Publication


Featured research published by Michiharu Kudo.


computer and communications security | 2000

XML document security based on provisional authorization

Michiharu Kudo; Satoshi Hada

The extensible markup language (XML) is a promising standard for describing semi-structured information and contents on the Internet. When XML comes to be a widespread data encoding format for Web applications, safeguarding the accuracy of the information represented in XML documents will be indispensable. In this paper, we propose a provisional authorization model that provides XML with sophisticated access control mechanism. The well-recognized need for such a system has only recently been addressed. Based on this authorization model, we present an XML access control language (XACL) that integrates security features such as authorization, non-repudiation, confidentiality, and an audit trail for XML documents. We describe our implementation, which can be used as an extension of a Web server for e-Business applications.


computer and communications security | 2003

XML access control using static analysis

Makoto Murata; Akihiko Tozawa; Michiharu Kudo; Satoshi Hada

Access control policies for XML typically use regular path expressions such as XPath for specifying the objects for access control policies. However such access control policies are burdens to the engines for XML query languages. To relieve this burden, we introduce static analysis for XML access control. Given an access control policy, query expression, and an optional schema, static analysis determines if this query expression is guaranteed not to access elements or attributes that are permitted by the schema but hidden by the access control policy. Static analysis can be performed without evaluating any query expression against an actual database. Run-time checking is required only when static analysis is unable to determine whether to grant or deny access requests. A nice side-effect of static analysis is query optimization: access-denied expressions in queries can be evaluated to empty lists at compile time. We have built a prototype of static analysis for XQuery, and shown the effectiveness and scalability through experiments.


conference on information and knowledge management | 2005

A function-based access control model for XML databases

Naizhen Qi; Michiharu Kudo; Jussi Petri Myllymaki; Hamid Pirahesh

XML documents are frequently used in applications such as business transactions and medical records involving sensitive information. Typically, parts of documents should be visible to users depending on their roles. For instance, an insurance agent may see the billing information part of a medical document but not the details of the patient's medical history. Access control on the basis of data location or value in an XML document is therefore essential. In practice, the number of access control rules is on the order of millions, which is a product of the number of document types (in 1000s) and the number of user roles (in 100s). Therefore, the solution requires high scalability and performance. Current approaches to access control over XML documents have suffered from scalability problems because they tend to work on individual documents. In this paper, we propose a novel approach to XML access control through rule functions that are managed separately from the documents. A rule function is an executable code fragment that encapsulates the access rules (paths and predicates), and is shared by all documents of the same document type. At runtime, the rule functions corresponding to the access request are executed to determine the accessibility of document fragments. Using synthetic and real data, we show the scalability of the scheme by comparing the accessibility evaluation cost of two rule function models. We show that the rule functions generated on a user basis are more efficient for XML databases.


european symposium on research in computer security | 2004

Access-Condition-Table-Driven Access Control for XML Databases

Naizhen Qi; Michiharu Kudo

Access control represented by XPath expressions allows for access restrictions on elements, attributes, and text nodes according to their locations and values in an XML document. Many XML database applications call for such node-level access control on concerned nodes at any depth. To perform such node-level access control, current approaches create heavy loads on XML database applications since these approaches incur massive costs either at runtime or for data optimization. In order to solve these problems, we introduce an access condition table (ACT), a table equivalent to an access control policy, where Boolean access conditions for accessibility checks are stored. The ACT is generated as a means of shifting the extra runtime computations to a pre-processing step. Experimental results show that the proposed ACT can handle accesses to arbitrary paths at a nearly constant speed.


International Journal of Information Security | 2002

PBAC: Provision-based access control model

Michiharu Kudo

Over the years a wide variety of access control models and policies have been proposed, and almost all the models have assumed “grant the access request or deny it.” They do not provide any mechanism that enables us to bind authorization rules with required operations such as logging and encryption. We propose the notion of a “provisional action” that tells the user that his request will be authorized provided he (and/or the system) takes certain actions. The major advantage of our approach is that arbitrary actions such as cryptographic operations can all coexist in the access control policy rules. We define a fundamental authorization mechanism and then formalize a provision-based access control model. We also present algorithms and describe their algorithmic complexity. Finally, we illustrate how provisional access control policy rules can be specified effectively in practical usage scenarios.


IEICE Transactions on Information and Systems | 2008

Integrity Management Infrastructure for Trusted Computing

Seiji Munetoh; Megumi Nakamura; Sachiko Yoshihama; Michiharu Kudo

Computer security concerns have been rapidly increasing because of repeated security breaches and leakages of sensitive personal information. Such security breaches are mainly caused by an inappropriate management of the PCs, so maintaining integrity of the platform configuration is essential, and, verifying the integrity of the computer platform and software becomes more significant. To address these problems, the Trusted Computing Group (TCG) has developed various specifications that are used to measure the integrity of the platform based on hardware trust. In the trusted computing technology, the integrity data of each component running on the platform is recorded in the security chip and they are securely checked by a remote attestation. The infrastructure working group in the TCG is trying to define an Integrity Management Infrastructure in which the Platform Trust Services (PTS) is a new key component which deals with an Integrity Report. When we use the PTS in the target platform, it is a service component that collects and measures the runtime integrity of the target platform in a secure way. The PTS can also be used to validate the Integrity Reports. We introduce the notion of the Platform Validation Authority, a trusted third party, which verifies the composition of the integrity measurement of the target platform in the Integrity Reports. The Platform Validation Authority complements the role of the current Certificate Authority in the Public Key Infrastructure which attests to the integrity of the user identity as well as to related artifacts such as digital signatures. In this paper, we cover the research topics in this new area, the relevant technologies and open issues of the trusted computing, and the detail of our PTS implementation.


international conference on information and communication security | 1999

An Extended Logic for Analyzing Timed-Release Public-Key Protocols

Michiharu Kudo; Anish Mathuria

A logic is presented for analyzing public key protocols which provide time-dependent confidentiality using a trusted party. The logic is developed as an extension to an existing cryptographic modal logic with time due to Coffey and Saidha. The extension is designed to help capture aspects of timed-release public key protocols that are not captured in the Coffey-Saidha logic. The explicit use of time in the logic is shown to facilitate reasoning about the correctness of an example protocol.


european symposium on research in computer security | 2006

Bridging the gap between inter-communication boundary and internal trusted components

Yuji Watanabe; Sachiko Yoshihama; Takuya Mishina; Michiharu Kudo; Hiroshi Maruyama

Despite increasing needs for the coalition-based resource sharing, establishing trusted coalition of nodes in an untrusted computing environment is a long-standing yet increasingly important issue to be solved. The Trusted virtual domain (TVD) is a new model for establishing trusted coalitions over heterogeneous and highly decentralized computing environment. The key technology to enable TVD is the integrity assurance mechanism, which allows a remote challenger to verify the configuration and state of a node. A modern computer system consists of a multi-layer stack of software, such as a hypervisor, a virtual machine, an operating system, middleware, etc. The integrity assurance of software components is established by chains of assurance from the trusted computing base (TCB) at the lowest layer, while the communication interface provided by nodes should be properly abstracted at a higher layer to support interoperable communication and the fine-grained handling of expressive messages. To fill the gap between “secure communication between nodes” and “secure communication between trusted components”, a notion of “Secure Message Router (SMR)”, domain-independent, easy to verify, multi-functional communication wrapper for secure communication is introduced in this paper. The SMR provides essential features to establish TVDs: end-to-end secure channel establishment, policy-based message translation and routing, and attestability using fixed clean implementation. A virtual machine-based implementation with a Web service interface is also discussed.


annual srii global conference | 2012

Robot-Assisted Healthcare Support for an Aging Society

Michiharu Kudo

Eldercare is one of the most important healthcare concerns, particularly in countries whose populations are rapidly aging. This paper proposes the use of a robot system to improve the quality of life of elderly people in two ways, first by monitoring their home care services using image and sound sensors in the robots, and the second by assisting elders by understanding social situations using face authentication technology. This paper presents a concrete set of security policies to protect the privacy of the care-receiver of such home care services. An IT system architecture is also presented to monitor the data in a secure manner. Experimental results show the effectiveness and the practicality of the proposed robot system for typical home care services.


annual computer security applications conference | 1998

Electronic submission protocol based on temporal accountability

Michiharu Kudo

This paper describes various possible attacks on temporal properties such as temporal records of payment times and declarations of the closing times for electronic submissions, and explains defense measures that use a trusted third party to provide temporal accountability. The paper proposes a secure electronic submission protocol as a typical time-sensitive application and a temporal accountability logic, which is an extension of Kailar's (1996) work. It analyzes the proposed protocol by applying temporal accountability logic, and describes some modifications of the protocol, which reduce the total number of flows while keeping the protocol as logically secure as the original one in terms of temporal accountability.
