327 research outputs found

    Secure Querying of Recursive XML Views: A Standard XPath-based Technique

    Most state-of-the-art approaches for securing XML documents allow users to access data only through authorized views defined by annotating an XML grammar (e.g. DTD) with a collection of XPath expressions. To prevent improper disclosure of confidential information, user queries posed on these views need to be rewritten into equivalent queries on the underlying documents. This rewriting enables us to avoid the overhead of view materialization and maintenance. A major concern here is that query rewriting for recursive XML views is still an open problem. To overcome this problem, some works have been proposed to translate XPath queries into non-standard ones, called Regular XPath queries. However, query rewriting under Regular XPath can be of exponential size as it relies on an automaton model. Most importantly, Regular XPath remains a theoretical achievement. Indeed, it is not commonly used in practice as translation and evaluation tools are not available. In this paper, we show that query rewriting is always possible for recursive XML views using only the expressive power of the standard XPath. We investigate the extension of the downward class of XPath, composed only of child and descendant axes, with some axes and operators and we propose a general approach to rewrite queries under recursive XML views. Unlike Regular XPath-based works, we provide a rewriting algorithm which processes the query only over the annotated DTD grammar and which can run in linear time in the size of the query. An experimental evaluation demonstrates that our algorithm is efficient and scales well. Comment: (2011

    A General Approach for Securely Querying and Updating XML Data

    Over the past years several works have proposed access control models for XML data where only read-access rights over non-recursive DTDs are considered. A few works have studied the access rights for updates. In this paper, we present a general model for specifying access control on XML data in the presence of update operations of the W3C XQuery Update Facility. Our approach for enforcing such update specifications is based on the notion of query rewriting, where each update operation defined over an arbitrary DTD (recursive or not) is rewritten to a safe one in order to be evaluated only over XML data which can be updated by the user. In the second part of this report we investigate the security of XML updating in the presence of read-access rights specified by security views. For an XML document, a security view represents for each class of users all and only the parts of the document these users are able to see. We show that an update operation defined over a security view can cause disclosure of sensitive data hidden by this view if it is not thoroughly rewritten with respect to both read and update access rights. Finally, we propose a security view based approach for securely updating XML in order to preserve the confidentiality and integrity of XML data. Comment: No. RR-7870 (2012

    Optimized trusted information sharing

    As the digital world expands, the building of trust and the retention of privacy in information sharing become paramount. A major impediment to information sharing is a lack of trust between the parties, based on security and privacy concerns, as well as information asymmetry. Several technological solutions have been proposed to solve this problem, including ours: a trusted enclave with a Continuous Compliance Assurance (CCA) mechanism. Of the work surrounding these proposed solutions, no attention has been directed toward studying the issues of performance surrounding processing of this nature. Studies have shown that ignoring the performance of a system can lead to ineffectiveness (i.e. disabling certain features), and can be severely detrimental to system adoption. To ensure that our trusted enclave and CCA mechanism are viable solutions to the trusted information sharing problem, we have built a prototype CCA mechanism and a test bed. The test bed has allowed us to identify problem areas within our prototype. One such area is compliance verification, which utilizes the XPath language in order to test XML encoded information for compliance with regulatory and corporate policies. The compliance verification problem can be described as the answering of multiple queries over a single XML document. We proposed and tested multiple state-of-the-art algorithmic as well as system-based improvements to XPath evaluation, in order to better the overall performance of this aspect of our system. We integrated each of the improvements into our prototype mechanism and have observed the results. Our experiments have taught us much about the problem of compliance verification, and have led us in new directions as we continue to search for a solution

    Safe Data Sharing and Data Dissemination on Smart Devices

    The erosion of trust put in traditional database servers, the growing interest in different forms of data dissemination and the concern for protecting children from suspicious Internet content are different factors that lead to moving access control from servers to clients. Several encryption schemes can be used to serve this purpose but all suffer from a static way of sharing data. In a previous paper, we devised smarter client-based access control managers exploiting hardware security elements on client devices. The goal pursued is to be able to evaluate dynamic and personalized access control rules on a ciphered XML input document, with the benefit of dissociating access rights from encryption. In this demonstration, we validate our solution using a real smart card platform and explain how we deal with the constraints usually met on hardware security elements (small memory and low throughput). Finally, we illustrate the generality of the approach and the ease of its deployment through two different applications: a collaborative application and a parental control application on video streams

    A Tool for Penetration Testing of Web Applications

    Abstract: As hackers become more skilled and sophisticated and with cyber-attacks becoming the norm, it is more important than ever before to undertake regular vulnerability scans and penetration testing to identify vulnerabilities and ensure on a regular basis that the cyber controls are working. In this thesis the importance and working of penetration testing and web application based penetration testing are discussed, followed by a comparison of and information about various testing tools and techniques and their advantages and disadvantages. The next section of the thesis mainly focuses on the past, current and future state of penetration testing in computer systems and application security, and the importance of the General Data Protection Regulation (GDPR) and Content Management Systems (CMS), followed by the main goal of the thesis, which explains the existing solutions in automated tools for vulnerability detection of web applications, their techniques, the positive and negative results of the conducted tests and their merits and demerits. In the next section, based on the comparison of various existing tools, an appropriate algorithm is selected to discuss the importance of scanning ports, which very few existing web application tools focus on; the following section practically demonstrates the scanning of ports, which gives information regarding the state of ports in order to understand the services running on the server. Finally, the result of the experiment will be compared with the existing web application tools. (460 - Department of Computer Science; very good)

    Net Neutrality Value Pack using Network Data Analytics

    The advent of mobile internet and the phenomenal growth of the use of smart phones has brought data to the forefront, creating newer revenue streams for the operators. The data/Internet connection now needs to cater to diverse traffic, just as a city must manage the flow of various vehicles and pedestrians on its streets. In the data world, usage of data ranges across various applications like streaming video, real-time gaming, and B2B & M2M applications. Such diverse customers often blame their operators for throttling data flows to the phones or computers. This causes significant delays and losses in data transmission. Any lapses in providing connectivity and continuity to the network will create a large number of dissatisfied customers and an unwarranted reduction of the customer base. Network neutrality is the idea that all operators should treat all data that travel over their networks fairly, without improper discrimination in favor of particular apps, sites or services. However, it is a complex, controversial topic and is an important part of a free and open Internet. It aims at enabling access, choice, and transparency of Internet offerings, thereby empowering users to benefit from full access to services, applications, and content available on the Internet. Implementing network neutrality legitimately without discrimination in favor of particular applications, sites or services has been a challenge faced by operators globally. This paper describes a Net Neutrality value pack using the Smart Profile Server (SPS). SPS is an enterprise application which forms the middleware to collect & analyze the network data to build and expose a data model having network traffic info w.r.t. session throughput, speed classification, page reloads etc. for a given customer/subscriber at a given time & location using the analytic database (DB). This data model can be either exposed as a REST [1] based interface as a smart profile view with fine-grained access control or tied to 3rd party dashboard tools to act as a window to subscribers & regulation agencies to determine if the operator is truly net neutral

    Hybrid approach for XML access control (HyXAC)

    While XML has been widely adopted for sharing and managing information over the Internet, the need for efficient XML access control naturally arises. Various access control models and mechanisms have been proposed in the research community, such as view-based approaches and preprocessing approaches. All categories of solutions have their inherent advantages and disadvantages. For instance, the view-based approach provides high performance in query evaluation, but suffers from view maintenance issues. To remedy the problems, we propose a hybrid approach, namely HyXAC: Hybrid XML Access Control. HyXAC provides efficient access control and query processing by maximizing the utilization of available (but constrained) resources. HyXAC uses the pre-processing approach as a baseline to process queries and define sub-views. It dynamically allocates the available resources (memory and secondary storage) to materialize sub-views to improve query performance. Dynamic and fine-grained view management is introduced to utilize cost-effectiveness analysis for optimal query performance. Fine-grained view management also allows sub-views to be shared across multiple roles to eliminate the redundancies in storage