denial of service could still be a problem. While some types of service B
receives from the substitute, fishbowl system may be adequate, in other cases
the lack of interaction with the real system's resources may prevent B from
continuing to produce valid results. On the other hand, if the semantics of
the application are such that B can continue producing valid work, this work
will be lost when the incident concludes even if B is deemed innocent and
reconnected to the real system. The fishbowling mechanism makes no provision
for re-merging updates from the substitute, fishbowl system back into the real
system.
In [77, 78], these limitations are overcome by taking advantage of action
semantics and the dependency relationships between transactions. In this
method, as in the case of fishbowling, when B comes under suspicion, B is
allowed to continue working while the security officer attempts to determine
whether there is anything to worry about. At the same time, the system is
isolated from any further damage B might have in mind. However, this method
provides the isolation without consuming duplicate resources to construct an
entirely separate environment, allows options for partial interaction across the
boundary, and provides data-consistency-preserving algorithms for smoothly
merging B's work back into the real system should B prove innocent. Among
the partial interaction options, the one-way isolation concept is particularly
interesting. One-way isolation allows being-isolated transactions to read the
newest updates done by (trusted) transactions running on the main database,
but forbids trusted transactions from reading any updates done by being-
isolated transactions.
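One-way isolation and the merge-back step described above, as an added Python sketch that is not taken from the book or from [77, 78]. The class name, the key-value store, and the conflict rule (a key that a trusted transaction also wrote during isolation is left for manual reconciliation) are assumptions made for illustration.

```python
class OneWayIsolatedStore:
    """Main database plus a private overlay for one suspect user (B)."""

    def __init__(self, initial):
        self.main = dict(initial)   # state that trusted transactions see
        self.overlay = {}           # B's writes while isolated
        self.trusted_dirty = set()  # keys trusted txns wrote during isolation
        self.isolating = False

    def isolate(self):
        self.isolating = True

    def read(self, key, suspect=False):
        # B sees its own writes first, otherwise the newest trusted value.
        if suspect and self.isolating and key in self.overlay:
            return self.overlay[key]
        return self.main.get(key)   # trusted reads never consult the overlay

    def write(self, key, value, suspect=False):
        if suspect and self.isolating:
            self.overlay[key] = value   # kept out of the main database
            return
        self.main[key] = value
        if self.isolating:
            self.trusted_dirty.add(key)

    def resolve(self, innocent):
        """End isolation; return the keys left for manual reconciliation."""
        conflicts = []
        for key, value in self.overlay.items():
            if not innocent:
                continue                # B guilty: discard every write
            if key in self.trusted_dirty:
                conflicts.append(key)   # assumed rule: trusted value stays
            else:
                self.main[key] = value
        self.overlay, self.trusted_dirty, self.isolating = {}, set(), False
        return sorted(conflicts)


def demo():
    db = OneWayIsolatedStore({"balance": 100, "limit": 500, "note": ""})
    db.isolate()
    db.write("balance", 40, suspect=True)
    db.write("note", "adjusted", suspect=True)
    db.write("limit", 800)      # trusted update made during isolation
    db.write("balance", 90)     # trusted update that collides with B's
    seen = (db.read("limit", suspect=True), db.read("balance", suspect=True),
            db.read("balance"), db.read("note"))
    return seen, db.resolve(innocent=True), db.main
```
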
4.4 Quality Evaluation
Correctness does not always imply high quality. Two correct DQR schemes
may yield very different quality levels in the DQR services they provide. In
failure recovery, the MTTF-MTTR model (Mean Time To Failure - Mean
Time To Recovery model) provides a neat yet precise way to gain concrete
understanding of the quality of a recovery service, which is measured
by MTTF/(MTTF+MTTR), and this quality model has played a crucial role
in advancing the theories and technologies of failure recovery. Unfortunately,
due to the reasons mentioned in Section 1, the MTTF-MTTR model is no
longer sufficient for defining the quality of DQR services.
In principle, the quality of DQR services can be evaluated by a vector
composed of three criteria regarding data integrity and two criteria regarding
availability:
C1: Dirtiness depends on the percentage of corrupted data objects in each
data store state.
C2: Data Freshness. When a clean yet older version of a corrupted data
object o is made accessible during recovery, freshness depends on whether
a fresher version of o is used by new transactions. Note that one clean