The concurrency control and recovery problem for multilevel update transactions in MLS systems

The problem is addressed of a transaction reading and writing data at multiple classification levels in a multilevel secure (MLS) database. The authors refer to such transactions as multilevel update transactions. They show that no scheduler can ensure atomicity of multilevel update transactions in the presence of transaction aborts and at the same time be secure. There are essentially two ways of scheduling multilevel update transactions. The first method, which ensures strong atomicity, involves delaying low-level subtransactions until the fats of the sibling high-level subtransactions are known. The second scheme, which ensures only semantic atomicity, involves compensating the effects of any committed subtransactions. Analysis of these schemes indicates that the compensation approach leads to lower covert channel bandwidths. A concurrency control and recovery protocol based on compensation is proposed for multilevel update transactions. The security and correctness of the protocol is considered