Controlling Aggregation in Distributed Object Systems: A Graph-Based Approach
December 2001 (vol. 12 no. 12)
pp. 1236-1255

The Distributed Object Kernel is a federated database system providing a set of services which allow cooperative processing across different databases. The focus of this paper is the design of a DOK security service that provides for enforcing both local security policies, related to the security of local autonomous databases, and federated security policies, governing access to data aggregates composed of data from multiple distributed databases. We propose Global Access Control, an extended access control mechanism enabling a uniform expression of heterogeneous security information. Mappings from existing Mandatory and Discretionary Access Controls are described. To permit the control of data aggregation, the derivation of unauthorized information from authorized data, our security framework provides a logic-based language, the Federated Logic Language (FELL), which can describe constraints on both single and multiple states of the federation. To enforce constraints, FELL statements are mapped to state transition graphs which model the different subcomputations required to check the aggregation constraints. Graph aggregation operations are proposed for building compound state transition graphs for complex constraints. To monitor aggregation constraints, two marking techniques, called Linear Marking Technique and Zigzag Marking Technique, are proposed. Finally, we describe a three-layer DOK logical secure architecture enabling the implementation of the different security agents. This includes a Coordination layer, a Task layer, and a Database layer. Each contains specialized agents that enforce a different part of the federated security policy. Coordination is performed by the DOK Manager, enforcing security is performed by a specialized Constraint Manager agent, and the database functions are implemented by user and data agents.


Index Terms:
Access control, data aggregation, inference, distributed databases, federated databases, CORBA
Citation:
Z. Tari, A. Fry, "Controlling Aggregation in Distributed Object Systems: A Graph-Based Approach," IEEE Transactions on Parallel and Distributed Systems, vol. 12, no. 12, pp. 1236-1255, Dec. 2001, doi:10.1109/71.970557