Abstract
As the XML model gets more popular, new needs arise to specify access control within XML model. Various XML access control models and enforcement methods have been proposed recently. However, by and large, these approaches either assume the support of security features from XML databases or use proprietary tools outside of databases. Since there are currently few commercial XML databases with such capabilities, the proposed approaches are not yet practical. Therefore, we explore the problem of “Is is possible to fully support XML access control in RDBMS?” We formalize XML and relational access control models using deep set operators. Then we show that the problem of XML AC atop RDBMS is amount to the problem of converting XML deep set operators into equivalent relational deep set operators. We show the conversion algebra and identify the properties to ensure the correct conversion. Finally, we present three practical implementations of XML access controls using off-the-shelf RDBMS and their performance results.
Chapter PDF
References
Bray, T., Paoli, J., Sperberg-McQueen, C.M. (eds.): Extensible Markup Language (XML) 1.0, 2nd edn. W3C Recommendation (2000)
Godik, S., Moses, T. (eds.): eXtensible Access Control Markup Language (XACML) Version 1.0 (2003)
Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., Samarati, P.: A Fine-Grained Access Control System for XML Documents. ACM TISSEC 5(2), 169–202 (2002)
Bertino, E., Ferrari, E.: Secure and Selective Dissemination of XML Documents. ACM TISSEC 5(3), 290–331 (2002)
Tan, K.L., Lee, M.L., Wang, Y.: Access Control of XML Documents in Relational Database Systems. In: IC, Las Vegas, NV (June 2001)
Barbosa, D., Freire, J., Mendelzon, A.O.: Designing Information-preserving Mapping Schemes for XML. In: VLDB, Trondheim, Norway, pp. 109–120 (2005)
Samarati, P., Bertino, E., Jajodia, S.: An Authorization Model for a Distributed Hypertext System. IEEE TKDE 8(4), 555–562 (1996)
Damiani, E., Vimercati, S.D.C.D., Paraboschi, S., Samarati, P.: Design and Implementation of an Access Control Processor for XML Documents. Computer Networks 33(6), 59–75 (2000)
Kudo, M., Hada, S.: XML Document Security Based on Provisional Authorization. In: ACM CCS, ACM Press, New York (2000)
Fundulaki, I., Marx, M.: Specifying access control policies for xml documents with xpath. In: ACM SACMAT, pp. 61–69. ACM Press, New York (2004)
Fernandez, E., Gudes, E., Song, H.: A Model of Evaluation and Administration of Security in Object-Oriented Databases. IEEE TKDE 6(2), 275–292 (1994)
Wang, J., Osborn, S.L.: A role-based approach to access control for XML databases. In: ACM SACMAT, pp. 70–77. ACM Press, New York (2004)
Bertino, E., Castano, S., Ferrari, E.: Securing XML Documents with Author-X. IEEE Internet Computing 5(3), 21–31 (2001)
Murata, M., Tozawa, A., Kudo, M., Hada, S.: XML access control using static analysis. ACM TISSEC 9(3), 292–324 (2006)
Damiani, E., di Vimercati, S.D.C., Paraboschi, S., Samarati, P.: Securing XML Documents. In: Zaniolo, C., Grust, T., Scholl, M.H., Lockemann, P.C. (eds.) EDBT 2000. LNCS, vol. 1777, pp. 121–135. Springer, Heidelberg (2000)
Cho, S., Amer-Yahia, S., Lakshmanan, L.V., Srivastava, D.: Optimizing the Secure Evaluation of Twig Queries. In: Bressan, S., Chaudhri, A.B., Lee, M.L., Yu, J.X., Lacroix, Z. (eds.) CAiSE 2002 and VLDB 2002. LNCS, vol. 2590, Springer, Heidelberg (2003)
Xiao, Y., Luo, B., Lee, D.: Security-Conscious XML Indexing. In: DASFAA, Bangkok, Thailand (2007)
Yu, T., Srivastava, D., Lakshmanan, L.V., Jagadish, H.V.: Compressed Accessibility Map: Efficient Access Control for XML. In: Bressan, S., Chaudhri, A.B., Lee, M.L., Yu, J.X., Lacroix, Z. (eds.) CAiSE 2002 and VLDB 2002. LNCS, vol. 2590, Springer, Heidelberg (2003)
Jiang, M., Fu, A.W.C.: Integration and Efficient Lookup of Compressed XML Accessibility Maps. IEEE TKDE 17(7), 939–953 (2005)
Stoica, A., Farkas, C.: Secure XML Views. In: DBSec, pp. 133–146 (2002)
Fan, W., Chan, C.Y., Garofalakis, M.: Secure XML querying with security views. In: SIGMOD, pp. 587–598 (2004)
Kuper, G., Massacci, F., Rassadko, N.: Generalized XML security views. In: SACMAT, pp. 77–84 (2005)
Murata, M., Tozawa, A., Kudo, M.: XML Access Control using Static Analysis. In: ACM CCS, Washington, DC, ACM Press, New York (2003)
Luo, B., Lee, D., Lee, W.C., Liu, P.: QFilter: Fine-Grained Run-Time XML Access Control via NFA-based Query Rewriting. In: ACM CIKM, Washington, DC, ACM Press, New York (2004)
Qi, N., Kudo, M.: Access-condition-table-driven access control for xml databases. In: Samarati, P., Ryan, P.Y.A., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 17–32. Springer, Heidelberg (2004)
Qi, N., Kudo, M.: Xml access control with policy matching tree. In: di Vimercati, S.d.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 3–23. Springer, Heidelberg (2005)
Mohan, S., Sengupta, A., Wu, Y.: Access control for XML: a dynamic query rewriting approach. In: CIKM, pp. 251–252 (2005)
Bouganim, L., Ngoc, F.D., Pucheral, P.: Client-Based Access Control Management for XML Documents. In: VLDB, Toronto, Canada (2004)
Bertino, E., Ferrari, E., Provenza, L.P.: Signature and Access Control Policies for XML Documents. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 1–22. Springer, Heidelberg (2003)
Carminati, B., Ferrari, E., Bertino, E.: Securing XML data in third-party distribution systems. In: CIKM, pp. 99–106 (2005)
Finance, B., Medjdoub, S., Pucheral, P.: The case for access control on XML relationships. In: CIKM, pp. 107–114 (2005)
Mohan, S., Wu, Y.: IPAC: an interactive approach to access control for semi-structured data. In: VLDB, VLDB Endowment, pp. 1147–1150 (2006)
Jajodia, S., Sandhu, R.: Toward a Multilevel Secure Relational Data Model. In: SIGMOD (May 1990)
Winslett, M., Smith, K., Qian, X.: Formal Query Languages for Secure Relational Databases. ACM TODS 19(4), 626–662 (1994)
Sandhu, R., Chen, F.: The Multilevel Relational (MLR) Data Model. ACM TISSEC 1(1) (1998)
Griffiths, P.P., Wade, B.W.: An Authorization Mechanism for a Relational Database System. ACM TODS 1(3), 242–255 (1976)
Jajodia, S., Samarati, P., Sapino, M.L., Subrahmanian, V.S.: Flexible Support for Multiple Access Control Policies. ACM TODS 26(2), 214–260 (2001)
Jajodia, S., Samarati, P., Subrahmanian, V.S., Bertino, E.: A Unified Framework for Enforcing Multiple Access Control Policies. In: ACM SIGMOD, pp. 474–485. ACM Press, New York (1997)
Gabillon, A., Bruno, E.: Regulating access to XML documents. In: DBSec, pp. 299–314 (2002)
Murthy, R., Liu, Z.H., Krishnaprasad, M., Chandrasekar, S., Tran, A.T., Sedlar, E., Florescu, D., Kotsovolos, S., Agarwal, N., Arora, V., Krishnamurthy, V.: Towards an enterprise XML architecture. In: ACM SIGMOD, pp. 953–957. ACM Press, New York (2005)
Rys, M.: XML and relational database management systems: inside Microsoft SQL Server 2005. In: ACM SIGMOD, pp. 958–962. ACM Press, New York (2005)
Nicola, M., van der Linden, B.: Native XML support in DB2 universal database. In: VLDB, pp. 1164–1174 (2005)
Beyer, K., Ozcan, F., Saiprasad, S., der Linden, B.V.: DB2/XML: designing for evolution. In: ACM SIGMOD, pp. 948–952. ACM Press, New York (2005)
Deutsch, A., Fernandez, M.F., Suciu, D.: Storing Semistructured Data with STORED. In: ACM SIGMOD, Philadephia, PA, ACM Press, New York (1998)
Shanmugasundaram, J., Tufte, K., He, G., Zhang, C., DeWitt, D., Naughton, J.: Relational Databases for Querying XML Documents: Limitations and Opportunities. In: VLDB, Edinburgh, Scotland (September 1999)
Lee, D., Chu, W.W.: Constraints-preserving Transformation from XML Document Type Definition to Relational Schema. In: Laender, A.H.F., Liddle, S.W., Storey, V.C. (eds.) ER 2000. LNCS, vol. 1920, pp. 323–338. Springer, Heidelberg (2000)
Florescu, D., Kossmann, D.: Storing and Querying XML Data Using an RDBMS. IEEE Data Eng. Bulletin 22(3), 27–34 (1999)
Yoshikawa, M., Amagasa, T., Shimura, T., Uemura, S.: XRel: A Path-Based Approach to Storage and Retrieval of XML Documents using Relational Databases. ACM TOIT 1(2), 110–141 (2001)
Lee, D., Lee, W.C., Liu, P.: Supporting XML Security Models using Relational Databases: A Vision. In: Bellahsène, Z., Chaudhri, A.B., Rahm, E., Rys, M., Unland, R. (eds.) Database and XML Technologies. LNCS, vol. 2824, Springer, Heidelberg (2003)
Schmidt, A.R., Waas, F., Kersten, M.L., Florescu, D., Manolescu, I., Carey, M.J., Busse, R.: The XML Benchmark Project. Technical Report INS-R0103, CWI (April 2001)
Qi, N., Kudo, M., Myllymaki, J., Pirahesh, H.: A function-based access control model for xml databases. In: ACM CIKM, pp. 115–122. ACM Press, New York (2005)
Luo, B., Lee, D., Lee, W.C., Liu, P.: Deep Set Operators for XQuery. In: ACM SIGMOD Workshop on XIME-P, Baltimore, MD, USA, ACM Press, New York (2005)
Berglund, A., Boag, S., Chamberlin, D., Fernández, M.F., Kay, M., Robie, J., Simeon, J.: XML Path Language (XPath) 2.0. W3C Working Draft (November 2003)
Boag, S., Chamberlin, D., Fernández, M.F., Florescu, D., Robie, J., Simeon, J.: XQuery 1.0: An XML Query Language. W3C Working Draft (November 2003)
Luo, B., Lee, D., Lee, W.C., Liu, P.: A Flexible Framework for Architecting XML Access Control Enforcement Mechanisms. In: VLDB Workshop on SDM, Toronto, Canada (2004)
Luo, B., Lee, D., Liu, P.: Pragmatic XML access control using off-the-shelf RDBMS. Technical report, Penn State University (2007)
Lu, H., et al.: What makes the differences: benchmarking XML database implementations. ACM TOIT 5(1), 154–194 (2005)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Luo, B., Lee, D., Liu, P. (2007). Pragmatic XML Access Control Using Off-the-Shelf RDBMS. In: Biskup, J., López, J. (eds) Computer Security – ESORICS 2007. ESORICS 2007. Lecture Notes in Computer Science, vol 4734. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74835-9_5
Download citation
DOI: https://doi.org/10.1007/978-3-540-74835-9_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74834-2
Online ISBN: 978-3-540-74835-9
eBook Packages: Computer ScienceComputer Science (R0)