Secure XML querying with security views

The prevalent use of XML highlights the need for a generic, flexible access-control mechanism for XML documents that supports efficient and secure query access without revealing sensitive information to unauthorized users. This paper introduces a novel paradigm for specifying XML security constraints and investigates the enforcement of such constraints during XML query evaluation. Our approach is based on the novel concept of security views, which provide for each user group (a) an XML view consisting of all and only the information that the users are authorized to access, and (b) a view DTD that the XML view conforms to. Security views effectively protect sensitive data from access and potential inferences by unauthorized users, and provide authorized users with the schema information needed to facilitate effective query formulation and optimization. We propose an efficient algorithm for deriving security view definitions from security policies (defined on the original document DTD) for different user groups. We also develop novel algorithms for XPath query rewriting and optimization such that queries over security views can be efficiently answered without materializing the views. Our algorithms transform a query over a security view into an equivalent query over the original document, and effectively prune query nodes by exploiting the structural properties of the document DTD in conjunction with approximate XPath containment tests. Our work is the first to study a flexible, DTD-based access-control model for XML and its implications for the XML query-execution engine. Furthermore, it is among the first efforts on query rewriting and optimization in the presence of general DTDs for a rich class of XPath queries. An empirical study based on real-life DTDs verifies the effectiveness of our approach.
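
As an added illustration (not the paper's algorithm or code), the following Python sketch shows the two halves of the security-view idea on a constructed hospital document: materializing the view for one user group, and instead rewriting a child-axis query over the view into paths over the original document by consulting the DTD and the policy, so that the same answer is obtained without materializing the view. The element names, the DTD, the policy vocabulary ("hidden"/"deny") and the rule that accessible children of a hidden element are lifted to the nearest visible ancestor are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample document and DTD (illustrative; not the paper's data).
DOC = ET.fromstring("<hospital><patient><name>Alice</name><record><diagnosis>flu</diagnosis>"
                    "<bill>120</bill></record></patient><patient><name>Bob</name><record>"
                    "<diagnosis>asthma</diagnosis><bill>300</bill></record></patient></hospital>")
DTD = {"hospital": ["patient"], "patient": ["name", "record"],
       "record": ["diagnosis", "bill"], "name": [], "diagnosis": [], "bill": []}
# Assumed policy for one user group: "hidden" types are spliced out of the view (their
# accessible children attach to the nearest visible ancestor); "deny" drops the subtree.
POLICY = {"record": "hidden", "bill": "deny"}

def build_view(elem, policy=POLICY):
    """Materialize the security view; used here only to cross-check the rewriting."""
    new = ET.Element(elem.tag)
    new.text = elem.text
    for child in elem:
        state = policy.get(child.tag, "visible")
        if state == "hidden":
            new.extend(list(build_view(child, policy)))  # lift accessible descendants
        elif state != "deny":
            new.append(build_view(child, policy))
    return new

def dtd_paths(src, dst, dtd=DTD, policy=POLICY):
    """Original-document paths src -> hidden* -> dst (crossing no denied type) behind a view step src/dst."""
    out, stack = [], [(src, [])]
    while stack:
        cur, trail = stack.pop()
        for nxt in dtd.get(cur, []):
            state = policy.get(nxt, "visible")
            if state == "deny" or nxt in trail:  # skip denied types and hidden cycles
                continue
            if nxt == dst and state == "visible":
                out.append(trail + [nxt])
            elif state == "hidden":
                stack.append((nxt, trail + [nxt]))
    return out

def rewrite(steps, dtd=DTD, policy=POLICY):
    """Rewrite a child-axis view query (list of tags) into XPaths over the original document."""
    paths = [[steps[0]]] if policy.get(steps[0], "visible") == "visible" else []
    for a, b in zip(steps, steps[1:]):
        paths = [p + seg for p in paths for seg in dtd_paths(a, b, dtd, policy)]
    return ["/".join(p) for p in paths]  # empty list: the query can match nothing in the view

def run(root, xpath):
    """Evaluate a child-axis XPath whose first step names root; return the matched texts."""
    first, _, rest = xpath.partition("/")
    if root.tag != first: return []
    return [e.text for e in (root.findall("./" + rest) if rest else [root])]
```

For the view query hospital/patient/diagnosis, `rewrite` yields hospital/patient/record/diagnosis over the original, and a query on the denied bill element rewrites to nothing, matching what `build_view` would return.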
