
Web Data and Application Security. Csilla Farkas, farkas@cse.sc.edu, http://www.cse.sc.edu/~farkas. Center of Information Assurance Engineering, Department of Computer Science and Engineering, University of South Carolina.


Presentation Transcript


  1. Web Data and Application Security Csilla Farkas farkas@cse.sc.edu http://www.cse.sc.edu/~farkas Center of Information Assurance Engineering Department of Computer Science and Engineering University of South Carolina

  2. Web Evolution
     • Past: Human usage
       • HTTP
       • Static Web pages (HTML)
     • Current: Human and some automated usage
       • Interactive Web pages
       • Web Services (WSDL, SOAP, SAML)
       • Semantic Web (RDF, OWL, RuleML, Web databases)
       • XML technology (data exchange, data representation)
     • Future: Semantic Web Services

  3. Outline
     • Security on the Web
     • Data Security
     • Metadata Security
     • Application Security
     • Future Directions

  4. Are the existing security mechanisms sufficient to provide data and application security for the next generation Web?

  5. Information Assurance
     [Topic-map figure] Fraud, Information hiding, Privacy, Negotiation, Protocol Analysis, Access control, Applications, Data provenance, Biometrics, Semantic web security, Security, Trust, Data mining, Encryption, Computer epidemic, Anonymity, Policy making, Inference Control, Formal models

  6. Outline
     • Security on the Web
     • Data Security
       • Access Control Models for Semi-Structured Data
         • Syntactic XML
         • Secure XML Views
         • XML Updates
         • XML association object
       • XML and Semantics
         • SMIL
         • Inference Control
     • Metadata Security
     • Application Security
     • Future Directions

  7. Limitation of Research
     • Syntax-based
     • No association protection
     • Limited handling of updates
     • No data or application semantics
     • No inference control

  8. Outline (repeats slide 6)

  9. Secure XML Views - Example
     Labelled document (UC = Unclassified, S = Secret, TS = Top Secret; each element's label follows it):
       <medicalFiles> UC
         <countyRec> S
           <patient> S
             <name>John Smith</name> UC
             <phone>111-2222</phone> S
           </patient>
           <physician>Jim Dale</physician> UC
         </countyRec>
         <milBaseRec> TS
           <patient> S
             <name>Harry Green</name> UC
             <phone>333-4444</phone> S
           </patient>
           <physician>Joe White</physician> UC
           <milTag>MT78</milTag> TS
         </milBaseRec>
       </medicalFiles>
     [Tree diagram of the same document; the following slides show candidate views over the UC data]

  10. Secure XML Views - Example cont.
     View over UC data in which the classified elements countyRec, milBaseRec and patient remain as structural nodes:
       <medicalFiles>
         <countyRec>
           <patient>
             <name>John Smith</name>
           </patient>
           <physician>Jim Dale</physician>
         </countyRec>
         <milBaseRec>
           <patient>
             <name>Harry Green</name>
           </patient>
           <physician>Joe White</physician>
         </milBaseRec>
       </medicalFiles>
     [Tree diagram of this view]

  11. Secure XML Views - Example cont.
     View over UC data in which the classified element names are replaced by cover tags tag01, tag02, tag03:
       <medicalFiles>
         <tag01>
           <tag02>
             <name>John Smith</name>
           </tag02>
           <physician>Jim Dale</physician>
         </tag01>
         <tag03>
           <tag02>
             <name>Harry Green</name>
           </tag02>
           <physician>Joe White</physician>
         </tag03>
       </medicalFiles>
     [Tree diagram of this view]

  12. Secure XML Views - Example cont.
     The view of slide 10 with its labels shown (it still contains elements labelled S and TS):
       <medicalFiles> UC
         <countyRec> S
           <patient> S
             <name>John Smith</name> UC
           </patient>
           <physician>Jim Dale</physician> UC
         </countyRec>
         <milBaseRec> TS
           <patient> S
             <name>Harry Green</name> UC
           </patient>
           <physician>Joe White</physician> UC
         </milBaseRec>
       </medicalFiles>
     [Tree diagram of this view]

  13. Secure XML Views - Example cont.
     View over UC data keeping only the UC elements, lifted to the root (the patient/physician grouping is lost):
       <medicalFiles>
         <name>John Smith</name>
         <physician>Jim Dale</physician>
         <name>Harry Green</name>
         <physician>Joe White</physician>
       </medicalFiles>
     [Tree diagram of this view]

  14. Secure XML Views - Solution
     • Multi-Plane DTD Graph (MPG)
     • Minimal Semantic Conflict Graph (association preservation)
     • Cover story
     • Transformation rules

  15. Multi-Plane DTD Graph
     [Diagram] The DTD graph of the medical-files document (medicalFiles → countyRec, milBaseRec; countyRec and milBaseRec → patient, physician; milBaseRec → milTag; patient → name, phone) replicated over three security planes, Unclassified (UC), Secret (S) and TopSecret (TS); the nodes marked D,medicalFiles, D,countyRec, D,milBaseRec, D,patient, D,physician, D,name, D,phone, D,milTag are the DTD nodes placed in their planes.
     MPG = DTD graph over multiple security planes

  16.–19. Transformation - Example
     [Four diagrams] The MPG of the medical-files document (medicalFiles, countyRec, milBaseRec, patient, physician, name, phone, milTag placed in the security space UC, S, TS) together with its Minimal Semantic Conflict Graph (MSCG) over name, phone and physician; the transformation rules introduce a cover node <emrgRec> (emergencyRec), marked SP, and the last diagram shows the resulting data structure.

  20. Outline (repeats slide 6)

  21. Delete - Example
     [Tree diagram of a labelled document] Report (P), Title (P), Data (P), Date (P), Temperature ? (P), Images (S), Water Resources (S), Concrete Location (S), Civil Area (S), Defense Sector (TS)

  22. Delete Operations
     • Delete the entire sub-tree under a deleted node
       • Most widely used approach
       • Problem: blind write
     • Delete only the viewable nodes
       • Problem: fragmentation of the XML tree
     • Reject the delete
       • Problem: covert channel

  23. Different Solution – Deleted Label: Basic Idea
     • A unique domain “Del” for deleted nodes
     • Change the security classification of the deleted node from (o, {do}) to (o, {do ∪ Del}) (level, category set)
       • Performed after the delete operation
     • Change the security clearance of users: a subject s = (s, {ds}) > (o, {do}) receives the clearance set { (s, {ds}), (o, {do ∪ Del}) }
       • Can be preprocessed
     • Use BLP axioms

  24. Example - Top Secret View
     [Tree diagram] Report (P), Title (P), Data (P), Date (P), Temperature (P), Images (S,{Del}), Concrete Location (S,{Del}), Defense Sector (TS)
     Subject clearances:
       (TS, {}) → { (TS, {}), (S, {Del}), (P, {Del}) }
       (S, {}) → { (S, {}), (P, {Del}) }
       (P, {}) → { (P, {}) }
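The deleted-label scheme of slides 23 and 24 can be checked end to end on a small tree. The following Python program is an example added to this transcript, not the author's implementation: labels are (level, category set) pairs under Bell-LaPadula dominance, a delete relabels into the Del domain instead of removing anything, and the clearance set of a subject is widened exactly as slide 24 lists. Two details are this example's assumptions: a delete relabels only those nodes of the subtree the deleting subject can read (so a TS child of a deleted S node is untouched, as on slide 24), and an unreadable node hides its whole subtree in a view. The tree is constructed after slide 21.

```python
"""Logical deletion with a 'Del' category: no blind write, no fragmentation,
no rejected delete.  Labels are (level, frozenset of categories)."""

LEVELS = {"P": 0, "S": 1, "TS": 2}      # Public < Secret < TopSecret (slide 21)
DEL = frozenset({"Del"})


def dominates(a, b):
    """(la, ca) dominates (lb, cb) iff la >= lb and ca is a superset of cb (BLP)."""
    (la, ca), (lb, cb) = a, b
    return LEVELS[la] >= LEVELS[lb] and set(ca) >= set(cb)


def clearance_set(level):
    """Slide 24: a subject at `level` keeps its own clearance and gains (l, {Del})
    for every strictly lower level l, e.g. TS -> {(TS,{}), (S,{Del}), (P,{Del})}."""
    lower = [(l, DEL) for l in LEVELS if LEVELS[l] < LEVELS[level]]
    return [(level, frozenset())] + lower[::-1]


def readable(level, label):
    """A subject reads a node if any clearance in its set dominates the label."""
    return any(dominates(c, label) for c in clearance_set(level))


class Node:
    def __init__(self, name, level, children=()):
        self.name = name
        self.label = (level, frozenset())
        self.children = list(children)


def delete(node, level):
    """Logical delete by a subject at `level`: every node of the subtree the subject
    can read moves into the Del domain; nodes it cannot read stay as they are
    (assumption of this example), so higher subjects keep seeing the whole subtree."""
    if readable(level, node.label):
        lvl, cats = node.label
        node.label = (lvl, cats | DEL)
        for child in node.children:
            delete(child, level)


def view(node, level):
    """Pre-order names visible to a subject at `level`; an unreadable node hides
    its subtree (assumption of this example)."""
    if not readable(level, node.label):
        return []
    names = [node.name]
    for child in node.children:
        names += view(child, level)
    return names


def example_tree():
    """Constructed tree modelled on slide 21; returns (root, Images, Defense Sector)."""
    defense = Node("Defense Sector", "TS")
    images = Node("Images", "S", [Node("Concrete Location", "S"), defense])
    root = Node("Report", "P", [
        Node("Title", "P"),
        Node("Data", "P", [Node("Date", "P"), Node("Temperature", "P")]),
        images,
    ])
    return root, images, defense


if __name__ == "__main__":
    root, images, _ = example_tree()
    delete(images, "S")                     # an S subject deletes the Images subtree
    for lvl in ("P", "S", "TS"):
        print(lvl, view(root, lvl))
```

After the S-level delete, the S subject no longer sees Images, while the TS subject still sees Images (S,{Del}), Concrete Location (S,{Del}) and the untouched Defense Sector (TS), which is the Top Secret view of slide 24. A node deleted by a TS subject gets label (TS,{Del}), which no clearance set dominates, so it disappears for everyone.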

  25. Node Association - Example: DTD of Patient Health Record
     [DTD diagram] MedicalDb → Patient*; Patient → SSN, Name, Phone, Birthdate, Race, Diagnosis*, Allergies*; Diagnosis → Date, Physician, Prescription, Comments; Allergies → Allergen, Comments. Alongside, the diagram marks node associations over some of these nodes (Name and Phone; Birthdate and Race; Diagnosis, Date and Comments).

  26. Layered Access Control
     [Diagram] Object (association-level) classification layered on top of node-level classification; + and - marks show the access decisions at the two layers.

  27. Simple Security Object
     [Tree diagram] Object o composed of nodes t1, t2, t3, t4 with ∀ti: λ(ti) = λ(o), where λ is the security classification.

  28. Association Security Object
     [Tree diagram] Object o composed of nodes t1, t2, t3, t4 with ∀ti: λ(ti) < λ(o).

  29. Query Pattern
     FOR $x in //r
     LET $y := $x/d, $z := $x/a
     WHERE $z/b == $y
     RETURN <answer> {$z/c} </answer>
     [Query pattern tree: //r with children d and a; a has children b and c; d and b carry the same value v1]

  30. Pattern Automata
     • Pattern Automaton X = { Σ, Q, q0, Qf, δ }
     • Σ = E ∪ A ∪ { pcdata, // }
     • δ is a transition function
     • Q = { q0, …, qn }
     • Qf ⊆ Q, q0 ∉ Qf
     • Valid transitions in δ have the form σ(qi, …, qj) → qk
     • If δ contains no applicable transition rule, the default new state is q0

  31. Pattern Automata - Example
     [Tree diagram] Association object //a with children b and c
     • Σ = { a, b, c, // }
     • Q = { q0, qa, qb, qc }
     • Qf = { qa }
     • δ = { b() → qb, c() → qc, a(qb, qc) → qa, *(qa) → qa }
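The automaton of slide 31 is a bottom-up tree automaton: each node's state is computed from its children's states, missing rules default to q0, and the `*(qa) → qa` rule carries a match up through any ancestor, which is what the `//` in the pattern means. The Python program below is an example added to this transcript, not the author's code; it runs that automaton over trees given as `(label, children)` tuples or as XML text. One assumption of the example: children in state q0 carry no partial match and are ignored when a rule is looked up, so `a(b, c)` still matches when `a` has further, irrelevant children.

```python
"""Bottom-up pattern automaton for XML association objects (slides 30-31)."""
import xml.etree.ElementTree as ET

Q0 = "q0"   # default state: no (partial) match at this node


class PatternAutomaton:
    def __init__(self, rules, final):
        # rules: (symbol or "*", tuple of child states, target state)
        self.rules = [(sym, tuple(sorted(kids)), tgt) for sym, kids, tgt in rules]
        self.final = set(final)

    def step(self, symbol, child_states):
        """delta(symbol, child states) -> state; q0 when no rule applies.
        Children in q0 are dropped before matching (assumption of this example)."""
        relevant = tuple(sorted(s for s in child_states if s != Q0))
        for sym, kids, target in self.rules:
            if sym in (symbol, "*") and kids == relevant:
                return target
        return Q0

    def run(self, tree):
        """State reached at the root; tree = (label, [child trees])."""
        label, children = tree
        return self.step(label, [self.run(c) for c in children])

    def accepts(self, tree):
        return self.run(tree) in self.final


def slide31_automaton():
    """Sigma = {a, b, c, //}, Q = {q0, qa, qb, qc}, Qf = {qa},
    delta = { b() -> qb, c() -> qc, a(qb, qc) -> qa, *(qa) -> qa }."""
    return PatternAutomaton(
        rules=[("b", (), "qb"),
               ("c", (), "qc"),
               ("a", ("qb", "qc"), "qa"),
               ("*", ("qa",), "qa")],     # the // axis: propagate a match upward
        final=["qa"],
    )


def from_xml(text):
    """Convert an XML document into the (tag, children) form the automaton reads."""
    def conv(e):
        return (e.tag, [conv(c) for c in e])
    return conv(ET.fromstring(text))


if __name__ == "__main__":
    auto = slide31_automaton()
    # Constructed documents: one holds the association object deep inside, one does not.
    print(auto.accepts(from_xml("<root><x><a><c/><b/></a></x></root>")))   # True
    print(auto.accepts(from_xml("<root><a><b/></a></root>")))              # False
```

A document is accepted only when some `a` element has both a `b` and a `c` child, wherever that `a` sits; this is the association object the layered classification of slide 26 then labels as a unit.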

  32. Outline (repeats slide 6)

  33. SMIL
     • Parallel operator “PAR”: VIDEO and AUDIO together
     • Sequential operator “SEQ”: VIDEO after the END of AUDIO
     • Switch operator “switch”: if condition A = TRUE, then only VIDEO (AUDIO is silence); if condition B = TRUE, then only AUDIO (VIDEO is silence)

  34. SMIL vs. XML
     • In both, document = tree
     • BUT XML has NO intended semantics, while SMIL specifies runtime behavior
     • QoS (timeliness and continuity) is specified using the synchronization constructs <par>, <seq>, <excl> and others
     • No security for SMIL
     Example:
       <smil>
         <seq>
           <par>
             <audio src="http://www.example.org/Audio1.rm"/>
             <video src="http://www.example.org/Video1.rm"/>
           </par>
           <par>
             <audio src="http://www.example.org/Audio2.rm"/>
             <video src="http://www.example.org/Video2.rm"/>
           </par>
         </seq>
       </smil>
     [Tree diagram: smil → seq → two par nodes holding Audio1/Video1 and Audio2/Video2]

  35.–37. Object Identity in SMIL - I, II, III
     [Three timeline diagrams over t, t+7, t+14 comparing SEQ/PAR nestings of the four media intervals Audio 1, Audio 2, Video 1, Video 2 (A1, A2, V1, V2): syntactically different trees can play the same intervals at the same times, which is what the SMIL Normal Form on the next slide makes explicit]

  38. SMIL Normal Form
     SMIL Normal Form (smilNF) is of the form
       <seq>
         <par> C_1,1(s) C_1,2(s) C_1,3(s) … C_1,n(s) </par>
         <par> … </par>
         <par> C_m,1(s) C_m,2(s) C_m,3(s) … C_m,n(s) </par>
       </seq>
     where the C_i,j are audio, video, image or text media intervals.

  39. Normalization Algorithm
     [Diagram] Representation 1: the streams A = (A1 A2 A3), B = (B1 B2 B3), C = (C1 C2 C3), D = (D1 D2 D3) combined with nested SEQ and PAR operators. Representation 2 (the normal form): a SEQ of three PARs grouped by time slot, (A1 B1 C1 D1), (A2 B2 C2 D2), (A3 B3 C3 D3).

  40. Metadata in SMIL - RBAC Example
     [Diagram with three trees] SMIL Normal Form: a <SEQ> of <PAR> slots holding A1 V1 and A2 V2. RBAC-metadata-decorated SMIL Normal Form: the intervals (and one <PAR>) carry role annotations, (r3)V1, (r1)A2, (r2)V2, with A1 unannotated. Permitted view for Role 1: the same <SEQ> of <PAR> slots with the intervals Role 1 may not access removed (a slot may become empty).
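Slides 35 to 40 rest on one computation: schedule the `<seq>`/`<par>` tree, cut the timeline at every media boundary, and emit one `<par>` per slice. The Python program below is an example added to this transcript, not the deck's published algorithm: `normal_form` produces the slice list of slide 38, so the differently nested trees of slides 35 to 37 compare equal, and `permitted_view` applies a role's permitted media set to the normal form as slide 40 does. Durations are constructed (7 time units, matching the slides' t, t+7, t+14), and the `media`/`seq`/`par` constructors and the rule that a `par` starts all its children together are this example's assumptions.

```python
"""SMIL Normal Form by timeline slicing, plus RBAC filtering of the result."""


def media(name, duration=7):
    """A media interval of the given length (constructed default of 7 units)."""
    return ("media", name, duration)


def seq(*children):
    return ("seq", list(children))


def par(*children):
    return ("par", list(children))


def schedule(node, start=0):
    """Return (end_time, intervals) with intervals as (name, start, end) triples.
    seq plays children one after another; par starts them all at `start`."""
    kind = node[0]
    if kind == "media":
        _, name, dur = node
        return start + dur, [(name, start, start + dur)]
    _, children = node
    intervals, t, end = [], start, start
    for child in children:
        child_end, child_ivs = schedule(child, t)
        intervals += child_ivs
        if kind == "seq":
            t = child_end                 # next child starts when this one ends
        end = max(end, child_end)
    return end, intervals


def normal_form(node):
    """smilNF: a list of slices (the <par> rows of slide 38), each listing the
    media active throughout that slice, sorted by name."""
    _, intervals = schedule(node)
    cuts = sorted({t for _, s, e in intervals for t in (s, e)})
    return [sorted(n for n, s, e in intervals if s <= a and e >= b)
            for a, b in zip(cuts, cuts[1:])]


def permitted_view(slices, allowed):
    """RBAC on the normal form (slide 40): keep only intervals the role may play.
    A slice may become empty, but later slices keep their position in time."""
    return [[n for n in sl if n in allowed] for sl in slices]


if __name__ == "__main__":
    # Constructed presentations from slides 35-37, nested two different ways.
    rep1 = par(seq(media("A1"), media("A2")), seq(media("V1"), media("V2")))
    rep2 = seq(par(media("A1"), media("V1")), par(media("A2"), media("V2")))
    print(normal_form(rep1))                                  # [['A1', 'V1'], ['A2', 'V2']]
    print(normal_form(rep1) == normal_form(rep2))             # True
    print(permitted_view(normal_form(rep1), {"A1", "A2"}))    # [['A1'], ['A2']]
```

Because both nestings normalize to the same slices, a policy attached to media intervals in the normal form is independent of how the author happened to nest the operators, which is what makes the normal form a usable base for the RBAC metadata of slide 40.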

  41. Outline (repeats slide 6)

  42. The Inference Problem
     • General-purpose database: non-confidential data + metadata → undesired inferences
     • Semantic Web: non-confidential data + metadata (data and application semantics) + computational power + connectivity → undesired inferences

  43. Association Graph
     • Association similarity measure:
       • Distance of each node from the association root
       • Difference of the distance of the nodes from the association root
       • Complexity of the sub-trees originating at the nodes
     • Example [figure]: an XML document with the nodes Air show, address and fort, and its association graph; the nodes are labelled Public and Public, AC

  44.–45. Correlated Inference
     • Concept generalization: weighted concepts, concept abstraction level, range of allowed abstractions
     • Concept hierarchy (sub-concept :: super-concept):
       Object[].
       waterSource :: Object
       basin :: waterSource
       place :: Object
       district :: place
       address :: place
       base :: Object
       fort :: base
     [Figures: the Public nodes address, fort, Water source, base, district and basin, and the Confidential association marked “?” between them; generalizing fort to Base and address to Place shows how the public data correlates with the confidential association]

  46. Inference Removal
     • Relational databases: limit access to data
     • Web inferences:
       • Cannot redesign public data outside of the protection domain
       • Cannot modify/refuse the answer to an already published web page
     • Protection options:
       • Release misleading information
       • Remove information
       • Control access to metadata

  47. Outline (repeats slide 6)

  48. Metadata Security
     • No security model exists for metadata
     • Can we use existing security models to protect metadata?
     • RDF/S is the basic framework for the Semantic Web
     • RDF/S supports simple inferences
     • This is not true of XML: XML access control cannot be used to protect RDF/S data

  49. RDF/S Entailment Rules
     Example RDF/S entailment rules (http://www.w3.org/TR/rdf-mt/#rules):
     • rdfs2: (aaa, rdfs:domain, xxx) + (uuu, aaa, yyy) → (uuu, rdf:type, xxx)
     • rdfs3: (aaa, rdfs:range, xxx) + (uuu, aaa, vvv) → (vvv, rdf:type, xxx)
     • rdfs5: (uuu, rdfs:subPropertyOf, vvv) + (vvv, rdfs:subPropertyOf, xxx) → (uuu, rdfs:subPropertyOf, xxx)
     • rdfs11: (uuu, rdfs:subClassOf, vvv) + (vvv, rdfs:subClassOf, xxx) → (uuu, rdfs:subClassOf, xxx)

  50. Example Graph Format
     RDF triples:
     • (Student, rdfs:subClassOf, Person)
     • (University, rdfs:subClassOf, GovAgency)
     • (studiesAt, rdfs:domain, Student)
     • (studiesAt, rdfs:range, University)
     • (studiesAt, rdfs:subPropertyOf, memberAt)
     • (John, studiesAt, USC)
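Slide 48's point that XML-style access control does not protect RDF/S data follows directly from the entailment rules of slide 49: withholding a triple achieves nothing if the triples still visible entail it. The Python program below is an example added to this transcript, not the author's code; it forward-chains the four listed rules (rdfs2, rdfs3, rdfs5, rdfs11, as written on slide 49) over the graph of slide 50 to a fixpoint, and `re_derivable` reports which hidden triples the rules give back anyway. The function names are this example's own.

```python
"""Forward chaining with the RDF/S entailment rules of slide 49 over the
slide 50 graph, and a check of which withheld triples are re-derivable."""

RDF_TYPE = "rdf:type"
SUBCLASS = "rdfs:subClassOf"
SUBPROP = "rdfs:subPropertyOf"
DOMAIN = "rdfs:domain"
RANGE = "rdfs:range"

# The six triples of slide 50.
GRAPH = {
    ("Student", SUBCLASS, "Person"),
    ("University", SUBCLASS, "GovAgency"),
    ("studiesAt", DOMAIN, "Student"),
    ("studiesAt", RANGE, "University"),
    ("studiesAt", SUBPROP, "memberAt"),
    ("John", "studiesAt", "USC"),
}


def apply_rules(triples):
    """One round of rdfs2, rdfs3, rdfs5 and rdfs11; returns only the new triples."""
    new = set()
    for (s1, p1, o1) in triples:
        for (s2, p2, o2) in triples:
            if p1 == DOMAIN and p2 == s1:                         # rdfs2
                new.add((s2, RDF_TYPE, o1))
            if p1 == RANGE and p2 == s1:                          # rdfs3
                new.add((o2, RDF_TYPE, o1))
            if p1 == SUBPROP and p2 == SUBPROP and o1 == s2:      # rdfs5
                new.add((s1, SUBPROP, o2))
            if p1 == SUBCLASS and p2 == SUBCLASS and o1 == s2:    # rdfs11
                new.add((s1, SUBCLASS, o2))
    return new - triples


def closure(triples):
    """Fixpoint: keep applying the rules until nothing new is entailed."""
    graph = set(triples)
    while True:
        new = apply_rules(graph)
        if not new:
            return graph
        graph |= new


def re_derivable(triples, hidden):
    """Triples withheld from a subject (an access decision on raw triples) that
    the entailment rules reconstruct from what the subject may still see."""
    return hidden & closure(triples - hidden)


if __name__ == "__main__":
    for t in sorted(closure(GRAPH) - GRAPH):
        print("entailed:", t)
    secret = {("John", RDF_TYPE, "Student")}
    print("leaks:", re_derivable(GRAPH, secret))      # the hidden triple comes back
```

On the slide 50 graph the closure adds exactly (John, rdf:type, Student) by rdfs2 and (USC, rdf:type, University) by rdfs3. Hiding the first of these is futile while (studiesAt, rdfs:domain, Student) and (John, studiesAt, USC) remain visible; hiding (John, studiesAt, USC) instead removes both derived facts, which is the kind of metadata-aware decision slide 46 calls "control access to metadata".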
