Supporting Timing-Channel Free Computations in Multilevel Secure Object-Oriented Databases

In an earlier paper [3], Jajodia and Kogan proposed a message lter approach to enforcing mandatory security in multilevel object-oriented databases. The key idea in the message lter model is that all information exchange be permitted solely through messages and that security be enforced by a message lter component that mediates these messages. In a recent paper [8] the authors proposed a kernelized architecture for implementing the message lter model. A major complication in implementing this model arises due to timing channels intrinsic to the object-oriented model of computing. These channels arise because object-oriented \write-up" operations are abstract and arbitrarily complex (as opposed to primitive memory writes). One approach to closing these timing channels is to execute a logically sequential computation as concurrent pieces. Our earlier paper presented an execution model for managing such concurrent computations as well as a multiversion synchronization protocol to guarantee correctness with respect to the intended sequential execution. While our approach with asynchronous computations can close such channels, the scheduling strategy presented earlier was not totally secure as it may be exploited for timing channels under certain conditions. In this paper we present a revised execution model that not only guarantees correctness but is also timing channel free. We give proof outlines to support these claims.