Databases Reference
DAC mechanism independent from the underlying operating system). The
DAC is enforced on views. Trusted Oracle is unique in that it does not
employ locking to enforce concurrency control. Instead, it employs
single-level multiversioning. Because there is no locking and no writing down
under this approach, there is no chance of a covert signaling channel
occurring.
The system metadata is handled as a normal relation. For the
Hinke-Schaefer version of the product, that means the metadata is partitioned into
operating system objects of the appropriate security level. For the
trusted-subject version of the product, each tuple of the metadata relations is
independently labeled.
11.4.4.4 Trusted Informix
Trusted Informix is intended to be a trusted-subject-based architecture and
to run on both the HP/UX operating system and the AT&T System V MLS.
The product associates security labels with rows (tuples). However, rather than
enforcing its own MAC mediation, the system makes calls to the underlying
trusted operating system, which in turn makes calls to the operating system.
Trusted Informix supports changing existing row labels; it does
so by copying the data into a new row at a different level and then deleting
the original row.
Content-independent DAC is enforced on DBs, tables, rows, and
columns. The product supports polyinstantiation on insert, and the mechanism
cannot be shut off once activated. The system metadata are all protected at
system high. The product has a unique approach to handling MLS
concurrency control. If a higher level subject locks an object, a lower level subject
is still allowed to write the object. By permitting that writing, the product
ensures that the higher level subject cannot signal the lower level subject via
the locking mechanism. This approach opens up a potential data integrity
problem, because even locked objects can be written by lower level subjects.
Trusted Informix addresses the problem by alerting the higher level subjects
when a locked object has been written and giving the subject the option of
either backing out of the transaction or continuing.
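The locking rule described above can be modeled in a few lines. The following is an added example, not Trusted Informix code: every name in it is hypothetical, levels are plain integers, and ordinary blocking between subjects at the same level is an assumption the text does not spell out.

```python
# Toy model of the locking rule above. All names are hypothetical; this is
# not Trusted Informix code. Levels are integers, higher = more sensitive.
from dataclasses import dataclass, field

class WriteBlocked(Exception):
    """Raised when a lock held at the writer's level or below blocks a write."""

@dataclass
class Row:
    value: str
    version: int = 0                           # bumped on every write
    locks: dict = field(default_factory=dict)  # holder -> (level, version at lock time)

def lock(row, holder, level):
    row.locks[holder] = (level, row.version)

def write(row, writer, level, value):
    for holder, (lock_level, _) in row.locks.items():
        # Assumption: ordinary locking applies when the holder is at the
        # writer's level or below. Only locks held by a strictly higher
        # subject are ignored, so the writer's outcome never depends on
        # high-level activity (no lock-based signaling channel).
        if holder != writer and lock_level <= level:
            raise WriteBlocked(holder)
    row.value = value
    row.version += 1

def written_under_lock(row, holder):
    """The alert: has the row been written since `holder` locked it?"""
    return row.version != row.locks[holder][1]

def high_transaction(row, low_value, on_alert):
    """High (level 2) locks and reads; low (level 1) writes meanwhile.
    on_alert is 'abort' or 'continue', the two options the text describes."""
    lock(row, "high", 2)
    seen = row.value
    write(row, "low", 1, low_value)            # succeeds despite the high lock
    alerted = written_under_lock(row, "high")
    del row.locks["high"]
    if alerted and on_alert == "abort":
        return ("aborted", None)
    # Continuing means proceeding on a value that is now stale.
    return ("committed", seen)

if __name__ == "__main__":
    print(high_transaction(Row("v0"), "v1", "abort"))     # ('aborted', None)
    print(high_transaction(Row("v0"), "v1", "continue"))  # ('committed', 'v0')
```

The low-level write behaves identically whether or not the high-level lock exists, which is what closes the signaling channel; the version check is what lets the high-level subject notice the resulting integrity problem.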
11.4.5 Multilevel Object Data Models
This section describes some of the major multilevel object-oriented data
models described in the literature.