OFGAC For XML Documents

Observation-Based Fine Grained Access Control for XML Documents
Raju Halder, Agostino Cortesi
DAIS, Università Ca' Foscari Venezia, Italy
{halder, cortesi}@unive.it

CISIM’2011, Kolkata, India


Outline

- FGAC Vs. OFGAC
- Need of OFGAC: Motivating Example
- Policy Specifications under OFGAC
- OFGAC Approaches for XML
- Collusion Attacks
  - Multiple policies/Single abstraction
  - Single policy/Multiple abstraction
  - Multiple policies/Multiple abstraction
- Conclusions


FGAC Vs. OFGAC

- Traditional access control is coarse-grained and is applied at the file/document level. Problem: any XML file containing data with both public and private protection requirements has to be split.
- Fine Grained Access Control (FGAC) can be applied at a lower level, such as the individual attribute/element level.
- FGAC provides two views of the data: private/confidential and public/non-confidential. Problem: too restrictive and impractical in some real systems, where intentional leakage of the information to some extent is allowed.


Observation-based Fine Grained Access Control (OFGAC)

- Many applications need a partial or relaxed view of some confidential information. Example: access to a credit card number by customer-care personnel, where the last 4 digits are non-confidential and the remaining digits are confidential.
- We introduced Observation-based Fine Grained Access Control (OFGAC). Aim: provide access to sensitive information at various levels of abstraction, depending on its sensitivity level.
- OFGAC is based on the Abstract Interpretation framework.


A Motivating Example

140062 John Smith
Via Pasini 62 Venezia Italy 30175
+39 3897745774


IT10G 02006 02003 000011115996 Savings 50000 4023 4581 8419 7835 12/15 165



Need of OFGAC: Motivating Example

Bank's policy for customer-care personnel:

- Credit card no.: "4023 4581 8419 7835" → "xxxx xxxx xxxx 7835".
- IBAN no.: "IT10G 02006 02003 000011115996" → "ITxxx xxxxx xxxxx xxxxxxxxxxxx".
- Expiry dates and secret numbers of credit cards → fully sensitive.
- Deposited amounts in accounts → fully sensitive.

FGAC mechanisms are unable to implement this scenario. One possibility: split the partially sensitive element into two sub-elements, one with private privilege and the other with public privilege.

Policy Specifications under OFGAC

FGAC Policy Specifications

- Specified by a 5-tuple ⟨Subject, Object, Action, Sign, Type⟩ (Damiani et al., 2002).
- Subject: identifiers or locations of the access requests. Example: ⟨Physicians, 159.101.*.*, *.hospital.com⟩.
- Object: Uniform Resource Identifier (URI) of the elements or attributes. Example: /BankCustomers/Customer/AccountInfo/IBAN.
- Action: "read" or "write" or both.
- Sign: "+" → "allow access", "-" → "forbid access".
- Type: DTD/instance level, local/recursive access, hard/soft, etc.

It provides only two choices, either "allow" or "forbid"; we call it Binary-based FGAC Policy for XML.


OFGAC Policy Specifications

- Specified by a 5-tuple ⟨Subject, Object, Action, Abstraction, Type⟩.
- Abstraction: defined by the Galois connection $(\wp(D^{con}_x), \alpha_x, \gamma_x, D^{abs}_x)$, where $\alpha_x : \wp(D^{con}_x) \to D^{abs}_x$ and $\gamma_x : D^{abs}_x \to \wp(D^{con}_x)$.

| Rule | Subject | Object | Action | Abstraction | Type |
|---|---|---|---|---|---|
| R1 | customer-care, 159.56.*.*, *.Unicredit.it | /BankCustomers/Customer/PersInfo | read | $(\wp(D^{con}_x), id, id, \wp(D^{con}_x))$ | R |
| R2 | customer-care, 159.56.*.*, *.Unicredit.it | /BankCustomers/Customer/AccountInfo/IBAN | read | $(\wp(D^{con}_{iban}), \alpha_{iban}, \gamma_{iban}, D^{abs}_{iban})$ | L |
| R3 | customer-care, 159.56.*.*, *.Unicredit.it | /BankCustomers/Customer/AccountInfo/type | read | $(\wp(D^{con}_{type}), id, id, \wp(D^{con}_{type}))$ | L |
| R4 | customer-care, 159.56.*.*, *.Unicredit.it | /BankCustomers/Customer/AccountInfo/amount | read | $(\wp(D^{con}_{amount}), \alpha_\top, \gamma_\top, \{\top\})$ | L |
| R5 | customer-care, 159.56.*.*, *.Unicredit.it | /BankCustomers/Customer/CreditCardInfo/CardNo | read | $(\wp(D^{con}_{CardNo}), \alpha_{CardNo}, \gamma_{CardNo}, D^{abs}_{CardNo})$ | L |
| R6 | customer-care, 159.56.*.*, *.Unicredit.it | /BankCustomers/Customer/CreditCardInfo/ExpiryDate | read | $(\wp(D^{con}_{ExDate}), \alpha_\top, \gamma_\top, \{\top\})$ | L |


OFGAC Policy Specifications

Abstraction function for "IBAN" and "SecretNo":

$\alpha_{CardNo}(\{d_i : i \in [1 \ldots 16]\}) = {*}{*}{*}{*}\;{*}{*}{*}{*}\;{*}{*}{*}{*}\;d_{13}\,d_{14}\,d_{15}\,d_{16}$

$\alpha_\top(X) = \top$

where $X$ is a set of concrete values and $\top$ is the top-most element of the corresponding abstract lattice.

OFGAC Approaches for XML

Approaches: FGAC Vs. OFGAC

Possible FGAC approaches: view-based, NFA-based, RDBMS-based, etc.

Figure: OFGAC_XML(op) and FGAC_XML(p) on XML (tunable access control vs. binary (0/1) access control), related by flattening and mapping to OFGAC_RD(op) and FGAC_RD(p) on an RDBMS.


View-based OFGAC approach

For each subject, a separate view is generated w.r.t. the access rules associated with that subject:

140062 John Smith
Via Pasini 62 Venezia Italy 30175
+39 3897745774


IT*** ***** ***** ************ Savings ⊤ **** **** **** 7835 ⊤ ⊤



View-based OFGAC approach

XML query: $Q_{xml}$ = /BankCustomers/Customer/AccountInfo[@type = "Savings"]

Result of the XML query on the view: IT*** ***** ***** ************ Savings ⊤
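The view-based approach and the policy rules R1 to R6, as an added Python example (not the authors' code): the document is copied, every leaf value is replaced by the image of its rule's abstraction function, and the query is answered on the resulting view. Assumptions: the element names inside PersInfo (Id, Name, Address, Phone) and the SecretNo element with its fully-sensitive rule are made up, since the slides show only text content; a leaf no rule covers is treated as fully sensitive (deny by default); and `type` is tested as a child element, as the policy table lists it, rather than as an attribute.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample document. The slides show only the text content of the
# XML, so the element names inside PersInfo (Id, Name, Address, Phone) and
# the SecretNo element are assumed; the other names come from the rule objects.
CUSTOMER_XML = """<BankCustomers>
  <Customer>
    <PersInfo>
      <Id>140062</Id>
      <Name>John Smith</Name>
      <Address>Via Pasini 62 Venezia Italy 30175</Address>
      <Phone>+39 3897745774</Phone>
    </PersInfo>
    <AccountInfo>
      <IBAN>IT10G 02006 02003 000011115996</IBAN>
      <type>Savings</type>
      <amount>50000</amount>
    </AccountInfo>
    <CreditCardInfo>
      <CardNo>4023 4581 8419 7835</CardNo>
      <ExpiryDate>12/15</ExpiryDate>
      <SecretNo>165</SecretNo>
    </CreditCardInfo>
  </Customer>
</BankCustomers>"""

TOP = "\u22a4"  # top element of every abstract lattice: nothing is revealed


def mask(value, keep_prefix=0, keep_suffix=0):
    """Replace every non-space character with '*' except a kept prefix/suffix."""
    end = len(value) - keep_suffix
    body = "".join(c if c == " " else "*" for c in value[keep_prefix:end])
    return value[:keep_prefix] + body + value[end:]


# Abstraction alpha_x of each rule, named after rules R1..R6 of the policy
# table; the SecretNo rule is assumed (the slides only call it fully sensitive).
def alpha_id(v):      return v                       # R1, R3: identity
def alpha_iban(v):    return mask(v, keep_prefix=2)  # R2: keep the country code
def alpha_top(v):     return TOP                     # R4, R6, SecretNo: fully sensitive
def alpha_cardno(v):  return mask(v, keep_suffix=4)  # R5: keep the last 4 digits


# (Subject, Object, Action, Abstraction, Type) for subject "customer-care".
# Type R applies to the whole subtree, L only to the named element.
POLICY = [
    ("customer-care", "/BankCustomers/Customer/PersInfo", "read", alpha_id, "R"),
    ("customer-care", "/BankCustomers/Customer/AccountInfo/IBAN", "read", alpha_iban, "L"),
    ("customer-care", "/BankCustomers/Customer/AccountInfo/type", "read", alpha_id, "L"),
    ("customer-care", "/BankCustomers/Customer/AccountInfo/amount", "read", alpha_top, "L"),
    ("customer-care", "/BankCustomers/Customer/CreditCardInfo/CardNo", "read", alpha_cardno, "L"),
    ("customer-care", "/BankCustomers/Customer/CreditCardInfo/ExpiryDate", "read", alpha_top, "L"),
    ("customer-care", "/BankCustomers/Customer/CreditCardInfo/SecretNo", "read", alpha_top, "L"),
]


def abstract_value(path, value, rules):
    for obj, alpha, typ in rules:
        if path == obj or (typ == "R" and path.startswith(obj + "/")):
            return alpha(value)
    return TOP  # assumed default: a leaf no rule covers is fully sensitive


def build_view(doc_root, subject, action="read"):
    """View-based OFGAC: copy the document and abstract every leaf value
    according to the subject's rules; the view is what gets queried."""
    view = copy.deepcopy(doc_root)
    rules = [(obj, alpha, typ) for subj, obj, act, alpha, typ in POLICY
             if subj == subject and act == action]

    def walk(elem, path):
        if len(elem) == 0:  # leaf element carrying a data value
            elem.text = abstract_value(path, elem.text or "", rules)
        for child in elem:
            walk(child, path + "/" + child.tag)

    walk(view, "/" + view.tag)
    return view


def customer_care_view():
    return build_view(ET.fromstring(CUSTOMER_XML), "customer-care")


def query_accounts(view, account_type):
    """Q_xml = /BankCustomers/Customer/AccountInfo[type = account_type], run on
    the view. The predicate is evaluated in Python instead of being spliced
    into an XPath string, so a caller-supplied value cannot alter the query."""
    return [{c.tag: c.text for c in acc}
            for acc in view.findall("./Customer/AccountInfo")
            if acc.findtext("type") == account_type]


if __name__ == "__main__":
    v = customer_care_view()
    print(ET.tostring(v, encoding="unicode"))
    print(query_accounts(v, "Savings"))
```

Because the view is built once per subject and the query never touches the concrete document, the only values that can reach the subject are images of the abstraction functions; the binary FGAC case is recovered by restricting every rule to `alpha_id` or `alpha_top`.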


RDBMS-based OFGAC approach

Table: The equivalent relational database representation of the XML code

| Table | id | pid | val | rule |
|---|---|---|---|---|
| (a) "BankCustomers" | BC1 | null | | - |
| (b) "Customer" | C1 | BC1 | | - |
| (c) "PersInfo" | PI1 | C1 | | R1 |
| (d) "AccountInfo" | AI1 | C1 | | - |
| (e) "CreditCardInfo" | CI1 | C1 | | - |
| (f) "IBAN" | IB1 | AI1 | IT10G 02006 02003 000011115996 | R2 |
| (g) "type" | TP1 | AI1 | Savings | R3 |
| (h) "amount" | AM1 | AI1 | 5000 | R4 |
| (i) "CardNo" | CN1 | CI1 | 4023 4581 8419 7835 | R5 |
| (j) "ExpiryDate" | EX1 | CI1 | 12/15 | R6 |


RDBMS-based OFGAC approach

Query in XML format: $Q_{xml}$ = /BankCustomers/Customer/AccountInfo[@type = "Savings"]/IBAN

Query in SQL format:

$Q_{rdb}$ = SELECT Ch_No.val
FROM IBAN Ch_No, type Ch_Tp, AccountInfo P_AccInfo, Cust P_Cust, BankCust P_BCust
WHERE (Ch_No.pid = P_AccInfo.id AND Ch_Tp.pid = P_AccInfo.id AND Ch_Tp.val = "Savings")
AND P_AccInfo.pid = P_Cust.id AND P_Cust.pid = P_BCust.id

Result (applying the SQL query on the RDBMS under OFGAC): val IT*** ***** ***** ************
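The RDBMS-based approach, as an added Python example (not the authors' code): the flattened tables above are loaded into an in-memory SQLite database, the slide's SQL query is run with a bound parameter, and the abstraction attached to each returned row's rule is applied before the value leaves the access-control layer. Table names follow the query (BankCust, Cust, AccountInfo, IBAN, type); the per-rule abstraction functions are assumed from the policy table, and a row with no rule is treated as fully sensitive.

```python
import sqlite3

# Constructed relational encoding of the slides' XML document: one table per
# element name, each row (id, pid, val, rule) as in the table above.
ROWS = {
    "BankCust":       [("BC1", None, None, None)],
    "Cust":           [("C1", "BC1", None, None)],
    "PersInfo":       [("PI1", "C1", None, "R1")],
    "AccountInfo":    [("AI1", "C1", None, None)],
    "CreditCardInfo": [("CI1", "C1", None, None)],
    "IBAN":           [("IB1", "AI1", "IT10G 02006 02003 000011115996", "R2")],
    "type":           [("TP1", "AI1", "Savings", "R3")],
    "amount":         [("AM1", "AI1", "5000", "R4")],
    "CardNo":         [("CN1", "CI1", "4023 4581 8419 7835", "R5")],
    "ExpiryDate":     [("EX1", "CI1", "12/15", "R6")],
}

TOP = "\u22a4"  # top element of the abstract lattice: nothing is revealed


def mask(value, keep_prefix=0, keep_suffix=0):
    """Replace every non-space character with '*' except a kept prefix/suffix."""
    end = len(value) - keep_suffix
    body = "".join(c if c == " " else "*" for c in value[keep_prefix:end])
    return value[:keep_prefix] + body + value[end:]


# Rule id -> abstraction function alpha_x, assumed from the policy table R1..R6.
ABSTRACTION = {
    "R1": lambda v: v,
    "R2": lambda v: mask(v, keep_prefix=2),   # IBAN: keep the country code
    "R3": lambda v: v,
    "R4": lambda v: TOP,                      # amount: fully sensitive
    "R5": lambda v: mask(v, keep_suffix=4),   # CardNo: keep the last 4 digits
    "R6": lambda v: TOP,                      # ExpiryDate: fully sensitive
}


def load_db():
    """Create the flattened tables in memory; identifiers are quoted because
    "type" is also a column-type keyword in some SQL dialects."""
    con = sqlite3.connect(":memory:")
    for table, rows in ROWS.items():
        con.execute(f'CREATE TABLE "{table}" '
                    '(id TEXT PRIMARY KEY, pid TEXT, val TEXT, rule TEXT)')
        con.executemany(f'INSERT INTO "{table}" VALUES (?, ?, ?, ?)', rows)
    return con


# Q_rdb from the slide, extended to also fetch the rule attached to the row and
# with the account type bound as a parameter instead of spliced into the text.
Q_RDB = """
SELECT Ch_No.val, Ch_No.rule
FROM IBAN Ch_No, "type" Ch_Tp, AccountInfo P_AccInfo, Cust P_Cust, BankCust P_BCust
WHERE Ch_No.pid = P_AccInfo.id AND Ch_Tp.pid = P_AccInfo.id AND Ch_Tp.val = ?
  AND P_AccInfo.pid = P_Cust.id AND P_Cust.pid = P_BCust.id
"""


def ofgac_query(con, account_type):
    """Run Q_rdb on the concrete tables and abstract each returned value with
    the function of its rule; a value with no rule is fully sensitive."""
    return [ABSTRACTION[rule](val) if rule else TOP
            for val, rule in con.execute(Q_RDB, (account_type,))]


if __name__ == "__main__":
    print(ofgac_query(load_db(), "Savings"))
```

The concrete value never appears in a result row: the abstraction is applied in the same function that executes the query, so adding a new element type means adding a row to `ROWS` and a rule to `ABSTRACTION`, not touching the query path.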

Collusion Attacks



Multiple policies/Single abstraction

- n observers $O_1, \ldots, O_n$ under n different policies $op_1, \ldots, op_n$.
- $\sigma_{op_i}$: concrete XML database state under policy $op_i$.
- $\sigma^\sharp_{op_i} = \alpha(\sigma_{op_i})$: abstract XML database state.

Figure: observers $O_1$, $O_2$, $O_3$ under policies $op_1$, $op_2$, $op_3$, all abstracted by the same $\alpha$.


Multiple policies/Single abstraction

- Let $\sigma^\sharp_{op} = \{\sigma^\sharp_l, \sigma^\sharp_h\}$ and $\sigma^\sharp_{op'} = \{\sigma^\sharp_{l'}, \sigma^\sharp_{h'}\}$ under $op$ and $op'$ respectively. XML database state $\sigma^\sharp_{op \bullet op'}$ under the combined policies:
  $\sigma^\sharp_{op \bullet op'} = \{((\sigma^\sharp_l \cup \sigma^\sharp_h) - (\sigma^\sharp_h \cap \sigma^\sharp_{h'})),\ (\sigma^\sharp_h \cap \sigma^\sharp_{h'})\}$
- After collusion, the observer can infer the values belonging to the public part $(\sigma^\sharp_l \cup \sigma^\sharp_h) - (\sigma^\sharp_h \cap \sigma^\sharp_{h'})$.

Figure: Combination of policies $op$, $op'$ and $op \bullet op'$


Single policy/Multiple abstraction

- n different observers $O_1, \ldots, O_n$ under the same policy $op$.
- Different levels of abstraction for different observers $O_i$.
- The result of a query for the observer with the higher abstraction contains less precise information than that for the observer with the lower abstraction.

Figure: two observers $O$ under the same policy $op$, abstracted by $\alpha_1$ and $\alpha_2$ respectively.


Single policy/Multiple abstraction

- Suppose $D^{abs}_2$ is an abstraction of $D^{abs}_1$.
- When $O_1$ and $O_2$ collude, $O_2$ can obtain sensitive information with lower abstraction from the result of $O_1$.
- But no real collusion may arise: the overall information available to $O_1$ and $O_2$ together is at most as precise as that available to $O_1$.

Figure: $O_1$ over $D^{abs}_1$ and $O_2$ over $D^{abs}_2$ issue the same query $Q$ under policy $op$ and obtain results $\xi_1$ and $\xi_2$, which share a common part.


Single policy/Multiple abstraction

- Let the sensitive values in an XML file be ⟨5, 0, 2, 3, 1⟩.
- $O_1$ observes (abstract) ⟨[4, 5], [0, 1], [2, 3], [2, 3], [0, 1]⟩.
- $O_2$ observes (abstract) ⟨ODD, EVEN, EVEN, ODD, ODD⟩.
- When $O_1$ and $O_2$ collude, they infer ⟨5, 0, 2, 3, 1⟩ by combining the query results containing the above lists.

Figure: Combined lattice of DOM and PAR, with abstract elements EVEN and ODD, the intervals [0,1], [2,3], [4,5], …, [2n, 2n+1], and the concrete values 0, 1, 2, 3, …, 2n, 2n+1.


Single policy/Multiple abstraction

Definition. An OFGAC under the Single policy/Multiple level abstraction scenario is collusion-prone if the OFGAC uses n different abstract domains $D^{abs}_1, \ldots, D^{abs}_n$ for n different observers and $\exists \{d_i, \ldots, d_j\} \in D^{abs}_i \times \cdots \times D^{abs}_j$ for $\{i, \ldots, j\} \subseteq \{1, \ldots, n\}$ such that $\bigcap_{k \in \{i, \ldots, j\}} \gamma(d_k) = \{e\}$ while $\forall k \in \{i, \ldots, j\},\ \gamma(d_k) \neq \{e\}$.

Theorem. Consider an OFGAC using n different abstract domains $D^{abs}_1, \ldots, D^{abs}_n$ for n different observers under the same policy. Let $D_R$ be the reduced product of $\{D^{abs}_1, \ldots, D^{abs}_n\}$. If $D_R$ is isomorphic to $\gamma(D_R)$, then the OFGAC is collusion-prone.
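The ⟨5, 0, 2, 3, 1⟩ example and the collusion-proneness definition above, as an added Python example (not the authors' code), over a constructed finite concrete domain 0..9. DOM is modelled as the interval domain [2n, 2n+1], PAR as parity, and a third, coarser interval domain QUAD ([4n, 4n+3], an assumed abstraction of DOM) stands in for the "$D^{abs}_2$ is an abstraction of $D^{abs}_1$" case. What colluding observers learn is computed as the intersection of their concretizations, position by position, which is the reduced product of the domains; the definition is then checked by enumerating every tuple of abstract elements.

```python
from itertools import product

UNIVERSE = range(0, 10)  # constructed finite concrete domain of sensitive values


# Each abstract domain is a pair (alpha, gamma): alpha maps a concrete value to
# an abstract element, gamma maps an abstract element to the set of concrete
# values it may stand for. Abstract elements are tuples or strings (hashable).
def alpha_dom(v):            # DOM: intervals [2n, 2n+1]
    return (v - v % 2, v - v % 2 + 1)

def gamma_dom(a):
    return {v for v in UNIVERSE if a[0] <= v <= a[1]}

def alpha_par(v):            # PAR: parity
    return "EVEN" if v % 2 == 0 else "ODD"

def gamma_par(a):
    return {v for v in UNIVERSE if alpha_par(v) == a}

def alpha_quad(v):           # QUAD (assumed): intervals [4n, 4n+3], an abstraction of DOM
    return (v - v % 4, v - v % 4 + 3)

def gamma_quad(a):
    return {v for v in UNIVERSE if a[0] <= v <= a[1]}

DOM = (alpha_dom, gamma_dom)
PAR = (alpha_par, gamma_par)
QUAD = (alpha_quad, gamma_quad)


def observe(values, domain):
    """What an observer on `domain` receives for a query returning `values`."""
    alpha, _ = domain
    return [alpha(v) for v in values]


def collude(observations):
    """Combine the results several observers got for the same query.
    observations: list of (domain, abstract values). For each position the
    concretizations are intersected: the set of concrete values consistent
    with everything the colluding observers saw."""
    length = len(observations[0][1])
    combined = []
    for i in range(length):
        possible = set(UNIVERSE)
        for (_, gamma), abstract in observations:
            possible &= gamma(abstract[i])
        combined.append(possible)
    return combined


def is_collusion_prone(domains):
    """The definition from the slides: some tuple of abstract elements, one per
    domain, concretizes jointly to a single value {e} although no element of
    the tuple concretizes to {e} on its own."""
    elements = [{alpha(v) for v in UNIVERSE} for alpha, _ in domains]
    for tup in product(*elements):
        joint = set(UNIVERSE)
        for (_, gamma), a in zip(domains, tup):
            joint &= gamma(a)
        if len(joint) == 1 and all(gamma(a) != joint
                                   for (_, gamma), a in zip(domains, tup)):
            return True
    return False


if __name__ == "__main__":
    values = [5, 0, 2, 3, 1]
    o1, o2 = observe(values, DOM), observe(values, PAR)
    print("O1 sees", o1)
    print("O2 sees", o2)
    print("colluding, they infer", collude([(DOM, o1), (PAR, o2)]))
    print("DOM + PAR collusion-prone:", is_collusion_prone([DOM, PAR]))
    print("DOM + QUAD collusion-prone:", is_collusion_prone([DOM, QUAD]))
```

With DOM and PAR every position collapses to a singleton, so the pair is collusion-prone; with DOM and QUAD the intersection never gets below the DOM interval, matching the claim that when one domain abstracts the other, the colluding observers learn nothing beyond what the less abstract observer already had. The check is exhaustive over the abstract elements, which is fine for small finite domains and is the natural unit test to run when a new abstract domain is added to a deployment.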


Multiple policies/Multiple abstraction

- n observers $O_1, \ldots, O_n$ under n different policies $op_1, \ldots, op_n$.
- Abstract XML database state $\sigma^\sharp_{op_i} = \alpha_i(\sigma_{op_i})$ for $i = 1, \ldots, n$.
- Observers collude and act as the observer under the combined policies, or try to infer confidential information by combining query results.

Figure: observers $O_1$, $O_2$, $O_3$ under policies $op_1$, $op_2$, $op_3$ with abstractions $\alpha_1$, $\alpha_2$, $\alpha_3$.


Conclusions

- We extended the notion of Observation-based Fine Grained Access Control (OFGAC), built on top of fine grained access control, to the context of XML documents.
- Confidential information is abstracted by its observable properties.
- Traditional FGAC can be seen as a special case of our OFGAC.


Suggestions Please !!!!


Thank you for your attention !
