Secure Concurrency Control Algorithm for
MultiLevel Secure Databases
Sonakshi Shanwal1, Suresh Kumar2
1,2
Department of CSE, Faculty of Engineering and Technology, MRIU, Faridabad
1
sonakshi.shanwal@gmail.com, 2suresh.fet@mriu.edu.in
ABSTRACT
In a Multi Level Database (MLS) data as well as user, both
are classified in order to provide security to data. Data and
users are classified at different levels in the database and
the user with a particular security level is allowed to access
the data at that level or below that level only. So the
concurrency control requirements of MLS databases are
different from the concurrency control requirements of
traditional databases. In this paper we have analysed the
problems that may occur when conventional methods of
concurrency control are used in MLS databases. We have
proposed secure and starvation-free concurrency control
algorithm.
KEYWORDS
Concurrency Control,
Databases.
Databases,
Multilevel
Secure
1. INTRODUCTION
Like traditional databases, Multi Level Database (MLS)
databases are also used by multiple users at the same time.
The MLS databases are shared by concurrent transactions
with different classification levels. Certain security aspects
are imposed to traditional databases to convert them into
Multi Level Database. Some multilevel secure database
models use access-control protocols based on the BellLaPadula model [7]. It has two properties: simple security
property and star property. The first property is for readaccess and the second property is for providing writeaccess. With these new constraints the traditional
concurrency control techniques are not suitable for MLS
databases because some additional inconsistencies occur
due to them. Since the objective of multilevel secure
databases was to classify data as well as user to enhance
the security, it may be violated if the traditional techniques
of concurrency control are used [1, 9].
Two main issues that may arise due to the basic approaches
of concurrency control are the inference problem and
signalling channels. These are the major threats to design
of multilevel secure databases and are discussed in detail in
the following section of the paper. To overcome these
issues, many researchers have proposed secure algorithms
for concurrency control in multilevel databases [8]. In this
paper a starvation-free
algorithm is proposed.
secure
concurrency control
2. SECURITY ISSUES
In the terminology of MLS databases an object may be a
data file, a record or a field within a record, and, a subject
is an active entity that can request for read/ write access to
the objects. In the MLS databases both objects and subjects
are classified. The security levels of the objects are called
classification levels and that of the subjects are termed as
clearance levels. The combination of classification levels
and the clearance levels is called a label. The MLS
databases are based on Bell-LaPadula security model
which have the following properties [7]:
Simple Security Property: It says that a subject is allowed
to have read-access to an object only if the clearance level
of the subject is identical to or higher than the classification
level of the object.
Star Property: According to this property, a subject is
allowed to have a write-access on an object only if the
clearance level of the subject is identical to the
classification level of the object.
These two properties make sure that information do not
flow from higher security level object to lower security
level subjects. However, these protocols prevent the direct
flow of information, but there is a possibility that there may
be an indirect flow of information from the subjects at
higher level to the subjects at lower level subject through
covert channels. If a communication channel is not
designed or intended to transfer information from one level
to another level but it does then it is called a covert
channel. The covert channels are classified into two
categories: storage covert channels and timing covert
channels. A covert channel is a storage covert channel if it
involves the direct storage location of other entity. A
timing covert channel is one in which a transaction
classified at higher level signals information to another
transaction classified at lower level by modulating its own
use of systems resources in such a manner that the real
response time observed by the lower level transaction is
affected by this manipulation[15]. For example, when a
user classified at a lower security level want to insert some
Ƈ 149 Ƈ
data and that data already present in the database at a
higher level of security. When this insert operation is
rejected by the system, then the lower level user will get to
know that same data already exist in the system at a higher
security level. This indirect flow of information from
higher security level to lower security level is possible
through different ways. For instance, the concurrent
execution of transactions may lead to contention of data
objects. If the results from a lower security level
transaction are delayed, when a higher security level
transaction is executing, then the user at lower security
level can determine the presence of higher security level
transactions, and may be able to infer some meaningful
information by interpreting the length of the delay. In
concurrency control approaches covert channels are
generally established when a resource or a data object is
shared between the subjects with different classification
levels [8].
The inference channel in a database is a method by which
the users classified at lower security levels can infer data
classified at higher levels. Hence the objective is to detect
and remove inference channels. When traditional
approaches for concurrency control like locking techniques
and time stamping are applied to multilevel databases,
channels are established between the transaction at low
level and the transaction at high level as discussed in [1,8].
3. LITERATURE REVIEW
In a multilevel secure database, security is imposed at
different levels. In the literature the architectures of these
databases are categorised into two broad categories [8,
15]:Woods-Hole Architecture and Trusted Subject
Architecture. In Woods-Hole architecture security is
provided by the underlying operating system whereas in
Trusted subject architecture both the database and the
operating system are responsible for security.
N. Dobrinkova [7] describes LaPadula Bell-model. The
model deals with the control of information flow and is a
linear non-discretionary model. This model of protection
consists of the following components: A set of subjects, a
set of objects, an access control matrix, and several ordered
security levels. This model was first published in 1987 and
it was a proposal for enforcing access control in
government and military applications. This model has a set
of four access-rights: Read-Only, Append, Execute, and
Read-Write. These accesses refer to the operations with the
subjects and to enforce data security and integrity by
imposing Reading-down and Writing-up restrictions.
D. E. Denning et. al. [3] proposed a model called the
SeaView model. This was developed by SRI International
and Gemini Computers in 1985. In this model, several
policies were developed in order to enforce mandatory
access control (MAC), discretionary access controls (DAC)
and relational integrity constraints, for multilevel
databases. SeaView model is a formal security model that
combines, through its policies, software and hardware, in
order to provide data security to multilevel databases.
S. Jajodia et. al. [12] gave an orange locking protocol for
concurrency control in MLS databases. In an orange
locking protocol when a transaction TL classified at low
clearance level tries to write a data object x at same level
classification; while a transaction TH classified at high
clearance level has already acquired a read lock on that
data object. At this point, the read-lock granted to the
transaction TH is converted to an orange lock. By this the
contents of the data-object x is invalidated by other
transaction’s write operation. At the commit phase of
transaction TH, it checks its entire write operation of
transaction TL, to see if there is any read-lock converted
into an orange lock. If any orange lock is present, TH may
be aborted, or rolled-back and then executed again starting
from the firstly invalidated data object after TL finishes.
Therefore, the creation of a covert channel is prevented
using orange locks.
H. T. Kim et. al. [5] proposed a secure concurrency control
protocol. They presented a concept of invisible area and tlocks. The invisible area of a high transaction Ti is a time
interval for which transaction Ti is blocked by any other
lower transaction Tj. The purpose of defining the invisible
area is to hide the operations of lower level transactions
from the currently blocked high transactions and prevent
transaction Tj from reading new versions of data objects
created by lower level transaction Tj running within this
area; otherwise Tj may suffer from a retrieval anomaly
when it resumes its execution.
N. Kaur et. Al. [8] proposed a multi-version concurrency
control algorithm. They have changed the condition for a
transaction to be included in the conflict set of any other
transaction. In the algorithm read-set of transaction R-setTj
is divided into two parts R-setdoneTj and R-setremainingTj. By
this modification they were able to improve degree of
concurrency but it may lead to retrieval anomaly.
In this case, older versions of the conflicting variables are
used by higher level transaction, however new versions of
these variables are created by the lower level transactions.
As a result recent data is not reflected to high level
transaction. Another issue was that no factor was included
in the algorithm to claim it to be starvation-free. A higher
transaction may be blocked infinite number of times and
hence the higher transaction is starved. This algorithm can
be explained with the help of following example. Suppose
there are two transactions TH and TL. The transaction TH
represents transaction of a user classified at higher security
level and TL belong to a user that is classified at lower
classification level.
Ƈ 150 Ƈ
TH: r[x0]
TL:
If R-setTjŀW-setTi= ˻
Both transactions will be executed
simultaneously without disturbing each
other.
r[y0], w[y1], c;
r[x0], w[x1], c;
When TH was executing and transaction TL with lower
classification level enters into the system and since it is of
lower classification level, transaction TL is made to wait.
Due to this timing channel may be established as the
transaction at lower classification level can observe the
time interval when it is forced to wait. In order to avoid this
problem of signalling channel TH is blocked and TL is
executed. Transaction TH resumes its execution when
transaction TL commits, but changes made by TL are not
reflected to TH . In other words TL is executed in the
invisible area of transaction TH.
4.
PROPOSED WORK: STARVATION-FREE
SECURE CONCURRENCY CONTROL
ALGORITHM
If we add the concept of orange locks to the algorithm
proposed by H. T. Kim [5], it will remove the retrieval
anomaly. The above algorithm is modified and the concept
of invisible area is removed as the changes made by a
lower transaction must be visible to a higher transaction in
any case to remove retrieval anomaly. In order to make the
algorithm starvation-free we attach a counter with every
transaction and when this counter crosses the maximum
limit the transaction will be executed and the lower
transactions will have to wait. The algorithm will proceed
in the following way:
1: The scheduler receives counter P (with initial value, say
n) read-set R-Set Ti and0 write-set W-Set Ti when
transaction Ti is submitted.
2: When there is no transaction in execution, the scheduler
executes transaction Ti. When transaction Ti commits go to
6.
4: Since a low level transaction Tj has been running, the
scheduler makes the high level transaction Ti wait until Tj
terminates. When Tj commits go to 6.
5: Because both the transactions are at the same security
level, the scheduler execute them concurrently.
If R-setTj ŀ W-setTi ࢥ,
Then at the time of conflicting data item, transaction Tj is
blocked by the scheduler.
Let transaction Ti will execute only for the duration of
creating new versions of conflicting data objects. When
transaction Tj resumes its execution it is checked if any
orange locks has been acquired by the transaction, if found,
transaction Tj is rolled-back. When both the transactions Ti
and Tj commits, go to 6.
6: When transaction Ti was the only transaction to be
executed at 2, the scheduler waits for other transactions to
be submitted. Otherwise, the scheduler will select a
transaction (say Tk) with lowest security level among the
blocked transactions, along with new transactions with the
same security level as that of transaction Tk.
5. ILLUSTRATIVE EXAMPLE
Let there are two transactions TH and TL where TH is the
transaction of user classified at higher level i.e. one whose
classification level is higher and TL is the transaction of
user with lower classification level.
3: When there is a transaction Tj that is currently in
execution and another transaction Ti arrives, the scheduler
can take three decisions according to the security level of
the incoming transaction, Ti:
i)
If L(Ti) > L(Tj). Go to 4.
ii)
If L(Ti) = L(Tj). Go to 5.
iii)
If L(Ti) < L(Tj).
If R-setTj ŀW-setTi ˻
Then transaction Tj is blocked by the
scheduler and transaction Ti will start
executing. When transaction Ti commits,
transaction Tj resumes its execution, but it
immediately check whether transaction Tj has
acquired any orange locks. If found,
transaction Tj is rolled back to release these
locks and executed again.
TH
TL
(High
Transaction)
(Low
Transaction)
r[x0]
r[y0],
r[x0],
w[y1],
w[x1],
c;
c;
Here, r[xi] represents read operation on ith version of data
object ‘x’ and similarly w[xi] is the write operation on ith
version of data object ‘x’ and ‘c’ represents commit
operation.
Ƈ 151 Ƈ
According to the previous algorithms When transaction TL
enters the system the scheduler blocks the high transaction
and the low transaction is made to execute in the invisible
area of high transaction. After the low transaction commits
the high transaction resumes its execution, but it is unaware
of the changes made by the low transaction as changes by
low transaction are invisible to high transaction. Due to
this, retrieval anomaly exists i.e. a most recent value of any
item is not retrieved by the blocked high transaction.
With the proposed algorithm this anomaly can be removed.
When TL commits and TH resumes execution, it is
immediately checked if transaction has acquired any
orange lock. If so the transaction is rolled-back in order to
release this orange lock otherwise executed.
Example 2: Let there be another set of transactions T1, T2,
and T3 in increasing order of levels i.e. T1 has highest
classification and T3 has the lowest level.
When transaction T2 is entered transaction T1 is currently
executing. Since it has lower clearance level, so transaction
T1 is blocked and transaction T2 starts its execution. Now
transaction T3 enters the system which is having the lowest
classification level among all the active transactions. At
this moment transaction T2 will also be blocked and
transaction T3 will starts its execution. When transaction T2
resumes its execution, the scheduler checks if transaction
T2 has acquired any orange lock on data object ‘y’, as ‘y’ is
modified by transaction T3, after it is read by transaction
T2. So it is changed into orange lock and the transaction T2
is rolled-back and it is executed again with the recent
version of ‘y’. When it completes its execution transaction
T1 is checked for any orange lock, as data object ‘x’ has
been modified by transaction T2, after it is read by
transaction T1. So transaction T1 is also rolled-back and
executed again with the recent version of ‘x’.
T1
T2
T3
r[x0],
r[y0],
w[x1],
w[y1],
r[y0]
c;
r[x0]
r[y0],
r[xo],
w[y1],
w[x1],
c;
r[y1],
r[z0],
w[z1],
c
6. CONCLUSIONS
We have analysed that the traditional approaches for
concurrency control cannot be applied to multilevel secure
databases and also studied the proposed algorithms for
same in multilevel secure databases. We proposed a new
algorithm for starvation-free concurrency control in MLS
databases. In our algorithm we included the concept of
orange locks. In future performance of this algorithm can
be evaluated by practically imposing it on the multilevel
secure database for concurrency control because there
exists a trade-off as when we make the algorithm
starvation-free, covert channels may be established and
when we remove the possibility of covert channel, it will
no longer remain starvation-free.
7.
[1]
REFERENCES
A.K. Khan, “Meeting Security Requirements on
Transaction Processing in MLS Databases”, Minnesota
State University, Mankato, USA, March, 2013.
[2] B. Panda, W. Perrizo, R. Haraty, “Secure Transaction
Management and Query Processing in Multilevel
Secure Database Systems”, Proc. of ACM Symposium
on Applied Computing, pp: 363-368, 1994.
[3] D. E. Denning, T. F.Lunt. “The SeaView Security
Model”, IEEE Transactions On Software Engineering,
vol. 16, issue 6, pp: 593-607, 1988.
[4] E. Bertino and R. Sandhu, “Database securityConcepts, Approaches and Challenges”, IEEE
Transactions on Dependable Secure Computing”, vol.
2, issue 1, pp: 2-19, 2005.
[5] H. T. Kim and M. H. Kim, “Starvation-Free Secure
Multiverison Concurrency Control“, Information
Processing Letters, Vol. 65, pp. 247-253, 1998.
[6] L. V. Mancini and I. Ray, “Secure Concurrency
Control in MLS Databases with Two Versions of
Data”, Computer Security, Vol. 1146, pp: 304-323,
1996.
[7] Nina Dobrinkova, “Information Security- BellLaPadula Model. Institute of Information and
Communication Technologies” Sofia, 2010.
[8] N. Kaur, R. Singh, M. Misra& A. K. Sarje,
“Concurrency Control for Multilevel Secure
Databases”, International Journal of Network Security,
Vol.9, No.1, PP.70-81, July 2009.
[9] N. Kaur, R. Singh, M. Misra and A. K. Sarje,
“Performance Evaluation of Secure Concurrency
Control Algorithm for MLS Databases”, Proceedings
of International Conference on Information
Technology, IEEE, 2005.
[10] R. Elmasri, S. Navathe,“Fundamentals of Database
Systems”, ISBN 0-201-54263-3, Addison-Wesley,
2000.
[11] S. Kang, S. Moon. “Read Down Conflict-Preserving
Serializibility as a Correctness Criterion for Multilevel
Ƈ 152 Ƈ
Secure Optimistic Concurrency Control”, CRD,
Journal of System Architecture, pp. 889-902, 2000.
[12] S. Jajodia, L. V. Mancini and I. Ray, “Secure Locking
Protocol For Multilevel Database Mangement
Systems”, Proceedings of IFIP Conf. Database
Security, pp: 177-194, 1997.
[13] S. Jajodia, C. McCallum,“Using Two Phase Commit
for Crash Recovery for Federated Multilevel Secure
Database Systems”, Dependable computing Fault
Tolerant Systems, vol. 8, pp. 365-381, New York,
Springer, Verlag, 1993.
[14] V. Atluri, S. Jajodia, E. Bertino, “Alternative
correctness criteria for concurrent execution of
transactions in MLS databases”, IEEE Trans.
Knowledge and Data Engineering, pp: 839-854, 1996.
[15] W. Rjaibi, “An Introuction to Multilevel Secure
Relational
Database
Management
Systems”,
Proceedings of Center for Advanced Studies on
Colaaborative Research, pp. 232-241, 2004.
Ƈ 153 Ƈ