Multilevel Secure Database Management Prototypes

The three systems described in this essay each target the most stringent security standards embodied in the A1 requirements as defined by the US Department of Defense " Trusted Computer Systems Evaluation Criteria " [DOD85], which is commonly called the Orange Book. While the initial designs of all these systems — and in some cases the implementations — predate the " Trusted Database Management System Interpretation of the Trusted Computer System Evaluation Criteria " [NCSC91] (commonly called the TDI), they all had the Orange Book as a guide to the fundamental requirements that must be satisfied by a secure system at the A1 level. Also, in some cases, work on these prototypes provided the basis for comments on the evolving TDI. In addition to their A1 target, these three systems share a similarity in that they were and are intended as research prototypes, not commercial products. This means that they are not held to the requirement of satisfying market conditions, but also that they may not have had the funding to include all of the capabilities that would be required of a commercial offering. Their intent was to push forward the frontier in the area of security, but not necessarily with all the " bells and whistles " of a complete product. This is not to detract from their contributions, which are many, but only to alert the reader to the fact that today's research prototype may lead tomorrow's commercial product by many years. All of the systems enforce both a mandatory and a discretionary policy. The basis for mandatory enforcement is the access class, which includes a hierarchical, linearly ordered component called levels (for example , Top Secret > Secret > Confidential > Unclassified), and a nonhierarchical component called categories, which is not ordered. The set of access classes is partially ordered and forms a lattice. In this lattice , access class A is said to dominate access class B if the hierarchical component of A is greater than or equal to the hierarchical component of B, and the set of categories associated with A is a superset of the set