A General Approach to Securely Querying XML

Ernesto Damiani, Majirus Fansi, Alban Gabillon, Stefania Marrara


Access control models for XML data can be classified into two major categories: node filtering and query rewriting systems. The first category includes approaches that use access policies to compute secure user views on XML data sets. User queries are then evaluated on those views. In the second category of approaches, authorization rules are used to transform user queries so that they can be evaluated against the original XML data set. The aim of this paper is to describe a general query rewriting technique for securely querying XML. The model specification is given using a finite state automaton, ensuring generality and ease of standardization with respect to specific implementation techniques.



Paper Citation

in Harvard Style

Damiani E., Fansi M., Gabillon A. and Marrara S. (2007). A General Approach to Securely Querying XML. In Proceedings of the 5th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2007) ISBN 978-972-8865-96-2, pages 115-122. DOI: 10.5220/0002417301150122
