C1, D1), par(A2, B2, C2, D2), par(A3, B3, C3, D3). A second instance shows a normal form with gaps: par(A1), par(B2, C2, D2), par(C3).)
Metadata in SMIL - RBAC Example
47
(Figure: the SMIL normal form seq(par(A1, V1), par(A2, V2)); the same tree decorated with RBAC metadata, the role labels r1, r3, r1 and r2 shown on A1, V1, A2 and V2 in that order; and the permitted view for Role 1, seq(par(A1, V1), par(A2, Empty)).)
49
The Inference Problem
General Purpose Database:
  Non-confidential data + Metadata ⇒ Undesired Inferences
Semantic Web:
  Non-confidential data + Metadata (data and application semantics) + Computational Power + Connectivity ⇒ Undesired Inferences
Association Graph
• Association similarity measure
  – Distance of each node from the association root
  – Difference of the distance of the nodes from the association root
  – Complexity of the sub-trees originating at nodes
• Example:
50
(Figure: an XML document, Air show, containing the nodes address and fort, and the association graph of address and fort with the labels Public and Public, AC.)
Correlated Inference
51
Concept hierarchy (Object[]):
  waterSource :: Object
    basin :: waterSource
  place :: Object
    district :: place
    address :: place
  base :: Object
    fort :: base
(Figure: the associations (address, fort) and (district, basin) are both Public, while the association (water source, base) is Confidential; the ? in the figure asks whether the two public associations together reveal the confidential one.)
Concept Generalization: weighted concepts, concept abstraction level, range of allowed abstractions
Correlated Inference (cont.)
52
(Figure: the public associations (address, fort) and (district, basin) generalized along the concept hierarchy above: address and district to place, fort to base, basin to water source; their generalizations (place, base) and (water source, place) are shown next to the Confidential association (water source, base).)
Inference Removal
• Relational databases: limit access to data
• Web inferences
  – Cannot redesign public data outside of the protection domain
  – Cannot modify/refuse an answer to an already published web page
• Protection Options:
  – Release misleading information
  – Remove information
  – Control access to metadata
53
Metadata Security
• No security model exists for metadata
• Can we use existing security models to protect metadata?
• RDF/S is the basic framework for the SW
• RDF/S supports simple inferences
• This is not true of XML: XML access control cannot be used to protect RDF/S data
55
RDF/S Entailment Rules
Example RDF/S entailment rules (http://www.w3.org/TR/rdf-mt/#rules)
• Rdfs2:
  – (aaa, rdfs:domain, xxx) + (uuu, aaa, yyy) ⇒ (uuu, rdf:type, xxx)
• Rdfs3:
  – (aaa, rdfs:range, xxx) + (uuu, aaa, vvv) ⇒ (vvv, rdf:type, xxx)
• Rdfs5:
  – (uuu, rdfs:subPropertyOf, vvv) + (vvv, rdfs:subPropertyOf, xxx) ⇒ (uuu, rdfs:subPropertyOf, xxx)
• Rdfs11:
  – (uuu, rdfs:subClassOf, vvv) + (vvv, rdfs:subClassOf, xxx) ⇒ (uuu, rdfs:subClassOf, xxx)
56
Example Graph Format
57
(Figure: RDF graph with the schema nodes Person, Student, University and GovAgency, the properties memberAt and studiesAt, and the instance nodes John and USC; the legend distinguishes schema from instance nodes and the edge types rdf:type, inferred rdf:type, rdfs:subClassOf and rdfs:subPropertyOf.)
RDF Triples:
Fact1: (Student, rdfs:subClassOf, Person)
Fact2: (University, rdfs:subClassOf, GovAgency)
Fact3: (studiesAt, rdfs:domain, Student)
Fact4: (studiesAt, rdfs:range, University)
Fact5: (studiesAt, rdfs:subPropertyOf, memberAt)
Fact6: (John, studiesAt, USC)
Example Graph Format cont.
58-60
(Figure: the same graph, with the inferred rdf:type edges added one rule at a time.)
Rdfs2 : Fact3 + Fact6 ⇒ Fact7 = (John, rdf:type, Student)
Rdfs3 : Fact4 + Fact6 ⇒ Fact8 = (USC, rdf:type, University)
Rdfs9 : Fact2 + Fact8 ⇒ Fact9 = (USC, rdf:type, GovAgency)
Secure RDF
Entailed data in RDF can cause illegal inferences:
• (John, studiesAt, USC) [S] + (studiesAt, rdfs:domain, University) [S] ⇒ (USC, rdf:type, University) [S]
• (USC, rdf:type, University) [S] + (University, rdfs:subClassOf, GovAgency) [S] ⇒ (USC, rdf:type, GovAgency) [TS]
Secret user can infer TS information
61
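The entailment chain above in Python, as an added example that is not code from the lecture: forward chaining with rdfs2, rdfs3, rdfs5, rdfs9 and rdfs11 over the six facts, labelling each entailed triple with the join of its premises' labels, plus a policy object pattern that classifies every (?, rdf:type, GovAgency) triple as TS. The fact labels and the policy are constructed; illegal_inferences reports what a subject can derive from the facts it may read but is not cleared to see.

```python
LEVEL = {"UC": 0, "S": 1, "TS": 2}

# Constructed sample: the six facts of the example graph, each with a classification of our choosing.
FACTS = {
    ("Student", "rdfs:subClassOf", "Person"): "UC",
    ("University", "rdfs:subClassOf", "GovAgency"): "S",
    ("studiesAt", "rdfs:domain", "Student"): "S",
    ("studiesAt", "rdfs:range", "University"): "S",
    ("studiesAt", "rdfs:subPropertyOf", "memberAt"): "UC",
    ("John", "studiesAt", "USC"): "S",
}

# Assumed policy with an object pattern (None matches anything): typing something as GovAgency is TS.
POLICY = [((None, "rdf:type", "GovAgency"), "TS")]

def rule(t1, t2):
    """Apply rdfs2/3/5/9/11 to an ordered pair of triples; return (entailed triple, rule) or None."""
    (s, p, o), (s2, p2, o2) = t1, t2
    if p == "rdfs:domain" and p2 == s:               return (s2, "rdf:type", o), "rdfs2"
    if p == "rdfs:range" and p2 == s:                return (o2, "rdf:type", o), "rdfs3"
    if p == p2 == "rdfs:subPropertyOf" and o == s2:  return (s, p, o2), "rdfs5"
    if p == "rdfs:subClassOf" and p2 == "rdf:type" and o2 == s: return (s2, "rdf:type", o), "rdfs9"
    if p == p2 == "rdfs:subClassOf" and o == s2:     return (s, p, o2), "rdfs11"
    return None

def close(facts):
    """Forward-chain to a fixpoint: triple -> (label, how derived); an entailed triple gets the join of its premises' labels."""
    known = {t: (l, "given") for t, l in facts.items()}
    changed = True
    while changed:
        changed = False
        for t1, (l1, _) in list(known.items()):
            for t2, (l2, _) in list(known.items()):
                hit = rule(t1, t2)
                if hit and hit[0] not in known:
                    known[hit[0]] = (max(l1, l2, key=LEVEL.get), hit[1])
                    changed = True
    return known

def required_label(triple, policy, default):
    """Label the policy assigns to a triple: first matching object pattern, else the derived label."""
    hits = [lab for pat, lab in policy if all(x is None or x == y for x, y in zip(pat, triple))]
    return hits[0] if hits else default

def illegal_inferences(facts, policy, clearance):
    """(triple, rule, label) for everything a subject can derive from readable facts but is not cleared for."""
    readable = {t: l for t, l in facts.items() if LEVEL[l] <= LEVEL[clearance]}
    out = []
    for t, (l, how) in close(readable).items():
        need = required_label(t, policy, l)
        if LEVEL[need] > LEVEL[clearance]:
            out.append((t, how, need))
    return out
```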
RDF Access Control
• Security Policy
  – Subject
  – Object
  – Object pattern
  – Access Mode
• Default policy
• Conflict Resolution
• Classification of entailed data
• Flexible granularity
62
Prototype Systems
• XML Access Control
  – Secure Views
  – Association-level access control
  – MLS/XML Delete
• Ontology Guided XML Inferences
• RDF Access Control
• Future Work
  – Next versions
  – OWL access control
  – Application-level security
63
Secure XML Updates
64
(Figure: architecture of the Secure XML Updates prototype with the components MACParser.java, MACModel.java, NodeSecurityManager.java, FilepathAbsouteTable, UserManagement.java (UserName), NativeElementIndex.java, XMLUtil.java, PathSatisfaction.java and the Result.)
65
Secure XML Updates - Example
RDF Access Control Example
66