OFGAC For XML Documents
Observation-Based Fine Grained Access Control for XML Documents
Raju Halder, Agostino Cortesi
DAIS, Università Ca' Foscari Venezia, Italy
{halder, cortesi}@unive.it
CISIM'2011, Kolkata, India
Outline
- FGAC Vs. OFGAC
- Need of OFGAC: Motivating Example
- Policy Specifications under OFGAC
- OFGAC Approaches for XML
- Collusion Attacks
  - Multiple policies/Single abstraction
  - Single policy/Multiple abstraction
  - Multiple policies/Multiple abstraction
- Conclusions

FGAC Vs. OFGAC
- Traditional Access Control is coarse-grained and is applied at the file/document level. Problem: any XML file containing data with both public and private protection requirements has to be split.
- Fine Grained Access Control (FGAC) can be applied at a lower level, such as the individual attribute/element level.
- FGAC provides two views of the data: private/confidential and public/non-confidential. Problem: too restrictive and impractical in some real systems, where intentional leakage of the information to some extent is allowed.
Observation-based Fine Grained Access Control (OFGAC)
- Many applications need a partial or relaxed view of some confidential information. Example: access to a credit card number by Customer-Care personnel, where the last 4 digits are non-confidential and the remaining digits are confidential.
- We introduced Observation-based Fine Grained Access Control (OFGAC). Aim: provide access to sensitive information at various levels of abstraction, depending on its sensitivity level.
- OFGAC is based on the Abstract Interpretation framework.
A Motivating Example
A bank customer's XML record (element markup lost in extraction; values in document order: personal information, then account information, then credit card information):
140062 John Smith Via Pasini 62 Venezia Italy 30175 +39 3897745774
IT10G 02006 02003 000011115996 Savings 50000 4023 4581 8419 7835 12/15 165
Need of OFGAC: Motivating Example
Bank's Policy for Customer-Care Personnel:
- Credit Card No: "4023 4581 8419 7835" → "xxxx xxxx xxxx 7835".
- IBAN No: "IT10G 02006 02003 000011115996" → "ITxxx xxxxx xxxxx xxxxxxxxxxxx".
- Expiry dates and Secret Numbers of credit cards → fully sensitive.
- Deposited amounts in accounts → fully sensitive.
FGAC mechanisms are unable to implement this scenario. One possibility: split the partially sensitive element into two sub-elements, one with private privilege and the other with public privilege.
FGAC Policy Specifications
- Specified by a 5-tuple: ⟨Subject, Object, Action, Sign, Type⟩ (Damiani et al., 2002).
- Subject: identifiers or locations of the access requests. Example: ⟨Physicians, 159.101.*.*, *.hospital.com⟩.
- Object: Uniform Resource Identifier (URI) of the elements or attributes. Example: /BankCustomers/Customer/AccountInfo/IBAN
- Action: "read" or "write" or both.
- Sign: "+" → "allow access", and "-" → "forbid access".
- Type: DTD/instance level, local/recursive access, hard/soft, etc.
It provides only two choices, either "allow" or "forbid"; we call it Binary-based FGAC Policy for XML.
OFGAC Policy Specifications
- Specified by a 5-tuple: ⟨Subject, Object, Action, Abstraction, Type⟩.
- Abstraction: defined by the Galois Connection $(\wp(D^{con}_x), \alpha_x, \gamma_x, D^{abs}_x)$, where $\alpha_x : \wp(D^{con}_x) \to D^{abs}_x$ and $\gamma_x : D^{abs}_x \to \wp(D^{con}_x)$.

Rules for the customer-care subject. In every rule, Subject = ⟨customer-care, 159.56.*.*, *.Unicredit.it⟩ and Action = read; Type R = recursive, L = local.

Rule | Object                                            | Abstraction                                                                     | Type
R1   | /BankCustomers/Customer/PersInfo                  | $(\wp(D^{con}_x), id, id, \wp(D^{con}_x))$                                       | R
R2   | /BankCustomers/Customer/AccountInfo/IBAN          | $(\wp(D^{con}_{iban}), \alpha_{iban}, \gamma_{iban}, D^{abs}_{iban})$            | L
R3   | /BankCustomers/Customer/AccountInfo/type          | $(\wp(D^{con}_{type}), id, id, \wp(D^{con}_{type}))$                             | L
R4   | /BankCustomers/Customer/AccountInfo/amount        | $(\wp(D^{con}_{amount}), \alpha_\top, \gamma_\top, \{\top\})$                    | L
R5   | /BankCustomers/Customer/CreditCardInfo/CardNo     | $(\wp(D^{con}_{CardNo}), \alpha_{CardNo}, \gamma_{CardNo}, D^{abs}_{CardNo})$    | L
R6   | /BankCustomers/Customer/CreditCardInfo/ExpiryDate | $(\wp(D^{con}_{ExDate}), \alpha_\top, \gamma_\top, \{\top\})$                    | L

Abstraction Functions for "IBAN" and "SecretNo":
$\alpha_{CardNo}(\{d_i : i \in [1 \ldots 16]\}) = {*}{*}{*}{*}\ {*}{*}{*}{*}\ {*}{*}{*}{*}\ d_{13} d_{14} d_{15} d_{16}$
$\alpha_\top(X) = \top$, where $X$ is a set of concrete values and $\top$ is the top-most element of the corresponding abstract lattice.
Approaches: FGAC Vs. OFGAC
Possible FGAC approaches: view-based, NFA-based, RDBMS-based, etc.
Figure: FGAC_XML(p) and OFGAC_XML(op) on XML map, via flattening, to FGAC_RD(p) and OFGAC_RD(op) on an RDBMS; FGAC gives binary (0/1) access control, OFGAC gives tunable access control.
View-based OFGAC approach
For each subject, separate views are generated w.r.t. the access rules associated with the subject. The customer-care view of the example document (⊤ denotes a fully hidden value):
140062 John Smith Via Pasini 62 Venezia Italy 30175 +39 3897745774
IT*** ***** ***** ************ Savings ⊤ **** **** **** 7835 ⊤ ⊤
XML Query: $Q_{xml}$ = /BankCustomers/Customer/AccountInfo[@type = "Savings"]
Result of the XML query on the view: IT*** ***** ***** ************ Savings ⊤
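As an added example (not code from the paper), the customer-care view above and the rule table R1..R6 can be realised by a small view-based OFGAC filter: each rule maps an element path to an abstraction function, the view is an abstracted copy of the document, and queries are evaluated against the view rather than the original. The PersInfo child tag Name, the XML wrapping of the sample values, and the deny-by-default treatment of leaves no rule covers (SecretNo) are assumptions made here.

```python
import copy
import xml.etree.ElementTree as ET
TOP = "\u22a4"  # top element of an abstract lattice (printed as ⊤)

def alpha_id(value):      # (P(D), id, id, P(D)): the value stays observable
    return value
def alpha_top(_value):    # (P(D), alpha_T, gamma_T, {T}): fully sensitive
    return TOP
def alpha_cardno(value):  # alpha_CardNo: mask d1..d12, keep d13..d16
    digits = [c for c in value if c.isdigit()]
    if len(digits) != 16:
        raise ValueError("CardNo must carry 16 digits")
    masked = ["*"] * 12 + digits[12:]
    return " ".join("".join(masked[i:i + 4]) for i in range(0, 16, 4))
def alpha_iban(value):    # alpha_iban: keep the country code, mask the rest
    return "".join(c if c == " " or i < 2 else "*" for i, c in enumerate(value))

# Customer-care policy: the paper's read rules R1..R6 (R1 recursive, others local).
CUSTOMER_CARE = {
    "./Customer/PersInfo": alpha_id,                    # R1
    "./Customer/AccountInfo/IBAN": alpha_iban,          # R2
    "./Customer/AccountInfo/type": alpha_id,            # R3
    "./Customer/AccountInfo/amount": alpha_top,         # R4
    "./Customer/CreditCardInfo/CardNo": alpha_cardno,   # R5
    "./Customer/CreditCardInfo/ExpiryDate": alpha_top,  # R6
}

def build_view(root, policy, default=alpha_top):
    """Copy `root`, replacing each leaf text by alpha(text) per `policy`; leaves
    no rule covers (e.g. SecretNo) get `default`: deny by default (our assumption)."""
    view, covered = copy.deepcopy(root), set()
    for path, alpha in policy.items():
        for node in view.findall(path):
            for leaf in node.iter():          # the node itself and its subtree
                if len(leaf) == 0 and leaf.text:
                    leaf.text = alpha(leaf.text.strip())
                    covered.add(leaf)
    for leaf in view.iter():                  # every leaf no rule matched
        if len(leaf) == 0 and leaf.text and leaf not in covered:
            leaf.text = default(leaf.text)
    return view

def query_view(view, xpath):  # queries run on the view, never on the original
    return [n.text for n in view.findall(xpath)]
# Constructed sample from the paper's values; the Name tag is ours, not the paper's.
SAMPLE = ET.fromstring(
    "<BankCustomers><Customer><PersInfo><Name>John Smith</Name></PersInfo><AccountInfo>"
    "<IBAN>IT10G 02006 02003 000011115996</IBAN><type>Savings</type><amount>50000</amount>"
    "</AccountInfo><CreditCardInfo><CardNo>4023 4581 8419 7835</CardNo><ExpiryDate>12/15"
    "</ExpiryDate><SecretNo>165</SecretNo></CreditCardInfo></Customer></BankCustomers>")
```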
RDBMS-based OFGAC approach
Table: The equivalent relational database representation of the XML code (one table per element name; pid is the parent's id)
(a) "BankCustomers":  id BC1 | pid null | rule -
(b) "Customer":       id C1  | pid BC1  | rule -
(c) "PersInfo":       id PI1 | pid C1   | rule R1
(d) "AccountInfo":    id AI1 | pid C1   | rule -
(e) "CreditCardInfo": id CI1 | pid C1   | rule -
(f) "IBAN":           id IB1 | pid AI1  | val IT10G 02006 02003 000011115996 | rule R2
(g) "type":           id TP1 | pid AI1  | val Savings                        | rule R3
(h) "amount":         id AM1 | pid AI1  | val 5000                           | rule R4
(i) "CardNo":         id CN1 | pid CI1  | val 4023 4581 8419 7835            | rule R5
(j) "ExpiryDate":     id EX1 | pid CI1  | val 12/15                          | rule R6
RDBMS-based OFGAC approach
Query in XML format: $Q_{xml}$ = /BankCustomers/Customer/AccountInfo[@type = "Savings"]/IBAN
Query in SQL format:
$Q_{rdb}$ = SELECT Ch_No.val FROM IBAN Ch_No, type Ch_Tp, AccountInfo P_AccInfo, Cust P_Cust, BankCust P_BCust WHERE (Ch_No.pid = P_AccInfo.id AND Ch_Tp.pid = P_AccInfo.id AND Ch_Tp.val = "Savings") AND P_AccInfo.pid = P_Cust.id AND P_Cust.pid = P_BCust.id
Result (applying the SQL query on the RDBMS under OFGAC): val IT*** ***** ***** ************
Collusion Attacks: Multiple policies/Single abstraction
- n observers $O_1, \ldots, O_n$ under n different policies $op_1, \ldots, op_n$.
- $\sigma_{op_i}$: concrete XML database state under policy $op_i$.
- $\sigma^\sharp_{op_i} = \alpha(\sigma_{op_i})$: abstract XML database state.
Figure: observers $O_1$, $O_2$, $O_3$ under policies $op_1$, $op_2$, $op_3$, each seeing the database through the same abstraction $\alpha$.
- Let $\sigma^\sharp_{op} = \{\sigma^\sharp_l, \sigma^\sharp_h\}$ and $\sigma^\sharp_{op'} = \{\sigma^\sharp_{l'}, \sigma^\sharp_{h'}\}$ under $op$ and $op'$ respectively. The XML database state $\sigma^\sharp_{op \bullet op'}$ under the combined policies is
  $\sigma^\sharp_{op \bullet op'} = \{((\sigma^\sharp_l \cup \sigma^\sharp_h) - (\sigma^\sharp_h \cap \sigma^\sharp_{h'})),\ (\sigma^\sharp_h \cap \sigma^\sharp_{h'})\}$
- After collusion, the observer can infer the values belonging to the public part $(\sigma^\sharp_l \cup \sigma^\sharp_h) - (\sigma^\sharp_h \cap \sigma^\sharp_{h'})$.
Figure: Combination of policies $op$, $op'$ and $op \bullet op'$.
Collusion Attacks: Single policy/Multiple abstraction
- n different observers $O_1, \ldots, O_n$ under the same policy $op$.
- Different levels of abstraction for different observers $O_i$.
- The result of a query for the observer with the higher abstraction contains less precise information than that for the observer with the lower abstraction.
Figure: two observers under the same policy $op$, one seeing the database through $\alpha_1$ and the other through $\alpha_2$.
- Suppose $D^{abs}_2$ is an abstraction of $D^{abs}_1$.
- When $O_1$ and $O_2$ collude, $O_2$ can obtain sensitive information at a lower abstraction from the result of $O_1$.
- But no real collusion may arise: the overall information available to $O_1$ and $O_2$ together is at most as precise as that available to $O_1$.
Figure: $O_1$ (domain $D^{abs}_1$, result $\xi_1$) and $O_2$ (domain $D^{abs}_2$, result $\xi_2$) issue the same query $Q$ under policy $op$; the common part of the two results.
Single policy/Multiple abstraction: an example
- Let the sensitive values in an XML file be $\langle 5, 0, 2, 3, 1 \rangle$.
- $O_1$ (abstract) $\to$ $\langle [4,5], [0,1], [2,3], [2,3], [0,1] \rangle$
- $O_2$ (abstract) $\to$ $\langle ODD, EVEN, EVEN, ODD, ODD \rangle$.
- When $O_1$ and $O_2$ collude, they infer $\langle 5, 0, 2, 3, 1 \rangle$ by combining the query results containing the above lists.
Figure: Combined lattice of DOM and PAR: the parities EVEN and ODD and the intervals $[0,1], [2,3], [4,5], \ldots, [2n, 2n+1]$ over the concrete values $0, 1, 2, 3, \ldots, 2n, 2n+1$, with $\bot$ at the bottom.

Definition. An OFGAC under the Single policy/Multiple level abstraction scenario is collusion-prone if the OFGAC uses n different abstract domains $D^{abs}_1, \ldots, D^{abs}_n$ for n different observers and $\exists \{d_i, \ldots, d_j\} \in D^{abs}_i \times \cdots \times D^{abs}_j$ for $\{i, \ldots, j\} \subseteq \{1, \ldots, n\}$ such that $\bigcap_{k \in \{i, \ldots, j\}} \gamma(d_k) = \{e\}$ while $\forall k \in \{i, \ldots, j\}$, $\gamma(d_k) \neq \{e\}$.

Theorem. Consider an OFGAC using n different abstract domains $D^{abs}_1, \ldots, D^{abs}_n$ for n different observers under the same policy. Let $D_R$ be the reduced product of $\{D^{abs}_1, \ldots, D^{abs}_n\}$. If $D_R$ is isomorphic to $\gamma(D_R)$, then the OFGAC is collusion-prone.
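To make the definition concrete, here is an added example (not the authors' code) that models DOM as intervals [2n, 2n+1] and PAR as parity over a constructed concrete domain 0..7, reconstructs ⟨5, 0, 2, 3, 1⟩ from the two observers' results by intersecting concretizations, and checks the collusion-prone condition by enumerating tuples of abstract values. A coarser interval domain DOM4 ([4n, 4n+3], our addition) illustrates the earlier point that no real collusion arises when one domain is an abstraction of the other.

```python
from itertools import product

CONCRETE = range(8)  # constructed concrete domain: the small integers 0..7

# DOM: intervals [2n, 2n+1]; PAR: parities.  DOM4 ([4n, 4n+3]) is a coarser
# domain that abstracts DOM, used below for the case that is not collusion-prone.
def alpha_interval(v):
    return (v - v % 2, v - v % 2 + 1)
def alpha_interval4(v):
    return (v - v % 4, v - v % 4 + 3)
def gamma_interval(d):
    return {v for v in CONCRETE if d[0] <= v <= d[1]}
def alpha_parity(v):
    return "EVEN" if v % 2 == 0 else "ODD"
def gamma_parity(d):
    return {v for v in CONCRETE if alpha_parity(v) == d}

DOM = {"elements": sorted({alpha_interval(v) for v in CONCRETE}), "gamma": gamma_interval}
DOM4 = {"elements": sorted({alpha_interval4(v) for v in CONCRETE}), "gamma": gamma_interval}
PAR = {"elements": ["EVEN", "ODD"], "gamma": gamma_parity}

def observe(alpha, values):
    """What one observer sees: the same query result through its own alpha."""
    return tuple(alpha(v) for v in values)

def collude(observations, gammas):
    """Colluding observers intersect their concretizations position by position."""
    result = []
    for column in zip(*observations):
        common = set(CONCRETE)
        for d, gamma in zip(column, gammas):
            common &= gamma(d)
        result.append(common)
    return result

def is_collusion_prone(domains):
    """The slides' definition: some tuple of abstract values, none of which is a
    singleton under gamma on its own, has a singleton joint concretization {e}."""
    for combo in product(*[d["elements"] for d in domains]):
        concs = [d["gamma"](x) for d, x in zip(domains, combo)]
        joint = set.intersection(*concs)
        if len(joint) == 1 and all(len(c) != 1 for c in concs):
            return True, combo, joint   # witness: the colluding abstract values
    return False, None, None

def demo():  # the slides' example: O1 uses DOM, O2 uses PAR, same policy
    secret = (5, 0, 2, 3, 1)
    o1 = observe(alpha_interval, secret)  # ([4,5],[0,1],[2,3],[2,3],[0,1])
    o2 = observe(alpha_parity, secret)    # (ODD, EVEN, EVEN, ODD, ODD)
    return collude([o1, o2], [gamma_interval, gamma_parity])
```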
Collusion Attacks: Multiple policies/Multiple abstraction
- n observers $O_1, \ldots, O_n$ under n different policies $op_1, \ldots, op_n$.
- Abstract XML database state $\sigma^\sharp_{op_i} = \alpha_i(\sigma_{op_i})$ for $i = 1, \ldots, n$.
- Observers collude and act as the observer under the combined policies, or try to infer confidential information by combining query results.
Figure: observers $O_1$, $O_2$, $O_3$ under policies $op_1$, $op_2$, $op_3$, each with its own abstraction $\alpha_1$, $\alpha_2$, $\alpha_3$.
Conclusions
- We extended the notion of Observation-based Fine Grained Access Control (OFGAC), on top of fine grained access control, to the context of XML documents.
- Confidential information is abstracted by its observable properties.
- The traditional FGAC can be seen as a special case of our OFGAC.

Suggestions please!

Thank you for your attention!