11.4.5.1 SODA Model
Keefe, Tsai, and Thuraisingham were the first to incorporate multilevel
security in object-oriented data models. The system they subsequently
developed, called SODA [36], has a number of unique properties, both in its
security model and in its data model.
The rules that govern operations within SODA are designed to enforce
the Bell and LaPadula properties and conceptually are quite simple. First,
any method activation can read a value within a labeled object or a labeled
instance variable, provided the classification of the object is dominated by
the clearance level of the method. However, if the classification of the
object dominates the current classification of the method, the method's
classification is raised to the level of the object being read. Second, a
method activation may modify or create a new object of a particular
classification if the method's current classification equals that of the
object in question, the method's current classification is dominated by the
upper bound of the classification range (as specified by the constraint),
and the lower bound of the classification range specified by the constraint
is dominated by the subject's clearance. If these rules are not satisfied,
then a write/create operation fails.
Because method activations in SODA can have their classifications
dynamically upgraded, the TCB must be involved to perform the level change.
If the nature of methods can be determined in advance, then a level change
operation could be restricted to the message-passing mechanism. However,
this situation is not generally the case, and the TCB must be invoked when a
method activation attempts to read an object whose classification dominates
the method's current classification. The TCB must then restart the method
activation at the point where it invoked the TCB.
11.4.5.2 SORION Model
Thuraisingham investigated security issues for the ORION object-oriented
data model [37]. The secure model was called SORION. It extends the
Microelectronics & Computer Technology Corporation's ORION model
with multilevel security properties. In SORION's security policy, subjects
and objects are assigned security levels. The following rules constitute the
policy:
1. A subject has read access to an object if the subject's security level
   dominates that of the object.
2. A subject has write access to an object if the subject's security level
   is equal to that of the object.
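
The SODA read and write rules and SORION's two rules above, as a small reference-monitor sketch. This is an added example, not code from the book or from either system. It assumes four totally ordered levels (real labels form a lattice), hypothetical names such as `Activation` and `soda_read`, and that the activation's clearance stands in for the subject's clearance.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):            # assumed total order; "dominates" is >=
    U, C, S, TS = range(4)

@dataclass
class Activation:
    """SODA method activation: fixed clearance, floating current level."""
    clearance: Level
    current: Level

def soda_read(act, obj):
    """Read is allowed iff the clearance dominates the object's level. If the
    object dominates the current level, the current level is raised to it."""
    if act.clearance < obj:
        return False
    if obj > act.current:
        act.current = obj        # in SODA the TCB performs this level change
    return True

def soda_write(act, obj, lo, hi):
    """Write/create needs: current == object level, current <= upper bound
    of the constraint range, and lower bound <= clearance."""
    return act.current == obj and act.current <= hi and lo <= act.clearance

def sorion_read(subject, obj):   # SORION rule 1: subject dominates object
    return subject >= obj

def sorion_write(subject, obj):  # SORION rule 2: levels must be equal
    return subject == obj

def demo():
    """Constructed scenario: an activation cleared to S that starts at U."""
    act = Activation(clearance=Level.S, current=Level.U)
    return [
        soda_write(act, Level.U, Level.U, Level.S),  # writes at U while at U
        soda_read(act, Level.S),                     # read up: floats to S
        act.current,
        soda_write(act, Level.U, Level.U, Level.S),  # now refused at U
        soda_write(act, Level.S, Level.U, Level.S),  # allowed at S
        soda_read(act, Level.TS),                    # above clearance
    ]

if __name__ == "__main__":
    print(demo())
```

Once the activation has read Secret data its current level no longer equals Unclassified, so the same write that succeeded before the read is refused afterwards.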