Introduction to Web Security

Web Data and Application
Security Policies
Naren Kodali
Simple Security Object

Figure: an object o with sub-objects t1, t2, t3, t4 and the constraint
  ∀ ti : (ti) = (o)
i.e. every part of a simple security object carries the same security level as the object itself.
Association Security Object

Figure: an object o with sub-objects t1, t2, t3, t4 and the constraint
  ∀ ti : (ti) < (o)
i.e. each part on its own is classified strictly below the object; it is the association of the parts that is sensitive.
Query Pattern

An XQuery (FLWOR expression) whose pattern is to be matched against the document tree (the slide lists the RETURN clause before WHERE; the clauses are given here in valid FLWOR order, with the XQuery comparison operator = in place of ==):

  FOR $x IN //r
  LET $y := $x/d, $z := $x/a
  WHERE $z/b = $y
  RETURN <answer> {$z/c} </answer>

Figure: the query pattern as a tree: a descendant step // above r; r has the children d (with value v1) and a; a has the children b and c (with value v1). The WHERE clause requires the value under a/b to equal the value of d.
Pattern Automata

• A pattern automaton is X = { S, Q, q0, Qf, d }
  – S = E ∪ A ∪ { pcdata, // }
  – d is a transition function
  – Q = { q0, …, qn }
  – Qf ⊆ Q, and q0 ∉ Qf
• Valid transitions in d are of the following form:
    s(qi, …, qj) → qk
  i.e. a node labelled s whose children are in states qi, …, qj moves to state qk.
• If d does not contain an applicable transition rule, the default new state is q0.
Pattern Automata - Example

S  = { a, b, c, // }
Q  = { q0, qa, qb, qc }
Qf = { qa }
d  = { b( )       → qb,
       c( )       → qc,
       a(qb, qc)  → qa,
       *(qa)      → qa }

Figure: the association object being matched, a // step above an a element whose children are b and c. The leaves b and c move to qb and qc, their parent a moves to the accepting state qa, and any node (*) with a child in qa stays in qa, which is how the descendant axis // is realised.
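The bottom-up run of the example automaton, written out as an added Python example (this is not code from the slides). It uses the slide's alphabet, states, accepting set and transition table; the only assumptions are the ones noted in the comments: a rule fires when the node's children supply at least the required states, the first fitting rule wins, text content (pcdata) is ignored, and an unmatched node defaults to q0 as the slide says.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Pattern automaton from the slide: S = {a, b, c, //}, Q = {q0, qa, qb, qc}, Qf = {qa}.
# A rule is (label, required child states, target state); "*" matches any label.
# Assumption (not stated on the slide): a rule fires when the node's children supply
# at least the required states, extra children (e.g. ones left in q0) are ignored,
# and the first rule in the list that fits wins. Text content (pcdata) is ignored.
RULES = [
    ("b", (), "qb"),
    ("c", (), "qc"),
    ("a", ("qb", "qc"), "qa"),
    ("*", ("qa",), "qa"),  # a match below keeps every ancestor accepting: the // step
]
Q0 = "q0"
QF = {"qa"}


def step(label, child_states, rules=RULES):
    """Transition function d: the state of a node from its label and its children's states."""
    have = Counter(child_states)
    for rule_label, need, target in rules:
        if rule_label not in ("*", label):
            continue
        if all(have[s] >= n for s, n in Counter(need).items()):
            return target
    return Q0  # no applicable rule: default state q0


def run(elem, states, rules=RULES):
    """Bottom-up run over an ElementTree node; records every node's state in `states`."""
    child_states = [run(child, states, rules) for child in elem]
    states[elem] = step(elem.tag, child_states, rules)
    return states[elem]


def match(xml_text, rules=RULES, accepting=QF):
    """Return (state of the root, paths of all nodes that reached an accepting state)."""
    root = ET.fromstring(xml_text)
    states = {}
    run(root, states, rules)
    hits = []

    def walk(elem, path):
        path = f"{path}/{elem.tag}"
        if states[elem] in accepting:
            hits.append(path)
        for child in elem:
            walk(child, path)

    walk(root, "")
    return states[root], hits


# Constructed sample documents: in DOC the first <a> matches the pattern (it has both
# a b and a c child) and the second does not; NO_MATCH contains no matching a.
DOC = "<r><d>v1</d><a><b>v1</b><c>x</c></a><a><b>v2</b></a></r>"
NO_MATCH = "<r><a><b>v1</b></a></r>"

if __name__ == "__main__":
    print(match(DOC))       # ('qa', ['/r', '/r/a'])
    print(match(NO_MATCH))  # ('q0', [])
```

The root of DOC ends in qa because the `*(qa) → qa` rule propagates the match upwards, which is exactly what makes the pattern a `//` (descendant) pattern rather than one anchored at the root; on NO_MATCH every node is left in the default state q0.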
Semantic Web

Figure: the Semantic Web layer diagram (from T.B. Lee).
SMIL

Figure: the three SMIL synchronization operators, drawn as timelines over AUDIO and VIDEO objects:

• Sequential operator "SEQ": AUDIO then VIDEO; VIDEO starts after the END of AUDIO.
• Parallel operator "PAR": VIDEO and AUDIO play together.
• Switch operator "switch": if condition A = TRUE, then only VIDEO plays (AUDIO is SILENCE); if condition B = TRUE, then only AUDIO plays (VIDEO is SILENCE).
SMIL vs. XML

• In both, document = tree
• BUT: XML has NO intended semantics, whereas SMIL specifies runtime behaviour
• QoS (timeliness and continuity) is specified using the synchronization constructs <par>, <seq>, <excl> and others
• No security for SMIL

Example SMIL document (drawn on the slide beside its tree: seq → par(Audio1, Video1), par(Audio2, Video2)):

<smil>
  <seq>
    <par>
      <audio src="http://www.example.org/Audio1.rm"/>
      <video src="http://www.example.org/Video1.rm"/>
    </par>
    <par>
      <audio src="http://www.example.org/Audio2.rm"/>
      <video src="http://www.example.org/Video2.rm"/>
    </par>
  </seq>
</smil>
Object Identity in SMIL - I, II, III

Figure (three slides): the same presentation, drawn as a timeline with Audio 1 and Video 1 playing from t to t+7 and Audio 2 and Video 2 from t+7 to t+14, is written as several different SEQ/PAR trees over the intervals A1, A2, V1, V2: a PAR of two SEQs (the audio track and the video track), a SEQ of two PARs (the first segment and the second segment), and mixed nestings that pair intervals across the tracks. All of them describe the same runtime behaviour, so the position of a media object in the SMIL tree does not identify it; security metadata therefore has to be attached to the media intervals themselves rather than to tree nodes.
SMIL Normal Form

SMIL Normal Form (smilNF) is of the form

<seq>
  <par> C_1,1(s) C_1,2(s) C_1,3(s) .. C_1,n(s) </par>
  <par> ……………………..……………… </par>
  <par> C_m,1(s) C_m,2(s) C_m,3(s) .. C_m,n(s) </par>
</seq>

where the C_i,j are audio, video, image or text media intervals.
Normalization Algorithm

Figure: four media streams A, B, C, D, each cut into three intervals (A1 A2 A3, B1 B2 B3, C1 C2 C3, D1 D2 D3) over the time slots 1, 2, 3. Representation 1 is a SEQ of three PARs, one per slot: <PAR> A1 B1 C1 D1, <PAR> A2 B2 C2 D2, <PAR> A3 B3 C3 D3. Representation 2 nests SEQ and PAR differently over the same intervals. Both play identically; the normalization algorithm rewrites any such tree into Representation 1, the SMIL normal form.
Metadata in SMIL - RBAC Example

Figure: left, a SMIL normal form, a <SEQ> of <PAR> groups over the media intervals A1, V1, A2, V2; middle, the same normal form decorated with RBAC metadata, role labels (r1), (r2), (r3) attached to <PAR> groups and to individual intervals (e.g. (r3)V1, (r1)A2, (r2)V2); right, the permitted view for Role 1, in which the intervals Role 1 may not see are replaced by (Empty) so that the timing of the remaining intervals is preserved.
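The normalization and the role-filtered view described on the last few slides, as an added Python example (not code from the slides). It assumes the usual SMIL timing of seq and par (children back to back, respectively all started together), a constructed presentation whose role sets stand in for the RBAC metadata, and the slide's "(Empty)" placeholder for filtered intervals. The caption stream T is added so that an interval crossing a boundary is visibly split into C_i,j pieces.

```python
# Constructed presentation following the slides' timeline: audio track A1 then A2,
# video track V1 then V2 (7 s each), plus a 10 s text caption T that straddles the
# t+7 boundary. The role sets are constructed RBAC metadata (which roles may see it).
LEAF_KINDS = ("audio", "video", "image", "text")

PRESENTATION = ("par",
    ("seq", ("audio", "A1", 7, {"r1", "r2"}), ("audio", "A2", 7, {"r1"})),
    ("seq", ("video", "V1", 7, {"r3"}),       ("video", "V2", 7, {"r2"})),
    ("text", "T", 10, {"r1"}),
)


def schedule(node, start=0.0):
    """Assign absolute play intervals to every media leaf.
    Assumed SMIL timing: <seq> plays its children back to back, <par> starts all
    children together and lasts as long as its longest child. Returns
    (end_time, intervals) where each interval is (name, begin, end, roles)."""
    kind = node[0]
    if kind in LEAF_KINDS:
        _, name, duration, roles = node
        return start + duration, [(name, start, start + duration, frozenset(roles))]
    intervals, cursor, ends = [], start, [start]
    for child in node[1:]:
        child_start = cursor if kind == "seq" else start
        end, sub = schedule(child, child_start)
        intervals += sub
        ends.append(end)
        if kind == "seq":
            cursor = end
    return (cursor if kind == "seq" else max(ends)), intervals


def normal_form(node):
    """smilNF: cut every stream at every start/end boundary of any stream, so the
    presentation becomes a <seq> of <par> slots, each holding the pieces C_i,j that
    play during that slot. Returns a list of slots; a slot is a list of
    (name, begin, end, roles)."""
    _, intervals = schedule(node)
    cuts = sorted({t for _, b, e, _ in intervals for t in (b, e)})
    slots = []
    for lo, hi in zip(cuts, cuts[1:]):
        par = [(name, lo, hi, roles) for name, b, e, roles in intervals if b <= lo and e >= hi]
        if par:
            slots.append(par)
    return slots


def permitted_view(node, role):
    """Filter the normal form by the RBAC metadata: a piece the role may not see is
    replaced by the slide's "(Empty)" placeholder so the timing of the rest is unchanged."""
    return [[name if role in roles else "(Empty)" for name, _, _, roles in par]
            for par in normal_form(node)]


def render(view):
    """Write a filtered normal form back as SMIL-style markup."""
    body = "".join(f"  <par> {' '.join(par)} </par>\n" for par in view)
    return f"<seq>\n{body}</seq>"


if __name__ == "__main__":
    for role in ("r1", "r2", "r3"):
        print(f"-- permitted view for {role}\n{render(permitted_view(PRESENTATION, role))}")
```

Because every stream is cut at every boundary, the caption T becomes two pieces (one per slot it overlaps) and the two 7-second segments become the slide's SEQ of PARs; the role filter then works interval by interval, which is the granularity the decorated normal form on the slide provides.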
The Inference Problem

General purpose database:
  Non-confidential data + Metadata → Undesired inferences

Semantic Web:
  Non-confidential data + Metadata (data and application semantics) + Computational power + Connectivity → Undesired inferences
Association Graph

Association similarity measure:
• Distance of each node from the association root
• Difference of the distances of the nodes from the association root
• Complexity of the sub-trees originating at the nodes

Example (figure): an XML document about an "Air show" and its association graph, in which the nodes fort and address are each labelled Public on their own, while the association of the two carries the label "Public, AC".
Correlated Inference

Concept generalization: weighted concepts, concept abstraction level, range of allowed abstractions.

Concept hierarchy used in the example (sub-concept :: super-concept):

  Object[]
  waterSource :: Object
  basin :: waterSource
  place :: Object
  district :: place
  address :: place
  base :: Object
  fort :: base

Figure (two slides): two public releases, (fort, address) and (basin, district), and one confidential association (base, water source). Generalizing the public concepts up the hierarchy within the allowed range (fort → base, address → place, district → place, basin → water source) maps the public releases onto base, place and water source, so the confidential association (base, water source) can be inferred by correlating the two public releases.
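The correlation check from the two slides above, as an added Python example (not code from the slides). It uses the slide's concept hierarchy and its public and confidential associations; a plain abstraction-level bound stands in for the slide's weighted concepts, and the `safe_to_release` check is an added defender-side use of the same test.

```python
# Concept hierarchy from the slide (sub-concept -> super-concept); Object is the root.
PARENT = {
    "waterSource": "Object", "basin": "waterSource",
    "place": "Object", "district": "place", "address": "place",
    "base": "Object", "fort": "base",
}
ROOT = "Object"


def abstractions(concept):
    """Generalizations of a concept with their abstraction level: level 0 is the concept
    itself, level 1 its parent, and so on. The root Object is excluded, since it is too
    general to carry information."""
    out, level = [], 0
    while concept != ROOT:
        out.append((concept, level))
        concept, level = PARENT[concept], level + 1
    return out


def infer_confidential(public_releases, confidential, max_level):
    """Correlated inference check. public_releases: list of sets of concepts that are
    public; confidential: set of concepts forming a protected association; max_level:
    the allowed range of abstraction (assumption: a level bound stands in for the
    slide's weighted concepts). Returns {confidential concept: (public concept, level)}
    if every confidential concept is reached by generalizing some public concept within
    max_level steps (using the least abstraction that works), else None."""
    released = set().union(*public_releases) if public_releases else set()
    witness = {}
    for target in sorted(confidential):
        best = None
        for concept in sorted(released):
            for general, level in abstractions(concept):
                if general == target and level <= max_level and (best is None or level < best[1]):
                    best = (concept, level)
        if best is None:
            return None
        witness[target] = best
    return witness


def safe_to_release(new_release, already_public, confidential, max_level):
    """Defender's check before publishing: True if adding new_release to the public data
    still does not let the confidential association be inferred by correlation."""
    return infer_confidential(already_public + [new_release], confidential, max_level) is None


# Constructed scenario from the slide's figure: two public releases, one confidential pair.
PUBLIC_1 = {"fort", "address"}
PUBLIC_2 = {"basin", "district"}
CONFIDENTIAL = {"base", "waterSource"}

if __name__ == "__main__":
    print(infer_confidential([PUBLIC_1], CONFIDENTIAL, 1))            # None: no water source
    print(infer_confidential([PUBLIC_1, PUBLIC_2], CONFIDENTIAL, 1))  # fort->base, basin->waterSource
    print(safe_to_release(PUBLIC_2, [PUBLIC_1], CONFIDENTIAL, 1))     # False
    print(safe_to_release(PUBLIC_2, [PUBLIC_1], CONFIDENTIAL, 0))     # True: no abstraction allowed
```

Neither release is a problem on its own; the inference appears only when the two are correlated and one level of abstraction is permitted, which is why the check has to be run against everything already public, not just the item being released.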
Inference Removal

• Relational databases: limit access to data
• Web inferences:
  – Cannot redesign public data outside of the protection domain
  – Cannot modify or refuse an answer to an already published web page
• Protection options:
  – Release misleading information
  – Remove information
  – Control access to metadata
Web Metadata

Resource Description Framework (RDF)

• Represents information about resources in the World Wide Web
• Intended for machine processing
• Provides a common framework → applications can share data
• Identifies things using Web identifiers (URIs)
• Describes resources in terms of simple properties and property values
• RDF statement: (subject, property, object)
RDF Graph

Figure: an RDF graph describing
• individuals
• kinds of things
• properties of those things
• values of those properties

From: RDF Primer, http://www.w3.org/RDF/
XML syntax for RDF

RDF/XML sample:

<?xml version="1.0"?>
<rdf:RDF
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:contact="http://www.w3.org/2000/10/swap/pim/contact#">
  <contact:Person rdf:about="http://www.w3.org/People/EM/contact#me">
    <contact:fullName>Eric Miller</contact:fullName>
    <contact:mailbox rdf:resource="mailto:[email protected]"/>
    <contact:personalTitle>Dr.</contact:personalTitle>
  </contact:Person>
</rdf:RDF>

From: RDF Primer, http://www.w3.org/RDF/
RDF Entailment

• The "meaning" of an RDF graph depends on many factors
  – e.g., conventions within a user community, comments in natural language, links to other content-bearing documents, etc.
  – Some can be processed by machines, some cannot
• RDF formal semantics: the "conclusions" that machines can derive from an RDF graph
  – Model theory
  – An RDF graph can be transformed into a logical expression with the same meaning
RDF Schema

• Express classes and their subclasses
• Define properties and associate them with classes
• Facilitate inferencing

Figure: Student –Studies-at→ University; Grad. student –ISA→ Student.
Ontology

An ontology is, depending on the view taken:
• an explicit specification of a conceptualization
• a philosophical discipline
• a formal semantics
• an informal conceptual model
• the vocabulary used by a logical theory
• etc.

Languages: RDF/S, DAML + OIL, OWL, etc.

Ontology Manipulation

• Processing
• Integration
• Federation
• Access control
Metadata Security

• No security model exists for metadata
• Can we use existing security models to protect metadata?
• RDF/S is the basic framework for the Semantic Web
• RDF/S supports simple inferences
• This is not true of XML: XML access control cannot be used to protect RDF/S data
RDF/S Entailment Rules

Example RDF/S entailment rules (http://www.w3.org/TR/rdfmt/#rules):

• Rdfs2: (aaa, rdfs:domain, xxx) + (uuu, aaa, yyy) → (uuu, rdf:type, xxx)
• Rdfs3: (aaa, rdfs:range, xxx) + (uuu, aaa, vvv) → (vvv, rdf:type, xxx)
• Rdfs5: (uuu, rdfs:subPropertyOf, vvv) + (vvv, rdfs:subPropertyOf, xxx) → (uuu, rdfs:subPropertyOf, xxx)
• Rdfs11: (uuu, rdfs:subClassOf, vvv) + (vvv, rdfs:subClassOf, xxx) → (uuu, rdfs:subClassOf, xxx)
Example Graph Format

RDF triples (numbered in the order listed, as the derivations below refer to them):
  Fact1: (Student, rdfs:subClassOf, Person)
  Fact2: (University, rdfs:subClassOf, GovAgency)
  Fact3: (studiesAt, rdfs:domain, Student)
  Fact4: (studiesAt, rdfs:range, University)
  Fact5: (studiesAt, rdfs:subPropertyOf, memberAt)
  Fact6: (John, studiesAt, USC)

Figure (four slides): the schema part of the graph (Person, Student, GovAgency, University, memberAt, studiesAt, joined by rdfs:subClassOf and rdfs:subPropertyOf edges) above the instance part (John –studiesAt→ USC). Legend: rdfs:subClassOf, rdfs:subPropertyOf, rdf:type, inferred rdf:type.

The successive slides add the entailed rdf:type edges one rule at a time:
  Rdfs2: Fact3 + Fact6 → Fact7 = (John, rdf:type, Student)
  Rdfs3: Fact4 + Fact6 → Fact8 = (USC, rdf:type, University)
  Rdfs9: Fact2 + Fact8 → Fact9 = (USC, rdf:type, GovAgency)
Secure RDF

Entailed data in RDF can cause illegal inferences ([S] = Secret, [TS] = Top Secret):

  (John, studiesAt, USC) [S] + (studiesAt, rdfs:domain, University) [S]
    → (USC, rdf:type, University) [S]

  (USC, rdf:type, University) [S] + (University, rdfs:subClassOf, GovAgency) [S]
    → (USC, rdf:type, GovAgency) [TS]

A Secret user can infer TS information.
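The entailment chain on the preceding slides, run by a labelled forward chainer, as an added Python example (not code from the slides). It implements the five RDFS rules the slides quote (rdfs2, rdfs3, rdfs5, rdfs9, rdfs11) over the example graph, assigns every derived triple the label of its most sensitive premise, and reports the situation the Secure RDF slide describes: a stored triple whose label is higher than the label at which the rules derive it. The lattice U < S < TS and the fact-to-label assignment are constructed for the example.

```python
RDF_TYPE = "rdf:type"
SUBCLASS = "rdfs:subClassOf"
SUBPROP = "rdfs:subPropertyOf"
DOMAIN = "rdfs:domain"
RANGE = "rdfs:range"

# Classification lattice for the labels used on the slide (S = Secret, TS = Top Secret);
# "U" (unclassified) is an added bottom level.
LEVEL = {"U": 0, "S": 1, "TS": 2}


def rdfs_step(triples):
    """One pass of the RDFS rules quoted on the slides (rdfs2, rdfs3, rdfs5, rdfs9, rdfs11).
    Returns a list of (derived_triple, rule_name, premises)."""
    out = []
    for (s, p, o) in triples:
        for (s2, p2, o2) in triples:
            prem = ((s, p, o), (s2, p2, o2))
            if p == DOMAIN and p2 == s:                         # rdfs2
                out.append(((s2, RDF_TYPE, o), "rdfs2", prem))
            if p == RANGE and p2 == s:                          # rdfs3
                out.append(((o2, RDF_TYPE, o), "rdfs3", prem))
            if p == SUBPROP and p2 == SUBPROP and o == s2:      # rdfs5
                out.append(((s, SUBPROP, o2), "rdfs5", prem))
            if p == SUBCLASS and p2 == RDF_TYPE and o2 == s:    # rdfs9
                out.append(((s2, RDF_TYPE, o), "rdfs9", prem))
            if p == SUBCLASS and p2 == SUBCLASS and o == s2:    # rdfs11
                out.append(((s, SUBCLASS, o2), "rdfs11", prem))
    return out


def labelled_closure(facts):
    """facts: {triple: label}. Forward-chain to the fixpoint, giving every triple the LOWEST
    label at which it can be derived (a derivation is as sensitive as its most sensitive
    premise). Returns (labels, provenance)."""
    labels = dict(facts)
    prov = {t: ("given", ()) for t in facts}
    changed = True
    while changed:
        changed = False
        for triple, rule, prem in rdfs_step(list(labels)):
            label = max((labels[p] for p in prem), key=LEVEL.get)
            if triple not in labels or LEVEL[label] < LEVEL[labels[triple]]:
                labels[triple] = label
                prov[triple] = (rule, prem)
                changed = True
    return labels, prov


def inference_channels(facts):
    """Flag every given triple whose stored label is higher than the label at which the
    RDFS rules derive it: a user cleared only for the lower label can infer it anyway."""
    labels, prov = labelled_closure(facts)
    return [(t, facts[t], labels[t], prov[t][0])
            for t in facts if LEVEL[labels[t]] < LEVEL[facts[t]]]


# The slide's graph (Fact1..Fact6), all Secret, plus the Top Secret fact the slide shows
# being reached by entailment from Secret data.
FACTS = {
    ("Student", SUBCLASS, "Person"): "S",
    ("University", SUBCLASS, "GovAgency"): "S",
    ("studiesAt", DOMAIN, "Student"): "S",
    ("studiesAt", RANGE, "University"): "S",
    ("studiesAt", SUBPROP, "memberAt"): "S",
    ("John", "studiesAt", "USC"): "S",
    ("USC", RDF_TYPE, "GovAgency"): "TS",
}

if __name__ == "__main__":
    labels, prov = labelled_closure(FACTS)
    for triple in labels:
        print(labels[triple], triple, prov[triple][0])
    print("channels:", inference_channels(FACTS))
```

The closure derives (USC, rdf:type, University) at S by rdfs3 and then (USC, rdf:type, GovAgency) at S by rdfs9, so the TS label on the stored triple is not enforceable; this is the "classification of entailed data" item in the access-control requirements that follow, made checkable: either one of the premises must be raised to TS or the derived fact cannot be considered protected.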
RDF Access Control

• Security policy
  – Subject
  – Object: an object pattern
  – Access mode
• Default policy
• Conflict resolution
• Classification of entailed data
• Flexible granularity
Secure XML Updates

Figure: architecture of the secure XML update prototype, with the components PathSatisfaction.java, MACParser.java, MACModel.java, NodeSecurityManager.java, NativeElementIndex.java, XMLUtil.java and UserManagement.java, a FilepathAbsoute Table, and a UserName input feeding a Result.

Secure XML Updates - Example

Figure: example (not reproduced).

RDF Access Control Example

Figure: example (not reproduced).
Policy-Based
Dissemination of Partial Web-Ontologies
George Mason University
Reused with the permission of D. Wijesekera
Outline

• Introduction
  – The problem of improper disclosure
• Overview of our approach
  – Modeling RDF graphs as trees
  – Protection cases
• Formal model
• Semantics and results
Semantic web: the problem domain

• Objects on the world wide web (WWW) are `described' by web-ontologies
• Meta-information or ontologies help in the automatic discovery of `related' web-objects (URIs)
• Ontologies are concepts (or classes) related through properties (or binary relations), with individuals belonging to a concept or a property
E.g.: A simple web-ontology

Figure: a weapons taxonomy. Weapons has the sub-concepts Special Weapons and Conventional Weapons; Special Weapons is related to Nuclear Warhead and Delivery System, Conventional Weapons to Rocket Launcher and Machine Gun, with Size, Rounds and Trigger Mechanism as further leaf concepts. The edges are binary relationships.
The problem of improper disclosure

• Ontologies may contain sensitive information
  – Disclosing the complete ontology is insecure
• Usual access control techniques can regulate access either to concepts or to complete ontologies
• Preserving relationships between concepts while regulating access to concepts is an unsolved problem
Example scenario

Figure: the weapons taxonomy with the Special Weapons part (Nuclear Warhead, Delivery System) marked as the sensitive portion, while the requester asks for the whole Weapons ontology.

Requirement: removal of the sensitive portions while preserving the other relationships. The second figure shows the intended answer: Weapons with only the Conventional Weapons branch (Rocket Launcher with Size, Machine Gun with Rounds).
RDF Preliminaries

• Vocabulary: a set of URIs forms the vocabulary
  – Each URI is an instance of an RDF Class or a Property
• Axioms: triples <S,P,O> form sentences, where S, P and O are constants in the vocabulary and P is a property
• RDF Graph: a set of triples is also called an RDF graph
• Extension: a mapping relates each class or property to its extension
• Semantics: the interpretation is a mapping of resources to their extensions
Overview: Graphs to Trees

• We model RDF syntactic and semantic elements as syntactic elements
• Each triple is encoded as a set using von Neumann's standard set encoding:
  – <A,B> is {A, {A,B}}
  – <A,B,C> is {A, {A, <B,C>}} or {A, {A, {B, {B,C}}}}
• No self-references or cycles are allowed
• Consequently, a graph is reduced to a tree
Overview: Protection cases

We enable two use cases:
1. Disclosure control over parts of ontologies
   – Based on the attributes of a requester, only parts of an ontology are accessible
2. Content obfuscation in an ontology
   – Based on the attributes of a requester, only the ontological structure is made available, but not the names of sensitive concepts and properties
Use-case 1 (a): Remove subtree

Figure: Weapons → Conventional Weapons → Rocket Launcher (Size), Machine Gun (Rounds); the annotation "Remove subtree beyond this concept" marks the point below which everything is cut off, so the Special Weapons part no longer appears.

Use-case 1 (b): Remove branch

Figure: the branch identified by the pair Conv. Weapon – M. Gun is marked "Remove branch"; the rest of the tree (Weapons … Conventional Weapons … Rocket Launcher, Size, Machine Gun, Rounds) is drawn with ellipses for the omitted parts.

Use-case 1 (c): Extract subtree

Figure: "Extract subtree below this edge": only Rocket Launcher, Size and Rounds are returned.

Use-case 2 (a): Node hiding

Figure: the full taxonomy, but the Nuclear Warhead concept is shown as "No Name" (concept hidden); its position and edges remain.

Use-case 2 (b): Node modification

Figure: the full taxonomy, but the Nuclear Warhead concept is relabelled "Obsolete" (modified).
Formal model

• We use constraint logic programming (CLP) with set constraints to write dissemination control policies
• Terms: a set of arbitrary constants with two function symbols {· | ·} and nil
• Constraint domain: a set-constraint domain that interprets =, ≠ and the set predicates
• The constraint domain ensures axioms like permutativity, absorption, etc., which are essential for modelling unordered sets of triples
Formal Model

• Predicates are of six types:
  – Semantic relationships (SR) for expressing ontological axioms
  – Tree construction predicates (TP) for constructing trees from the basic axioms
  – Excision predicates (EP) for computing partial ontologies on the fly
  – Modification predicates (MP) for computing cover stories
  – Special predicates (SP)
  – User defined predicates (UP)

• The TP predicate OTree constructs an ontology tree, while RDFInst combines an ontology with its interpretation
• The EP predicates subtree, remSubtree and remBranch implement the excision operations
• The MP predicates hideConcept and modifyConcept implement the content obfuscation operations
• Dissemination Control Policies (DCP): sets of stratified rules with the following strata:
  – Stratum 0: definitions of all SR predicates
  – Stratum 1: definitions of the system-defined predicates TP, EP and MP
  – Stratum 3: definitions of the special predicates (SP)
Policies

• Subtree protection: a DCP that uses only the remSubtree predicate from the EP predicates
• Branch protection: a DCP that uses only the remBranch predicate
• Subtree extraction: a DCP that uses the subtree predicate
• Similarly, node hiding and node modification DCPs use the corresponding MP predicates
• Hybrid policies can use any combination of EP and MP predicates
Example policy: Subtree protection

An attribute-based control policy for protecting sensitive web-pages is written as

  allow(x, Y, nil) ← Suspicious(Y)                                                (1)

i.e., do not disclose any information to requesters who satisfy the predicate Suspicious;

  allow(x, Y, C) ← SecretClearance(Y), OTree(x, A), remSubtree(A, `Agent', C)      (2)

i.e., if requester Y has secret clearance, then the ontology rooted at x can be disclosed after the web-pages with `Agent'-related information have been removed.
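The EP and MP operations and the two-rule policy above, as an added Python example (not code from the paper or its CLP implementation). The ontology tree is a constructed version of the weapons taxonomy whose exact edges are an assumption, `Special Weapons` stands in for the slide's `Agent' concept, the removal semantics of remSubtree and remBranch are assumptions noted in the docstrings, and a third rule for requesters with neither attribute is added to show an MP predicate in a policy.

```python
# Constructed ontology tree modelled on the weapons taxonomy: (concept, [children]).
# The exact edges are an assumption; the slides only show the concept names.
WEAPONS = ("Weapons", [
    ("Special Weapons", [("Nuclear Warhead", []), ("Delivery System", [])]),
    ("Conventional Weapons", [
        ("Rocket Launcher", [("Size", [])]),
        ("Machine Gun", [("Rounds", []), ("Trigger Mechanism", [])]),
    ]),
])
SENSITIVE = "Special Weapons"   # stands in for the slide's `Agent' concept


def rem_subtree(tree, concept):
    """EP remSubtree: drop the concept and everything below it (use-case 1a; assumed
    semantics: the named node itself goes too)."""
    name, kids = tree
    return (name, [rem_subtree(k, concept) for k in kids if k[0] != concept])


def rem_branch(tree, parent, child):
    """EP remBranch: cut the edge parent->child, detaching that branch (use-case 1b)."""
    name, kids = tree
    kept = [k for k in kids if not (name == parent and k[0] == child)]
    return (name, [rem_branch(k, parent, child) for k in kept])


def subtree(tree, concept):
    """EP subtree: extract the ontology below a concept (use-case 1c); None if absent."""
    if tree[0] == concept:
        return tree
    for k in tree[1]:
        found = subtree(k, concept)
        if found is not None:
            return found
    return None


def rename(tree, concept, new_name):
    name, kids = tree
    return (new_name if name == concept else name, [rename(k, concept, new_name) for k in kids])


def hide_concept(tree, concept):
    """MP hideConcept: keep the node and its edges but blank the name to "No Name" (2a)."""
    return rename(tree, concept, "No Name")


def modify_concept(tree, concept, cover):
    """MP modifyConcept: replace the name with a cover story (2b)."""
    return rename(tree, concept, cover)


def allow(tree, attrs):
    """The slide's DCP. Rule (1): requesters satisfying Suspicious get nil (None).
    Rule (2): requesters with SecretClearance get OTree(x) minus the sensitive subtree.
    Added third rule (assumption, not on the slide): requesters with only the Public
    attribute see the structure with the sensitive concept hidden. Rules are tried in
    order (an assumption); no matching rule means nil."""
    if "Suspicious" in attrs:
        return None
    if "SecretClearance" in attrs:
        return rem_subtree(tree, SENSITIVE)
    if "Public" in attrs:
        return hide_concept(tree, SENSITIVE)
    return None


def concepts(tree):
    """Sorted list of the concept names in a tree (to inspect the disclosed portion)."""
    name, kids = tree
    return sorted([name] + [c for k in kids for c in concepts(k)])


if __name__ == "__main__":
    for attrs in ({"Suspicious"}, {"SecretClearance"}, {"Public"}):
        answer = allow(WEAPONS, attrs)
        print(attrs, None if answer is None else concepts(answer))
```

The operations never mutate the tree they are given, so one ontology can serve many requesters with different attribute sets; the disseminated tree is always built fresh from the stored one, which is what the "computed on the fly" wording of the EP predicates calls for.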
3-valued Semantics for DCPs

• Valuations map ground atoms to {T, F, ⊥}
• The immediate consequence function Φ_P takes a valuation and performs the mapping: a ground atom H is mapped to
  – T if there is a ground clause instance with head H such that each literal in its body is satisfied by the input valuation
  – F if there is an unsatisfied literal in the body of every ground clause instance having head H
  – ⊥ otherwise
• Φ_Pi↑(α+1) = Φ_Pi(Φ_Pi↑(α))
• The semantics of DCP Pi is Φ_Pi↑(ω+1)
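The immediate consequence function and its iteration, as an added Python example for ground programs (not code from the paper). The program is a constructed, grounded echo of the allow rules above, with an added `paradox` clause to show an atom that stays ⊥; an atom that has no clause at all is taken to be false, since the "every clause has an unsatisfied literal" condition holds vacuously for it.

```python
# A ground program as {head: [body, body, ...]}, where a body is a list of literals
# (atom, positive?). Constructed to echo the slide's policy; atoms are plain strings.
PROGRAM = {
    "flagged(bob)": [[]],                                    # fact: empty body
    "secretClearance(alice)": [[]],
    "suspicious(bob)": [[("flagged(bob)", True)]],
    "suspicious(alice)": [[("flagged(alice)", True)]],       # flagged(alice) has no clause -> F
    "allow(x,bob,nil)": [[("suspicious(bob)", True)]],
    "allow(x,alice,nil)": [[("suspicious(alice)", True)]],
    "allow(x,alice,C)": [[("secretClearance(alice)", True), ("suspicious(alice)", False)]],
    "paradox": [[("paradox", False)]],                       # p :- not p stays undefined
}
T, F, U = "T", "F", "⊥"


def atoms_of(program):
    """Every atom that occurs as a head or inside a body."""
    return set(program) | {a for bodies in program.values() for body in bodies for a, _ in body}


def literal_value(valuation, atom, positive):
    """Truth value of a literal under a 3-valued valuation; negation flips T and F, keeps ⊥."""
    v = valuation.get(atom, F)
    if v == U:
        return U
    return v if positive else (F if v == T else T)


def phi(program, valuation):
    """Immediate consequence function Φ_P: H is T if some clause with head H has every body
    literal true, F if every clause with head H has a false literal (vacuously so when H
    has no clause), ⊥ otherwise."""
    new = {}
    for atom in atoms_of(program):
        bodies = program.get(atom, [])
        vals = [[literal_value(valuation, a, pos) for a, pos in body] for body in bodies]
        if any(all(v == T for v in body) for body in vals):
            new[atom] = T
        elif all(any(v == F for v in body) for body in vals):
            new[atom] = F
        else:
            new[atom] = U
    return new


def semantics(program):
    """Iterate Φ_P from the all-⊥ valuation (Φ_P↑0) until Φ_P↑(α+1) = Φ_P↑α.
    For a finite ground program the sequence stabilises after finitely many steps;
    the stable valuation is returned."""
    valuation = {a: U for a in atoms_of(program)}
    while True:
        nxt = phi(program, valuation)
        if nxt == valuation:
            return valuation
        valuation = nxt


if __name__ == "__main__":
    for atom, value in sorted(semantics(PROGRAM).items()):
        print(value, atom)
```

The three allow atoms settle to T, F and T in the order the clauses suggest, while `paradox` never leaves ⊥: under the two-valued reading such a clause would have no model at all, and the third value is what lets a policy with negation still have a well-defined answer.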
Results

Theorems:
1. Equality: An RDF graph rooted at node A is equivalent to the ontology tree T computed by OTree(A, T).
2. Faithfulness: An RDF graph with its extension, rooted at node A, is equivalent to the tree T computed by RDFInst(A, T).
3. Correctness: For a request request(x, Y) for the document rooted at x, the DCP divulges only those portions of the requested tree that are intended to be disclosed to a requester with attributes Y.