Professional Documents
Culture Documents
Refereed Article
SODA: A Secure
Object-oriented
Database System
T. F. Keefel, W. T. Tsai’ and
M. B. Thuraisingham**
’ Department ofcomputer Science, CTt~iversity of‘Mitzrl~sota, Minneapohs, MN 55455, U.S.A.
“Honeywell Inc., Corporate Systems,Developrn~rrtDivisiow, Golden V&y, MN 55427, U.S.A.
This paper describes a security model for object-oriented useful object-oriented DBMSs and generates a
systems. The model supports a flexible data classification policy
need for security.
based on inheritance. The classification policy allows for a
smooth transition bctwccn rigid classification rules and
unlimited polyinstantiation. The security model treats the data Object-oricntcd DBMSs support a powerful com-
model as well as the computational model of object-oriented putational model which can be used to express
systems allowing more flexibility. This model trades an applications. The relational algebra does not deal
increase in complexity for a more flexible security model.
with the subject of updating or creating new rela-
Kqwords: Secure database, Data classification, Object-oricntcd tions even though most relational DBMSs do
m&l. Security cntitics. provide this capability. The fact that the
object-oriented model includes an explicit compu-
tational model allows the incorporation of the
1. Introduction
computational model into the security model.
Each object has a type or class it belongs to. All Figure 1 illustrates some of the concepts discussed
objects in a class arc cquivalcnt computationally. above.
Each may have a diffcrcnt state but the type of
computation which can bc performed on an object
4. Security Model
is uniform throughout the class. The class d&tics
what methods arc available in instances of the class This section introduces a security model with
and what instance variables arc included in the several unique features. First, it is proposed for use
instance objects. The class of an object is also an in object-oriented systems.
object. A class object crcatcs new instances of its
own type. A class object de&s a type by specializ- Secondly, the protected passive data in our model
ing other types and defining additional behavior. arc instance variables and objects. Access to them is
The refined types arc referred to as its sub-types. arbitrated by the TCB. Another common choice
An object inherits methods and access to instance for protected objects is a mcssagc [3, 201. In this
variables from its class object and each super-type approach each object is given a classification. To
of the class object all the way up the inheritance enforce the *-property [2], messages can only be
lattice to the root, OISJECT. sent to objects of an equal or higher lcvcl and
responses can only bc rcccived from objects of a
Methods arc specified such that only data con- lower or equal level. This technique is well suited
tained in the object receiving the message arc to distributed systems where the message passing is
mod&d directly. A method activation has no part of the system kernel. Howcvcr, this approach
knowledge about the states of other objects and it has several problems. First, the need to enforce the
cannot directly affect other objects. *-property ensures that only objects of the same
518
Computers and Security Vol. 8, No. 6
set of application-indcpcndcnt propcrtics which sing security constraints. The classification method
describe relations bctwcen entity classifications. It allows the classification rigidity to be tuned on a
defines integrity rules for thcsc entity classifica- class-by-class basis. This provides for wide varia-
tions. It is difficult to determine which entities in tions in labclling rcquiremcnts.
the model act as protected objects and which act as
subjects. This makes the security propcrtics of the
2. Multilevel Security
model difficult to evaluate.
Multilevel secure computers protect objects classi-
Mandatory security is investigated in ref. [ 181. ficd at more than one level and allow sharing
Security is cnforccd with a combination of com- between users of different clearance levels. Objects
pile-time and run-time checks. The security model arc labcllcd with their sensitivity lcvcls. Subjects arc
classifies variables as having a fixed or indctermin- associated with clearance lcvcls. A multilevel secure
ate sensitivity level. The indeterminate levels are computer arbitrates all access of objects by subjects.
meant to deal with indeterminate information The arbitration is carried out by the rcfcrcncc
flows and must bc checked at run-time. The monitor according to a security policy.
security model does not support automatic object
classification rules nccdcd in a DBMS. MLS/DRMSs must deal with large numbers of
objects, intcrrclatcd in complex ways which have
semantic meaning. This causes scvcral problems.
The USC of a sensitivity level range to control the
sensitivitylcvcls of data in a container is used in The first is efficiency. Large numbers of objects
can cause a large burden on the access monitor.
SEAVIEW [151 and TNJIIATA [141. TNJIIATA uses it to
Secondly, all of thcsc objects must be classified in a
limit vulnerability. SEAVIEW uses it to limit poly-
complete and consistent way. The third problem is
instantiation where it is augmented with security
rcprcscnting and manipulating objects containing
constraints for tuplc labclling. In our approach
data of multiple sensitivity levels. The inter-
these constraints are the security constraints. Con-
relations of the data and their semantics lead to an
straint satisfaction is enforced as part of mandatory
infcrencc problem. Inference occurs when infor-
security. Constraint satisfaction guides the action of
the reference monitor. mation which can be rctricvcd from the database
allows other data to be deduced. Inference provides
a flow of data which is not arbitrated by the
WC propose a security model for a multilcvcl
rcferencc monitor.
secure object-oriented database (SODA) with the
following advantages. It is posed in terms of an
object-oriented model, and it enforces information 3. Object-Oriented Systems
containment and security label integrity. The This section gives a brief background on objcct-
model covers the computational model as well as
oriented systems. Thcrc is a wide variation in what
data access and classification. This allows the inter-
is meant by “object oriented.” Most of our inter-
action of the two concerns. The classification lcvcl
pretation comes from SMALLTALK-80 [1 I]. Varia-
of a computation is adjusted based on its clearance
tions on this model arc given in ref. [ 191. The
level, the data it has access to, and classification
object-oriented model began as a programming
constraints enforced on data it wishes to create.
system. Our definition of an object-oriented
system also stems from our desire to incorporate
The model supports a data classification policy database considerations such as schema evolution,
which fits naturally into the object-oriented model. transactions and controlled sharing of data. Our
The classification technique is based on the inhcri- understanding of these issues comes from rcfs. [I],
tance lattice which allows a natural way of expres- [7] and [IT].
519
T..F. Keefe et al.ISODA: A Secure Object-oriented Database System
lcvcl can send and receive messages. Secondly, mcs- object, there is good assurance that no portions ot
sages arc sent to the class to carry out actions on the the system are unprotcctcd. The view that cvcry-
instances of the class. When the instances of the thing is an object is interesting. It gives a simple
class have different sensitivity levels, the class understanding of the system but dots not tell the
objects must tither bc trusted to handle multilcvcl whole story. To really understand the objcct-
objects, or thcrc must be a version of the class for oriented model and our security model it is ncccs-
each sensitivity lcvcl. Thcsc models also have diff- sary to understand the practical limitations of this
culty with shared variables, c.<q.variables in the class view. For cxamplc, all objects store their state in
which arc available to all of the instances. Unless instance variables in the form of other objects. This
the instance objects and the class sham the same view leads to an indcfinitc recursion. Each object
sensitivity lcvcl, c-1ass variables will tither be stores its state in terms of other objects and no values
unreadable or unwritablc. These problems stem arc actually stored. The missing concept is the
from the fact that a method when executing in this primitive object. These objects reprcscnt their state
model has access to all of the object’s data. directly without using other objects and thcrcfore
tcrminatc the recursion. Another example of a
Data classification in our model is based on special case involves methods. Methods carry out
inheritance. Each object in a class shares the same their actions by sending messages. This is also a
classification constraint. Each may have a different problem; each method sends mcssagcs but none
sensitivity level but all satisfy the common con- performs a computation. Primitive methods arc the
straint. The classification constraint of a class is answer to this problem; they perform actions
inherited by its sub-types. The constraint may be directly and send no messages. Another concept of
redcfincd in the new class but only by the system object-oriented systems is that each object is an
security officer. instance of another. The solution here is the object
Mctaclass which is an instance of itself.
Attaching classification constraints to classes and
allowing subclasses to inherit classification con- These discontinuities point to special cases in the
straints simplifies data classification. It uses the object-oriented model and special casts in our
existing structure of the system as the basis for security model. The three cases dcscribcd above
classification. The inheritance of constraints must be considered as special cases of the security
cnsurcs that they only need to be spccificd when model as well. First, all objects in the model arc
there is a change. labcllcd except primitive objects which are not
labelled at all. They represent basic data elements
Data classification specifics a range of sensitivity which have little meaning out of context. Secondly,
lcvcls which can be assigned to an object and is all methods have an independent current classifka-
strictly enforced by the model. This allows the clas- tion level except for primitive methods. Thcsc
sification rigidity to bc adjusted on a fine scale. methods inherit the current classification of the
method activation which called them. Each object
Each method activation is independent. The inherits classification constraints from its class.
current classification level of the method activation Metaclass is an instance of itself and must provide a
rcprcscnts the sensitivity level of data which the built-in classification constraint.
activation has read. Once the activation finishes,
this information disappears and control is returned 4.1 Security Entities
to the caller acting with its original authority. This section identifies the security role played by
each entity in the object-oriented model. The
A fundamental concept of the model is that since portions of the object-oriented model discussed arc
everything in the object-oriented model is an as follows: classes, primitive objects, objects,
520
Computers and Security, Vol. 8, No. 6
instance variables, messages and method activa- context described by an activation. The execution is
tions. carried out by sending mcssagcs to objects. Primi-
tive methods are carried out directly by the
Classes method activation without sending mcssagcs.
A class represents the type of its instances. The class
defines the methods and instance variables its 4.2 Labelled Entities
instances have. It also defines class variables which This model supports two types of labclled entities,
arc available to all instances. Classification con- objects and instance variables. Each object can
straints arc recorded in the class and apply to all support only one type. Either the object is labelled
instances. or its instance variables arc, but not both. Object
labelling associates a sensitivity label with an object.
Primitive Objects This label is used to arbitrate access to the cntirc
Thcsc objects arc the basic clemcnts which all object regardless of the context in which it is used.
objects can be broken into. They arc not assigned This type of labelling is illustrated in Fig. 2.
sensitivity lcvcls. They represent basic data elc-
ments which have little meaning out of context. An object with instance variables labelled has a
sensitivity level for each instance variable of the
Objects object. The label controls access to the contents of
Each object can have a sensitivity level. This sensi- the instance variable. This labelling protects the
tivity level restricts access to the whole object associations between instance variables. Since an
rather than just one instance variable. This classifi- object can bc refcrcnced by more than one object,
cation method can be used to protect the objects variable labclling allows a classification to be asso-
regardless of where the rcferencc is from. ciated with each context in which the data arc seen.
Variable labelling is illustrated in Fig. 3.
Instance Variables
Each instance variable can have a sensitivity level.
The value of the instance variable is the protected
data. This classification can bc used to protect
Label
primitive values and associations between objects.
Messages
A message is sent on behalf of, and represents a
~
subject. It is sent to an object requesting execution
of a sclectcd method with the authority of the
security subject which the message represents.
Fig. 2. Object labclling.
Messages arc conceptually labelled with two
security classification levels. The first is the clcar-
ante level of the user. The second level is the cur-
rent security classification of the originating
timphgee
method. These two levels act as an upper and lower
bound on the authority of the new method activa-
tion.
Method Activations
Method activations are the only active entities in
the model. Each method executes in a separate Fig. 3. Instance variable labelling.
521
T. F. Keefe et aLlSODA: A Secure Object-oriented Database System
522
Computers and Security, Vol. 8, No. 6
Rule 1.1
Read the value of a labelled object with sensitivity
lcvc! Lo if Lo G Ls,,,,,. An unreadable object
returns nil. (Nil is the val.uc stored in an instance
variable when an object is created. It means that no
object is stored there.) Fig. 5. Labelled object modification rules.
523
T. F. Keefe et al.ISODA: A Secure Object-oriented Database System
allowed to change and thcsc changes have not yet Rule 1.1’
been defined. The maintenance of these properties Read the value of all labcllcd objects in the poly-
can be ensured only after examining the modifica- instantiated set with sensitivity level Lo if
tion policy for method classification levels. The Lo 6 Ls,,,,,. Nil is returned when no objects arc
security propertics cnforccd by the model arc dis- readable.
cussed in Section 5.
Rule 1.2’
Add a labclled object to the polyinstantiatcd set
4.52 Polyinstantiation with sensitivity level Lo = Lsrorrrnrif LbOllO,,,
< Ls,,,,,
The multiparty update conflict is noted by Den- and LsC,,,C,,l6 L,,,; otherwise reject the update and
ning et al. in [4, 51 and is the problem which poly- inform the user.
instantiation addresses. The conflict arises when
low-level users unknowingly attempt to overwrite Polyinstantiation introduces scvcral problems. First,
higher level data which are invisible to them. If the the intcrprctation of the data bccomcs more com-
write is rcjectcd a storage channel is created. If it is plex. Many simple values bccomc sets of values
allowed, high level users have no way to protect when polyinstantiation is used. This complicates
their data. understanding of the data and makes applications
harder to develop. The second problem deals with
Until now, WC have ignored this problem. If the replacement. Normally, when a labelled object is
classification range for an instance variable is stored in an instance variable it replaces the
dcgeneratc, i.e. LbOlfO,,,
= Lrop, this is adequate. In this lab&d object that is already thcrc. With poly-
case, the slot in which a labelled object is stored has instantiation this is not necessarily the cast. It may
one allowable sensitivity level. The model requires just add another value to the set.
that to store a labcllcd object the user’s classifica-
4.5.3 Method Activation Security Levels
tion level be equal to the lcvcl of the slot (Rule 1.2).
Now if an update is rejected it is so because the A method activation executes with a security classi-
user’s classification does not satisfy Rule 1.2. This fication level LScu,,c,,tdetermined by two quantities.
rejection cannot cause a covert channel. The first is the clcarancc level LSclca, of the user.
The second quantity is the current security classifi-
cation level LSorlglnaror of the method activation
When Lropstrictly dominates Lbotromeach slot has a
which started this method by sending a message.
range of sensitivity levels. In this case polyinstantia-
Below is a set of rules determining the current
tion is used to eliminate the conflict. Polyinstantia-
security classification of a method activation.
tion allows each slot to contain an object of each
sensitivity level between Lbottomand Ltoy. Rule 2.1
The login method begins execution with classifica-
Polyinstantiation is added to the model by allowing tion level Ls,,,,,,,_ = SYSTEM LOW, (the method
each instance variable to contain a collection of begins when the system is started and has no
labelled objects. This collection is called a poly- originator).
instantiated set. Each element of the set is a labelled
object. The sensitivity level ‘of each clement is Rule 2.2
unique in the set. When an element is added with A method activation begins with a classification
the same sensitivity level it replaces the original level Lscurrenr
= LSorigi*mor~
member.
Rule 2.3
Rules 1.l and I.2 of the previous section can be If a labelled object with sensitivity level Lo such
revised to include polyinstantiation as follows: =GLo is read or added to a polyinstan-
that LsCurrcnr
524
Computers and Security, Vol. 8, No. 6
tiatcd set the current classification level of the “Method Activation 1” (Rule 2.2). “Method Activa-
method will be increased to the least upper bound tion 1” reads an object with a sensitivity level L 1. In
ofLScurrclltand Lo, i.e. LkurrcIlrlub L,. the process of doing this its current classification
level is raised to Ll (Rule 2.3). When “Method
Rule 2.4 Activation 1” returns, the “Login Activation”
The object rcturncd by a method activation is resumes with its original current classification level
labcllcd with the method activation’s LsCu,rcnr. of System Low. Finally, it writes an object with
constraint [~2, L2) and subscqucntly raises its
Thcsc rules cnsurc LsCUlrCllfwill always dominate the current classification level to L2 (Rule 2.3).
lcvcl of the information available to the activation.
The current classification level will begin at the
5. Model Properties
lowest possible level to allow the method activation
the most flexibility possible. This section discusses properties of the security
model. WC do not attempt formal proofs of these
One point that is not explicitly stated is that the properties but use informal arguments to
current classification level pertains to a method dcmonstratc them.
activation. When the method returns, the informa-
tion encoded in the state of the activation dis- 5.1 Simple Security Property
appears. The caller then resumes with its original The simple security property states that a subject
current classification lcvcl. with a clearance level L, is not allowed to read an
object with a sensitivity level L, such that Lo > L,.
An cxamplc of how these rules work is shown in In the notation used in this model, a subject with
Fig. 6. Each line shows the authority range [current clearance level LSclca, is not allowed to read an
classification level, clearance level] for a method object with sensitivity level L,, if Lo > Ls,,,,,. This
activation. The action which causes the change in is ensured by Rule I. 1’.
authority level is described in italicized text
bctwecn the lines. 5.2 *-Property
The *-property states that a subject with current
The “Login Activation” begins with a current clas- security classification level L, cannot write objects
sification level of System Low (Rule 2.1). It sends a with sensitivity level Lo such that L, > Lo. The
message to another object which starts execution of proposed model does not allow information to bc
written down. Evidence is based on two facts. First,
the current classification level dominates the sensi-
tivity level of all information accessible to the
method (Rule 2.3) and secondly the method activa-
tion cannot write or create objects such that
L Scurrent
> L, (from Rule 1.2 I, i.e. Ld = LsCUrrenr).
525
T. F. Keefe et al.ISODA: A Secure Object-oriented Database System
526
Computers and Security, Vol. 8, No. 6
527
T. F. Keefe et al. ISODA: A Secure Object-oriented Database System
TABLE I
Trusted design components
Lkcriptior2
This represents the interface between the OHJ~CT and the OHJECTM~MOKY. It must allocate objects to the
proper sensitivity memory scgmcnt.
If an attempt is made to read or write above the current classification level in accordance with I<ulc 1.l ’
and 1.2’, the WHJECT is requested to raise its current classification level to allow the read or write.
OHJK’T When a method begins execution, the WIIJE~T is instructed to stack its current classification lcvcl. The
WHJKT will unstack its previous current classification level when the method completes.
OI~JECT c’~.Ass supports the classification of oHJt(‘l. It provides protocol for recording the security
constraints and providing access to them by the object memory.
I’OLYIN5TANTIAl~tl) \I:1 This object must support sets of labellcd objects. It supports methods to insert and retricvc objects
determined by their sensitivity level. This object hides the polyinstantiated sets from the user, but relics
on the object memory for security.
\UHJK’l This object represents the subject. It supports requests to change the current classification level, stack and
unstack its current classification level.
This class provides the interface for setting the classification of oIjJE(:l (‘LA\> by the system security
officer. This is a trusted application.
classification level of the process as required. The Fig. 7. Object allocation for labelled objects.
528
Computers and Securiv, Vol. 8, No. 6
model described in ref. [2] provides a command to We identified several primitive methods used for
change creating new objects, accessing instance variables
relies on a subject not maintaining and performing methods. These methods are
memory segments inherited by all objects in the system and served as
the basis for access control. These methods are
described briefly below.
iNsrv.4RA-r:index
method activation. This method answers the contents of the instance
variable denoted by index.
529
T. F. Keefe et al. ISODA: A Secure Object-oriented Database System
classification level is stacked before a method is ing was especially useful bccausc by building the
cxccuted and is unstacked when the method com- prototype WC learned precisely the parts of the
plctcs. This functionality is included in the PER- object-oriented model which we needed to undcr-
FORM:WITH: method. Each subject has a window stand.
intcrfacc. Since SMALLTALK does not support multi-
ple simultaneous users this gives us a way of Dynamic modification of the current classification
simulating their interaction. lcvcl was the biggest unknown in our model. In
our original model (121 the current classification
With polyinstantiation comes a new class Poly- level was associated with a user and not the subject.
instantiatedsct. Instances serve as repositories of In this model, the current classification level of a
labcllcd objects. The labcllcd objects in a Poly- user cannot decrcasc. The prototype made apparent
instantiatedset have unique sensitivity lcvcls. The how restrictive this model was. The prototype
class supports methods for selecting visible objects, helped us to explore the feasibility of associating
adding objects to the set, and methods to support
the current classification with the method activa-
heuristic selection stratcgics, such as “most sensitive
tion. This cffcctivcly allows the current classifica-
member”. tion as seen by the user to dccreasc. The prototype
hclpcd us to understand the risks and gather evi-
The prototype has been modified to follow the dcncc of the approach’s feasibility.
spcciflcation in this paper and now scrvcs as an
cxpcrimcntal prototype. An experimental proto-
We originally thought it would be relatively easy
type necessarily has a limited focus. This prototype
to develop a secure database on top of SMALLTALK.
limits its focus to the following issues
We assumed that certain low level operations such
as sending mcssagcs or accessing instance variables
(1) Access restrictions.
could be mod&cd directly. We planned to modify
(2) Security constraints.
thcsc methods and embed the security model in
(3) Polyinstantiation.
the SMALLTALK system itself. This turned out to be
?Jna”‘c modification of subject security
, difficult since these operations are carried out
directly by the interpreter. Changing these func-
(5) Sensitivity labellcr.
tions requires modifications to the compiler or the
interpreter. Regardless, the prototype was
It dots not address
dcvelopcd according to this model. The model can
be exercised but the security it provides can be
(1) System architecture.
bypassed.
(2) Pcrformancc.
This focus determines the types of tests that can be By trying to implement certain aspects of the
carried out using this prototype. We intend to USC model WC found out immediately its complexity.
the prototype to explore the impact of polyinstan- While a simple function may have a complex
tiation on the user and the application developer. implementation, if the complexity cannot be
reduced, it is likely that the function is complex.
The prototype clarified our understanding of the One place where we have noticed a lot of complex-
SODA model and helped us to refine it. The pro- ity is in our implementation of Polyinstantiatcd-
cess of prototyping also gave support to the feasi- Sets. The selection of elements to retrieve and
bility and soundness of the model. Our increased replace is quite complex in the prototype. WC
understanding came in part from a better undcr- believe more clarification of polyinstantiation in
standing of the object-oriented model. This learn- our model is needed.
530
Computers and Security, Vol. 8, No. 6
Logical structuring of the model was improved only used when it is indicated by the data being
from the prototype. The prototype makes apparent stored and not because of rcstrictivcness of the
the inappropriate distribution of responsibilities. In security model.
the object-oriented model an object only has access
to its own data. This encapsulation makes poor One distinct advantage of our approach is that the
logical structure readily apparent. If responsibility object-oricntcd computation model provides a
is distributed unreasonably it will lead to a compli- uniform treatment for all objects in the system.
cated implcmcntation. An example of this is This simplifies the statcmcnt of a security model
responsibility for initializing secure objects. This and provides a high lcvcl of assurance.
includes examining the classification and either
enclosing the object in a labcllcd object or storing We have developed an exploratory prototype of the
labelled objects in each instance variable of the model to examine its feasibility. The prototype has
object. We originally wanted the class to carry out been modified to adhcrc to the model described in
this function since it had access to the classification this paper and we intend to USC it to explore imple-
information. It became clear in prototyping that mcntation issues, the ability of the model to
this solution was not sound and the function support application devclopmcnt, and pcrformancc
bccamc the responsibility of the instance. issues.
8. Conclusion References
We have proposed a security model for a multi- [‘IJ. Banerjee, H. T. Chou, J, F. Garza, W. Kim, D. Woclk, N.
level secure object-oriented system, SODA. It is hllou and H. J. Kim, I>ata model issues for object-
oricntcd applications, ACM 7ians. O@r Ir$rnj. Sysf., (I)
posed in terms of an object-oriented computation
Uanuary 1 Y87) 3-26.
model. Each object is assumed to be a self-con-
PI I>. E. Bell and L. J. LaPadula, Secure computer systems:
tained computing element whose only interaction unified exposition and mulrics interpretations, ?>c/I. Rep.
with other objects is through sending and receiving M7’R-Z997, March lY76 (Mitrc Corporation, Burlington
mcssagcs. Itoad, Belford, MA 01730, U.S.A).
PI A. Casey, Jr., S. T. Vinter, D. G. Weber, II. Varadarajan
T.
and D. Rosenthal, A secure distributed operating system.
The model allows a flexible labelling strategy based I’rt~c. 19X8 IEEE Sywp. ONSmrriry atrd Privacy, Oak/aud, CA,
on the inhcritancc lattice. The strategy accounts for Apri/ 1988, pp. 27-38.
the instance-of and sub-type relation. The two PI D. E. Denning, S. K. Akl, M. Heckman, T. F. Lunt, M.
labclling strategies allow classification of the Morgenstcrn, P. G. Neumann and K. II. Schcll, Views for
multilcvcl database security, IEEE Trans. Sofiwar~ Erg., SE-
objects themselves, or of their instance variables.
13 (2) (February 1087) 12Y- 140.
This allows a sensitivity to be associated with the
151D. E. Denning, T. F. Ixnt, l<. Ii. Schell, M. Hcckman and
information contained in the object or the context W. li. Shockley, A multilevel relational data model, Proc.
in which the information is seen. Each object 1987 Symp. on Security and Privacy, April 1987, pp. 220-234.
inherits a labelling constraint from its class. The PI B. B. Dillaway and J. T. Haigh, A practical design for
multilevel security in secure database management sys-
constraint specifics a range of allowable sensitivity
tems, Aerospace Security ConJ, December 1986.
levels for the data being labellcd. These types of
PI D. H. Fishman, D. Beech, H. P. Cate, E. C. Chow, T. Con-
constraints allow one to control the rigidness of the nors, J. W. Davis, N. Derret, C. G. Ho&, W. Kent,
classification rules on a class by class basis. P. Lyngbaek, B. Mahbod, M. A. Neimat, T. A. Kyan and M.
C. Shan, IKIS: an object-oriented database management
system, ACM Tram. Ofice Inform. Syxf., 5 (1) (January 1987)
Access control in the model accounts for the com-
48-69.
putational model of the application program. This
simplifies the task of multilevel updates on objects
PI C. Floyd, A systematic look at prototyping. In I<. Budde,
K. Kuhlenkamp, L. Mathiassen and H. Ziillighoven (eds.),
with rigid classification rules. Polyinstantiation is Approach IOProfotypin~, Springer, Berlin, 1984.
531
T. F. Keefe et aLlSODA: A Secure Object-oriented Database System
7. F. Lunt, I<. l<. Schcll, W. II. Shocklq, M. Hccknun and UNARY MESSAGES
I). Warren, A war-tcrln design for the SeaView tnulti- A unary message cxprcssion consists of the name of
lcvcl database system, Proc. 1988 IEEE Synrp. O~ISecurity orrn the rcccivcr object followed by the sclcctor of the
Privacy, Oakhf, CA, April 1988, pp. 231-241.
method to be executed. The statement below sends
T. F. Lunt, Sccurc distributed data views: identification of
dcficicncics and directions for future rcscarch, A007: I’innl
the message consisting of a selector named SALARY
I+., Vol. 4, Sill International, January IOXY, pp. 05-74. and no parameters to the object “EmpO 1:”
I>. Maicr and J. Stein, Dcvcloptncnt and i~nplclnc~~tatiot~
of an object-oriented DUMS. H. Shriver and P. Wcgncr
EmpO 1 SALARY
(cds.). In Ktwarclr Dirdor2.s in Ol+ct-Orimtrd I’roprtmii~g,
Massachusetts Institute of Technolog Press. Cambridge,
MA, 1987, pp. 35.5392. KEYWORII MESSAGES
M. Mizutw and A. E. Oldchocft, Information flow control A message can bc constructed from parts of the
111 a distriburcd object-oriented systelx ‘with statically selector or keywords alternated with arguments.
bound object variables, Pm. fOt/l NBS’NCSC Nariorrn/
The following message sends the object “House-
GJrnyrrt~rSt,~urity ChJ.~ Bahnorr, MD, 1987, pp. 36-07.
M. St&k and 11. G. Sobrow, Object-oriented program-
HoldFinances” the selector SPENII:~N: along with
,ning: thcmcs and variations, AI Max., 6 (4) (Winter 1086) objects representing the real number 30.45 and the
40-62. string “food.”
II. S. Tostcn, Data security in an object-oriented environ-
tncnt such as Stnalltalk-80, hr. f 988 Int. Conf: O~I COWI-
puler Lanpqes, Miami, FL, October 1988, pp. 234-241. HouseHoldFinances SPEND: 30.45 ON: “food”
532
Computers and Securiv, Vol. 8, No. 6
meters by a “I ” is a list of expressions which form The block sends its argument the message “salary”
the body of the block. The block shown below is a and to the resulting object it sends the message
function of one argument “objectToClassify” and with selector > and argument 100000. A block-is
returns a boolean result an object and can be used as an argument to a
[:objectToClassifyl (ObjectToClassify salary) > 1 OOOOO] method.
Dr. Bhavani Thuraisingham is a lead W. T. Tsai rcceivcd his Ph.D. and M.S.
engineer at the MITW Corporation d cgrees in computer science from the
researching in database security and University of California, Berkeley, in
integrity. Previously- she was at Honcy- 1982 and 1986 respectively, and an SS.
well Inc., and before that at Control d egrcc m computer science and engi-
Data Corporation where she worked on neering from MIT in lY70. He is cur-
database security, knowledge-based sys- rently an assistant professor in ‘the
tems and networks. She was also an Department of Computer Science at the
adjunct professor and member of the University of Minnesota. His areas of
graduate faculty in the Department of intcrest arc software engineering, artifi-
he University of Minnesota. cial intelligence, computer security, and computer systems. Hc
is a member of IEEE and AAAI.
Dr. Thuraisingham received her 13s degree in mathematics and
physics from the University of Sri-Lanka, t&j degree in com-
putcr science from the University of Minnesota, MSc. dcgrcc T. F. Keefe is a graduate student in the
in mathematical logic from the University of Bristol, U.K., and Department of Computer Science at the
Ph.D. degree in recursive functions and computability theory University of Minnesota. His. rcscarch
from the University of Wales, Swansca, U.K. She has published intcrcsts include database security and
more than 30 technical papers in the arcas of database security, software cnginccring. He rcceivcd a B.S.
knowledge-based systems and computability theory. She is a degree in clcctrical cngincering and an
member of the LEEE Computer Socicw, ACM and L&ma-Xi. MS. degree in computer science from
the University of Minnesota in I X30and
1985 rcspcctivcly. He is a mcmbcr of
IEEE.
533