Title: Department of Computer Science and Engineering and the South Carolina Information Technology Institu
1 Web Data and Application Security 2. CSCE 813
2 Reading
- World Wide Web Consortium, http://www.w3.org/
- Resource Description Framework (RDF), http://www.w3.org/RDF/
- RDF Semantics, http://www.w3.org/TR/rdf-mt/
- Workshop on Secure Web Services, http://sws06.univ-pau.fr/
- OWL Web Ontology Language, http://www.w3.org/TR/owl-features/
- Qin and Atluri, Concept-level access control for the Semantic Web, http://portal.acm.org/citation.cfm?id=968575&jmp=cit&dl=portal&dl=ACM&CFID=11111111&CFTOKEN=2222222
- Kaushik, Wijesekera, Ammann, Policy-Based Dissemination of Partial Web-Ontologies, http://portal.acm.org/citation.cfm?id=1103030&dl=acm&coll=&CFID=15151515&CFTOKEN=6184618
- Jain and Farkas, Secure Resource Description Framework: an Access Control Model, http://www.cse.sc.edu/research/isl/Publications/RACL.pdf
3 Semantic Web
From T.B. Lee
4 SMIL
5 SMIL vs. XML
- In both, document tree
- BUT
  - XML has NO intended semantics; SMIL specifies runtime behavior
  - QoS (timeliness and continuity) specified using synchronization constructs: <par>, <seq>, <excl> and others
- No security for SMIL
- Example:
    <smil>
      <seq>
        <par>
          <audio src="http://www.example.org/Audio1.rm"/>
          <video src="http://www.example.org/Video1.rm"/>
        </par>
        <par>
          <audio src="http://www.example.org/Audio2.rm"/>
          <video src="http://www.example.org/Video2.rm"/>
        </par>
      </seq>
    </smil>
[Figure: document tree of the example: smil > seq > par (Audio1, Video1), par (Audio2, Video2)]
6 Object Identity in SMIL - I
7 Object Identity in SMIL - II
8 Object Identity in SMIL - III
9 SMIL Normal Form
- SMIL Normal Form (smilNF) is of the form
    <seq>
      <par> C_1,1(s) C_1,2(s) C_1,3(s) ... C_1,n(s) </par>
      <par> ... </par>
      <par> C_m,1(s) C_m,2(s) C_m,3(s) ... C_m,n(s) </par>
    </seq>
- where C_i,j are audio, video, image or text media intervals.
10 Normalization Algorithm
[Figure: normalization applied to media objects A, B, C, D, each divided into intervals 1, 2, 3 (A1..A3, B1..B3, C1..C3, D1..D3); Representation 1 and Representation 2 show the <seq>/<par> structure before and after normalization]
11 Metadata in SMIL - RBAC Example
[Figure: SMIL Normal Form; the same normal form decorated with RBAC metadata; the permitted view for Role 1]
12 The Inference Problem
- General purpose database
  - Non-confidential data + Metadata → Undesired inferences
- Semantic Web
  - Non-confidential data + Metadata (data and application semantics) + Computational power + Connectivity → Undesired inferences
13 Association Graph
- Association similarity measure
  - Distance of each node from the association root
  - Difference of the distance of the nodes from the association root
  - Complexity of the sub-trees originating at nodes
- Example
[Figure: an XML document and its association graph, with nodes labelled Public and Public, AC]
14 Correlated Inference
- Concept generalization: weighted concepts, concept abstraction level, range of allowed abstractions
[Figure: generalization hierarchy: basin → waterSource → Object; district → place → Object; address → place; fort → base → Object]
15 Correlated Inference (cont.)
[Figure: the same hierarchy, with the concepts Water Source, Place and Base annotated as Public]
16 Inference Removal
- Relational databases limit access to data
- Web inferences
  - Cannot redesign public data outside of the protection domain
  - Cannot modify/refuse an answer to an already published web page
- Protection options
  - Release misleading information
  - Remove information
  - Control access to metadata
17 Web Metadata
18 Resource Description Framework (RDF)
- Representing information about resources in the World Wide Web
- Intended for machine processing
- Provides a common framework → applications can share data
- Identifying things using Web identifiers (URIs)
- Describing resources in terms of simple properties and property values
- RDF statement: (subject, property, object)
19 RDF Graph
- Individuals
- Kinds of things
- Properties of those things
- Values of those properties
- From RDF Primer, http://www.w3.org/RDF/
20 XML syntax for RDF
- RDF/XML sample
    <?xml version="1.0"?>
    <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
             xmlns:contact="http://www.w3.org/2000/10/swap/pim/contact#">
      <contact:Person rdf:about="http://www.w3.org/People/EM/contactme">
        <contact:fullName>Eric Miller</contact:fullName>
        <contact:mailbox rdf:resource="mailto:em@w3.org"/>
        <contact:personalTitle>Dr.</contact:personalTitle>
      </contact:Person>
    </rdf:RDF>
From RDF Primer, http://www.w3.org/RDF/
21 RDF Entailment
- "Meaning" of an RDF graph depends on many factors
  - e.g., conventions within a user community, comments in natural language, or links to other content-bearing documents, etc.
  - Some can be processed by machines, some not
- RDF formal semantics: conclusions that machines can derive from an RDF graph
- Model theory
  - Can transform an RDF graph into a logical expression with the same meaning
22 RDF Schema
- Express classes and their subclasses
- Define properties and associate them with classes
- Facilitate inferencing
[Figure: Student studies-at University; Grad. student ISA Student]
23 Ontology
- Explicit specification of a conceptualization
- Philosophical discipline
- Formal semantics
- Informal conceptual model
- Vocabulary used by a logical theory
- Etc.
- RDF/S, DAML+OIL, OWL, etc.
24 Ontology Manipulation
- Processing
- Integration
- Federation
- Access Control
25 Metadata Security
- No security model exists for metadata
- Can we use existing security models to protect metadata?
- RDF/S is the basic framework for the Semantic Web
- RDF/S supports simple inferences
  - This is not true of XML → XML access control cannot be used to protect RDF/S data
26 RDF/S Entailment Rules
- Example RDF/S entailment rules (http://www.w3.org/TR/rdf-mt/#rules)
  - rdfs2: (aaa, rdfs:domain, xxx), (uuu, aaa, yyy) → (uuu, rdf:type, xxx)
  - rdfs3: (aaa, rdfs:range, xxx), (uuu, aaa, vvv) → (vvv, rdf:type, xxx)
  - rdfs5: (uuu, rdfs:subPropertyOf, vvv), (vvv, rdfs:subPropertyOf, xxx) → (uuu, rdfs:subPropertyOf, xxx)
  - rdfs11: (uuu, rdfs:subClassOf, vvv), (vvv, rdfs:subClassOf, xxx) → (uuu, rdfs:subClassOf, xxx)
27 Example Graph Format
- RDF triples:
  - (Student, rdfs:subClassOf, Person)
  - (University, rdfs:subClassOf, GovAgency)
  - (studiesAt, rdfs:domain, Student)
  - (studiesAt, rdfs:range, University)
  - (studiesAt, rdfs:subPropertyOf, memberAt)
  - (John, studiesAt, USC)
28 Example Graph Format
29 Example Graph Format
30 Example Graph Format
31 Secure RDF
- Entailed data in RDF can cause illegal inferences
  - (John, studiesAt, USC) [S]
  - (studiesAt, rdfs:domain, University) [S]
  - → (USC, rdf:type, University) [S]
  - (USC, rdf:type, University) [S]
  - (University, rdfs:subClassOf, GovAgency) [S]
  - → (USC, rdf:type, GovAgency) [TS]
- A Secret user can infer TS information
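The check behind this slide, as an added example (not code from the lecture or from the cited papers): forward-chain the RDF/S rules of slide 26 over labelled triples and flag any triple that policy classifies above the level at which it is already derivable. The label ordering P < S < TS and the per-triple labels on the slide 27 graph are constructed here; rdfs9 (rdf:type propagation along rdfs:subClassOf, from the RDF Semantics rule set) is included because the second step on slide 31 depends on it.

```python
# Forward-chaining RDFS entailment over security-labelled triples: finds
# entailed triples that policy classifies above the level needed to derive
# them. rdfs2/3/5/11 are the slide 26 rules; rdfs9 is added (see lead-in).
RDF_TYPE, DOMAIN, RANGE = "rdf:type", "rdfs:domain", "rdfs:range"
SUB_PROP, SUB_CLASS = "rdfs:subPropertyOf", "rdfs:subClassOf"
LEVEL = {"P": 0, "S": 1, "TS": 2}            # constructed classification order

def apply_rules(t1, t2):
    """Triples entailed from premise t1 (a schema triple) and premise t2."""
    (a, p, x), (u, q, v) = t1, t2
    out = []
    if p == DOMAIN and q == a:                        # rdfs2
        out.append((u, RDF_TYPE, x))
    if p == RANGE and q == a:                         # rdfs3
        out.append((v, RDF_TYPE, x))
    if p == SUB_PROP and q == SUB_PROP and v == a:    # rdfs5
        out.append((u, SUB_PROP, x))
    if p == SUB_CLASS and q == RDF_TYPE and v == a:   # rdfs9
        out.append((u, RDF_TYPE, x))
    if p == SUB_CLASS and q == SUB_CLASS and v == a:  # rdfs11
        out.append((u, SUB_CLASS, x))
    return out

def derivable_at(labelled):
    """Lowest label at which each explicit or entailed triple can be derived."""
    reach = dict(labelled)
    changed = True
    while changed:                # a derivation carries the max of its premises
        changed = False
        for t1, l1 in list(reach.items()):
            for t2, l2 in list(reach.items()):
                lab = max(l1, l2, key=LEVEL.get)
                for t in apply_rules(t1, t2):
                    if t not in reach or LEVEL[lab] < LEVEL[reach[t]]:
                        reach[t] = lab
                        changed = True
    return reach

def find_leaks(labelled, entailed_policy):
    """Triples classified above the level a user needs to infer them."""
    reach = derivable_at(labelled)
    return {t: (reach[t], c) for t, c in {**labelled, **entailed_policy}.items()
            if t in reach and LEVEL[reach[t]] < LEVEL[c]}

# Constructed sample: the slide 27 graph, labelled as on slide 31.
SAMPLE = {("Student", SUB_CLASS, "Person"): "P",
          ("University", SUB_CLASS, "GovAgency"): "S",
          ("studiesAt", DOMAIN, "Student"): "P",
          ("studiesAt", RANGE, "University"): "S",
          ("John", "studiesAt", "USC"): "S"}
POLICY = {("USC", RDF_TYPE, "GovAgency"): "TS"}   # classification of entailed data
```

find_leaks(SAMPLE, POLICY) reports (USC, rdf:type, GovAgency) as classified TS but derivable by an S user, which is exactly the conflict the slide shows; either the premises must be upgraded or the entailed triple's classification lowered.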
32 RDF Access Control
- Security policy
- Subject
- Object (object pattern)
- Access Mode
- Default policy
- Conflict Resolution
- Classification of entailed data
- Flexible granularity
33 Policy-Based Dissemination of Partial Web-Ontologies
- Saket Kaushik
- Duminda Wijesekera
- Paul Ammann
George Mason University
Reused with the permission of D. Wijesekera
34 Outline
- Introduction
- Problem of improper disclosure
- Overview of our approach
- Modeling RDF Graphs as Trees
- Protection cases
- Formal model
- Semantics and results
35 Semantic web: the problem domain
- Objects on the World Wide Web (WWW) are described by web-ontologies
- Meta-information or ontologies help in automatic discovery of related web-objects (URIs)
- Ontologies are concepts (or classes) related through properties (or binary relations), with individuals belonging to a concept or a property
36 E.g. A simple web-ontology
[Figure: a weapons taxonomy. Weapons → Conventional Weapons → Rocket Launcher (Size, Rounds), Machine Gun; Weapons → Special Weapons → Nuclear Warhead (Delivery System, Trigger Mechanism). The edges are binary relationships.]
37 The problem of improper disclosure
- Ontologies may contain sensitive information
- Disclosing the complete ontology is insecure
- Usual access control techniques can either regulate access to concepts or to complete ontologies
- Preserving relationships between concepts while regulating access to concepts is an unsolved problem
38 Example scenario
[Figure: the weapons taxonomy, with the Special Weapons subtree (Nuclear Warhead, Delivery System, Trigger Mechanism) marked as the sensitive portion and the whole ontology marked as requested]
39 Example scenario
[Figure: requirement: removal of the sensitive portions while preserving the other relationships; what is disclosed keeps Weapons, Conventional Weapons, Rocket Launcher, Machine Gun, Size, Rounds]
40 RDF Preliminaries
- Vocabulary: a set of URIs forms the vocabulary
  - Each URI is an instance of an RDF Class or a Property.
- Axioms: triples <S,P,O> form sentences, where S, P and O are constants in the vocabulary and P is a property.
- RDF Graph: a set of triples is also called an RDF Graph.
- Extension: a mapping relates each class or property to its extension
- Semantics: the interpretation is a mapping of resources to their extensions
41 Overview: Graphs to Trees
- We model RDF syntactic and semantic elements as syntactic elements.
- Each triple is encoded as a set using von Neumann's standard set encoding
  - <A,B> is {{A},{A,B}}
  - <A,B,C> is {{A},{A,<B,C>}}, i.e. {{A},{A,{{B},{B,C}}}}
- No self-references or cycles are allowed
- Consequently, a graph is reduced to a tree
42 Overview: Protection cases
- We enable two use cases
  - Disclosure control over parts of ontologies
    - Based on the attributes of a requester, only parts of an ontology are accessible
  - Content obfuscation in an ontology
    - Based on the attributes of a requester, only the ontological structure is made available, but not the names of sensitive concepts and properties
43 Use-case 1 (a): Remove subtree
[Figure: remove subtree beyond this concept: what remains is Weapons → Conventional Weapons → Rocket Launcher (Size, Rounds), Machine Gun]
44 Use-case 1 (b): Remove branch
[Figure: remove branch: the branch identified by Conv. Weapon → M.Gun is removed from Weapons → Conventional Weapons → Rocket Launcher (Size, Rounds), Machine Gun]
45 Use-case 1 (c): Extract subtree
[Figure: extract subtree below this edge: Rocket Launcher (Size, Rounds)]
46 Use-case 2 (a): Node hiding
[Figure: the concept Nuclear Warhead is hidden and shown as No Name; the rest of the taxonomy (Weapons, Conventional Weapons, Special Weapons, Rocket Launcher, Machine Gun, Delivery System, Trigger Mechanism, Size, Rounds) is unchanged]
47 Use-case 2 (b): Node modification
[Figure: Nuclear Warhead is modified to Obsolete Warhead; the rest of the taxonomy is unchanged]
48 Formal model
- We use constraint logic programming (CLP) with set constraints to write dissemination control policies
- Terms: a set of arbitrary constants with two function symbols and nil
- Constraint domain: a set constraint domain that interprets , ?, ?, ? and predicates
- The constraint domain ensures axioms like permutativity, absorption, etc., essential for modeling unordered sets of triples
49 Formal Model
- Predicates are of six types
  - Semantic relationships (SR) for expressing ontological axioms
  - Tree construction predicates (TP) for constructing trees from the basic axioms
  - Excision predicates (EP) for computing partial ontologies on the fly
  - Modification predicates (MP) for computing cover stories
  - Special predicates (SP)
  - User defined predicates (UP)
50 Formal Model
- TP predicate OTree constructs an ontology tree, while RDFInst combines an ontology and its interpretation
- EP predicates subtree, remSubtree and remBranch implement excision operations
- MP predicates hideConcept and modifyConcept implement content obfuscation operations
- Dissemination Control Policies (DCP): sets of stratified rules with the following strata
  - Strata 0: definitions of all SR predicates
  - Strata 1: definitions of system-defined predicates TP, EP and MP
  - Strata 3: definitions of special predicates (SP)
51 Policies
- Subtree protection: a DCP that only uses the remSubtree predicate from the EP predicates
- Branch protection: a DCP that only uses the remBranch predicate
- Subtree extraction: a DCP that uses the subtree predicate
- Similarly, node hiding and node modification DCPs use the corresponding MP predicates
- Hybrid policies can use any combination of EP and MP predicates
52 Example policy: Subtree protection
- An attribute based control policy for protecting sensitive web-pages is written as
  - allow(x, Y, nil) ← Suspicious(Y)   (1)
  - i.e., do not disclose any information to requesters who satisfy the predicate Suspicious
  - allow(x, Y, C) ← SecretClearance(Y), OTree(x, A), remSubtree(A, Agent, C)   (2)
  - i.e., if requester Y has secret clearance, then the ontology rooted at x can be disclosed after web-pages with Agent related information have been removed.
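The excision and obfuscation operations of slides 42 to 52 (OTree, remSubtree, remBranch, subtree, hideConcept, modifyConcept) and the two-rule policy above, as an added example written in plain Python rather than the paper's CLP; this is not the authors' code. The edge list is constructed from the slide 36 taxonomy, trees are (concept, [children]) tuples, "Special Weapons" stands in for the Agent concept of rule (2), and rule (1) is checked before rule (2), which is an assumption about conflict resolution.

```python
# Tree construction, excision and obfuscation predicates of the dissemination
# control model as functions; cycles are rejected as the model requires.
# Constructed (parent, child) edges of the slide 36 weapons taxonomy.
EDGES = [("Weapons", "Conventional Weapons"), ("Weapons", "Special Weapons"),
         ("Conventional Weapons", "Rocket Launcher"),
         ("Conventional Weapons", "Machine Gun"),
         ("Rocket Launcher", "Size"), ("Rocket Launcher", "Rounds"),
         ("Special Weapons", "Nuclear Warhead"),
         ("Nuclear Warhead", "Delivery System"),
         ("Nuclear Warhead", "Trigger Mechanism")]

def otree(root, edges, seen=()):
    """OTree: build the ontology tree under root; self-references/cycles raise."""
    if root in seen:
        raise ValueError(f"cycle or self-reference through {root}")
    kids = [otree(c, edges, seen + (root,)) for p, c in edges if p == root]
    return (root, kids)

def rem_subtree(t, concept):
    """remSubtree: drop the concept and everything beneath it."""
    n, kids = t
    return (n, [rem_subtree(c, concept) for c in kids if c[0] != concept])

def rem_branch(t, parent, child):
    """remBranch: drop only the edge parent -> child and what hangs off it."""
    n, kids = t
    kept = [c for c in kids if not (n == parent and c[0] == child)]
    return (n, [rem_branch(c, parent, child) for c in kept])

def subtree(t, concept):
    """subtree: extract the part rooted at concept, or None if absent."""
    n, kids = t
    if n == concept:
        return t
    return next((s for s in (subtree(c, concept) for c in kids) if s), None)

def rename(t, concept, new):
    """hideConcept (new="No Name") or modifyConcept (cover story): only the
    label changes, the structure is kept so other relationships survive."""
    n, kids = t
    return (new if n == concept else n, [rename(c, concept, new) for c in kids])

def allow(attrs, root="Weapons"):
    """DCP of slide 52: nil for Suspicious requesters (rule 1); for
    SecretClearance, the tree with the sensitive subtree excised (rule 2)."""
    if "Suspicious" in attrs:
        return None
    if "SecretClearance" in attrs:
        return rem_subtree(otree(root, EDGES), "Special Weapons")
    return None                                  # default: disclose nothing
```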
53 3-valued Semantics for DCPs
- Valuations map ground atoms to T, F, -
- The immediate consequence function F_P takes a valuation and performs the mapping
  - Ground atom H is mapped to
    - T if there is a ground clause instance with head H such that each literal in its body is satisfied by the appropriate input valuation
    - F if there is an unsatisfied literal in the body of every ground clause instance having head H
    - - otherwise
- F_{P_i}^{α+1} = F_{P_i}(F_{P_i}^{α})
- The semantics of DCP P_i is FPi?(?1)
54 Results
- Theorems
  - Equality: an RDF graph rooted at node A is equivalent to the ontology tree T computed by OTree(A, T)
  - Faithfulness: an RDF graph with its extension, rooted at node A, is equivalent to the tree T computed by RDFInst(A, T)
  - Correctness: for a request request(x, Y) for the document rooted at x, the DCP divulges only those portions of the requested tree that are desired to be disclosed to a requester with attributes Y.
55 Next Class: Application Security