sabrina-kirrane
Research Questions
1. When relational data is exposed as RDF, how can we ensure the original access control policies are applied to the RDF data?
2. Beyond triple level access control, what rules are necessary to support existing access control models and to simplify access control specification and maintenance?
3. What adjustments need to be made to SPARQL queries, to ensure that only authorised data is returned?
4. What components are required to support the specification, enforcement and administration of access control for the Linked Data Web?
Access Control Entities
  Users e.g. JBloggs, MRyan
  Roles e.g. manager, supervisor
  Groups e.g. humanResources, sales
  Attributes e.g. (employer, NUIG), (policyNumber, 565656)
Access Rights: Create, Read, Update, Delete
Resources: Triples
The 28th International Conference on Logic Programming, ICLP 2012.
The 2nd Joint International Semantic Technology Conference, JIST 2012.
Associating Permissions with RDF
Zimmermann, A., Lopes, N., Polleres, A., Straccia, U. A general framework for representing, reasoning and querying with annotated semantic web data. 2012.
Allows domain specific meta data to be attached to triples
  Fuzzy:          :joeBloggs :worksFor :westportCars [ 0.5 ]
  Temporal:       :joeBloggs :worksFor :westportCars [ 2010, 2012 ]
  Provenance:     :joeBloggs :worksFor :westportCars [ :employeeDetails ]
  Access Control: :joeBloggs :worksFor :westportCars [ [Read] [Update] [Delete] ]
Supports both merging and inference
  (merge) domain operator = disjunction
  ⊗ domain operator = conjunction
Lifting both Data and Policies
Employee
  EmployeeID   Name         Salary
  JBloggs      Joe Bloggs   60000

Permissions
  ID   Type   Entity     Access
  HR   Role   Employee   Read

Use RDB2RDF to extract details of all employees and the roles that can access their data
prefix :<http://urq.deri.org/enterprise#>
:JBloggs rdf:type foaf:Person [ [HR] [] [] ] ;
         foaf:name "Joe Bloggs" [ [HR] [] [] ] ;
         :salary 60000 [ [HR] [] [] ] .
prefix :<http://urq.deri.org/enterprise#>
FOR Id, Name, Salary, Role
FROM PermissionsForEmployee
CONSTRUCT {
  :{ $Id } a foaf:Person [ [{ $Role }] [] [] ] ;
    foaf:name "{ $Name }" [ [{ $Role }] [] [] ] ;
    :salary { $Salary } [ [{ $Role }] [] [] ] .
}
PermissionsForEmployee
  EmployeeID   Name         Salary   RoleID
  JBloggs      Joe Bloggs   60000    HR
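The lifting of the Employee and Permissions tables above, and the merge/inference operators of the annotated RDF framework, as one added Python example that is not code from the slides. Table rows and the [Read][Update][Delete] annotation layout follow the slides; the dictionary representation, the function names and the extra permission row are assumptions.

```python
# Added example, not code from the slides: lift the Employee and Permissions
# tables to access-control-annotated triples and combine annotations the way the
# annotated RDF framework does. Table rows and the [Read][Update][Delete] layout
# follow the slides; the Python layout and function names are assumptions.
OPS = ("Read", "Update", "Delete")

# Constructed sample rows mirroring the slide tables (one extra permission row).
EMPLOYEES = [("JBloggs", "Joe Bloggs", 60000)]
PERMISSIONS = [("HR", "Role", "Employee", "Read"),
               ("HR", "Role", "Employee", "Update")]

def annotation(**grants):
    """Annotation = one set of authorised entities per operation, e.g. [ [HR] [] [] ]."""
    return {op: frozenset(grants.get(op, ())) for op in OPS}

def lift(employees, permissions):
    """RDB2RDF-style lifting: each Employee row yields three triples, each
    annotated with the roles that the Permissions table grants on Employee."""
    ann = annotation()
    for role, _type, entity, access in permissions:
        if entity == "Employee":
            ann[access] = ann[access] | {role}
    graph = {}
    for emp_id, name, salary in employees:
        for triple in ((f":{emp_id}", "rdf:type", "foaf:Person"),
                       (f":{emp_id}", "foaf:name", f'"{name}"'),
                       (f":{emp_id}", ":salary", str(salary))):
            graph[triple] = dict(ann)
    return graph

def merge(g1, g2):
    """Merging: a triple present in both graphs is accessible to whoever either
    source authorises (the merge operator is a disjunction, i.e. set union)."""
    out = {t: dict(a) for t, a in g1.items()}
    for t, a in g2.items():
        cur = out.get(t, annotation())
        out[t] = {op: cur[op] | a[op] for op in OPS}
    return out

def infer_subproperty(graph, sub, sup):
    """Inference: a triple derived via rdfs:subPropertyOf is only accessible to
    entities authorised on BOTH premises (the inference operator is a
    conjunction, i.e. set intersection). The schema triple must be in the graph."""
    schema = graph.get((sub, "rdfs:subPropertyOf", sup))
    derived = {}
    if schema is not None:
        for (s, p, o), ann in graph.items():
            if p == sub:
                derived[(s, sup, o)] = {op: ann[op] & schema[op] for op in OPS}
    return derived
```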
Evaluating Triple Based Access Control
Objective: Examine the performance overhead associated with access control
Dataset: Enterprise Software Applications
  Document Management System
  Timesheet System
Datasets of increasing size
  Records           9990    17692    33098    63909
  Triples          62296   123920   247160   493648
  File size (MB)     7.6     14.9     29.9     59.6
Overhead associated with access control
Evaluation Results and Limitations
  Performance improvement for 2+ triple patterns
What rules are necessary for access control over RDF data?
Discretionary Access Control (DAC)
  • Central access control policy
  • Users are allowed to override the central policy
  • Users can pass their access rights on to others (known as delegation)
28th IFIP TC-11 International Information Security and Privacy Conference, SEC 2013.
12th International Semantic Web Conference, ISWC 2013.
DAC for the RDF Data Model
  Ability to delegate access rights to others: grant/revoke
  Data and schema based authorisations
    triple(s), subject, object, property, named graph – RDF Quad Pattern
    RDFS/OWL, authorisation hierarchies
  Access rights tightly coupled with operations
    select, construct, ask, describe
    insert, delete, insert/delete
    drop, create, copy, move, add
  Conflict resolution
    denial takes precedence
    explicit over implicit
    exploit hierarchies
  Integrity constraints
    ensure the create, copy, move, add permissions are assigned to named graphs
Access Control Entities
  Users e.g. joeBloggs, johnSmith
  Roles e.g. manager, supervisor
  Groups e.g. humanResources, sales
  Attributes e.g. (employer, NUIG), (policyNumber, 565656)
Access Rights
  Create, Read, Update, Delete
  Select, Construct, Ask, Describe, Insert, Delete, Delete/Insert
  Create, Copy, Move, Add, Drop
Resources
  Triple
  RDF Quad Patterns
What rules are necessary to support DAC over RDF data?
Jajodia, S., Samarati, P., Sapino, M. L., Subrahmanian, V. S. Flexible support for multiple access control policies. 2001.
Hierarchical Data System Components
Users/Groups
Roles
Access Rights
Resources
Graph Based Data System Components
Subjects
Access Rights
Resources
Authorisations: <Sub, AR, Sign, Res, Type, By>
Propagation Rules: Auth_x ← Auth_y ∧ GraphPattern
Conflict Resolution Policies: Auth_x ← Auth_x > Auth_y
Integrity Constraints: Error ← Auth_x
Evaluating Graph Based Access Control
Objective: Overhead associated with access control over increasing:
  • datasets
  • authorisations
Dataset: Berlin SPARQL Benchmark Dataset
  Query and authorisation generator
Datasets of increasing size
  Quads            250223   500258   1000109   2000164   4000936
  File size (MB)     24.5       49        98       195       391
Authorisation sets of increasing size
  Quads             60000   120000    240000    480000    960000
  File size (MB)      6.5       13        26        53       105
Evaluation Results and Limitations
  Rules over increasing authorisations (60000 – 960000)
  Select queries over increasing triples (250223 – 4000936)
Authorisation patterns used:
  • all quads (?S ?P ?O ?G)
  • a particular graph (?S ?P ?O G1)
  • all quads of type (?S rdf:type bsbm:Offer ?G)
  • all classes (?S rdf:type rdf:Class)
  • all properties (?S rdf:type rdf:Property)
Propagation:
  • classes to all instances of that class
  • properties to all instances of that property
  • instance to properties associated with that instance
Known Limitations
  • Need access to all quad patterns to execute the query
  • Access control correctness an open issue
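The authorisation tuples, the class-to-instance propagation rule, the conflict resolution policies and the named graph integrity constraint described in the framework slides, as one added Python example that is not code from the slides. The quads, the "+"/"-" and explicit/implicit encodings and the function names are assumptions.

```python
# Added example, not code from the slides: a small model of the graph based
# authorisation framework. Authorisations are the 6-tuples
# <Sub, AR, Sign, Res, Type, By> from the slides; the class-to-instance
# propagation rule, the two conflict resolution policies and the named graph
# integrity constraint are the ones the slides list. The quads, the field
# encodings and the function names are assumptions.
from collections import namedtuple

Auth = namedtuple("Auth", "sub ar sign res type by")  # sign "+"/"-", type explicit/implicit

# Constructed quads (s, p, o, g) standing in for a BSBM-like dataset.
QUADS = {
    (":offer1", "rdf:type", "bsbm:Offer", ":G1"),
    (":offer2", "rdf:type", "bsbm:Offer", ":G1"),
    (":offer1", "bsbm:price", "10", ":G1"),
}

def propagate_class(auths, quads):
    """Propagation rule Auth_x <- Auth_y AND (?s rdf:type Class ?g): an
    authorisation on a class yields an implicit one on each of its instances."""
    derived = [Auth(a.sub, a.ar, a.sign, s, "implicit", a.by)
               for a in auths for s, p, o, _g in quads
               if p == "rdf:type" and o == a.res]
    return list(auths) + derived

def decide(auths, sub, ar, res):
    """Access decision with conflict resolution: explicit authorisations win
    over implicit ones, and among those, denial takes precedence. A request
    with no matching authorisation at all is denied."""
    matching = [a for a in auths if (a.sub, a.ar, a.res) == (sub, ar, res)]
    if not matching:
        return False
    explicit = [a for a in matching if a.type == "explicit"]
    return all(a.sign == "+" for a in explicit or matching)

def integrity_errors(auths, named_graphs):
    """Integrity constraint Error <- Auth_x: the create, copy, move and add
    permissions may only be assigned to named graphs."""
    graph_ops = {"create", "copy", "move", "add"}
    return [a for a in auths if a.ar in graph_ops and a.res not in named_graphs]
```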
SPARQL 1.1 Query Categories
SPARQL Queries
  • Basic graph patterns and aggregates
  • Negation and subqueries
SPARQL Updates
  • Insert/delete
  • Insert and Delete
  • Graph based update operations
Rewriting SPARQL BGPs & Aggregates
Quad pattern: :MRyan :salary ?o :Employee
Original query:
  SELECT ?id ?name ?salary
  WHERE { GRAPH ?g { ?id foaf:name ?name . ?id :salary ?salary } }
Rewritten query:
  SELECT ?id ?name ?salary
  WHERE { GRAPH ?g { ?id foaf:name ?name . ?id :salary ?salary
    FILTER NOT EXISTS { GRAPH :Employee { ?id foaf:name ?name . ?id :salary ?salary FILTER(?id = :MRyan) } } } }
Rewriting SPARQL Subqueries and Filters
Quad pattern: :MRyan :worksFor ?o :OrgStructure
Original query:
  SELECT DISTINCT ?employee ?manager
  WHERE { GRAPH ?g { ?x foaf:name ?employee . ?y foaf:name ?manager
    { SELECT ?x ?y WHERE { GRAPH :OrgStructure { ?x :worksFor ?y } } } } }
Rewritten query:
  SELECT DISTINCT ?employee ?manager
  WHERE { GRAPH ?g { ?x foaf:name ?employee . ?y foaf:name ?manager
    { SELECT ?x ?y WHERE { GRAPH :OrgStructure { ?x :worksFor ?y
      FILTER NOT EXISTS { GRAPH :OrgStructure { ?x :worksFor ?y FILTER ( ?x = :MRyan ) } } } } } } }
Rewriting SPARQL Update Queries
  DELETE/INSERT
    • Apply the SELECT query rewriting strategy
  DELETE DATA and INSERT DATA
    • Remove unauthorised quads from the query
  CLEAR and DROP
    • DELETE from the target graph
  ADD and LOAD
    • INSERT into the target graph
  COPY
    • DELETE from the destination graph
    • INSERT into the destination graph
  MOVE
    • DELETE from the destination graph
    • INSERT into the destination graph
    • DELETE from the source graph
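The FILTER NOT EXISTS rewriting shown for basic graph patterns, as an added Python routine that is not code from the slides. Triple patterns and the denial authorisation are tuples of strings with '?'-prefixed variables; it goes slightly beyond the slide's example by handling a variable in any position of the pattern or the authorisation. The function names and the exact string layout are assumptions.

```python
# Added example, not code from the slides: rewrite a basic graph pattern so that
# solutions covered by a denial authorisation (a quad pattern) are filtered out
# with FILTER NOT EXISTS, as on the "Rewriting SPARQL BGPs" slide. Function
# names and the output layout are assumptions.

def is_var(term):
    return term.startswith("?")

def unify(pattern, auth):
    """Equalities that make triple `pattern` match the denied quad `auth`
    (s, p, o only); None when two constants clash and no match is possible."""
    eqs = []
    for q, a in zip(pattern, auth[:3]):
        if not is_var(a) and not is_var(q) and q != a:
            return None
        if is_var(q) and not is_var(a):
            eqs.append(f"{q} = {a}")
    return eqs

def rewrite_bgp(patterns, graph_var, auth):
    """Wrap `patterns` in GRAPH graph_var { ... } and append one FILTER NOT
    EXISTS per triple pattern that could return the denied quad. The inner
    GRAPH is the authorisation's graph when it is a constant."""
    bgp = " . ".join(" ".join(p) for p in patterns)
    graph = graph_var if is_var(auth[3]) else auth[3]
    filters = []
    for p in patterns:
        eqs = unify(p, auth)
        if eqs is None:
            continue  # this pattern can never produce the denied quad
        cond = f" FILTER ({' && '.join(eqs)})" if eqs else ""
        clause = f"FILTER NOT EXISTS {{ GRAPH {graph} {{ {bgp}{cond} }} }}"
        if clause not in filters:
            filters.append(clause)
    return f"GRAPH {graph_var} {{ {bgp} {' '.join(filters)} }}".replace("  }", " }")
```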
Access Control Correctness
Wang, Q., Yu, T., Li, N., Lobo, J., Bertino, E., Irwin, K., Byun, J.-W. Correctness criteria for fine-grained access control in relational databases. 2007.
  Secure - does not return information which has not been authorised
  Sound - does not return invalid results
  Maximum - returns as much information as possible without violating the secure and sound constraints
[Figure: State 1 and State 2, with a "Holds?" check for each criterion]
Evaluating Query Rewriting Correctness
Objective: Compare the results returned by our query rewriting algorithm to the results returned by a standard SPARQL query over a filtered dataset
  • Basic graph patterns and aggregates
  • Negation and subqueries
  • Insert/delete
  • Insert and delete
  • Graph based update operations
Dataset
  Automatically generate a set of authorisations from all 2^4 possible combinations (of constants and variables) for each quad in the BSBM dataset
  Systematically generate queries for each of the 19104 RDF quad patterns
As SPARQL queries are based on basic graph pattern matching, if we can prove correctness for all possible authorisations over the different query types, the data itself is irrelevant
Evaluating Query Rewriting Correctness
Results: The proposed query rewriting algorithm is secure, sound and maximum for:
  • Basic graph patterns and aggregates
  • Negation and subqueries
  • Insert/delete
  • Insert and delete
  • Graph based update operations
Exception: In the case of property paths the query rewriting algorithm is not maximum
Example:
  FILTER NOT EXISTS { GRAPH ?g { ?employee :worksFor+ ?manager FILTER ( ?employee = :MRyan ) } }
Performance Evaluation
[Figure: four charts, Triple Updates, Graph Updates, Queries and Negation, each with time in milliseconds on the y-axis]
Conclusions
1. When relational data is exposed as RDF, how can we ensure the original access control policies are applied to the RDF data?
   Use RDB2RDF to extract and associate permissions with triples
2. Beyond triple level access control, what rules are necessary to support existing access control models and to simplify access control specification and maintenance?
   The flexible graph based authorisation framework
   • Authorisations
   • Propagation rules
   • Conflict resolution policies
   • Integrity constraints
3. What adjustments need to be made to SPARQL queries, to ensure that only authorised data is returned?
   Query rewriting strategy
   • FILTER NOT EXISTS expressions
   • Remove triples from insert and delete data queries
   • Rewrite update queries as INSERT/DELETE queries
4. What components are required to support the specification, enforcement and administration of access control for the LDW?
   The Linked Data Authorisation Architecture includes:
   • Authorisation Interface
   • Query Engine
   • Authorisation Framework
Linked Data with Access Control: Next Steps
Privacy
  • Reasoning over privacy policies
Context Awareness
  • Reasoning over contextual data
  • Efficient reasoning over streaming data
Usability & Understandability
  • Graph based data clustering and visualisation techniques
    o examine the interplay between authorisations and rules
    o determine the impact of new authorisations
Explanations & Negotiation
  • Potential security impact associated with explanations