A Purpose Marking and Releasing Protocol for Information Flow Control

A transaction is assigned with a purpose which is a collection of roles. Suppose a transaction T₁ with a purpose R₁ writes an object o₂ after reading an object o₁ and then another transaction T₂ with R₂ reads o₂ and writes an object o₃. Unless T₂ is granted a read right of o₁, illegal information flow occur from o₁ to o₂. In the purpose-marking(PM) protocol, T₁ marks o₂ with the purpose R₁. T₂ cannot read o₂ unless the purpose R₂ includes every read right in the mark R₁. An object o₂ whose information may flow into o₁ are source objects of o₁. Through purpose marks, illegal information flow can be prevented but purpose marks on objects are not released even if transactions which mark the objects commit. If an object is written by another transaction, the purpose mark of the object is overwritten. An object is timed out if it takes some time units after the object is lastly written. If an object is written or timed out,the object is obsolete. If source objects of an object o gets obsolete, the object o also gets obsolete. The purpose mark of obsolete objects can be released. We evaluate the PM protocol in terms of how many transactions are aborted and how many messages are transmitted to release purpose marks.