DATABASE SECURITY APPLICATIONS Polyinstantiation for Cover Stories

1 I N T R O D U C T I O N Polyinstantiat ion has generated a great deal of controversy lately. Some have argued tha t polyinstantiat ion and integrity are fundamental ly incompatible, and have proposed alternatives to polyinstantiation. Others have argued about the correct definition of polyinstantiat ion and its operational semantics. Much has been writ ten about this topic, as can be seen from the bibliography of this paper. There are two extreme positions that can be identified with respect to polyinstantiation. Polyinstantiat ion and integrity are fundamental ly incompatible, and steps must be taken to avoid polyinstantiat ion in multilevel relations regardless of the cost. Polyinstantiat ion is an intrinsic phenomenon, inevitable in the multilevel world. Therefore, multilevel relations must be polyinstant iated whenever necessary. * The work of both authors was partially supported by the U.S. Air Force, Rome Air Development Center through contract #F-30602-92-C-002. We are indebted to Joe Giardono for making this work possible.