Publication


Featured research published by Thomas F. Keefe.


IEEE Transactions on Knowledge and Data Engineering | 1993

Database concurrency control in multilevel secure database management systems

Thomas F. Keefe; Wei-Tek Tsai; Jaideep Srivastava

Concurrent execution of transactions in database management systems (DBMSs) may lead to contention for access to data, which in a multilevel secure DBMS (MLS/DBMS) may lead to insecurity. Security issues involved in database concurrency control for MLS/DBMSs are examined, and it is shown how a scheduler can affect security. Data conflict security (DC-security), a property that implies a system is free of covert channels due to contention for access to data, is introduced. A definition of DC-security based on noninterference is presented. Two properties that constitute a necessary condition for DC-security are introduced along with two simpler necessary conditions. A class of schedulers called output-state-equivalent is identified for which another criterion implies DC-security. The criterion considers separately the behavior of the scheduler in response to those inputs that cause rollback and those that do not. The security properties of several existing scheduling protocols are characterized. Many are found to be insecure.


Proceedings of the tenth annual IFIP TC11/WG11.3 international conference on Database security: volume X: status and prospects | 1997

Multilevel secure transaction processing: status and prospects

Vijayalakshmi Atluri; Sushil Jajodia; Thomas F. Keefe; Catherine D. McCollum; Ravi Mukkamala

Since 1990, transaction processing in multilevel secure database management systems (DBMSs) has been receiving a great deal of attention from the database research community. Transaction processing in these systems requires modification of conventional scheduling algorithms and commit protocols. These modifications are necessary because preserving the usual transaction properties when transactions are executing at different security levels often conflicts with the enforcement of the security policy. Considerable effort has been devoted to the development of efficient, secure algorithms for the major types of secure DBMS architectures: kernelized, replicated, and distributed. An additional problem that arises uniquely in multilevel secure DBMSs is that of secure, correct execution when data at multiple security levels must be written within one transaction. Significant progress has been made in a number of these areas, and a few of the techniques have been incorporated into commercial trusted DBMS products. However, many open problems remain to be explored. This paper reviews the achievements to date in transaction processing for multilevel secure DBMSs. The paper provides an overview of transaction processing needs and solutions in conventional DBMSs as background, explains the constraints introduced by multilevel security, and then describes the results of research in multilevel secure transaction processing. Research results and limitations in concurrency control, multilevel transaction management, and secure commit protocols are summarized. Finally, important new areas are identified for secure transaction processing research.


European Symposium on Research in Computer Security | 1992

On Transaction Processing for Multilevel Secure Replicated Databases

Iwen E. Kang; Thomas F. Keefe

Transaction scheduling in MultiLevel Secure (MLS) replicated databases has received much attention recently. However, several proposed protocols exhibit subtle flaws which can result in schedules which are not serializable. In this paper, we explain the problem and present a transaction scheduling protocol for MLS replicated databases free from this problem. We also show the protocol is one-copy serializable and demonstrate that it is secure. In addition, our protocol requires only a small trusted portion and it accepts a larger class of transactions (those that can “write-up”) than previous protocols. It is interesting that the protocol can be adopted for use with heterogeneous databases because it does not require an atomic commitment protocol, and does not assume homogeneous concurrency control and recovery algorithms in local databases.


IEEE Computer Security Foundations Symposium | 1993

The concurrency control and recovery problem for multilevel update transactions in MLS systems

Amit G. Mathur; Thomas F. Keefe

The problem is addressed of a transaction reading and writing data at multiple classification levels in a multilevel secure (MLS) database. The authors refer to such transactions as multilevel update transactions. They show that no scheduler can ensure atomicity of multilevel update transactions in the presence of transaction aborts and at the same time be secure. There are essentially two ways of scheduling multilevel update transactions. The first method, which ensures strong atomicity, involves delaying low-level subtransactions until the fates of the sibling high-level subtransactions are known. The second scheme, which ensures only semantic atomicity, involves compensating the effects of any committed subtransactions. Analysis of these schemes indicates that the compensation approach leads to lower covert channel bandwidths. A concurrency control and recovery protocol based on compensation is proposed for multilevel update transactions. The security and correctness of the protocol are considered.


Journal of Computer Security | 1995

Transaction Management for Multilevel Secure Replicated Databases

Iwen E. Kang; Thomas F. Keefe

A multilevel secure (MLS) replicated database system consists of a set of untrusted databases, one at each security level. Each database contains object replicas from dominated levels. To ensure consistency, the transaction scheduler at each level must produce a serializable schedule with a serialization order compatible with those of all dominated databases, a property we call downward compatibility. For some security label orderings, however, such a mechanism without additional synchronization can result in a nonserializable global schedule. In this paper, we identify a class of partially ordered sets (posets) we call multilevel-acyclic, which is sufficient to guarantee a serializable global order when only downward compatibility is enforced. We present a basic protocol and show it is correct for multilevel-acyclic posets. To deal with posets outside this class, we propose a timestamp-based protocol. Our timestamp-based protocol works for all posets by a careful timestamp assignment and committing transactions in timestamp order. We also present an untrusted (distributed) method of timestamp generation for the timestamp-based protocol.


International Conference on Distributed Computing Systems | 1993

Supporting reliable and atomic transaction management in multidatabase systems

Iwen E. Kang; Thomas F. Keefe

Transaction management in multidatabase systems (MDBSs) is complicated by the autonomy requirement, especially in the case of failure. We demonstrate necessary and sufficient conditions for supporting reliable and atomic transaction management in MDBSs. Most previous work assumes single version histories and conflict serializability; this precludes the use of multiversion scheduling protocols in the local database systems. To deal with multiple versions, it is necessary to extend conflict serializability to one-copy serializability. A decentralized transaction management scheme is presented for use in MDBSs which assumes local histories are one-copy serializable and cascadeless. Only a minimum access restriction is imposed on global update subtransactions. Our scheme not only ensures global serializability in the face of failures, but also ensures freedom from global deadlocks.


High Assurance Systems Engineering | 1996

A multiversion transaction scheduler for centralized multilevel secure database systems

Thomas F. Keefe; Wei-Tek Tsai

Transactions are vital for multilevel secure database management systems (MLS/DBMSs) because they provide transparency to concurrency and failure. Concurrent execution of transactions may lead to contention among subjects for access to data. In MLS/DBMSs this can lead to covert channels. Multiversion schedulers reduce the contention for access to data by maintaining multiple versions. We propose a secure multiversion scheduling protocol and demonstrate its correctness, i.e., demonstrate that it produces only serializable schedules. We develop an abstract model of a scheduler that implements the protocol and show that it is secure, i.e., satisfies the MLS noninterference assertions. Thus, an implementation which adheres to the assumptions of the abstract model will be both secure and correct. In addition, we consider a method for generating timestamps.


European Symposium on Research in Computer Security | 1996

The Impact of Multilevel Security on Database Buffer Management

Andrew Warner; Qiang Li; Thomas F. Keefe; Shankar Pal

Multilevel security introduces new constraints on methods for DBMS buffer management. Design issues include buffer allocation across security levels, secure page replacement, and reader/writer synchronization. We present a client/buffer manager interface with a set of synchronization guarantees that does not delay low writers in the presence of concurrent high readers, an allocation scheme that partitions slots by security level but allows buffers, underutilized at the low level, to be used by subjects at high levels using a technique we call “slot stealing.” We also propose a general page replacement algorithm and methods of synchronizing readers and writers that involve varying degrees of page replication. We use simulation to investigate the performance characteristics of the various solutions.


IEEE Symposium on Security and Privacy | 1995

Version pool management in a multilevel secure multiversion transaction manager

Andrew Warner; Thomas F. Keefe

The paper presents initial results of an ongoing project to develop an experimental prototype of a multilevel secure (MLS) database system (DBS) based upon a multiversion scheduling protocol. The purpose of the project is to explore design alternatives and demonstrate feasibility. The work focuses on the mechanisms needed to provide efficient access to multiple versions of data as required by the protocol. With this protocol, strictly dominating transactions are serialized before active dominated transactions to avoid contention. These dominating transactions require access to old snapshots. The purpose of this work is to characterize the storage and access cost associated with the approach. We describe a prototype featuring an untrusted version pool mechanism to study this question. An analytical model is developed to predict storage and search costs. The analytical model is validated through measurements made on the prototype.


IEEE Computer Security Foundations Symposium | 1995

Concurrency control for federated multilevel secure database systems

Iwen E. Kang; Thomas F. Keefe

During the past decade, there has been much interest in Multilevel Secure (MLS) database management systems. This has resulted in several commercial MLS database systems and research prototypes available today. We believe that interoperation in MLS database systems is the next logical step. The diversity of solutions among these systems also motivates the study of the interoperability issues. A federated MLS database system is a system implemented on top of a collection of autonomous pre-existing MLS local database systems (LDBSs). Transaction processing in federated MLS database systems is complicated by autonomy and security requirements, since these requirements often conflict with each other. In this paper, we propose a concurrency control protocol for transaction processing in federated MLS database systems. Our protocol ensures global serializability but requires that the security lattice at each local site be totally ordered. However, the union of each local lattice can be partially ordered. In future work we hope to relax the restriction on the local security lattice.

Collaboration

Top Co-Authors

Iwen E. Kang, Pennsylvania State University

Andrew Warner, Pennsylvania State University

Wei-Tek Tsai, Pennsylvania State University

Amit G. Mathur, Pennsylvania State University

Hongyuan Zha, Pennsylvania State University