Similar literature
Found 20 similar documents; search took 15 ms
1.
Applying semantic knowledge to real-time update of access control policies   Total citations: 1, self-citations: 0, citations by others: 1
Real-time update of access control policies, that is, updating policies while they are in effect and enforcing the changes immediately, is necessary for many security-critical applications. In this paper, we consider real-time update of access control policies in a database system. Updating policies while they are in effect can lead to potential security problems, such as access to database objects by unauthorized users. In this paper, we propose several algorithms that not only prevent such security breaches but also ensure the correctness of execution. The algorithms differ from each other in the degree of concurrency provided and the semantic knowledge used. Of the algorithms presented, the most concurrency is achieved when transactions are decomposed into atomic steps. Once transactions are decomposed, the atomicity, consistency, and isolation properties no longer hold. Since the traditional transaction processing model can no longer be used to ensure the correctness of the execution, we use an alternate semantic-based transaction processing model. To ensure correct behavior, our model requires an application to satisfy a set of necessary properties, namely, semantic atomicity, consistent execution, sensitive transaction isolation, and policy-compliant. We show how one can verify an application statically to check for the existence of these properties.

2.
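In distributed real-time database systems, transactions have timing constraints (such as deadlines) in addition to the ACID properties of traditional database transactions. Neither traditional commit protocols nor the real-time commit protocols studied so far guarantee the atomicity of distributed real-time transactions. Taking the deadline requirements of real-time transactions into account, this paper describes atomic commitment of distributed real-time transactions and its correctness criteria, presents RTACP, an atomic commit protocol suited to firm (or soft) real-time transactions, together with its processing procedure, and proves its correctness. It also compares and evaluates the performance of RTACP, showing that it is superior in several respects.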

3.
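Transactions in real-time database systems may have timing constraints (typically deadlines), and a transaction that misses its deadline may have catastrophic consequences for the system. Transactions must satisfy not only database integrity and consistency but also temporal correctness and structural correctness among transactions. Traditional transaction processing methods focus only on the correctness of transactions' access to the database and cannot address temporal or structural correctness. This paper discusses the correctness of real-time transactions in detail, including result correctness, temporal correctness, behavioral correctness, and structural correctness. Most existing research uses different algorithms and strategies to guarantee different correctness requirements; this paper presents a unified graph-theoretic algorithm for guaranteeing the correctness of real-time transactions.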

4.
Global committability in multidatabase systems   Total citations: 1, self-citations: 0, citations by others: 1
Develops a formal basis for research into the reliability aspects of transaction processing in multidatabase systems (MDBSs). We define a new correctness notion called 'global committability' for the correct unilateral commit and the retry recovery of global transactions in an autonomous MDBS environment. This notion makes it easier to ensure the isolation property of global transactions when the retry approach is applied. The formalization work illustrates that the conventional serializability and recoverability notions are not sufficient to specify the correct execution (i.e. isolated execution and recovery) of global transactions when the unilateral commit and the retry recovery are used to ensure the atomicity of global transactions. This work is significant because the unilateral commit and the retry recovery are an attractive complementary means to the undo recovery (whose correct schedule is specified by the conventional recoverability notion) for advanced transaction applications with the characteristics of site autonomy and long-lived execution.

5.
It is important to note that conflict-preserving serializability and related theory are artifacts of an era of database development where correctness alone was the overriding concern. With the advent of multilevel-secure databases, there is clearly a need to reexamine such theories. Any correctness criterion to govern transaction processing in the multilevel security context has to incorporate both secureness and correctness in a unified manner. This paper makes original contributions in two different but closely related areas to the optimistic concurrency control in multilevel-secure, single-version databases. First, read-down conflict-preserving serializability (CSR/RD) captures multilevel-secure database consistency requirements and secure transaction correctness properties via a single notion. Second, it presents a multilevel-secure optimistic concurrency control (MLS/OCC) scheme that has several desirable properties: If lower-level transactions were somehow allowed to continue with their executions in spite of the conflict with high-level transactions, covert timing-channel freeness would be satisfied. This sort of optimistic approach for conflict insensitiveness and the properties of non-blocking and deadlock freedom make the optimistic concurrency control scheme especially attractive to multilevel-secure transaction processing.

6.
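Commit of mobile distributed real-time nested transactions   Total citations: 4, self-citations: 0, citations by others: 4
In mobile distributed computing environments, transaction mobility and the inherent shortcomings of wireless networks make traditional distributed real-time transaction management mechanisms insufficient to support the execution of mobile distributed real-time transactions, so new transaction processing mechanisms must be studied for mobile real-time transactions to raise their success ratio. This paper focuses on the commit mechanism for mobile real-time transactions. First, by analyzing the characteristics of real-time transactions in a mobile distributed environment, it gives a mobile real-time nested transaction model based on functional alternatives. It then proposes a three-tier commit structure based on this model and a three-phase real-time commit protocol, 3PRTC (three-phase real-time commit), that guarantees the atomicity and structural correctness of mobile real-time transactions. Performance tests show that the proposed transaction model and its commit mechanism can improve the success ratio of real-time transactions.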

7.
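Distributed database systems have seen new architectures that support multiple coordinators and multi-replica storage, which pose new challenges for the correctness of transaction scheduling, including new data anomalies caused by the lack of a central coordinator and read consistency problems caused by the multi-replica mechanism. Based on the definitions of transaction isolation levels and of distributed-system consistency protocols, a hybrid dependency graph model is constructed for multi-level transaction consistency in multi-coordinator, multi-replica distributed databases. This formal model provides a robust evaluation criterion for correct transaction scheduling and makes it easy to analyze and check database transaction schedules dynamically or statically.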

8.
Exception handling in workflow management systems   Total citations: 1, self-citations: 0, citations by others: 1
Fault tolerance is a key requirement in process support systems (PSS), a class of distributed computing middleware encompassing applications such as workflow management systems and process centered software engineering environments. A PSS controls the flow of work between programs and users in networked environments based on a “metaprogram” (the process). The resulting applications are characterized by a high degree of distribution and a high degree of heterogeneity (properties that make fault tolerance both highly desirable and difficult to achieve). We present a solution for implementing more reliable processes by using exception handling, as it is used in programming languages, and atomicity, as it is known from the transaction concept in database management systems. We describe the mechanism incorporating both transactions and exceptions and present a validation technique allowing to assess the correctness of process specifications.

9.
Existing and legacy software systems are the product of lengthy and individual development histories. Interoperability among such systems offers the support of global applications on these systems. However, interoperability among these heterogeneous systems is hampered by the absence of a reliable communication environment that supports the development of global applications. In this paper, we show how a generic communication framework can serve as a testbed for the specification, verification, and execution of distributed communication protocols. The development of distributed, global concurrency protocols is much simpler than using traditional tools, like RPC (remote procedure call), because our framework provides a high-level communication mechanism that frees the protocol designer from thinking in a message-based style. We present several protocols that are consistent with realistic assumptions about local database systems, and proofs of their correctness and consistency preservation. We also show that the execution of these protocols is fault-tolerant. The distribution of systems can be chosen according to application requirements, without adaptation of protocols. Fault tolerance can be fine-tuned within the framework itself, so that verified protocols do not need modifications in this case either. Besides protocols for traditional transaction processing, we present communication protocols for advanced transaction models that relax one or more of the ACID properties of transactions. These advanced transaction models enable local autonomy and thus are much better suited for heterogeneous environments.

10.
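Correctness of real-time database systems   Total citations: 16, self-citations: 0, citations by others: 16
The correctness of a real-time database system is database consistency and transaction correctness closely tied to timing constraints. This paper discusses it in detail and points out that RTDB consistency includes internal consistency, external consistency, and mutual consistency, and that transaction correctness includes result correctness, behavioral correctness, structural correctness, and temporal correctness. A further key issue is the criteria and representation for judging correctness; for this the paper proposes a history model, which can conveniently be used to describe the various appropriate notions of correctness.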

11.
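The popularity and acceptance of e-commerce depend mainly on the following properties: security, atomicity, privacy, and anonymity. There is as yet no suitable e-commerce protocol for electronic transactions of physical goods that require the three properties of security, atomicity, and privacy. On this basis, an e-commerce model called ELC is proposed; the ELC model simulates the electronic letter of credit used in international trade. A secure and atomic e-commerce protocol is then proposed. Finally, the strength and correctness of the protocol are analyzed, in the presence of an intruder, by proving the desired properties with a BAN-style logic.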

12.
Correctness of recent database replication protocols has been justified in a rather informal way focusing only on safety properties and without using any rigorous formalism. Since a database replication protocol must ensure some degree of replica consistency and that transactions follow a given isolation level, previous proofs only focused on these two issues. This paper proposes a formalization using the I/O automaton model, identifying several components in the distributed system that are involved in the replication support (replication protocol, group communication system, database replicas) and specifying clearly their actions in the global replicated system architecture. Then, a general certification-based replication protocol guaranteeing the snapshot isolation level is proven correct. To this end, different safety and liveness properties are identified, checked and proved. Our work shows that some details of the replication protocols that were ignored in previous correctness justifications are indeed needed in order to guarantee our proposed correctness criteria.

13.
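A secure and atomic e-commerce protocol and its formal verification   Total citations: 11, self-citations: 0, citations by others: 11
The spread and acceptance of e-commerce depend mainly on addressing the following properties: security, atomicity, privacy, and anonymity. Formal description and analysis is an effective way to describe an e-commerce protocol and verify its properties. An e-commerce protocol for trading physical goods needs three properties: security, atomicity, and privacy. This paper introduces BEARCAT, a secure and reliable e-commerce protocol, and its formal description, and formally analyzes the strength and correctness of the protocol, in the presence of an intruder, by proving the desired properties with a BAN-type logic.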

14.
Database applications often impose temporal dependencies between transactions that must be satisfied to preserve data consistency. The extant correctness criteria used to schedule the execution of concurrent transactions are either time independent or use strict, difficult to satisfy real-time constraints. On one end of the spectrum, serializability completely ignores time. On the other end, deadline scheduling approaches consider the outcome of each transaction execution correct only if the transaction meets its real-time deadline. In this article, we explore new correctness criteria and scheduling methods that capture temporal transaction dependencies and belong to the broad area between these two extreme approaches. We introduce the concepts of succession dependency and chronological dependency and define correctness criteria under which temporal dependencies between transactions are preserved even if the dependent transactions execute concurrently. We also propose a chronological scheduler that can guarantee that transaction executions satisfy their chronological constraints. The advantages of chronological scheduling over traditional scheduling methods, as well as the main issues in the implementation and performance of the proposed scheduler, are discussed.

15.
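Transactions in secure database systems   Total citations: 1, self-citations: 0, citations by others: 1
In multilevel secure database systems, the "write-up" of the classic BLP model violates database integrity, creates covert channels, and introduces the polyinstantiation problem; commit and rollback dependencies between transactions also create covert channels. Based on an analysis of transaction security, a secure transaction model and a correctness criterion for secure transactions, secure conflict serializability (SCSR), are proposed. Finally, a secure concurrency control algorithm that avoids covert channels is given.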

16.
Overview of multidatabase transaction management   Total citations: 8, self-citations: 0, citations by others: 8
A multidatabase system (MDBS) is a facility that allows users access to data located in multiple autonomous database management systems (DBMSs). In such a system, global transactions are executed under the control of the MDBS. Independently, local transactions are executed under the control of the local DBMSs. Each local DBMS integrated by the MDBS may employ a different transaction management scheme. In addition, each local DBMS has complete control over all transactions (global and local) executing at its site, including the ability to abort at any point any of the transactions executing at its site. Typically, no design or internal DBMS structure changes are allowed in order to accommodate the MDBS. Furthermore, the local DBMSs may not be aware of each other and, as a consequence, cannot coordinate their actions. Thus, traditional techniques for ensuring transaction atomicity and consistency in homogeneous distributed database systems may not be appropriate for an MDBS environment. The objective of this article is to provide a brief review of the most current work in the area of multidatabase transaction management. We first define the problem and argue that the multidatabase research will become increasingly important in the coming years. We then outline basic research issues in multidatabase transaction management and review recent results in the area. We conclude with a discussion of open problems and practical implications of this research.

17.
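Commit protocols for distributed real-time transactions   Total citations: 2, self-citations: 1, citations by others: 2
In distributed real-time database systems, the only way to guarantee transaction atomicity is to research and develop a real-time atomic commit protocol. This paper first analyzes in detail the various dependencies that arise among transactions from data access conflicts, and on that basis proposes a real-time optimistic atomic commit protocol, the 2SC protocol. The protocol reduces transaction waiting time, increases transaction concurrency, and integrates seamlessly with existing concurrency control protocols, guaranteeing the serializability and atomicity of transactions. Simulation experiments show that using the protocol reduces the number of transactions that miss their deadlines.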

18.
Investigates issues related to transaction concurrency control in multilevel secure databases. This paper demonstrates how the conflicts between the correctness requirements and the secrecy requirements can be reconciled by proposing two different solutions. It first explores the correctness criteria that are weaker than one-copy serializability. Each of these weaker criteria, though not as strict as one-copy serializability, is required to preserve database consistency in some meaningful way, and moreover, its implementation does not require the scheduler to be trusted. It proposes three different, increasingly stricter notions of serializability (level-wise serializability, one-item read serializability and pair-wise serializability) that can serve as substitutes for one-copy serializability. The paper then investigates secure concurrency control protocols that generate one-copy serializable histories and presents a multiversion timestamping protocol that has several very desirable properties: it is secure, produces multiversion histories that are equivalent to serial one-copy histories in which transactions are placed in a timestamp order, eliminates starvation and can be implemented using single-level untrusted schedulers.

19.
Automated recovery of system features and their designs from program source codes is important in reverse engineering and system comprehension. It also helps in the testing of software. An error that is made by users in an input to an execution of a transaction and discovered only after the completion of the execution is called a posttransaction user-input error (PTUIE) of the transaction. For a transaction in any database application, usually, it is essential to provide transactions for correcting the effect that could result from any PTUIE of the transaction. We discover some probable properties that exist between the control flow graph of a transaction and the control flow graphs of transactions for correcting PTUIE of the former transaction. Through recognizing these properties, we present a novel approach for the automated approximate recovery of provisions and designs for transactions to correct PTUIE of transactions in a database application. The approach recognizes these properties through analyzing the source codes of transactions in the database application statically.

20.
A lot of research efforts have focused on global serializability, global atomicity, and global deadlocks in multidatabase systems. Surprisingly, however, very few transaction processing models exist that ensure global serializability, global atomicity, and freedom from global deadlocks in a uniform manner. In this paper, we examine previous transaction processing models and propose a new transaction processing model that generates globally serializable and deadlock-free schedules in failure-prone multidatabase systems. A new transaction processing model adopts rigid conflict serializability as a correctness criterion on global serializability, and follows an emulated 2PC, criteria for global commitment, and an abort-based multidatabase recovery scheme for global serializability in failure-prone multidatabase systems. In addition, a deadlock-free policy is suggested where rigid conflict serializability is enforced when each subtransaction, including redo transactions, begins its execution. To practically support a new transaction processing model, Rigid Ticket Ordering (RTO) methods are designed. The proposed transaction processing model has the following improvements: (a) it resolves abnormal direct conflicts identified in this paper, (b) it imposes no restrictions on the execution of local transactions, and (c) it relaxes the restrictions on the execution of global transactions.
