Linked Data with Access Control, PhD Viva, Sabrina Kirrane

Posted 05-Aug-2015

Linked Data with Access Control

PhD Viva

Sabrina Kirrane

Background & Problem Statement

1.1 Publishing and Consuming Linked Data

Figure: publishing and consuming Linked Data through an RDB2RDF interface.

Research Questions

1. When relational data is exposed as RDF, how can we ensure the original access control policies are applied to the RDF data?

2. Beyond triple level access control, what rules are necessary to support existing access control models and to simplify access control specification and maintenance?

3. What adjustments need to be made to SPARQL queries, to ensure that only authorised data is returned?

4. What components are required to support the specification, enforcement and administration of access control for the Linked Data Web?

Access Control Entities
• Users, e.g. JBloggs, MRyan
• Roles, e.g. manager, supervisor
• Groups, e.g. humanResources, sales
• Attributes, e.g. (employer, NUIG), (policyNumber, 565656)

Access Rights: Create, Read, Update, Delete

Resources: Triples

The 28th International Conference on Logic Programming, ICLP 2012.

The 2nd Joint International Semantic Technology Conference, JIST 2012.

Associating Permissions with RDF

Zimmermann, A., Lopes, N., Polleres, A., Straccia, U. 2012. A general framework for representing, reasoning and querying with annotated semantic web data.

Allows domain specific meta data to be attached to triples:
• Fuzzy: :joeBloggs :worksFor :westportCars [ 0.5 ]
• Temporal: :joeBloggs :worksFor :westportCars [ 2010, 2012 ]
• Provenance: :joeBloggs :worksFor :westportCars [ :employeeDetails ]
• Access Control: :joeBloggs :worksFor :westportCars [ [Read] [Update] [Delete] ]

Supports both merging and inference:
• ⊕ domain operator = disjunction
• ⊗ domain operator = conjunction
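The access control annotation domain sketched above, as an added example (not code from the thesis): an annotation is three sets of entities permitted to Read, Update and Delete a triple; the reading of ⊕ as per-operation union and ⊗ as per-operation intersection, the sample triples and the :worksIn rule are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ACL:
    """Access control annotation [ [Read] [Update] [Delete] ]: the entities
    (users, roles, groups) permitted to perform each operation on the triple."""
    read: frozenset
    update: frozenset
    delete: frozenset

    @staticmethod
    def of(read=(), update=(), delete=()):
        return ACL(frozenset(read), frozenset(update), frozenset(delete))

    def merge(self, other):
        """Disjunction (⊕, assumed as union): the same triple asserted by two
        sources is visible to anyone permitted by either source."""
        return ACL(self.read | other.read, self.update | other.update, self.delete | other.delete)

    def infer(self, other):
        """Conjunction (⊗, assumed as intersection): a triple derived from two
        premises is only visible to entities permitted on both premises."""
        return ACL(self.read & other.read, self.update & other.update, self.delete & other.delete)

def can(acl, op, entities):
    """True if any of the requester's entities holds `op` on the annotated triple."""
    return bool(getattr(acl, op) & frozenset(entities))

# Constructed annotated triples: (s, p, o) -> ACL
STORE = {
    (":joeBloggs", ":worksFor", ":westportCars"): ACL.of(read={"HR", "sales"}),
    (":westportCars", ":locatedIn", ":mayo"): ACL.of(read={"HR"}, update={"HR"}),
}

def infer_works_in(store):
    """Hypothetical rule ?x :worksFor ?c . ?c :locatedIn ?p -> ?x :worksIn ?p,
    combining the premises' annotations with ⊗; a conclusion reached twice is merged with ⊕."""
    out = {}
    for (x, p1, c), a1 in store.items():
        for (c2, p2, place), a2 in store.items():
            if p1 == ":worksFor" and p2 == ":locatedIn" and c == c2:
                key = (x, ":worksIn", place)
                out[key] = out[key].merge(a1.infer(a2)) if key in out else a1.infer(a2)
    return out
```

The derived :worksIn triple is readable by HR only: sales could read the employment triple but not the location premise, so the conjunction drops it.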


Lifting both Data and Policies

Employee table:

  EmployeeID  Name        Salary
  JBloggs     Joe Bloggs  60000

Permissions table:

  ID  Type  Entity    Access
  HR  Role  Employee  Read

Use RDB2RDF to extract details of all employees and the roles that can access their data.

PermissionsForEmployee view (each employee joined with the roles that may access their record):

  EmployeeID  Name        Salary  RoleID
  JBloggs     Joe Bloggs  60000   HR

RDB2RDF mapping over the view:

  prefix :<http://urq.deri.org/enterprise#>
  FOR Id, Name, Salary, Role
  FROM PermissionsForEmployee
  CONSTRUCT {
    :{ $Id } a foaf:Person [ [{ $Role }] [] [] ] ;
      foaf:name "{ $Name }" [ [{ $Role }] [] [] ] ;
      :salary { $Salary } [ [{ $Role }] [] [] ] .
  }

Resulting annotated triples (Employee Permissions):

  prefix :<http://urq.deri.org/enterprise#>
  :JBloggs rdf:type foaf:Person [ [HR] [] [] ] ;
    foaf:name "Joe Bloggs" [ [HR] [] [] ] ;
    :salary 60000 [ [HR] [] [] ] .


Evaluating Triple Based Access Control

Objective: examine the performance overhead associated with access control.

Dataset: enterprise software applications (Document Management System, Timesheet System), as datasets of increasing size:

  Records           9990   17692   33098   63909
  Triples          62296  123920  247160  493648
  File size (MB)     7.6    14.9    29.9    59.6


Evaluation Results and Limitations

Figure: overhead associated with access control; performance improvement for 2+ triple patterns.


Known Limitations

Research Questions


What rules are necessary for access control over RDF data?

Discretionary Access Control (DAC)
• Central access control policy
• Users are allowed to override the central policy
• Users can pass their access rights on to others (known as delegation)

28th IFIP TC-11 International Information Security and Privacy Conference, SEC 2013.

12th International Semantic Web Conference, ISWC 2013.

DAC for the RDF Data Model
• Ability to delegate access rights to others: grant/revoke
• Data and schema based authorisations: triple(s), subject, object, property, named graph (RDF Quad Pattern); RDFS/OWL; authorisation hierarchies
• Access rights tightly coupled with operations: select, construct, ask, describe; insert, delete, insert/delete; drop, create, copy, move, add
• Conflict resolution: denial takes precedence; explicit over implicit; exploit hierarchies
• Integrity constraints: ensure the create, copy, move, add permissions are assigned to named graphs


Access Control Entities
• Users, e.g. joeBloggs, johnSmith
• Roles, e.g. manager, supervisor
• Groups, e.g. humanResources, sales
• Attributes, e.g. (employer, NUIG), (policyNumber, 565656)

Access Rights
• Create, Read, Update, Delete
• Select, Construct, Ask, Describe, Insert, Delete, Delete/Insert
• Create, Copy, Move, Add, Drop

Resources
• Triple
• RDF Quad Patterns

What rules are necessary to support DAC over RDF data?

Jajodia, S., Samarati, P., Sapino, M. L., Subrahmanian, V. S. Flexible support for multiple access control policies. 2001.


Hierarchical Data: System Components


Figure: hierarchies of Users/Groups, Roles, Access Rights and Resources (after Jajodia et al., 2001).


Graph Based Data: System Components


Subjects, Access Rights, Resources

Authorisations: <Sub, AR, Sign, Res, Type, By>

Propagation rules: Auth_x ← Auth_y ∧ GraphPattern

Conflict resolution policies: Auth_x ← Auth_x > Auth_y

Integrity constraints: Error ← Auth_x
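A minimal evaluator for the authorisation framework above, added here as an example and not the thesis's own code: authorisations are <Sub, AR, Sign, Res, Type, By> tuples over quad patterns, one propagation rule derives implicit authorisations for instances of a class, conflict resolution applies "explicit over implicit" and then "denial takes precedence", and the integrity constraint flags create/copy/move/add permissions that do not name a graph. The rdf:type facts, the policy and the exact reading of the class-to-instance rule are assumptions.

```python
from collections import namedtuple

# Authorisation <Sub, AR, Sign, Res, Type, By>; Res is a quad pattern (s, p, o, g),
# "?x" marks a variable, Type is "explicit" or "implicit" (derived by propagation).
Auth = namedtuple("Auth", "sub ar sign res type by")

# Constructed sample data: rdf:type facts consulted by the class-to-instance rule.
TYPES = {":Offer1": ":Offer", ":Offer2": ":Offer", ":Vendor1": ":Vendor"}

def is_var(term):
    return term.startswith("?")

def matches(pattern, quad):
    """Quad pattern match: a variable matches anything, a constant must be equal."""
    return all(is_var(p) or p == q for p, q in zip(pattern, quad))

def propagate(auths):
    """Propagation rule (assumed reading of 'classes to all instances of that class'):
    an authorisation on ?s rdf:type C ?g is inherited, as an implicit authorisation,
    by every quad about each instance of C in the same graph."""
    derived = list(auths)
    for a in auths:
        _, p, o, g = a.res
        if p == "rdf:type" and not is_var(o):
            for inst, cls in TYPES.items():
                if cls == o:
                    derived.append(Auth(a.sub, a.ar, a.sign, (inst, "?p", "?o", g), "implicit", a.by))
    return derived

def decide(auths, sub, ar, quad):
    """Conflict resolution: explicit authorisations override implicit ones; among the
    remaining candidates denial takes precedence. No applicable authorisation means deny."""
    applicable = [a for a in auths if a.sub == sub and a.ar == ar and matches(a.res, quad)]
    if not applicable:
        return False
    explicit = [a for a in applicable if a.type == "explicit"]
    return all(a.sign == "+" for a in (explicit or applicable))

def integrity_errors(auths):
    """Integrity constraint: create/copy/move/add permissions must be assigned to a named graph."""
    return [a for a in auths if a.ar in {"create", "copy", "move", "add"} and is_var(a.res[3])]

# Constructed policy: sales may select every :Offer instance in :G1, except :Offer2;
# the create permission violates the integrity constraint (no named graph).
POLICY = [
    Auth(":sales", "select", "+", ("?s", "rdf:type", ":Offer", ":G1"), "explicit", ":admin"),
    Auth(":sales", "select", "-", (":Offer2", "?p", "?o", ":G1"), "explicit", ":admin"),
    Auth(":sales", "create", "+", ("?s", "?p", "?o", "?g"), "explicit", ":admin"),
]

def sales_can_select(quad):
    return decide(propagate(POLICY), ":sales", "select", quad)
```

Note that :Offer2's own rdf:type quad is matched by both an explicit grant and an explicit denial, so the denial wins; its other quads are covered only by the implicit grant, which the explicit denial overrides.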


Evaluating Graph Based Access Control

Objective: measure the overhead associated with access control over increasing
• datasets
• authorisations

Dataset: Berlin SPARQL Benchmark (BSBM) dataset, with a query and authorisation generator.

Datasets of increasing size:

  Quads           250223  500258  1000109  2000164  4000936
  File size (MB)    24.5      49       98      195      391

Authorisation sets of increasing size:

  Quads            60000  120000  240000  480000  960000
  File size (MB)     6.5      13      26      53     105

Evaluation Results and Limitations

Figure: rules over increasing authorisations (60000 – 960000); SELECT queries over increasing triples (250223 – 4000936).

Authorisation patterns evaluated:
• all quads (?S ?P ?O ?G)
• a particular graph (?S ?P ?O G1)
• all quads of a type (?S rdf:type bsbm:Offer ?G)
• all classes (?S rdf:type rdf:Class)
• all properties (?S rdf:type rdf:Property)

Propagation evaluated:
• classes to all instances of that class
• properties to all instances of that property
• instance to properties associated with that instance

Known Limitations
• Need access to all quad patterns to execute the query
• Access control correctness is an open issue

Research Questions


SPARQL 1.1 Query Categories

SPARQL Queries
• Basic graph patterns and aggregates
• Negation and subqueries

SPARQL Updates
• Insert/delete
• Insert and Delete
• Graph based update operations

Rewriting SPARQL BGPs & Aggregates

Unauthorised quad pattern: :MRyan :salary ?o :Employee

Original query:

  SELECT ?id ?name ?salary
  WHERE { GRAPH ?g { ?id foaf:name ?name . ?id :salary ?salary } }

Rewritten query:

  SELECT ?id ?name ?salary
  WHERE { GRAPH ?g {
    ?id foaf:name ?name . ?id :salary ?salary
    FILTER NOT EXISTS { GRAPH :Employee {
      ?id foaf:name ?name . ?id :salary ?salary
      FILTER ( ?id = :MRyan ) } } } }

Rewriting SPARQL Subqueries and Filters

Unauthorised quad pattern: :MRyan :worksFor ?o :OrgStructure

Original query:

  SELECT DISTINCT ?employee ?manager
  WHERE { GRAPH ?g {
    ?x foaf:name ?employee . ?y foaf:name ?manager
    { SELECT ?x ?y WHERE { GRAPH :OrgStructure { ?x :worksFor ?y } } } } }

Rewritten query:

  SELECT DISTINCT ?employee ?manager
  WHERE { GRAPH ?g {
    ?x foaf:name ?employee . ?y foaf:name ?manager
    { SELECT ?x ?y WHERE { GRAPH :OrgStructure {
        ?x :worksFor ?y
        FILTER NOT EXISTS { GRAPH :OrgStructure {
          ?x :worksFor ?y
          FILTER ( ?x = :MRyan ) } } } } } } }

Rewriting SPARQL Update Queries

DELETE/INSERT
• Apply the SELECT query rewriting strategy

DELETE DATA and INSERT DATA
• Remove unauthorised quads from the query

CLEAR and DROP
• DELETE from target graph

ADD and LOAD
• INSERT into target graph

COPY
• DELETE from the destination graph
• INSERT into destination graph

MOVE
• DELETE from the destination graph
• INSERT into destination graph
• DELETE from the source graph

Access Control Correctness

Wang, Q., Yu, T., Li, N., Lobo, J., Bertino, E., Irwin, K., Byun, J.-W. Correctness criteria for fine-grained access control in relational databases. 2007.

• Secure: does not return information which has not been authorised
• Sound: does not return invalid results
• Maximum: returns as much information as possible without violating the secure and sound constraints

Figure: the criteria checked across two database states (State 1, State 2: holds?).

Evaluating Query Rewriting Correctness

Objective: compare the results returned by our query rewriting algorithm to the results returned by a standard SPARQL query over a filtered dataset, for:
• Basic graph patterns and aggregates
• Negation and subqueries
• Insert/delete
• Insert and delete
• Graph based update operations

Dataset: automatically generate a set of authorisations from all 2^4 possible combinations (of constants and variables) for each quad in the BSBM dataset; systematically generate queries for each of the 19104 RDF quad patterns.

As SPARQL queries are based on basic graph pattern matching, if we can prove correctness for all possible authorisations over the different query types, the data itself is irrelevant.

Results: the proposed query rewriting algorithm is secure, sound and maximum for:
• Basic graph patterns and aggregates
• Negation and subqueries
• Insert/delete
• Insert and delete
• Graph based update operations

Exception: in the case of property paths the query rewriting algorithm is not maximum.

Example:

  FILTER NOT EXISTS { GRAPH ?g { ?employee :worksFor+ ?manager FILTER ( ?employee = :MRyan ) } }

Performance Evaluation

Figure: time in milliseconds for triple updates, graph updates, queries and negation.

Known Limitations

Research Questions


Linked Data Authorisation Architecture

Figure: publishing and consuming Linked Data via RDB2RDF, extended with the Linked Data Authorisation Architecture:
• Extract both data and permissions
• Enforce access control policies
• Source the individual PDFs

Conclusions

1. When relational data is exposed as RDF, how can we ensure the original access control policies are applied to the RDF data?
Use RDB2RDF to extract and associate permissions with triples.

2. Beyond triple level access control, what rules are necessary to support existing access control models and to simplify access control specification and maintenance?
The graph based authorisation flexible framework:
• Authorisations
• Propagation rules
• Conflict resolution policies
• Integrity constraints

3. What adjustments need to be made to SPARQL queries, to ensure that only authorised data is returned?
Query rewriting strategy:
• FILTER NOT EXISTS expressions
• Remove triples from insert and delete data queries
• Rewrite update queries as INSERT/DELETE queries

4. What components are required to support the specification, enforcement and administration of access control for the LDW?
The Linked Data Authorisation Architecture includes:
• Authorisation Interface
• Query Engine
• Authorisation Framework

Linked Data with Access Control: Next Steps

Privacy
• Reasoning over privacy policies

Context Awareness
• Reasoning over contextual data
• Efficient reasoning over streaming data

Usability & Understandability
• Graph based data clustering and visualisation techniques
  o examine the interplay between authorisations and rules
  o determine the impact of new authorisations

Explanations & Negotiation
• Potential security impact associated with explanations