
1

Security Enforced Mediation System

Presenter: Li Yang
School of Computer Science
Florida International University

2

Outline

– Introduction
– Background
  – Mediation System
– Our Work
  – Security Enforced Data Integration
– Related Work
– Future Work

3

Introduction

– Pressing needs for data integration
  – Data are scattered in multiple data sources
  – Data sources are heterogeneous
– Security is an important problem
  – Protect digital properties
  – Prevent unauthorized users from obtaining unauthorized data and resources (e.g., Vladimir Levin, more than $10M stolen from Citibank, 1994)

4

Introduction

[Figure: Security Architecture. Labelled elements: Attackers/Intruders/Malfeasors; Requirements & Policies; Security Features or Services; Security Mechanisms; User; Information and Data Sources]

5

Security is an imperative condition in the context of data integration

Our system:– Integrates heterogeneous data sources– Secures system from unauthorized

accessi.e., global sensitive data, context-aware

Introduction

6

Security Enforcement – hospital system example

Hospital Security Specification:
  <doctor, diagnosis, + read>, <doctor, treatment, + read>,
  <nurse, diagnosis, - read>, <nurse, treatment, + read>

[Figure: enforcement flow over the objects "diagnosis" and "treatment"; message labels in order:]
  1. <doctor, treatment, read>
  2. <doctor, treatment, read>
  3. Yes / "+"
  4. <doctor, treatment, read>
  5. treatment

7

Outline

– Introduction
– Background
  – Mediation System
– Our Work
  – Security Enforced Mediation System
– Related Work
– Future Work

8

Mediation System -- Architecture

[Figure: Mediation system architecture. Three layers: Global_Mediator, Mediator_Composer (several instances), Mediator_Connector 1 … n; a Client at the top and Source 1, Source 2, Source 3 at the bottom]

Goal: integrated query processing

Contributions:
– IEEE ISPAN04: Three-layered Mediator Architecture based on DHT
– ACMMUM04: A Mediation Framework for Multimedia Delivery

9

Mediation System -- Exchange Model (XML)

XML and its tree structure; XPath, i.e., "//record"

  <record>
    <id> 00000 </id>
    <case>
      <disease> Fever </disease>
      <test> xray01.jpg</test>
    </case>
    <address> 123 SW 48th St, Miami, FL </address>
  </record>

[Figure: tree of the record above: record → id, case (→ disease, test), address]

10

Mediation System -- Execution

[Figure: Global view nodes: record, id, case, address, diagnosis, test, prescription, medicine, treatment. Local View 1 nodes: record, id, case, disease, test, address. Local View 2 nodes: patient, id, case, prescription, medicine, treatment, xray. Numbered links (1–4) mark the semantic mapping between the views.]

Offline Preparation:
– Generate the global view
– Semantic mapping between the global view and the source views

Online query:
1. Query against the global schema type
2. Decompose the query into sub-queries
3. Process the sub-queries
4. Return the result

11

Outline

– Introduction
– Background
  – Mediation System
– Our Work
  – Security Enforced Mediation System
– Related Work
– Future Work

12

Phase 1: Authentication– Users Login (Each user has a Role)

Phase 2: Authorization & Integration– User View is loaded and User can only

query against his/her view– Query is checked for security constraints– Integrate the relevant results

Security Enforced Mediation System

13

Security Enforced Mediation System

[Figure: sequence diagram with participants User, Authentication, Global Mediator, Mediator Composer, Mediator Connector and Databases; a Security Check box appears twice, at the two checkQuery steps]
1. logIn
2. authenticate
3. returnSecureView
4. poseQuery
5. checkQuery, decomposeQuery
6. translateQuery
7. checkQuery, queryDatabases
8. returnResult
9. unifyResult
10. integrateResult
11. presentResult

14

Security – Login

Users have:
– Username
– Password
– Role associated with them
→ Unauthorized users cannot log in and use our system

15

Security – Role Views

Each role has its own view
– Example: a Nurse can see everything except for the social security number → the Social Security Number is not in her view

[Figure: System Login (user = orask001, role = "nurse") → DB of Views → Nurse's View (visible view)]

16

Security – Role Views

Role schema for a Nurse after he/she has logged in.

17

Runtime Security Check

The user's query is checked before the query is executed, to prevent access to forbidden information.

[Figure: Query → Security Checker → Secure Query → DB → Answer]

cando(nurse, //record, + read)
  ← workTime(sessionID) & workArea(sessionID) & attending(nurse, record)

Q = "//record"    SQ = "//record" ?

18

Runtime Security Check

List of Constraints for the Security Checker

Context-based Constraints:
– workTime(sessionID): information is accessed during the hospital's work time (e.g., clinic open 8am – 5pm)
– workArea(sessionID): information is accessed in the hospital's work area (e.g., the nurse works at a workstation with IP = 172.25.2.149)

19

Runtime Security Check

Relationship Constraints:
– attending(nurse, record): the nurse's name is in the patient's medical record.
    cando(nurse, record, + read) ← workTime(sessionID) & workArea(sessionID) & attending(nurse, record)
– mySickRelative(user, patient): the relative is in the emergency contact of the patient.
    cando(relative, patient, read) ← mySickRelative(relative, patient)

20

Runtime Security Check

History-based constraints:
– inHistory(user, diagnosis, read): the user has read the diagnosis
    cando(user, name, - read) ← inHistory(user, diagnosis, read)
  A user cannot read a patient's name if he/she has read the patient's diagnosis
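As an added example (not code from the deck), the runtime security check of slides 6 and 17 to 20 written as a small Python evaluator: the static <role, object, ±read> hospital specification plus the context, relationship and history constraints. The Session fields, the workstation subnet used for workArea, the record identifiers, the attending/emergency-contact facts and the "doctor may read unlisted fields" default are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    role: str
    hour: int                                    # clock hour at the workstation, 0-23
    ip: str                                      # workstation IP address
    history: set = field(default_factory=set)   # (record, field, action) already granted

# Static specification from the hospital example: <role, field> -> "+" or "-" for read
SPEC = {("doctor", "diagnosis"): "+", ("doctor", "treatment"): "+",
        ("nurse", "diagnosis"): "-", ("nurse", "treatment"): "+"}

WORK_HOURS = range(8, 17)           # clinic open 8am - 5pm
WORK_AREA_PREFIX = "172.25.2."      # assumed nurse workstation subnet (slide shows 172.25.2.149)

# Constructed relationship facts as (user, record) pairs
ATTENDING = {("orask001", "rec-1")}            # nurse's name is in the patient's record
EMERGENCY_CONTACT = {("rel-77", "rec-2")}      # relative listed as the patient's emergency contact

def work_time(s): return s.hour in WORK_HOURS
def work_area(s): return s.ip.startswith(WORK_AREA_PREFIX)
def attending(s, record): return (s.user, record) in ATTENDING
def my_sick_relative(s, record): return (s.user, record) in EMERGENCY_CONTACT
def in_history(s, record, fld, action): return (record, fld, action) in s.history

def cando(s, record, fld, action="read"):
    """Return '+' if <role, field, action> on this record is authorized, else '-'."""
    if SPEC.get((s.role, fld)) == "-":           # explicit negative authorizations always win
        return "-"
    # History-based constraint: cando(user, name, -read) <- inHistory(user, diagnosis, read)
    if fld == "name" and in_history(s, record, "diagnosis", action):
        return "-"
    if s.role == "nurse":        # cando(nurse, record, +read) <- workTime & workArea & attending
        ok = work_time(s) and work_area(s) and attending(s, record)
    elif s.role == "relative":   # cando(relative, patient, read) <- mySickRelative
        ok = my_sick_relative(s, record)
    elif s.role == "doctor":     # assumption: fields the spec does not mention are readable
        ok = SPEC.get((s.role, fld), "+") == "+"
    else:
        ok = False
    return "+" if ok else "-"

def check_query(s, record, fld):
    """Runtime check before execution; granted reads are recorded for history-based rules."""
    decision = cando(s, record, fld)
    if decision == "+":
        s.history.add((record, fld, "read"))
    return decision
```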

21

Security Enforced Data Integration

– Relevant distributed data are retrieved → Data Integration
– "Join" data from heterogeneous data sources by the common key (SSN).
– "Run" records through Data Integration

22

Security Enhanced Data Integration

Clinic View (CLINIC)
  ssn        f_name  l_name  phone
  123456789  Clark   Kent    5558989

Consultation View (CONSULTATION)
  ssn        full_Name   p_num    address
  123456789  Clie N Tee  2867814  125 SW 49st

Global view (record), joined on ssn
  ssn        address      phone              full_name
  123456789  125 SW 49st  5558989 / 2867814  Clark Kent / Clie N Tee
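As an added example (not the deck's own code), the join-by-SSN integration step with the semantic mapping from the two source views to the global view, using the sample rows shown on the slide. The mapping functions, the handling of conflicting values (both are kept), the NURSE_VIEW projection that drops the SSN join key from what a nurse is shown, and the " / " separator are assumptions.

```python
GLOBAL_FIELDS = ("ssn", "full_name", "phone", "address")
NURSE_VIEW = ("full_name", "phone", "address")   # nurse's role view excludes the SSN

# Constructed sample rows, as each heterogeneous source would return them
CLINIC = [{"ssn": "123456789", "f_name": "Clark", "l_name": "Kent", "phone": "5558989"}]
CONSULTATION = [{"ssn": "123456789", "full_Name": "Clie N Tee", "p_num": "2867814",
                 "address": "125 SW 49st"}]

# Semantic mapping: one function per source, local field names -> global view names
def map_clinic(row):
    return {"ssn": row["ssn"], "full_name": f"{row['f_name']} {row['l_name']}",
            "phone": row["phone"]}

def map_consultation(row):
    return {"ssn": row["ssn"], "full_name": row["full_Name"],
            "phone": row["p_num"], "address": row["address"]}

def integrate(sources, key="ssn"):
    """Join the mapped rows of all sources on the common key.

    Conflicting values for the same global field are kept side by side
    (as the slide shows for full_name and phone) instead of being dropped silently."""
    merged = {}
    for mapper, rows in sources:
        for row in rows:
            g = mapper(row)
            rec = merged.setdefault(g[key], {key: g[key]})
            for fld, value in g.items():
                if fld == key or rec.get(fld) in (None, value):
                    rec[fld] = value
                elif value not in rec[fld].split(" / "):
                    rec[fld] = f"{rec[fld]} / {value}"
    # Present every record in the global view's field order; missing fields stay empty
    return [{f: r.get(f, "") for f in GLOBAL_FIELDS} for r in merged.values()]

def project(records, visible):
    """Apply the role view: only the fields visible to the role leave the mediator."""
    return [{f: r[f] for f in visible} for r in records]
```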

23

Security Enforced Data Integration

24

Security Enforcement Summary

Authentication

Authorization:
1. Load the visible view based on the user's role
2. Check the runtime security constraints
3. Query and integrate the relevant results

25

Demo

Security ON
– Testing Technician:
  1. During work hours and in the work area
  2. The view only displays the patient's tests
– Testing Patient:
  1. Only the patient's own record is retrieved

Security OFF
– Users see all the information

26

Outline

– Introduction
– Background
  – Mediation System
– Our Work
  – Security Enforced Data Integration
– Related Work
– Future Work

27

View-based Access Control [Damiani02]

[Figure: inputs Query, Data, ACR. Offline: View Computing takes the ACR and the data source view and produces a nurse view, a receptionist view and a doctor view. Online: user query → view → answer]

– ACR is stored together with D (spatially), and/or ACR and D are first processed (temporally)
– The query is safe without any further care
– Each subject/role sees only the data that are safe for that subject/role

28

The Pre-Processing Approach

[Figure: inputs Query, ACR, Data. User query → QFilter (with ACR) → Secure query → Data Source View → answer]

– ACR and Q are first processed while D is stored elsewhere
– The QFilter approach [Luo04]: the user's query is rewritten such that any parts violating the access control rules are pruned

29

Contributions & Conclusion

– Hybrid Enforcement Strategy
  – Extensibility (constraints)
  – Less maintenance effort
  – Reusability (views)
– Flexible and extensible security policy modeling
  – Context-aware
  – Different-point policy specification
  – Semantic heterogeneity

30

Outline

– Introduction
– Background
  – Mediation System
– Our Work
– Related Work
– Future Work

31

Future Work

– An extended authorization model
  – Incorporating post-event processing [Kudo00]; post events include auditing and digital signature verification
– An aspect-driven approach for security policy composition
  – Software systems evolve with time
  – Composition method for structuring security policies
  – Aspect-driven framework for the realization of security control policies for mediation systems
– Preliminary results:
  – SEKE04: Enhancing mediation security by aspect-oriented approach
  – ICECCS05: Secure software architecture design by aspect orientation

32

Acknowledgement

– Dr. Raimund K. Ege
– Dr. Xudong He
– SSA Group in the School of Computer Science at Florida International University
– Software Engineering Project Group: Adam, Fayaz Amirali; Raskin, Olga; Smith, Nikel Noima
– NSF HRD 0317692 CREST Grant

33

Selected Publications

– Li Yang and Raimund K. Ege. Dynamic integration strategy for mediation framework. Software Engineering and Knowledge Engineering (SEKE'05).
– Li Yang, Raimund K. Ege and Huiqun Yu. Modeling and verifying mediation framework. The 10th IEEE International Conference on the Engineering of Complex Computer Systems (ICECCS'05).
– Li Yang, Raimund K. Ege and Huiqun Yu. Security specification and enforcement in heterogeneous databases. The 20th Annual ACM Symposium on Applied Computing (SAC'05), Computer Security Track, Santa Fe, New Mexico, March 2005.
– Li Yang, Raimund K. Ege and Huiqun Yu. Mediation framework modeling and verification (Abstract). The 20th Annual ACM Symposium on Applied Computing (SAC'05), Software Engineering Track, Santa Fe, New Mexico, March 2005.
– Li Yang, Raimund K. Ege, Onyeka Ezenwoye and Qasem Kharma. A role-based access control model for information mediation. The 2004 IEEE International Conference on Information Reuse and Integration, pages 277-282, Las Vegas, NV, 2004.
– Li Yang, Raimund K. Ege and Huiqun Yu. Enhancing mediation security by aspect-oriented approach. Software Engineering and Knowledge Engineering (SEKE'04), Banff, Alberta, Canada, June 2004.
– Raimund K. Ege, Li Yang, Qasem Kharma and Xudong Ni. Three-layered mediator architecture based on DHT. International Symposium on Parallel Architectures, Algorithms, and Networks (I-SPAN), IEEE Computer Society Press, Hong Kong, May 2004.
– Li Yang and Raimund K. Ege. Modeling and verification of real-time mediation systems. Advanced Simulation Technologies Conference (ASTC), pages 61-68, Arlington, Virginia, April 2004.

34

Thank you!

Questions or Comments