Implementing the Message Filter Object-Oriented Security Model without Trusted Subjects

We propose a new architectural framework and implementation scheme, for the message #lter multilevel security model for object-oriented databases. Major complications in implementing the model arise from the intrinsic nature of object-oriented computations which are abstract and often involve arbitrarily complex write-up actions. Dealing with the timing of write-up operations has broad implications on security #due to the potential for signaling channels#, integrity, and performance. A fundamental insight, gained in the course of our research, has been to close these channels by allowing concurrent computations in what is otherwise a logically sequential computation. However in closing these channels one has to meet the con#icting goals of integrity and performance. Our earlier work investigated an architecture that called for a trusted subject #session manager# to manage a tree of concurrentmultilevel computations generated by a user session. In this paper we provide an alternate achi..