A semantic-based transaction processing model for multilevel transactions

Indrakshi Ray, Paul Ammann, Sushil Jajodia
1998 Journal of Computer Security  
Multilevel transactions have been proposed for multilevel secure databases; in contrast to most proposals, such transactions allow users to read and write across multiple security levels. The security requirement that no high level operation influence a low level operation often conflicts with the atomicity requirement of the standard transaction processing model. In particular, others have shown that no concurrency control algorithm based on the standard transaction processing model can ensure both atomicity and security. This conflict motivates us to propose an alternative semantic-based transaction processing model for multilevel transactions. Our model uses the semantics of the application to analyze an application and reason about its behavior. Our notion of correctness is based on semantic correctness instead of serializability as in the standard transaction processing model. Semantic correctness ensures that database consistency is maintained, transactions output consistent data, and all partially executed transactions complete. We show how an example application can be analyzed to assure semantic correctness and how this analysis can be automated. We also propose a simple timestamp-based multiversion concurrency control algorithm for transaction processing on a kernelized architecture. The advantages of our model over the standard transaction processing model are that atomicity can be assessed, and for some applications ensured via offline analysis, more concurrency is achieved, less synchronization between security levels is required, and a larger class of multilevel transactions can be processed.

grants F30602 97 1 0139.

atomicity can be assessed in advance via offline analysis. In addition, our model achieves greater concurrency, requires less synchronization between security levels, and can process a larger class of multilevel transactions than the algorithms based on the standard transaction processing model.

We first motivate the requirement for multilevel transactions. By definition, a single-level transaction prevents update operations at different levels from being grouped as an atomic transaction. Users, on the other hand, may need to execute a number of operations at different security levels as an atomic transaction. An example will help to illustrate this point. Suppose there is a mission database that maintains threat resource information in a military environment.
A resource is in a busy or idle state depending on whether or not it has been assigned to some threat. The information of whether a resource is busy or not is classified at a lower level (secret) than the information of the resource to threat assignment (top secret). The transaction Respond is responsible for assigning a resource to some threat. The Respond transaction performs two operations: (i) it picks an idle resource and changes its state to busy, and (ii) assigns the resource picked in operation (i) to the threat. The user submitting this transaction must be cleared to the top secret level. Note that Respond updates at multiple security levels; hence it cannot be modeled as one single-level transaction. To execute Respond using single-level transactions, the user must first log on at the level secret and execute operation (i) and subsequently log on at level top secret and execute operation (ii). Executing Respond as two single-level transactions may be undesirable for two reasons. First, it forces the user to manage the scheduling of the single-level transactions. Even worse, interleavings with other transactions may produce incorrect results. Consequently, multilevel transactions [BJMN93, CJ93, CM92, SBJN96] have been proposed to overcome this difficulty. A multilevel transaction permits read and write operations across a range of security levels to be executed as an atomic unit. To minimize the size of trusted code, a multilevel transaction is decomposed into single-level sections; a section contains all operations at the same security level. Almost all the work in the area of multilevel transactions is based on the standard transaction processing model [BHG87]. The latter requires transactions to satisfy the atomicity, consistency, and isolation properties. Consequently, multilevel transactions based on the standard transaction processing model are also required to satisfy these three properties.
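To make the decomposition concrete, here is an added example (not code from the paper) that models Respond's two single-level sections over a constructed mission database and shows the requirement that a partially executed transaction be completed rather than having its already committed low section rolled back. The threat table and the "known threat" integrity constraint on the top-secret section are assumptions made for the example.

```python
class MissionDB:
    """Constructed mission database (example, not the paper's code)."""
    def __init__(self, resources, threats):
        self.state = {r: "idle" for r in resources}  # secret-level data
        self.assigned = {}  # top-secret data: resource -> threat
        self.threats = set(threats)  # constructed top-secret threat table
        self.pending = []  # top-secret: high sections not yet completed

def pick_resource(db):
    """Secret section (i): pick an idle resource and mark it busy."""
    for r, s in sorted(db.state.items()):
        if s == "idle":
            db.state[r] = "busy"
            return r
    raise RuntimeError("no idle resource")

def assign(db, resource, threat):
    """Top-secret section (ii): assign the resource to the threat.
    Constructed integrity constraint: the threat must be known."""
    if threat not in db.threats:
        raise ValueError("unknown threat")
    db.assigned[resource] = threat

def respond(db, threat):
    """Run Respond as two atomic single-level sections. A failing high
    section is queued instead of rolling back the low section (an abort
    visible at secret would reveal a top-secret outcome). Returns resource."""
    r = pick_resource(db)
    try:
        assign(db, r, threat)
    except ValueError:
        db.pending.append((r, threat))
    return r

def complete_pending(db):
    """Forward-complete queued high sections; returns how many remain."""
    still = []
    for r, t in db.pending:
        try:
            assign(db, r, t)
        except ValueError:
            still.append((r, t))
    db.pending = still
    return len(still)

def semantically_atomic(db):
    """Offline check: every busy resource is assigned or awaits its high section."""
    waiting = {r for r, _ in db.pending}
    return all(r in db.assigned or r in waiting
               for r, s in db.state.items() if s == "busy")
```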
In addition, multilevel transactions must also satisfy the security property [SBJN96], which ensures that executing a multilevel transaction causes no illegal information flow across security levels. The atomicity requirement often conflicts with the security requirement of a multilevel transaction: a high section of a transaction may be unable to complete due to violations of the integrity constraints, and a rollback of low sections can be exploited to implement a covert channel. Smith et al. [SBJN96] prove that it is impossible to have concurrency control algorithms based on the standard transaction processing model that ensure the simultaneous satisfaction of the atomicity and security properties. This motivates us to propose an alternative semantic-based model for processing multilevel transactions. Our model uses the semantics of the transaction to reason about correct and incorrect behavior of the application. Like other researchers [CM92, CJ93], we decompose a multilevel transaction into single-level sections. We execute each section atomically. Decomposing transactions into atomic sections results in the loss of the atomicity, consistency and isolation properties. To remedy this loss, we propose a set of replacement properties which we call the semantic atomicity property, the consistent execution property and the sensitive transaction isolation property. In the case of single level transactions, these properties reduce to the traditional properties. The new properties are defined in terms of semantic histories, which are necessary to reason about correct and incorrect interleavings of sections of transactions. The semantic atomicity property ensures that all partially executed transactions complete, or, in other words, either all or none of the sections of a transaction

The fourth standard property, durability, is exactly the same for secure databases as for traditional databases and so we do not mention it further.

the ordering relation $H$ such that,

1. for each $T_i \in T$, a section of $T_i$ either appears exactly once in $H$ or does not appear at all,
doi:10.3233/jcs-980108