Page 1

Irini Fundulaki, University of Pennsylvania, October 2003

Privacy-Conscious Management of User-Centric Data for Converged Networks

Irini Fundulaki, Arnaud Sahuguet, Rick Hull, Daniel Lieuwen
Bell Laboratories

Page 2

Convergence of Networks

• The convergence of the networks leads to “converged services”
  – Many devices, many services, many ways to combine them
  – The different roles we have lead to even more ways to combine them
• End-users want a services-centric view of converged services, not a network-centric view

[Figure: a converged network: SS7 Class 5 switch, wireline phone, wireless phone/data, MSC/HLR, AAA, enterprise intranet, calendar, public internet, Lucent Exchange, address book, WiFi network; family members and friends sharing devices]

Page 3

Current Work by third parties

• Converged services cannot be successful without user profile data management
  – Industry leaders are demanding it!
    • Telecom : T-Mobile, Vodafone, Orange, …
    • Software : Microsoft, Sun, …
  – Standards bodies have already identified this problem and are working on the data models, standards and interfaces for user profile management
    • Liberty Alliance : Ericsson, France Telecom, Nokia, Sun, Sony, Vodafone – and many many others – OASIS standards body
    • 3GPP (3rd Generation Partnership Project)
    • OMA (Open Mobile Alliance) : Lucent, IBM, Intel, Microsoft, Motorola, Nokia – and others

Page 4

“Reach Me” Example

1. Irini wants to see Arnaud’s presence and calendar information
2. The ReachMe server sends queries to the related sources
3. The ReachMe server asks for the calendar from Lucent Exchange
4. The ReachMe server asks for presence info from the Presence Server

[Figure: Irini reaches the “ReachMe” server over the Internet; the privacy-conscious management of user profile data layer sits between the server and the sources: Lucent Exchange (Arnaud’s calendar: 9-11 Meeting with Jeff Jaffee, 11-12 Meeting with Rick Hull) and the Presence Server, reached over SS7]

Page 5

Key Points in User Profile Data Management

• Data is found in heterogeneous sources
  – Inter/Intranet data sources
    • Corporate network
    • Netscape/Yahoo! profile
  – Network data sources
    • Mobile phone
    • Palm Pilot
  – Presence servers
    • SDHLR
    • WiFi
    • Instant messaging
    • Telephone on/off hook
• Data cannot be seen by everybody : privacy-conscious data management

[Figure: which source holds which data for Arnaud, Rick and Bharat: Jabber, Netscape, Lucent Exchange and Palm Pilot, against presence info, identity info, and address book/calendar]

Page 6

GUPster : Share your data, keep your secrets

Page 7

GUPster : The Objectives

• Objective : Allow individuals to share their profile data in a secure and controlled way with other individuals or applications through a single point of access
  – Single point of access → data integration, replication & synchronization
  – Controlled → data access control
• Challenges :
  – Data integration :
    1. How to hide heterogeneity from requestors/applications?
    2. How to provide a single point of access? Users/applications must be unaware of where the data is located
  – Access control :
    1. How to express the requestee’s preferences about when and by whom data can be accessed?
    2. How to perform access control efficiently?

Page 8

GUPster : The Solution (1)

• Data integration : Mediator/Wrapper Architecture
  1. How to hide heterogeneity from requestors/applications?
    • A mediator schema hides the heterogeneity of the data source schemas
      – XML Schema inspired by the schemas of standards bodies (3GPP/GUP) and Liberty Alliance
    • Wrappers translate source data into instances of the schema
      – Source data is translated into XML data
  2. How to provide a single point of access?
    • Describe sources in terms of the mediator schema
      – Local-As-View source descriptions, i.e. user-centric metadata
    • Multiple modes :
      – Materialization (e.g. caching)
      – Virtual (query mediation, data shipping)
      – Referrals (query shipping)

Page 10

GUPster : The Solution (2)

• Access Control
  1. How to enable the requestee’s preferences about when and by whom data can be accessed?
    • Access control model similar to state-of-the-art models for XML access control
    • User-centric access control rules
      – A user defines access control rules for her profile data
  2. How to perform access control efficiently?
    • Static analysis of access control policies and queries
    • “Query transformation” to obtain the query that the user is allowed to ask

Page 11

GUPster : Overview

The GUPster Server holds the GUPster schema, Arnaud’s access control policy and Arnaud’s metadata.

1. Irini asks for Arnaud’s calendar and presence information
2. GUPster checks Arnaud’s policy and metadata
   – Arnaud’s access control policy : ‘Irini cannot see my presence’, ‘Irini can see my calendar’
   – Access control : Irini can see only the calendar info (part of the requested data)
   – Arnaud’s metadata : “Presence info from Jabber”, “Calendar from Lucent Exchange”
   – Query rewriting : get the calendar info from Lucent Exchange
3. Request sent to Lucent Exchange
4. Answers sent to GUPster
5. Answers returned to Irini

Page 12

Presentation Outline

• XSQuirrel Language
• Keep your Secrets : Access Control in GUPster
• How is it all done?
  – The Architecture
• Conclusions and Future Work

Page 13

XSQuirrel Language

• What do we need to do?
  – Metadata : specify the view of the user profile document that resides in each source
  – Access control : specify the view of the user profile data a requestor is allowed/denied to access
  – Query language : specify the view of the user profile data a requestor wants to access
• We need a view specification language that allows us to :
  – project on more than one branch of an XML document
  – retain the original document structure

Page 15

Example (1)

Query : «The first and last names of Arnaud’s contact entries and their job title»

XML Document :

  <MyGup>
    <AddressBook>
      <Contact>
        <CommonName>
          <AnalyzedName>
            <PersonalTitle>Dr</PersonalTitle>
            <FN>Irini</FN>
            <LN>Fundulaki</LN>
          </AnalyzedName>
        </CommonName>
        <EmploymentIdentity>
          <JobTitle>PostDoc</JobTitle>
          <Organization>Bell Labs</Organization>
        </EmploymentIdentity>
      </Contact>
    </AddressBook>
  </MyGup>

Result XML Document :

  <MyGup>
    <AddressBook>
      <Contact>
        <CommonName>
          <AnalyzedName>
            <FN>Irini</FN>
            <LN>Fundulaki</LN>
          </AnalyzedName>
        </CommonName>
        <EmploymentIdentity>
          <JobTitle>PostDoc</JobTitle>
        </EmploymentIdentity>
      </Contact>
    </AddressBook>
  </MyGup>

Page 16

XSQuirrel syntax

Query : «The first and last names of Arnaud’s contact entries and their job title»

XSQuirrel expression for our query :

  \MyGup\AddressBook\Contact\(AnalyzedName\(FN # LN) # EmploymentIdentity\JobTitle)

• Concise syntax
• The operator # allows one to project on more than one branch of the XML tree

(The expression addresses AnalyzedName directly under Contact, as in the tree drawn on the later slides; the document on page 15 nests it under CommonName, so the path would have to include CommonName for that document.)

Page 17

XQuery expression for our query (2)

  for $a in doc('arnaud_sahuguet.xml')/MyGup[AddressBook[Contact[AnalyzedName[FN|LN] or EmploymentIdentity[JobTitle]]]]
  return
    <MyGup>{
      for $b in $a/AddressBook
      return
        <AddressBook>{
          for $c in $b/Contact
          return
            <Contact>{
              for $d in $c/AnalyzedName
              return <AnalyzedName>{ $d/(FN|LN) }</AnalyzedName>,
              for $e in $c/EmploymentIdentity
              return <EmploymentIdentity>{ $e/JobTitle }</EmploymentIdentity>
            }</Contact>
        }</AddressBook>
    }</MyGup>

The query returns the empty answer if none of the requested nodes exist in the document: the predicate on MyGup only matches when at least one of the requested nodes is present.

Page 18

XSQuirrel vs XPath 1.0

• It is not possible to express with XPath 1.0 the projection described previously :
  – We can project on more than one branch of the tree (using the union operator) but we lose the document structure
  – We obtain sets of nodes, instead of trees
• XSQuirrel : a simple projection language for XML

Page 19

XSQuirrel Semantics and Closure Properties

• The result of the evaluation of an XSQuirrel expression p on a document D is a projected document* p(D) which contains :
  – the nodes designated by all the XPath expressions (E(p)) in the XSQuirrel expression
  – their descendant nodes
  – and all their ancestor nodes up to the root

  * projected document is a term borrowed from [Marian&Simeon03]

• Closure properties : intersection, union, complement*, composition (annotated on the slide as serving data integration and access control)

Page 20–21

XSQuirrel Example

Document tree :

  MyGup
  ├── AddressBook
  │   └── Contact
  │       ├── AnalyzedName
  │       │   ├── LN : ‘Fundulaki’
  │       │   └── FN : ‘Irini’
  │       └── EmploymentIdentity
  │           └── JobTitle : ‘Post Doc’
  └── Calendar
      └── vevent
          ├── created : 09/01
          ├── description : Meeting with Rick
          └── owner : A.S

  p : \MyGup\(AddressBook\Contact\AnalyzedName # Calendar)

  E(p) = { /MyGup/AddressBook/Contact/AnalyzedName, /MyGup/Calendar }

p(D) keeps AnalyzedName and Calendar with their subtrees, plus their ancestors MyGup, AddressBook and Contact; EmploymentIdentity is dropped.

Page 22

XSQuirrel Fragment

• XSQuirrel fragment : XSQuirrel location paths (locpath), projection paths (projpath), XPath location paths (xpath), filter expressions (fexpr)

  locpath  ::= ‘\’ locpath | locpath ‘\’ locpath | locpath ‘\’ projpath | locpath[fexpr] | label
  projpath ::= ‘(’ locpath ‘#’ locpath ‘)’
  fexpr    ::= ‘[’ xpath | xpath ‘]’ | ‘[’ xpath and xpath ‘]’ | ‘[’ xpath = value ‘]’
  xpath    ::= xpath ‘/’ xpath | label | .

  – The axis ‘\’ specifies the tree structure
  – ‘#’ is the projection operator
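The following Python is an added worked example, not code from the slides or from the GUPster project. It compiles an expression of the fragment above (child steps and ‘#’ projection groups; filters are left out) to its path set E(p) as on page 21, and applies the projection semantics of page 19 to a constructed document that mirrors the tree on page 20. The document text, the tokenizer and the helper names (paths, project, evaluate, xsquirrel, node_paths) are this example’s own assumptions.

```python
"""XSQuirrel projection: compile an expression to E(p) and evaluate p(D).

Added worked example, not code from the slides or from GUPster.  Handles the
fragment of page 22 without filters: '\\' child steps and '(' ... '#' ... ')'
projection groups.  The document, tokenizer and helper names are assumptions.
"""
import copy
import re
import xml.etree.ElementTree as ET

# Constructed sample document mirroring the tree drawn on page 20 (kept
# whitespace-free so that projected results serialise without stray text).
DOC = (
    "<MyGup>"
    "<AddressBook><Contact>"
    "<AnalyzedName><FN>Irini</FN><LN>Fundulaki</LN></AnalyzedName>"
    "<EmploymentIdentity><JobTitle>Post Doc</JobTitle>"
    "<Organization>Bell Labs</Organization></EmploymentIdentity>"
    "</Contact></AddressBook>"
    "<Calendar><vevent><created>09/01</created>"
    "<description>Meeting with Rick</description><owner>A.S</owner>"
    "</vevent></Calendar>"
    "<Preferences/>"
    "</MyGup>"
)

TOKEN = re.compile(r"\\|#|\(|\)|[A-Za-z_][\w.-]*")


def paths(expr):
    """E(p): the set of root-to-node '/'-paths designated by an XSQuirrel expression."""
    toks = TOKEN.findall(expr)
    pos = 0

    def branch(prefix):
        # branch ::= label ('\' label)* [ '\' '(' branch ('#' branch)* ')' ]
        nonlocal pos
        cur, out = prefix, set()
        while pos < len(toks):
            tok = toks[pos]
            if tok == "\\":
                pos += 1
            elif tok == "(":
                pos += 1
                while True:                      # one alternative per '#'
                    out |= branch(cur)
                    if pos < len(toks) and toks[pos] == "#":
                        pos += 1
                        continue
                    if pos < len(toks) and toks[pos] == ")":
                        pos += 1
                        return out               # a group always ends the branch
                    raise ValueError("unbalanced '(' in %r" % expr)
            elif tok in ("#", ")"):
                break                            # end of this alternative
            else:
                cur, pos = cur + "/" + tok, pos + 1
        out.add(cur)                             # a plain path designates its last node
        return out

    out = branch("")
    if pos != len(toks):
        raise ValueError("unexpected %r in %r" % (toks[pos], expr))
    return out


def project(root, E):
    """p(D): designated nodes with their subtrees and their ancestors; None if empty."""
    def walk(node, parent_path):
        p = parent_path + "/" + node.tag
        if p in E:                                       # designated: whole subtree
            return copy.deepcopy(node)
        if any(e.startswith(p + "/") for e in E):        # ancestor of a designated node
            out = ET.Element(node.tag, node.attrib)
            for child in node:
                kept = walk(child, p)
                if kept is not None:
                    out.append(kept)
            return out if len(out) else None             # nothing designated below: drop
        return None
    return walk(root, "")


def evaluate(expr, xml_text):
    """Projected root element of xml_text under expr, or None for the empty answer."""
    return project(ET.fromstring(xml_text), paths(expr))


def xsquirrel(expr, xml_text):
    """Serialised projected document ('' when nothing requested exists)."""
    out = evaluate(expr, xml_text)
    return ET.tostring(out, encoding="unicode") if out is not None else ""


def node_paths(elem):
    """Sorted root-to-node paths of every element in a tree, for inspecting results."""
    acc = []

    def walk(node, parent_path):
        p = parent_path + "/" + node.tag
        acc.append(p)
        for child in node:
            walk(child, p)

    walk(elem, "")
    return sorted(acc)


if __name__ == "__main__":
    q = r"\MyGup\AddressBook\Contact\(AnalyzedName\(FN # LN) # EmploymentIdentity\JobTitle)"
    print(sorted(paths(q)))
    print(xsquirrel(q, DOC))
```

The ancestor branch drops an element once none of its children survive, which is what makes a request for a node that does not exist in the document come back empty rather than as a skeleton of ancestors, matching the behaviour of the XQuery on page 17.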

Page 23

XSQuirrel Operators

• Intersection
  – The intersection of two XSQuirrel expressions p and q is the XSQuirrel expression t = p ∩xsq q which returns a subdocument of both p(D) and q(D)
  – The algorithm to compute p ∩xsq q is based on string matching of XPath expressions considering only the ‘/’ axis
  – (p ∩xsq q)(D) ⊆ p(D) ∩D q(D)
• Union
  – The union of two XSQuirrel expressions p and q is the XSQuirrel expression t = p ∪xsq q which returns a subdocument of D that ‘contains’ p(D) and q(D)
  – The algorithm to compute p ∪xsq q is based on string matching of XPath expressions considering only the ‘/’ axis
  – (p ∪xsq q)(D) ⊇ p(D) ∪D q(D)

Page 24

XSQuirrel Operators

• Complement
  – The complement of an XSQuirrel expression is always defined w.r.t. a schema
  – Given a schema S, the XSQuirrel expression which describes the schema is defined by the set of absolute root-to-leaf XPath expressions E(S)
  – Given an XSQuirrel expression p, its complement ¬p is defined as :
    • E(¬p) = E(S) – { t ∈ E(S) s.t. ∃ r ∈ E(p), r is a prefix of t }
  – ¬(¬p) is equivalent to p (if p has no filters)

  Schema tree :

    A
    ├── B
    │   └── C
    │       └── D
    │           ├── E
    │           └── F
    └── G
        └── H
            ├── I
            └── J

  E(S) = { /A/B/C/D/E, /A/B/C/D/F, /A/G/H/I, /A/G/H/J }
  E(p) = { /A/B/C/D, /A/G/H/I }
  E(¬p) = { /A/G/H/J }

Page 25–27

XSQuirrel Intersection

Document tree : MyGup with AddressBook/Contact/AnalyzedName (LN ‘Fundulaki’, FN ‘Irini’), Contact/EmploymentIdentity/JobTitle ‘Post Doc’, Calendar/vevent (created 09/01, description ‘Meeting with Rick’, owner A.S) and Preferences

  p : \MyGup\AddressBook\Contact\AnalyzedName\LN
  q : \MyGup\(AddressBook\Contact\AnalyzedName # Calendar\vevent)

  p ∩xsq q = \MyGup\AddressBook\Contact\AnalyzedName\LN

p(D) is the LN node with its ancestors; q(D) also contains the whole AnalyzedName subtree and the vevent subtree. The only part common to both is the LN path, so the intersection keeps the longer of the two matching paths.

Page 28–30

XSQuirrel Union

Same document tree, same p and q :

  p ∪xsq q = \MyGup\(AddressBook\Contact\AnalyzedName # Calendar\vevent)

The LN path of p is already covered by the AnalyzedName branch of q, so the union keeps the shorter path together with the Calendar\vevent branch.

Page 31

Keep your Secrets : Access Control in GUPster

Page 32

Privacy : Problem Statement

• Data D related to user U is stored in a data store
• Policy P determines access control
• A request R to access the data D is received, with a request context C (e.g., identity of the requestor, purpose of the request, time of day etc.)
• What should be returned?
  – Yes (requestor is allowed to see the requested data)
  – No (requestor is not allowed to see the requested data)
  – Part (requestor is allowed to see part of the requested data) along with an expression specifying the authorized data

Page 35

Access Control Rules in GUPster

• Objective : we want to express facts such as ‘who is allowed/denied to access what data and under which conditions (optional)’
  – Who : users or computer applications (requestor)
  – Access : read
  – What : XML documents or document fragments (resource)
    • Specified by XSQuirrel expressions
  – Conditions : conditions on context data (e.g. time of day, etc.)
• Access control rules are user-centric!
• Access control rules are only positive (we specify only what one is allowed to see); data not covered by any rule is not visible

Page 36

Access Control Rules : Examples

1. Arnaud allows Rick to read his address book and calendar information (the condition is empty in this case)

   (‘Rick’, read, \MyGup\(AddressBook # Calendar))

2. Arnaud does not allow Irini to read his presence from Jabber and his calendar information before 9am and after 5pm
   – So, since rules are positive only, he allows Irini to read his presence and calendar information from 9am to 5pm

   (‘Irini’, read, \MyGup\(Calendar # JabberInfo), between 9am and 5pm)

3. Arnaud allows Irini to see his contact entries (except their employment identity)
   – So, he allows her their analysed names

   (‘Irini’, read, \MyGup\AddressBook\Contact\AnalyzedName)

Page 37

Requests in GUPster

• Objective : we want to express facts such as ‘Requestor requires access to requestee’s resources under conditions’
  – Requestor : users or computer applications
  – Access : read
  – Resource : XML documents or document fragments
    • Specified by XSQuirrel expressions
  – Conditions : conditions on context data (e.g. time of day, etc.)
• Example :
  – Irini wants to read Arnaud’s address book and his presence information at 8am

   (‘Irini’, read, \MyGup\(AddressBook # JabberInfo), time : 8am)

Page 38

Evaluating Requests

• When does a request DR match a rule R?
  – DR’s requestor matches R’s requestor
  – DR’s action matches R’s action
  – DR’s resource «matches» R’s resource (XSQuirrel expressions)
    • Their intersection is not the empty query
  – DR’s context data evaluates R’s condition to true
• Authorized View (AV)
  – Given a set of access control rules (ACR) for a requestor s, the authorized view for s is defined by AV = ∪xsq of the ACR’s resources
  – Given a query q, the requestor is allowed to see the resource specified by q ∩xsq AV

Static analysis of access control : evaluation of requests against rules is done at the level of the query and not at the level of the actual data

Page 39

Evaluating Requests : Example

• Request : Irini wants to see Arnaud’s address book and presence information at 10am

   q : (‘Irini’, read, \MyGup\(AddressBook # JabberInfo), 10am)

• Rules :
  1. p1 : (‘Irini’, read, \MyGup\(Calendar # JabberInfo)) (its 9am–5pm condition from page 36 holds at 10am)
  2. p2 : (‘Irini’, read, \MyGup\AddressBook\Contact\AnalyzedName)
• Authorized view : q ∩xsq (p1 ∪xsq p2)

   AR : \MyGup\(AddressBook\Contact\AnalyzedName # JabberInfo)
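Added worked example in Python, not GUPster’s own code, covering both the operator slides (pages 23–24) and the request evaluation above: ∩xsq, ∪xsq and ¬ as string matching on ‘/’-axis paths, the authorized view as the union of the matching rules, the Yes/No/Part decision of page 32, and the rewriting of the authorized part by source according to Arnaud’s metadata (page 11). Expressions are handled as their path sets E(p), so filters are ignored; the rule and request dictionaries, the (start, end) hour window for conditions, the group handling, the metadata mapping and the sample data are assumptions of this example.

```python
"""XSQuirrel operators and GUPster-style request evaluation.

Added worked example, not GUPster's own code.  Expressions are their path
sets E(p) (filters ignored, as in the slides' string matching); a rule
condition is a (start_hour, end_hour) window or None; a rule may name a group
the requestor belongs to.  All of that, and the sample data, is assumed here.
"""

def is_prefix(r, t):
    """True if r equals t or designates an ancestor of t."""
    return t == r or t.startswith(r + "/")

def union(P, Q):
    """p ∪xsq q: paths of both, dropping any path already covered by a shorter one."""
    S = set(P) | set(Q)
    return {t for t in S if not any(r != t and is_prefix(r, t) for r in S)}

def intersection(P, Q):
    """p ∩xsq q: for each pair where one path extends the other, keep the longer."""
    return {max(p, q, key=len) for p in P for q in Q
            if is_prefix(p, q) or is_prefix(q, p)}

def complement(P, schema_leaves):
    """¬p w.r.t. a schema given as its root-to-leaf paths E(S)."""
    return {t for t in schema_leaves if not any(is_prefix(r, t) for r in P)}

def to_xsq(P):
    """Render a path set as one XSQuirrel expression ('\\' steps, '#' branches)."""
    trie = {}
    for t in union(P, set()):                      # normalise: no path below another
        node = trie
        for label in t.strip("/").split("/"):
            node = node.setdefault(label, {})

    def emit(node):
        parts = [label + ("\\" + emit(kids) if kids else "")
                 for label, kids in sorted(node.items())]
        return parts[0] if len(parts) == 1 else "(" + " # ".join(parts) + ")"

    return "\\" + emit(trie) if trie else ""

def condition_holds(cond, ctx):
    """No condition always holds; a window is checked against the context hour."""
    return cond is None or cond[0] <= ctx["hour"] < cond[1]

def authorized_view(rules, requestor, groups, action, ctx):
    """AV = ∪xsq of the resources of every rule matching requestor, action, context."""
    av = set()
    for rule in rules:
        if (rule["requestor"] in {requestor, *groups} and rule["action"] == action
                and condition_holds(rule.get("cond"), ctx)):
            av = union(av, rule["resource"])
    return av

def evaluate_request(rules, request, groups=()):
    """Static analysis on the query alone: returns (Yes | No | Part, q ∩xsq AV)."""
    av = authorized_view(rules, request["requestor"], groups,
                         request["action"], request["ctx"])
    q = request["resource"]
    granted = intersection(q, av)
    if not granted:
        return "No", granted
    if all(any(is_prefix(a, t) for a in av) for t in q):   # every requested path covered
        return "Yes", granted
    return "Part", granted

def route(granted, metadata):
    """Query rewriting: group the authorized paths by the source holding them
    (metadata maps a schema path to the source storing that part of the profile)."""
    plan = {}
    for t in granted:
        for held, source in metadata.items():
            if is_prefix(held, t):                # the source holds t
                plan.setdefault(source, set()).add(t)
            elif is_prefix(t, held):              # t is above the part the source holds
                plan.setdefault(source, set()).add(held)
    return plan

# Arnaud's rules (pages 36 and 39) and metadata (page 11), as constructed data.
ARNAUD_RULES = [
    {"requestor": "Rick", "action": "read",
     "resource": {"/MyGup/AddressBook", "/MyGup/Calendar"}},
    {"requestor": "Irini", "action": "read", "cond": (9, 17),
     "resource": {"/MyGup/Calendar", "/MyGup/JabberInfo"}},
    {"requestor": "Irini", "action": "read",
     "resource": {"/MyGup/AddressBook/Contact/AnalyzedName"}},
]
ARNAUD_METADATA = {"/MyGup/JabberInfo": "Jabber", "/MyGup/Calendar": "Lucent Exchange",
                   "/MyGup/AddressBook": "Lucent Exchange"}

def demo(hour):
    """Irini asks for Arnaud's address book and presence at `hour`: decision, AR, plan."""
    request = {"requestor": "Irini", "action": "read", "ctx": {"hour": hour},
               "resource": {"/MyGup/AddressBook", "/MyGup/JabberInfo"}}
    decision, granted = evaluate_request(ARNAUD_RULES, request)
    return decision, to_xsq(granted), route(granted, ARNAUD_METADATA)

if __name__ == "__main__":
    print(demo(10))   # the 10am request of page 39
    print(demo(8))    # the 8am request of page 37: the presence rule does not apply
```

The decision is taken on path sets, never on the data, which is the static analysis the slides describe: at 10am the request is answered in Part and only the AnalyzedName branch goes to Lucent Exchange while JabberInfo goes to Jabber; at 8am the time window of the presence rule fails and only the AnalyzedName branch is rewritten. A request that matches no rule at all gets No, which is the consequence of rules being positive only.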

Page 40

GUPster : The Architecture

Page 41

[Figure: the GUPster Server holds a MySQL database, an Access Control Module (Sun XACML module and Privacy Shield module) and a Data Integration Module (XQuery engine); it talks SOAP to Lucent Exchange on one side and to a Java Swing client on the other]

Page 42

Some Examples

Page 43

GUPster Server : presence request

Arnaud said : ‘Coworkers can see only Arnaud’s Jabber presence’; Irini is in Arnaud’s coworkers group

1. Irini asks for Arnaud’s Jabber presence information
2. GUPster checks Arnaud’s preferences
   – GUPster (AC) : Irini can see the requested data
   – GUPster (DI) : rewrites the request
3. Request sent to Jabber
4. Answers sent to GUPster
5. Answers returned to Irini

Page 44

GUPster Server : full profile request

Arnaud said : ‘Coworkers can see only Arnaud’s presence information’; Irini is in Arnaud’s coworkers group (and no other)

1. Irini asks for Arnaud’s profile information
2. GUPster checks Arnaud’s preferences
   – GUPster (AC) : Irini cannot see the requested data
3. No access to the requested data is allowed

Page 45

GUPster Server : contact entries request

Arnaud said : ‘Irini can see only the first names and “Message Accounts” of Arnaud’s contact entries’

1. Irini asks for Arnaud’s contact entries
2. GUPster checks Arnaud’s preferences
   – GUPster (AC) : Irini can see part of the requested data
   – GUPster (DI) : rewrites the authorized part of the query
3. Request sent to Lucent for the first names and “Message Accounts” of the contact entries
4. Answers sent to GUPster
5. Answers returned to Irini

Page 46

GUPster : Key Innovations

• Flexible reference architecture for privacy-conscious user profile data access
  – Provides unified access to distributed data
  – Permits different data distributions for different users
  – Supports a privacy shield through extensible rules technology
• XSQuirrel : targeted XML query language
  – Enables simple, direct queries against profile data
  – XPath < XSQuirrel << XQuery (in expressive power)
  – Related to an implementation-level construct in [Marian&Simeon03]

Page 47

GUPster : Status

• Basic architecture in place
  – GUPster server
    • Data integration (current focus on the virtual approach)
    • Access control
  – “Surround” for user preferences
  – Preliminary preferences provisioning interface
• Data sources currently supported
  – Lucent Exchange, Lucid, Buddy Bell, Jabber, SDHLR, native XML
  – Wrappers for Exchange, Lucid, Jabber; translator for SDH LR
• XSQuirrel query engines and tools
  – GUPster server query engine based on Galax
  – Wrapper for Lucent Exchange based on go-mono.com (a C# XPath engine)

Page 48

GUPster : The Future

• Objectives that will make users happier :
  – Synchronization
    • E.g., to enable synchronizing the address book in Lucent Exchange with a subset of it on a cell phone
  – Data update via GUPster
    • E.g., modify my various buddy lists (Jabber, Buddy Bell, Palm) from one place
• Objectives that will make us (researchers) happier :
  – Extend access control with
    • conditions involving target data
    • rule chaining
  – XSQuirrel : a richer fragment for XSQuirrel