3.3 Validity Checking

14 the multilevel security constraints that precisely characterize the validity of mul-tilevel relational databases. Our model-theoretic semantics is consistent with, and extends, the Bell-LaPadula model. Compared with existing approaches, our model-theoretic semantics maximizes believability without compromising integrity or introducing ambiguity. Contrary to the claim that integrity and secrecy are in fundamental connict 1, 8, 15], our results demonstrate that integrity and secrecy could live harmoniously with each other: a multilevel relational database does not have to sacriice one for the other. Moreover, validity checking in multilevel relational databases is comparable to that in single-level relational databases in terms of complexity. Instead of developing special-purpose integrity techniques for multilevel databases, we could readily adopt those from single-level databases. Several logical extensions of this work are possible. First of all, we could consider classes of integrity constraints that are more general than key-based functional and referential dependencies. Such extensions must be made with great care however, since it might become impossible to maximize believability without choosing arbitrarily what low tuples to believe at high, as we can see from the examples in Section 1. Secondly, information in a multilevel state of the world might include the metaknowledge that relates the knowledge at multiple classiication levels, such as the polyinstantiation and referential security properties of Section 3. The notion of validity needs to be extended. A view at a classiication level should not only be valid in terms of the knowledge at that level, but also be consistent with views at other levels in terms of the metaknowledge. The complexity of validity checking is likely to increase signii-cantly, because cross-level metaknowledge interacts with single-level knowledge in complicated ways, as Theorem 4 shows. Finally, we could extend our approach to the multilevel relational model with element-level classiication, based on the connection between the two classiication schemes established in 11]. Given a multilevel database, straightforward validity checking based on the recursive deenition of validity is likely to be expensive, because it involves computing views for all classiication levels and checking their validity. Luckily, multilevel validity could be equivalently characterized by multilevel security properties, whose computation is comparable in complexity to integrity checking in single-level databases. Lemma 3 Suppose that & l (b;) = fr l i g 1in. For every t 2 r l i , there is t 0 2 r i and l 0 2 i (t 0) such that tK i ] …