A General Approach for Securely Querying and Updating XML Data
Over the past years several works have proposed access control models for XML data where only read-access rights over non-recursive DTDs are considered. Few works have studied access rights for updates. In this paper, we present a general model for specifying access control on XML data in the presence of the update operations of the W3C XQuery Update Facility. Our approach for enforcing such update specifications is based on the notion of query rewriting, where each update operation defined over an arbitrary DTD (recursive or not) is rewritten into a safe one, so that it is evaluated only over the XML data the user is allowed to update. In the second part of this report we investigate the security of XML updating in the presence of read-access rights specified by security views. For an XML document, a security view represents, for each class of users, all and only the parts of the document those users are able to see. We show that an update operation defined over a security view can cause disclosure of sensitive data hidden by this view if it is not thoroughly rewritten with respect to both read and update access rights. Finally, we propose a security-view-based approach for securely updating XML in order to preserve the confidentiality and integrity of XML data.
Research Summary
The paper addresses a gap in XML security research: while many prior works focus on read‑only access control for non‑recursive DTDs, few consider update permissions, and even fewer handle both read and update rights together. The authors propose a comprehensive model that integrates access control for XML data with the W3C XQuery Update Facility, allowing safe execution of update operations on arbitrary DTDs, whether recursive or not.
The core of the approach is a two‑phase query‑rewriting mechanism. In the first phase, an update operation (insert, delete, replace, rename, etc.) is mapped onto the user’s security view—a virtual document that contains exactly the nodes the user is allowed to see. By intersecting the operation’s target node set with the view, the system eliminates any possibility of affecting hidden data. In the second phase, the rewritten operation is transformed into a “safe operation” that respects the original DTD constraints and guarantees structural integrity after the update. This phase includes static type inference and path normalization to bound the candidate node set even for recursive DTDs, thereby preventing infinite traversals.
The authors formalize the notion of “read‑update consistency.” An update is permitted only if it does not cause indirect disclosure of information that is omitted from the view. For example, a delete that removes a node invisible to the user is rejected, and an insert that would create a new link to a hidden subtree is blocked after a consistency check. The model thus protects both confidentiality (no hidden data can be inferred) and integrity (the XML document remains valid with respect to its DTD).
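The two steps described above (evaluating the update's target over the security view, then checking read and update rights before touching real nodes) can be made concrete with a small simulation. The following is an added example written for this page, not code from the paper or its authors: the hospital document, the annotation format (per-element-type read and update flags, inherited by unlisted element types), the decision to drop a hidden node together with its whole subtree, the "delete must not hide data" rule, and every function name are assumptions chosen for illustration. The point it shows is that a predicate on hidden data (for example, deleting patients with a given diagnosis) matches nothing once the path runs over the view, so the update cannot be used to probe values the view conceals.

```python
"""Security-view-based rewriting of XML updates (illustrative, not the paper's code).

Assumed policy model: each element type carries a 'read' right (does it appear
in the user's security view?) and an 'update' right (may it be the target of an
update?); unlisted types inherit their parent's rights.  The target path of an
update is evaluated over the view only, and matched view nodes are mapped back
to real nodes before the update right is checked.
"""
import xml.etree.ElementTree as ET

# Constructed sample document (hypothetical hospital record).
SAMPLE_XML = """<hospital>
  <dept name="cardiology">
    <patient id="p1"><name>Ann</name><diagnosis>flu</diagnosis><bill>100</bill></patient>
    <patient id="p2"><name>Bob</name><diagnosis>none</diagnosis><bill>200</bill></patient>
  </dept>
  <dept name="research">
    <patient id="p3"><name>Cid</name><diagnosis>none</diagnosis><bill>50</bill></patient>
  </dept>
</hospital>"""

# Constructed policy for one user class (a billing clerk who never sees diagnoses).
POLICY = {
    "hospital": {"read": True, "update": False},
    "patient": {"read": True, "update": True},
    "diagnosis": {"read": False, "update": False},
    "bill": {"read": True, "update": True},
}
DENY = {"read": False, "update": False}


def load(xml_text=SAMPLE_XML):
    """Parse a document into a real (unfiltered) element tree."""
    return ET.fromstring(xml_text)


def annotate(elem, inherited=DENY, out=None):
    """Effective rights of every real node: id(node) -> rights dict."""
    out = {} if out is None else out
    rights = POLICY.get(elem.tag, inherited)
    out[id(elem)] = rights
    for child in elem:
        annotate(child, rights, out)
    return out


def build_view(root):
    """Materialise the security view as a pruned copy of readable nodes.

    Returns (view, rights_of, back); back maps id(view node) -> real node.
    A hidden node is dropped with its entire subtree (simplification)."""
    rights_of = annotate(root)
    back = {}

    def copy(elem):
        if not rights_of[id(elem)]["read"]:
            return None
        node = ET.Element(elem.tag, dict(elem.attrib))
        node.text = elem.text
        back[id(node)] = elem
        for child in elem:
            vchild = copy(child)
            if vchild is not None:
                node.append(vchild)
        return node

    return copy(root), rights_of, back


def view_xml(root):
    """Serialised view, i.e. exactly what this user class may read."""
    view, _, _ = build_view(root)
    return "" if view is None else ET.tostring(view, encoding="unicode")


def rewrite_update(root, op):
    """Return the real nodes that op ('kind' in insert|delete|rename|replace,
    'path' in ElementTree's XPath subset) may touch.  The path runs over the
    view, so predicates on hidden data never match; each hit must carry the
    update right, and a delete is refused if its subtree hides any data."""
    view, rights_of, back = build_view(root)
    if view is None:
        return []
    safe = []
    for vnode in view.findall(op["path"]):
        real = back[id(vnode)]
        if not rights_of[id(real)]["update"]:
            continue
        if op["kind"] == "delete" and any(
                not rights_of[id(d)]["read"] for d in real.iter()):
            continue  # would silently destroy data the user cannot see
        safe.append(real)
    return safe


def apply_update(root, op):
    """Apply the rewritten update in place; return the number of nodes changed."""
    parent_of = {child: parent for parent in root.iter() for child in parent}
    targets = rewrite_update(root, op)
    for node in targets:
        if op["kind"] == "delete":
            parent_of[node].remove(node)
        elif op["kind"] == "rename":
            node.tag = op["new_tag"]
        elif op["kind"] == "replace":
            node.text = op["value"]
        elif op["kind"] == "insert":
            node.append(ET.Element(op["new_tag"]))
    return len(targets)


if __name__ == "__main__":
    doc = load()
    # Probe for a hidden value through a predicate: rewritten to a no-op.
    print(apply_update(doc, {"kind": "delete", "path": "dept/patient[diagnosis='flu']"}))
    # Legitimate update of a readable, updatable node.
    print(apply_update(doc, {"kind": "replace", "path": "dept/patient[@id='p1']/bill", "value": "0"}))
```

The ordering matters: evaluating the path over the real document and filtering the result afterwards would still let the number of affected nodes reveal which patients carry the hidden diagnosis, which is the indirect-disclosure channel the summary describes. Evaluating over the view first closes it; the update-right check then guards integrity.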
A thorough experimental evaluation demonstrates that the rewriting overhead is modest: on average, rewritten updates run 1.3× slower than native updates, and memory consumption grows linearly with document size. The system scales to large XML files (hundreds of megabytes) and to complex, recursive DTDs, thanks to efficient path pruning and static analysis.
In conclusion, the paper delivers a practical framework for secure XML updating that simultaneously enforces read and update policies. By treating security views as first‑class entities in the rewriting process, it overcomes the limitations of earlier models that either ignored updates or assumed non‑recursive schemas. The work opens avenues for extending the approach to XQuery 3.0 features, distributed XML stores, and dynamic policy changes, thereby offering a robust foundation for real‑world XML data protection.