Decentralized information flow control for databases
Thesis (Ph.D.), Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2012. Includes bibliographical references (p. 177-194).

Privacy and integrity concerns have been mounting in recent years as sensitive data such as medical records, social network records, and corporate and government secrets are increasingly stored in online systems. The rate of high-profile breaches shows that current techniques are inadequate for protecting sensitive information. Many of these breaches involve databases that hold information for a multitude of individuals, yet databases provide no practical tools to protect those individuals from each other, so that task is relegated to the application. This dissertation describes a system that improves security in a principled way by extending both the database system and the application platform to support information flow control. Information flow control has been gaining traction as a practical way to protect information in programming languages and operating systems. Recent research advocates the decentralized model of information flow control (DIFC), since it provides the expressiveness needed to protect data for many individuals with varied security concerns. However, although most applications implicated in breaches rely on relational databases, there had been no prior comprehensive attempt to extend DIFC to a database system. This dissertation introduces IFDB, a database management system that supports DIFC with minimal overhead. IFDB pioneers the Query by Label model, which gives applications a simple way to state constraints on the confidentiality and integrity of the data they obtain from the database.

This dissertation also defines new abstractions for managing information flows in a database and proposes new ways to address covert channels. Finally, the IFDB implementation and case studies with real applications demonstrate that database support for DIFC improves security, is easy for developers to use, and has good performance.

David Andrew Schultz, Ph.D.
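As an added illustration (not code from the dissertation, and not IFDB's actual semantics, which the abstract does not spell out), the following Python sketches a textbook DIFC label lattice of secrecy and integrity tags together with a query-by-label style read: the caller states the strongest label it is prepared to receive, and rows whose labels cannot flow to that bound are filtered out before any predicate sees them. The medical-record rows, the tag names and the `LabelledTable` API are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Added example: a textbook DIFC label lattice, not IFDB's own model.
# A label pairs secrecy tags (who may read the data) with integrity tags
# (who has vouched for it); tags are opaque strings owned by principals.


@dataclass(frozen=True)
class Label:
    secrecy: frozenset = frozenset()
    integrity: frozenset = frozenset()

    def flows_to(self, other: "Label") -> bool:
        # Data may flow only to a label that is at least as secret and no
        # more trusted: secrecy is never dropped, integrity never gained.
        return self.secrecy <= other.secrecy and other.integrity <= self.integrity

    def join(self, other: "Label") -> "Label":
        # Label of data derived from two sources: secrecy accumulates and
        # only integrity tags present on both sources survive.
        return Label(self.secrecy | other.secrecy, self.integrity & other.integrity)


@dataclass
class Row:
    values: Dict[str, object]
    label: Label


@dataclass
class QueryResult:
    rows: List[Dict[str, object]]
    label: Label  # join of the labels of every returned row


class LabelledTable:
    """A table whose rows each carry their own DIFC label (assumed API)."""

    def __init__(self) -> None:
        self.rows: List[Row] = []

    def insert(self, values: Dict[str, object], label: Label) -> None:
        self.rows.append(Row(values, label))

    def query_by_label(self, bound: Label,
                       predicate: Callable[[Dict[str, object]], bool] = lambda v: True
                       ) -> QueryResult:
        # The caller states the strongest label it is prepared to receive.
        # Rows that cannot flow to that bound are dropped *before* the
        # predicate runs, so neither the predicate nor the row count can
        # act as a channel for data the caller may not see.
        hits = [r for r in self.rows if r.label.flows_to(bound) and predicate(r.values)]
        label = Label()
        if hits:
            label = hits[0].label
            for r in hits[1:]:
                label = label.join(r.label)
        return QueryResult([r.values for r in hits], label)


def build_sample_table() -> LabelledTable:
    # Constructed sample data for the example (not from the dissertation).
    t = LabelledTable()
    clinic = frozenset({"clinic"})
    t.insert({"patient": "alice", "dx": "asthma"},
             Label(secrecy=frozenset({"alice"}), integrity=clinic))
    t.insert({"patient": "bob", "dx": "flu"},
             Label(secrecy=frozenset({"bob"}), integrity=clinic))
    # A note imported from an untrusted source carries no integrity tag.
    t.insert({"patient": "alice", "dx": "unverified note"},
             Label(secrecy=frozenset({"alice"}), integrity=frozenset()))
    return t


def records_visible_to(table: LabelledTable, secrecy_tags, required_integrity,
                       predicate: Callable[[Dict[str, object]], bool] = lambda v: True
                       ) -> QueryResult:
    """Query on behalf of a caller whose context may hold the given secrecy
    tags and who insists on the given integrity tags."""
    bound = Label(secrecy=frozenset(secrecy_tags), integrity=frozenset(required_integrity))
    return table.query_by_label(bound, predicate)


if __name__ == "__main__":
    table = build_sample_table()
    for who, need in ((["alice"], []), (["alice"], ["clinic"]), ([], [])):
        res = records_visible_to(table, who, need)
        print(who, need, "->", [v["dx"] for v in res.rows], res.label)
```

A caller holding only alice's secrecy tag sees both of alice's rows, but the result label loses the clinic integrity tag because one of the rows was never vouched for; asking for clinic integrity up front excludes the untrusted note instead. The filtering happens on the label check, not on the predicate, which is the property a query-by-label interface has to preserve to avoid leaking through result counts.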
Logical Foundations of Multilevel Databases
In this paper, we propose a formal model for multilevel databases. This model aims at being a generic model, that is, it can be interpreted for any kind of database (relational, object-oriented, ...). Our model has three layers. The first layer corresponds to a model for a non-protected database. The second layer corresponds to a model for a multilevel database. In this second layer, we propose a list of theorems that must be respected in order to build a secure multilevel database. We also propose a new solution to manage cover stories without using the ambiguous technique of polyinstantiation. The third layer corresponds to a model for a MultiView database, that is, a database that provides at each security level a consistent view of the multilevel database. Finally, as an illustration, we interpret our 3-layer model in the case of an object-oriented database.
Performance study of a COTS Distributed DBMS adapted for multilevel security
Multilevel secure database management system (MLS/DBMS) products
no longer enjoy direct commercial-off-the-shelf (COTS) support.
Meanwhile, existing users of these MLS/DBMS products continue to
rely on them to satisfy their multilevel security requirements.
This calls for a new approach to developing MLS/DBMS systems, one
that relies on adapting the features of existing COTS database
products rather than on traditional custom-designed products to
provide continuing MLS support.
We advocate fragmentation as a good basis for implementing
multilevel security in the new approach because it is well
supported in some current COTS database management systems. We
implemented a prototype that utilises the inherent advantages of
the distribution scheme in distributed databases for controlling
access to single-level fragments; this is achieved by augmenting
the distribution module of the host distributed DBMS with MLS code
such that the clearance of the user making a request is always
compared to the classification of the node containing the
fragments referenced; requests to unauthorised nodes are simply
dropped.
The prototype we implemented was used to instrument a series of
experiments to determine the relative performance of the tuple,
attribute, and element level fragmentation schemes. Our
experiments measured the impact on the front-end and the network
when various properties of each scheme, such as the number of
tuples, attributes, security levels, and the page size, were
varied for a Selection and Join query. We were particularly
interested in the relationship between performance degradation and
changes in the quantity of these properties. The performance of
each scheme was measured in terms of its response time.
The response times for the element level fragmentation scheme
increased as the number of tuples, attributes and security levels
and the page size were increased, with the increase being more
significant for the number of security levels and the page size
than for the number of tuples and attributes. The response times
for the attribute level fragmentation scheme were the fastest,
suggesting that the attribute level scheme outperforms the tuple
and element level fragmentation schemes. In the context of
assurance, this research has also shown that distributing
fragments by security level is a natural approach to implementing
security in MLS/DBMS systems, because a multilevel database is
analogous to a distributed database partitioned by security level.
Overall, our study finds that the attribute level fragmentation
scheme performs better than the tuple and element level schemes,
and that the element level fragmentation scheme exhibits the worst
performance degradation of the three.
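The clearance-versus-classification check described above, as an added Python example that is not the paper's prototype: a relation is fragmented by tuple, attribute or element classification, each single-level fragment is placed on a node of that classification, and the distribution module silently drops requests to nodes the requester is not cleared for before re-joining the surviving fragments on the row key. The four-level ordering, the sample relation and the assumption that the row key itself is unclassified are assumptions of the example.

```python
# Added example (not the paper's prototype): an MLS distributed database in
# which every node stores fragments of one classification and the
# distribution module enforces clearance >= classification per node.

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}  # assumed linear ordering


def dominates(clearance: str, classification: str) -> bool:
    return LEVELS[clearance] >= LEVELS[classification]


def lub(levels) -> str:
    """Least upper bound of a set of levels, i.e. the most restrictive one."""
    return max(levels, key=LEVELS.__getitem__)


# Constructed sample relation; each element is (value, classification).
# The row key "id" is assumed unclassified so fragments can be re-joined.
SAMPLE = [
    {"id": 1, "name": ("alice", "U"), "salary": (50000, "C"), "mission": ("none", "U")},
    {"id": 2, "name": ("bob", "U"), "salary": (90000, "C"), "mission": ("redwood", "S")},
    {"id": 3, "name": ("carol", "U"), "salary": (120000, "C"), "mission": ("ember", "TS")},
]


def fragment(rows, scheme: str):
    """Partition the relation into single-level fragments.

    tuple:     every element of a row is classified at the row's LUB
    attribute: every element of a column is classified at the column's LUB
    element:   every element keeps its own classification
    Returns {classification: [(row_id, column, value), ...]}.
    """
    cols = [c for c in rows[0] if c != "id"]
    col_level = {c: lub([r[c][1] for r in rows]) for c in cols}
    frags = {}
    for r in rows:
        row_level = lub([r[c][1] for c in cols])
        for c in cols:
            value, elem_level = r[c]
            level = {"tuple": row_level, "attribute": col_level[c],
                     "element": elem_level}[scheme]
            frags.setdefault(level, []).append((r["id"], c, value))
    return frags


class MLSDistributedDB:
    def __init__(self, rows, scheme: str) -> None:
        self.nodes = fragment(rows, scheme)  # one node per classification
        self.requests = 0
        self.dropped = 0

    def select(self, clearance: str, columns, where=lambda rec: True):
        """Route the query to every node holding a referenced column; the MLS
        code drops requests to nodes classified above the user's clearance
        (no error, no partial data), then re-joins the surviving fragments."""
        partial = {}
        for level, frag in self.nodes.items():
            if not any(col in columns for _, col, _ in frag):
                continue  # node holds nothing the query references
            self.requests += 1
            if not dominates(clearance, level):
                self.dropped += 1  # request to an unauthorised node is dropped
                continue
            for row_id, col, value in frag:
                if col in columns:
                    partial.setdefault(row_id, {"id": row_id})[col] = value
        ordered = sorted(partial.values(), key=lambda rec: rec["id"])
        return [rec for rec in ordered if where(rec)]


if __name__ == "__main__":
    for scheme in ("tuple", "attribute", "element"):
        db = MLSDistributedDB(SAMPLE, scheme)
        rows = db.select("C", {"name", "mission"})
        print(f"{scheme:9} clearance C -> {rows} "
              f"(requests={db.requests}, dropped={db.dropped})")
```

For a CONFIDENTIAL user asking for name and mission, the three schemes return different shapes of the same relation: tuple-level fragmentation hides whole rows whose LUB exceeds the clearance, attribute-level hides the whole mission column (its LUB is TOP SECRET), and element-level returns every name plus only the unclassified mission. None of the schemes returns a cover story; the missing values are simply absent, which is the behaviour the single-level-fragment design gives for free.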
Design and construction of maintainable knowledge bases through effective use of entity-relationship modeling techniques
The use of an accepted logical database design tool, Entity-Relationship Diagrams (E-RD), is explored as a method by which conceptual and pseudo-conceptual knowledge bases may be designed. Extensions to Peter Chen's classic E-RD method which can model the knowledge structure used by knowledge-based applications are explored. The use of E-RDs to design knowledge bases is proposed as a two-stage process. In the first stage, an E-RD, termed the Essential E-RD, is developed of the realm of the problem or enterprise being modeled. The Essential E-RD is completely independent of any knowledge representation model (KRM) and is intended for the understanding of the underlying conceptual entities and relationships in the domain of interest. The second stage of the proposed design process consists of expanding the Essential E-RD. The resulting E-RD, termed the Implementation E-RD, is a network of E-RD-modeled KRM constructs and provides a method by which the proper KRM may be chosen and the knowledge base may be maintained. In some cases, the constructs of the Implementation E-RD may be mapped directly to a physical knowledge base. Using the proposed design tool aids in both the development of the knowledge base and its maintenance. The need for building maintainable knowledge bases and the problems often encountered during knowledge base construction are explored. A case study is presented in which this tool is used to design a knowledge base. Problems avoided by the use of this method are highlighted, as are the advantages the method presents for the maintenance of the knowledge base. Finally, a critique of the ramifications of this research is presented, as well as needs for future research.
A Survey of Traditional and Practical Concurrency Control in Relational Database Management Systems
Traditionally, database theory has focused on concepts such as atomicity and serializability, asserting that concurrent transaction management must ensure correctness above all else. Textbooks and academic journals detail a vision of unbounded rationality, in which reduced throughput due to concurrency protocols is not of great concern. This thesis surveys the traditional basis for concurrency in relational database management systems and contrasts it with actual practice. SQL-92, the current standard for concurrency in relational database management systems, defines isolation levels (the allowable degrees of concurrency), and these are examined. Some of the ways in which DB2, a popular database, interprets these levels and finesses extra concurrency through performance enhancements are detailed. SQL-92 standardizes de facto features of relational database management systems. Given this, and a superabundance of articles in professional journals detailing steps for fine-tuning transaction concurrency, the outlook for performance tuning seems bright, even at the expense of serializability.

Are the practical changes wrought by non-academic professionals killing traditional database concurrency ideals? Not really. Reasoned changes for performance gains advocate compromise: using complex concurrency controls when the job at hand requires them and relaxing standards otherwise. The idea of relational database management systems is only twenty years old, and standards are still evolving. Is there still an interplay between tradition and practice? Of course. Current practice uses tradition pragmatically, not idealistically. Academic ideas help drive the systems available for use, and perhaps current practice will in turn help academic ideas define concurrency control concepts for relational database management systems.
Secondary storage management in an object-oriented database management system
Thesis (Master's), Bilkent University, Department of Computer Engineering and Information Sciences and Institute of Engineering and Sciences, Ankara, 1988. Includes bibliographical references (leaves 91-95).

In this thesis, a survey of object orientation and object-oriented database management systems is carried out, and a secondary storage management and indexing module is implemented for an object-oriented database management system prototype developed at Bilkent University. First, the basic concepts, characteristics, and application areas of the object-oriented approach are introduced; then the designed prototype system is presented, the secondary storage management module is explained in detail, and the functions of the other modules are summarized. Finally, current research issues in object-oriented database systems are introduced.

Murat Karaorman, M.S.
Evaluation of Functional Data Models for Database Design and Use
The problems of design, operation, and maintenance of databases using the three most
popular database management systems (Hierarchical, CODASYL/DBTG, and Relational) are
well known. Users wishing to use these systems have to make conscious and often complex
mappings between the real-world structures and the data structuring options (data models)
provided by these systems. In addition, much of the semantics associated with the data
either does not get expressed at all or gets embedded procedurally in application programs in
an ad-hoc way.
In recent years, a large number of data models (called semantic data models) have been
proposed with the aim of simplifying database design and use. However, the lack of usable
implementations of these proposals has so far inhibited the widespread use of these concepts.
The present work reports on an effort to evaluate and extend one such semantic model by
means of an implementation. It is based on the functional data model proposed earlier by
Shipman [SHIP81]. We call this the 'Extended Functional Data Model' (EFDM).
EFDM, like Shipman's proposals, is a marriage of three of the advanced modelling concepts
found in both database and artificial intelligence research: the concept of entity to represent
an object in the real world, the concept of type hierarchy among entity types, and the
concept of derived data for modelling procedural knowledge. The functional notation of the
model lends itself to high level data manipulation languages. The data selection in these
languages is expressed simply as function application. Further, the functional approach makes
it possible to incorporate general purpose computation facilities in the data languages without
having to embed them in procedural languages. In addition to providing the usual database
facilities, the implementation also provides a mechanism to specify multiple user views of the
database.
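An added example of the functional style the abstract describes (not the EFDM implementation itself): entity types arranged in a type hierarchy, stored and derived functions over those types, data selection expressed as function application, and a user view that exposes only a chosen subset of functions. The type names, function names and the company data are constructed for the example.

```python
from typing import Callable, Dict, List, Optional

# Added example of a functional data model; not the EFDM code base.


class EntityType:
    """A node in the type hierarchy; every entity belongs to exactly one."""

    def __init__(self, name: str, supertype: Optional["EntityType"] = None) -> None:
        self.name, self.supertype = name, supertype

    def is_a(self, other: "EntityType") -> bool:
        t: Optional[EntityType] = self
        while t is not None:
            if t is other:
                return True
            t = t.supertype
        return False


class Entity:
    def __init__(self, etype: EntityType) -> None:
        self.etype = etype
        self.stored: Dict[str, object] = {}  # values of stored functions


class FunctionalDB:
    def __init__(self) -> None:
        self.types: Dict[str, EntityType] = {}
        # function name -> (domain type, derivation or None for stored data)
        self.functions: Dict[str, tuple] = {}
        self.entities: List[Entity] = []

    def define_type(self, name: str, supertype: Optional[str] = None) -> EntityType:
        parent = self.types[supertype] if supertype else None
        self.types[name] = EntityType(name, parent)
        return self.types[name]

    def define_function(self, fname: str, domain: str,
                        derive: Optional[Callable[["FunctionalDB", Entity], object]] = None) -> None:
        self.functions[fname] = (self.types[domain], derive)

    def defined_on(self, fname: str, e: Entity) -> bool:
        # A function applies to its domain type and, by inheritance, subtypes.
        return e.etype.is_a(self.functions[fname][0])

    def create(self, tname: str, **values: object) -> Entity:
        e = Entity(self.types[tname])
        for fname, v in values.items():
            if not self.defined_on(fname, e):
                raise TypeError(f"{fname} is not defined on {e.etype.name}")
            e.stored[fname] = v
        self.entities.append(e)
        return e

    def apply(self, fname: str, e: Entity) -> object:
        """Function application is the only data-access primitive."""
        if not self.defined_on(fname, e):
            raise TypeError(f"{fname} is not defined on {e.etype.name}")
        derive = self.functions[fname][1]
        return derive(self, e) if derive else e.stored.get(fname)

    def select(self, tname: str,
               pred: Callable[["FunctionalDB", Entity], bool] = lambda db, e: True) -> List[Entity]:
        t = self.types[tname]
        return [e for e in self.entities if e.etype.is_a(t) and pred(self, e)]


class View:
    """A user view: the same database seen through a subset of its functions."""

    def __init__(self, db: FunctionalDB, visible) -> None:
        self.db, self.visible = db, set(visible)

    def allows(self, fname: str) -> bool:
        return fname in self.visible

    def apply(self, fname: str, e: Entity) -> object:
        if not self.allows(fname):
            raise PermissionError(f"{fname} is not part of this view")
        return self.db.apply(fname, e)

    def select(self, tname: str, pred=lambda v, e: True) -> List[Entity]:
        return self.db.select(tname, lambda db, e: pred(self, e))


def manager_name(db: FunctionalDB, e: Entity) -> object:
    # Derived function written as the composition name . manager
    m = db.apply("manager", e)
    return db.apply("name", m) if m is not None else None


def build_company() -> FunctionalDB:
    # Constructed sample schema and data for the example.
    db = FunctionalDB()
    db.define_type("Person")
    db.define_type("Employee", supertype="Person")
    db.define_function("name", "Person")
    db.define_function("salary", "Employee")
    db.define_function("manager", "Employee")
    db.define_function("manager_name", "Employee", derive=manager_name)
    alice = db.create("Employee", name="alice", salary=100)
    db.create("Employee", name="bob", salary=80, manager=alice)
    db.create("Person", name="carol")
    return db
```

Selection is a predicate built from function applications, so `select("Person", ...)` naturally includes employees through the type hierarchy, and the derived `manager_name` is just composition. One caveat for views used as an access-control mechanism: a derived function is evaluated against the base database, so exposing `manager_name` in a view that hides `manager` still reveals part of the hidden function; which derived functions a view exposes has to be vetted as carefully as the stored ones.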