Databases Reference
In-Depth Information
IBM's DB2 [48], Microsoft's SQL Server [49], and Oracle's Oracle Database
[50].
Besides the basic idea of WAL, ARIES [26], the de facto (industry) standard
for transaction recovery models, proposes a set of important enhancements
such as (a) using a log sequence number (LSN) to correlate the state of a
page with respect to logged updates of that page and (b) fuzzy checkpoints.
Finally, in addition to such standard recovery techniques as WAL, the
database industry has developed various proprietary recovery tools. For
example, DB2 Log Analysis Tool [51] allows you to monitor data changes; DB2
Recovery Expert [52] analyzes and provides diagnostics of altered database
assets, and can roll data changes backward or forward; Oracle Recovery
Manager [53] manages the database backup and restore process; and Oracle
Data Guard creates, maintains, manages and monitors one or more standby
databases.
Limitations in Solving the DQR Problem: Although existing
transaction recovery methods are mature in handling failures, they are not
designed to deal with malicious attacks. In particular, first, the durability
property ensures that traditional recovery mechanisms never undo committed
transactions. However, the fact that a transaction commits does not guarantee
that its effects are desirable. Specifically, a committed transaction may reflect
inappropriate and/or malicious activity.
Second, although attack recovery is related to the notion of cascading abort
[3], cascading aborts only capture the read-from relation between active
transactions, and in standard recovery approaches cascading aborts are avoided
by requiring transactions to read only committed data [54].
Third, there are two common approaches to handling the problem of
undoing committed transactions: rollback and compensation. (3a) The rollback
approach is simply to roll back all activity - desirable as well as undesirable -
to a checkpoint believed to be free of damage. The rollback approach is
effective, but expensive, in that all of the desirable work between the time of the
checkpoint and the time of recovery is lost. Although there are algorithms for
efficiently establishing snapshots on-the-fly [38, 39, 40], maintaining frequent
checkpoints may not work since no checkpoint taken between the time of
attack and the time of recovery can be used. (3b) The compensation approach
[55, 56] seeks to undo either committed transactions or committed steps in
long-duration or nested transactions [54] without necessarily restoring the
data state to appear as if the malicious transactions or steps had never been
executed. There are two kinds of compensation: action-oriented and
effect-oriented [54, 57, 58, 59]. Action-oriented compensation for a transaction or
step $T_i$ compensates only the actions of $T_i$. Effect-oriented compensation for
a transaction or step $T_i$ compensates not only the actions of $T_i$, but also the
actions that are affected by $T_i$. Although various types of compensation are
possible, all of them require semantic knowledge of the application, and none
of them is adopted by mainstream commercial systems.
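The difference in scope between rollback (3a) and the two kinds of compensation (3b) can be seen on a small committed history. The following is an added example, not code from the original text: the history, the checkpoint positions and all function names are constructed, and "affected by $T_i$" is modelled, as an assumption, as the transitive read-from relation, which ignores the application semantics that real compensation requires.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    tid: str
    reads: frozenset
    writes: frozenset

def txn(tid, reads="", writes=""):
    return Txn(tid, frozenset(reads), frozenset(writes))

# Constructed history of committed transactions, in commit order.
# Data items are single letters; T2 is the transaction later found malicious.
LOG = [
    txn("T1", "", "a"),
    txn("T2", "a", "b"),    # malicious
    txn("T3", "b", "c"),    # reads b written by T2
    txn("T4", "a", "d"),    # independent of T2
    txn("T5", "cd", "e"),   # reads c written by T3
    txn("T6", "", "b"),     # blind write: replaces the damaged b
    txn("T7", "b", "f"),    # reads the clean b written by T6
]
CHECKPOINTS = [1, 4, 6]     # number of committed txns at each checkpoint

def effect_oriented(log, bad):
    """Bad transactions plus everything that read from them, transitively."""
    affected, dirty = [], set()
    for t in log:
        if t.tid in bad or t.reads & dirty:
            affected.append(t.tid)
            dirty |= t.writes       # everything it wrote is now suspect
        else:
            dirty -= t.writes       # a clean writer repairs the item
    return affected

def action_oriented(log, bad):
    """Only the bad transactions themselves."""
    return [t.tid for t in log if t.tid in bad]

def rollback(log, bad, checkpoints):
    """Latest checkpoint that predates the first bad txn, and the work lost."""
    first_bad = next(i for i, t in enumerate(log) if t.tid in bad)
    usable = max((c for c in checkpoints if c <= first_bad), default=0)
    return usable, [t.tid for t in log[usable:]]

if __name__ == "__main__":
    print("action-oriented:", action_oriented(LOG, {"T2"}))
    print("effect-oriented:", effect_oriented(LOG, {"T2"}))
    print("rollback:", rollback(LOG, {"T2"}, CHECKPOINTS))
```

On this history the checkpoints taken at positions 4 and 6 are unusable because they postdate T2, so rollback discards T4, T6 and T7 even though none of them read damaged data.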