
QFilter: rewriting insecure XML queries to secure ones using non-deterministic finite automata

Regular Paper, The VLDB Journal

Abstract

In this paper, we ask whether XML access control can be supported when the underlying (XML or relational) storage system does not provide adequate security features, and we propose three alternative solutions: primitive, pre-processing, and post-processing. For that scenario, in particular, we advocate a scalable and effective pre-processing approach called QFilter. QFilter is based on non-deterministic finite automata (NFA) and rewrites users' queries such that the parts violating access control rules are pre-pruned. Through analysis and experimental validation, we show that (1) QFilter guarantees that only the permissible portion of the data is returned to authorized users, (2) such access controls can be enforced efficiently without relying on the security features of the underlying storage system, and (3) this independence makes QFilter suitable for many emerging applications, such as in-network access control and access control outsourcing.
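The NFA-based rewriting the abstract describes, as an added illustration that is not the paper's QFilter implementation: positive access control rules are compiled into an NFA (one branch per rule, with a self-loop for `//`), a user's XPath query is run through it, and the query is either passed, narrowed to the permitted sub-paths, or pruned entirely. The XMark-style rules and queries are constructed for this example, and queries here are limited to element names and `*` steps.

```python
import re

def _steps(path):
    """Tokenise an XPath location path; '//' is kept as its own step."""
    return [t for t in re.findall(r"//|/|[^/]+", path) if t != "/"]

def _render(steps):
    """Join steps back into a path; a '//' step carries its own slashes."""
    return "".join(s if s == "//" else "/" + s for s in steps).replace("///", "//")

def _match(rule_step, q):
    """A query step matches a rule step if either is '*' or the names agree."""
    return rule_step == "*" or q == "*" or rule_step == q

def rewrite(query, acrs):
    """Run `query` (steps: element names or '*') through the NFA built from the
    positive access control rules `acrs` (names, '*' or '//'). Returns the query
    narrowed to the permitted data as a '|' union, or None if fully pruned."""
    rules = [_steps(a) for a in acrs]
    # NFA configuration: (rule index, position in that rule, output path so far)
    configs = {(r, 0, ()) for r in range(len(rules))}
    for q in _steps(query):
        nxt = set()
        for r, pos, out in configs:
            rule = rules[r]
            if pos == len(rule):                 # already inside a permitted subtree
                nxt.add((r, pos, out + (q,)))
            elif rule[pos] == "//":              # descendant step: self-loop on any label
                nxt.add((r, pos, out + (q,)))    # ... and also try the step after '//'
                if pos + 1 < len(rule) and _match(rule[pos + 1], q):
                    nxt.add((r, pos + 2, out + (rule[pos + 1] if q == "*" else q,)))
            elif _match(rule[pos], q):           # a '*' in the query narrows to the rule label
                nxt.add((r, pos + 1, out + (rule[pos] if q == "*" else q,)))
        configs = nxt
    if not configs:
        return None                              # no rule covers any part: prune the query
    # a live rule with steps left means the query asks for more than is permitted:
    # append the remaining rule steps so only the accessible sub-paths are fetched
    paths = {out + tuple(rules[r][pos:]) for r, pos, out in configs}
    # drop paths that merely extend another result (already inside its subtree)
    keep = [p for p in paths if not any(o != p and p[:len(o)] == o for o in paths)]
    return " | ".join(sorted(_render(p) for p in keep))

# constructed XMark-style rules for the demo, not the paper's own
ACRS = ["/site/people/person/name", "/site/regions//item/name"]

if __name__ == "__main__":
    for qry in ["/site/people", "/site/*", "/site/people/person/creditcard"]:
        print(qry, "->", rewrite(qry, ACRS))
```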


References

  1. Ayyagari, P., Mitra, P., Lee, D., Liu, P., Lee, W.C.: Incremental adaptation of XPath access control views. In: ASIACCS '07: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, pp. 105–116 (2007)

  2. Berglund, A., Boag, S., Chamberlin, D., Fernández, M.F., Kay, M., Robie, J., Siméon, J.: XML Path Language (XPath) 2.0. W3C Working Draft (2003). http://www.w3.org/TR/xpath20

  3. Bertino, E., Castano, S., Ferrari, E.: Securing XML documents with Author-X. IEEE Int. Comput. 5(3), 21–31 (2001)

  4. Bertino, E., Ferrari, E.: Secure and selective dissemination of XML documents. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(3), 290–331 (2002)

  5. Boag, S., Chamberlin, D., Fernández, M.F., Florescu, D., Robie, J., Siméon, J.: XQuery 1.0: An XML Query Language. W3C Working Draft (2003). http://www.w3.org/TR/xquery

  6. Bouganim, L., Ngoc, F.D., Pucheral, P.: Client-based access control management for XML documents. In: VLDB. Toronto, Canada (2004)

  7. Bravo, L., Cheney, J., Fundulaki, I.: ACCOn: checking consistency of XML write-access control policies. In: Proceedings of the 11th International Conference on Extending Database Technology, pp. 715–719 (2008)

  8. Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., Yergeau, F.: Extensible Markup Language (XML) 1.0, 5th edn. (2008)

  9. Cho, S., Amer-Yahia, S., Lakshmanan, L.V., Srivastava, D.: Optimizing the secure evaluation of Twig queries. In: VLDB. Hong Kong, China (2002)

  10. Choi, B.: What are real DTDs like? In: WebDB (2002)

  11. Cuppens, F., Cuppens-Boulahia, N., Sans, T.: Protection of relationships in XML documents with the XML-BB model. In: First International Conference on Information Systems Security (ICISS), pp. 148–163 (2005)

  12. Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., Samarati, P.: A fine-grained access control system for XML documents. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(2), 169–202 (2002)

  13. Damiani, E., Fansi, M., Gabillon, A., Marrara, S.: Securely updating XML. In: Knowledge-Based Intelligent Information and Engineering Systems, 11th International Conference (KES), pp. 1098–1106 (2007)

  14. Damiani, E., Fansi, M., Gabillon, A., Marrara, S.: A general approach to securely querying XML. Comput. Stand. Interfaces 30(6), 379–389 (2008)

  15. Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., Samarati, P.: Securing XML documents. In: 7th International Conference on Extending Database Technology, pp. 121–135 (2000)

  16. Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., Samarati, P.: Design and implementation of an access control processor for XML documents. Comput. Netw. 33(6), 59–75 (2000)

  17. Diao, Y., Franklin, M.J.: High-performance XML filtering: an overview of YFilter. IEEE Data Eng. Bull. (2003)

  18. Fan, W., Chan, C.Y., Garofalakis, M.: Secure XML querying with security views. In: SIGMOD '04: Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data, pp. 587–598. ACM Press, New York (2004). http://doi.acm.org/10.1145/1007568.1007634

  19. Fernandez, E., Gudes, E., Song, H.: A model of evaluation and administration of security in object-oriented databases. IEEE Trans. Knowl. Data Eng. (TKDE) 6(2), 275–292 (1994)

  20. Finance, B., Medjdoub, S., Pucheral, P.: The case for access control on XML relationships. In: 14th ACM International Conference on Information and Knowledge Management, pp. 107–114 (2005)

  21. Fundulaki, I., Maneth, S.: Formalizing XML access control for update operations. In: 12th ACM Symposium on Access Control Models and Technologies, pp. 169–174 (2007)

  22. Fundulaki, I., Marx, M.: Specifying access control policies for XML documents with XPath. In: Ninth ACM Symposium on Access Control Models and Technologies, pp. 61–69 (2004)

  23. Gabillon, A.: An authorization model for XML databases. In: 2004 Workshop on Secure Web Services, pp. 16–28 (2004)

  24. Gabillon, A., Bruno, E.: Regulating access to XML documents. In: DAS '01: Proceedings of the Fifteenth Annual Working Conference on Database and Application Security, pp. 299–314. Kluwer Academic Publishers, Norwell (2002)

  25. Godik, S., Moses, T. (eds.): eXtensible Access Control Markup Language (XACML) Version 1.0. OASIS Specification Set (2003). http://www.oasis-open.org/committees/xacml/repository/

  26. Hopcroft, J.E., Motwani, R., Ullman, J.D.: Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, Reading (2007)

  27. Jiang, M., Fu, A.W.C.: Integration and efficient lookup of compressed XML accessibility maps. IEEE Trans. Knowl. Data Eng. 17(7), 939–953 (2005)

  28. Kudo, M., Hada, S.: XML document security based on provisional authorization. In: ACM Conference on Computer and Communications Security (CCS) (2000)

  29. Kuper, G., Massacci, F., Rassadko, N.: Generalized XML security views. In: Tenth ACM Symposium on Access Control Models and Technologies, pp. 77–84 (2005)

  30. Kuper, G., Massacci, F., Rassadko, N.: Generalized XML security views. Int. J. Inf. Secur. 8(3), 173–203 (2009)

  31. Lee, D., Lee, W.C., Liu, P.: Supporting XML security models using relational databases: a vision. In: XML Database Symposium (XSym). Berlin, Germany (2003)

  32. Lee, J.G., Whang, K.Y., Han, W.S., Song, I.Y.: The dynamic predicate: integrating access control with query processing in XML databases. VLDB J. 16(3), 371–387 (2007)

  33. Li, F., Luo, B., Liu, P., Lee, D., Mitra, P., Lee, W.C., Chu, C.H.: In-broker access control: towards efficient end-to-end performance of information brokerage systems. In: IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, pp. 252–259 (2006)

  34. Luo, B., Lee, D., Liu, P.: Pragmatic XML access control using off-the-shelf RDBMS. In: 12th European Symposium on Research in Computer Security (ESORICS). Dresden, Germany (2007)

  35. Luo, B., Lee, D., Lee, W.C., Liu, P.: QFilter: fine-grained run-time XML access control via NFA-based query rewriting. In: ACM CIKM. Washington (2004)

  36. Luo, B., Lee, D., Lee, W.C., Liu, P.: Deep set operators for XQuery. In: Second International Workshop on XQuery Implementation, Experience and Perspectives (XIME-P). Baltimore (2005)

  37. Mealy, G.H.: A method for synthesizing sequential circuits. Bell Syst. Tech. J. 34, 1045–1079 (1955)

  38. Mella, G., Ferrari, E., Bertino, E., Koglin, Y.: Controlled and cooperative updates of XML documents in Byzantine and failure-prone distributed systems. ACM Trans. Inf. Syst. Secur. 9(4), 421–460 (2006)

  39. Mohan, S., Klinginsmith, J., Sengupta, A., Wu, Y.: ACXESS: access control for XML with enhanced security specifications. In: 22nd International Conference on Data Engineering, p. 171 (2006)

  40. Mohan, S., Sengupta, A., Wu, Y.: Access control for XML: a dynamic query rewriting approach. In: 14th ACM International Conference on Information and Knowledge Management, pp. 251–252 (2005)

  41. Murata, M., Tozawa, A., Kudo, M.: XML access control using static analysis. In: ACM Conference on Computer and Communications Security (CCS). Washington (2003)

  42. Murata, M., Tozawa, A., Kudo, M., Hada, S.: XML access control using static analysis. ACM Trans. Inf. Syst. Secur. 9(3), 292–324 (2006)

  43. Qi, N., Kudo, M.: Access-condition-table-driven access control for XML databases. In: Samarati, P., Ryan, P.Y.A., Gollmann, D., Molva, R. (eds.) ESORICS, Lecture Notes in Computer Science, vol. 3193, pp. 17–32. Springer (2004)

  44. Qi, N., Kudo, M.: XML access control with policy matching tree. In: ESORICS 2005, 10th European Symposium on Research in Computer Security, pp. 3–23 (2005)

  45. Qi, N., Kudo, M., Myllymaki, J., Pirahesh, H.: A function-based access control model for XML databases. In: 14th ACM International Conference on Information and Knowledge Management, pp. 115–122 (2005)

  46. Rabitti, F., Bertino, E., Kim, W., Woelk, D.: A model of authorization for next-generation database systems. ACM Trans. Database Syst. (TODS) 16(1), 89–131 (1991)

  47. Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-based access control models. IEEE Comput. 29(2) (1996)

  48. Schmidt, A.R., Waas, F., Kersten, M.L., Florescu, D., Manolescu, I., Carey, M.J., Busse, R.: The XML Benchmark Project. Tech. Rep. INS-R0103, CWI (2001)

  49. Siméon, J., Fernández, M.: Galax V 0.3.5 (2004). http://db.bell-labs.com/galax/

  50. Stoica, A., Farkas, C.: Secure XML views. In: Gudes, E., Shenoi, S. (eds.) DBSec, IFIP Conference Proceedings, vol. 256, pp. 133–146. Kluwer (2002)

  51. De Capitani di Vimercati, S., Marrara, S., Samarati, P.: An access control model for querying XML data. In: Workshop on Secure Web Services, pp. 36–42 (2005)

  52. Xiao, Y., Luo, B., Lee, D.: Security-conscious XML indexing. In: International Conference on Database Systems for Advanced Applications (DASFAA). Bangkok, Thailand (2007)

  53. Yu, T., Srivastava, D., Lakshmanan, L.V., Jagadish, H.V.: Compressed accessibility map: efficient access control for XML. In: VLDB. Hong Kong, China (2002)

  54. Zhang, H., Zhang, N., Salem, K., Zhuo, D.: Compact access control labeling for efficient secure XML query evaluation. Data Knowl. Eng. 60(2), 326–344 (2007)


Author information

Corresponding author: Bo Luo.

Additional information

This paper extends the earlier conference version [35].


Cite this article

Luo, B., Lee, D., Lee, WC. et al. QFilter: rewriting insecure XML queries to secure ones using non-deterministic finite automata. The VLDB Journal 20, 397–415 (2011). https://doi.org/10.1007/s00778-010-0202-x
