XML documents are increasingly being used not only to share data but also to store it in that format, i.e. XML Databases. For this reason, it has become important to provide ways to control the way in which di erent users read and modify this data. There's been work on access control techniques for both read [1, 5{8, 10] and write [2{4] queries over XML data.

For write queries, a special type of vulnerability has been studied: the possibility that a policy speci cation enables a user to simulate a forbidden update through a sequence of allowed updates in the same policy. These \inconsistent" policies open up security problems and as such, need to be properly detected and repaired before being enforced. 1 Each element is de ned using regular expressions. We assume that all the elements that are not de ned correspond to text(#PCDATA). Consider, for example, a policy that allows a user to insert and remove elements of type sub-article but does not allow him/her to insert new journal-id elements. This policy has an inconsistency, since it is possible to add a journal-id by rst removing the element sub-article, and then inserting a new one that includes the extra journal-id. For example, it shouldn't be possible to obtain document D2 (in Figure 5) from document D0 (in Figure 2) since inserting journal-id elements is forbidden. However, this can be achieved by rst removing from D0 the sub-article element, which results in document D1 in Figure 3, and then inserting the new sub-article element shown in Figure 4 below the front element of document D1. Thus, through two allowed updates such as deleting an inserting a sub-article element, it is possible obtain a document D2 that is also the result of applying a forbidden update. <article> <front> <journal-meta> <journal-id>BMJ</journal-id> <issn>0959-8138</issn> <publisher>BMJ</publisher> </journal-meta> <article-meta> <article-id>jBMJ</article-id> <article-id>1508</article-id> <author>Freeman,George</author> <pub-date>13-4-2002</pub-date> <volume>324</volume> <issue>7342</issue> </article-meta> </front> <sub-article> <front-stub> <journal-meta> <journal-id>SMN</journal-id> <journal-id>DKE</journal-id> <issn>7225-4139</issn> <publisher>SMN</publisher> </journal-meta> </front-stub> </sub-article>

In [ 2 ] the authors de ned inconsistencies in XML access control policies for write operations, studied the problem of identifying such policies for structured DTDs, showed that nding repairs to those policies is np-complete and provided approximation algorithms to compute them. Later, in [ 4 ], authors extended those results to deal with a general kind of DTD called Chain Extended DTDs (CEDTDs for short), like the one in Fig. 1, imposing some restriction over the type of updates that were considered. For instance, it only considered updates that replaced element types belonging to a disjunction without +; or ?. Thus, in the Journal Publishing example, the only valid replace updates would be between element types front and front-stub. In this setting, the problem of repairing inconsistent policies was shown to be np-complete.

In this article, we show how an access control policy can be de ned for XML databases that conform to CEDTDs in such a way that: (i) it deals with insert, delete and replace updates between any two distinct element types, (ii) policy consistency can be checked in polynomial time, (iii) repairs to inconsistent policies can be found in polynomial time. The cost to achieve this is that it cannot express some policies that can be de ned in [ 4 ]. However, the type of policies that cannot be expressed are not common in practice.

This document is structured as follows. The de nitions of XML documents, schemas and updates are provided in Section 2. Section 3 de nes access control policies for CEDTDs. Next, in Section 4 the consistency of those policies in analyzed and for the cases in which they are inconsistent, the repair problem is studied in Section 5. Finally, the conclusions are provided in Section 6. 2

An extended DTD (EDTD) is an abstraction of the two main schema de nition languages for XML [ 9 ], namely DTDs and XSDs, and represented by a quintuple (Ele; Types; Rg; rt; ) where i) Ele is a nite set of element names ii) Types is a nite set of element types iii) rt is a distinguished element name in Ele and in Types called the root iv) is a mapping from Types to Ele such that (rt) = rt, and v) Rg de nes the element types: that is, Rg : Types ! RegTypes , where RegTypes is a set of regular expressions r over Types, considering concatenation, disjunction, element repetition and optionality, empty and string elements. Given a type A we will refer to Rg(A) as its production rule. An element type Bi that appears in the production rule of an element type A is called a subelement type of A. Given an EDTD D, we write A D B for the transitive, re exive closure of the subelement relation.

A structured EDTD is an EDTD such that its regular expressions are de ned using the grammar: str j j B1; : : : ; Bn j B1 + + Bn j B , where \;", \+" and \ " stand for concatenation, disjunction and Kleene star respectively, for the EMPTY element content, str for text values and B 2 Types. A Chain EDTDs consists of an EDTD whose regular expressions are: (i) a sequence of terms (A1 + + An)q, where q is an optional quali er of the form +; , or ?; (ii) a string str; or (iii) empty [ 11 ]. Every structured EDTD is a Chain EDTD. Example 2. The Journal Publishing Schema in Fig. 1 is a chain EDTD but it is not a structured EDTD. For example, element article contains either a front or front-stub element, optionally a body element and zero or more repetitions of sub-articles or response elements. 2 We will model an XML document as rooted unordered trees which conforms to a schema if it validates against its regular expressions. The XML document in Fig. 1 conforms to the chain EDTD in Fig. 2.

Example 3. Let t0 be the XML document shown in Figure 6(b), also represented by the tree in Figure 6(c). Let D0 be the chain EDTD rooted in A shown in Figure 6(a). Document t0 conforms to schema D0. 2 A!(B+C)+,D ,(E+F+G) B ! H,I F ! str C ! str G ! str D ! str H ! str E ! str I ! (a) CEDTD D0 <A> <B> <H>Hello</H> <I></I> </B> <C>World</C> <E>!!</E> </A> (b) Document t0

B H

I

A

C \World"

E \!!" \Hello" (c) Tree representation of t0 We consider the following updates: op ::= delete(n) j insert(n; t) j replace(n; t) j replaceVal(n; s). A delete(n) will remove node n and all its descendants. An insert(n; t) operation will add a tree t as a child node below n. A replace(n; t) operation will replace the subtree with root n by the tree t. A replaceVal(n; s) operation will replace the text value of node n with string s. An update operation is said to be valid for t and D if the result of applying it over t results in a document that conforms to D. For example, the update delete(E) would not be valid over t0, because the resulting document would not conform to D. In what follows we consider only valid updates. We denote by [[op]](t; D) the resulting XML document obtained by applying update operation op on tree t that conforms to schema D. 3

We use the notion of update access type to specify the access authorizations. De nition 1. Given a CEDTD D, a base update access type (base UAT) is an expression of the form (A; ut) where ut ::= insert(B) j delete(B) j replaceVal and A and B are types from D. 2 Intuitively, each of these UATs controls the operations that insert or delete an element of type B or operations that replace a string. The relation uat valid in D, which indicates that a base update access type uat is valid for the EDTD D, is constrained by the following inference rules:

A policy is said to be consistent if it is not possible to simulate a forbidden update through a sequence of allowed updates. More formally: De nition 6. [ 2 ] Consider a policy P de ned over schema D. An inconsistency in P for D consists of an allowed run t0 op!1 t1 : : : op!n tn and an update op0 2 [[F ]](t0; D) such that tn = [[op0]](t0; D). A policy P is consistent for D if there are no inconsistencies. 2 We say that nothing is forbidden below an element type A in a policy P de ned over D if for every Bi such that A D Bi and every (Bi; x) 2 valid(D), (Bi; x) 2 P . If A has any replace operations in valid(D), then we de ne the replace graph GAP = (VA; EA) where i) VA is the set of subelements of A and ii) (Bi; Bj ) 2 EA if there exists (A; replace(Bi; Bj )) 2 P ".

Theorem 1. A policy P de ned over a CEDTD D is consistent if and only if for every production rule: 1. If (A;insert(B))2 P " and (A;delete(B))2 P ", then nothing is forbidden below B 2. If for every i 2 [1; : : : n], if Bi is contained in a cycle in GAP then nothing is forbidden below Bi.

Proof Sketch: Policy P and schema D can be transformed into a new policy Pstruct de ned over a new structured schema Dstruct in such a way that P is consistent over D if and only if Pstruct is consistent over Dstruct. In [ 2 ] the authors identify three cases in which a policy de ned over a structured schema is consistent: insert/delete, negative-cycle and forbidden-transitivity. Because of the characteristics of Pstruct only the rst two can occur. By reversing the transformations, we get the conditions for CEDTDs that correspond to insert/delete and negative cycle inconsistencies. 2 The conditions in Theorem 1 are de ned over the expanded policy P ". In order to simplify the consistency checking problem, it is better to see how these conditions can be checked in P instead of P ".

Proposition 1. A policy P de ned over a CEDTD D is consistent if and only if for every element types A; B and C in D: 1. If B is independent in A and f(A; insert(B)); (A; delete(B))g P then nothing is forbidden below B. 2. If B and C are alternates in A and f(A; insert(B)); (A; delete(B)); (A; insert(C)); (A; delete(C))g P then nothing is forbidden below B and C. 2 It is possible to check if conditions in Proposition 1 hold for a policy using standard polynomial-time graph algorithms over the DTD. Thus, the problem of deciding policy consistency with respect to CEDTDs is in ptime. Example 9. (example 8 cont) Policy PD0 has several inconsistencies. First, by having both (A; insert(B)) and (A; delete(B)) allowed for an independent element type B under A, but forbidding (H; replaceVal). Another one is given by having (A; insert(E)), (A; delete(E)), (A; insert(F)) and (A; delete(F)) as allowed operations under alternate types E and F, but forbidding (F; replaceVal). Finally, given by having (A; insert(F)), (A; delete(F)), (A; insert(G)) and (A; delete(G)) as allowed operations under alternate types F and G, but forbidding (F; replaceVal). 5

If a policy is inconsistent, we would like to suggest possible minimal ways of modifying it in order to restore consistency. In other words, we would like to nd repairs that are as close as possible to the inconsistent policy. We would like this repairs to be more restrictive than the original, this is, a repair should provide less access to the user.

De nition 7. [ 2 ] A policy P 0 is a repair of a policy P de ned over a DTD D if and only if: i) P 0 is de ned over D, ii) P 0 is consistent, and iii) P 0 P . Furthermore a repair P 0 of P is a minimum-repair if there is no repair P 00 such that jP 0j < jP 00j.2 2 In other words a repair is a new policy over the same schema, which is consistent and contains a subset of the allowed UAT in P . For this repair to be minimal, we require that it contains the maximum number of allowed UATs or, equivalently, that a minimal number of UATs has been removed from P .

The problem of computing a minimum-repair can be solved in ptime. In what follows we describe an algorithm to do so. By Proposition 1 we have that we need to solve two types of inconsistencies:

Type 1: if B is independent in A, f(A; insert(B)); (A; delete(B))g P and something is forbidden below B.

Type 2: if B and C are alternates in A,f(A;insert(B));(A;delete(B));(A;insert(C)); (A; delete(C))g P and something is forbidden below B or below C. Because of minimality of repairs, repairs of inconsistencies of Type 1 can be solved independently by removing either (A; insert(B)) or (A; delete(B)). This is not the case for inconsistencies of Type 2, since there might be more than one such inconsistency involving shared types.

Example 10. (example 9 continued) There is an inconsistency of Type 2 between E and F since (F; replaceVal) 62 P . To solve this inconsistency, we need to forbid either (A; insert(E)),(A; delete(E)),(A; insert(F)) or (A; delete(F)). However, choosing to forbid (A; insert(E)) or (A; delete(E)) will not result in a minimal repair since element F is involved in another inconsistency of Type 2 with G since (F; replaceVal) 62 P . Thus, when there are several inconsistencies of Type 2 it 2 jP 0j denotes the cardinality of set P 0 Algorithm 1: PolicyRepair

Input : CEDTD D = (Ele; Types; Rg; rt; ), Policy P

Output : set toRemove of UATs to remove to restore consistency of P 1 (T1; T2) DetectInconsistencies(D; P ) 2 toRemove ; 3 for A 2 Types do 4 for B 2 T1(A) do 5 U either (A; insert(B)) or (A; delete(B)) (choose randomly) 6 toRemove toRemove [ fU g else

Let E be a randomly chosen element in S

S S r fEg for C 2 S do

U either (A; insert(B)) or (A; delete(B)) (choose randomly) toRemove toRemove [ fU g

S S r fCg is necessary to choose carefully to ensure that a minimal repair is found. In this case, either (A; insert(F)) or (A; delete(F)) need to be forbidden. The policy also has a inconsistency of Type 1 that can be solved by forbidding either (A; insert(B)) or (A; delete(B)) from our policy. Thus, a minimum-repair for P is P 0 = P n f(A; insert(B)); (A; delete(F))g. 2 Algorithm PolicyRepair, takes a policy P de ned over a CEDTD D and returns a set of UATs to remove from P to restore consistency. The algorithm rst calls Algorithm DetectInconsistencies that computes with the recursive Algorithm NodeInconsistency the inconsistencies of Type 1 and Type 2 and stores them in two functions T1 and T2 using depth- rst search over schema D. Function T1 : Types ! 2Types , returns for every type A the set of Types B such that f(A; insert(B)); (A; delete(B))g P and something is forbidden below B. These inconsistencies are solved by either deleting (A; insert(B)) or (A; delete(B)) (lines 46 of Algorithm PolicyRepair). Function T2 : Types ! 22Types , returns for every type A, a set of subsets of Types in such a way that if S 2 T2(A), then every B 2 S belongs to the same XOR factor below A and f(A; insert(B)); (A; delete(B))g P and something is forbidden below B. Also, if r 2 S it means there is a type C in the same XOR factor such that f(A; insert(C)); (A; delete(C))g P but everything is allowed below C. It is easy to check that in order to solve the inconsistencies of Type 2, for every S 2 T2(A) we need to delete either (A; insert(B)) or (A; delete(B)) Algorithm 2: DetectInconsistencies

Input : CEDTD D = (Ele; Types; Rg; rt; ), Policy P Output : A tuple (T1; T2) where T1 and T2 are functions that given a type they return the inconsistencies of Type 1 and Type 2 below it 1 for A 2 Types do 2 visited(A) 1 3 if there exists (A; op) 2 F(P; D) then 4 (A) = 0 else (A)

1 T1(A)

T2(A) 7 ; 8 ; 9 NodeInconsistency(D; rt; visited; ; T1; T2) 10 return (T1; T2) for every B 2 S except for r if it belongs to F or any type if it does not (see lines 7-15 of Algorithm PolicyRepair). Algorithm 3: NodeInconsistency

Input : CEDTD D, Node A, functions:visited, , T1 and T2

Result: T1(A) and T2(A) contain inconsistencies of Type 1 and Type 2 below A 1 if visited(A) < 0 then 2 for B independent in A do 3 nodeInconsistency(M GD; visited; B) 4 if (B) = 0 then 5 (A) 0 6 if (A; insert(B)) 2 P and (A; delete(B)) 2 P then 7 T1(A) = T1(A) [ fBg 8 9 10 11 12 13 else

S = S [ frg if jSj > 1 then

T2(A) T2(A) [ fSg if (A) = 1 then

(A) 1 visited(A)

1 Example 11. (example 5 continued) Algorithm DetectInconsistencies returns T1 and T2 such that:

T1(E) = fBg for E=A ; for E6=A

T2(E) = ffF; rgg for E=A ; for E6=A To solve the only inconsistency of Type 1, it chooses from either (A; insert(B)) or (A; delete(B)) and adds it to the toRemove set. Next, for sets in T2(A), it loads them into a variable S and checks if r 2 S. If such element is in the set, it means that there are cycles inside the XOR factor involving elements that do not have something forbidden below them. In this case, the algorithm erases r from S. Then the algorithm proposes to add either (A; insert(F)) or (A; delete(F)) to the toRemove set. So, by choosing one UAT from each combination shown, and changing them from allowed to forbidden, consistency is restored. 2 Even though nding a single minimum-repair can be done in polynomial time, there might an exponential number of them.

Proposition 2. Given a policy P over a CEDTD D, a minimum-repair of it can be computed with Algorithm 1 in O(n + m) where n is the number of types in D and m is the number edges in the tree that represents D. All the repairs can be computed in O(n 2n). 2 In most of the cases m is O(n) and thus a minimum repair can be found in linear time on the number of types in the DTD. In the worst case m is O(n2). Even thought computing all the repairs requires exponential time, it is also possible to show in linear time all the inconsistencies to the designer of the policy so that he can choose how to solve each of them. 6

We have provided an access control policy de nition language based in basic update access types, that simpli es the administration of authorization, since it only requires that the policy manager de nes whether the user should be able to insert or delete elements of the DTD, and automatically deduct replace authorizations from such permissions. For these type of policies, consistency checking and repair computation problems can be solved in polynomial time. We also provided e cient algorithms that, given an inconsistent policy, computes a consistent one that is as close as possible to the inconsistent one in terms of forbidden UATs.

These policies are an improvement over the ones de ned in [ 4 ], since the repair computation problem for those is np-hard. This is achieved by instead of de ning policies in terms of insert; delete and replace UATs, we here de ne policies using only insert and delete UATs and deducing from them the replace permissions. In terms of expressive power they are not comparable since we can de ne policies that they cannot and vice-versa. For example, consider a DTD with the production rule A ! B ; C and B and C containing text. A policy P = finsert(C); delete(B)g with P " = finsert(C); delete(B); replace(B; C)g cannot be expressed in policies de ned in [ 4 ] since they do not consider replace between elements that do not belong to an XOR factor. On the other hand, we cannot write a policy P for which P " = f(A; replace(B; C)); (B; replaceVal); (C; replaceVal)g even though P " is a consistent policy in [ 4 ]. We believe that the gain in expressive power outweighs the loss since being able to provide permissions for replacements outside of XOR factors is a useful feature and the policies that cannot be expressed do not seem useful in practice. Thus, the policies here introduced can be used as a simple, but powerful, way to provide consistent access control to XML databases.