Upload
dinah-fox
View
220
Download
4
Tags:
Embed Size (px)
Citation preview
References
• QFilter:Fine-Grained Run-Time XML Access control via NFA-based Query rewriting
Bo luo,D.Lee,Wang-chienLee,P.Lee
• XML Access control using static Analysis
Murata ,Tozawa,Kudo
Introduction
• XML has emerged as the language to exchange data over web.
• XML provides for fine granularity of information retrieval because the elements of an XML document can be retrieved by XML queries directly and independently.
• Fine granularity requires mechanisms to control the access at varying levels of the document.
• XML Access control ensures only authorised
users can access only authorised portion of XML data.
Post Processing Approach
• Intermediate answers are calculated as usual
• Then, ACR prunes out unsafe data.• Suitable when ACR and data are stored separately in some distributed
environment• Can be implemented by XML data
filtering package(YFilter)
Pre-Processing Approach• Primitive Approach satisfies two goals
Non-view based
Independent on underlying XML
engine• But, rewritten-query Q’ is not the most
efficient one
Pre-Processing-QFilter
• QFilter reads as input query Q,Acces control rules ACR,schema S,then returns a modified query Q’ as output:
Q’=QFilter(Q,ACR,S)
• QFilter has three types of operations:
1.Accept:Q’=Q
2.Deny:Q’={ }
3.Rewrite
QFilter Construction• QFilter captures ACR as NFA(Non-
deterministic Finite Automata).
• Given Q ,quickly determine if it is Accepted,Denied,Rewrited.
Experimental results
• Efficient in terms of query execution time
• Scalable to the number of access control
rules specified in the system.
INTRODUCTION
• Static Analysis is performed at compile time(when query expression is created rather than each time it is evaluated).
• Run-time checking is required only when static analysis is unable to grant or deny access requests without examining the actual databases.
• Key Idea: To use automata for representing and comparing queries, access control policies and schemas.
Introduction(conti…)
Static Analysis has Two Phases:
First Phase:-We create query automata
access control automata,schema automata.
Second phase:-We compare these
Automata While applying the rules .
Introduction(cont’d)
• Schema :Schema is a description of permissible XML documents.
A schema is a 5-tuple G=(N,∑E, ,∑A,S,P) N is a finite set of non-terminals ∑E is a finite set of element names ∑A is a finite set of attribute names S is a subset of ∑E X N, P is a set of production rules X->r.A where X Є N, r is a regular expression over ∑E XN A is a subset of ∑A .
Syntax of Access control policy
• Ex :
Role: Docter
+R,/record
Role: Intern
+R, /record
-R, //comment
Static Analysis
• Static Analysis has four steps: 1) creating schema automata from schemas 2)creating access control automata from
access control policies 3)creating query automata from XQuery queries 4)comparison of schema automata ,query automata, and access control automata.
Creating Access control Automata(cont’d)
• For the role Intern ,this policy contains a grant rule and a denial rule,both of which propagate downward.The grant rule contains an XPath
/record,while the denial rule contains an XPath
//comment.Thus
Comparison of Automata The path expression r is always-granted if every path
accepted by both the schema automaton and query automaton is accepted by the access control
automaton .
The path expression is always-denied if no path is accepted by all of the schema automaton ,query automaton and access control automaton.
The path expression is statically indeterminateif it is neither always-granted, or always-denied.
Experimental Results
• Query optimization
• Static Analysis frequently makes run-time checks unnecessary.
Conclusion• QFilter is Superior to Post- processing
primitive, no access control approach. • Static Analysis can handle only two cases
i.e., either access fully granted or access fully denied. QFilter is superior to Static-Analysis .