Granularity of Data Protection for MLS Applications and DBMSs

A secure Database Management System (DBMS) will be widely adopted only if it provides a convenient base for application development. Given this assumption, we examine two questions: "Should an application’s view of the database consist of objects whose attributes are at more than one security level" and "Should a DBMS directly support such multilevel objects?" We investigate the impact on MLS application development of alternative degrees of DBMS support. Performance estimates and a comparison methodology are also presented. We conclude that applications should be built using object classes that capture natural real world entities and whose instances may include elements at different security levels. We then show that direct DBMS support for such classes can be quite helpful. As a byproduct, our analysis describes how untrusted code can decompose operations on multilevel objects into operations on single-level objects.