XML access control using static analysis

Published: 01 August 2006

Abstract

Access control policies for XML typically use regular path expressions such as XPath to specify the objects they protect. However, such access-control policies burden the query engines for XML documents. To relieve this burden, we introduce static analysis for XML access-control. Given an access-control policy, a query expression, and an optional schema, static analysis determines if this query expression is guaranteed not to access elements or attributes that are hidden by the access-control policy but permitted by the schema. Static analysis can be performed without evaluating any query expression against actual XML documents. Run-time checking is required only when static analysis is unable to determine whether to grant or deny access requests. A side effect of static analysis is query optimization: access-denied expressions in queries can be evaluated to empty lists at compile time. We further extend static analysis for handling value-based access-control policies and introduce view schemas.
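The three outcomes the abstract describes (grant, deny, fall back to a run-time check) can be seen in a small added example; it is not the paper's algorithm, and it replaces the general analysis with plain enumeration of schema-permitted paths. The schema, the policy, the deny-overrides rule and every function name are assumptions constructed for illustration, and the schema must be non-recursive.

```python
import re

# Constructed schema (element -> allowed children); assumed non-recursive.
SCHEMA = {"record": ["patient", "diagnosis"],
          "patient": ["name", "comment"],
          "diagnosis": ["pathology", "comment"]}
ROOT = "record"
# Constructed policy: '+' grants, '-' denies; a denial overrides a grant (assumption).
POLICY = [("+", "//*"), ("-", "/record/diagnosis//*"), ("-", "//comment")]

def schema_paths(schema, root):
    """Enumerate every root-to-element path the schema permits."""
    paths, stack = set(), [(root,)]
    while stack:
        p = stack.pop()
        paths.add("/" + "/".join(p))
        stack.extend(p + (c,) for c in schema.get(p[-1], []))
    return paths

def to_regex(xpath):
    """Compile an XPath subset ('/', '//', '*', element names) to a regex over paths."""
    out = ""
    for axis, name in re.findall(r"(//|/)([^/]+)", xpath):
        if axis == "//":
            out += r"(?:/[^/]+)*"          # any number of intermediate elements
        out += "/" + (r"[^/]+" if name == "*" else re.escape(name))
    return re.compile(out)

def select(xpath, paths):
    """Schema paths that the expression can reach."""
    rx = to_regex(xpath)
    return {p for p in paths if rx.fullmatch(p)}

def analyze(query, policy=POLICY, schema=SCHEMA, root=ROOT):
    """Classify a query without touching any XML document."""
    paths = schema_paths(schema, root)
    granted = set().union(*(select(x, paths) for s, x in policy if s == "+"))
    denied = set().union(*(select(x, paths) for s, x in policy if s == "-"))
    accessible = granted - denied
    hit = select(query, paths)
    if not hit & accessible:
        return "deny"            # can be replaced by an empty list at compile time
    if hit <= accessible:
        return "grant"           # no run-time check needed
    return "runtime-check"       # some reachable nodes are hidden, some are not

if __name__ == "__main__":
    for q in ["/record/patient/name", "//comment", "/record/patient/*"]:
        print(q, "->", analyze(q))
```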
