A Trusted Subject Architecture for Multilevel Secure Object-Oriented Databases
February 1996 (vol. 8 no. 1)
pp. 16-31

Abstract—In this paper, we address security in object-oriented database systems for multilevel secure environments. Such an environment consists of users cleared to various security levels, accessing information labeled with varying classifications. Our purpose is three-fold. First, we show how security can be naturally incorporated into the object model of computing so as to form a foundation for building multilevel secure object-oriented database management systems. Next, we show how such an abstract security model can be realized under a cost-effective, viable, and popular security architecture. Finally, we give security arguments based on trusted subjects and a formal proof to demonstrate the confidentiality of our architecture and approach.

A notable feature of our solution is the support for secure synchronous write-up operations. This is useful when low-level users want to send information to higher-level users. In the object-oriented context, this is naturally modeled and efficiently accomplished through write-up messages sent by low-level subjects. However, such write-up messages can pose confidentiality leaks (through timing and signaling channels) if the timing of the receipt and processing of the messages is observable to lower-level senders. Such covert channels are a formidable obstacle in building high-assurance secure systems. Further, solutions to problems such as these have been known to involve various tradeoffs between confidentiality, integrity, and performance. We present a concurrent computation model that closes such channels while preserving the conflicting goals of confidentiality, integrity, and performance. Finally, we give a confidentiality proof for a trusted subject architecture and implementation and demonstrate that the trusted subject (process) cannot leak information in violation of multilevel security.
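The following toy model, added here and not taken from the paper, illustrates the timing channel the abstract describes: a LOW subject sending a write-up message to a HIGH object whose processing cost depends on HIGH state, first with a blocking (synchronous) send whose observed latency reveals that state, then with a decoupled send where the sender only pays a constant enqueue cost and a separate HIGH subject drains the queue. Time is a logical tick counter, and the class, function and cost values are constructed for illustration.

```python
"""Constructed model of the write-up timing channel (not code from the paper).
Time is a logical tick counter so the behaviour is deterministic."""
from collections import deque

LOW, HIGH = 0, 1  # two-level lattice: information may flow LOW -> HIGH only


def may_flow(src, dst):
    """Dominance check in the style of Bell-LaPadula: flow up, never down."""
    return src <= dst


class HighObject:
    """HIGH-classified object whose per-message work depends on HIGH state
    (the 'secret'); that data-dependent cost is what a timing channel exploits."""
    def __init__(self, secret):
        self.level = HIGH
        self.secret = secret      # hypothetical HIGH state, unknown to LOW
        self.log = []             # messages received (visible only at HIGH)

    def handle(self, msg, clock):
        self.log.append(msg)
        return clock + (5 if self.secret else 1)  # data-dependent cost


def synchronous_write_up(sender_level, target, queue, clock):
    """Leaky design: the LOW sender blocks until HIGH finishes processing, so the
    latency it observes is a function of HIGH state. `queue` is unused here."""
    assert may_flow(sender_level, target.level)
    return target.handle("write-up", clock) - clock   # latency seen by LOW


def decoupled_write_up(sender_level, target, queue, clock):
    """Closed channel: LOW only enqueues and gets a fixed ack; HIGH processing
    happens later in drain_high_queue and nothing about it flows back down."""
    assert may_flow(sender_level, target.level)
    queue.append("write-up")
    return 1                                           # constant latency


def drain_high_queue(target, queue, clock):
    """Run by a HIGH subject: process pending write-ups. Its timing is
    observable only at HIGH, which the lattice permits."""
    while queue:
        clock = target.handle(queue.popleft(), clock)
    return clock


def latency_depends_on_secret(write_up_fn):
    """True if a LOW sender can tell secret=0 from secret=1 by latency alone."""
    seen = [write_up_fn(LOW, HighObject(s), deque(), 0) for s in (0, 1)]
    return seen[0] != seen[1]
```

Running `latency_depends_on_secret` on each variant shows that the synchronous send distinguishes the two HIGH states while the decoupled send does not, which is the property the abstract's concurrent model is designed to guarantee.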


Index Terms:
Multilevel security, secure write-up, object-oriented databases, trusted subject architecture, covert channels, confidentiality proof.
Citation:
Roshan K. Thomas, Ravi S. Sandhu, "A Trusted Subject Architecture for Multilevel Secure Object-Oriented Databases," IEEE Transactions on Knowledge and Data Engineering, vol. 8, no. 1, pp. 16-31, Feb. 1996, doi:10.1109/69.485626