Repairing Inconsistent XML Write-Access Control Policies

Loreto Bravo; James Cheney; Irini Fundulaki

doi:10.1007/978-3-540-75987-4_7

Repairing Inconsistent XML Write-Access Control Policies

Loreto Bravo, James Cheney, Irini Fundulaki

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

XML access control policies involving updates may contain security flaws, here called inconsistencies, in which a forbidden operation may be simulated by performing a sequence of allowed operations. This paper investigates the problem of deciding whether a policy is consistent, and if not, how its inconsistencies can be repaired. We consider policies expressed in terms of annotated DTDs defining which operations are allowed or denied for the XML trees that are instances of the DTD. We show that consistency is decidable in ptime for such policies and that consistent partial policies can be extended to unique “least-privilege” consistent total policies. We also consider repair problems based on deleting privileges to restore consistency, show that finding minimal repairs is np-complete, and give heuristics for finding repairs.

Original language	English
Title of host publication	Database Programming Languages
Subtitle of host publication	11th International Symposium, DBPL 2007, Vienna, Austria, September 23-24, 2007, Revised Selected Papers
Editors	Marcelo Arenas, MichaelI. Schwartzbach
Publisher	Springer
Pages	97-111
Number of pages	15
Volume	4797
ISBN (Electronic)	978-3-540-75987-4
ISBN (Print)	978-3-540-75986-7
DOIs	https://doi.org/10.1007/978-3-540-75987-4_7
Publication status	Published - 2007

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer Berlin Heidelberg
Volume	4797

Access to Document

10.1007/978-3-540-75987-4_7

http://dx.doi.org/10.1007/978-3-540-75987-4_7

Cite this

Bravo, L., Cheney, J., & Fundulaki, I. (2007). Repairing Inconsistent XML Write-Access Control Policies. In M. Arenas, & M. Schwartzbach (Eds.), Database Programming Languages: 11th International Symposium, DBPL 2007, Vienna, Austria, September 23-24, 2007, Revised Selected Papers (Vol. 4797, pp. 97-111). (Lecture Notes in Computer Science; Vol. 4797). Springer. https://doi.org/10.1007/978-3-540-75987-4_7

Bravo, Loreto ; Cheney, James ; Fundulaki, Irini. / Repairing Inconsistent XML Write-Access Control Policies. Database Programming Languages: 11th International Symposium, DBPL 2007, Vienna, Austria, September 23-24, 2007, Revised Selected Papers. editor / Marcelo Arenas ; MichaelI. Schwartzbach. Vol. 4797 Springer, 2007. pp. 97-111 (Lecture Notes in Computer Science).

@inproceedings{4aae7208c55640368f27a5f7a111762a,

title = "Repairing Inconsistent XML Write-Access Control Policies",

abstract = "XML access control policies involving updates may contain security flaws, here called inconsistencies, in which a forbidden operation may be simulated by performing a sequence of allowed operations. This paper investigates the problem of deciding whether a policy is consistent, and if not, how its inconsistencies can be repaired. We consider policies expressed in terms of annotated DTDs defining which operations are allowed or denied for the XML trees that are instances of the DTD. We show that consistency is decidable in ptime for such policies and that consistent partial policies can be extended to unique “least-privilege” consistent total policies. We also consider repair problems based on deleting privileges to restore consistency, show that finding minimal repairs is np-complete, and give heuristics for finding repairs.",

author = "Loreto Bravo and James Cheney and Irini Fundulaki",

year = "2007",

doi = "10.1007/978-3-540-75987-4_7",

language = "English",

isbn = "978-3-540-75986-7",

volume = "4797",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "97--111",

editor = "Marcelo Arenas and MichaelI. Schwartzbach",

booktitle = "Database Programming Languages",

address = "United Kingdom",

}

Bravo, L, Cheney, J & Fundulaki, I 2007, Repairing Inconsistent XML Write-Access Control Policies. in M Arenas & M Schwartzbach (eds), Database Programming Languages: 11th International Symposium, DBPL 2007, Vienna, Austria, September 23-24, 2007, Revised Selected Papers. vol. 4797, Lecture Notes in Computer Science, vol. 4797, Springer, pp. 97-111. https://doi.org/10.1007/978-3-540-75987-4_7

Repairing Inconsistent XML Write-Access Control Policies. / Bravo, Loreto; Cheney, James; Fundulaki, Irini.
Database Programming Languages: 11th International Symposium, DBPL 2007, Vienna, Austria, September 23-24, 2007, Revised Selected Papers. ed. / Marcelo Arenas; MichaelI. Schwartzbach. Vol. 4797 Springer, 2007. p. 97-111 (Lecture Notes in Computer Science; Vol. 4797).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Repairing Inconsistent XML Write-Access Control Policies

AU - Bravo, Loreto

AU - Cheney, James

AU - Fundulaki, Irini

PY - 2007

Y1 - 2007

N2 - XML access control policies involving updates may contain security flaws, here called inconsistencies, in which a forbidden operation may be simulated by performing a sequence of allowed operations. This paper investigates the problem of deciding whether a policy is consistent, and if not, how its inconsistencies can be repaired. We consider policies expressed in terms of annotated DTDs defining which operations are allowed or denied for the XML trees that are instances of the DTD. We show that consistency is decidable in ptime for such policies and that consistent partial policies can be extended to unique “least-privilege” consistent total policies. We also consider repair problems based on deleting privileges to restore consistency, show that finding minimal repairs is np-complete, and give heuristics for finding repairs.

AB - XML access control policies involving updates may contain security flaws, here called inconsistencies, in which a forbidden operation may be simulated by performing a sequence of allowed operations. This paper investigates the problem of deciding whether a policy is consistent, and if not, how its inconsistencies can be repaired. We consider policies expressed in terms of annotated DTDs defining which operations are allowed or denied for the XML trees that are instances of the DTD. We show that consistency is decidable in ptime for such policies and that consistent partial policies can be extended to unique “least-privilege” consistent total policies. We also consider repair problems based on deleting privileges to restore consistency, show that finding minimal repairs is np-complete, and give heuristics for finding repairs.

U2 - 10.1007/978-3-540-75987-4_7

DO - 10.1007/978-3-540-75987-4_7

M3 - Conference contribution

SN - 978-3-540-75986-7

VL - 4797

T3 - Lecture Notes in Computer Science

SP - 97

EP - 111

BT - Database Programming Languages

A2 - Arenas, Marcelo

A2 - Schwartzbach, MichaelI.

PB - Springer

ER -

Bravo L, Cheney J, Fundulaki I. Repairing Inconsistent XML Write-Access Control Policies. In Arenas M, Schwartzbach M, editors, Database Programming Languages: 11th International Symposium, DBPL 2007, Vienna, Austria, September 23-24, 2007, Revised Selected Papers. Vol. 4797. Springer. 2007. p. 97-111. (Lecture Notes in Computer Science). doi: 10.1007/978-3-540-75987-4_7

Repairing Inconsistent XML Write-Access Control Policies

Abstract

Publication series

Access to Document

Fingerprint

Cite this