Correctness Criteria for Multilevel Secure Transactions

The benefits of distributed systems and shared database resources are widely recognized, but they often cannot be exploited by users who must protect their data by using label-based access controls. In particular, users of label-based data need to read and write data at different security levels within a single database transaction, which is not currently possible without violating multilevel security constraints. The paper presents a formal model of multilevel transactions which provide this capability. We define four ACIS (atomicity, consistency, isolation, and security) correctness properties of multilevel transactions. While atomicity, consistency and isolation are mutually achievable in standard single-site and distributed transactions, we show that the security requirements of multilevel transactions conflict with some of these goals. This forces trade-offs to be made among the ACIS correctness properties, and we define appropriate partial correctness properties. Due to such trade-offs, an important problem is to design multilevel transaction execution protocols which achieve the greatest possible degree of correctness. These protocols must provide a variety of approaches to making trade-offs according to the differing priorities of various users. We present three transaction execution protocols which achieve a high degree of correctness. These protocols exemplify the correctness trade-offs proven in the paper, and offer realistic implementation options.

[1]  S. Jajodia,et al.  A model of atomicity for multilevel transactions , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[2]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[3]  Maintaining Multilevel Transaction Atomicity in MLS Database Systems with Kernelized Architecture , 1992, DBSec.

[4]  Oliver Costich,et al.  A multilevel transaction problem for multilevel secure database systems and its solution for the replicated architecture , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[5]  Sushil Jajodia,et al.  Alternative correctness criteria for concurrent execution of transactions in multilevel secure databases , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[6]  Ira B. Greenberg,et al.  Single-level multiversion schedulers for multilevel secure database systems , 1990, [1990] Proceedings of the Sixth Annual Computer Security Applications Conference.

[7]  Wei-Tek Tsai,et al.  Multiversion concurrency control for multilevel secure database systems , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[8]  Oliver Costich Transaction Processing Using an Untrusted Scheduler in a Multilevel Database with Replicated Architecture , 1991, DBSec.

[9]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[10]  Kenneth P. Smith Execution ordering for multilevel secure rules , 1994, Proceedings of IEEE International Workshop on Research Issues in Data Engineering: Active Databases Systems.

[11]  Sushil Jajodia,et al.  Transaction processing in multilevel-secure databases using replicated architecture , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[12]  Andreas Reuter,et al.  Transaction Processing: Concepts and Techniques , 1992 .