A Protocol for Releasing Purpose Marks to Prevent Illegal Information Flow

A transaction is assigned with a purpose which is a collection of roles. Suppose a transaction T₁ writes an object o₂ after reading an object o₁ and then another transaction T₂ reads the object o₂ and writes an object o₃. Here, data in the object o₁ might flow into o₃ via o₂. Unless T₂ is granted a read access right of the object o₁, illegal information flow occur. In order to prevent the illegal information flow, T₁ marks the object o₂ with the purpose of T₁. T₂ cannot read o₂ unless the purpose of T₂ includes a read right of o₁. In result, the throughput is degraded. Objects whose information may flow into an object o are source objects of o. An object is timed out if it takes some time units after the object is lastly written. While there occur no illegal information flow in our purpose marking (PM)protocol, transactions which imply illegal information flow are aborted. We evaluate the PM protocol in terms of how many transactions are aborted.