ABSTRACT
XML documents are frequently used in applications such as business transactions and medical records involving sensitive information. Typically, parts of documents should be visible to users depending on their roles. For instance, an insurance agent may see the billing information part of a medical document but not the details of the patient's medical history. Access control on the basis of data location or value in an XML document is therefore essential. In practice, the number of access control rules is on the order of millions, which is the product of the number of document types (in the thousands) and the number of user roles (in the hundreds). Therefore, the solution requires high scalability and performance. Current approaches to access control over XML documents have suffered from scalability problems because they tend to work on individual documents. In this paper, we propose a novel approach to XML access control through rule functions that are managed separately from the documents. A rule function is an executable code fragment that encapsulates the access rules (paths and predicates), and is shared by all documents of the same document type. At runtime, the rule functions corresponding to the access request are executed to determine the accessibility of document fragments. Using synthetic and real data, we show the scalability of the scheme by comparing the accessibility evaluation cost of two rule function models. We show that rule functions generated on a per-user basis are more efficient for XML databases.
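An illustration of the rule-function idea described in the abstract, added here and not taken from the paper: access rules (a path plus a predicate on the element) for one document type are compiled once per role into a function, and that same function is then run against every document of the type. The rule set, role and element names, the default-deny start and the deny-overrides semantics are all assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed rules for one hypothetical document type ("record").
# Rule = (element path from the root, predicate on the element, grant?)
RULES = {
    "insurance_agent": [
        (("record", "billing"), lambda e: True, True),
        (("record", "history"), lambda e: True, False),
    ],
    "physician": [
        (("record",), lambda e: True, True),
        # Value-based rule: disputed billing is hidden from this role.
        (("record", "billing"), lambda e: e.get("status") == "disputed", False),
    ],
}

def make_rule_function(rules):
    """Compile a role's rules into one function reused for every document."""
    def accessible(path, elem, inherited):
        hits = [grant for rule_path, pred, grant in rules
                if rule_path == path and pred(elem)]
        # Assumed semantics: no matching rule -> inherit; any deny wins.
        return all(hits) if hits else inherited
    return accessible

# Built once per role, independent of any individual document.
RULE_FUNCTIONS = {role: make_rule_function(r) for role, r in RULES.items()}

def visible_paths(role, xml_text):
    """Evaluate the role's rule function over one document (default deny)."""
    rule_fn, out = RULE_FUNCTIONS[role], []
    def walk(elem, parent_path, inherited):
        path = parent_path + (elem.tag,)
        allowed = rule_fn(path, elem, inherited)
        if allowed:
            out.append("/" + "/".join(path))
        for child in elem:
            walk(child, path, allowed)
    walk(ET.fromstring(xml_text), (), False)
    return out

# Two constructed documents of the same type.
DOC_A = ("<record><patient>P1</patient><billing status='paid'>"
         "<amount>120</amount></billing><history><entry>e1</entry></history></record>")
DOC_B = ("<record><billing status='disputed'><amount>900</amount></billing>"
         "<history><entry>e2</entry></history></record>")

if __name__ == "__main__":
    for role in RULE_FUNCTIONS:
        for name, doc in (("A", DOC_A), ("B", DOC_B)):
            print(role, name, visible_paths(role, doc))
```

The physician's view of the two documents differs only because of the attribute value on `billing`, which is the "location or value" distinction the abstract draws; the insurance agent's view is the same for both.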