UMR 5205
Secure and Privacy-preserving
execution model for Data Services
Mahmoud Barhamgi, Djamal Benslimane, Said Oulmakhzoune,
Nora Cuppens-Boulahia, Frederic Cuppens, Michael Mrissa, and Hajer Taktak
CAiSE 2013 – Valencia, Spain
Context : the PAIRSE Project
PAIRSE Project
Autonomous data sources are exported as Data Web Services
Queries are resolved by service composition
Services = Parameterized RDF Views
RDF Query Rewriting
Service-based Query Processing
[Figure: PAIRSE architecture. Data sources (DB) are exposed as data services Sa, Sb, ..., Si, Sn. Services are modeled as RDF views over domain ontologies, and the service descriptions are annotated with the defined views (annotated WS descriptions) and published in a Service Registry. A client's SPARQL query goes through RDF Query Rewriting and Composition Plan Generation, then Privacy-preserving Composition Execution, and the results are returned to the client. P2P Service Discovery runs over a hybrid P2P network: peers are grouped into Virtual Organizations (VO1, VO2, VO3), each with its own DHT, linked by mappings.]
CAiSE conference, Valencia, Spain – 19/06/2013
Outline of the presentation
Motivating example
Scenario from the PAIRSE project
Challenges and existing solutions
Overview of our originality
Proposed approach
Presentation of the model
RDF view rewriting
Privacy and security enforcement
Composition and execution model
Implementation
Discussion and future work
Motivating Example
Query: What are the names and dates of birth (DoB) of all patients admitted
at the NetCare medical center?
Query issuer (data recipient): Alice, nurse at the Cardiology department
Purpose: Medical treatment
Services: S1($center, ?name, ?DoB)
Query = S1("NetCare", ?name, ?DoB)
Security & privacy constraints:
Nurses may only be allowed to access the information of patients from their own
departments.
Physicians may only be allowed to access the information of their own patients.
Patients must have given their consent (e.g., Bob and Sue have different preferences about
the disclosure of their ages).
…
Challenges & Existing solutions
Challenge: Enable service providers to locally enforce their security and
privacy policies without changing the implementation of their
services
Existing approaches:
S&P constraints are handled at the DBMS level
Queries are rewritten to include the different constraints before their execution by
the DBMS
May not be applicable to data services that access and manage DBMS-less data
sources (XML files, silos of legacy applications, external Web services, etc.)
S&P constraints are handled at the application level
Not always applicable: services are often provided as black boxes (e.g., by
AquaLogic)
Not advisable: often leads to privacy leaks
Proposed Approach
Privacy-preserving service execution model
Model Overview
[Figure: the invocation process of Si at the service provider side. The service consumer sends an Si invocation request carrying Si's RDF view and the pair <Recipient, purpose>, obtained from the Service Registry (WSDL-S descriptions of Si). At the provider, the request goes through: RDF View & Contextual information Extraction; RDF View Rewriting, which produces the RDF view with S&P constraints by referring to the Security & Privacy Policies; Service-based View Rewriting, which produces a composition of Si with other services; Privacy and Security Enforcement, which executes the composition (Si itself is invoked conventionally through its WSDL service description file) and returns a privacy-sanitized response to the consumer.]
Presentation of the Model
Data Services are modeled as "Parameterized RDF Views" over domain
ontologies.
[Figure: (a) graph of the view of S1: a patient P (rdf:type o:Patient) admitted in a center C (rdf:type o:Center) whose o:name is the input parameter $x; P has o:hasName ?y, o:hasDoB ?z and o:hasDisease "Diabetes". (b) The same view in Datalog-like notation:]
PREFIX o:<http://hospital.fr/>
S1($x,?y,?z):-
?C rdf:type o:Center
?C o:name ?x
?P rdf:type o:Patient
?P o:admittedIn ?C
?P o:hasName ?y
?P o:hasDoB ?z
?P o:hasDisease "Diabetes"
Presentation of the Model
Security and privacy policies: expressed in the OrBAC and PrivOrBAC models over
domain ontologies
OrBAC: Permission(org, r, a, d, c); PrivOrBAC: Permission(org, r, p, a, d, c)
(org = organization, r = role, p = purpose, a = action, d = data item, i.e. an ontology property, c = context)
Examples:
SecRule-1 = Permission(NetCare, Nurse, Read, o:hasName, SameDepartment),
SecRule-2 = Permission(NetCare, Nurse, Read, o:hasDoB, SameDepartment),
SecRule-3 = Permission(NetCare, Nurse, Read, o:hasDisease, SameDepartment),
SameDepartment :- o:Patient(P), o:hasName(P,name), o:treatedIn(P,D), o:Department(D),
o:employedIn(recipient,D), o:composedOf(NetCare,D)
PrivRule-1 = Permission(NetCare, Nurse, Medical_Treatment, Read, o:hasName, Consent),
PrivRule-2 = Permission(NetCare, Nurse, Medical_Treatment, Read, o:hasDoB, Consent),
PrivRule-3 = Permission(NetCare, Nurse, Medical_Treatment, Read, o:hasDisease, Consent),
[Figure: a patient P (rdf:type o:Patient) has p:hasPreferences Pr (rdf:type p:Preferences) with p:hasPurpose "Medical Treatment", p:hasRecipient "Nurse" and p:hasTarget T (rdf:type p:Target); T has p:propertyName "o:hasName" and p:hasDecision "Yes". The same Consent context in Datalog-like notation:]
PREFIX o:<http://hospital.fr/>
PREFIX p:<http://privacypolicy.fr/>
Consent:- ?P rdf:type o:Patient,
?P p:hasPreferences ?Pr,
?Pr rdf:type p:Preferences,
?Pr p:hasPurpose "Medical_Treatment",
?Pr p:hasRecipient "Nurse",
?Pr p:hasTarget ?T,
?T rdf:type p:Target,
?T p:propertyName "o:hasName",
?T p:hasDecision "Yes"
RDF view rewriting to include S&P constraints
[Figure: (a) the RDF view of S1: patient P admitted in center C with o:name $x; P has o:hasName ?y, o:hasDoB ?z and o:hasDisease Const1 = "Diabetes". (b) The view extended with the SameDepartment context: P o:treatedIn a department D (rdf:type o:Department) whose o:dName is Const2 = "cardiology", and the center o:composedOf D. (c) The view further extended with the Consent context, one p:Preferences node per protected property: P p:hasPreferences P1, P2, P3, P4, each with p:hasPurpose "HealthCare", p:hasRecipient "Nurse" and a p:hasTarget T1..T4 (rdf:type p:Target) whose p:propertyName is "hasName", "hasDoB", "dName" and "hasDisease" respectively; the p:hasDecision values are left as the variables ?w, ?q, ?u and ?r, so that they are returned with the data and checked at execution time.]
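The view S1 of "Presentation of the Model", the SameDepartment and Consent contexts of the policy slide, and the rewriting step above, as an added worked example in Python. This is not the paper's or the PAIRSE project's code: the rule and pattern contents are taken from the slides, but the encoding of triple patterns as 3-tuples, the naive backtracking matcher, the constructed sample graph and the nurse's identifier "alice" are my assumptions. The rewritten view returns each consent decision next to the data it guards; withholding the value itself is the job of the Filter operator in the execution plan, not of the rewriting.

```python
# Added example (not the paper's or PAIRSE's code): the view S1, the OrBAC /
# PrivOrBAC rules and the rewriting that appends each applicable rule's context
# patterns to the view body before it is evaluated. Assumptions (mine): a triple
# pattern is a 3-tuple of strings, "?v" is a variable, "$v" the input parameter;
# the graph is constructed sample data and the nurse's identifier is "alice".

S1_BODY = [  # S1($x, ?y, ?z) :- ...
    ("?C", "rdf:type", "o:Center"), ("?C", "o:name", "$x"),
    ("?P", "rdf:type", "o:Patient"), ("?P", "o:admittedIn", "?C"),
    ("?P", "o:hasName", "?y"), ("?P", "o:hasDoB", "?z"),
    ("?P", "o:hasDisease", "Diabetes"),
]

# Permission(org, role, purpose, action, data, context); purpose None = OrBAC rule
POLICY = [
    ("NetCare", "Nurse", None, "Read", "o:hasName", "SameDepartment"),
    ("NetCare", "Nurse", None, "Read", "o:hasDoB", "SameDepartment"),
    ("NetCare", "Nurse", None, "Read", "o:hasDisease", "SameDepartment"),
    ("NetCare", "Nurse", "Medical_Treatment", "Read", "o:hasName", "Consent"),
    ("NetCare", "Nurse", "Medical_Treatment", "Read", "o:hasDoB", "Consent"),
    ("NetCare", "Nurse", "Medical_Treatment", "Read", "o:hasDisease", "Consent"),
]

def same_department(org, recipient):
    """SameDepartment context as triple patterns on the patient ?P."""
    return [("?P", "o:treatedIn", "?D"), ("?D", "rdf:type", "o:Department"),
            (recipient, "o:employedIn", "?D"), (org, "o:composedOf", "?D")]

def consent(prop, purpose, role, decision):
    """Consent context for one property. The decision is left as a variable so
    that it is returned with the data and checked by the Filter operator."""
    pr, t = decision + "_pr", decision + "_t"
    return [("?P", "p:hasPreferences", pr), (pr, "rdf:type", "p:Preferences"),
            (pr, "p:hasPurpose", purpose), (pr, "p:hasRecipient", role),
            (pr, "p:hasTarget", t), (t, "rdf:type", "p:Target"),
            (t, "p:propertyName", prop), (t, "p:hasDecision", decision)]

def rewrite(body, org, role, recipient, purpose):
    """Return (body extended with the applicable contexts, {property: decision var})."""
    extended, decisions, added = list(body), {}, set()
    for _, prop, _ in body:
        for o, r, pu, act, data, ctx in POLICY:
            if (o, r, act, data) != (org, role, "Read", prop) or pu not in (None, purpose):
                continue
            if ctx == "SameDepartment" and ctx not in added:   # add it once
                extended += same_department(org, recipient)
                added.add(ctx)
            elif ctx == "Consent":
                decisions[prop] = "?d_" + prop.split(":")[1]
                extended += consent(prop, purpose, role, decisions[prop])
    return extended, decisions

def unify(binding, term, value):
    if term[0] not in "?$":                  # constant
        return term == value
    if term in binding:                      # already-bound variable / parameter
        return binding[term] == value
    binding[term] = value
    return True

def match(graph, body, binding):
    """Naive backtracking evaluation of a conjunctive pattern list over triples."""
    if not body:
        yield dict(binding)
        return
    for triple in graph:
        b = dict(binding)
        if all(unify(b, t, v) for t, v in zip(body[0], triple)):
            yield from match(graph, body[1:], b)

def invoke(graph, center, role, recipient, purpose, org="NetCare"):
    """S1 invoked with $x=center on behalf of (role, recipient, purpose)."""
    body, decisions = rewrite(S1_BODY, org, role, recipient, purpose)
    return [{"name": b["?y"], "dob": b["?z"], **{p: b[v] for p, v in decisions.items()}}
            for b in match(graph, body, {"$x": center})]

def patient(name, dob, dept, disease, prefs):
    """Constructed sample patient with one p:Preferences node per property."""
    pid = "p_" + name
    tr = [(pid, "rdf:type", "o:Patient"), (pid, "o:admittedIn", "c_netcare"),
          (pid, "o:hasName", name), (pid, "o:hasDoB", dob),
          (pid, "o:hasDisease", disease), (pid, "o:treatedIn", dept)]
    for prop, decision in prefs.items():
        pr, t = f"pr_{name}_{prop}", f"t_{name}_{prop}"
        tr += [(pid, "p:hasPreferences", pr), (pr, "rdf:type", "p:Preferences"),
               (pr, "p:hasPurpose", "Medical_Treatment"), (pr, "p:hasRecipient", "Nurse"),
               (pr, "p:hasTarget", t), (t, "rdf:type", "p:Target"),
               (t, "p:propertyName", prop), (t, "p:hasDecision", decision)]
    return tr

YES = {"o:hasName": "Yes", "o:hasDoB": "Yes", "o:hasDisease": "Yes"}
GRAPH = [  # constructed: one center, two departments, nurse alice in cardiology
    ("c_netcare", "rdf:type", "o:Center"), ("c_netcare", "o:name", "NetCare"),
    ("d_cardio", "rdf:type", "o:Department"), ("d_surgery", "rdf:type", "o:Department"),
    ("NetCare", "o:composedOf", "d_cardio"), ("NetCare", "o:composedOf", "d_surgery"),
    ("alice", "o:employedIn", "d_cardio"),
] + patient("Bob", "1940", "d_cardio", "Diabetes", YES) \
  + patient("John", "1983", "d_cardio", "Diabetes", {**YES, "o:hasDoB": "No"}) \
  + patient("Stacy", "1980", "d_surgery", "Diabetes", YES) \
  + patient("Sue", "1977", "d_cardio", "Flu", YES)
```

Calling invoke(GRAPH, "NetCare", "Nurse", "alice", "Medical_Treatment") returns Bob and John only (Stacy is treated in surgery, Sue is not a diabetes patient), and John's row carries o:hasDoB = "No" beside his real date of birth. Note what happens for a role with no Permission at all: rewrite adds nothing and invoke returns the unconstrained view, so in this rendering an unmatched role is allowed by default. A deployment would want the opposite, rejecting any property of the protected resource that no rule covers.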
RDF view rewriting in terms of data services
RDF query rewriting algorithm [Barhamgi et al, TSC 2010]:
Available services: S1 (above), S2 and S3 (figure below)
Vextended($x,?y,?z,?w,?q,?u,?r):- S1($x,?y,?z) ˄ const1="Diabetes"
˄ S2($y,?x,const2) ˄ const2="cardiology"
˄ S3($y,"HealthCare","Nurse","hasName",?w)
˄ S3($y,"HealthCare","Nurse","hasDoB",?q)
˄ S3($y,"HealthCare","Nurse","dName",?u)
˄ S3($y,"HealthCare","Nurse","hasDisease",?r)
[Figure: (a) Service S2: given a patient name $a (o:hasName of patient P), returns the name ?c (o:name) of the center C and the name ?b (o:dName) of the department D in which P is treated (P o:treatedIn D, C o:composedOf D). (b) Service S3($a,$b,$c,$d,?e): given a patient name $a, a purpose $b, a recipient $c and a property name $d, returns the decision ?e (p:hasDecision) of the p:Target with p:propertyName $d in the patient's p:Preferences R whose p:hasPurpose is $b and p:hasRecipient is $c.]
Privacy & security enforcement
Composition Execution Plan
[Figure: Begin → S1 produces (x, y, z, di) → S2 adds the department: (x, y, z, di, dep); four S3 invocations add the consent decisions: (x, y, z, di, w), (x, y, z, di, u), (x, y, z, di, q), (x, y, z, di, r) → Join: (x, y, z, di, dep, w, u, q, r) → Filter → Select dep="cardiology" → Select di="Diabetes" → Project → End: (y, z)]
Semantics of the Filter operator:
For each tuple t in T
    For i = 1 to n    /* n is the number of columns in T */
        if const(t[i]) = true then tp[i] = t[i]
        else tp[i] = null
Discard all tuples that are null in all columns of Tp
Privacy-preserving composition execution model
The output of the Join operator
     x        y      z     di (const1)  dep (const2)  w    u    q    r
t1   NetCare  Bob    1940  Diabetes     cardiology    Yes  Yes  Yes  Yes
t2   NetCare  John   1983  Diabetes     cardiology    Yes  Yes  No   Yes
t3   NetCare  Sue    1977  Diabetes     cardiology    Yes  Yes  Yes  No
t4   NetCare  Andy   1990  Diabetes     cardiology    Yes  No   Yes  Yes
t5   NetCare  Stacy  1980  Diabetes     Surgery       Yes  Yes  Yes  Yes

The output of the Filter operator (a value whose consent decision is "No" becomes Null: w guards y, q guards z, u guards dep, r guards di)
     x        y      z     di (const1)  dep (const2)  w    u    q    r
t1   NetCare  Bob    1940  Diabetes     cardiology    Yes  Yes  Yes  Yes
t2   NetCare  John   Null  Diabetes     cardiology    Yes  Yes  No   Yes
t3   NetCare  Sue    1977  Null         cardiology    Yes  Yes  Yes  No
t4   NetCare  Andy   1990  Diabetes     Null          Yes  No   Yes  Yes
t5   NetCare  Stacy  1980  Diabetes     Surgery       Yes  Yes  Yes  Yes

The output of Select(const2 = "cardiology")
t1, t2, t3 (t4 is dropped because dep is Null, t5 because dep = Surgery)

The output of Select(const1 = "Diabetes")
t1, t2 (t3 is dropped because di is Null)

The output of Project(y, z)
     y      z
t1   Bob    1940
t2   John   Null
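The execution plan of the previous slide run over the Join output of this one, as an added Python example (not the paper's code). The tuples are re-entered from the slide as constructed data; the mapping of data columns to consent columns (y/w, z/q, dep/u, di/r) is read off the plan, while the operator code and the select-first variant used for contrast are mine.

```python
# Added example (not the paper's code): Join -> Filter -> Select -> Select -> Project
# over the tuples of the slide, re-entered by hand as constructed data. Columns follow
# the slides: y = name, x = center, z = DoB, di = disease, dep = department, and
# w, q, u, r = the patient's consent decision for hasName, hasDoB, dName, hasDisease.
# The operator code is my rendering of the slide's semantics.

GUARD = {"y": "w", "z": "q", "dep": "u", "di": "r"}   # data column -> consent column

def row(y, z, dep, di, w="Yes", q="Yes", u="Yes", r="Yes"):
    return {"x": "NetCare", "y": y, "z": z, "di": di, "dep": dep,
            "w": w, "q": q, "u": u, "r": r}

# The output of the Join operator, as on the slide
JOIN_OUTPUT = [
    row("Bob", "1940", "cardiology", "Diabetes"),
    row("John", "1983", "cardiology", "Diabetes", q="No"),   # DoB not consented
    row("Sue", "1977", "cardiology", "Diabetes", r="No"),    # disease not consented
    row("Andy", "1990", "cardiology", "Diabetes", u="No"),   # department not consented
    row("Stacy", "1980", "Surgery", "Diabetes"),
]

def filter_op(tuples, guard=GUARD):
    """Filter: keep t[i] when its constraint holds, otherwise null it. The slide
    discards tuples that are null in all columns; the consent columns are never
    withheld, so the test is applied here to the guarded data columns only."""
    out = []
    for t in tuples:
        tp = {c: (v if t.get(guard.get(c), "Yes") == "Yes" else None) for c, v in t.items()}
        if any(tp[c] is not None for c in guard):
            out.append(tp)
    return out

def select(tuples, col, value):
    """Select: a withheld (null) value never satisfies the predicate."""
    return [t for t in tuples if t[col] == value]

def project(tuples, *cols):
    return [tuple(t[c] for c in cols) for t in tuples]

def execute(join_output):
    """The plan of the slide: Filter runs before the Selects on guarded columns."""
    t = filter_op(join_output)
    t = select(t, "dep", "cardiology")
    t = select(t, "di", "Diabetes")
    return project(t, "y", "z")

def execute_select_first(join_output):
    """Same operators with the Selects before the Filter. NOT the slide's order;
    shown for contrast: Sue and Andy now survive with the withheld column nulled,
    so their mere presence in a "cardiology / Diabetes" result set reveals what
    they declined to disclose."""
    t = select(join_output, "dep", "cardiology")
    t = select(t, "di", "Diabetes")
    return project(filter_op(t), "y", "z")

if __name__ == "__main__":
    print(execute(JOIN_OUTPUT))               # [('Bob', '1940'), ('John', None)]
    print(execute_select_first(JOIN_OUTPUT))  # adds ('Sue', '1977') and ('Andy', '1990')
```

The final result matches the slide, Bob with his date of birth and John with Null, while Sue and Andy never reach the output. That is the point of placing Filter ahead of the Selects: a value the patient withheld cannot satisfy a selection predicate, so it cannot leak through membership in the result either.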
Implementation
Model integrated into AXIS 2.0:
[Figure: in Axis2, a SOAP message from the service consumer enters through the Transport Listener, the InFlow (IN Handler) and AXIS internal processing; the response leaves through AXIS internal processing, the OutFlow (OUT Handler) and the Transport Sender. The model is implemented as the OUT Handler, which performs: OUT message interception → RDF view extraction → RDF view modification (using the Privacy & Security policies) → RDF view rewriting (using the WSDL-S files) → composition execution → results filtering → OUT message construction, and emits the privacy-sanitized output message to the service consumer.]
Conclusion and Future Work
Privacy and security
Respects architectural constraints
Operates at the service host
Several perspectives
Additional decoupling
Develop a generic solution for any data concern?
For any protection algorithm?
Aspect-oriented programming?
At the composition level
How to compose services with protected data?
Thank You !
Questions, answers, discussion…
Contact : [email protected]