This issue of XML Daily Newslink is sponsored by:
Sun Microsystems, Inc. http://sun.com
- Analyst: Expect Hacker Attacks on XML Flaws
- Sensor Networks: Motes, Smart Spaces, and Beyond
- W3C Proposed Edited Recommendation: Namespaces in XML 1.0 (Third Edition)
- OMG Formulates Records-Management Standard
- OASIS CMIS F2F Meeting, Day Two
- Cascading Style Sheets: CSSOM View Module
- Incorporate External Standards Into NIEM? Not Exactly
Analyst: Expect Hacker Attacks on XML Flaws
Ellen Messmer, Network World
"One day after reports of vulnerabilities in XML libraries, Gartner analyst Neil MacDonald is warning companies not to ignore the danger of attacks that exploit those flaws: 'Hackers are moving up the stack to the application level; XML-based attacks can be expected to be the next big thing for hackers.'
Security test toolmaker Codenomicon and the Finnish Computer Emergency Response Team (CERT-FI) disclosed security risks in XML libraries that could result in successful denial-of-service attacks on applications built with them. A wide variety of applications have implemented the vulnerable XML libraries, which include those from Python Software Foundation, Sun Microsystems and Apache Software Foundation. Developers are being advised to follow instructions for remediation from vendors to prevent the exploits detailed by CERT-FI and Codenomicon... The vulnerabilities relate to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely..."
According to the CERT-FI Advisory on XML Libraries: "The effects of the vulnerabilities include denial of service and potentially code execution. The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting it to a server that handles XML content... CERT-FI has coordinated the release of this vulnerability between the vulnerability researcher and the affected vendors."
NIST's Vulnerability Summary for CVE-2009-2625 asserts: "Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework..."
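The advisory's two failure modes, an infinite loop on malformed input and out-of-bounds memory access, both translate into the same operational problem: one crafted document can take down every service that parses it in-process. Patching the library is the fix; the example below is the defence-in-depth a practitioner would add on any intake path that accepts XML from untrusted parties. It is an added illustration, not code from the advisory, CERT-FI, Codenomicon or any of the named vendors. It assumes Python's bundled expat-based parser, a policy size cap (MAX_BYTES is an assumed value), and a constructed stand-in worker that never returns, used to show that a looping parser costs the caller a bounded timeout rather than a hung process; the sample documents are constructed.

```python
"""Isolated, bounded parsing of untrusted XML (added example, not vendor code).

A parser that loops forever or dies in native code on crafted input should
cost the caller a bounded amount of time and a clean status, not the service.
Parsing runs in a child process: a hang becomes "timeout", a crash becomes
"crashed", and only a picklable summary ever crosses back to the parent.
"""
import multiprocessing as mp
import xml.etree.ElementTree as ET

MAX_BYTES = 1 << 20   # assumed policy: refuse documents over 1 MiB before parsing


def parse_worker(data, conn):
    """Runs in the child: parse and report a small summary, never the tree itself."""
    try:
        root = ET.fromstring(data)
        conn.send(("ok", {"root": root.tag, "elements": sum(1 for _ in root.iter())}))
    except ET.ParseError as exc:
        conn.send(("malformed", str(exc)))
    finally:
        conn.close()


def looping_worker(data, conn):
    """Constructed stand-in for a library that never returns on crafted input."""
    while True:
        pass


def parse_untrusted(data, timeout=5.0, worker=parse_worker):
    """Return (status, detail); status is ok, malformed, too_large, timeout or crashed."""
    if len(data) > MAX_BYTES:                      # cheap check before any parser code runs
        return ("too_large", len(data))
    parent_end, child_end = mp.Pipe(duplex=False)
    proc = mp.Process(target=worker, args=(data, child_end))
    proc.start()
    child_end.close()       # parent keeps no writer, so EOF on the pipe means the child is gone
    try:
        if parent_end.poll(timeout):
            try:
                return parent_end.recv()
            except EOFError:                       # child exited without reporting: native crash
                proc.join()
                return ("crashed", proc.exitcode)
        proc.kill()                                # no answer within budget: treat as the looping case
        return ("timeout", timeout)
    finally:
        proc.join(1.0)
        if proc.is_alive():
            proc.kill()
            proc.join()
        parent_end.close()


if __name__ == "__main__":
    good = b"<doc><item id='1'/><item id='2'/></doc>"     # constructed, well-formed
    junk = b"<doc>\xff\xfe</doc>"                         # constructed: bytes no UTF-8 decoder accepts
    print(parse_untrusted(good))
    print(parse_untrusted(junk))
    print(parse_untrusted(b"<x/>", timeout=1.0, worker=looping_worker))
```

The worker returns a summary rather than the parsed tree because Element objects are not picklable and because the parent should not trust anything larger than it asked for. The size cap runs before the child is spawned, so oversized input never reaches parser code at all. If a patched library still crashes on some input, the status "crashed" and the child's exit code are what you log and alert on.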
Sensor Networks: Motes, Smart Spaces, and Beyond
Raja Bose, IEEE Pervasive Computing
"Sensor networks have come a long way since their humble beginnings in DARPA-funded academic research projects in the 1990s and have morphed into a significant research area in their own right. In this article we look at how sensor network research and applications have evolved and how emerging trends could determine where they're headed.
The goal of early research was to design and create tiny autonomous computers (called sensor platforms or in some cases motes) that could unobtrusively observe their environment through built-in sensors and report back to a remote base station. The primary use cases involved scattering hundreds or thousands of these sensor platforms in an area and tasking them with monitoring vehicular movement or environmental conditions and periodically reporting the data...
The Atlas Platform, developed at the Mobile and Pervasive Computing Laboratory of the University of Florida, was one of the first sensor platforms to utilize Service-Oriented Architecture (SOA) for automatic self-integration of sensors and actuators into smart spaces... the SOA paradigm in conjunction with the use of IP-based networking allows Atlas to easily integrate sensors and actuators into existing business process management and IT systems.
Another application domain where mobile phone based sensing is gaining increasing acceptance is environmental sensing, in particular pollution tracking...Mobile phones equipped with air pollution sensors and GPS are used as data-collection points for sensing and mapping pollution levels in their users' local surroundings. Data from multiple phones are fused and processed to provide a comprehensive picture of pollution in various parts of the city, at various times. Researchers can link this data with health statistics and other parameters to determine pollution effects on the local weather, incidence of airborne diseases and living conditions in specific neighborhoods..."
See also: the OGC Sensor Web Enablement WG
W3C Proposed Edited Recommendation: Namespaces in XML 1.0 (Third Edition)
Tim Bray, Dave Hollander, Andrew Layman, Richard Tobin, Henry Thompson; W3C Technical Report
Members of the W3C XML Core Working Group have published the Third Edition of Namespaces in XML 1.0 as W3C Proposed Edited Recommendation. "XML Namespaces provide a simple method for qualifying element and attribute names used in Extensible Markup Language documents by associating them with namespaces identified by URI references. The Third Edition as proposed incorporates all outstanding errata." A colored diff-marked version highlights the changes (added text, changed text, deleted text). The review period is open until 14-September-2009.
"There are several editorial changes, including a number of terminology changes and additions intended to produce greater consistency. The non-normative appendix "The Internal Structure of XML Namespaces" has been removed. The BNF has been adjusted to inter-connect properly with all editions of XML 1.0, including the fifth edition."
See also: references for Namespaces in XML
OMG Formulates Records-Management Standard
Joab Jackson, Government Computer News
The Object Management Group (OMG) has adopted a specification for records management, authored by its government domain working group, as a potential standard. The OMG Board of Directors adopted the RMS specification at its meeting in San Jose, Costa Rica on 23-June-2009.
The Records Management Services Specification is published in its approved "alpha" version format as three normative parts and several non-normative parts. "A Specification for Records Management Services" is a 318-page prose document originally submitted by CA, CSC, Lockheed Martin Corporation, and Visumpoint; it is supported by U.S. National Archives and Records Administration, U.S. Department of the Interior, ARMA International, Everware-CBDI, and TethersEnd Consulting. The normative UML models in XMI format are available, along with a ZIP file containing the RMS machine-readable artifacts (WSDL and XSD files).
The specification describes a set of services that support the basic activities to be applied to a record over its life-cycle, from 'set aside' to its disposition, where disposition is either its destruction or its transfer to another legitimate authority.
The specification's Platform Independent Model (PIM) was developed by directly evolving the CIM (Business Domain Model) of Records Management Component Services requirements document produced by an Interagency Project Team of 19 US Federal Agencies. The RMS Query Service uses XQuery: XQuery is specifically designed to abridge the tasks of defining queries and filtering data across a service-oriented architecture using XML.
Three RMS technology-specific implementations are specified: (1) PSM-1 - Web Services definition for Records Management Services in Web Service Description Language (WSDL). This is actually supplied as ten WSDL files; one for each Records Management Service. (2) PSM-2 - A Records Management Service XSD. The XSD is for use in creating XML files for import/export of Managed Records from compliant environments and to use as a basis for forming XQuery/XPath statements for the query service. (3) PSM-3 - An Attribute Profile XSD. The XSD is for capturing and communicating attribute profiles to permit flexible attribution of certain types of Records Management Objects.
"The OMG board of directors is now verifying that supporting vendors are incorporating the Records Management Services specifications into their own products, the final step of the OMG standards approval process..."
See also: the approved RMS specification
OASIS CMIS F2F Meeting, Day Two
Florent Guillaume, Blog
Oracle is hosting a F2F meeting for the OASIS Content Management Interoperability Services (CMIS) TC in their offices in Boulder, Colorado, USA. Guillaume here outlines some important changes made to the CMIS specification on the first and second day of this meeting. "There's more of course, so readers may want to follow everything in the CMIS JIRA.
The XML and XHTML property types are gone. No vendor was in support of them, and it was actually quite hard to standardize on exactly what kind of XML would be stored in such a property (well-formed? fragment? etc.). We kept the HTML property type, as many repositories still want to distinguish between "basic text" and "rich text", especially for presentation purposes. If a repository has XML or XHTML properties, it can easily expose them as Strings.
The ability to use paths to get to folders was extended to documents as well (getFolderByPath turns into getObjectByPath). For folders (where paths are well-defined), paths are retrieved through an explicit property 'cmis:path', but for documents (which may be multi-filed) we have to be more careful. Whenever a document is retrieved in the context of a folder (getChildren, getDescendants, getObjectParents), its last path segment inside that folder will be available, so that clients can determine a full path for the document—but this segment is not a real property of the document, as it may change depending on context. Finally, the 'cmis:name' property will be only a hint for the repository to choose a path segment for new objects, but the only way to be sure of an object's path is through folder's cmis:path and the aforementioned document path segment..." [More: ACLs, policies, copies, URI templates]
See also: CMIS references
Cascading Style Sheets: CSSOM View Module
Anne van Kesteren (ed), W3C Technical Report
Members of the W3C Cascading Style Sheets (CSS) Working Group have published an updated Working Draft for the CSSOM View Module. "The APIs introduced by this specification provide authors with a way to inspect and manipulate the visual view of a document. This includes getting the position of element layout boxes, obtaining the width of the viewport through script, and also scrolling an element. The CSSOM View Module also supersedes DOM Level 2 Views, and therefore defines the AbstractView and DocumentView interfaces and extensions for them.
Background: "Many of the features defined in the CSSOM View Module specification have been supported by browsers for a long period of time. The goal of this specification is to define these features in such a way that they can be implemented by all browsers in an identical way, without differences between no quirks, limited quirks and quirks mode, as defined by HTML 5. The specification also defines a couple of new features that the CSS WG considers to be useful for authors..."
See also: the W3C CSS Working Group
Incorporate External Standards Into NIEM? Not Exactly
Gary Ham, Blog
"I received e-mail asking about my ideas for incorporating external structures like IEEE 1512 or Cursor on Target (Cot) into NIEM: the cost of merging the maintenance and update process of multiple separate standards related organizations would be too high...
There are actually four cases to consider that involve the use of external standards: (1) The external standard meets the mission of an IEPD on its own, so document it as the content of the exchange and do not spend time trying to 'NIEMify' its content (examples are CAP1.1 and perhaps some of 1512). (2) The external standard is used to 'wrap' NIEM content—likely case for EDXL-DE and Cot. (3) The external standard contains components that need to be used in an IEPD in combination with NIEM components—GML, KML, and perhaps 1512 are examples. (4) The NIEM is not complete and needs extension; there are concepts that are needed in NIEM that may exist in external standards already...
For the fourth, NIEM already provides a workable solution: the use of Abstract Elements with Multiple Representations already exists for dates and units of measure. This is extended to the use of external namespaces for code lists. Why not do the exact same thing for concepts that originate in an external standard? Just: Bring in the concept, name and define it in accordance with NIEM NDR; identify the Concept as an abstract element with multiple representations; identify one of the representations as the one in the external standard using the external standard's namespace (the NDR may require that it be wrapped in a single element Adapter); identify a NIEM compliant and/or other standard representations as appropriate. My take is that (NDR-conforming) adapters make cooperation between NIEM and the external standards bodies possible without the intense combined governance that could have a negative impact on progress on all sides..."
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Newsletter subscribe: firstname.lastname@example.org
Newsletter unsubscribe: email@example.com
Newsletter help: firstname.lastname@example.org
Cover Pages: http://xml.coverpages.org/