You are hereMultilevel Security / MLS Concurrency Control

MLS Concurrency Control


The intent of Multilevel Security is to prevent unauthorized information flows to users who are not cleared to access the information. One covert way that illegal information flows may occur within non-secure systems is by exploiting locking concurrency control protocols (e.g., two-phase locking or explicitly locking) commonly used within non-secure DBMS products.

 

The illegal information flow is achieved by a high-level user locking a low-level object for read. A low-level user then attempts to lock the object for write. Because the write lock requires a unique lock, it will be delayed or denied because of the existence of the high-level lock. The low-level user can then create a program that exploits the existence (or non-existence) of the locking delay to receive information from the cooperating high-level user. The following diagram demonstrates this process.

 

Insecure Concurrency Control Resulting in an Illegal Information Flow

Trusted RUBIX eliminates the covert channels provided through locking concurrency protocols by using a unique algorithm know as the Secure Multiversion Timestamp Ordering (Secure MVTO) concurrency control protocol. Secure MVTO creates a new version of a row upon every update and uses transaction timestamps to ensure a user operates on the correct row version.

 

In our example, the high-level user never locks the row being read. Additionally, the low-level user never requires a lock on the row, she simply creates a new version of the row alongside the original version.

 

The following diagram demonstrates how Trusted RUBIX and Secure MVTO remove illegal information flows caused by locking concurrency control algorithms.

 

Trusted RUBIX Secure Concurrency Control