Protection of Relationships in XML Documents with the XML-BB Model

Since XML is becoming the main format for exchanging data over the Internet, it is necessary to define a security model to control access to the content of these documents. Several such models have already been suggested, but we claim that none of them is sufficiently expressive to properly express some basic security requirements, especially those related to the protection of entity relationships. To cope with these limitations, we suggest structuring the access control policy using the new concept of a block. Blocks are used to hide relationships between nodes selected in different blocks, which provides a means to specify confidentiality restrictions associated with some relationships. An access control model called XML-BB (XML Block Based Access Control), which includes this concept of block, is presented, and a formal semantics for this model is defined.
