QFilter: Rewriting insecure XML queries to secure ones using

Research output: Contribution to journalArticlepeer-review

11 Scopus citations


In this paper, we ask whether XML access control can be supported when underlying (XML or relational) storage system does not provide adequate security features and propose three alternative solutions -primitive, pre-processing, and post-processing. Toward that scenario, in particular, we advocate a scalable and effective pre-processing approach, called QFilter. QFilter is based on non-deterministic finite automata (NFA) and rewrites user's queries such that parts violating access control rules are pre-pruned. Through analysis and experimental validation, we show that (1) QFilter guarantees that only permissible portion of data is returned to the authorized users, (2) such access controls can be efficiently enforced without relying on security features of underlying storage system, and (3) such independency makes QFilter capable of many emerging applications, such as in-network access control and access control outsourcing.

Original languageEnglish (US)
Pages (from-to)397-415
Number of pages19
JournalVLDB Journal
Issue number3
StatePublished - Jun 2011

All Science Journal Classification (ASJC) codes

  • Information Systems
  • Hardware and Architecture


Dive into the research topics of 'QFilter: Rewriting insecure XML queries to secure ones using'. Together they form a unique fingerprint.

Cite this