In most conventional computer environments an increase in complexity of security mechanisms for greater precision and resolution can possibly degrade the performance of the system. Also, security checking which is often embedded In the operating system, database management system, or both is difficult to change and verify. This dissertation presents a new system architecture that can possibly solve many of the problems of protection and security found in a conventional environment. This new system is a MULTIprocessor system for supporting Secure Authorization with Full Enforcement (MULTISAFE) for database management.
The architecture of MULTISAFE combines the concepts of multiprocessing, pipelining, and parallelism to form a new system organization. The system's organization ls partitioned into three modules: the user and application module (UAM), the data storage and retrieval module (SRM), and the protection and security module (PSM). Each module is viewed as being implemented on one or more hardware (or virtual) processors with its own memory. The system organization incorporates a multiport-memory organization with private memories. A memory is made "private" by connecting only certain processors to it thereby providing physical separation between the UAM memory and the PSM and SRM memories. This separation (or isolation) can significantly improve security because it is physically impossible for a user to access the PSM or the SRM memories. System performance can possibly be enhanced by concurrent processing.
The modules (or processors) require direct communication among themselves and the system users. Because of this communication requirement MULTISAFE is viewed as a message-driven, dataflow system. The majority of this dissertation focuses on the flow of messages and on showing that this flow is secure. To have secure message flow in MULTISAFE all messages are classified, and all message sequences are identified. All messages are classified by five attributes (class, source, target, type, and subtype). Message sequences are formed by the receiving and sending of messages. That is, the target module of the received message becomes the source of the sent message. Message sequences begin with a user’s access request and ends with a response for that request. Such sequences are called round-trip message sequences.
Once the messages and their flow have been described, it is then possible to describe how each MULTISAFE module monitors its own messages. The monitoring of messages follows the pattern of receiving a message, processing the message, and sending a message. These three dataflow components are described as abstract data operations on the data object message. These operations are then used to describe the monitoring procedure for each module. Each module monitor is basically a table look-up process which uses the classification of the received message as the table index for determining the next message to be sent.
The proof that message flow is secure consists of showing that every message in MULTISAFE is part of a message sequence and. that every message sequence is part of a round-trip message sequence. The proof culminates by showing that an access decision is made on all MULTISAFE round-trip message sequences. / Ph. D.
Identifer | oai:union.ndltd.org:VTETD/oai:vtechworks.lib.vt.edu:10919/109937 |
Date | January 1979 |
Creators | Trueblood, Robert P. |
Contributors | Computer Science and Applications |
Publisher | Virginia Polytechnic Institute and State University |
Source Sets | Virginia Tech Theses and Dissertation |
Language | English |
Detected Language | English |
Type | Dissertation, Text |
Format | xi, 179 leaves, application/pdf, application/pdf |
Rights | In Copyright, http://rightsstatements.org/vocab/InC/1.0/ |
Relation | OCLC# 05142901 |
Page generated in 0.0023 seconds