Web Data and Application Security

Kodali, Farkas and Wijesekera

Posted on 31-Dec-2015



Reading

• World Wide Web Consortium, http://www.w3.org/

• Organization for the Advancement of Structured Information Standards, http://www.oasis-open.org/home/index.php

• Web Services Interoperability Organization, http://www.ws-i.org/

• Workshop on Secure Web Services, http://sws06.univ-pau.fr/

• Semantic Web Security, http://www.cse.sc.edu/research/isl/SSW/index.shtml


Web Evolution

• Past: Human usage
– HTTP
– Static Web pages (HTML)

• Current: Human and some automated usage
– Interactive Web pages
– Web Services (WSDL, SOAP, SAML)
– Semantic Web (RDF, OWL, RuleML, Web databases)
– XML technology (data exchange, data representation)

• Future: Semantic Web Services


Semantic Web


From: T.B. Lee


Web Services


From: Wikipedia

“…a software system designed to support interoperable machine-to-machine interaction over a network.” W3C


WS Components

• SOAP: An XML-based, extensible message envelope format, with "bindings" to underlying protocols

• WSDL: An XML format that allows service interfaces to be described, along with the details of their bindings to specific protocols.

• UDDI: A protocol for publishing and discovering metadata about Web services, to enable applications to find Web services, either at design time or runtime.

• WS-Security: Defines how to use XML Encryption and XML Signature in SOAP to secure message exchanges.


SOAP

• Simple Object Access Protocol: a protocol for exchanging XML-based messages over a computer network, normally using HTTP (from W3C)

• Foundation layer of the Web services stack

• Different types of messaging patterns:
– Remote Procedure Call (RPC) – most popular
– Service-Oriented Architecture (SOA)
– RESTful Web Services

• SOAP Envelope (figure)


UDDI

• Universal Description, Discovery, and Integration: a platform-independent, XML-based registry for businesses worldwide to list themselves on the Internet (from OASIS)

• Supports:
– businesses publishing service listings
– businesses discovering each other
– defining how the services or software applications interact over the Internet

• Components:
– White Pages — address, contact, and known identifiers
– Yellow Pages — industrial categorizations based on standard taxonomies
– Green Pages — technical information about services exposed by the business


WS-Security

• WS-Security (Web Services Security): a communications protocol providing a means for applying security to Web Services

• Origin: created by IBM, Microsoft, and VeriSign; the protocol is now officially called WSS and is developed via committee in OASIS Open

• Defines how integrity and confidentiality can be enforced on Web Services messaging

• Uses SAML and Kerberos, and certificate formats

• Incorporates security features in the header of a SOAP message, working in the application layer (different from TLS-based security)


WS Policy

• WS-Policy: a specification that allows web services to use XML to advertise their policies (on security, Quality of Service, etc.) and for web service consumers to specify their policy requirements


W3C Standard Maturation

• Working Draft (WD): published for review by "the community"
• Candidate Recommendation (CR): a version of the standard that is more firm than the WD
• Proposed Recommendation (PR): the version of the standard that has passed the prior two levels
• W3C Recommendation (REC): most mature stage of development
• Later Revisions: updated by separately-published Errata


WS Security Outline


• Security on the Web
• Data Security
• Metadata Security
• Application Security
• Future Directions


Outline


• Security on the Web
• Data Security
– Access Control Models for Semi-Structured Data
  – Syntactic XML: Secure XML Views, XML Updates, XML association object
  – XML and Semantics: SMIL, Inference Control
• Metadata Security
• Application Security
• Future Directions


Limitation of Research

• Syntax-based
• No association protection
• Limited handling of updates
• No data or application semantics
• No inference control


Secure XML Views - Example

Original document with a security label on each node (UC = Unclassified, S = Secret, TS = Top Secret):

<medicalFiles>                          UC
  <countyRec>                           S
    <patient>                           S
      <name>John Smith</name>           UC
      <phone>111-2222</phone>           S
    </patient>
    <physician>Jim Dale</physician>     UC
  </countyRec>
  <milBaseRec>                          TS
    <patient>                           S
      <name>Harry Green</name>          UC
      <phone>333-4444</phone>           S
    </patient>
    <physician>Joe White</physician>    UC
    <milTag>MT78</milTag>               TS
  </milBaseRec>
</medicalFiles>

(Figure: tree of the document with the view over UC data highlighted.)


Secure XML Views - Example cont.

View over UC data, keeping the original enclosing tags:

<medicalFiles>
  <countyRec>
    <patient>
      <name>John Smith</name>
    </patient>
    <physician>Jim Dale</physician>
  </countyRec>
  <milBaseRec>
    <patient>
      <name>Harry Green</name>
    </patient>
    <physician>Joe White</physician>
  </milBaseRec>
</medicalFiles>

(Figure: tree of this view.)


Secure XML Views - Example cont.

View over UC data, with the enclosing tags renamed:

<medicalFiles>
  <tag01>
    <tag02>
      <name>John Smith</name>
    </tag02>
    <physician>Jim Dale</physician>
  </tag01>
  <tag03>
    <tag02>
      <name>Harry Green</name>
    </tag02>
    <physician>Joe White</physician>
  </tag03>
</medicalFiles>

(Figure: tree of this view.)


Secure XML Views - Example cont.

Labelled document with the phone and milTag elements removed:

<medicalFiles>                          UC
  <countyRec>                           S
    <patient>                           S
      <name>John Smith</name>           UC
    </patient>
    <physician>Jim Dale</physician>     UC
  </countyRec>
  <milBaseRec>                          TS
    <patient>                           S
      <name>Harry Green</name>          UC
    </patient>
    <physician>Joe White</physician>    UC
  </milBaseRec>
</medicalFiles>

(Figure: tree of the document with the view over UC data highlighted.)


Secure XML Views - Example cont.

View over UC data, with the enclosing tags dropped:

<medicalFiles>
  <name>John Smith</name>
  <physician>Jim Dale</physician>
  <name>Harry Green</name>
  <physician>Joe White</physician>
</medicalFiles>

(Figure: tree of this view.)


Secure XML Views - Solution

• Multi-Plane DTD Graph (MPG)
• Minimal Semantic Conflict Graph (association preservation)
• Cover story
• Transformation rules


Multi-Plane DTD Graph

(Figure: the DTD graph of medicalFiles drawn over three security planes. Unclassified plane: medicalFiles, name, physician. Secret plane: countyRec, patient, phone. Top Secret plane: milBaseRec, milTag. Each node is marked D,<element> together with its plane label UC, S or TS.)

MPG = DTD graph over multiple security planes

Transformation - Example

(Figure, slide 23: the MPG above with the MSCG (minimal semantic conflict graph) over name, phone and physician, in security space Secret.)

(Figure, slide 24: an <emrgRec> node is introduced on a new plane SP; the MSCG now covers name and physician.)

(Figure, slide 25: the MPG with <emrgRec> on plane SP, alongside the MSCG.)

(Figure, slide 26: the resulting data structure: medicalFiles / emergencyRec / name, physician.)


Delete - Example

(Figure: the Report document tree with nodes Title, Data (Date, Temperature, Images), Water Resources, Concrete Location, Civil Area and Defense Sector; five nodes are classified P, four S and one TS, and one node is marked "?".)


Delete Operations

• Delete entire sub-tree under a deleted node
– Most widely used approach
– Problem: blind write

• Delete only the viewable nodes
– Problem: fragmentation of XML tree

• Reject the delete
– Problem: covert channel


Different Solution – Deleted Label

Basic Idea

• A unique domain "Del" for deleted nodes
• Change the security classification of the deleted node to (o, {do ∪ Del})
– Performed after the delete operation
• Change the security clearance of users, where s = (s, {ds}) > (o, {do}), to ( (s, {ds}), (o, {do ∪ Del}) )
– Can be preprocessed
• Use BLP axioms


Example - Top Secret View

(Figure: the Report tree with Title, Data (Date, Temperature, Images), Concrete Location and Defense Sector; the two deleted nodes now carry the label (S,{Del}), one node is TS and the remaining nodes are P.)

Subject clearances:

(TS, {}) → { (TS, {}), (S, {Del}), (P, {Del}) }
(S, {}) → { (S, {}), (P, {Del}) }
(P, {}) → { (P, {}) }
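Added example, not from the slides: a small model of the deleted-label idea of the last two slides, as I read it. A label is (level, set of domains), a subject reads a node when some label in its preprocessed clearance set dominates the node's label, and a delete only adds the reserved domain Del to the node's label, so subjects at the node's own level stop seeing the subtree while strictly higher subjects still do. The Report tree is constructed for illustration and is not the slide's data.

```python
from dataclasses import dataclass, field

LEVELS = {"P": 0, "S": 1, "TS": 2}   # ordering of the three levels used on the slides
DEL = "Del"                          # the unique domain reserved for deleted nodes

@dataclass(frozen=True)
class Label:
    level: str
    domains: frozenset = frozenset()

    def dominates(self, other):
        """BLP dominance: level at least as high and domain set a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.domains >= other.domains)

@dataclass
class Node:
    name: str
    label: Label
    children: list = field(default_factory=list)

def all_labels(node):
    labels = {node.label}
    for child in node.children:
        labels |= all_labels(child)
    return labels

def clearance(subject, object_labels):
    """Preprocessed clearance set (slide 30): the subject's own label plus
    (o, do ∪ {Del}) for every object label (o, do) it strictly dominates."""
    cleared = {subject}
    for lab in object_labels:
        base = Label(lab.level, lab.domains - {DEL})   # the label before any delete
        if subject.dominates(base) and subject != base:
            cleared.add(Label(base.level, base.domains | {DEL}))
    return cleared

def delete(node):
    """Delete = relabel to (o, do ∪ {Del}); the subtree stays, so nothing is
    blindly overwritten and the tree is not fragmented."""
    node.label = Label(node.label.level, node.label.domains | {DEL})

def view(node, cleared):
    """Pre-order names a subject sees; a node is reachable only through readable ancestors."""
    if not any(c.dominates(node.label) for c in cleared):
        return []
    names = [node.name]
    for child in node.children:
        names += view(child, cleared)
    return names

def build_report():
    """Constructed Report tree, loosely modelled on the Delete example (not its data)."""
    P, S, TS = Label("P"), Label("S"), Label("TS")
    return Node("Report", P, [
        Node("Title", P),
        Node("Data", P, [Node("Date", P), Node("Temperature", P)]),
        Node("Civil Area", S),
        Node("Concrete Location", S, [Node("Defense Sector", TS)]),
    ])

def views_after_delete():
    """A Secret subject deletes 'Concrete Location'; return each level's view."""
    report = build_report()
    delete(report.children[3])
    labels = all_labels(report)
    return {lvl: view(report, clearance(Label(lvl), labels)) for lvl in LEVELS}
```

The TS view still contains the deleted subtree (including the TS child that a blind delete would have destroyed), the S view no longer shows it, and the delete itself is accepted, so no covert channel is opened.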


Node Association - Example

DTD of Patient Health Record

(Figure: MedicalDb contains Patient*; each Patient has Name, SSN, Phone, Birthdate, Race, Allergies (Allergen*), DateDiagnosis, Physician, Prescription* and Comments. Two node associations are highlighted: {Patient: Phone, Name} and {Patient: Birthdate, Race, DateDiagnosis, Comments}.)


Layered Access Control

(Figure: the health-record tree annotated at two layers, with + and - marks on its nodes: node-level classification and object-association-level classification.)


Simple Security Object

(Figure: security object o containing nodes t1, t2, t3, t4.)

For a simple security object o: every node ti in o has the same classification as o.


Association Security Object

(Figure: association security object o containing nodes t1, t2, t3, t4.)

For an association security object o: every node ti in o is classified strictly below o.


Query Pattern

(Figure: query pattern tree //r with children d and a; a has children b and c; d and b both carry the value v1.)

FOR $x in //r
LET $y := $x/d, $z := $x/a
WHERE $z/b = $y
RETURN <answer> {$z/c} </answer>


Pattern Automata

• Pattern Automaton X = {Σ, Q, q0, Qf, δ}
– Σ = E ∪ A ∪ {pcdata, //}
– δ is a transition function
– Q = {q0, …, qn}
– Qf ⊆ Q, q0 ∉ Qf

• Valid transitions in δ are of the following form: σ(qi, …, qj) → qk, with σ ∈ Σ

• If δ does not contain a valid transition rule, the default new state is q0


Pattern Automata - Example

(Figure: association object a with children b and c, reached through //.)

Σ = {a, b, c, //}
Q = {q0, qa, qb, qc}
Qf = {qa}
δ = {
  b( ) → qb,
  c( ) → qc,
  a(qb, qc) → qa,
  *(qa) → qa }
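Added example, not from the slides: the pattern automaton of the last two slides run bottom-up over an XML element tree, so that an answer to the query pattern of slide 36 can be checked for the protected association before it is released. Rule matching by set containment of child states (extra children in q0 are ignored) and the two sample answers are my assumptions.

```python
import xml.etree.ElementTree as ET

Q0 = "q0"   # default state when no rule applies (slide 37)

class PatternAutomaton:
    """Bottom-up tree automaton over XML element trees.

    rules: list of (name, required_child_states, new_state). A rule fires on an
    element when its tag equals name (or name is "*") and every state in
    required_child_states was reached by at least one child. Children in other
    states are ignored; that choice is mine, so that //a[b][c] still matches an
    <a> that carries unrelated content.
    """

    def __init__(self, rules, final):
        self.rules = rules
        self.final = set(final)

    def run(self, elem):
        """State reached after reading elem's whole subtree, children first."""
        child_states = {self.run(child) for child in elem}
        for name, required, state in self.rules:
            if name in (elem.tag, "*") and required <= child_states:
                return state
        return Q0

    def accepts(self, root):
        return self.run(root) in self.final

# Slide 38: Σ = {a, b, c, //}, Q = {q0, qa, qb, qc}, Qf = {qa}. The "*" rule is
# listed first so an accepting state propagates up through any ancestor, which
# is what "//" (match at any depth) asks for.
ASSOCIATION_BC = PatternAutomaton(
    rules=[("*", frozenset({"qa"}), "qa"),          # *(qa)     -> qa
           ("b", frozenset(), "qb"),                 # b()       -> qb
           ("c", frozenset(), "qc"),                 # c()       -> qc
           ("a", frozenset({"qb", "qc"}), "qa")],    # a(qb, qc) -> qa
    final={"qa"},
)

def state_of(xml_text, automaton=ASSOCIATION_BC):
    return automaton.run(ET.fromstring(xml_text))

def reveals_association(xml_text, automaton=ASSOCIATION_BC):
    """True when the document contains the protected association: an <a> holding both b and c."""
    return state_of(xml_text, automaton) in automaton.final

# Constructed answers to the slide-36 query pattern (not from the slides).
LEAKING_ANSWER = "<r><d>v1</d><a><b>v1</b><c>classified</c></a></r>"
SAFE_ANSWER = "<r><d>v1</d><a><c>classified</c></a><x><b>v1</b></x></r>"
```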


SMIL

(Figure: the three SMIL composition operators applied to an AUDIO and a VIDEO clip; the idle track is marked SILENCE.)

• Sequential operator "seq": VIDEO after the END of AUDIO
• Parallel operator "par": VIDEO and AUDIO together
• Switch operator "switch": if condition A = TRUE, then only VIDEO; if condition B = TRUE, then only AUDIO


SMIL vs. XML

• In both, document = tree
• BUT XML has NO intended semantics; SMIL specifies runtime behavior
• QoS (timeliness and continuity) specified using synchronization constructs <par>, <seq>, <excl> and others
• No Security for SMIL

(Figure: tree of the example below: <smil> / <seq> / two <par> nodes holding Audio1 with Video1 and Audio2 with Video2.)

<smil>
  <seq>
    <par>
      <audio src="http://www.example.org/Audio1.rm"/>
      <video src="http://www.example.org/Video1.rm"/>
    </par>
    <par>
      <audio src="http://www.example.org/Audio2.rm"/>
      <video src="http://www.example.org/Video2.rm"/>
    </par>
  </seq>
</smil>


Object Identity in SMIL - I

(Figure: timeline t, t+7, t+14. Tree PAR( SEQ(V1, V2), SEQ(A1, A2) ): Video 1 and Audio 1 play together from t to t+7, Video 2 and Audio 2 from t+7 to t+14.)


Object Identity in SMIL - II

(Figure: timeline t, t+7, t+14. Tree PAR( SEQ(V1, A2), SEQ(A1, V2) ): Video 1 and Audio 1 play together from t to t+7, Audio 2 and Video 2 from t+7 to t+14; the same presentation as in I, produced by a different tree.)


Object Identity in SMIL - III

(Figure: timeline t, t+7, t+14. Tree SEQ( PAR(A1, V1), PAR(A2, V2) ): Audio 1 with Video 1 from t to t+7, Audio 2 with Video 2 from t+7 to t+14; a third tree for the same presentation.)


SMIL Normal Form

SMIL Normal Form (smilNF) is of the form

<seq>
  <par> C_1,1(s) C_1,2(s) C_1,3(s) .. C_1,n(s) </par>
  <par> ... </par>
  <par> C_m,1(s) C_m,2(s) C_m,3(s) .. C_m,n(s) </par>
</seq>

where the C_i,j are audio, video, image or text media intervals.


Normalization Algorithm

(Figure: Representation 1 is PAR( SEQ(A1, A2, A3), SEQ(B1, B2, B3), SEQ(C1, C2, C3), SEQ(D1, D2, D3) ). Representation 2 is the same media in smilNF: SEQ( PAR(A1, B1, C1, D1), PAR(A2, B2, C2, D2), PAR(A3, B3, C3, D3) ). A second normal form with uneven slots is also shown: SEQ( PAR(A1), PAR(B2, C2, D2), PAR(C3) ).)


Metadata in SMIL - RBAC Example

(Figure: three trees. Left, the SMIL normal form SEQ( PAR(A1, V1), PAR(A2, V2) ). Middle, the same normal form decorated with RBAC metadata: roles r1, r2 and r3 attached to the PAR nodes and media. Right, the permitted view for Role 1: SEQ( PAR(A1, V1), PAR(A2, (Empty)) ).)
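Added example, not from the slides: the normalization of the previous slide and the role-filtered view of this one, written over a small tuple representation of SMIL trees. It assumes, as the slide timelines do, that all media intervals have the same length; the role permissions and the use of SMIL's <ref> element for serialization are my choices.

```python
def normalize(node):
    """Rewrite a SMIL tree into smilNF: ("seq", [("par", [media, ...]), ...]).

    Trees are ("seq", children), ("par", children) or a media-name string.
    Assumes every media interval has the same length, so slot i of one
    sequence runs in parallel with slot i of another.
    """
    if isinstance(node, str):                        # a single media interval: one slot
        return ("seq", [("par", [node])])
    op, children = node
    slots = [normalize(child)[1] for child in children]   # each child as a list of pars
    if op == "seq":                                  # seq of normal forms: concatenate the slots
        pars = [par for child_slots in slots for par in child_slots]
    elif op == "par":                                # par of normal forms: merge slot i of each child
        width = max(len(child_slots) for child_slots in slots)
        pars = [("par", [m for child_slots in slots if i < len(child_slots)
                         for m in child_slots[i][1]]) for i in range(width)]
    else:
        raise ValueError(f"unknown SMIL operator {op!r}")
    return ("seq", pars)

def role_view(normal_form, allowed):
    """Keep, slot by slot, only the media the role may play; a slot with
    nothing left becomes (Empty) so later slots keep their timing."""
    return ("seq", [("par", [m for m in par[1] if m in allowed] or ["(Empty)"])
                    for par in normal_form[1]])

def to_smil(normal_form):
    """Serialize smilNF as markup; <ref> is SMIL's generic media element (my choice)."""
    pars = "".join(
        "<par>" + "".join(f'<ref src="{m}"/>' for m in par[1]) + "</par>"
        for par in normal_form[1])
    return f"<smil><seq>{pars}</seq></smil>"

# The tree of Object Identity in SMIL - I: two parallel sequences of equal-length clips.
SLIDE42 = ("par", [("seq", ["V1", "V2"]), ("seq", ["A1", "A2"])])
# Constructed permissions for one role, for illustration only.
ROLE1_ALLOWED = {"A1", "V1", "A2"}
```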


The Inference Problem

General Purpose Database:
Non-confidential data + Metadata → Undesired Inferences

Semantic Web:
Non-confidential data + Metadata (data and application semantics) + Computational Power + Connectivity → Undesired Inferences


Association Graph

• Association similarity measure
– Distance of each node from the association root
– Difference of the distance of the nodes from the association root
– Complexity of the sub-trees originating at nodes

• Example:

(Figure: XML document "Air show" with children address and fort, and its Association Graph over address and fort, labelled Public and Public, AC.)


Correlated Inference

Ontology ("x :: y" reads: x is a subconcept of y):

Object[].
waterSource :: Object
basin :: waterSource
place :: Object
district :: place
address :: place
base :: Object
fort :: base

(Figure: the Public associations {address, fort} and {district, basin} shown beside the Confidential association {Water source, base}, with a "?" between them.)

Concept Generalization: weighted concepts, concept abstraction level, range of allowed abstractions


Correlated Inference (cont.)

(Figure: the Public associations {address, fort} and {district, basin} generalized through the ontology above: address and district generalize to Place, fort to Base, basin to Water source, which yields the Confidential association {Water source, base}.)


Inference Removal

• Relational databases: limit access to data
• Web inferences
– Cannot redesign public data outside of the protection domain
– Cannot modify/refuse an answer to an already published web page
• Protection Options:
– Release misleading information
– Remove information
– Control access to metadata


Metadata Security

• No security model exists for metadata
• Can we use existing security models to protect metadata?
• RDF/S is the basic framework for the SW
• RDF/S supports simple inferences
• This is not true of XML: XML access control cannot be used to protect RDF/S data


RDF/S Entailment Rules

Example RDF/S entailment rules (http://www.w3.org/TR/rdf-mt/#rules):

• Rdfs2: (aaa, rdfs:domain, xxx) + (uuu, aaa, yyy) → (uuu, rdf:type, xxx)
• Rdfs3: (aaa, rdfs:range, xxx) + (uuu, aaa, vvv) → (vvv, rdf:type, xxx)
• Rdfs5: (uuu, rdfs:subPropertyOf, vvv) + (vvv, rdfs:subPropertyOf, xxx) → (uuu, rdfs:subPropertyOf, xxx)
• Rdfs11: (uuu, rdfs:subClassOf, vvv) + (vvv, rdfs:subClassOf, xxx) → (uuu, rdfs:subClassOf, xxx)


Example Graph Format

(Figure: RDF graph. Instance level: John studiesAt USC. Schema level: Student rdfs:subClassOf Person, University rdfs:subClassOf GovAgency, studiesAt rdfs:subPropertyOf memberAt. Legend: schema, instance, rdf:type, inferred rdf:type, rdfs:subClassOf, rdfs:subPropertyOf.)

RDF Triples:
Fact1: (Student, rdfs:subClassOf, Person)
Fact2: (University, rdfs:subClassOf, GovAgency)
Fact3: (studiesAt, rdfs:domain, Student)
Fact4: (studiesAt, rdfs:range, University)
Fact5: (studiesAt, rdfs:subPropertyOf, memberAt)
Fact6: (John, studiesAt, USC)

Example Graph Format (cont.)

Entailment on the example graph (the inferred rdf:type edges in the figure):

Rdfs2: Fact3 + Fact6 → Fact7 = (John, rdf:type, Student)
Rdfs3: Fact4 + Fact6 → Fact8 = (USC, rdf:type, University)
Rdfs9: Fact2 + Fact8 → Fact9 = (USC, rdf:type, GovAgency)


Secure RDF

Entailed data in RDF can cause illegal inferences:

• (John, studiesAt, USC) [S] + (studiesAt, rdfs:domain, University) [S] → (USC, rdf:type, University) [S]
• (USC, rdf:type, University) [S] + (University, rdfs:subClassOf, GovAgency) [S] → (USC, rdf:type, GovAgency) [TS]

A Secret user can infer TS information.

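Added example, not from the slides: a labelled forward-chaining closure over the example graph that reproduces the illegal inference above and detects it. Each entailed triple takes the least upper bound of its premises' levels, and check_leaks() reports entailed facts derivable below the level the policy assigns them, which is the "classification of entailed data" problem. The entailment of (USC, rdf:type, University) is done with rdfs:range, as the example graph declares it; the rule set and the policy dictionary are my construction.

```python
RDF_TYPE, SUBCLASS = "rdf:type", "rdfs:subClassOf"
DOMAIN, RANGE, SUBPROP = "rdfs:domain", "rdfs:range", "rdfs:subPropertyOf"
RANK = {"P": 0, "S": 1, "TS": 2}

def lub(a, b):
    """Least upper bound: an entailed triple is as sensitive as its most sensitive premise."""
    return a if RANK[a] >= RANK[b] else b

def entail(labelled):
    """Forward-chain rdfs2, rdfs3, rdfs9 and rdfs11 over {triple: level}.
    Returns every asserted or entailed triple with the lowest level at which it is derivable."""
    kb = dict(labelled)
    changed = True
    while changed:
        changed = False
        for (s, p, o), l1 in list(kb.items()):
            for (s2, p2, o2), l2 in list(kb.items()):
                if p == DOMAIN and p2 == s:                          # rdfs2: domain of s
                    new = (s2, RDF_TYPE, o)
                elif p == RANGE and p2 == s:                         # rdfs3: range of s
                    new = (o2, RDF_TYPE, o)
                elif p == SUBCLASS and p2 == RDF_TYPE and o2 == s:   # rdfs9: type up the hierarchy
                    new = (s2, RDF_TYPE, o)
                elif p == SUBCLASS and p2 == SUBCLASS and o2 == s:   # rdfs11: transitive subClassOf
                    new = (s2, SUBCLASS, o)
                else:
                    continue
                level = lub(l1, l2)
                if new not in kb or RANK[level] < RANK[kb[new]]:
                    kb[new] = level
                    changed = True
    return kb

def check_leaks(labelled, policy):
    """Facts derivable at a level below the level the policy assigns them."""
    derived = entail(labelled)
    return {t: (derived[t], lvl) for t, lvl in policy.items()
            if t in derived and RANK[derived[t]] < RANK[lvl]}

# The six triples of the example graph, every one labelled S as in the Secure RDF slide.
SLIDE_TRIPLES = {
    ("Student", SUBCLASS, "Person"): "S",
    ("University", SUBCLASS, "GovAgency"): "S",
    ("studiesAt", DOMAIN, "Student"): "S",
    ("studiesAt", RANGE, "University"): "S",
    ("studiesAt", SUBPROP, "memberAt"): "S",
    ("John", "studiesAt", "USC"): "S",
}
# Explicit classification of the entailed fact, TS as on the Secure RDF slide.
POLICY = {("USC", RDF_TYPE, "GovAgency"): "TS"}

if __name__ == "__main__":
    for triple, (derived, required) in check_leaks(SLIDE_TRIPLES, POLICY).items():
        print(f"leak: {triple} derivable at {derived}, classified {required}")
```

Raising the label of one premise, for instance (University, rdfs:subClassOf, GovAgency), to TS makes the entailed fact TS as well and the leak disappears.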

RDF Access Control

• Security Policy
– Subject
– Object
– Object pattern
– Access Mode
• Default policy
• Conflict Resolution
• Classification of entailed data
• Flexible granularity


Prototype Systems

• XML Access Control
– Secure Views
– Association-level access control
– MLS/XML Delete
• Ontology Guided XML Inferences
• RDF Access Control
• Future Work
– Next versions
– OWL access control
– Application-level security


Secure XML Updates

(Figure: architecture of the Secure XML Updates prototype. Components: MACParser.java, MACModel.java, NodeSecurityManager.java, UserManagement.java, NativeElementIndex.java, XMLUtil.java and PathSatisfaction.java; inputs are a file path (FilepathAbsouteTable) and a UserName; the output is the Result.)


Secure XML Updates - Example


RDF Access Control Example
