Evaluation of a Purpose-Based Marking (PM) Protocol for Secure Distributed Systems

A process issues a transaction to manipulate objects. The transaction is assigned with a purpose which is a subfamily of roles granted to the process. Suppose a transaction T₁ writes an object o₂ after reading an object o₁ and then another transaction T₂ reads the object o₂ and writes an object o₃. Here, data in the object o₁ might flow into the object o₃ via the object o₂. Unless T₂ is granted a read access right of the object o₁, illegal information flow occur. In order to prevent the illegal information flow, T₁ marks the object o₂ with the purpose of T₁. T₂ cannot read o₂ unless the purpose of T₂ includes a read right of o₁. In result, the throughput is degraded. Objects whose information may flow into an object o are source objects of o. If the source objects are written, a purpose mark on the object o is released. In addition, an object o might have some lifetime lambda when o´s data has to be secure since the data is created. If it takes lambda time units since the object o is marked, the purpose mark is released. While there occur no illegal information flow in our purpose marking (PM) protocol, transactions which imply illegal information flow are aborted. We evaluate the PM protocol in terms of how many transactions are aborted.