Abstract
A multilevel secure (MLS) replicated database system consists of a set of untrusted databases, one at each security level. Each database contains replicas of the objects of all levels it dominates. To ensure consistency, the transaction scheduler at each level must produce a serializable schedule whose serialization order is compatible with those of all dominated databases, a property we call downward compatibility. For some security label orderings, however, this mechanism alone, without additional synchronization, can yield a nonserializable global schedule. In this paper, we identify a class of partially ordered sets (posets), which we call multilevel-acyclic, for which downward compatibility alone suffices to guarantee a serializable global order. We present a basic protocol and show that it is correct for multilevel-acyclic posets. To handle posets outside this class, we propose a timestamp-based protocol that works for all posets by assigning timestamps carefully and committing transactions in timestamp order. We also present an untrusted (distributed) method of timestamp generation for the timestamp-based protocol.
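The failure mode the abstract describes can be made concrete with a small model. The following Python script is an added illustration and is not code from the paper; the security poset, the transaction names (t1, t2, ta, tb, th) and the per-level serial orders are all constructed for the example, and the paper's precise definition of "multilevel-acyclic" is not reproduced. The script models downward compatibility as defined in the abstract, shows that two incomparable levels A and B, each downward compatible with the two incomparable low levels L1 and L2 they both dominate, can still order the replicated low transactions differently, so that the global precedence relation has a cycle and the top level H has no downward-compatible order left to choose. It then shows that a chain poset does not have this problem, and that the abstract's remedy, committing at every level in a global timestamp order, restores a consistent global order on the same troublesome poset.

```python
"""Downward compatibility in an MLS replicated database: a constructed model.

Each level's scheduler emits a serial order over its own transactions plus
the replicas of transactions from the levels it dominates. Downward
compatibility: restricting a level's order to what a dominated level can see
must reproduce that dominated level's order exactly.
"""
from itertools import permutations

# Constructed security poset, transitively closed: POSET[l] is the set of
# levels strictly dominated by l. H sits above two incomparable levels A and
# B, each dominating two incomparable low levels L1 and L2, so the Hasse
# diagram contains an undirected cycle A-L1-B-L2-A (an illustrative shape,
# not the paper's definition of a non-multilevel-acyclic poset).
CYCLIC_POSET = {
    "L1": set(), "L2": set(),
    "A": {"L1", "L2"}, "B": {"L1", "L2"},
    "H": {"A", "B", "L1", "L2"},
}
# A chain L < M < H for comparison.
CHAIN_POSET = {"L": set(), "M": {"L"}, "H": {"M", "L"}}

# Constructed transactions and their home (classification) levels.
HOME = {"t1": "L1", "t2": "L2", "ta": "A", "tb": "B", "th": "H"}
HOME_CHAIN = {"x": "L", "y": "M", "z": "H"}

# Constructed per-level serial orders for the cyclic poset. A and B are each
# downward compatible with L1 and L2 (each low level only orders itself),
# yet they disagree on the relative order of the replicated t1 and t2.
ORDERS = {
    "L1": ["t1"], "L2": ["t2"],
    "A": ["t1", "t2", "ta"],
    "B": ["t2", "t1", "tb"],
}
ORDERS_CHAIN = {"L": ["x"], "M": ["y", "x"]}


def visible(poset, level):
    """Levels whose transactions are replicated at `level` (itself included)."""
    return {level} | poset[level]


def restrict(order, home, levels):
    """Project a serial order onto the transactions homed at `levels`."""
    return [t for t in order if home[t] in levels]


def downward_compatible(poset, home, orders):
    """True iff every level's order, restricted to what each dominated level
    sees, equals that dominated level's own order."""
    return all(restrict(orders[l], home, visible(poset, d)) == orders[d]
               for l in orders for d in poset[l] if d in orders)


def precedence_edges(orders):
    """Union of the 'x before y' relations of all per-level orders."""
    edges = set()
    for order in orders.values():
        for i, x in enumerate(order):
            for y in order[i + 1:]:
                edges.add((x, y))
    return edges


def has_cycle(edges):
    """Kahn's algorithm: the relation is cyclic iff some node never drains."""
    nodes = {n for e in edges for n in e}
    indeg = {n: 0 for n in nodes}
    for _, y in edges:
        indeg[y] += 1
    ready = [n for n in nodes if indeg[n] == 0]
    drained = 0
    while ready:
        n = ready.pop()
        drained += 1
        for x, y in edges:
            if x == n:
                indeg[y] -= 1
                if indeg[y] == 0:
                    ready.append(y)
    return drained != len(nodes)


def count_compatible_orders(poset, home, orders, level):
    """Brute-force how many serial orders `level` could emit while staying
    downward compatible with the orders already fixed below it."""
    txns = [t for t in home if home[t] in visible(poset, level)]
    return sum(downward_compatible(poset, home, dict(orders, **{level: list(p)}))
               for p in permutations(txns))


def timestamp_orders(poset, home, stamps):
    """Simplest reading of the abstract's timestamp protocol: every level
    commits the transactions it sees in global timestamp order."""
    return {l: sorted((t for t in home if home[t] in visible(poset, l)),
                      key=stamps.__getitem__) for l in poset}


def scenario():
    """Run the constructed scenario; returns the four facts asserted below."""
    locally_ok = downward_compatible(CYCLIC_POSET, HOME, ORDERS)
    globally_cyclic = has_cycle(precedence_edges(ORDERS))
    options_for_h = count_compatible_orders(CYCLIC_POSET, HOME, ORDERS, "H")
    stamps = {"t2": 1, "t1": 2, "tb": 3, "ta": 4, "th": 5}   # constructed
    ts = timestamp_orders(CYCLIC_POSET, HOME, stamps)
    ts_ok = downward_compatible(CYCLIC_POSET, HOME, ts) and not has_cycle(precedence_edges(ts))
    return locally_ok, globally_cyclic, options_for_h, ts_ok


if __name__ == "__main__":
    print(scenario())
    print(count_compatible_orders(CHAIN_POSET, HOME_CHAIN, ORDERS_CHAIN, "H"))
```

With the constructed orders, `scenario()` reports that every level is downward compatible, that the union of their orders already contains the cycle t1 before t2 before t1, that H has zero admissible orders, and that deriving every level's order from one set of timestamps is both downward compatible and globally acyclic. On the chain poset, H has three admissible orders (z can be placed anywhere around the fixed y-before-x), so the only constraint is the one downward compatibility imposes.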
