Department of Computer Science and Engineering and the South Carolina Information Technology Institu - PowerPoint PPT Presentation


1

Web Data and Application Security 2. CSCE 813
2
Reading
  • World Wide Web Consortium, http://www.w3.org/
  • Resource Description Framework (RDF), http://www.w3.org/RDF/
  • RDF Semantics, http://www.w3.org/TR/rdf-mt/
  • Workshop on Secure Web Services, http://sws06.univ-pau.fr/
  • OWL Web Ontology Language, http://www.w3.org/TR/owl-features/
  • Qin and Atluri, Concept-level access control for the Semantic Web, http://portal.acm.org/citation.cfm?id=968575
  • Kaushik, Wijesekera, Ammann, Policy-Based Dissemination of Partial Web-Ontologies, http://portal.acm.org/citation.cfm?id=1103030
  • Jain and Farkas, Secure Resource Description Framework: an Access Control Model, http://www.cse.sc.edu/research/isl/Publications/RACL.pdf

3
Semantic Web
From T.B. Lee
4
SMIL
5
SMIL vs. XML
  • In both, document tree
  • BUT
  • XML has NO intended semantics, SMIL specifies runtime behavior
  • QoS (timeliness and continuity) specified using synchronization constructs
  • <par>, <seq>, <excl> and others.
  • No Security for SMIL

<smil>
  <seq>
    <par>
      <audio src="http://www.example.org/Audio1.rm"/>
      <video src="http://www.example.org/Video1.rm"/>
    </par>
    <par>
      <audio src="http://www.example.org/Audio2.rm"/>
      <video src="http://www.example.org/Video2.rm"/>
    </par>
  </seq>
</smil>

[Figure: document tree of the SMIL example: <smil>, <seq>, two <par> nodes, with leaves Audio1, Video1, Audio2 and Video2]
6
Object Identity in SMIL - I
7
Object Identity in SMIL - II
8
Object Identity in SMIL - III
9
SMIL Normal Form
  • SMIL Normal Form (smilNF) is of the form
      <seq>
        <par> C_1,1(s) C_1,2(s) C_1,3(s) .. C_1,n(s) </par>
        <par> .. </par>
        <par> C_m,1(s) C_m,2(s) C_m,3(s) .. C_m,n(s) </par>
      </seq>
  • where C_i,j are audio or video, image or text media intervals.

10
Normalization Algorithm
[Figure: normalization example showing two SEQ/PAR trees, Representation 1 and Representation 2, over media objects A, B, C and D split into intervals A1-A3, B1-B3, C1-C3 and D1-D3]
11
Metadata in SMIL - RBAC Example
[Figure: SMIL Normal Form; RBAC metadata decorated SMIL Normal Form; permitted view for Role 1]
12
The Inference Problem
  • General Purpose Database
  • Non-confidential data + Metadata → Undesired Inferences
  • Semantic Web
  • Non-confidential data + Metadata (data and application semantics) + Computational Power + Connectivity → Undesired Inferences

13
Association Graph
  • Association similarity measure
  • Distance of each node from the association root
  • Difference of the distance of the nodes from the
    association root
  • Complexity of the sub-trees originating at nodes
  • Example

[Figure: an XML document and its Association Graph; node labels "Public" and "Public, AC"]
14
Correlated Inference
Concept Generalization: weighted concepts, concept abstraction level, range of allowed abstractions
Object.
waterSource Object
basin waterSource
place Object
district place
address place
base Object
fort base
15
Correlated Inference (cont.)
Object.
waterSource Object
basin waterSource
place Object
district place
address place
base Object
fort base
[Figure: correlated inference example with nodes Base, Place, base and Water source; labels "Public"]
16
Inference Removal
  • Relational databases limit access to data
  • Web inferences
  • Cannot redesign public data outside of protection
    domain
  • Cannot modify/refuse answer to already published
    web page
  • Protection Options
  • Release misleading information
  • Remove information
  • Control access to metadata

17
Web Metadata
18
Resource Description Framework (RDF)
  • Representing information about resources in the
    World Wide Web
  • Intended for machine processing
  • Provides a common framework → applications can share data
  • Identifying things using Web identifiers (URIs)
  • Describing resources in terms of simple properties and property values
  • RDF statement: (subject, property, object)

19
RDF Graph
  • Individuals
  • Kinds of things
  • Properties of those things
  • Values of those properties
  • From RDF Primer, http://www.w3.org/RDF/

20
XML syntax for RDF
  • RDF/XML sample

<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:contact="http://www.w3.org/2000/10/swap/pim/contact#">
  <contact:Person rdf:about="http://www.w3.org/People/EM/contact#me">
    <contact:fullName>Eric Miller</contact:fullName>
    <contact:mailbox rdf:resource="mailto:em@w3.org"/>
    <contact:personalTitle>Dr.</contact:personalTitle>
  </contact:Person>
</rdf:RDF>

From RDF Primer, http://www.w3.org/RDF/
21
RDF Entailment
  • "Meaning" of an RDF graph depends on many factors
  • e.g., conventions within a user community, comments in natural language, or links to other content-bearing documents, etc.
  • Some can be processed by machines, some not
  • RDF formal semantics: conclusions that machines can derive from an RDF graph
  • Model theory
  • Can transform an RDF graph into logical
    expression with the same meaning

22
RDF Schema
  • Express classes and their subclasses
  • Define properties and associate them with classes
  • Facilitate inferencing

[Figure: RDF Schema example with classes Student, Grad. student and University, and relations Studies-at and ISA]
23
Ontology
  • Explicit specification of conceptualization
  • Philosophical discipline
  • Formal semantics
  • Informal conceptual model
  • Vocabulary used by a logical theory
  • Etc.
  • RDF/S, DAML+OIL, OWL, etc.

24
Ontology Manipulation
  • Processing
  • Integration
  • Federation
  • Access Control

25
Metadata Security
  • No security model exists for metadata
  • Can we use existing security models to protect
    metadata?
  • RDF/S is the Basic Framework for SW
  • RDF/S supports simple inferences
  • This is not true of XML: XML access control cannot be used to protect RDF/S data

26
RDF/S Entailment Rules
  • Example RDF/S Entailment Rules (http://www.w3.org/TR/rdf-mt/#rules)
  • rdfs2: (aaa, rdfs:domain, xxx), (uuu, aaa, yyy) → (uuu, rdf:type, xxx)
  • rdfs3: (aaa, rdfs:range, xxx), (uuu, aaa, vvv) → (vvv, rdf:type, xxx)
  • rdfs5: (uuu, rdfs:subPropertyOf, vvv), (vvv, rdfs:subPropertyOf, xxx) → (uuu, rdfs:subPropertyOf, xxx)
  • rdfs11: (uuu, rdfs:subClassOf, vvv), (vvv, rdfs:subClassOf, xxx) → (uuu, rdfs:subClassOf, xxx)

27
Example Graph Format
RDF Triples:
(Student, rdfs:subClassOf, Person)
(University, rdfs:subClassOf, GovAgency)
(studiesAt, rdfs:domain, Student)
(studiesAt, rdfs:range, University)
(studiesAt, rdfs:subPropertyOf, memberAt)
(John, studiesAt, USC)
28
Example Graph Format
29
Example Graph Format
30
Example Graph Format
31
Secure RDF
  • Entailed data in RDF can cause illegal inferences
  • (John, studiesAt, USC) S
  • (studiesAt, rdfs:domain, University) S
  • → (USC, rdf:type, University) S
  • (USC, rdf:type, University) S
  • (University, rdfs:subClassOf, GovAgency) S
  • → (USC, rdf:type, GovAgency) TS
  • Secret User can infer TS information
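
The leak on this slide, reproduced as an added Python example (not part of the original slides): it applies rules rdfs2, rdfs3, rdfs5 and rdfs11 from the entailment-rules slide, plus rdfs9 from RDF Semantics for the subclass step, to the triples of the "Example Graph Format" slide, including its rdfs:range triple. The S labels on the stored triples, the INTENDED table and all function names are assumptions.

```python
# Added example (not from the slides): RDFS closure carrying security labels.
RDF_TYPE, DOMAIN, RANGE = "rdf:type", "rdfs:domain", "rdfs:range"
SUBPROP, SUBCLASS = "rdfs:subPropertyOf", "rdfs:subClassOf"
LEVELS = {"S": 1, "TS": 2}

# Triples of the "Example Graph Format" slide; labelling all of them S is an assumption.
BASE = {
    ("Student", SUBCLASS, "Person"): "S",
    ("University", SUBCLASS, "GovAgency"): "S",
    ("studiesAt", DOMAIN, "Student"): "S",
    ("studiesAt", RANGE, "University"): "S",
    ("studiesAt", SUBPROP, "memberAt"): "S",
    ("John", "studiesAt", "USC"): "S",
}
# Classification the data owner intends for a fact, whether stored or entailed.
INTENDED = {("USC", RDF_TYPE, "GovAgency"): "TS"}

def entail_once(g):
    """Yield (conclusion, premise, premise) for rules rdfs2, 3, 5, 9 and 11."""
    for t1 in g:
        for t2 in g:
            (s1, p1, o1), (s2, p2, o2) = t1, t2
            if p1 == DOMAIN and p2 == s1:                        # rdfs2
                yield (s2, RDF_TYPE, o1), t1, t2
            if p1 == RANGE and p2 == s1:                         # rdfs3
                yield (o2, RDF_TYPE, o1), t1, t2
            if p1 == p2 == SUBPROP and o1 == s2:                 # rdfs5
                yield (s1, SUBPROP, o2), t1, t2
            if p1 == SUBCLASS and p2 == RDF_TYPE and o2 == s1:   # rdfs9
                yield (s2, RDF_TYPE, o1), t1, t2
            if p1 == p2 == SUBCLASS and o1 == s2:                # rdfs11
                yield (s1, SUBCLASS, o2), t1, t2

def closure(base):
    """Map every stored or entailed triple to the lowest clearance that can derive it."""
    label, changed = dict(base), True
    while changed:
        changed = False
        for concl, a, b in list(entail_once(label)):
            need = max(label[a], label[b], key=LEVELS.get)
            if concl not in label or LEVELS[need] < LEVELS[label[concl]]:
                label[concl], changed = need, True
    return label

def leaks(base, intended):
    """Triples derivable below their intended classification."""
    derived = closure(base)
    return sorted(t for t, lvl in intended.items()
                  if t in derived and LEVELS[derived[t]] < LEVELS[lvl])
```

Raising the label of (University, rdfs:subClassOf, GovAgency) to TS in the input makes `leaks` return an empty list, which is the "classification of entailed data" concern an RDF access control policy has to cover.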

32
RDF Access Control
  • Security Policy
  • Subject
  • Object Object pattern
  • Access Mode
  • Default policy
  • Conflict Resolution
  • Classification of entailed data
  • Flexible granularity

33
Policy-Based Dissemination of Partial Web-Ontologies
  • Saket Kaushik
  • Duminda Wijesekera
  • Paul Ammann

George Mason University
Reused with the permission of D. Wijesekera
34
Outline
  • Introduction
  • Problem of improper disclosure
  • Overview of our approach
  • Modeling RDF Graphs as Trees
  • Protection cases
  • Formal model
  • Semantics and results

35
Semantic web: the problem domain
  • Objects on the world wide web (WWW) are
    described by web-ontologies
  • Meta-information or ontologies help in automatic
    discovery of related web-objects (URIs)
  • Ontologies are concepts (or classes) related
    through properties (or binary relations) with
    individuals belonging to a concept or a property

36
E.g. A simple web-ontology
[Figure: a weapons taxonomy with binary relationships. Concepts: Weapons, Conventional Weapons, Special Weapons, Nuclear Warhead, Rocket Launcher, Machine Gun, Delivery System, Trigger Mechanism, Size, Rounds]
37
The problem of improper disclosure
  • Ontologies may contain sensitive information
  • Disclosing complete ontology is insecure
  • Usual access control techniques can either
    regulate access to concepts or complete
    ontologies
  • Preserving relationships between concepts while
    regulating access to concepts is an unsolved
    problem

38
Example scenario
[Figure: the weapons taxonomy with a "Sensitive portion" and a "Requested" portion marked. Concepts: Weapons, Conventional Weapons, Special Weapons, Nuclear Warhead, Rocket Launcher, Machine Gun, Delivery System, Trigger Mechanism, Size, Rounds]
39
Example scenario
Requirement: Removal of sensitive portions while preserving other relationships
[Figure: the requested part of the taxonomy after removal. Concepts: Weapons, Conventional Weapons, Rocket Launcher, Machine Gun, Size, Rounds]
40
RDF Preliminaries
  • Vocabulary: A set of URIs forms the vocabulary
  • Each URI is an instance of an RDF Class or a Property.
  • Axioms: Triples <S,P,O> form sentences, where S, P and O are constants in the vocabulary and P is a property.
  • RDF Graph: A set of triples is also called an RDF Graph.
  • Extension: A mapping relates each class or property to its extension
  • Semantics: The interpretation is a mapping of resources to their extensions

41
Overview: Graphs to Trees
  • We model RDF syntactic and semantic elements as syntactic elements.
  • Each triple is encoded as a set using von Neumann's standard set encoding
  • <A,B> is A,A,B
  • <A,B,C> is A, A, <B,C> or A, A, B,B,C
  • No self-references or cycles are allowed
  • Consequently, a graph is reduced to a tree

42
Overview: Protection cases
  • We enable two use cases
  • Disclosure control over parts of ontologies
  • Based on the attributes of a requester, only
    parts of an ontology are accessible
  • Content obfuscation in an ontology
  • Based on the attributes of a requester, only the
    ontological structure is made available, but not
    the names of sensitive concepts and properties

43
Use-case 1 (a): Remove subtree
[Figure: taxonomy with concepts Weapons, Conventional Weapons, Rocket Launcher, Machine Gun, Size, Rounds; annotation "Remove subtree beyond this concept"]
44
Use-case 1 (b): Remove branch
[Figure: taxonomy with concepts Weapons, Conventional Weapons, Rocket Launcher, Machine Gun, Size, Rounds; annotations "Branch identified by Conv. Weapon → M.Gun" and "Remove branch"]
45
Use-case 1 (c): Extract subtree
[Figure: subtree with concepts Rocket Launcher, Size, Rounds; annotation "Extract subtree below this edge"]
46
Use-case 2 (a): Node hiding
[Figure: the full weapons taxonomy; annotations "Concept hidden", "Nuclear Warhead" and "No Name"]
47
Use-case 2 (b): Node modification
[Figure: the full weapons taxonomy; annotations "Modified", "Nuclear Warhead" and "Obsolete Warhead"]
48
Formal model
  • We use constraint logic programming (CLP) with
    Set constraints to write dissemination control
    policies
  • Terms: A set of arbitrary constants with two function symbols and nil
  • Constraint Domain: Set constraint domain that interprets , ?,?,? and predicates
  • Constraint domain ensures axioms like
    permutativity, absorption, etc., essential for
    modeling unordered sets of triples

49
Formal Model
  • Predicates are of six types
  • Semantic relationships (SR) for expressing
    ontological axioms
  • Tree construction predicates (TP) for
    constructing trees from the basic axioms
  • Excision predicates (EP) for computing partial
    ontologies on the fly
  • Modification predicates (MP) for computing cover
    stories
  • Special predicates (SP)
  • User Defined predicates (UP)

50
Formal Model
  • TP predicate OTree constructs an ontology tree,
    while RDFInst combines ontology and its
    interpretation
  • EP predicates subtree, remSubtree and remBranch
    implement excision operations
  • MP predicates hideConcept and modifyConcept
    implement content obfuscation operations
  • Dissemination Control Policies (DCP): Sets of stratified rules with the following strata
  • Strata 0: Definitions of all SR predicates
  • Strata 1: Definitions of system-defined predicates TP, EP and MP
  • Strata 3: Definitions of special predicates (SP)

51
Policies
  • Subtree protection: A DCP that only uses remSubtree predicate from EP predicates
  • Branch protection: A DCP that only uses remBranch predicate
  • Subtree Extraction: A DCP that uses subtree predicate
  • Similarly, node hiding and node modification DCPs
    use corresponding MP predicates
  • Hybrid policies can use any combination of EP and
    MP predicates

52
Example policy: Subtree protection
  • An attribute based control policy for protecting sensitive web-pages is written as
  • allow(x,Y,nil) ← Suspicious(Y) (1)
  • i.e., Do not disclose any information to requesters who satisfy the predicate Suspicious
  • allow(x,Y,C) ← SecretClearance(Y), OTree(x,A), remSubtree(A,Agent,C) (2)
  • i.e., If requester Y has secret clearance, then ontology rooted at x can be disclosed after web-pages with Agent related information have been removed.
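
Rules (1) and (2) and the excision and modification predicates of the preceding slides, as an added Python sketch rather than the authors' CLP formulation. The tree edges, the choice of Special Weapons as the sensitive concept, the attribute names, rule (1) taking precedence over rule (2) and the default deny are assumptions.

```python
# Added sketch (not the authors' CLP code): EP and MP operations on an ontology tree.
# A tree is (concept, [children]); the edges below are an assumption built from slide labels.
WEAPONS = ("Weapons", [
    ("Conventional Weapons", [
        ("Rocket Launcher", [("Size", []), ("Rounds", [])]),
        ("Machine Gun", [])]),
    ("Special Weapons", [
        ("Nuclear Warhead", [("Delivery System", []), ("Trigger Mechanism", [])])]),
])

def rem_subtree(tree, concept):
    """remSubtree: drop `concept` and everything below it (assumed reading)."""
    name, kids = tree
    return (name, [rem_subtree(k, concept) for k in kids if k[0] != concept])

def rem_branch(tree, parent, child):
    """remBranch: drop only the branch entered through the edge parent -> child."""
    name, kids = tree
    kept = [k for k in kids if not (name == parent and k[0] == child)]
    return (name, [rem_branch(k, parent, child) for k in kept])

def subtree(tree, concept):
    """subtree: return the tree rooted at `concept`, or None when it is absent."""
    if tree[0] == concept:
        return tree
    for kid in tree[1]:
        found = subtree(kid, concept)
        if found is not None:
            return found
    return None

def modify_concept(tree, concept, cover):
    """modifyConcept: keep the structure, replace the concept name by a cover story."""
    name, kids = tree
    return (cover if name == concept else name,
            [modify_concept(k, concept, cover) for k in kids])

def hide_concept(tree, concept):
    """hideConcept: keep the node and its relationships but withhold its name."""
    return modify_concept(tree, concept, "No Name")

def allow(tree, attrs, sensitive="Special Weapons"):
    """Rules (1) and (2): nil for suspicious requesters, excised tree for secret clearance."""
    if "suspicious" in attrs:
        return None
    if "secret" in attrs:
        return rem_subtree(tree, sensitive)
    return None  # default deny is an assumption; the slide states no default
```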

53
3-valued Semantics for DCPs
  • Valuations map ground atoms to T, F, -
  • Immediate consequence function FP takes a
    valuation and performs the mapping
  • Ground atom H is mapped to
  • T if there is a ground clause instance with head
    H such that each literal in its body is satisfied
    by the appropriate input valuation
  • F if there is an unsatisfied literal in the body
    of every ground clause instance having head H
  • - otherwise
  • FPi?(a1) FPi(FPi?(a))
  • The semantics of DCP Pi is FPi?(?1)

54
Results
  • Theorems
  • Equality: An RDF Graph rooted at node A is equivalent to the ontology tree T computed by OTree(A,T)
  • Faithfulness: An RDF Graph with its extension, rooted at node A, is equivalent to the tree T computed by RDFInst(A,T)
  • Correctness: For a request request(x,Y) for the document rooted at x, the DCP divulges only those portions of the requested tree that are desired to be disclosed to a requester with attributes Y.

55
Next Class: Application Security