Affiliations: Center for Secure Information Systems & Department of Information and Software Systems Engineering, George Mason University, Fairfax, Virginia 22030, U.S.A.
Note: [1] The work of both authors was partially supported by the National Security Agency through contract MDA904-92-C-5140. We are grateful to Pete Sell, Howard Stainer, and Mike Ware for making this work possible.
Abstract: This paper presents a kernelized architecture (i.e., an architecture in which no subject is exempted from the simple-security and ⋆-properties) for multilevel secure (mls) object-oriented database management systems (DBMS’s) which support write-up. Relational mls DBMS’s typically do not allow write-up, due to integrity problems arising from the blind nature of write-up operations in these systems. In object-oriented DBMS’s, on the other hand, sending messages upwards in the security lattice does not present an integrity problem because such messages will be processed by appropriate methods in the destination object. However, supporting write-up operations in object-oriented systems is complicated by the fact that such operations are no longer primitive; but can be arbitrarily complex and therefore can take arbitrary amounts of processing time. We focus on support for remote procedure call (RPC) based write-up operations. Dealing with the timing of such write-up operations consequently has broad implications on confidentiality (due to the possibility of signaling channels), integrity, and performance. We present an asynchronous computational model for mls object-oriented databases, which achieves the conflicting goals of confidentiality, integrity, and efficiency (performance). This requires concurrent computations to be generated within a user session, and for them to be scheduled so the net effect is logically that of a sequential (RPC-based) computation. Our work utilizes an underlying message filter security model to enforce mandatory confidentiality. We demonstrate how our computational model can be implemented within the framework of a kernelized architecture. In doing so, we present various intra-session and inter-session concurrency schemes. The intra-session schemes are concerned with the scheduling and management of concurrent computations generated within a user session, and we present conservative as well as aggressive scheduling algorithms. The inter-session schemes provide the traditional concurrency control functions of managing shared access to database objects, across user sessions.
