Database Reference
In-Depth Information
Table 2.1
Employee Relation in Multilevel Form

EMPLOYEE      DEPARTMENT      SALARY       TC
Ahmed U       Accounting U    7,000 U      U
Ahmed U       Sales S         7,000 U      S
Ahmed C       IT C            10,000 C     C
Mohamed TS    Telecom TS      5,000 TS     TS

Table 2.2
Employee Relation Instance for a C User

EMPLOYEE      DEPARTMENT      SALARY       TC
Ahmed U       Accounting U    7,000 U      U
Ahmed C       IT C            10,000 C     C

Table 2.1 shows a multilevel relation employee, which has three
data attributes: employee (employee name; the primary key),
department (department), and salary (salary). In addition to the data
attributes, it has the tuple class attribute TC. The attribute
classifications are not given in separate columns; instead, the
security class of each attribute is shown to the right of its data
value. According to the simple security property of the Bell-LaPadula
model, a multilevel relation should be viewed differently by different
users, depending on their clearances. For instance, a user with C
clearance will see the filtered relation instance employee, as shown
in Table 2.2, while a TS user will see the entire relation of
Table 2.1.
2.3 Polyinstantiation
A covert channel is the possibility that a lower level user can infer
some unauthorized information from a higher security level [18].
Assume that the database contains an employee named Ahmed (with
security level C) and that another user (with security level U)
decides to insert a tuple that contains Ahmed as the name of the
employee. If that insert is rejected, the U level user learns that an
employee named Ahmed exists in the multilevel relational database at
some higher security level. A polyinstantiation integrity property
solves the covert channel problem that would otherwise be opened
"by default" every time a lower level user tries to insert a tuple
whose primary key attribute already exists in the database at some
higher security level.
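
The filtered view and the insert behaviour described above, as an added example that is not part of the original text. It assumes tuple-level filtering on TC (a simplification); the function names and the inserted values (HR, 4000) are constructed for illustration.

```python
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}  # U < C < S < TS

def table_2_1():
    """Table 2.1 as (value, class) cells plus the tuple class TC."""
    return [
        (("Ahmed", "U"), ("Accounting", "U"), (7000, "U"), "U"),
        (("Ahmed", "U"), ("Sales", "S"), (7000, "U"), "S"),
        (("Ahmed", "C"), ("IT", "C"), (10000, "C"), "C"),
        (("Mohamed", "TS"), ("Telecom", "TS"), (5000, "TS"), "TS"),
    ]

def view(relation, clearance):
    """No read up: return only tuples whose TC is dominated by the clearance."""
    return [t for t in relation if LEVELS[t[3]] <= LEVELS[clearance]]

def naive_insert(relation, name, dept, salary, level):
    """Single-level key check: the outcome depends on tuples the subject cannot see."""
    if any(t[0][0] == name for t in relation):
        return False  # rejection reveals that the name exists at some level
    relation.append(((name, level), (dept, level), (salary, level), level))
    return True

def poly_insert(relation, name, dept, salary, level):
    """Key check restricted to the subject's own level; higher tuples are ignored."""
    if any(t[0] == (name, level) and t[3] == level for t in relation):
        return False  # ordinary duplicate, already visible to the subject
    relation.append(((name, level), (dept, level), (salary, level), level))
    return True

if __name__ == "__main__":
    rel = table_2_1()
    for row in view(rel, "C"):  # reproduces Table 2.2
        print(row)
    # Constructed insert by a U user of a name that exists only at TS.
    print(poly_insert(rel, "Mohamed", "HR", 4000, "U"))
    print([t[0] for t in view(rel, "TS")])  # both Mohamed tuples coexist
```

With `poly_insert`, the result of an insert is a function of the subject's own view only, so accept or reject carries no information about higher levels.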
 