Data and Applications Security
Developments and Directions
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Secure Object Systems
October 1, 2010
Outline
 Background on object systems
 Discretionary security
 Multilevel security
 Objects for modeling secure applications
 Object Request Brokers
 Secure Object Request Brokers
 Secure frameworks
 Secure Multimedia and Geospatial Systems
Concepts in Object Database Systems
 Objects- every entity is an object
- Example: Book, Film, Employee, Car
 Class
- Objects with common attributes are grouped into a class
 Attributes or Instance Variables
- Properties of an object class inherited by the object instances
 Class Hierarchy
- Parent-Child class hierarchy
 Composite objects
- Book object with paragraphs, sections etc.
 Methods
- Functions associated with a class
Example Class Hierarchy (figure)
Document Class: attributes ID, Name, Author, Publisher; Method1: Print-doc-att(ID); instances D1, D2
Subclasses Journal (instance J1) and Book (instance B1); subclass attributes shown: Volume #, # of Chapters; Method2: Print-doc(ID)
Example Composite Object (figure)
Composite Document Object containing Section 1 Object and Section 2 Object; a Section Object contains Paragraph 1 Object and Paragraph 2 Object
Security Issues
 Access Control on Objects, Classes, Attributes etc.
 Execute permissions on Methods
 Multilevel Security
 Security impact on class hierarchies
 Security impact on composite hierarchies
Objects and Security (figure)
Secure OODB: persistent data store
Secure OODA: design and analysis
Secure OOPL: programming language
Secure DOM: infrastructure
Secure Frameworks: business objects
Secure OOT: technologies
Secure OOM: unified object model is evolving
Access Control
EMP Class, instance variables: SS#, Ename, Salary, D#
- OID = 100: 1, John, 20K, 10
- OID = 200: 2, Paul, 30K, 20
- OID = 300: 3, Mary, 40K, 20
DEPT Class, instance variables: D#, Dname, Mgr
- OID = 500: 10, Math, Smith
- OID = 600: 20, Physics, Jones
Method Increase-Salary(OID, Value):
- Read-Salary(OID, Amount)
- Amount := Amount + Value
- Write-Salary(OID, Amount)
Access Control Rules:
- John has update access to EMP Class
- Jane has read access to DEPT Class
- Jane has update access to object with OID = 500
- Mary has execute access to Increase-Salary method
Access Control Hierarchies
Class hierarchy: EMP Class with subclasses MGR and ENG
Access Control Rules on Class Hierarchy:
- John has update access to EMP Class
- John has read access to MGR Class
Aggregate hierarchy: Book Object composed of Introduction, Set of Sections and References
Access Control Rules on Aggregate Hierarchy:
- John has update access to Introduction and References
- John has read access to Set of Sections
Secure Object Relational Model
BOOK relation with attributes ISBN#, Bname, Contents (the Contents column holds object-valued data, drawn on the slide as ++++ and ########):
- ISBN# 1, Bname X
- ISBN# 2, Bname Y
- ISBN# 3, Bname Z
Access Control Rules:
- John has update access to Book object with ISBN #1
- Jane has read access to Book object with ISBN #2
Policy Enforcement
Policy Enforcement Mechanisms:
- Query modification algorithm on objects and instance variables
- Rule processing integrated with method execution for enforcing access control
- Visualizing access control policies on objects using UML and other specifications
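The access control rules from the EMP/DEPT, class hierarchy and aggregate hierarchy slides, and the rule processing at method execution mentioned above, as an added Python model that is not part of the lecture: rules are held at class, object and method granularity, the most specific rule decides (object, then class chain, then containing object), and the execute check runs when Increase-Salary is invoked. The MGR instance with OID 700, the Section object and the choice that update implies read are assumptions.

```python
from dataclasses import dataclass
# Access modes; this example assumes "update" implies "read".
IMPLIES = {"update": {"update", "read"}, "read": {"read"}, "execute": {"execute"}}
# Class hierarchy from the slides: MGR and ENG are subclasses of EMP.
SUPERCLASS = {"MGR": "EMP", "ENG": "EMP"}

@dataclass
class Obj:
    oid: int
    cls: str
    attrs: dict
    parent: int = None  # containing object in the aggregate hierarchy, if any

@dataclass
class Rule:
    subject: str
    mode: str    # read | update | execute
    target: str  # "object:<oid>", "class:<name>" or "method:<name>"

def class_chain(cls):
    """The class followed by its superclasses, most specific first."""
    chain = []
    while cls:
        chain.append(cls)
        cls = SUPERCLASS.get(cls)
    return chain

def allowed(rules, subject, mode, oid, objects):
    """Most specific rule decides: the object, then its class chain, then the
    object that contains it. No applicable rule means deny."""
    obj = objects[oid]
    for target in [f"object:{oid}"] + [f"class:{c}" for c in class_chain(obj.cls)]:
        for r in rules:
            if r.subject == subject and r.target == target:
                return mode in IMPLIES[r.mode]
    if obj.parent is not None:
        return allowed(rules, subject, mode, obj.parent, objects)
    return False

def increase_salary(obj, value):
    """Increase-Salary: Read-Salary; Amount := Amount + Value; Write-Salary."""
    obj.attrs["Salary"] = obj.attrs["Salary"] + value
    return obj.attrs["Salary"]
METHODS = {"Increase-Salary": increase_salary}

def invoke(rules, subject, method, oid, objects, *args):
    """Rule processing integrated with method execution: the caller needs
    execute access on the method before its body runs on the object."""
    if not any(r.subject == subject and r.mode == "execute"
               and r.target == f"method:{method}" for r in rules):
        raise PermissionError(f"{subject} may not execute {method}")
    return METHODS[method](objects[oid], *args)

# Constructed sample database following the slides (salaries in K).
OBJECTS = {o.oid: o for o in [
    Obj(300, "EMP", {"SS#": 3, "Ename": "Mary", "Salary": 40, "D#": 20}),
    Obj(500, "DEPT", {"D#": 10, "Dname": "Math", "Mgr": "Smith"}),
    Obj(600, "DEPT", {"D#": 20, "Dname": "Physics", "Mgr": "Jones"}),
    Obj(700, "MGR", {"SS#": 4, "Ename": "Ann", "Salary": 50, "D#": 10}),  # hypothetical
    Obj(800, "Book", {}),                        # aggregate: Book -> components
    Obj(801, "Introduction", {}, parent=800),
    Obj(802, "SetOfSections", {}, parent=800),
    Obj(804, "Section", {}, parent=802),         # no rule of its own: inherits from 802
]}
RULES = [
    Rule("John", "update", "class:EMP"), Rule("John", "read", "class:MGR"),
    Rule("Jane", "read", "class:DEPT"), Rule("Jane", "update", "object:500"),
    Rule("Mary", "execute", "method:Increase-Salary"),
    Rule("John", "update", "object:801"), Rule("John", "read", "object:802"),
]
```

Note that John's read-only rule on MGR restricts him on MGR instances even though he may update EMP, and a Section with no rule of its own takes the read-only rule of the Set of Sections that contains it.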
Sample Systems
Example Systems: Security for
- Gemstone (originally Servio Logic)
- Objectstore (originally Object Design)
- Ontos (originally Ontos Inc)
- Starburst (IBM Almaden)
- O2 (Altair Group)
- ORION (MCC)
- IRIS (HP Labs)
Multilevel Security (figure)
Book Object composed of Introduction (Unclassified), Set of Sections (Top Secret) and References (Secret)
Some Security Properties
 Security level of an instance must dominate the level of the class
 Security level of a subclass must dominate the level of the
superclass
 Classifying associations between two objects
 Method must execute at a level that dominates the level of the
method
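The four properties above, checked in code: an added Python example, not from the lecture, using the Book object with its Unclassified, Top Secret and Secret components and a total order of levels (no compartments, an assumption). It also includes the upward-only information flow check that the dynamic model slides later use to flag the C to U and S to C flows as problems; the rule that an association takes the least upper bound of its two objects' levels is an assumption, and the Document and Section classes are constructed.

```python
from dataclasses import dataclass, field

# Total order of levels as on the slides (assumption: no compartments).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def dominates(a, b):
    """a dominates b when a is at least as high as b in the lattice."""
    return LEVELS[a] >= LEVELS[b]

@dataclass
class MlsClass:
    name: str
    level: str
    superclass: "MlsClass" = None

@dataclass
class MlsObject:
    name: str
    level: str
    cls: MlsClass
    parts: dict = field(default_factory=dict)  # component name -> MlsObject

def valid_class(c):
    """Security level of a subclass must dominate the level of the superclass."""
    return c.superclass is None or dominates(c.level, c.superclass.level)

def valid_instance(o):
    """Security level of an instance must dominate the level of its class."""
    return dominates(o.level, o.cls.level)

def association_level(a, b):
    """Assumed rule: an association between two objects is classified at the
    least upper bound of the two objects' levels."""
    return max(a.level, b.level, key=LEVELS.get)

def may_execute(subject_level, method_level):
    """A method executes only at a level that dominates the method's level."""
    return dominates(subject_level, method_level)

def flow_allowed(src_level, dst_level):
    """Information may flow only upwards: the destination must dominate the
    source (the dynamic model flags C -> U and S -> C as problems)."""
    return dominates(dst_level, src_level)

def visible_parts(subject_level, obj):
    """Components of a composite object a subject may read (no read up)."""
    return [n for n, p in obj.parts.items() if dominates(subject_level, p.level)]

# Constructed instance of the Book example from the slides.
DOCUMENT = MlsClass("Document", "Unclassified")
BOOK = MlsClass("Book", "Unclassified", superclass=DOCUMENT)
SECTION = MlsClass("Section", "Unclassified", superclass=DOCUMENT)  # hypothetical
BOOK_OBJ = MlsObject("Book", "Unclassified", BOOK, parts={
    "Introduction": MlsObject("Introduction", "Unclassified", SECTION),
    "Set of Sections": MlsObject("Set of Sections", "Top Secret", SECTION),
    "References": MlsObject("References", "Secret", SECTION),
})
```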
Multilevel Secure Object Relational Systems
BOOK relation with attributes ISBN#, Bname, Contents, Level (Contents drawn on the slide as ++++ and ########); rows ISBN# 1 (X), 2 (Y), 3 (Z); the Level column carries the values Top Secret, Secret and Unclassified, in that order on the slide
Sample MLS Object Systems
Design Approaches:
- SORION (Thuraisingham, MITRE)
- SO2 (Thuraisingham, MITRE)
- Millen-Lunt (Millen and Lunt, SRI)
- SODA (Keefe et al, U. of MN)
- Morgenstern (Morgenstern, SRI)
- UFOS (Rosenthal et al, MITRE)
- Message Passing (Jajodia and Kogan, GMU)
Objects for Secure Applications
Object Modeling Technique for Secure Database Applications:
- Object Model: models the static aspects of the application and security properties using objects
- Dynamic Model: models the activities and the security properties of the activities
- Functional Model: generates the data flow diagrams and the security levels of the methods
Object Modeling
SHIP Class; Range: Unclassified ---- Secret
- Unclassified Attributes: ID, Name, Group
- Secret Attributes: Captain, Mission
SHIP Instance: ID: YYY; Name: Florida; Group: ZZZ; Captain: Smith; Mission: AAA
Dynamic Model (figure)
Objects: Captain (Level: U, Operational Level: C); Ship (Level: U); Mission-Plan (Level: U, with U, C and S attributes); Mission (Level: U, Operational level: S)
Interactions: Reserve ship, Reserved status (security problem: information flow from C to U); Carry out mission, Get mission details, Mission details, Mission status (problem: information flow from S to C)
Functional Model (figure)
Data flow diagram with entities SHIP, CAPTAIN and MISSION PLAN and processes RESERVE (flows: good status, bad status), GET PLAN (flows: Mission ID, plan) and EXECUTE MISSION (flow: status)
UML and Policies (figure)
Policy A: User has Roles
- User Class (attributes of the User): Name, Age, Gender, ...
- Role Class (attributes of the Role): Name, Functions, ...
- Association: Has
Policy B: User carries out Activities
- User Class (attributes of the User): Name, Age, Gender, ...
- Activity Class (attributes of the Activity): Name, Description, ...
- Association: Carries out
Merged Policy C: User has Roles and carries out Activities
- User Class: Name, Age, Gender, ...
- Role Class: Name, Functions, ...
- Activity Class: Name, Description, ...
- Associations: Has (User to Role), Carries out (User to Activity)
Distributed Object Management Systems
 Integrates heterogeneous applications, systems and databases
 Every node, database or application is an object
 Connected through a Bus
 Examples of Bus include
- Object Request Brokers (Object Management Group)
- Distributed Component Object Model (Microsoft)
Object-based Interoperability (figure)
Client Object and Server Object communicating through an Object Request Broker
Example Object Request Brokers: Object Management Group's (OMG) CORBA (Common Object Request Broker Architecture); Javasoft's RMI (Remote Method Invocation): Java-based Clients, RMI, Business Objects Servers
Secure Object Request Brokers (figure)
Client Object and Server Object communicating through an Object Request Broker; Security Service: ensures secure communication between client and server
CORBA (Common Object Request Broker
Architecture) Security
 Security Service provides the following:
- Confidentiality
- Integrity
- Accountability
- Availability
 URLs
- http://www.javaolympus.com/J2SE/NETWORKING/CORBA/CORBASecurity.jsp
- http://student.cosy.sbg.ac.at/~amayer/projects/corbasec/sec_overview.html
- www.omg.org
OMG Security Specifications (figure)
- CORBA Security Service: provides basic security for the infrastructure
- CSIv2: service that supports interoperation, authentication, delegation and privileges
- ATLAS: service that supports obtaining authorization tokens to access a target system
CORBA (Common Object Request Broker
Architecture) Security - 2
 Identification and Authentication of Principals
 Authorization and Access Control
 Security Auditing
 Security of communications
 Administration of security information
 Non repudiation
Dependable Object Request Brokers (figure)
Layered architecture: application layer (Navigation, Data Analysis Programming Group (DAPG), Data Links, Sensors, Sensor Detections, Consoles (14), Multi-Sensor Tracks, MSI App, Future Apps) over Infrastructure Services (Data Mgmt., Display Processor & Refresh Channels, Data Xchg.; technology provided by Project) over the Real Time Operating System and Hardware
Goal: integrate security, real-time and fault tolerance computing
Secure Frameworks (figure)
Framework A consisting of Components B, C, D; Framework X consisting of Components Y and Z
Access Control on Components and Frameworks:
- John has update access to components B, C, and Y
- Jane has update access to Framework A and read access to Framework X
Directions
 Object Models
- UML for Security applications is becoming common practice
- Secure distributed object systems have gained popularity
- Evolution into secure object-based middleware
- Secure object-based languages
- Integrating security and real-time for object systems
 Distributed Objects
- Security cannot be an afterthought for object-based interoperability
- Use ORBs that have implemented security services
- Trends are moving towards Java based interoperability and Enterprise Application Integration (EAI)
- Examples of EAI products are Web Sphere (IBM) and Web Logic (BEA)
- Security has to be incorporated into EAI products
Why Multimedia Data Management System?
 Need persistent storage for managing large quantities of multimedia
data
 A Multimedia data manager manages multimedia data such as text,
images, audio, animation, video
 Extended by a Browser to produce a Hypermedia data management
system
 Heterogeneity with respect to data types
 Numerous Applications
- Entertainment, Defense and Intelligence, Telecommunications,
Finance, Medical
Architectures: Loose Integration (figure)
User Interface over a Module for Integrating Data Manager with File Manager; underneath, a Data Manager for Metadata (holding the Metadata) alongside a Multimedia File Manager (holding the Multimedia Files)
Architectures: Tight Integration (figure)
User Interface over MM-DBMS (integrated data manager and file manager) over the Multimedia Database
Data Model: Scenario Example (figure)
Object representation: Object A (2000 Frames, with time stamps 4/95, 5/95, 8/95); Object B (3000 Frames, with time stamp 10/95)
Multimedia Data Access: Some approaches
 Text data
- Selection with index features
- Methods: Full text scanning, Inverted files, Document clustering
 Audio/Speech data
- Pattern matching algorithms
 Matching index features given for searching and ones available in the database
 Image data
- Identifying geometric boundaries, Identifying spatial
relationships, Image clustering
 Video data
- Retrieval with metadata, Pattern matching with images
Metadata for Multimedia
 Metadata may be annotations and stored in relations
- I.e., metadata from text, images, audio and video are extracted and stored as text
- Text metadata may be converted to relations by tagging and extracting concepts
 Metadata may be images of video data
- E.g., certain frames may be captured as metadata
 Multimedia data understanding
- Extracting metadata from the multimedia data
Storage Methods
 Single disk storage
- Objects belonging to different media types in same disk
 Multiple disk storage
- Objects distributed across disks
 Example: individual media types stored in different disks
 I.e., audio in one disk and video in another
 Need to synchronize for presentation (real-time techniques)
 Multiple disks with striping
- Distribute placement of media objects in different disks
 Called disk striping
Security Issues
 Access Control
 Multilevel Security
 Architecture
 Secure Geospatial Information Systems
Access Control for Multimedia Databases
 Access Control for Text, Images, Audio and Video
 Granularity of Protection
- Text
 John has access to Chapters 1 and 2 but not to 3 and 4
- Images
 John has access to portions of the image
 Access control for pixels?
- Video and Audio
 John has access to Frames 1000 to 2000
 Jane has access only to scenes in US
- Security constraints
 Association based constraints
E.g., collections of images are classified
MLS Security (figure)
Book Object composed of Introduction, Set of Sections and References
- Introduction: Level = Unclassified
- Set of Sections: Level = Top Secret
- References: Level = Secret
Example Security Architecture: Integrity Lock (figure)
Components: Trusted Agent to compute checksums; Untrusted Multimedia Data Manager; Sensors; Multimedia Database
On insertion: compute checksum based on, say, multimedia data value (such as video object content), security level and checksum
On retrieval: compute checksum based on multimedia data value and security level retrieved from the stored multimedia database
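The integrity lock above, as an added Python example that is not part of the lecture: a trusted agent keys an HMAC over the multimedia data value and its security level before the record is handed to the untrusted data manager, and recomputes it on retrieval, so a record whose content or level was altered while in untrusted hands is rejected before the level is used for the no-read-up check. The use of HMAC-SHA256 as the checksum, the length-prefixed encoding and the sample video bytes are assumptions.

```python
import hashlib
import hmac
import struct

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def encode(level, data):
    """Length-prefixed encoding so that no two (level, data) pairs share bytes."""
    lvl = level.encode()
    return struct.pack(">I", len(lvl)) + lvl + struct.pack(">I", len(data)) + data

class TrustedAgent:
    """Computes and verifies the checksum (an HMAC here) over data plus level.
    Only the trusted agent holds the key."""
    def __init__(self, key):
        self._key = key

    def checksum(self, level, data):
        return hmac.new(self._key, encode(level, data), hashlib.sha256).digest()

    def verify(self, level, data, tag):
        return hmac.compare_digest(self.checksum(level, data), tag)

class UntrustedManager:
    """Untrusted multimedia data manager: stores and returns records but is not
    relied on for the integrity of either the content or its level."""
    def __init__(self):
        self.store = {}

    def put(self, oid, level, data, tag):
        self.store[oid] = (level, data, tag)

    def get(self, oid):
        return self.store[oid]

def insert(agent, mgr, oid, level, data):
    """Trusted agent computes the checksum; the untrusted manager stores it."""
    mgr.put(oid, level, data, agent.checksum(level, data))

def retrieve(agent, mgr, oid, subject_level):
    """Recompute the checksum from what came back; reject altered content or a
    relabelled level, then apply the no-read-up check on the verified level."""
    level, data, tag = mgr.get(oid)
    if not agent.verify(level, data, tag):
        raise ValueError("integrity lock failed: content or level was altered")
    if LEVELS[subject_level] < LEVELS[level]:
        raise PermissionError("subject level does not dominate object level")
    return data

# Constructed demonstration: a Secret video object, then a relabelling attempt.
def demo():
    agent = TrustedAgent(b"example-key-held-by-trusted-agent")
    mgr = UntrustedManager()
    insert(agent, mgr, 42, "Secret", b"\x00\x01\x02 video object bytes")
    ok = retrieve(agent, mgr, 42, "Top Secret")
    lvl, data, tag = mgr.get(42)
    mgr.put(42, "Unclassified", data, tag)  # level changed behind the agent's back
    try:
        retrieve(agent, mgr, 42, "Unclassified")
        return None                         # would mean the relabelling went unnoticed
    except ValueError:
        return ok                           # relabelling detected by the integrity lock
```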
Inference Control (figure)
User Interface Manager; Inference Engine acting as an Inference Controller, using Metadata and Constraints; Multimedia Database Manager; Multimedia Database
Securing Geospatial Data
 Geospatial images could be Digital Raster Images that store images
as pixels or Digital Vector Images that store images as points, lines
and polygons
 GSAM: Geospatial Authorization Model specifies subjects, credentials, objects (e.g., points, lines, pixels etc.) and the access that subjects have to objects
 Reference: Authorization Model for Geospatial Data; Atluri and
Chun, IEEE Transactions on Dependable and Secure Computing,
Volume 1, #4, October – December 2004.
 Bhavani M. Thuraisingham, Gal Lavee, Elisa Bertino, Jianping Fan,
Latifur Khan: Access control, confidentiality and privacy for video
surveillance databases. SACMAT 2006: 1-10
 Details will be given in one of the lectures after the mid-term.
Secure Geospatial Data Management
 Secure Geospatial data management
 References:
- Vijayalakshmi Atluri, Soon Ae Chun: An Authorization Model for Geospatial Data. IEEE Trans. Dependable Sec. Comput. 1(4): 238-254 (2004)
- Elisa Bertino, Bhavani M. Thuraisingham, Michael Gertz, Maria Luisa Damiani: Security and privacy for geospatial data: concepts and research directions. SPRINGL 2008:619
Framework for Geospatial Data Security
(Joint with UCDavis and Purdue U.)
(figure) Data Presentation Components: Open Geospatial Consortium Framework, Traditional GIS, GIS Web Services, Wrapper
Security Layer: Core & Application Schemas, Geospatial Features, Geography Markup Language, Authentic Data Publication, DAC/RBAC Policy Specification, Policy Reasoning Engine, Access Control Module, Trust & Privacy Management, Auditing, Misuse Detection, Metadata
Data Access Layer: Geospatial Data Registration (spatial and temporal registration of geospatial data), Geospatial Data Repositories, Data Integration Services & Data Repository Access
Example of several GIS repositories and GIS
themes/layers for Northern California (Gertz, Bertino,
Thuraisingham)
Assume a single GIS data repository that manages information about parcels (being the basic units
of geography for local government) and cadastre, including land use and zoning, environmental
areas, and municipal utility services.
This type of repository is typically used by public sector staff to assist property owners and to
support emergency, fire, and police operations.
The latter type of usage includes identifying property structures and owners. Parcel maps in
particular can be useful to do damage assessment after a disaster.
Example (Continued)
They are also an important access point during emergencies for linking data from different GIS
repositories. While such types of geospatial data are used to serve the public, e.g., through Web-based
interfaces, not all data layers are made publicly available. For example, property owner information
is not publicly accessible.
A similar separation of public and private GIS data can be made for other types of themes. For
example, environmental theme layers do not make information about locations of endangered
species or nesting sites public.
Based on this type of separation of GIS data, the following question arises: “What security
mechanisms are used to specify and enforce different types of access to data in a single GIS
repository?”
In particular, “What provisions do GIS data managers have to (1) give public sector staff only
access to GIS data relevant to their function, and (2) ensure that no sensitive geospatial data (e.g.,
parcel owner information) is made publicly available?”
Ideally, GIS repositories should provide access control models and techniques similar to those
developed for traditional (relational) databases. However, the diversity of geospatial data (feature-based
versus field-based) and the complexity of feature-based geospatial data complicate a coherent
and uniform access control model.
Policy Example (Bertino, Gertz, Thuraisingham)
Deny/allow policies with flexible granularity, grouping mechanisms for
protected objects, and space-related access restrictions.
Deny/allow policies will be supported through the use of positive/negative authorizations; negative
authorizations are crucial in order to support exceptions, by which, for example, an authorization is
assigned to all objects in a set but one. In our context this paradigm is complicated by the larger
options that we provide for denoting protected objects and by the presence of different object
representations and dimensions. The main mechanism that we provide to support flexible grouping
is based on the notions of object-locator and spatial window. An object-locator is a query expression
that may include predicates against properties of feature types, metadata and provenance data.
Predicates may also refer to topological relationships holding among the data objects, such as
Within and Touches. An example of a policy using Touches is the one allowing a subject, which has
access to information on a particular land parcel, to access information about all adjacent land
parcels. The query expression may also include a projection component to specify an object
representation and components. A spatial window is simply a spatial region in the reference space
and denotes the set of object that are inside the boundary of the region. By combining such two
mechanisms, one can specify sets of objects such as “all shelters occupying an area greater than
3000sf in Montgomery County”; in such case Montgomery County represents the authorization
window. The use of spatial windows is particularly important to
Policy Example (Continued)
Active policies.
These are policies that when applied to a protected object perform certain transformations on the
object, before returning it to the requester. Two relevant classes are the filtering policies and the
obfuscating policies. Filtering policies refer to policies that filter out some portions of the objects
before returning them to the users. These policies are directly supported by our object locator
mechanisms.
Obfuscating policies
These policies act like filter policies except that they do not simply select objects but perform
possibly complex computations on the feature(s) to be returned. Typical examples include
computing a lower resolution image, and distorting some vector data (but preserving topological
relationships). One can even specify policies that return incorrect data (e.g., as a honey pot in the
context of misuse detection). In our model these policies are supported by the projection component,
suitably extended with the possibility of invoking functions, of the object locator. We will provide a
library including a variety of functions to support obfuscating policies.
Policy Example (Concluded)
Context-dependent access control policies.
Under such policies, information from the environment is taken into account by the access control
module when taking decisions about access requests. Typical contextual information includes time
and subject location. Subject location information is used to specify policies allowing a subject to
access a resource only if the current location of the subject verifies certain spatial constraints.
Context-dependent access policies will be supported by the introduction of a context component, as
part of authorization rules, and by attribute-based specification of subjects in authorization rules.
Event-based access control policies.
Event-based access control policies are novel and are based on the idea that policies can be
enabled/disabled depending on the occurrence of specified events. Events can include data
modifications, very much like in database triggers, or application-dependent events, such as an
emergency. We notice that current sensor networks and intelligent appliances make it very easy for
a computer system to detect events arising in the environments. Our model will take advantage of
such capabilities.
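The object-locator, spatial window, positive/negative authorization and obfuscating-policy ideas from the policy example above, as an added Python sketch that is neither the project's code nor part of the slides: an authorization pairs a locator predicate with an optional window, a negative authorization expresses an exception and overrides positive ones, Touches on adjacent parcels is evaluated on box geometry, and a projection function returns a feature at lower resolution. The Feature and Authorization types, the axis-aligned box geometry, the Montgomery County window and the shelters and parcels are all constructed.

```python
from dataclasses import dataclass, replace
from typing import Callable, Optional

@dataclass(frozen=True)
class Feature:
    fid: str
    ftype: str    # feature type, e.g. "shelter" or "parcel"
    bbox: tuple   # (xmin, ymin, xmax, ymax) in constructed reference-space units
    props: dict

def inside(window, b):
    """Object lies inside the spatial window (axis-aligned boxes)."""
    return window[0] <= b[0] and window[1] <= b[1] and b[2] <= window[2] and b[3] <= window[3]

def touches(a, b):
    """Topological Touches for boxes: they share an edge but do not overlap."""
    x_touch = (a[2] == b[0] or b[2] == a[0]) and a[1] < b[3] and b[1] < a[3]
    y_touch = (a[3] == b[1] or b[3] == a[1]) and a[0] < b[2] and b[0] < a[2]
    return x_touch or y_touch

def coarsen(f):
    """Obfuscating projection: return the feature at lower resolution."""
    return replace(f, bbox=tuple(round(v, -2) for v in f.bbox))

@dataclass
class Authorization:
    subject: str
    locator: Callable[[Feature], bool]    # object-locator predicate
    window: Optional[tuple] = None        # spatial window; None = whole space
    positive: bool = True                 # negative authorizations express exceptions
    transform: Optional[Callable] = None  # obfuscating function applied before return

    def applies(self, f):
        return self.locator(f) and (self.window is None or inside(self.window, f.bbox))

def evaluate(auths, subject, features):
    """Features the subject may see, after obfuscation. Deny wins: any negative
    authorization that applies to an object overrides the positive ones."""
    out = []
    for f in features:
        mine = [a for a in auths if a.subject == subject and a.applies(f)]
        if not mine or any(not a.positive for a in mine):
            continue
        for a in mine:
            if a.transform is not None:
                f = a.transform(f)
        out.append(f)
    return out

# Constructed sample data: a county window, shelters with an area, parcels.
MONTGOMERY = (0, 0, 1000, 1000)
P1 = Feature("P1", "parcel", (500, 500, 600, 600), {})
FEATURES = [
    Feature("S1", "shelter", (100, 100, 160, 160), {"area_sf": 4000}),
    Feature("S2", "shelter", (300, 300, 330, 330), {"area_sf": 2500}),
    Feature("S3", "shelter", (1200, 100, 1300, 200), {"area_sf": 5000}),  # outside window
    Feature("S4", "shelter", (700, 100, 760, 160), {"area_sf": 3500}),
    P1,
    Feature("P2", "parcel", (600, 510, 705, 590), {}),  # touches P1 on its east edge
    Feature("P3", "parcel", (800, 800, 900, 900), {}),
]
AUTHS = [
    # "all shelters occupying an area greater than 3000 sf in Montgomery County"
    Authorization("staff", lambda f: f.ftype == "shelter" and f.props["area_sf"] > 3000, MONTGOMERY),
    Authorization("staff", lambda f: f.fid == "S1", positive=False),  # exception: all but S1
    Authorization("staff", lambda f: f.fid == "P1"),                   # the subject's own parcel
    Authorization("staff", lambda f: f.ftype == "parcel" and touches(f.bbox, P1.bbox),
                  transform=coarsen),                                   # adjacent parcels, coarsened
]
```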
Policy Language
 Take existing geospatial language/model and extend for security
- E.g., GML
 Take a security model/language and extend for geospatial
- E.g, XACML has been extended to Geo-XACML
 Develop from scratch
- GRDF, Secure GRDF (developed at UTDallas by Alam Ashraful
for PhD research)
Geospatial Semantic Web: GRDF
• The strength of RDF lies in the ease of composition with
which RDF based formalisms can be integrated with other
similar languages.
• On the Semantic Web, the goal is to minimize human
intervention and to make way for machines to perform rule
based automated reasoning.
• We are developing GRDF for geospatial data representation
• Why not use GML? - same reasons for using RDF and not
XML – semantics
• Secure GRDF – security extensions for GRDF
Directions
 Multimedia data security is getting some attention
 Little research on Geospatial data security
 Digital watermarking is getting some attention
 Our focus at UTD is to develop a secure geospatial semantic
web
 We have developed a system called DAGIS and
demonstrating secure interoperability
 Details will be given later