Correctness Criteria for Multilevel Secure Transactions
February 1996 (vol. 8 no. 1)
pp. 32-45

Abstract—The benefits of distributed systems and shared database resources are widely recognized, but they often cannot be exploited by users who must protect their data by using label-based access controls. In particular, users of label-based data need to read and write data at different security levels within a single database transaction, which is not currently possible without violating multilevel security constraints. This paper presents a formal model of multilevel transactions which provide this capability. We define four ACIS (atomicity, consistency, isolation, and security) correctness properties of multilevel transactions. While atomicity, consistency and isolation are mutually achievable in standard single-site and distributed transactions, we show that the security requirements of multilevel transactions conflict with some of these goals. This forces trade-offs to be made among the ACIS correctness properties, and we define appropriate partial correctness properties. Due to such trade-offs, an important problem is to design multilevel transaction execution protocols which achieve the greatest possible degree of correctness. These protocols must provide a variety of approaches to making trade-offs according to the differing priorities of various users. We present three transaction execution protocols which achieve a high degree of correctness. These protocols exemplify the correctness trade-offs proven in the paper, and offer realistic implementation options.

Index Terms:
Atomicity, concurrency control, database security, distributed databases, locking protocols, multilevel secure transactions, transaction execution correctness criteria.
Kenneth P. Smith, Barbara T. Blaustein, Sushil Jajodia, LouAnna Notargiacomo, "Correctness Criteria for Multilevel Secure Transactions," IEEE Transactions on Knowledge and Data Engineering, vol. 8, no. 1, pp. 32-45, Feb. 1996, doi:10.1109/69.485627