Publication


Featured research published by Martin S. Olivier.


ACM Transactions on Database Systems | 1994

A taxonomy for secure object-oriented databases

Martin S. Olivier; Sebastiaan H. von Solms

This paper proposes a taxonomy for secure object-oriented databases in order to clarify the issues in modeling and implementing such databases. It also indicates some implications of the various choices one may make when designing such a database. Most secure database models have been designed for relational databases. The object-oriented database model is more complex than the relational model. For these reasons, models for secure object-oriented databases are more complex than their relational counterparts. Furthermore, since views of the object-oriented model differ, each security model has to make some assumptions about the object-oriented model used for its particular database. A number of models for secure object-oriented databases have been proposed. These models differ in many respects, because they focus on different aspects of the security problem, or because they make different assumptions about what constitutes a secure database or because they make different assumptions about the object-oriented model. The taxonomy proposed in this paper may be used to compare the various models: Models that focus on specific issues may be positioned in the broader context with the aid of the taxonomy. The taxonomy also identifies the major aspects where security models may differ and indicates some alternatives available to the system designer for each such design choice. We show some implications of using specific alternatives. Since differences between models for secure object-oriented databases are often subtle, a formal notation is necessary for a proper comparison. Such a formal notation also facilitates the formal derivation of restrictions that apply under specific conditions. The formal approach also gives a clear indication about the assumptions made by us—given as axioms—and the consequences of those assumptions (and of design choices made by the model designer)—given as theorems.


Journal of Computer Security | 1999

Modelling, specifying and implementing workflow security in Cyberspace

Ehud Gudes; Martin S. Olivier; Reind P. van de Riet

Workflow Management (WFM) Systems automate traditional processes where information flows between individuals. WFM systems have two major implications for security. Firstly, since the description of a workflow process explicitly states when which function is to be performed by whom, security specifications may be automatically derived from such descriptions. Secondly, the derived security specifications have to be enforced. The paper considers the issues that need to be addressed by a secure workflow system. In particular it addresses the requirement that security for workflow systems needs to be specified at the workflow level, and not at the level of the underlying components, such as the database or networks. One reason why it is necessary to consider security at this level is the dynamic nature of workflow systems, with access restrictions depending on the state of the workflow process. In addition, workflow systems may handle many instances of a given workflow specification and need to be able to protect the instances according to the requirements posed by each. The intention of this paper is to provide an orderly framework for these concepts and to discuss a more generalized implementation architecture which can be based on existing technologies of the Web and Object-oriented systems. The framework is based on three levels: Modelling, Specification and Implementation; each level refines the concepts of the level above it. Modelling is illustrated by using a notion of Alter-Egos and a workflow modelling tool known as COLOR-X. How these and related concepts may be formally specified is considered in the second part of the paper. The specification is based on the formal language Z. The implementation section considers protocols, standards and architectures that may be used to realize such a secure workflow system. Since the implementation does not use any specific system but only very general components, it can be realized on various platforms.


database and expert systems applications | 1998

Specifying application-level security in workflow systems

Martin S. Olivier; R.P. van de Riet; Ehud Gudes

A workflow process involves the execution of a set of related activities over time to perform a specific task. Security requires that such activities may only be performed by authorised subjects. In order to enforce such requirements, access to the underlying data objects has to be controlled. We refer to such access control as level 1 access control. In addition, when an individual is authorised to perform an activity, access should be limited to the time that the activity is being performed: Access to activity information before an activity commences or after it has terminated may be undesirable. This we will refer to as level 2 security. Finally, applications often specify application-oriented (level 3) security requirements. This paper considers security restrictions in the latter category and proposes a rigorous approach that may be used to specify such policies. Enforcement (implementation) of such policies is also considered. The paper assumes that level 1 and level 2 mechanisms are in place and builds level 3 security mechanisms on these underlying levels.


Proceedings of the ninth annual IFIP TC11 WG11.3 working conference on Database security IX: status and prospects | 1996

Self-protecting objects in a secure federated database

Martin S. Olivier

This paper presents an implementation strategy for a secure federated database. A federated database is a distributed database with a relatively high degree of site autonomy. The proposed implementation strategy assumes that a federal security policy specifies the security aspects that apply to all sites of the federation. Each site is then able to extend the security policy that applies to data owned by it with its own site security policy. The site security policies are guaranteed to be enforced even if an object of one site is relocated to another site.


Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Security XI: Status and Prospects | 1997

Alter-egos and Roles: Supporting Workflow Security in Cyberspaces

Ehud Gudes; Reind P. van de Riet; J. F. M. Burg; Martin S. Olivier

Workflow Management (WFM) Systems automate traditional processes where information flows between individuals. WFM systems have two major implications for security. Firstly, since the description of a workflow process explicitly states when which function is to be performed by whom, security specifications may be automatically derived from such descriptions. Secondly, the derived security specifications have to be enforced. This paper considers these issues for a Cyberspace workflow system by describing a small, but comprehensive example.


Archive | 1999

An Information-Flow Model for Privacy (Infopriv)

Lucas C. J. Dreyer; Martin S. Olivier

Privacy is concerned with the protection of personal information. Traditional security models (such as the Bell-LaPadula model) assume that users can be trusted and instead concentrate on the processes within the boundaries of the computer system. The InfoPriv model goes further by assuming that users (especially people) are not trustworthy. The information flow between the users should, therefore, be taken into account as well. The basic elements of InfoPriv are entities and the information flow between them. Information flow can either be positive (permitted) or negative (not permitted). It is shown how InfoPriv can be formalised by using graph theory. This formalisation includes the notion of information sanitisers (or trusted entities). InfoPriv is concluded with a discussion of its static and dynamic aspects. A Prolog prototype based on InfoPriv has been implemented and tested successfully on a variety of privacy policies.


information security | 2000

Enforcing Privacy by Withholding Private Information

Frans A. Lategan; Martin S. Olivier

Privacy of information is becoming more and more important as we start trusting unknown computers, servers and organisations with more and more of our personal information. Thus far, no reliable and practical method to enforce privacy has been discovered. Often a set of private information has to be supplied simply to enable the recipient to verify that one member of the set is correct given the other methods. An income tax return is an example where such information has to be supplied simply to verify taxable income. The object of this paper is to consider mechanisms to safeguard our private information in cases where this information is required not for the contents, but as input to verify calculations. We shall present an encryption method to protect private information where the private information consists of a set of numeric values S on which some function G has to be applied and the result α = G(S) has to be supplied to a target organisation. The result α must be verifiable by the target organisation, without disclosing S. We apply this method to the specific case of protecting the privacy of electronic income tax returns, and discuss other possible applications.


Proceedings of the IFIP TC11 WG 11.3 Twelfth International Working Conference on Database Security XII: Status and Prospects | 1998

Security Policies in Replicated and Autonomous Databases

Ehud Gudes; Martin S. Olivier

Autonomous object databases are becoming important in the Internet world of today and involve integration of several local databases. Such databases support local access for transactions and queries and local control over authorization of classes and objects. At the same time, these database objects are often replicated in various sites and are available for access by global queries and transactions. Such global access, which may involve a global query optimizer, is required to handle conflicts between the local authorizations of replicated objects, but give consistent results regardless of site dependent optimizations.


International Journal of Computer Mathematics | 1993

An object-based version of the path context model

Martin S. Olivier; S.H. von Solms

A number of formal models have been proposed for computer security, the best known being the Bell and LaPadula model. Formal models provide a solid foundation for security, making it possible to precisely specify security requirements, to reason with mathematical assurance about security issues and to prove security properties formally. However, most security models do not realistically reflect the complexity of current computer systems. The Path Context Model (PCM) is a recent formal security model attempting to solve this problem. A number of aspects of PCM have not yet been defined precisely. This paper starts by giving a formal definition of PCM. It is then shown that it is difficult to protect composite objects—objects consisting of other, less complex objects—with PCM. This problem can be solved by modifying PCM so that every level of such a composite object can do the access checks relevant to that level of the object. This is illustrated in the last section of the paper, where an object-based vers...


international conference on communications | 1997

Using workflow to enhance security in federated databases

Martin S. Olivier

A workflow system automates processes that occur during the daily operation of an organisation. The description of such a process inherently includes information about who needs to perform each step. It also includes information about when this subject has to perform that step. This information can be used to enhance security in the system. In particular the when information can be used to dynamically adapt security according to the current state of the workflow process.

Collaboration


Top Co-Authors

Ehud Gudes

Ben-Gurion University of the Negev

David L. Spooner

Rensselaer Polytechnic Institute

Alexandre Hardy

Rand Afrikaans University

Paul M. Boshoff

Rand Afrikaans University

S.H. von Solms

Rand Afrikaans University

Radu Serban

VU University Amsterdam
