Irini Fundulaki, University of Pennsylvania, October 2003
Dec 19, 2015
Privacy-Conscious Management of User-Centric Data for Converged Networks
Irini Fundulaki, Arnaud Sahuguet, Rick Hull, Daniel Lieuwen
Bell-Laboratories
Convergence of Networks
• The convergence of the networks leads to “converged services”
– Many devices, many services, many ways to combine them
– The different roles we have lead to even more ways to combine them
• End-users want a services-centric view of converged services, not a network-centric view
[Figure: family members and friends sharing devices across networks: wireline phone on SS7 / Class 5 switch; wireless phone/data on MSC/HLR and AAA; enterprise intranet with Calendar, Lucent Exchange and Address book; public internet; WiFi network]
Current Work by third parties
• Converged services cannot be successful without user profile data management
– Industry leaders are demanding it!
• Telecom : T-Mobile, Vodafone, Orange, …
• Software : Microsoft, Sun, …
– Standards bodies have already identified this problem and are working on the data models, standards and interfaces for user profile management
• Liberty Alliance : Ericsson, France Telecom, Nokia, Sun, Sony, Vodafone and many others; OASIS standards body
• 3GPP (3rd Generation Consortium)
• OMA (Open Mobile Alliance) : Lucent, IBM, Intel, Microsoft, Motorola, Nokia and others
“Reach Me” Example
1. Irini wants to see Arnaud’s presence and calendar information
2. ReachMe Server sends queries to the related sources
3. ReachMe Server asks for calendar from Lucent Exchange
4. ReachMe Server asks for presence info from the Presence Server
[Figure: Irini reaches the “ReachMe” Server over the Internet; the server is backed by Privacy-Conscious Management of User Profile Data and queries Lucent Exchange (Arnaud’s Calendar: 9-11 Meeting with Jeff Jaffee, 11-12 Meeting with Rick Hull) and the Presence Server over SS7]
Key Points in User Profile Data Management
• Data is found in heterogeneous sources
– Inter/Intranet Data Sources
• Corporate network
• Netscape/Yahoo! Profile
– Network Data Sources
• Mobile Phone
• Palm Pilot
– Presence Servers
• SDHLR
• WiFi
• Instant Messaging
• Telephone On/Off Hook
• Data cannot be seen by everybody : Privacy-conscious data management
[Figure: table of who holds which profile data where: sources Jabber, Netscape, Lucent Exchange, Palm Pilot; data kinds Presence Info, Identity Info, Address book/Calendar; entries for Arnaud, Rick, Bharat and Lucent]
GUPster : Share your data, keep your secrets
GUPster : The Objectives
• Objective : Allow individuals to share their profile data in a secure and controlled way with other individuals or applications through a single point of access
– Single point of access → data integration, replication & synchronization
– Controlled → data access control
• Challenges :
– Data integration :
1. How to hide heterogeneity from requestors/applications?
2. How to provide a single point of access? Users/applications must be unaware of where the data is located
– Access Control :
1. How to express requestee preferences about when and by whom data can be accessed?
2. How to perform access control efficiently?
GUPster : The Solution (1)
• Data integration : Mediator/Wrapper Architecture
1. How to hide heterogeneity from requestors/applications?
• Schema hides heterogeneities of data source schemas
– XML Schema inspired from schemas of standard bodies (3GPP/GUP) and Liberty Alliance
• Wrappers translate source data into instances of the schema
– Source data is translated into XML data
2. How to provide a single point of access?
• Describe sources in terms of the mediator schema (Local As View source descriptions, user-centric metadata)
• Multiple modes :
– Materialization (e.g. caching)
– Virtual (query mediation, data shipping)
– Referrals (query shipping)
GUPster : The Solution (1)
• Access Control
1. How to enable requestee preferences about when and by whom data can be accessed?
• Access control model similar to state-of-the-art models for XML access control
• User-centric access control rules
– A user defines access control rules for her profile data
2. How to perform access control efficiently?
• Static analysis of access control policies and queries
• “Query Transformation” to obtain the query that the user is allowed to ask
GUPster : Overview
[Figure: GUPster Server holding the GUPster Schema, Arnaud’s access control policy (‘Irini cannot see my presence’, ‘Irini can see my calendar’) and Arnaud’s metadata (“Presence info from Jabber”, “Calendar from Lucent Exchange”)]
1. Irini asks for Arnaud’s calendar and presence information
– Access Control : Irini can see only calendar info (part of the requested data)
– Query Rewriting : get the calendar info from Lucent Exchange
3. Request sent to Lucent Exchange
4. Answers sent to GUPster
5. Answers returned to Irini
Presentation Outline
• XSQuirrel Language
• Keep your Secrets : Access Control in GUPster
• How is it all done?
– The Architecture
• Conclusions and Future Work
XSQuirrel Language
• What do we need to do?
– Metadata : specify the view of the user profile document that resides in each source
– Access Control : specify the view of the user profile data a requestor is allowed/denied to access
– Query Language : specify the view of the user profile data a requestor wants to access
• We need a view specification language that allows us to :
– project on more than one branch of an XML document
– retain the original document structure
Example (1)
Query : «The first and last names of Arnaud’s contact entries and their job title»
XML Document :
<MyGup>
  <AddressBook>
    <Contact>
      <CommonName>
        <AnalyzedName>
          <PersonalTitle>Dr</PersonalTitle>
          <FN>Irini</FN>
          <LN>Fundulaki</LN>
        </AnalyzedName>
      </CommonName>
      <EmploymentIdentity>
        <JobTitle>PostDoc</JobTitle>
        <Organization>Bell Labs</Organization>
      </EmploymentIdentity>
    </Contact>
  </AddressBook>
</MyGup>
Result XML Document :
<MyGup>
  <AddressBook>
    <Contact>
      <CommonName>
        <AnalyzedName>
          <FN>Irini</FN>
          <LN>Fundulaki</LN>
        </AnalyzedName>
      </CommonName>
      <EmploymentIdentity>
        <JobTitle>PostDoc</JobTitle>
      </EmploymentIdentity>
    </Contact>
  </AddressBook>
</MyGup>
XSQuirrel Syntax
Query : «The first and last names of Arnaud’s contact entries and their job title»
XSQuirrel expression for our query :
\MyGup\AddressBook\Contact\(AnalyzedName\(FN # LN) # EmploymentIdentity\JobTitle)
• Concise syntax
• Operator # allows one to project on more than one branch of the XML tree
XQuery Expression for our query (2)
(: the outer predicate keeps the document only if some requested node exists :)
for $a in doc('arnaud_sahuguet.xml')/MyGup[AddressBook[Contact
           [AnalyzedName[FN|LN] or EmploymentIdentity[JobTitle]]]]
return <MyGup> {
  for $b in $a/AddressBook
  return <AddressBook> {
    for $c in $b/Contact
    return <Contact> {
      for $d in $c/AnalyzedName
      return <AnalyzedName> { $d/(FN|LN) } </AnalyzedName>,
      for $e in $c/EmploymentIdentity
      return <EmploymentIdentity> { $e/JobTitle } </EmploymentIdentity>
    } </Contact>
  } </AddressBook>
} </MyGup>
The query returns the empty answer if none of the requested nodes exist in the document.
XSQuirrel vs XPath 1.0?
• It is not possible to express with XPath 1.0 the projection as described previously :
– We can project on more than one branch of the tree (using the union operator) but we lose the document structure
– We obtain sets of nodes, instead of trees
• XSQuirrel : A simple projection language for XML
XSQuirrel Semantics and Closure Properties
• The result of the evaluation of an XSQuirrel expression p on a document D is a projected document* p(D) which contains :
– the nodes designated by all the XPath expressions (E(p)) in the XSQuirrel expression
– their descendant nodes
– and all their ancestor nodes up to the root
* projected document is a term borrowed from [Marian&Simeon03]
• Closure properties (used for data integration and for access control) :
– Intersection
– Union
– Complement*
– Composition
XSQuirrel Example
p : \MyGup\(AddressBook\Contact\AnalyzedName # Calendar)
E(p) = { /MyGup/AddressBook/Contact/AnalyzedName, /MyGup/Calendar }
[Figure: the document tree below; the nodes designated by E(p), their descendants and their ancestors up to the root are kept in p(D)]
MyGup
  AddressBook
    Contact
      AnalyzedName
        LN ‘Fundulaki’
        FN ‘Irini’
      EmploymentIdentity
        JobTitle ‘Post Doc’
  Calendar
    vevent
      created 09/01
      description Meeting with Rick
      owner A.S
XSQuirrel Fragment
• XSQuirrel location paths (locpath), projection paths (projpath), XPath location paths (xpath), filter expressions (fexpr) :
locpath  ::= locpath ‘\’ locpath | locpath ‘\’ projpath | locpath fexpr | label
projpath ::= ‘(’ locpath ‘#’ locpath ‘)’
fexpr    ::= ‘[’ xpath ‘]’ | ‘[’ xpath ‘|’ xpath ‘]’ | ‘[’ xpath ‘and’ xpath ‘]’ | ‘[’ xpath ‘=’ value ‘]’
xpath    ::= xpath ‘/’ xpath | label | ‘.’
– Axis ‘\’ specifies the tree structure
– ‘#’ is the projection operator
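As an added example (not code from the slides or from the GUPster project), a Python implementation of the filter-free XSQuirrel fragment: parse_xsq() turns an expression into E(p) following the grammar above (accepting any number of ‘#’ branches, not only two), and project() applies the semantics from the earlier slide (designated nodes, their descendants, their ancestors up to the root). The tokenizer, function names and the sample document are my assumptions; the document is constructed to match the tree on the example slides, with Contact directly above AnalyzedName.

```python
import copy
import re
import xml.etree.ElementTree as ET

# Tokens of the filter-free fragment: '\' axis, '(' ')' grouping, '#', labels.
TOKEN = re.compile(r"\\|\(|\)|#|[A-Za-z_][\w.-]*")

def parse_xsq(expr):
    """Parse an XSQuirrel expression into E(p), the set of absolute '/'-separated
    XPath expressions it designates. Grammar (slide fragment without filters):
      locpath ::= label | label '\\' locpath | label '\\' '(' locpath ('#' locpath)+ ')'
    '#' is accepted with any number of branches, not only two."""
    toks = TOKEN.findall(expr.replace(" ", ""))
    if toks and toks[0] == "\\":          # a leading '\' anchors at the root
        toks.pop(0)
    pos = 0

    def locpath():
        nonlocal pos
        label = toks[pos]
        pos += 1
        if pos < len(toks) and toks[pos] == "\\":
            pos += 1
            if toks[pos] == "(":          # projection path: branches joined by '#'
                pos += 1
                branches = [locpath()]
                while toks[pos] == "#":
                    pos += 1
                    branches.append(locpath())
                if toks[pos] != ")":
                    raise ValueError("expected ')' at token %d" % pos)
                pos += 1
                tails = [t for b in branches for t in b]
            else:
                tails = locpath()
            return [[label] + t for t in tails]
        return [[label]]

    paths = locpath()
    if pos != len(toks):
        raise ValueError("trailing tokens in %r" % expr)
    return {"/" + "/".join(p) for p in paths}

def project(doc, paths):
    """p(D): keep every node designated by a path in E(p), its descendants and
    its ancestors up to the root; prune the rest. Returns '' if nothing matched."""
    root = ET.fromstring(doc)

    def keep(elem, path):
        if path in paths:                 # designated node: keep the whole subtree
            return copy.deepcopy(elem)
        kids = [k for k in (keep(c, path + "/" + c.tag) for c in elem) if k is not None]
        if not kids:
            return None                   # nothing designated below: prune
        new = ET.Element(elem.tag, elem.attrib)   # ancestor: keep only the shell
        new.extend(kids)
        return new

    out = keep(root, "/" + root.tag)
    return ET.tostring(out, encoding="unicode") if out is not None else ""

# Constructed sample document shaped like the tree on the slides (Contact directly
# above AnalyzedName); no whitespace between tags so the output is stable.
DOC = ("<MyGup><AddressBook><Contact><AnalyzedName><PersonalTitle>Dr</PersonalTitle>"
       "<FN>Irini</FN><LN>Fundulaki</LN></AnalyzedName><EmploymentIdentity>"
       "<JobTitle>PostDoc</JobTitle><Organization>Bell Labs</Organization>"
       "</EmploymentIdentity></Contact></AddressBook></MyGup>")
QUERY = r"\MyGup\AddressBook\Contact\(AnalyzedName\(FN # LN) # EmploymentIdentity\JobTitle)"
```

Running project(DOC, parse_xsq(QUERY)) drops PersonalTitle and Organization but keeps the enclosing structure, and a query for a branch the document lacks (e.g. \MyGup\Calendar) yields the empty answer, as the XQuery slide notes.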
XSQuirrel Operators
• Intersection
– The intersection of two XSQuirrel expressions p and q is the XSQuirrel expression t = p ∩xsq q which returns a subdocument of both p(D) and q(D)
– The algorithm to compute p ∩xsq q is based on string matching for XPath expressions considering only the ‘/’ axis
– (p ∩xsq q)(D) = p(D) ∩D q(D)
• Union
– The union of two XSQuirrel expressions p and q is the XSQuirrel expression t = p ∪xsq q which returns a subdocument of D that ‘contains’ p(D) and q(D)
– The algorithm to compute p ∪xsq q is based on string matching for XPath expressions considering only the ‘/’ axis
– (p ∪xsq q)(D) = p(D) ∪D q(D)
XSQuirrel Operators
• Complement
– The complement of an XSQuirrel expression is always defined w.r.t. a schema
– Given a schema S, the XSQuirrel expression which describes the schema is defined by the set of absolute root-to-leaf XPath expressions E(S)
– Given an XSQuirrel expression p, its complement ¬p is defined as :
• E(¬p) = E(S) − { t ∈ E(S) s.t. ∃ r ∈ E(p) with r a prefix of t }
– E(¬p) = ¬(E(p)) (if p has no filters)
Example (schema tree with root A; B/C/D below A with leaves E and F; G/H below A with leaves I and J) :
E(S) = { /A/B/C/D/E, /A/B/C/D/F, /A/G/H/I, /A/G/H/J }
E(p) = { /A/B/C/D, /A/G/H/I }
E(¬p) = { /A/G/H/J }
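Added example, not from the slides or the GUPster code: the intersection, union and complement operators of the two slides above, implemented as the string-prefix matching on ‘/’-only XPath expressions that the slides describe, together with a covers() check (my own helper) that the intersection is a subdocument of both inputs. The inputs are the slides’ own p, q, E(S) and E(p); function names are assumptions.

```python
def is_prefix(r, t):
    """True when XPath expression r equals t or is a proper ancestor of t; string
    matching on whole steps, so '/A/B' is a prefix of '/A/B/C' but not of '/A/BC'."""
    return t == r or t.startswith(r + "/")

def xsq_intersection(P, Q):
    """E(p ∩xsq q): for every pair (p, q) where one path is a prefix of the other,
    keep the deeper one; it designates a subdocument of both p(D) and q(D).
    Pairs on unrelated branches contribute nothing, so the result may be empty."""
    out = set()
    for p in P:
        for q in Q:
            if is_prefix(p, q):
                out.add(q)
            elif is_prefix(q, p):
                out.add(p)
    return out

def xsq_union(P, Q):
    """E(p ∪xsq q): all paths of both expressions, minus any path that already lies
    below another path of the union (its subtree is kept by that path anyway)."""
    both = P | Q
    return {t for t in both if not any(r != t and is_prefix(r, t) for r in both)}

def xsq_complement(P, schema):
    """E(¬p) w.r.t. a schema given as its root-to-leaf paths E(S): every schema
    path that does not lie below (or equal) some path of E(p). Filter-free p only."""
    return {t for t in schema if not any(is_prefix(r, t) for r in P)}

def covers(P, R):
    """True when every path of R lies below (or equals) some path of P, i.e. the
    document designated by R is a subdocument of the one designated by P."""
    return all(any(is_prefix(p, r) for p in P) for r in R)

# The slides' own inputs: p and q of the intersection/union slides, and E(S), E(p)
# of the complement slide.
P = {"/MyGup/AddressBook/Contact/AnalyzedName/LN"}
Q = {"/MyGup/AddressBook/Contact/AnalyzedName", "/MyGup/Calendar/vevent"}
E_S = {"/A/B/C/D/E", "/A/B/C/D/F", "/A/G/H/I", "/A/G/H/J"}
E_P = {"/A/B/C/D", "/A/G/H/I"}

if __name__ == "__main__":
    print(sorted(xsq_intersection(P, Q)))    # the LN path only, i.e. p
    print(sorted(xsq_union(P, Q)))           # q: p already lies below AnalyzedName
    print(sorted(xsq_complement(E_P, E_S)))  # ['/A/G/H/J']
```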
XSQuirrel Intersection
p : \MyGup\AddressBook\Contact\AnalyzedName\LN
q : \MyGup\(AddressBook\Contact\AnalyzedName # Calendar\vevent)
p ∩xsq q = \MyGup\AddressBook\Contact\AnalyzedName\LN
[Figure: the document tree of the XSQuirrel example (MyGup with AddressBook/Contact/AnalyzedName (LN ‘Fundulaki’, FN ‘Irini’), EmploymentIdentity/JobTitle ‘Post Doc’, Calendar/vevent (created 09/01, description Meeting with Rick, owner A.S) and Preferences); first p and q are highlighted, then their common part]
XSQuirrel Union
p : \MyGup\AddressBook\Contact\AnalyzedName\LN
q : \MyGup\(AddressBook\Contact\AnalyzedName # Calendar\vevent)
p ∪xsq q = \MyGup\(AddressBook\Contact\AnalyzedName # Calendar\vevent)
[Figure: the same document tree; first p and q are highlighted, then the subdocument that contains both]
Keep your Secrets : Access Control in GUPster
Privacy : Problem Statement
• Data D related to user U is stored in a data store
• Policy P determines access control
• A request R to access the data D is received, with a request context C (e.g., identity of the requestor, purpose of the request, time of day etc.).
• What should be returned?
– Yes (requestor is allowed to see the requested data)
– No (requestor is not allowed to see the requested data)
– Part (requestor is allowed to see part of the requested data) along with an expression specifying the authorized data
Access Control Rules in GUPster
• Objective : We want to express facts such as : ‘who is allowed/denied to access what data and under which conditions (optional)’
– Who : users or computer applications (requestor)
– Access : read
– What : XML documents or document fragments (resource)
• Specified by XSQuirrel expressions
– Conditions : Conditions on context data (e.g. time of day, etc.)
• Access Control Rules are User-Centric !
• Access Control Rules are only positive (we specify only what one is allowed to see)
Access Control Rules : Examples
1. Arnaud allows Rick to read his address book and calendar information (condition is empty in this case)
(‘Rick’, read, \MyGup\(AddressBook # Calendar))
2. Arnaud does not allow Irini to read his presence from Jabber and calendar information before 9am and after 5pm
– So, he allows Irini to read his presence and calendar information from 9am to 5pm
(‘Irini’, read, \MyGup\(Calendar # JabberInfo), between 9am and 5pm)
3. Arnaud allows Irini to see his contact entries (except their employment identity)
– So, he allows her to see their analyzed names
(‘Irini’, read, \MyGup\AddressBook\Contact\AnalyzedName)
Requests in GUPster
• Objective : We want to express facts such as ‘Requestor requires access to requestee’s resources under conditions’
– Requestor : users or computer applications
– Access : read
– Resource : XML documents or document fragments
• Specified by XSQuirrel expressions
– Conditions : Conditions on context data (e.g. time of day, etc.)
• Example :
– Irini wants to read Arnaud’s address book and his presence information at 8am
(‘Irini’, read, \MyGup\(AddressBook # JabberInfo), time: 8am)
Evaluating Requests
• When does a request DR match a rule R?
– DR’s requestor matches R’s requestor
– DR’s action matches R’s action
– DR’s resource «matches» R’s resource (XSQuirrel expressions) : their intersection is not the empty query
– DR’s data evaluates R’s condition to true
• Authorized View (AV)
– Given a set of access control rules (ACR) for a requestor s, the authorized view for s is defined by AV = ∪xsq of the ACR’s resources
– Given a query q, the requestor is allowed to see the resource specified by q ∩xsq AV
• Static analysis of access control : evaluation of requests against rules is done at the level of the query and not at the level of the actual data
Evaluating Requests : Example
• Request q : Irini wants to see Arnaud’s address book and presence information at 10am
q = (‘Irini’, read, \MyGup\(AddressBook # JabberInfo), 10am)
• Rules :
1. p1 = (‘Irini’, read, \MyGup\(Calendar # JabberInfo))
2. p2 = (‘Irini’, read, \MyGup\AddressBook\Contact\AnalyzedName)
• Authorized View : q ∩xsq (p1 ∪xsq p2)
AR : \MyGup\(AddressBook\Contact\AnalyzedName # JabberInfo)
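Added example (not the GUPster implementation): the rule-matching conditions, the authorized view and the static Yes/No/Part decision from the two slides above, evaluated on Arnaud’s rules and Irini’s 10am request. Intersection and union are the ‘/’-prefix string matching the operator slides describe; the Rule and Request classes, the hour-of-day context and the function names are my assumptions.

```python
from dataclasses import dataclass
from typing import Callable

def is_prefix(r, t):
    """r equals t or is a proper ancestor of t ('/' axis only, whole steps)."""
    return t == r or t.startswith(r + "/")

def xsq_intersection(P, Q):
    """E(p ∩xsq q): of each pair where one path is a prefix of the other, keep the deeper."""
    return ({q for p in P for q in Q if is_prefix(p, q)}
            | {p for p in P for q in Q if is_prefix(q, p)})

def xsq_union(P, Q):
    """E(p ∪xsq q): both path sets, minus paths already below another path of the union."""
    both = P | Q
    return {t for t in both if not any(r != t and is_prefix(r, t) for r in both)}

@dataclass
class Rule:
    """Positive rule (requestor, action, resource, condition); resource is E(r) of
    the rule's XSQuirrel expression, condition is evaluated on the request context."""
    requestor: str
    action: str
    resource: set
    condition: Callable[[dict], bool] = lambda ctx: True   # empty condition

@dataclass
class Request:
    requestor: str
    action: str
    resource: set          # E(q) of the requested XSQuirrel expression
    context: dict          # e.g. {"hour": 10} for a request made at 10am

def matches(req, rule):
    """A request DR matches a rule R when requestor and action agree, the
    intersection of the two resources is not the empty query, and the request
    context makes the rule's condition true."""
    return (req.requestor == rule.requestor
            and req.action == rule.action
            and bool(xsq_intersection(req.resource, rule.resource))
            and rule.condition(req.context))

def authorized_view(req, rules):
    """AV = ∪xsq of the resources of every rule the request matches."""
    av = set()
    for rule in rules:
        if matches(req, rule):
            av = xsq_union(av, rule.resource)
    return av

def evaluate(req, rules):
    """Static analysis on the query alone: ('Yes' | 'No' | 'Part', q ∩xsq AV),
    the second element being the part of the request the requestor may see."""
    allowed = xsq_intersection(req.resource, authorized_view(req, rules))
    if not allowed:
        return "No", allowed
    return ("Yes" if allowed == req.resource else "Part"), allowed

# Arnaud's rules from the slides; Irini's Calendar/JabberInfo rule keeps its 9am-5pm condition.
ARNAUD_RULES = [
    Rule("Rick", "read", {"/MyGup/AddressBook", "/MyGup/Calendar"}),
    Rule("Irini", "read", {"/MyGup/Calendar", "/MyGup/JabberInfo"},
         lambda ctx: 9 <= ctx["hour"] < 17),
    Rule("Irini", "read", {"/MyGup/AddressBook/Contact/AnalyzedName"}),
]
# The slide's request: Irini, read, \MyGup\(AddressBook # JabberInfo), at 10am.
IRINI_10AM = Request("Irini", "read",
                     {"/MyGup/AddressBook", "/MyGup/JabberInfo"}, {"hour": 10})
```

evaluate(IRINI_10AM, ARNAUD_RULES) yields “Part” with the AR of the slide; the same request for presence only at 8am yields “No”, since the conditioned rule no longer matches.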
GUPster : The Architecture
[Figure: GUPster Server containing an Access Control Module (Sun XACML Module, Privacy Shield Module) and a Data Integration Module (XQuery Engine) over a MySQL database; the server talks over SOAP to Lucent Exchange on one side and to a Java Swing Client on the other]
Some Examples
[Example flow through the GUPster Server]
1. Irini asks for Arnaud’s Jabber presence information
2. Check Arnaud’s preferences. Arnaud said : “Coworkers can see only Arnaud’s Jabber presence”; Irini is in Arnaud’s coworkers group
– GUPster (AC) : Irini can see the requested data
– GUPster (DI) : rewrites the request
3. Request sent to Jabber
4. Answers sent to GUPster
5. Answers returned to Irini
[Example flow through the GUPster Server]
1. Irini asks for Arnaud’s profile information
2. Check Arnaud’s preferences. Arnaud said : “Coworkers can see only Arnaud’s presence information”; Irini is in Arnaud’s coworkers group (and no other)
– GUPster (AC) : Irini cannot see the requested data
3. No access to requested data allowed
[Example flow through the GUPster Server]
1. Irini asks for Arnaud’s contact entries
2. Check Arnaud’s preferences. Arnaud said : “Irini can see only the first names and ‘Message Accounts’ of Arnaud’s contact entries”
– GUPster (AC) : Irini can see part of the requested data
– GUPster (DI) : rewrites the authorized part of the query
3. Request sent to Lucent for first names and “Message Accounts” of contact entries
4. Answers sent to GUPster
5. Answers returned to Irini
GUPster : Key Innovations
• Flexible reference architecture for privacy-conscious user profile data access
– Provides unified access to distributed data
– Permits different data distributions for different users
– Supports privacy shield through extensible rules technology
• XSQuirrel: Targeted XML query language
– Enables simple, direct queries against profile data
– XPath < XSQuirrel << XQuery
– Related to an implementation-level construct in [Marian&Simeon03]
GUPster : Status
• Basic architecture in place
– GUPster server
• Data integration (current focus on virtual approach)
• Access control
– “Surround” for user preferences
– Preliminary preferences provisioning interface
• Data sources currently supported
– Lucent Exchange, Lucid, Buddy Bell, Jabber, SDHLR, native XML
– Wrappers for Exchange, Lucid, Jabber; translator for SDHLR
• XSQuirrel query engines and tools
– GUPster server query engine based on Galax
– Wrapper for Lucent Exchange based on go-mono.com (a C# XPath engine)
GUPster : The Future
• Objectives that will make users happier :
– Synchronization
• E.g., to enable synchronizing the address book in Lucent Exchange with a subset in the cell phone
– Data update via GUPster
• E.g., modify my various buddy lists (Jabber, Buddy Bell, Palm) from one place
• Objectives that will make us (researchers) happier :
– Extend access control with
• conditions involving target data
• rule chaining
– XSQuirrel : richer fragment for XSQuirrel