%0 Journal Article %1 Luo:2011:QRI:1997885.1997932 %A Luo, Bo %A Lee, Dongwon %A Lee, Wang-Chien %A Liu, Peng %C Secaucus, NJ, USA %D 2011 %I Springer-Verlag New York, Inc. %J The VLDB Journal %K query rewriting rightsmanagment secure xml xpath %N 3 %P 397--415 %R 10.1007/s00778-010-0202-x %T QFilter: rewriting insecure XML queries to secure ones using non-deterministic finite automata %U http://dx.doi.org/10.1007/s00778-010-0202-x %V 20 %X In this paper, we ask whether XML access control can be supported when underlying (XML or relational) storage system does not provide adequate security features and propose three alternative solutions --<em>primitive</em>, <em>pre-processing</em>, and <em>post-processing</em>. Toward that scenario, in particular, we advocate a scalable and effective pre-processing approach, called QFilter. QFilter is based on non-deterministic finite automata (NFA) and rewrites user's queries such that parts violating access control rules are pre-pruned. Through analysis and experimental validation, we show that (1) QFilter guarantees that only permissible portion of data is returned to the authorized users, (2) such access controls can be efficiently enforced without relying on security features of underlying storage system, and (3) such independency makes QFilter capable of many emerging applications, such as in-network access control and access control outsourcing.

@article{Luo:2011:QRI:1997885.1997932, abstract = {In this paper, we ask whether XML access control can be supported when underlying (XML or relational) storage system does not provide adequate security features and propose three alternative solutions --<em>primitive</em>, <em>pre-processing</em>, and <em>post-processing</em>. Toward that scenario, in particular, we advocate a scalable and effective pre-processing approach, called QFilter. QFilter is based on non-deterministic finite automata (NFA) and rewrites user's queries such that parts violating access control rules are pre-pruned. Through analysis and experimental validation, we show that (1) QFilter guarantees that only permissible portion of data is returned to the authorized users, (2) such access controls can be efficiently enforced without relying on security features of underlying storage system, and (3) such independency makes QFilter capable of many emerging applications, such as in-network access control and access control outsourcing.}, acmid = {1997932}, added-at = {2012-04-26T16:59:08.000+0200}, address = {Secaucus, NJ, USA}, author = {Luo, Bo and Lee, Dongwon and Lee, Wang-Chien and Liu, Peng}, biburl = {https://www.bibsonomy.org/bibtex/2f458ba1218371056e255d29408cbd89e/sac}, description = {QFilter}, doi = {10.1007/s00778-010-0202-x}, interhash = {ca46b410e8c729c05e33f6c0754fe4f7}, intrahash = {f458ba1218371056e255d29408cbd89e}, issn = {1066-8888}, issue_date = {June 2011}, journal = {The VLDB Journal}, keywords = {query rewriting rightsmanagment secure xml xpath}, month = jun, number = 3, numpages = {19}, pages = {397--415}, publisher = {Springer-Verlag New York, Inc.}, timestamp = {2012-04-26T16:59:08.000+0200}, title = {QFilter: rewriting insecure XML queries to secure ones using non-deterministic finite automata}, url = {http://dx.doi.org/10.1007/s00778-010-0202-x}, volume = 20, year = 2011 }