The deductive filter approach to MLS database prototyping
Authors
Abstract
This paper proposes building a prototyping environment as part of the standard design process of multilevel secure database applications. Prototyping will help the database designer to arrive at a consistent data classification and at a satisfactory database design. As prototyping environment we have decided to use the deductive database system LDL ([4][11]) as storage manager as well as its features for the implementation of a deductive filter testing security constraints. Using a deductive filter in front of the real data has the following advantages: First, as deductive databases combine features of logic programming with relational algebra, it is possible to define recursive rules as well as complex object types like lists or sets. These perfectly meet the requirements of a security constraints language covering transitive dependencies between security constraints. Second, LDL possesses no procedural semantics, in favor of a purely declarative one. This helps to state even extremely complex security requirements in a clear and concise style, which is a basic requirement for experimental prototyping.

1: Introduction
Research and development in the area of multilevel secure (MLS) databases has increased dramatically in recent years. As a result, the first MLS DBMS products are already commercially available. Applying the new technology to real-world database applications is a difficult and complicated task and makes a careful design of the database necessary. The major problem involved is data classification: the important design decision of how the data of the database should be classified. Data classification involves the assignment of a security classification to a data item and is the transformation of a security object into a multilevel security object. Classifications are assigned by rules based on specified security constraints and must properly represent the security semantics of the application. Classification rules may become very complex, and for large applications rules may conflict with other classification rules specified. To overcome this problem we propose to extend the common database development process by building an experimental prototype before the final implementation of the database. The goal of the prototype is to achieve a concise and non-conflicting specification of the security constraints. Based on a concrete example of the application domain, the database designer and the security officer (or trusted users) are able to examine, by using the prototype, the adequacy of the database design and of the security classifications specified. In this paper we give the formal basis and implementation details of the prototyping language with which the prototype can be constructed efficiently and without high development costs. We see the following contributions of this paper: First, based on a careful study of multilevel security requirements we developed a security constraints language (SCL) for specifying application-dependent database security semantics. Second, we implemented SCL using the deductive database system LDL, thereby offering a useful toolset with which a prototype of a multilevel secure relational database application can be developed efficiently. The outline of this paper is as follows: In section 2 we generally discuss the design process of a MLS database and show how experimental prototyping fits into it. Moreover, section 2 contains the references to related work. Section 3 consists of a general discussion of security requirements used to represent security semantics of database applications. This framework defines the scope of our Security Constraints Language (SCL) as shown in section 4. Section 5 contains implementation details of the experimental prototype in LDL. In section 6 we show by means of a representative example how a prototype helps in getting a clear understanding of a multilevel secure database application. Section 7 concludes the paper.
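The following is an added illustration of the idea the abstract describes, not the paper's SCL or its LDL implementation: a deductive filter that sits in front of a base relation, derives each tuple's classification from declarative constraints, follows a transitive dependency relation by evaluating a recursive rule to a fixpoint, and reports tuples whose constraints conflict instead of silently picking a label. It is written in Python rather than LDL; the level lattice, the two constraint forms (a lower bound and a pinned level), the project dependency facts and the sample EMPLOYEE relation are all constructed for the example and are assumptions, not anything the paper specifies.

```python
"""Toy deductive filter for an MLS relational prototype.

Added example, not the paper's SCL or its LDL implementation. The level
lattice, the constraint forms (at_least / exactly / inherited project
floor) and the sample EMPLOYEE relation are all constructed here.
"""

# Constructed linear lattice: Unclassified < Confidential < Secret < Top Secret.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


def dominates(a, b):
    """Simple-security test: a subject (or label) at `a` may see data labelled `b`."""
    return LEVELS[a] >= LEVELS[b]


def lub(levels):
    """Least upper bound of a collection of levels; an empty collection bottoms out at U."""
    return max(levels, key=LEVELS.__getitem__, default="U")


# Constructed base relation EMPLOYEE(name, dept, salary, project).
COLS = ("name", "dept", "salary", "project")
EMPLOYEE = [dict(zip(COLS, t)) for t in [
    ("alice", "research", 90000, "apollo"),
    ("bob",   "sales",    55000, "market"),
    ("carol", "research", 70000, "zeus"),
    ("dave",  "sales",    40000, "market"),
]]

# Constructed facts: explicit project classifications, and a dependency
# relation dep(P, Q) meaning project P derives data from project Q.
PROJECT_LEVEL = {"apollo": "TS", "market": "U"}
PROJECT_DEP = {("zeus", "hermes"), ("hermes", "apollo")}

# Constructed row constraints: (name, condition, kind, level).
# "at_least" states a lower bound; "exactly" pins the label.
CONSTRAINTS = [
    ("research-dept", lambda r: r["dept"] == "research", "at_least", "C"),
    ("high-salary",   lambda r: r["salary"] > 80000,     "at_least", "S"),
    ("mid-salary",    lambda r: r["salary"] > 50000,     "at_least", "C"),
    ("sales-public",  lambda r: r["dept"] == "sales",    "exactly",  "U"),
]


def transitive_closure(edges):
    """Bottom-up fixpoint of the recursive rule
         reach(X, Y) :- dep(X, Y).
         reach(X, Z) :- dep(X, Y), reach(Y, Z).
    This is the kind of rule a deductive engine evaluates natively."""
    reach = set(edges)
    while True:
        new = {(x, z) for (x, y) in edges for (y2, z) in reach if y == y2}
        if new <= reach:
            return reach
        reach |= new


def project_floor(project):
    """A project's label must dominate every project it (transitively) derives from."""
    reach = transitive_closure(PROJECT_DEP)
    sources = {project} | {q for (p, q) in reach if p == project}
    return lub([PROJECT_LEVEL[q] for q in sources if q in PROJECT_LEVEL])


def classify(row):
    """Derive one tuple's label; returns (label_or_None, fired_constraints, conflicts)."""
    fired = [(n, k, l) for (n, cond, k, l) in CONSTRAINTS if cond(row)]
    fired.append(("project-" + row["project"], "at_least",
                  project_floor(row["project"])))
    floor = lub([l for (_, k, l) in fired if k == "at_least"])
    exact = {l for (_, k, l) in fired if k == "exactly"}
    conflicts = []
    if len(exact) > 1:
        conflicts.append("constraints pin different levels: %s" % sorted(exact))
    for l in exact:
        if not dominates(l, floor):
            conflicts.append("'exactly %s' is below the derived lower bound %s" % (l, floor))
    label = None if conflicts else (next(iter(exact)) if exact else floor)
    return label, [n for (n, _, _) in fired], conflicts


def label_of(name):
    return classify(next(r for r in EMPLOYEE if r["name"] == name))[0]


def filter_view(clearance):
    """The deductive filter in front of the data: rows a subject cleared to
    `clearance` may see, plus the rows whose specification is conflicting."""
    visible, conflicts = [], {}
    for row in EMPLOYEE:
        label, _, problems = classify(row)
        if problems:
            conflicts[row["name"]] = problems
        elif dominates(clearance, label):
            visible.append(row["name"])
    return visible, conflicts


if __name__ == "__main__":
    for row in EMPLOYEE:
        print(row["name"], classify(row))
    print("visible at S:", filter_view("S"))
```

Running it shows the two properties the abstract asks of a prototype: carol's tuple is labelled TS although no constraint mentions her directly, because zeus derives from hermes, which derives from apollo, a transitive dependency the recursive rule resolves; and bob's tuple gets no label at all, because "sales is exactly U" contradicts the lower bound C derived from his salary, so the designer sees the conflicting specification before any data is classified in production.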
Similar resources
Prototyping a Genetics Deductive Database
We are developing a laboratory notebook system known as the Genetics Deductive Database. Currently our prototype provides storage for biological facts and rules with flexible access via an interactive graphical display. We have introduced a formal basis for the representation and reasoning necessary to order genome map data and handle the uncertainty inherent in biological data. We aim to suppo...
Prototyping to explore MLS/DBMS design
This paper examines prototyping as a research tool for studying multilevel secure databases (MLS/DBMS). The paper proposes that an MLS/DBMS design can be quickly prototyped in Prolog. The prototype is then used as a research tool to experiment with the policies and models of the MLS/DBMS. To illustrate the principle, we built a Prolog prototype based on the Bell and LaPadula model. This prototy...
Propagation Rule Compiler: Technical Documentation
The Propagation Rule Compiler (PROP) is a tool developed within the ESPRIT III project IDEA (Intelligent Database Environment for Advanced Applications). It aims at supporting developers of Chimera applications during schema design and prototyping. PROP consists of two components: the rule compiler as such and an explanation facility. The task of the explanation facility is to graphically illu...
Event Detection in Multilevel Secure Active Databases
The event-condition-action paradigm (also known as triggers or rules) is a powerful technology. It gives a database “active” capabilities – the ability to react automatically to changes in the database or in the environment. One potential use of this technology is in the area of multilevel secure (MLS) data processing, such as, military, where the subjects and objects are classified into differ...
Architectural Impact on Performance of a Multilevel Database
Since protection and assurance are the primary concerns in MLS databases, performance has often been sacrificed in some known MLS database approaches. Motivated by performance concerns, a replicated architecture approach which uses a physically distinct backend database management system for each security level is being investigated. This is a report on the behavior and performance issues for th...