💾 Archived View for spam.works › mirrors › textfiles › hacking › ncsc-tr-005-2.txt captured on 2023-11-14 at 09:55:57.

View Raw

More Information

⬅️ Previous capture (2023-06-14)

-=-=-=-=-=-=-

NCSC TECHNICAL REPORT - 005

Volume 2/5

Library No. S-243,039

FOREWARD

This report is the second of five companion documents to the Trusted Database Management 
System Interpretation of the Trusted Computer System Evaluation Criteria. The companion 
documents address topics that are important to the design and development of secure database 
management systems, and are written for database vendors, system designers, evaluators, and 
researchers. This report addresses entity and referential integrity issues in multilevel secure 
database management systems.

ACKNOWLEDGMENTS

The National Computer Security Center extends special recognition to the authors of this 
document. The initial version was written by Vinti Doshi and Sushil Jajodia of the MITRE 
Corporation. The final version was written by Bill Wilson and Stan Wisseman of Arca Systems, 
Inc.

The documents in this series were produced under the guidance of Shawn P. O'Brien of the 
National Security Agency, LouAnna Notargiacomo and Barbara Blaustein of the MITRE 
Corporation, and David Wichers of Arca Systems, Inc.

We wish to thank the members of the information security community who enthusiastically gave 
of their time and technical expertise in reviewing these documents and in providing valuable 
comments and suggestions.

TABLE OF CONTENTS

SECTION	PAGE

1.0	INTRODUCTION	1

1.1	BACKGROUND AND PURPOSE	1

1.2	SCOPE	1

1.3	INTRODUCTION TO ENTITY AND REFERENTIAL INTEGRITY	2

1.4	AUDIENCES OF THIS DOCUMENT	3

1.5	ORGANIZATION OF THIS DOCUMENT	4

2.0	BACKGROUND	5

2.1	BASIC CONCEPTS OF ENTITY AND REFERENTIAL INTEGRITY	6

2.2	REFERENTIAL INTEGRITY RULES	10

2.2.1	DELETE	10

2.2.2	UPDATE of Referenced Relation	13

2.2.3 	NSERT or UPDATE of Referencing Relation	17

2.2.4	Additional Rules	17

2.3	PROBLEMS WITH REFERENTIAL INTEGRITY CONSTRAINTS	17

3.0	ENTITY AND REFERENTIAL INTEGRITY IN MLS DATABASES	18

3.1	RELATED TCSEC REQUIREMENTS	18	

3.2	BASIC CONCEPTS IN MULTILEVEL RELATIONS	19

3.3	THE CONCEPT OF PRIMARY KEY IN MULTILEVEL RELATIONS	21

3.4	ENTITY INTEGRITY IN MULTILEVEL RELATIONS	21

3.5	REFERENTIAL INTEGRITY IN MULTILEVEL RELATIONS	22

3.6	ENFORCEMENT OF INTEGRITY CONSTRAINTS	25

4.0	COVERT CHANNELS	27

4.1	PRIMARY KEY UNIQUENESS	27

4.2	ENFORCEMENT OF REFERENTIAL INTEGRITY RULES	28

4.2.1 Enforcement of Integrity Rules When C[FK] = C[PK]		29

4.2.2 Enforcement of Integrity Rules When C[FK] > C[PK]		30

4.3	RELATION TO DBMS ARCHITECTURE	36

5.0	SUMMARY	38

REFERENCES		39

LIST OF FIGURES

FIGURE	PAGE

2.1:	RELATION SOD	6

2.2:	RELATION PS	8

2.3:	REFERENTIAL CONSTRAINTS IN RELATIONS PR, PS, AND SOD	9

2.4:	RELATIONS SOD AND PS AFTER STARSHIP = "APOLLO" IS DELETED
UNDER THE CASCADES-DELETE RULE		11	

2.5:	RELATIONS SOD AND PS AFTER STARSHIP = "APOLLO" IS
DELETED UNDER THE NULLIFIES-DELETE RULE		12

2.6:	RELATIONS SOD AND PS AFTER STARSHIP = "ENTERPRISE" IS
UPDATED TO THE VALUE "USS ENTERPRISE"
UNDER THE CASCADES-UPDATE RULE		15

2.7:	RELATIONS SOD AND PS AFTER STARSHIP = "ENTERPRISE" IS
UPDATED TO THE VALUE "USS ENTERPRISE" UNDER THE
NULLIFIES-UPDATE RULE		16

3.1:	DIFFERENT SOD VIEWS BASED ON ACCESS CLASS	21

3.2:	TYPICAL RELATION INSTANCES FOR SOD AND PS	23

3.3:	UNCLASSIFIED INSTANCES OF PS AND SOD RELATIONS	24

4.1:	SOD AFTER INSERTION OF TUPLE CORRESPONDING TO
STARSHIP = "VOYAGER" BY UNCLASSIFIED USER		28

4.2:	RELATION PS AND SOD WHEN C[FK] = C[PK]	30

4.3:	RELATIONS SOD AND PS WITHOUT POLYINSTANTIATION	32

4.4:	RELATIONS WITH TUPLE-LEVEL GRANULARITY	34

4.5:	RELATIONS WITH ATTRIBUTE-LEVEL GRANULARITY	35

LIST OF TABLES

TABLE	PAGE

4.1:	SUMMARY OF COVERT CHANNELS IN REFERENTIAL INTEGRITY
RULES		36

SECTION 1

INTRODUCTION

This document is the second volume in the series of companion documents to the Trusted Database 
Management System Interpretation of the Trusted Computer System Evaluation Criteria [TDI 91; 
DoD 85]. This document examines entity and referential integrity issues in multilevel secure 
(MLS) database management systems and summarizes the research to date in these areas.

1.1	BACKGROUND AND PURPOSE

In 1991 the National Computer Security Center published the Trusted Database Management 
System Interpretation (TDI) of the Trusted Computer System Evaluation Criteria (TCSEC). The 
TDI, however, does not address many topics that are important to the design and development of 
secure database management systems (DBMSs). These topics (such as inference, aggregation, and 
database integrity) are being addressed by ongoing research and development. Since specific 
techniques in these topic areas had not yet gained broad acceptance, the topics were considered 
inappropriate for inclusion in the TDI.

The TDI is being supplemented by a series of companion documents to address these issues 
specific to secure DBMSs. Each companion document focuses on one topic by describing the 
problem, discussing the issues, and summarizing the research that has been done to date. The intent 
of the series is to make it clear to DBMS vendors, system designers, evaluators, and researchers 
what the issues are, the current approaches, their pros and cons, how they relate to a TCSEC/TDI 
evaluation, and what specific areas require additional research. Although some guidance may be 
presented, nothing contained within these documents should be interpreted as criteria.

These documents assume the reader understands basic DBMS concepts and relational database 
terminology. A security background sufficient to use the TDI and TCSEC is also assumed; 
however, fundamentals are discussed whenever a common understanding is important to the 
discussion.

1.2	SCOPE

This document addresses entity and referential integrity issues in multilevel secure DBMSs. It is 
the second of five volumes in the series of TDI companion documents, which includes the 
following documents:

?	Inference and Aggregation Issues in Secure Database Management Systems [Inference 
96]

?	Entity and Referential Integrity Issues in Multilevel Secure Database Management 
Systems

?	Polyinstantiation Issues in Multilevel Secure Database Management Systems [Poly 96]

?	Auditing Issues in Secure Database Management Systems [Audit 96]

?	Discretionary Access Control Issues in High Assurance Secure Database Management 
Systems [DAC 96]

This series of documents uses terminology from the relational model to provide a common basis 
for understanding the concepts presented. For most of the topics covered in this series the concepts 
presented should apply to most database modeling paradigms, depending on the specifics of each 
model. For the entity and referential integrity constraints discussed in this document, however, 
there are important differences between different models. This is because the primary keys in a 
relational DBMS represent both unique identifiers for tuples and values of attributes in the tuple. 
They must be protected in accordance with the sensitivity of the data they represent and this can 
interfere with their role as a unique identifier of tuples. By contrast, the object identifier (OID) in 
an Object-Oriented DBMS is not a property or attribute of the object it identifies, and does not 
represent a user-visible data value. Khoshafian and Copeland provide a useful taxonomy of 
different ways of specifying object identity including the techniques used in relational and Object-
Oriented DBMSs [Khoshafian 86]. Similarly, in a relational DBMS, foreign keys represent data 
values and serve as pointers to other tuples. In an Object-Oriented DBMS, pointers to other objects 
are not used to store data values, but rather to represent the inclusion of one object within another. 
As in relational databases, problems may occur if a reference is deleted and some references remain 
in objects. The implications of these distinctions for enforcement of secrecy in an Object-Oriented 
DBMS require further research. This document specifically addresses relational DBMSs.

This document is related to the companion documents Inference and Aggregation Issues in Secure 
Database Management Systems and Polyinstantiation Issues in Multilevel Secure Database 
Management Systems. Much of the discussion of the relationship between enforcement of integrity 
constraints and multilevel security centers on the potential inference channels which integrity 
constraints can introduce. One way to avoid these channels for entity integrity is to use 
polyinstantiation. This is discussed later in more detail.

1.3	INTRODUCTION TO ENTITY AND REFERENTIAL INTEGRITY

Secrecy and integrity are two key concepts in the community of database security researchers and 
users. Secrecy refers to the protection or safety of the data against unauthorized disclosure, and 
integrity refers to the unauthorized alteration or destruction of data. In the wider database research 
community, integrity refers more generally to the correctness, accuracy, and internal consistency 
of data.

Preserving the accuracy of information is extremely important rn any database. In the relational 
model, one way in which accuracy of information is preserved is by preventing updates that violate 
integrity constraints. Entity integrity and referential integrity are two of the most important 
integrity constraints. They are defined on relations and are enforced by the DBMS.

Entity integrity states that no primary key attribute of a relation is allowed to have null values. In 
addition, the primary key must have a unique value. These properties of a primary key correspond 
to the fact that entities in the real world are distinguishable (i.e., they have a unique identification 
of some kind). In the relational model, the primary key performs the function of unique 
identification. Referential integrity is an interrelation integrity constraint. In general, referential 
integrity defines existence relationships between entities in a database that need to be maintained 
by the DBMS. This document defines these integrity constraints formally and presents their 
importance in the context of security in detail.

In multilevel applications, data are classified to control disclosure. It is important to realize the 
necessary trade-off to be made between secrecy and integrity because of the challenges in 
enforcing integrity constraints across multiple secrecy levels without disclosure of information. 
This document defines entity and referential integrity for a standard relational DBMS and then 
presents methods for resolving the inherent integrity/secrecy conflict in an MLS environment.

1.4	AUDIENCES OF THIS DOCUMENT

This document is targeted at four primary audiences: the security research community, database 
application developers/system integrators, trusted product vendors, and product evaluators. In 
general, this document is intended to present a framework for understanding the nature of entity 
and referential integrity policies or requirements and how they conflict with the need to enforce an 
access control policy. This framework is used to describe the research that has been done to date 
and the approaches they present for providing solutions. Each of the specific audiences should 
expect to get the following from this document:

Researcher

This document describes the basic problems in simultaneously enforcing integrity constraints and 
MAC. Some important research contributions are discussed as various topics are covered. Related 
research on other aspects of integrity and the relationship to secrecy is discussed in Section 3.6. 
For additional relevant work, the researcher should consult two other companion documents, 
Inference and Aggregation Issues in Secure Database Management Systems [Inference 96] and 
Polyinstantiation Issues in Multilevel Secure Database Management Systems [Poly 96].

Database Application Developer/System Integrator

This document describes various entity and referential integrity facilities which could be provided 
by an MLS DBMS. It discusses the implications of these facilities relative to the tradeoffs involved 
in meeting a system's requirements for secrecy and integrity.

Trusted Product Vendor

This document describes the conflicts between Mandatory Access Controls (MAC) and multilevel 
entity and referential integrity constraints. It then discusses approaches to entity and referential 
integrity enforcement in an MLS database and the benefits and drawbacks of these approaches. In 
particular, it considers how the issues with enforcement of entity and referential integrity 
constraints in an MLS database relate to the TCSEC access control and covert channel 
requirements. This is discussed in the context of tuple level as well as element level labeling. This 
document will provide a framework for understanding specific requirements interpretations as they 
are developed by the National Computer Security Center.

Evaluator

This document describes access control and covert channel issues related to entity and referential 
integrity. It provides a framework for analyzing specific vendor mechanisms and understanding 
Technical Review Board/Interpretations Working Group decisions.

1.5	ORGANIZATION OF THIS DOCUMENT

The organization of the remainder of this document is as follows:

?	Section 2 gives the definitions of entity and referential integrity with respect to single-level 
DBMSs and describes various important concepts related to referential integrity.

?	Section 3 defines the basic concepts of entity and referential integrity with respect to 
multilevel relations.

?	Section 4 discusses the issues associated with covert channels related to enforcing entity 
and referential integrity constraints.

?	Section 5 presents conclusions.

SECTION 2

BACKGROUND

Entity integrity and referential integrity are two basic integrity requirements in a relational DBMS 
(RDBMS). They help prevent incorrect data from being entered into the database. Entity integrity 
guarantees a unique representation of each entity in the database through specification of primary 
key attributes for each relation. Referential integrity assures that if any references exist between 
two or more entities, then the related entities do exist in the database. Referential integrity places 
restrictions on foreign key attributes.

Referential integrity is one of the most important interrelation integrity constraints for the 
relational data model. Although its basic concepts have been discussed over the past ten years, a 
successful referential integrity capability for a RDBMS is still a challenging implementation 
problem. While referential integrity appears to be a simple concept, the operational definitions that 
appear in the literature are imprecise and lead to a host of anomalies.

A standard relational database can be perceived by its users as a collection of relations. A relation 
has well-defined mathematical properties and is used to store data. Each relation has two parts:

1.	A state-invariant relation schema R (A1, A2, ..., An), where each Ai is an attribute over 
some domain Di, 1 ? i ? n, which is a set of acceptable values for Ai.

2.	A state-dependent relation R over R, which is a set of distinct tuples of the form (a1, a2..., 
an), where each element ai; is a value in domain di, 1 ? i ? n.

The following notation and conventions are used throughout this document. In definitions, relation 
schemes are denoted in bold fonts (such as R, R1, R2), and the corresponding relations are denoted 
using plain fonts (such as R, R1, R2). However, when clear in specific examples, the same symbol 
is used to denote the relation schema, as well as the corresponding relation. Let X denote one or 
more attributes of a relation R. If t is a tuple in a relation R, t [X] denotes the projection of t onto X.

This section first defines entity and referential integrity, followed by terminology related to these 
concepts. The examples make use of Structured Query Language (SQL) syntax [ANSI 92, 94]. The 
section then gives various rules for enforcing referential integrity and discusses the problems 
associated with referential integrity in single-level relational databases. From this understanding 
of integrity, we can then better discuss the conflict with enforcement of a MAC policy in Section 3.

2.1	BASIC CONCEPTS OF ENTITY AND REFERENTIAL INTEGRITY

Before defining entity integrity, it is necessary to define the concept of a primary key.

In simple terms, the primary key of a relation is just a unique identifier of each tuple in the relation. 
More precisely, a primary key for a relation R is a set of attributes PK with the following 
properties:

1.	The value of PK uniquely identifies each tuple in the relation R. That is, for any state of 
R, and any tuples t1 and t2, if t1[PK] = t2[PK] then t1 = t2.

2.	PK is minimal. That is, there is no proper subset of PK satisfying property 1.

It is possible there is more than one set of attributes satisfying these properties. Any such set is 
called a candidate key. Precisely one candidate must be chosen and designated as the primary key 
of R.

Example 1. Consider the relation schema SOD (Starship, Objective, Destination), which contains 
for each starship its name (Starship), the purpose of the flight (Objective), and its destination 
(Destination). An example relation for relation schema SOD is given in Figure 2.1.

STARSHIP

OBJECTIVE

DESTINATION

Enterprise

Exploration

Talos

Voyager

Spying

Mars

Apollo

Exploration

Moon

Saratoga

Mining

Moon

Figure 2.1: Relation SOD

Since the attribute Starship uniquely identifies each tuple of the relation SOD, it is a candidate key 
of the relation SOD. As Starship is the only candidate key of the relation SOD, it is also the primary 
key of relation SOD.

In SQL syntax, the attribute(s) constituting the primary key can be specified when a relation 
schema is created, as the following shows:

CREATE TABLE SOD

(Starship CHAR(20) NOT NULL,

Objective CHAR(15),

Destination CHAR(10),

PRIMARY KEY (Starship))

Notice that the ANSI syntax uses the term "TABLE" instead of the term "relation" used in this 
document.

The entity integrity constraint requires that all attribute values of the primary key be defined for 
each tuple.

Entity Integrity: If PK is the primary key for relation R, then for all states of R, for every tuple 
t in R and every attribute A in PK, t[A] is not null.

A foreign key provides a basis for a tuple to refer to another tuple. Let R1 and R2 be two relation 
schemas, and let R1 and R2 denote the respective relations corresponding to these schemas.

Referential Integrity: Let PK denote the primary key of R2, and let FK denote one or more 
attributes of the relational schema R1. FK is said to be a foreign key of R1 referencing R2 if 
given any tuple t1 in R1, the following two requirements are met:

1.	t1 [FK] is either wholly null or wholly non-null, and

2.	Whenever t1[FX] is non-null, there is a tuple t2 in R2 such that t1[FK] = t2[PK].

Here R1 is the referencing relation and R2 is the referenced relation. Sometimes PK is referred to 
as the target value of the foreign key FK. Notice that R1 and R2 need not be distinct.

Example 2. In addition to the relation schema SOD given in Example 1, consider the relation 
schema PS (Person_Name, Starship), which contains the name of the employee (Person_Name) 
and the name of the ship assigned to the employee (Starship). An example relation for PS is given 
in Figure 2.2.

Suppose Person_Name uniquely identifies each employee in the PS relation, then Person_Name 
becomes the primary key for the relation schema PS. If Starship is declared a foreign key for PS 
with the relation schema SOD as the referenced relation, a DBMS that supports referential integrity 
will automatically ensure that whenever an employee is assigned a (non-null) ship, there is a 
matching tuple in the relation schema SOD with an identical value for the attribute Starship.

Notice that employee Mr. Spock, given in Figure 2.2, has not been assigned any starship. It seems 
from the definition of the PS relation that nulls are allowed. In some applications it may be 
desirable to prohibit this situation (i.e., every employee must be assigned a starship). The 
referencing relation's schema definition can specify whether or not the foreign key attribute can 
assume a null value.

Using SQL syntax, foreign keys can be specified as follows:

CREATE TABLE PS

Person_Name	CHAR(15) NOT NULL,

Starship	CHAR(20),

PRIMARY KEY	(Person_Name),

FOREIGN KEY	(Starship) REFERENCES SOD (Starship)).

PERSON_NAME

STARSHIP

James Kirk

Enterprise

Mr. Spock

<null>

Tim McKelley

Apollo

Figure 2.2: Relation PS

It follows from the definition of the foreign key that there is an identical matching primary key 
value in the referenced relation for every foreign key value in the referencing relation. It is 
important to maintain the integrity between the referencing values (foreign key values) and the 
referenced values (primary key values).

Example 3. Consider the relation schema PR (Person_Name, Rank), which contains the employee 
name (Person_Name) and the rank of the employee (Rank). Person_Name is the primary key for 
the relation schema. Person_Name is also the foreign key referring to relation schema PS.

The relation schema PR can be expressed in SQL as follows:

CREATE TABLE PR

(Person_Name	CHAR(20) NOT NULL,

Rank	CHAR(15),

PRIMARY KEY	(Person_Name),

FOREIGN KEY	(Person_Name) REFERENCES PS (Person Name))

Here, the relation schema PR references the relation schema PS given in Example 2. In addition, 
the relation schema PS in Example 2 references the relation schema SOD. Since there is a 
referential constraint from PR to PS, and also from PS to SOD, relation schema PS becomes both 
a referencing relation and a referenced relation, see Figure 2.3.

Figure 2.3: Referential Constraints in Relations PR, PS, and SOD

This can be depicted as a referential path from PR to SOD as follows:

PR > PS  > SOD

Referential Cycles: Closed referential paths, or referential paths that point back to the starting 
relation, are referred to as referential cycles. In general, the referential cycle including n 
relations (where n > 1) can be represented as follows [Date 86, 90]:

Rn >  Rn-1 >  Rn-2  > ... >  R2 >  R1 >  Rn.

Referential cycles are of interest since they can cause insertion problems. In the presence of 
referential cycles, it is necessary that one of the following constraints be true; otherwise, it is 
impossible to insert the first tuple in any or each of the relations:

1.	One of the foreign keys in the referential cycle must be allowed to have a null value, or

2.	The constraint check should be done only at the end-of-transaction (i.e., when the 
transaction commits).

A self-referencing relation is a special case of a referential cycle that includes exactly one relation: 
a relation can have multiple foreign keys corresponding to different relations.

Some important concepts related to the terms defined in this section can be summarized as follows:

?	A primary key of a relation cannot have a null value in any tuple within that relation (entity 
integrity) and each primary key must be unique (property of a primary key).

?	Foreign keys can have null values. For example, in Figure 2.2 the employee Mr. Spock has 
not been assigned any starship as yet; therefore, the Starship value for Mr. Spock is null. 
(Note: If in a specific instance it is desired to prohibit null values for foreign keys, this can 
be done by using a NOT NULL clause for the attributes in the foreign key when the 
relation is created.)

?	For referential integrity, every non-null value of a foreign key must be matched by an 
identical primary key value in the referenced relation. But the converse need not be true; 
for example, starship Saratoga in Figure 2.1 has no employee assigned to it in Figure 2.2.

?	A relation can be a referenced relation, as well as a referencing relation.

2.2	REFERENTIAL INTEGRITY RULES

Whenever two or more relations are related through referential constraints, it is necessary that 
references be kept consistent in the face of insertions, deletions, and updates to these relations. Date 
identifies several actions which can be taken to maintain consistency of references [Date 90]. 
Exactly which action is chosen for a particular relation depends on the behavior desired by the 
underlying application. These possible actions are discussed in the following subsections.

2.2.1	DELETE

When the target of a foreign key is deleted it could result in a dangling reference. Some action is 
needed to make sure this does not happen. Four options that may be specified for the referenced 
relation are RESTRICTED-delete, CASCADES-delete, NULLIFIES-delete, and SET 
DEFALILT-delete. Each of these is explained in turn.

RESTRICTED-delete

If the RESTRICTED-delete option is specified, the primary key value in the referenced relation 
cannot be deleted as long as there exists at least one matching foreign key value in the referencing 
relation. The deletion of the referenced value is restricted to the case where there is no 
corresponding referencing value in the referencing relation.

For instance, suppose an attempt is made to delete the starship Apollo from the relation SOD. Since 
the referencing relation PS refers to the relation SOD through the attribute Starship, under the 
RESTRICTED-delete rule, this deletion cannot be performed as there is a tuple in PS referencing 
starship Apollo. The delete is denied and the two relations would remain unchanged.

The syntax for specifying the RESTRICTED-delete rule may be given as follows:

CREATE TABLE PS

(Person_Name	CHAR(20) NOT NULL,

Starship	CHAR(15),

PRIMARY KEY	(Person_Name),

FOREIGN KEY	(Starship) REFERENCES SOD (Starship),

ON DELETE	RESTRICT)

CASCADES-delete

Under the CASCADES-delete option, whenever the target tuple of a foreign key is deleted, all 
referencing foreign key tuples are also deleted. In the previous example, if an attempt is made to 
delete the starship Apollo from the relation SOD, the delete would be cascaded to the relation PS 
and the employee tuples referencing the starship Apollo would also be deleted. After such a 
CASCADES-delete operation, the relations SOD and PD would change to the form given in Figure 
2.4.

SOD



STARSHIP

OBJECTIVE

DESTINATION

Enterprise

Exploration

Talos

Voyager

Spying

Mars

Saratoga

Mining

Rigel

PS

PERSON_NAME

STARSHIP

James Kirk

Enterprise

Mr. Spock

<null>

Figure 2.4: Relations SOD and PS after Starship = "Apollo" is Deleted under the
CASCADES-Delete Rule

In SQL, the CASCADES-delete rule can be specified as follows:

CREATE TABLE PS

(Person_Name	CHAR(20) NOT NULL,

Starship	CHAR(15),

PRIMARY KEY	(Person_Name),

FOREIGN KEY	(Starship) REFERENCES SOD (Starship),

ON DELETE	CASCADE)

NULLIFIES-delete

Whenever the NULLIFIES-delete option is specified for a foreign key, the referencing foreign key 
attribute values will be set to a null value when the tuple containing the referenced value is deleted. 
In the example given earlier, when starship Apollo is deleted, the foreign key value, for all tuples 
referencing Apollo in relation PS, is set to null. The new state of the relations is as shown in Figure 
2.5.

SOD



STARSHIP

OBJECTIVE

DESTINATION

Enterprise

Exploration

Talos

Voyager

Spying

Mars

Saratoga

Mining

Rigel

PS

PERSON_NAME

STARSHIP

James Kirk

Enterprise

Mr. Spock

<null>

Tim McKelley

<null>

Figure 2.5: Relations SOD and PS after Starship = "Apollo" is Deleted under the 
NULLIFIES-Delete Rule

Before setting the referencing value to null, it is important to make sure that the relation schema 
allows a null value for the foreign key attribute. Otherwise, there will be a conflict.

The NULLIFIES-delete rule can be expressed in SQL as follows:

CREATE TABLE PS

(Person_Name	CHAR(20) NOT NULL,

Starship	CHAR(15),

PRIMARY KEY	(Person_Name),

FOREIGN KEY	(Starship) REFERENCES SOD (Starship),

ON DELETE	SET NULL)

SET DEFAULT-delete

The SQL2 [ANSI 92] and SQL3 [ANSI 94] standards provide yet another referential action for the 
delete operation, called SET DEFAULT. This option is similar to the NULLIFIES delete rule 
given above. The only difference is that the SET DEFAULT option contains a default clause that 
specifies the default value for the attribute. The default value may be a null or a non-null value. If 
the referential action specifies the SET DEFAULT option, then each referencing attribute is 
defined by an implicit or explicit default clause. If the default value is null, then SET DEFAULT 
is equivalent to a SET NULL.

The SQL syntax for the SET DEFAULT-delete rule is as follows:

CREATE TABLE PS

(Person_Name	CHAR(20) NOT NULL,

Starship	CHAR(15),

PRIMARY KEY	(Person_Name),

FOREIGN KEY	(Starship) REFERENCES SOD (Starship),

ON DELETE	SET DEFAULT < option>)

The default option is specified in the <option> field.

2.2.2	UPDATE of Referenced Relation

Changing the primary key values in a referenced relation could violate referential integrity unless 
appropriate action is taken. There are different options which can be specified for the referencing 
relation whenever an update is made to the target primary key values of a referenced relation. The 
possible options are RESTRICTED-update, CASCADES-update, NULLIFIES-update, or SET 
DEFAULT-update.

RESTRICTED-update

Under the RESTRICTED-update option, an update to the target primary key values of a referenced 
relation cannot be made as long as there exists at least one matching foreign key value in the 
referencing relation. The update to the referenced tuple is restricted to the case where there are no 
matching referencing tuples.

As an example, suppose an attempt is made to update the name of the starship from Enterprise to 
USS Enterprise in relation SOD shown in Figure 2.1. As there is an employee assigned to the ship, 
the update is rejected. The relations SOD and PS remain unchanged, and look like Figures 2.1 and 
2.2.

The syntax for specifying the RESTRICTED-update option may be specified as follows:

CREATE TABLE PS

(Person_Name	CHAR(20) NOT NULL,

Starship	CHAR(15),

PRIMARY KEY	(Person_Name),

FOREIGN KEY	(Starship) REFERENCES SOD (Starship),

ON UPDATE	RESTRICT)

CASCADES-update

If the CASCADES-update option is specified for a referencing relation, whenever an update is 
made to the referenced attribute, all changes are cascaded to the matching referencing attributes. 
This means that whenever the target value of a foreign key is modified, all referencing foreign key 
values are also similarly modified. Consider the example where an attempt is made to update the 
name of the starship from Enterprise to USS Enterprise in the relation schema SOD. Under 
CASCADE-update, the update is cascaded to the matching referencing tuples in the relation 
schema PS. For the employee assigned to starship Enterprise, the name is updated to USS 
Enterprise. The new state of the two relations SOD and PS is shown in Figure 2.6.

In SQL, the CASCADE-update option can be expressed as follows:

CREATE TABLE PS

(Person_Name	CHAR(20) NOT NULL,

Starship	CHAR(15),

PRIMARY KEY	(Person_Name),

FOREIGN KEY	(Starship) REFERENCES SOD (Starship),

ON UPDATE	CASCADE)

SOD



STARSHIP

OBJECTIVE

DESTINATION

USS Enterprise

Exploration

Talos

Voyager

Spying

Mars

Apollo

Exploration

Moon

Saratoga

Mining

Rigel

PS

PERSON_NAME

STARSHIP

James Kirk

USS Enterprise

Mr. Spock

Null

Tim McKelley

Apollo

Figure 2.6: Relations SOD and PS after Starship = "Enterprise" is Updated to the Value 
"USS Enterprise" under the CASCADES-Update Rule

NULLIFIES-update

Under the NULLIFIES-update option, the referencing foreign key attribute values are set to null 
whenever the target primary key values in the referenced relation are updated. In the example given 
earlier, when the name of the starship is updated from Enterprise to USS Enterprise, the Starship 
for the employee assigned to Enterprise is set to null. The new state of the relations is shown in 
Figure 2.7.

Before setting the referencing value to null, it is important to make sure that the schema definition 
allows a null value for the foreign key attribute. If the nulls rule does not allow a null value, then 
there will be a conflict between the two integrity rules.

The NULLIFIES-update rule is expressed in SQL syntax as follows:

CREATE TABLE PS

(Person_Name	CHAR(20) NOT NULL,

Starship	CHAR(I5),

PRIMARY KEY	(Person_Name),

FOREIGN KEY	(Starship) REFERENCES SOD (Starship),

ON UPDATE	SET NULL)

SOD



STARSHIP

OBJECTIVE

DESTINATION

USS Enterprise

Exploration

Talos

Voyager

Spying

Mars

Apollo

Exploration

Moon

Saratoga

Mining

Rigel

PS

PERSON_NAME

STARSHIP

James Kirk

< null >

Mr. Spock

< null >

Tim McKelley

Apollo

Figure 2.7: Relations SOD and PS after Starship = "Enterprise" is Updated to the Value 
"USS Enterprise" under the NULLIFIES Update Rule

SET DEFAULT-update

SQL2 and SQL3 define another referential constraint for update, which is SET DEFAULT. If the 
referential constraint specifies the SET DEFAULT option, then each referencing attribute is 
defined by an implicit or explicit default clause. The default clause specifies the default value for 
the attribute, and the default value may be a null or a non-null value. If the default value is null, 
then the SET DEFAULT option can be considered equivalent to the NULLIFIES update rule.

The SQL syntax for the SET DEFAULT-update rule is as follows:

CREATE TABLE PS

(Person_Name	CHAR(20) NOT NULL,

Starship	CHAR(15),

PRIMARY KEY	(Person_Name),

FOREIGN KEY	(Starship) REFERENCES SOD (Starship),

ON UPDATE	SET DEFAULT <option>)

The default option is specified in the <option> field.

2.2.3	INSERT or UPDATE of Referencing Relation

When a tuple is inserted into a relation with a foreign key or a tuple in the relation is updated, the 
insertion (or update) of a foreign key value should be in accordance with referential integrity. Each 
foreign key value must be NULL or have an identical matching primary key value in the referenced 
relation. This requirement can be enforced by disallowing the insert (or update) unless the 
condition is met or by setting the foreign key to a default value or null (if nulls are allowed) when 
the condition is not met.

2.2.4	Additional Rules

In spite of the many integrity rules discussed in this section, the rules above are not exhaustive. 
Additional options include conversation with the end user and transferring information to some 
other files. For instance, an additional option in SQL3 is the PENDANT specification, which 
implies that each primary key value in the referenced relation is the same as some foreign key value 
in the referencing relation. For example, if the referential constraint for the relation EMP is as 
shown below, then as soon as the last employee in a particular department is deleted, the 
department will also be deleted.

FOREIGN KEY (Starship) REFERENCES [PENDANT] SOD(Starship)

2.3	PROBLEMS WITH REFERENTIAL INTEGRITY CONSTRAINTS

Referential integrity plays a major role in RDBMSs where it is employed to express existence 
dependencies. The concept of referential integrity seems to be simple, but it has been a topic of 
discussion for the past several years [Markowitz 90; Horowitz 92]. The operational definitions are 
not precise and, therefore, lead to some anomalies. Confusion surrounds both the concept itself and 
its implementation in RDBMSs. There is a need to carefully examine the data manipulation 
problems caused by certain referential integrity structures and to find ways to avoid these 
problems.

In a RDBMS, a single update or delete can affect multiple tuples through the application of 
referential integrity rules (e.g., cascading deletes or updates). It is necessary for these processes to 
be deterministic. In other words, the final state of the database should be a function of the initial 
state of the database, and the specific statement to be executed. At times, certain referential 
constraints associated with relations may block update or deletion of some tuples because of 
conflicting referential constraint specifications, thus making the outcome of the update or delete 
statement unpredictable. Some of the problems that have been identified are dependency on the 
order in which referential integrity constraints are applied, referential cycles, and dependency on 
the order in which the tuples are processed in response to a query. Discussion of these problems in 
detail is outside the scope of this document.

SECTION 3

ENTITY AND REFERENTIAL INTEGRITY IN MLS DATABASES

Before entity and referential integrity can be defined for multilevel relations, it is necessary to 
extend the basic concepts of classical (single-level) relations to the multilevel context. In MLS 
databases, data are assigned different security levels and each user is assigned a clearance level. 
Each user can only access data they are cleared for based on the user's security clearance. As a 
consequence the meaning of relations becomes more complicated in the multilevel world, and 
there is no clear consensus regarding the exact definition of a multilevel relational model.

To develop an MLS database, it is necessary to (1) define a security policy, (2) develop 
mechanisms that support the policy, and (3) get the necessary assurance that the system developed 
is secure. This section first reviews the basic concepts for the multilevel relational data model, then 
defines entity and referential integrity constraints for multilevel relations.

3.1	RELATED TCSEC REQUIREMENTS

The TCSEC imposes two types of requirements which affect how entity and referential integrity 
can be enforced in a DBMS targeted to meet the TCSEC requirements at B1 and above. A DBMS 
targeted for Class B1 or above must enforce a MAC policy over all subjects and storage objects it 
controls. This places requirements on the sensitivity labels of elements of primary and foreign keys 
and on the relationships between sensitivity levels of foreign keys and the primary keys they 
reference. For a DBMS targeted at Class B2 or above, the TCSEC requires a thorough search for 
covert channels (storage channels only at Class B2). In the multilevel context, enforcement of the 
uniqueness of primary keys and enforcement of referential integrity can create significant covert 
channels. Guidelines on acceptable bandwidths for covert channels are given in Section 8 of the 
TCSEC. This section specifically addresses the implications of direct enforcement of MAC 
controls (as required at B1 and above). The implications of integrity enforcement on covert 
channels is covered in Section 4. A determination of precisely which approaches to enforcing 
entity and referential integrity will be considered compliant with the TCSEC requirements will 
evolve over time as the Evaluation Community publishes official interpretations on this subject. 
However, with the successful evaluation of Trusted Oracle7 DBMS MAC Mode with an 
unmodified integrity mechanism, precedence has been set for Class B1 DBMSs [Oracle 94].

3.2	BASIC CONCEPTS IN MULTILEVEL RELATIONS

The basic model for multilevel relations needs to be defined with a MAC policy in mind. The MAC 
policy for MLS databases is often based on the Bell-LaPadula model [Bell 76], which is stated in 
terms of subjects and objects. A subject is an active entity, such as a process that can request access 
to objects, whereas an object is a passive entity, such as a record, a file, or a field within a record. 
Every subject is assigned a clearance level and every object a classification level. Classification 
levels and clearances are collectively referred to as security levels, and form a lattice. Each security 
level has two components: a hierarchical component and a set (possibly empty) of unordered 
categories. A security level c1 is said to dominate security level c2, in the partial order, if (1) the 
hierarchical component of c1 is greater than or equal to that of c2, and (2) all categories in c2 are 
included in those of c1. A security level c1 strictly dominates security level c2, in the partial order, 
if (1) c1 dominates c2, and (2) c1 does not equal c2. The following are two necessary conditions in 
the Bell-LaPadula model [Bell 76; DoD 85]:

1.	The Simple Security Condition or "No Read Ups": A subject can only read objects at a 
security level dominated by the subject's level, and

2.	The *-Property (Star Property) or "No Write Downs": A subject can only write objects 
at a security level that dominates the subject's level.

To apply these concepts to a DBMS it is necessary to determine the granularity of the objects 
protected by MAC, i.e., the storage objects. Security levels are then associated with these storage 
objects. Work on MLS databases has focused on four choices for assigning security levels to data 
stored in a relation. One can assign security levels to entire relations, to individual tuples (rows) of 
a relation, to individual attributes (columns) of a relation, or to individual elements of a relation. 
In the definitions below, the most general case is considered, in which security levels are assigned 
to individual data elements stored in relations. However, since tuple level labeling is used in all 
DBMS products evaluated to date, the concepts are also considered in the (simplified) context of 
tuple level labeling.

A relation schema in the multilevel context not only contains all its data attributes, but also includes 
the corresponding security level for each data attribute. Formal definitions of a multilevel relation 
schema and multilevel relations are as follows [Denning 87]:

Relation Schema: A multilevel relation schema has the following form:

R(A1, C1, A2, C2, ... , An, Cn).

Each Ai is a data attribute over some domain Di and Ci is the classification attribute of Ai. The 
domain of Ci, i = 1, ...,n is some set consisting of security levels.

If tuple level labeling is used, there will only be one classification attribute for the entire tuple:

R(A1, A2, ... , An, C).

For a multilevel logical relation schema R, there is a corresponding relation Rc per security level 
in the security lattice. A user having a clearance at a security level c sees the relation Rc, which 
contains data at security level c or below. More formally,

Relations: A relation at a security level c has the following form:

Rc(A1, C1, A2, C2, ... , An, Cn)

Rc consists of a set of tuples of the form (a1, c1, a2, .2.... ,an, cn), where each ai  lies in the domain 
Di or ai is null, c > ci, ci, i = 1 ... ,n. Even if ai is null, its classification attribute ci is never null.

When an attribute value ai is null, there are two reasonable possibilities for the corresponding 
security level value: ci could be assigned a value that is identical to c, or the security level of the 
attributes constituting the primary key. In this document, ci would be assigned a value consistent 
with the second possibility.

If the security level of the primary key value is not dominated by c in a tuple, then that tuple is not 
shown in Rc at all. If the security level of the primary key value is dominated by c, then that tuple 
is shown in Rc; however, any attribute value with a security level not dominated by c, is shown 
having a null value with the corresponding security level the same as that of the primary key value.

For tuple level labeling, Rc consists of those tuples whose security level is dominated by c.

These concepts can be better explained with the help of an example taken from [Jajodia 91].

Example 4. Consider the relation schema SOD given in Example 1. Starship is the primary key of 
the relation schema SOD, and the security levels are assigned at the granularity of individual data 
elements. The hierarchical order usually followed is Top Secret (TS), Secret (S), Confidential (C), 
and Unclassified (U). A user with a Secret clearance will see the entire multilevel relation SODS, 
while a user with an Unclassified clearance will see the Unclassified instance SODU as shown in 
Figure 3.1.

SODS



STARSHIP

OBJECTIVE

DESTINATION

Enterprise U

Exploration U

Talos U

Voyager U

Spying S

Mars S

SODU

STARSHIP

OBJECTIVE

DESTINATION

Enterprise U

Exploration 

Talos U

Voyager U

<null>

<nulls> U

Figure 3.1: Different SOD Views Based on Access Class

3.3	THE CONCEPT OF PRIMARY KEY IN MULTILEVEL RELATIONS

The notion of a primary key is a fundamental concept in the world of single-level relational 
databases. The primary key is used to maintain integrity of relations, it is used during the database 
design, and it is also used for storage and retrieval purposes. The primary key for a single-level 
relation must satisfy the uniqueness property and the minimality property, as discussed in Section 
2.1. Entity integrity requires that the primary key serves as a unique identifier of each tuple in the 
relation and that it does not contain a null value. The uniqueness property can create covert 
channels as discussed in Section 4. One approach to avoiding these channels involves augmenting 
the user-defined primary key with security level attributes associated with the primary key 
attributes. However, in the remainder of this document it is assumed that there is a user-specified 
primary key consisting of a subset of the data attributes and not including the security level 
[Denning 87]. It is called the apparent primary key of the multilevel relation schema.

3.4	ENTITY INTEGRITY IN MULTILEVEL RELATIONS

A relation schema R will be assumed to have a user-defined apparent primary key consisting of 
one or more data attributes of R. It will be denoted by PK. The entity integrity property of the 
standard relational model can be extended to the multilevel environment by defining the three 
requirements given below, which are applicable only to element level classification [Denning 87]. 
The three requirements are automatically met for tuple level classification.

The first requirement is the same as for the standard relational model, that no tuple in an Rc have 
a null value for any attribute in PK. The second requirement states that the PK values should be 
uniformly classified; otherwise, the PK value would not be wholly non-null or wholly null for 
some security level. The third requirement states that the security level of values for the attributes 
not in PK must dominate the security level of the PK attributes; otherwise, there could be instances 
where non-null attributes would be associated with a null primary key when viewed below the level 
of the primary key. These three requirements can be more formally defined as follows:

A multilevel relation schema R is said to satisfy entity integrity, if for all relation instances Rc 
of R and, tuple t ? Rc,

1.	If Ai  ? PK, then t[Ai]  ?null,

2.	If Ai, Aj ? PX, then t[Ci] = t[Cj], i.e., PK is said to be uniformly classified, and

3.	If Ai  ? PK, then t[Ci]  t[C[PK]] (where C[PK] is the classification of the apparent 
primary key PK).

3.5	REFERENTIAL INTEGRITY IN MULTILEVEL RELATIONS

As discussed in the previous section, a non-null foreign key value in a referencing relation should 
always have a matching primary key value in the referenced relation. In an MLS database, this 
requirement has implications for the relationship among the security levels of the attributes of the 
foreign key and the security level of the referenced primary key. In addition, the possible actions 
which could be taken to enforce referential integrity on update and deletion can introduce covert 
channels as discussed in Section 4. Relation schemas, in the following example, will be used to 
illustrate the different situations in which a security conflict may occur.

Example 5. Consider the multilevel relation schema PS given in Example 2. Person_Name is the 
apparent primary key of the relation schema PS, and Starship is the foreign key of PS, which refers 
to the relation schema SOD. Typical relation instances for SOD and PS are given in Figure 3.2. 
Note that in the example schema only the attribute names are part of the primary key and the 
foreign key. The respective security levels are not a part of the key. Therefore, there are some 
tuples with the security level of the foreign key in relation PS higher or lower than the security level 
of the corresponding primary key in relation SOD. The example includes such tuples to explain the 
conflicts arising when the security levels are at different levels.

SOD



STARSHIP

OBJECTIVE

DESTINATION

Enterprise U

Exploration U

Talos U

Voyager U

Spying S

Mars S

Apollo S

Spying S

Moon S

PS

PERSON_NAME

STARSHIP

James Kirk U

Enterprise U

Mr. Spock U

Voyager S

Tim McKelley U

Apollo U

Figure 3.2: Typical Relation Instances for SOD and PS

Recall the definition of referential integrity for standard relational databases:

Referential Integrity: If FK is a foreign key of R1 referencing R2, PK is the primary key of 
R2, t1 is a tuple of an instance R1 of R1, and t2 is a tuple of an instance R2 of R2, then

1.	t1 [FK] is either wholly null or wholly non-null, and

2.	Whenever t1[FK] is non-null, there is a tuple t2 in R2 such that t1[FK] = t2[PK].

For MLS databases we need to have this property be true for the database as seen from any security 
level. Assume tl [FK] is not wholly null as viewed from some security level. The first requirement 
above says that it must then be wholly non-null. If the attribute values making up FK did not all 
have the same security level, there would be some security level for which some of the attribute 
values in FK would be null and others non-null. Since this is not allowed, all attribute values in FK 
must have the same security level. If all attribute values of FK are null, then by convention they 
are assigned the same security level. This argument gives us the first rule for referential integrity.

Rule 1. The foreign key of the referencing relation must be uniformly classified (i.e., all 
attribute values that make up the foreign key must be assigned an identical security level).

This rule is automatically satisfied for tuple level labeling.

The second part of referential integrity requires that if the foreign key FK is not null then there is 
a matching primary key PK in the referenced relation R2. For this to be true for the database as 
seen from the security level of FK, the matching PK must be visible at the security level of FK. 
Hence, the security level of FK must dominate the security level of the matching primary key PK. 
This gives us the second rule of referential integrity.

Rule 2. The security level of the foreign key must dominate the security level of the primary 
key of the referenced tuple (i.e., C[FK] > C[PK]).

For tuple level labeling, this rule reduces to the requirement that the security level of the referenced 
tuple must be dominated by the security level of the referencing tuple.

PS

PERSON_NAME

STARSHIP

James Kirk U

Enterprise U

Mr. Spock U

Null U

Tim McKelley U

Apollo U

SOD



STARSHIP

OBJECTIVE

DESTINATION

Enterprise U

Exploration U

Talos U

Voyager U

Null U

Null U

Figure 3.3: Unclassified Instances of PS and SOD Relations

Example 6. Consider the relations SOD and PS as shown in Figure 3.2. An Unclassified user sees 
the two relations as given in Figure 3.3. For the Unclassified user, the referential integrity property 
has been violated because there is no Starship "Apollo" visible to the Unclassified user. From the 
Unclassified user's point of view either Starship "Apollo" does not exist, which is a referential 
integrity error, or it references a classified Starship that is not displayed to the user, which is a 
security error.

3.6	ENFORCEMENT OF INTEGRITY CONSTRAINTS

Most of the research work on the topics covered in this document has either focused on 
polyinstantiation as a mechanism to deal with primary key requirements and entity integrity or has 
dealt with the broader question of inference. Meadows did some early work on the conflicts of 
integrity and security that mainly considered approaches for maximizing integrity while 
eliminating inference channels [Meadows 88]. Polyinstantiation and inference research are 
covered in the appropriate TDI companion documents. However, there are several works dealing 
with aspects of database integrity which go beyond just entity and referential integrity and do not 
fit into those areas.

Notargiacomo and Wiseman have explored separation of duty as an approach to protect data from 
unauthorized modification within MLS databases [Notargiacomo 91; Wiseman 90]. The concept 
of applying separation of duty to integrity enforcement is to ensure that, before a modification to 
the state is made, sufficient people agree that it properly reflects the real world requirement. The 
fact that certain users are unlikely to collude with a particular change, an underlying assumption, 
is indicated by the way roles are assigned to users. Notargiacomo explores the issues of integrating 
an interpretation of the Clark-Wilson integrity model [Clark 87, 88] into a multilevel DBMS 
security policy. Her preliminary investigation raised issues on object granularity; interaction of 
MAC, DAC, and integrity policies; application of Clark-Wilson type controls to classes of users; 
and the need for nested transactions. Wiseman sees the high level abstract view of separation of 
duty as several people agreeing to change state. Integrity can be encouraged by enforcing 
constraints which ensure the state is always valid and by subjecting inputs to separation of duty.

Reind van de Reit and Beukering describe how constraints involving integrity and security can be 
specified in MOXUM, their active object-oriented knowledge-base system [van de Reit 94]. Their 
premise is that changes to the database should be governed by rules in the form of integrity 
constraints and security checks. In this case, integrity constraints refer to the quality of the data, 
while security constraints refer to protection and access rights. Both kinds of constraints are 
specified in MOKUM as Prolog predicates and are not separated. Each time some manipulation on 
an object or a collection mentioned in a constraint is performed (create/change/inspect/destroy), 
some check has to be performed. The Prolog scripts regulate access to object collections and 
enforce integrity constraints through triggers. This implies a need to extend the Trusted Computing 
Base to include the Prolog compiler which is problematic with respect to assurance.

In addition to considering the entity and referential integrity conflicts with security, Maimone and 
Allen provide alternatives to resolving problems that arise in maintaining transaction integrity and 
value constraints [Maimone 91]. A security conflict with transaction integrity may arise if a single 
transaction is designed so that some steps must perform write operations at different security 
levels. Value constraints are defined integrity rules that may restrict the valid values for a data 
element. A conflict arises when some existing data classified above the label of the user activating 
the constraint does not meet constraints defined after object creation. They make the distinction 
between the use of triggers and constraints for enforcing integrity rules. The utility of declarative 
constraints, including primary and foreign key and value or domain constraints, is that the 
constraint declares an invariant property, detailing the meaning of a consistent state.

Marks and Jajodia [Jajodia 94] have developed a technique to enforce certain integrity constraints 
and minimize the amount of sensitive information disclosed. They transform multilevel constraints 
into constraints that can be enforced at individual levels and approximate enforcement of the 
multilevel constraint.

SECTION 4

COVERT CHANNELS

The B2 or higher MAC requirements of the TCSEC specify that an MLS system must additionally 
guard against indirect accesses through information flows. It is recognized that some covert 
channels will exist in any system. The TCSEC provides guidelines on what actions must be taken 
for channels depending on the bandwidth of the channel. Enforcement of integrity constraints can 
create covert channels. These channels are discussed in this section. Interpretations indicating 
precisely what channels will be deemed acceptable for systems evaluated against various TCSEC 
levels will be developed as the Evaluation Community deals with specific vendor implementations.

4.1	PRIMARY KEY UNIQUENESS

Problems arise in multilevel relations when a user at a lower security level tries to enter a tuple with 
the same primary key value as that of an existing tuple at a higher security level or when a user 
tries to update the primary key attribute to a value that already exists at a higher level. This insert/
update cannot be allowed if primary key uniqueness is to be preserved. On the other hand, if the 
user is not allowed to insert the primary key value, then there exists a covert channel. The following 
example provides a concrete illustration.

Example 7. Consider the multilevel relation schema SOD of Example 4 in Section 3.2; the actual 
relation is the same as the Secret instance shown in Figure 3.3. Suppose the Unclassified user, who 
sees the Unclassified instance in Figure 3.3, attempts to update the missing values in the second 
tuple corresponding to the starship "Voyager." If the user is allowed to do this update, then there 
will be two tuples corresponding to the primary key value of Starship "Voyager" in the Secret 
instance, leading to a violation of the primary key constraint, as shown in Figure 4.1. But if the 
Unclassified user's attempt is rejected, then there is a channel. Since this is unacceptable, a way 
must be found to deal with the existence of both tuples in the Secret instance.



STARSHIP

OBJECTIVE

DESTINATION

Enterprise U

Exploration U

Talos U

Voyager U

Spying S

Mars S

Voyager U

Exploration U

Moon U

Figure 4.1: SOD After Insertion of Tuple Corresponding to Starship = "Voyager" by 
Unclassified User

Since the user can infer that a Secret tuple exists with the same primary key the user is attempting 
to insert, this channel can be viewed as an example of inference. However, it also represents a 
covert channel because a Secret process can insert or delete tuples with a given primary key and 
this action could be detected by the Unclassified user. To avoid this channel, both the Secret tuple 
and the Unclassified tuple for the starship "Voyager" must somehow co-exist in the instance at the 
Secret level.

These security considerations have led to the notion of polyinstantiation [Denning 87]. 
Polyinstantiation forces a relation to contain multiple tuples with the same primary key but 
distinguishable by their classification levels or by the non-primary key attributes of the relation 
[Lunt 91]. It is because the user designated primary key must be augmented with classification 
levels to maintain primary key uniqueness in a polyinstantiated database that we have used 
Denning'' term apparent primary key for the user-specified primary key. Jajodia contends that the 
use of polyinstantiation for cover stories needs to be confined to those cases where it is intended 
since uncontrolled use of polyinstantiation leads to further loss of integrity and confusion with the 
semantics of the relational data model [Jajodia 90].

The debate continues as to whether polyinstantiation is needed in multilevel relations or not 
[Sandhu 91]. If polyinstantiation is not required in multilevel relations, then there must be a 
solution to close channels. If polyinstantiation is used, then the question is how polyinstantiation 
should be managed. Burns maintains that as a result of the fundamental conflict with enforcing 
confidentiality and secrecy of information in an MLS database with integrity, DBMS products will 
have to be expanded to include the ability to correct the errors and inconsistencies introduced by 
polyinstantiation [Burns 90a]. A thorough discussion of all the issues associated with 
polyinstantiation is beyond the scope of this document, but is covered in another volume in this 
series: Polyinstantiation Issues in Multilevel Secure Database Management Systems [Poly 96]. For 
the purpose of this document, the discussion of polyinstantiation is confined to the impact it has on 
referential integrity.

4.2	ENFORCEMENT OF REFERENTIAL INTEGRITY RULES

Section 3 showed that for referential integrity in an MLS database, the security level of the foreign 
key must dominate the security level of the primary key of the referenced tuple (C [FK]   C[PX]). 
This requirement guarantees that the referenced primary key will be visible to any user who sees 
the foreign key as non-null. However, the situation is somewhat more complicated if the referenced 
relation is polyinstantiated. In this event, there may be more than one tuple with an apparent 
primary key matching FK. Some method must be used to uniquely and consistently determine 
which primary key will be considered to be the referenced primary key. One approach is to 
augment FK with the security level of its attributes (the tuple security level if tuple level labeling 
is used). If that approach is used, a matching PK will have the same security level as FX and the 
requirement on the relationship between security levels of PK and FK becomes C[FK] = C[PK].

Enforcement of referential integrity through the rules described in Section 2.2 can result in covert 
channels. These channels are discussed below. The discussion is divided into the two permitted 
cases: C[FK] = C[PK] and C[FK] > C[PK].

4.2.1	Enforcement of Integrity Rules When C[FK] = C[PK]

To study the enforcement of integrity rules when the security level of the referencing tuple and the 
security level of the referenced tuple are the same, we need to look at the cases of the four different 
levels of granularity in multilevel relations. For relations with relation level labeling or tuple level 
labeling, all the integrity rules are usable without modification because this case can be considered 
to be equivalent to relationships occurring in a single-level database. For attribute and element 
level labeling there is a potential channel for the CASCADFS-delete rule. All other rules can be 
enforced without any problem. This channel can be better explained with the help of an example.

Example 8. Consider the two relations SOD and PS as given in Figure 4.2. The security level of 
the foreign key in relation PS in this example is the same as the security level of the referenced 
primary key in relation SOD. For the second tuple in relation PS, an Unclassified user oily sees the 
attribute Person_Name. The user is not cleared to see the value of Starship for this tuple and also 
the user cannot see the corresponding referenced tuple in relation SOD. Suppose a Confidential 
user comes in and attempts to delete the second tuple in relation SOD where Starship = "Saratoga." 
If the delete rule specified is a CASCADES-delete, then the referencing tuple in PS is also deleted. 
An Unclassified user now will not see the attribute value Person_Name = "Mr. Spock" any more, 
and this causes a channel.

PS

PERSON_NAME

STARSHIP

James Kirk U

Enterprise U

Mr. Spock U

Saratoga C

SOD



STARSHIP

OBJECTIVE

DESTINATION

Enterprise U

Exploration C

Talos C

Saratoga C

Mining C

Rigel C

Figure 4.2: Relation PS and SOD when C[FK] = C[PK]

The channel in this case can be avoided if the equivalence of the security levels of the foreign key 
and the referenced primary key is extended. If the security level of the entire referencing tuple is 
the same as the security level of the entire referenced tuple, then no violations occur when 
enforcing the insert, delete, and update rules. This fact has been acknowledged in the SeaView 
model [Lunt 90] and the referential secrecy model given by Burns [Burns 90b]. Burns also suggests 
selective enforcement of referential integrity in those cases where the security level of both the 
referencing relation and the referenced relation are not the same, assuming that the channel either 
can be monitored or is deemed not to cause a serious threat.

4.2.2	Enforcement of Integrity Rules When C[FK] > C[PK]

Now the final case will be considered where the security level of the referencing tuple dominates 
the security level of the referenced tuple. Each of the integrity rules for insert, delete, and update 
will be considered individually, and the effect of the dominance of the referencing tuple's security 
level over that of the referenced tuple will be investigated. The effect of different levels of labeling 
granularity in multilevel relations upon enforcement of integrity will also be considered. 
Throughout this discussion, we will assume that either the relations are not polyinstantiated or a 
consistent method is employed to determine the unique primary key referred to by a foreign key.

1.	Element-Level Granularity - Each of the integrity rules for insert, delete, and update is 
examined individually for relations with element-level granularity, and conditions 
violating the security constraints are investigated.

a.	Delete Rule - As discussed in Section 2.2.1, the four delete rules for referential 
integrity in single-level relations are as follows:

i.	RESTRICTED-delete Rule

ii.	CASCADES-delete Rule

iii.	NULLIFIES-delete Rule

iv.	SET-DEFAULT-delete Rule

Each of these rules is considered in turn for applicability to multilevel relations labeled at the 
element level.

i.	RESTRICTED-delete Rule - The RESTRICTED-delete rule states that the referenced 
primary key tuple cannot be deleted as long as there is a corresponding referencing 
tuple somewhere in the database. For instance, consider the relations SOD and PS 
given in Figure 4.3.

In relation PS, the security level of the foreign key value Starship = "Voyager" dominates 
the security level of the primary key value in the relation SOD. According to the 
RESTRICTED-delete rule, as long as there is a tuple having foreign key value "Voyager" 
in PS, the tuple with primary key value "Voyager" cannot be deleted from the relation 
SOD. This gives rise to a channel, as there is a downward flow of information from the 
high-level referencing foreign key to the low-level subject attempting to delete the tuple 
containing the primary key. Therefore, the RESTRICTED-delete Rule violates secrecy 
when the security level of the foreign key dominates the security level of the primary key 
of the referenced tuple.

ii.	CASCADES-delete Rule - If the delete rule specified is the CASCADES-delete rule, 
then if the tuple in SOD with Starship = "Voyager" is deleted at the Unclassified level, 
then the tuple in PS with Starship = "Voyager" at the Secret level should also be 
deleted. In the relation instance of PS, given in Figure 4.3, Person_Name = "Mr. 
Spock" is at the Unclassified level in the tuple containing Starship = "Voyager" at the 
Secret level. Although the Unclassified user would not see any value for Starship in 
the PS tuple with Person_Name = "Mr. Spock," this tuple will be deleted as a result of 
the CASCADES-delete action. Therefore, the user will be able to infer that the tuple 
contained Starship = "Voyager." This is a channel. If the attribute value "Mr. Spock" 
were classified as Secret, there would have been no channel. Hence, the CASCADES-
delete rule fails in relations with element-level labeling and C[FK] > C[PK], if any 
non-foreign key attribute value in the referencing tuple is at a lower security level than 
the foreign key attribute value. Even though the CASCADES-delete rule is not invalid 
for all the cases, channels exist that cannot be covered or be removed. Hence, 
CASCADES-delete cannot be used for defining an integrity constraint in relations 
with element-level labeling which allow a foreign key to strictly dominate its 
corresponding primary key.

SOD



STARSHIP

OBJECTIVE

DESTINATION

Enterprise U

Exploration U

Talos U

Voyager U

Spying S

Mars S

Apollo S

Spying S

Moon S

PS

PERSON_NAME

STARSHIP

James Kirk U

Enterprise U

Mr. Spock U

Voyager S

Figure 4.3: Relations SOD and PS without Polyinstantiation

iii.	NULLIFIES-delete Rule - If the delete rule specified is NULLIFIES-delete, then 
the value of Starship = "Voyager" in relation PS is set to null when the tuple in SOD 
for Starship = "Voyager" is deleted. This does not conflict with the security 
constraints, as long as write-ups are allowed, since there would not be a downward 
flow of information.

iv.	SET DEFAULT-delete Rule - The argument for the SET DEFAULT-delete rule is 
the same as for the NULLIFIES-delete rule. As previously noted, the SET 
DEFAULT rule is equivalent to the NULLIFIES rule when null is specified as the 
default.

In summary, when the foreign key value is higher than the security level of the primary key 
value, then the NULLIFIES-delete rule and the SET DEFAULT-delete do not create 
downward information flows. However, the RESTRICTED-delete and CASCADES-
delete rules can result in covert channels.

b.	UPDATE Rule - As discussed in Section 2.2.2, the four update rules for referential 
integrity in single-level relations are as follows:

i.	RESTRICTED-update Rule

ii.	CASCADES-update Rule

iii.	NULLIFIES-update Rule

iv.	SET DEFAULT-update Rule

The following paragraphs discuss the application of the update rules to multilevel relations labeled 
at the element level.

i.	RESTRICTED-update Rule - Consider the relations SOD and PS given in Figure 
4.2. In relation PS, the security level of the foreign key value Starship = "Voyager" 
dominates that of the primary key value in the relation SOD. According to the 
RESTRICTED-update rule, as long as there is a tuple having foreign key value 
"Voyager" in PS, the primary key value "Voyager" cannot be updated in the 
relation SOD. This gives rise to a channel because there is flow of information from 
the high-level referencing foreign key to the low-level subject attempting to delete 
the tuple containing the primary key. Therefore, the RESTRICTED-update Rule 
will not work when updating a referenced tuple if the security level of the 
referencing tuple dominates the security level of the referenced tuple.

ii.	CASCADES-update Rule - The CASCADES-update Rule states that if the primary 
key value Starship = "Voyager" in SOD is updated, then the foreign key value 
Starship = "Voyager" in PS will also be updated. This does not conflict with the 
security constraints, as long as write-ups are allowed, since there would not be a 
downward flow of information.

iii.	NULLIFIES-update Rule - The NULLIFIES-update Rule specifies that the value of 
Starship = "Voyager" in relation PS be set to null if Starship = "Voyager" in SOD 
is updated. Again, this does not conflict with the security constraints, as long as 
write-ups are allowed, since there would not be a downward flow of information.

iv.	SET DEFAULT-update Rule - The SET DEFAULT-update Rule does not violate 
any security or integrity constraints when the security level of the foreign key 
dominates the security level of the primary key. The explanation is the same as for 
the NULLIFIES-update rule.

In summary, CASCADES-update, NULLIFIES-update, and SET DEFAULT-update do 
not result in downward information flow. The RESTRICTED-update rule can result in a 
covert channel.

c.	INSERT Rule - The insert rule for integrity states that the insertion of a foreign key 
value should comply with the referential integrity rules; that is, each foreign key value 
in the referencing relation should have an identical primary key value in the referenced 
relation. In MLS databases, it is important to ensure that there is no downward flow of 
information when the insertion is made. If the security level of the referencing tuple 
(foreign key value) dominates the security level of the referenced tuple (primary key 
value), then there is no such possibility of a channel. If a higher user attempts to insert 
a foreign key value, the user's insertion is accepted or rejected based on the presence 
or absence of the referenced value at the lower security level. There will be only an 
upward flow of information, which means that both integrity and security rules are 
satisfied. It should be noted that, unlike with polyinstantiated relations, there is no 
confusion while inserting the tuples in the two relations.

SOD



No.

STARSHIP

OBJECTIVE

DESTINATION

TC

1

Enterprise

Exploration

Talos

U

2

Enterprise

Spying

Mars

S

PS

No.

PERSON_NAME

STARSHIP

TC

3

James Kirk

Enterprise

U

4

Mr. Spock

Enterprise

S

Figure 4.4: Relations with Tuple-Level Granularity

2.	Tuple-Level Granularity - The argument for referential integrity control in relations with 
tuple-level granularity is the same as the discussion above for element-level granularity. The only 
difference is that instead of each data element having an individual security level, the entire tuple 
in the relation is assigned a security level as shown in Figure 4.4. As is the case for element-level 
granularity, a security conflict occurs when the RESTRICTED-update/delete option is enforced. 
There is a downward flow of information when a low user tries to update/delete a target value, and 
is allowed to do so depending on the absence of a matching referencing tuple at a higher level. All 
other integrity rules are valid for relations with tuple-level granularity. The problem with 
CASCADES-delete that occurs for element-level granularity does not occur with tuple-level 
granularity because, for tuple-level granularity, each element in the tuple is explicitly assumed to 
have the same security level as defined in the tuple class. As such, a user will never be in the 
situation where he can view some attributes of a tuple but not others and then witness the tuple 
vanish due to a cascading delete on attributes that the user is not cleared to see, which would be a 
covert channel due to the inference of the high attribute's value.

3.	Attribute-Level Granularity - As described earlier, attribute-level granularity means that each 
attribute in a relation is assigned a single security level. All values of an attribute are classified at 
the same level of security across all tuples in the relation. From the discussion in Section 3.5, to 
maintain referential integrity, the security level of the foreign key attribute in the referencing 
relation must dominate the security level of the primary key attribute in the referenced relation.

The case to be considered is where the security level of the foreign key attribute strictly dominates 
the security level of the apparent primary key attribute. In this case, the relations SOD and PS are 
as given in Figure 4.5.

SOD



No.

STARSHIP U

OBJECTIVE S

DESTINATION U

1

Enterprise

Exploration

Talos

2

Voyager

Spying

Mars

PS

No.

PERSON_NAME U

STARSHIP S

3

James Kirk

Enterprise

4

Mr. Spock

Enterprise

Figure 4.5: Relations with Attribute-Level Granularity

Following the discussion earlier, it can be observed that all the integrity rules can be applied to the 
case above except for the RESTRICTED-delete or the RESTRICTED-update rule. Under 
RESTRICTED-update or delete, whenever a lower subject tries to update or delete the tuple 
containing a particular primary key attribute value, the attempt is accepted or rejected based on the 
presence of a matching value in the foreign key attribute at the higher security level. This gives rise 
to a channel.

4.	Relation-Level Granularity - As defined earlier, a relation with relation-level granularity has 
a single classification level defined for the entire relation, or in other words, all data elements in 
the relation are at the same security level.

For instance, consider the relation schema SOD, given in Example 4, and the relation 
schema PS, given in Example 6. Relation PS references relation SOD, with Starship being 
the foreign key attribute. The security level of the primary key "Starship" (i.e., C[PK]) is 
the same as the security level of the relation SOD, and the security level of the foreign key 
"Starship" (i.e., C[FK]) is the same as the security level of the relation PS. Based on the 
restrictions derived in rule 2 in Section 3.5, the security level of the foreign key should 
always dominate the security level of the primary key. Therefore, for relation-level 
granularity, the security level of the relation PS should dominate the security level of the 
relation SOD.

Let the security level of relation SOD be Unclassified and of PS be Secret. Then C[FK] = 
Secret and C[PK] = Unclassified (i.e., C[FK] > C[PK]). From the discussion in Section 3.5, 
it can be seen that, if C[FK] > C[PK], then all integrity rules except RESTRICTED-delete 
and RESTRICTED-update can be used, without any covert channels.

The table below gives a summary of the integrity rules that apply to different levels of granularity 
without compromising secrecy by permitting downward information flows. In the case of 
polyinstantiated relations it is necessary in all cases that there be a method to unambiguously 
determine which instance of the apparent key is referenced.

Level of Granularity

Element

Tuple

Attribute

Relation

Insert Rule

OK

OK

OK

OK

Delete Rules:

RESTRICTED-delete

Channel

Channel

Channel

Channel

CASCADES-delete

Channel

OK

OK

OK

NULLIFIES-delete

OK

OK

OK

OK

SET-DEFAULT-
delete

OK

OK

OK

OK

Update Rules:

RESTRICTED-update

Channel

Channel

Channel

Channel

CASCADES-update

OK

OK

OK

OK

NULLIFIES-update

OK

OK

OK

OK

SET-DEFAULT-
update

OK

OK

OK

OK

Table 4.1: Summary of Covert Channels in Referential Integrity Rules for C[FK] > C[PK]

4.3	RELATION TO DBMS ARCHITECTURE

A Trusted Computing Base (TCB) consists of one or more sub-elements that together enforce a 
security policy over a system. Complex systems distribute policy enforcement to various sub-
elements. While determining the trust characteristics of a complex system on the basis of a 
collection of subparts is not well understood, there are approaches for arguing about composition 
of systems.

The approach used in the TDI is to view the system as being composed of hierarchically-ordered 
systems. There is a "privilege" hierarchy characterized by dependency. The construct developed 
for dealing with layered systems is TCB subsets. A TCB subset enforces a security policy over a 
set of resources for that layer, and may or may not include hardware. If a TCB subset can be shown 
to be constrained and unprivileged relative to the more primitive TCB subset from which it obtains 
resources, then the scope of the covert channel analysis can be limited. An example of this 
approach is the SeaView prototype.

SRI International developed the SeaView prototype multilevel RDBMS to validate the SeaView 
theoretical model and to demonstrate that the prototype is suitable for engineering development 
[Hsieh 93]. The design approach provides users with element-level labeling. SeaView constructs 
multilevel relations as views over stored single-level relations. The single-level relations are stored 
in files managed by an underlying multilevel operating system. Thus, individually labeled data 
elements need not be stored in individually labeled storage objects. The SeaView approach allows 
multilevel database operations to be decomposed into corresponding single-level operations on the 
single-level relations. The decomposition is transparent to the user, who considers the multilevel 
relations to be stored relations. Thus, the SeaView model extends entity and referential integrity to 
multilevel relations. It also allows application dependent integrity rules to be defined on multilevel 
relations; and it ensures that updates of multilevel relations are well defined. In addition, the 
SeaView model constrains multilevel relations with polyinstantiation integrity, which specifies 
consistency for polyinstantiated tuples and elements.

In the SeaView approach, the underlying architecture guards against covert channels during 
enforcement of entity and referential integrity. This is because the DBMS instance operating on 
behalf of a subject is untrusted with respect to the underlying operating system MAC policy (i.e., 
it can only read data with a security level dominated by the subject's level and can only write data 
with a security level dominating the subject's level). SRI utilized Trusted Oracle OS MAC Mode, 
which has been evaluated as a constrained TCB subset architecture [Oracle 94].

On the other hand, a secure DBMS can be built with MAC enforcement done in the DBMS, not 
just the underlying operating system. In this approach, the DBMS will have the privilege to violate 
the operating system's MAC controls. With this architecture, called a trusted subject architecture, 
the DBMS designer has to make a tradeoff between channel free enforcement of entity and 
referential integrity constraints, or enforcement of the constraints in a manner which allows 
selected channels. In the latter case, the constraint enforcement mechanism must be carefully 
analyzed to make sure that the downward information flows are thoroughly understood and that 
they are acceptable for the target environment or evaluation class. For example, Trusted Oracle7 
DBMS MAC Mode (which uses the trusted subject architecture) was successfully evaluated at 
Class B1 [Oracle 94]. In DBMS MAC Mode, entity and referential integrity can be enforced. An 
audit event was added to Trusted Oracle7 to detect use of potential covert channels.

SECTION 5

SUMMARY

Entity integrity and referential integrity are two important integrity constraints that should be 
enforced by the DBMS. While entity integrity is necessary for preserving correctness of data 
within a relation, referential integrity is required for maintaining interrelation integrity in the 
relational data model. In this document, these concepts have been extended to multilevel DBMSs.

The extension of the concept of referential integrity from single-level relations to multilevel 
relations is not straightforward. This is because restrictions are needed to provide referential 
integrity control in multilevel DBMSs without compromising secrecy. The basic requirement for 
referential integrity is that each referencing foreign key value must have an identical target primary 
key value in the referenced relation. An additional requirement for multilevel relations is that each 
foreign key and primary key should be uniformly classified (i.e., all attributes included in a key 
should have the same security level) and each foreign key dominates its referenced primary key.

From the discussion in the document, it can be concluded that enforcing referential integrity, when 
the security level of the foreign key is equal to the security level of the referenced primary key, is 
simple and without any ambiguity. All integrity rules apply in this case, whether the relations allow 
polyinstantiation or not. When polyinstantiation is allowed, some method such as including the 
security level of the primary and foreign key values as part of the key must be used to differentiate 
references, and allow the referential integrity rules to be enforced.

Referential integrity completely fails when the security level of the foreign key does not dominate 
the security level of the primary key. When the security level of the foreign key strictly dominates 
the security level of the referenced primary key, some of the integrity rules for actions to be taken 
upon deletion or modification of a key value can be applied without channels, with some 
differences based on labeling granularity.

Inclusion of a mechanism which enforces integrity across security levels in Class B2 and above 
DBMSs may not be feasible due to conflicts with the covert channel requirements. However, with 
the successful evaluation of Trusted Oracle7 DBMS MAC Mode with an unmodified integrity 
mechanism, precedence has been set for Class B1 DBMSs.

REFERENCES

[ANSI 92]	ANSI. Database Language SQL2. In ANSI X3.135-1992, American National 
Standards Institute, New York. December 1992.

[ANSI 94]	ANSI. SQL3 - Working Draft. Draft Version, Available From X3 Secretariat, 
Computer and Business Equipment Manufacturers Association (CBEMA), 1250 
Eye St. N.W., Suite 200 Washington, D.C. 20005-3992. September 1994.

[Audit 96]	National Computer Security Center, Auditing Issues in Secure Database 
Management Systems, NCSC Technical Report-005, Volume 4/5, May 1996.

[Bell 76]	D. E. Bell and L. J. LaPadula. Secure Computer Systems: Unified Exposition and 
Multics Interpretation, The MITRE Corporation. March 1976.

[Burns 90a]	R. K. Burns. Integrity and Secrecy: Fundamental Conflicts in the Database 
Environment. In Proceedings of the Third RADC Database Security Workshop, 
Castille, NY. 1990.

[Burns 90b]	R. K. Burns. Referential Secrecy. In Proceedings of the IEEE Symposium on 
Security and Privacy, IEEE Computer Society Press. May 1990.

[Clark 87]	D. D. Clark and D. R. Wilson. A Comparison of Commercial and Military 
Computer Security Policies. In Proceedings of the IEEE Symposium on Security 
and Privacy, Oakland, CA. May 1987.

[Clark 88]	D. D. Clark and D. R. Wilson. Evolution of a Model for Computer Integrity. In 
Proceedings of the 11th National Computer Security Conference, Baltimore, 
MD. October 1988.

[DAC 96]	National Computer Security Center, Discretionary Access Control Issues in 
High Assurance Secure Database Management Systems, NCSC Technical 
Report-005, Volume 5/5, May 1996.

[Date 86]	C. J. Date. An Introduction to Database Systems, Vol. I, 4th Edition, Addison-
Wesley, Reading, MA. 1986.

[Date 90]	C. J. Date. Referential Integrity and Foreign Keys: Further Considerations. In 
Relational Database Writings 1985-1989, Addison-Wesley, pp. 99-184. 1990.

[Denning 87]	D. E. Denning, T. F. Lunt, R. R. Schell, M. Heckman, and W. R. Shockley. "A 
Multilevel Relational Data Model," Proceedings of the 1987 IEEE Symposium 
on Security and Privacy, IEEE Computer Society Press, pp. 220-234. 1987.

[DoD 85]	Department of Defense Trusted Computer System Evaluation Criteria, DoD 
5200.28-STD, Washington, DC. December 1985.

[Hsieh 93]	D. Hsieh, T. Lunt, and P. Boucher. The SeaView Prototype. RL-TR-93-216 Final 
Technical Report, SRI International. November 1993.

[Horowitz 92]	B. M. Horowitz. A Run-Time Execution Model for Referential Integrity 
Maintenance. In Proceedings of the 8th International Conference on Data 
Engineering, Tempe, AZ, pp. 548-556. February 1992.

[Inference 96]	National Computer Security Center, Inference and Aggregation Issues in Secure 
Database Management Systems, NCSC Technical Report-005, Volume 1/5, 
May 1996.

[Jajodia 90]	S. Jajodia, and R. Sandhu. Polyinstantiation Integrity in Multilevel Relations. In 
Proceedings of the 1990 IEEE Symposium on Security and Privacy, Oakland, 
CA. May 1990.

[Jajodia 91]	S. Jajodia, and R. Sandhu. Toward a Multilevel Secure Relational Data Model. 
In Proceedings of ACM SIGMOD International Conference on Management of 
Data, Denver, CO, pp. 50-59. May 1991.

[Jajodia 94]	S. Jajodia and D. G. Marks. Maintaining Secrecy and Integrity in Multilevel 
Databases: A Practical Approach. In Proceedings of the 18th National 
Information Systems Security Conference, Baltimore, MD. Oct. 10-13 1995.

[Khoshafian 86]	S. N. Khoshafian and G. P. Copeland. Object Identity. In Proceedings for 
OOPSLA 1986. pp. 406-416. September 1986.

[Lunt 90]	T. F. Lunt, D. E. Denning, R. R. Schell, M. Heckman, and W. R. Shockley. The 
SeaView Security Model. In IEEE Transactions on Software Engineering, Vol. 
16, No. 6, pp. 593-607. June 1990.

[Lunt 91]	T. F. Lunt, and D. Hsieh. Update Semantics for a Multilevel Relational Database 
System. In Database Security, IV: Status and Prospects, S. Jajodia and C. E. 
Landwehr (editors), Elsevier Science Publishers B. V. (North Holland), IFIP, pp. 
281-296.1991.

[Maimone 91]	B. Maimone and R. Allen. Methods for Resolving the Security vs. Integrity 
Conflict. In Research Directions in Database Security, IV: Proceedings of the 
Fourth RADC Workshop, Rae Burns (editor). April 1991.

[Markowitz 90]	V. M. Markowitz. Referential Integrity in Relational Database Management 
Systems: A Comparative Study. Preprint. 1990.

[Meadows 88]	C. Meadows and S. Jajodia. Integrity Versus Security in Multi-Level Secure 
Databases. In Database Security Status and Prospects, ed. C. Landwehr, North 
Holland. 1988.

[Notargiacomo 91] L. Notargiacomo. Database Integrity: Based on the Clark-Wilson Integrity 
Model. In Proceedings of the 3rd RADC Database Security Workshop. 1991.

[Oracle 94]	Oracle7 and Trusted Oracle7 Final Evaluation Report, NCSC-EPL-94/004, C-
Evaluation Report No. 07-95, Library No. S242,198, National Computer 
Security Center, 5 April 1994.

[Poly 96]	National Computer Security Center, Polyinstantiation Issues in Multilevel 
Secure Database Management Systems, NCSC Technical Report-005, Volume 
3/5, May 1996.

[Sandhu 91]	R. Sandhu and S. Jajodia. Honest Databases That can Keep Secrets. In 
Proceedings 14th National Computer Security Conference, Washington, D.C. 
Oct. 1991.

[TDI 91]	Trusted Database Management System Interpretation of the Trusted Computer 
System Evaluation Criteria, NCSC-TG-021, National Computer Security 
Center. April 1991.

[van de Reit 94]	R. van de Reit and J. Beukering. The Integration of Security and Integrity 
Constraints in MOKUM. In Proceedings of the 8th IFIP 11.3 WG on Database 
Security. Bad Sdzdetfurth, Germany, 23-26 August 1994.

[Wiseman 90]	S. Wiseman. The Control of Integrity in Databases. In Proceedings of the 4th 
IFIP 11.3 WG on Database Security, Halifax, England, 18-21 September 1990.
Rank
Person_Name
Primary key
PR
Foreign key
Primary key
Starship
Person_Name
Foreign key
PS
Primary key
Starship
Objective
Destination
SOD
Keith F. Brewster

Acting Chief, Partnerships and Processes
May 1996