Moses Garuba (2004) Performance study of a COTS Distributed DBMS adapted for multilevel security.
Full text access: Open
Multilevel secure database management system (MLS/DBMS) products no longer enjoy direct commercial-off-the-shelf (COTS) support. Meanwhile, existing users of these MLS/DBMS products continue to rely on them to satisfy their multilevel security requirements. This calls for a new approach to developing MLS/DBMS systems, one that relies on adapting the features of existing COTS database products rather than depending on the traditional custom design products to provide continuing MLS support. We advocate fragmentation as a good basis for implementing multilevel security in the new approach because it is well supported in some current COTS database management systems. We implemented a prototype that utilises the inherent advantages of the distribution scheme in distributed databases for controlling access to single-level fragments; this is achieved by augmenting the distribution module of the host distributed DBMS with MLS code such that the clearance of the user making a request is always compared to the classification of the node containing the fragments referenced; requests to unauthorised nodes are simply dropped. The prototype we implemented was used to instrument a series of experiments to determine the relative performance of the tuple, attribute, and element level fragmentation schemes. Our experiments measured the impact on the front-end and the network when various properties of each scheme, such as the number of tuples, attributes, security levels, and the page size, were varied for a Selection and Join query. We were particularly interested in the relationship between performance degradation and changes in the quantity of these properties. The performance of each scheme was measured in terms of its response time. The response times for the element level fragmentation scheme increased as the numbers of tuples, attributes, security levels, and the page size were increased, more significantly so than when the number of tuples and attributes were increased. The response times for the attribute level fragmentation scheme was the fastest, suggesting that the performance of the attribute level scheme is superior to the tuple and element level fragmentation schemes. In the context of assurance, this research has also shown that the distribution of fragments based on security level is a more natural approach to implementing security in MLS/DBMS systems, because a multilevel database is analogous to a distributed database based on security level. Overall, our study finds that the attribute level fragmentation scheme demonstrates better performance than the tuple and element level schemes. The response times (and hence the performance) of the element level fragmentation scheme exhibited the worst performance degradation compared to the tuple and attribute level schemes.
This is a Published version This version's date is: 23/07/2004 This item is peer reviewed
https://repository.royalholloway.ac.uk/items/f076f347-2036-6bd0-98c8-e1d2dc9cf4ab/1/
Deposited by () on 14-Jul-2010 in Royal Holloway Research Online.Last modified on 10-Dec-2010
[1] Multilevel data management security. Technical report, Air Force Studies Board Com-mittee on Multilevel Data Management Security, Washington, DC, March 1983.[2] M.D. Abrams, S. Jajodia, and H. Podell, editors. Information Security: An IntegratedCollection of Essays. IEEE Computer Society Press, Los Alamitos, California, 1998.[3] J.P. Anderson. Computer security technology planning study. Technical Report ESD-TR-73-51-1, U.S. Air Force Electronic Systems Division, Bedford, Massachusetts, Oc-tober 1972.[4] J.P. Anderson. Computer security technology planning study. Technical Report ESD-TR-73-51-2, U.S. Air Force Electronic Systems Division, Bedford, Massachusetts, Oc-tober 1972.[5] ANSI. Database Language SQL. American National Standards Institute, Washington,DC, x3.135-1992 edition, 1992.[6] V. Atluri, S. Jajodia, and B. George. Multilevel Secure Transaction Processing. KluwerAcademic Publishers, Boston, Massachusetts, 1999.[7] D.E. Bell and L.J. LaPadula. Secure computer systems: Mathematical foundationsand model. Technical Report ESD-TR-73-278-1, MITRE Corporation, Bedford, Mas-sachusetts, November 1973.[8] D.E. Bell and L.J. LaPadula. Secure computer systems: Mathematical foundationsand model. Technical Report ESD-TR-73-278-2, MITRE Corporation, Bedford, Mas-sachusetts, November 1973.[9] P.A. Bernstein, V. Hadzilacos, N. Goodman, and V. Radzilacos. Concurrency Controland Recovery in Database Systems. Addison-Wesley, Reading, Massachusetts, 1987.[10] K.J Biba. Integrity considerations for secure computer systems. Technical ReportESD-TR-76-372, U.S. Air Force Electronic Systems Division, Bedford, Massachusetts,April 1977.[11] H. Bidgoli and R. Azarmsa. Computer Security: New managerial concern for the 1980sand beyond. Journal of Systems Management, 2:21Û27, November 1989.[12] D. Bitton, D.J. DeWitt, and C. Turbyßll. Benchmarking database systems: A system-atic approach. In Proceedings, 9th International Conference on Very Large Databases,pages 8Û19, Florence, Italy, October 1983. Morgan-Kaufmann.[13] D.F.C. Brewer and M.J. Nash. The Chinese Wall security policy. In Proceedings, IEEESymposium on Security and Privacy, pages 206Û214, Oakland, California, May 1989.IEEE Computer Society Press.[14] U. Bussolati, M.G. Fugini, and G. Martella. A conceptual framework for securitysystems: The action-entity model. In Proceedings, 9th IFIP World Conference, pages127Û132, Paris, France, September 1983. IFIP Press.[15] S. Castano, M. Fugini, G. Martella, and P. Samarati. Database Security. Addison-Wesley, Essex, England, 1994.[16] S. Ceri, B. Navathe, and G. Wiederhold. Distribution design of logical databaseschemas. IEEE Transactions on Software Engineering, 9(4):487Û504, November 1983.[17] S. Ceri, M. Negri, and G. Pelagatti. Horizontal data partitioning in database design. InProceedings, ACM SIGMOD International Conference on Management of Data, pages128Û136, Orlando, Florida, June 1982. ACM Press.[18] S. Ceri and G. Pelagatti. Distributed Databases: Principles and Systems. McGraw-Hill,New York, New York, 1984.[19] S.K. Chang and W.H. Cheng. A methodology for structured database decomposition.IEEE Transactions on Software Engineering, 6(2):205Û218, March 1980.[20] F. Chen and R. Sandhu. The semantics and expressive power of the MLR data model.In Proceedings, IEEE Symposium on Security and Privacy, pages 128Û142, Oakland,California, April 1995. IEEE Computer Society Press.[21] D.D. Clark and D.R. Wilson. A comparison of commercial and military computersecurity policies. In Proceedings, IEEE Symposium on Security and Privacy, pages184Û194, Oakland, California, April 1987. IEEE Computer Society Press.[22] O. Costich, J. McLean, and J. McDermott. Conßdentiality in a replicated architecturetrusted database system: A formal model. In Proceedings of the Computer SecurityFoundations Workshop VII, pages 60Û65, Franconia, New Hampshire, June 1994. IEEEComputer Society Press.[23] C. Dalton and T.H. Choo. An operating system approach to securing e-services. Com-munications of the ACM, 44(2):58Û64, February 2001.[24] C.J. Date. An Introduction to Database Systems. Addison-Wesley, Reading, Mas-sachussetts, 8th edition, 2003.[25] D.E. Denning. A lattice model of secure information àow. Communications of theACM, 19(5):236Û243, May 1976.[26] D.E. Denning. Commutative ßlters for reducing inference threats in multilevel databasesystems. In Proceedings, IEEE Symposium on Security and Privacy, pages 134Û146,Oakland, California, April 1985. IEEE Computer Society Press.[27] D.E. Denning, S.G. Akl, M. Heckman, T.F. Lunt, M. Morgenstern, P.G. Neumann, andR.R. Schell. Views for multilevel database security. IEEE Transactions on SoftwareEngineering, 13(2):129Û140, February 1987.[28] D.E. Denning, T.F. Lunt, R.R. Schell, W. Shockley, and M. Heckman. The SeaViewsecurity model. In Proceedings, IEEE Symposium on Security and Privacy, pages218Û233, Oakland, California, April 1988. IEEE Computer Society Press.[29] D.J. DeWitt, S. Ghandeharizadeh, and D. Schneider. A performance analysis of theGamma database machine. SIGMOD Record (ACM Special Interest Group on Man-agement of Data), 17(3):350Û360, September 1988.[30] DoD. Department of defense privacy program. Directive 5400.11, U.S. Department ofDefense, Washington, DC, June 1982.[31] DoD. Security requirements for automated information systems (AISs). Directive5200.28, U.S. Department of Defense, Washington, DC, March 1988.[32] D. Downs and G.J. Popek. A kernel design for a secure database management system.In Proceedings, 3rd International Conference on Very Large Databases, pages 507Û514,Tokyo, Japan, October 1977. IEEE Computer Society Press.[33] P. Dwyer, G. Jelatis, and B.M. Thuraisingham. Multilevel security in database man-agement systems. Computers and Security, 6(3):252Û260, June 1987.[34] C. Dye. Oracle Distributed Systems. O'Reilly & Associates Inc., Sebastopol, California,1999.[35] H. Garcia-Molina, J. Ullman, and J. Widom. Database Systems: The Complete Book.Prentice Hall, Upper Saddle River, New Jersey, 2002.[36] D. Garlan and M. Shaw. An introduction to software architecture. In V. Ambriolaand G. Tortora, editors, Advances in Software Engineering and Knowledge Engineer-ing, volume 2, pages 1Û39, River Edge, New Jersey, 1992. World Scientißc PublishingCompany.[37] M. Gasser. Building a Secure Computer System. Van Nostrand Reinhold, New York,1988.[38] D. Gollmann. Computer Security. John Wiley & Sons, Chichester, England, 1999.[39] R. Graubart. The integrity-lock approach to secure database management. In Pro-ceedings, IEEE Symposium on Security and Privacy, pages 62Û74, Oakland, California,April 1984. IEEE Computer Society Press.[40] J. Gray, editor. The Benchmark Handbook for Database and Transaction Systems.Morgan-Kaufmann, San Francisco, California, 2nd edition, 1993.[41] J. Gray and A. Reuter. Transaction Processing: Concepts and techniques. Morgan-Kaufmann, San Francisco, California, 1993.[42] J.T. Haigh, R.C. O'Brien, and D.J. Thomasen. The LDV secure relational DBMSmodel. In S. Jajodia and C.E. Landwehr, editors, Database Security IV: Status andprospects, pages 265Û280. Elsevier Science, North-Holland, January 1991.[43] Honeywell. Secure distributed data views Ü security policy extensions. Technical Re-port A002, Honeywell Systems Research Center and Corporate Systems DevelopmentDivision, St. Anthony, Minnesota, April 1987.[44] R. Jain. The Art of Computer Systems Performance Analysis: Techniques for experi-mental design, measurement, simulation, and modeling. John Wiley & Sons, Hoboken,New Jersey, 1991.[45] S. Jajodia and R. Mukkamala. EÞects of SeaView decomposition of multilevel relationson database performance. In S. Jajodia and C.E. Landwehr, editors, Database SecurityV: Status and prospects, pages 203Û225. Elsevier Science, North-Holland, January 1992.[46] S. Jajodia and R. Sandhu. Polyinstantiation integrity in multilevel relations. In Pro-ceedings, IEEE Symposium on Security and Privacy, pages 104Û115, Oakland, Califor-nia, May 1990. IEEE Computer Society Press.[47] S. Jajodia and R. Sandhu. A novel decomposition of multilevel relations into single-level relations. In Proceedings, IEEE Symposium on Security and Privacy, pages 300Û313, Oakland, California, May 1991. IEEE Computer Society Press.[48] S. Jajodia and R. Sandhu. Towards a multilevel secure relational data model. InJ. CliÞord and R. King, editors, Proceedings, ACM SIGMOD International Conferenceon Management of Data, pages 50Û59, Denver, Colorado, May 1991. ACM Press.[49] A.K. Jones, R.J. Lipton, and L. Snyder. A linear time algorithm for deciding security.In Proceedings, 17th IEEE Symposium on Foundations of Computer Science, pages33Û41, Houston, Texas, October 1976. IEEE Computer Society Press.[50] N. Jukic, S. Vrbsky, A. Parrish, B. Dixon, and B. Jukic. A belief-consistent multilevelsecure relational data model. Information Systems Journal, 24(5):377Û400, July 1999.[51] M.H. Kang, A.P. Moore, and I.S. Moskowitz. Design and Assurance Strategy for theNRL Pump. IEEE Computer, 31(4):56Û64, April 1998.[52] T.F. Keefe, M.B. Thuraisingham, and W.T. Tsai. Secure query-processing strategies.IEEE Computer, 22(3):63Û70, March 1989.[53] K.Henry. Legacy multilevel secure database management systems: The future. Tech-nical Report DARPA-DSO-SR-15, Defense Advanced Research Projects Agency, Ar-lington, Virginia, May 2000.[54] W. Kim, D. Reiner, and D. Batory, editors. Query Processing in Database Systems.Springer-Verlag, London, England, 1985.[55] R. Knapman, J. Bryant, and C. Martin. The Stargres release 3.2: Software struc-ture. Technical Report APL-CAIR-328-3, Johns Hopkins University Applied PhysicsLaboratory, Laurel, Maryland, April 2000.[56] R. Knapman, M. Furst, D. Shtengel, and L. Freeman. The Stargres release 3.2: StarQL.Technical Report APL-CAIR-328-4, Johns Hopkins University Applied Physics Labo-ratory, Laurel, Maryland, October 2000.[57] B. Lampson. Protection. ACM Operating System Reviews, 8(1):18Û24, January 1974.[58] C.E. Landwehr. Formal models for computer security. ACM Computing Surveys,13(3):247Û278, September 1981.[59] M. Levene and G. Loizou. A Guided Tour of Relational Databases and Beyond.Springer-Verlag, London, England, 1999.[60] T. Lunt, editor. Research Directions in Database Security. Springer-Verlag, New York,New York, 1992.[61] T.F. Lunt, R.R. Schell, W. Shockley, M. Heckman, and D. Warren. A near-term design for the SeaView multilevel database system. In Proceedings, IEEE Symposium on Security and Privacy, pages 234Û244, Oakland, California, June 1988. IEEE Computer Society Press.[62] J. McLean. A comment on the `Basic Security Theorem' of Bell and LaPadula. Infor-mation Processing Letters, 20(2):67Û70, February 1985.[63] A. Motro. Integrity = validity + completeness. ACM Transactions on DatabaseSystems, 14(4):480Û502, December 1989.[64] NCSC. Department of defense trusted computer system evaluation criteria. ReportDoD 5200.28-STD, National Computer Security Centre, Washington, DC, December1985. Orange Book edition.[65] NCSC. Trusted network interpretation of the trusted computer systems evaluationcriteria (TCSEC). Report NCSC-TG-005, National Computer Security Centre, Wash-ington, DC, July 1987.[66] NCSC. Trusted database management system interpretation of the trusted computersystem evaluation criteria (TCSEC). Report NCSC-TG-021, National Computer Se-curity Centre, Washington, DC, April 1991.[67] NIST. Common criteria for information technology security evaluation. Report 2.1,National Institute of Standards and Technology, Washington, DC, August 1999.[68] M.T. Ozsu and P. Valduriez. Principles of Distributed Database Systems. PrenticeHall, Upper Saddle River, New Jersey, 2nd edition, 1999.[69] G. Pßster. In Search of Clusters: The ongoing battle in lowly parallel computing.Prentice Hall, Upper Saddle River, New Jersey, 2nd edition, 1998.[70] C.P. Pàeeger and S.L. Pàeeger. Security in Computing. Prentice Hall, EnglewoodCliÞs, New Jersey, 3rd edition, 2003.[71] J. Rushby and B. Randell. A distributed secure system. IEEE Computer, 16(7):55Û67,July 1983.[72] D. Russell and G.T. Gangemi. Computer Security Basics. O'Reilly & Associates Inc.,Sebastopol, California, 1991.[73] SCC. Locked workstation program LWS expanded environment study report. TechnicalReport SCS-1-96, Secure computing corporation, San Jose, California, January 1996.[74] R.R. Schell, T.F. Tao, and M. Heckman. Designing the gemsos security kernel for secu-rity and performance. In Proceedings, 8th DoD/NBS Computer Security Conference,pages 108Û119, Gaithersburg, Maryland, May 1985. IEEE Computer Society Press.[75] K. Smith and M. Winslett. Entity modelling in the MLS relational model. In Li-YanYuan, editor, Proceedings, 18th International Conference on Very Large Databases,pages 199Û210, Vancouver, Canada, August 1992. Morgan-Kaufmann.[76] M. Stonebraker and E. Wong. Access control in a relational database managementsystem by query modißcation. In Proceedings, 1974 ACM Annual Conference, pages180Û186, New York, May 1974. ACM Press.[77] B. Thuraisingham and A. Kamon. Query processing in a trusted database manage-ment system: Design and performance study. Technical Report MTP-292, MITRECorporation, Bedford, Massachusetts, June 1990.[78] B. Thuraisingham and A. Kamon. Secure query processing in distributed databasemanagement systems: Design and performance studies. In Proceedings, 6th AnnualComputer Security Applications Conference, pages 88Û102, Tucson, Arizona, December1990.[79] TPC. TPC Benchmark A. Standard Specißcation Report TPC-A-2.0-94, TransactionProcessing Performance Council, San Francisco, California, June 1994.[80] TPC. TPC Benchmark B. Standard Specißcation Report TPC-B-2.0-94, TransactionProcessing Performance Council, San Francisco, California, June 1994.[81] TPC. TPC Benchmark C. Standard Specißcation Report TPC-C-5.2-03, TransactionProcessing Performance Council, San Francisco, California, December 2003.[82] C. Turbyßll, C. Orji, and D. Bitton. AS3AP: A comparative relational databasebenchmark. In Proceedings, 34th IEEE Computer Society International Conference,pages 560Û564, San Francisco, California, February 1989. IEEE Computer SocietyPress.[83] J. Wilson. A security policy for an A1 DBMS (a trusted subject). In Proceedings,IEEE Symposium on Security and Privacy, pages 116Û125, Oakland, California, May1989. IEEE Computer Society Press.[84] S.R. Wiseman. Purple Penelope: Extending the security of Windows NT. TechnicalReport RSRE-97224, Defence Research Agency, Malvern, England, February 1997.[85] A.W. Wood, S.R. Lewis, and S.R. Wiseman. The SWORD multilevel secure DBMS.Technical Report RSRE-92005, Defence Research Agency, Malvern, England, May1992.