Tree Automata for Schema-level Filtering of XML Associations

Csilla Farkas

Abstract

In this paper we present query filtering techniques based on bottom-up tree automata for XML access control. In our authorization model (RXACL), RDF statements are used to represent security objects and to express the security policy. Our model allows to express and enforce access control on XML trees and their associations. We propose a query-filtering technique that evaluate XML queries to detect disclosure of association-level security objects. A query Q discloses a security object o iff the (tree) automata corresponding to o accepts Q. We show that our schema-level method detects all possible disclosures, i.e., it is complete.

References

  1. Nott, C., Patterns: Using Business Service Choreography In Conjuction With An Enterprise Service Bus. IBM Redbooks Paper. 2004. 32.
  2. IDC, Cautious Web Services Software Adoption Continues; IDC Expects Spending to Reach $11 Billion by 2008. 2004.
  3. Gutiérrez, C., E. Fernández-Medina, and M. Piattini, Web Services Security: is the problem solved? Information Systems Security, 2004. 13(3): p. 22-31.
  4. Endrei, M., et al., 4. Service-oriented architecture approach, in Patterns: Service-Oriented Architecture and Web Services. 2004. p. 345.
  5. Endrei, M., et al., Patterns: Services Oriented Architectures and Web Services. IBM Redbook, ed. IBM. 2004.
  6. Papazoglou, M.P. and D. Georgakopoulo, Service-Oriented Computing. Communications of the ACM, 2003. 46(10): p. 25-28.
  7. Alberts, C.J., et al., Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0, in Networked Systems Survivability Program. 1999, Carnegie Mellon. Software Engineering Institute. p. 84.
  8. Smith, D.G., Common Concepts Underlying Safety, Security, and Survivability Engineering. 2003, SEI.
  9. OMG, UML Profile for Modeling Quality of Service and Fault Tolerance Characteristics and Mechanisms. 2004.
  10. Bass, L. and R. Kazman, Architecture Based Development, in Product Line Systems. April 1999, Carnegie Mellon. Software Engineering Institute. p. 36.
  11. Jürjens, J., Secure Systems Development with UML. 2005: Springer. 309.
  12. Yu, H., et al. Integrating Security Administration into Software Architecture Design. in International Conference on Software Engineering and Knowledge Engineering 2004. 2004. Banff, Canada.
  13. Sindre, G. and A.L. Opdahl. Eliciting Security Requirements with Misuse Cases. in 37th International Conference on Technology of Object-Oriented Languages and Systems (TOOLS-377800). 2000. Sydney, Australia.
  14. Alexander, I., Misuse Cases: Use Cases with Hostile Intent. IEEE Computer Software, 2003. 20(1): p. 58-66.
  15. Firesmith, D.G., Security Use Cases. Journal of Object Technology, 2003. 2(3): p. 53-64.
  16. Toval, A., et al., Requirements Reuse for Improving Information Systems Security: A Practitioner's Approach. Requirements Engineering Journal, 2001. 6(4): p. 205-219.
  17. Bass, L., P. Clements, and R. Kazman, Software Architecture in Practice. 2nd, ed. 2003: Addison-Wesley. 560.
  18. Ellison, R.J., et al., Security and Survivability Reasoning Frameworks and Architectural Design Tactics. 2004, SEI.
  19. Klein, M. and R. Kazman, Attribute-Based Architectural Styles, in Product Line Practice. 1999, Software Engineering Institute. p. 90.
  20. Krutchen, P., The 4+1 View Model of Software Architecture. IEEE Software, 1995: p. 42- 50.
  21. VeriSign, et al., Web Services Policy Framework (WS-Policy). 2004.
  22. Anderson, A., S. Proctor, and S. Godik, OASIS XACML profile for Web-services. 2004.
  23. Cremonini, M., et al. A XML-based Approach to Combine Firewalls and Web Services Security Specifications. in ACM Workshop on XML Security. 2003. Fairfaz VA, USA.
  24. Leune, K. and M. Papazaglou. Specification and Querying of Security Constraints in the EFSOC Framework. in International Conference on Service Oriented Computing. WillemJan van den Heuvel. New York City, USA.
  25. Deubler, M., et al. Sound Development of Secure Service-based Systems. in ICSOC'04. 2004. New York, USA: ACM.
Download


Paper Citation


in Harvard Style

Farkas C. (2005). Tree Automata for Schema-level Filtering of XML Associations . In Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005) ISBN 972-8865-25-2, pages 298-308. DOI: 10.5220/0002575502980308


in Bibtex Style

@conference{wosis05,
author={Csilla Farkas},
title={Tree Automata for Schema-level Filtering of XML Associations},
booktitle={Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)},
year={2005},
pages={298-308},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002575502980308},
isbn={972-8865-25-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)
TI - Tree Automata for Schema-level Filtering of XML Associations
SN - 972-8865-25-2
AU - Farkas C.
PY - 2005
SP - 298
EP - 308
DO - 10.5220/0002575502980308