1 Workshop Summary.- 1.1 Introduction.- 1.2 Labels.- 1.3 Aggregation.- 1.4 Discretionary Security.- 1.5 The Homework Problem.- 1.6 Classification Semantics.- 1.7 Assurance.- 1.7.1 Balanced Assurance.- 1.7.2 TCB Subsetting.- 1.7.3 Layered TCB.- 1.8 New Approaches.- 1.9 Classifying Metadata.- 1.10 Conclusions.- 1.11 References.- 2 SeaView.- 2.1 Introduction.- 2.2 Multilevel Security.- 2.3 Multilevel Relations.- 2.3.1 The Extended Relational Integrity Rules.- 2.3.2 Polyinstantiation.- 2.3.3 Constraints.- 2.4 Discretionary Security.- 2.5 Multilevel SQL.- 2.5.1 The Access Class Data Type.- 2.5.2 Dealing with Polyinstantiation.- 2.5.3 Creating Multilevel Relations.- 2.6 The SeaView Verification.- 2.7 The SeaView Design.- 2.8 Data Design Considerations.- 2.9 Conclusions.- 2.10 References.- 3 A1 Secure DBMS Architecture.- 3.1 Introduction.- 3.2 The A1 Secure DBMS Modes of Operation.- 3.3 The A1 Secure DBMS Security Policy Overview.- 3.4 A1 Secure DBMS Architecture.- 3.5 Why is ASD Needed.- 3.6 For Further Information.- 3.7 References.- 4 An Investigation of Secure Distributed DBMS Architectures.- 4.1 Introduction.- 4.1.1 Background.- 4.1.2 Requirements.- 4.2 Concept of Operation.- 4.2.1 Users.- 4.3 Security Policy Overview.- 4.3.1 Discretionary Access Control.- 4.3.2 Mandatory Access Control.- 4.4 Architecture Definition.- 4.4.1 Abstract Model.- 4.4.2 Architectural Parameters.- 4.4.3 Family of Architecture Generation.- 4.5 Discretionary Access Control Enforcement.- 4.6 Summary and Conclusions.- 4.7 References.- 5 LOCK Data Views.- 5.1 Introduction.- 5.1.1 Problem Statement.- 5.1.2 Security Policy Overview.- 5.2 LOCK Security Policy Overview.- 5.2.1 DBMS Policy Extension Needs.- 5.2.2 DBMS Policy Extensions.- 5.3 Pipelines.- 5.3.1 The Response Pipeline Design.- 5.3.2 LOCK Pipeline Organization.- 5.3.3 Response Pipeline Organization.- 5.3.4 Pipeline Implications.- 5.4 Conclusions.- 5.5 References.- 6 Sybase Secure SQL Server.- 6.1 Introduction.- 6.2 Terms and Definitions.- 6.3 Objectives.- 6.4 B2 Design Philosophy.- 6.4.1 Database Server On A Network.- 6.4.2 B2 Sybase Secure SQL Server.- 6.5 Flow of Control.- 6.5.1 Login.- 6.5.2 Parsing and Compilation.- 6.5.3 Description of Procedures.- 6.5.4 Execution of Procedures.- 6.6 Trusted Operations.- 6.6.1 SSO Trusted Interface.- 6.6.2 User — Trusted Interface.- 6.7 Auditing.- 6.8 Conclusions.- 7 An Evolution of Views.- 7.1 Introduction.- 7.2 References.- 8 Discussion: Pros and Cons of the Various Approaches.- 8.1 Introduction.- 8.2 Inference Problem.- 8.3 Aggregation Problem.- 8.3.1 Problem Instances.- 8.3.2 Two Approaches.- 8.4 Retrospective.- 8.5 References.- 9 The Homework Problem.- 10 Report on the Homework Problem.- 10.1 Introduction.- 10.2 The Example Database.- 10.3 Summary.- 11 Classifying and Downgrading: Is a Human Needed in the Loop.- 11.1 Introduction.- 11.1.1 Underlying Concepts.- 11.1.2 Classifying Outputs.- 11.1.3 Semantic Level Approach.- 11.1.4 Classifying and Downgrading.- 11.2 The Issue.- 11.3 The Answer.- 11.4 Structured Data.- 11.5 Security Semantics of an Application.- 11.6 Types of Security Semantics.- 11.7 Textual Data.- 11.8 Summary.- 11.9 References.- 12 Session Report: The Semantics of Data Classification.- 12.1 Introduction.- 12.2 References.- 13 Inference and Aggregation.- 13.1 Introduction.- 13.2 Database Inference.- 13.2.1 The Problem.- 13.2.2 A Solution Approach.- 13.3 The Inference Problem.- 13.4 Analysis of Logical Inference Problems.- 13.4.1 When Classifying a Rule is Worse than Useless.- 13.4.2 Sphere of Influence Analysis.- 13.4.3 Network of Constraints.- 13.4.4 Questions.- 13.5 General Discussion.- 13.6 References.- 14 Dynamic Classification and Automatic Sanitization.- 14.1 Introduction.- 14.2 Sanitization.- 14.3 Initial Overclassification.- 14.4 Initial Underclassification.- 14.5 Discovered Misclassification.- 14.6 Automatic Classification.- 14.7 References.- 15 Presentation and Discussion on Balanced Assurance.- 15.1 Introduction.- 15.2 References.- 16 Some Results from the Entity/Relationship Multilevel Secure DBMS Project.- 16.1 Project Goals and Assumptions.- 16.2 A Multilevel Entity/Relationship Model.- 16.2.1 Data Model Semantics.- 16.2.2 Multilevel Security Characteristics.- 16.3 Results of Research.- 16.3.1 The Underlying Abstraction.- 16.4 Conclusions.- 16.5 References.- 17 Designing a Trusted Application Using an Object-Oriented Data Model.- 17.1 Introduction.- 17.2 The Object-Oriented Data Model.- 17.3 The SMMS as an Object-Oriented Database.- 17.4 Conclusion and Future Directions.- 17.5 References.- 18 Foundations of Multilevel Databases.- 18.1 Introduction.- 18.2 Definitional Preliminaries.- 18.3 Model Theoretic Approach.- 18.3.1 Query Evaluation.- 18.3.2 Database Updates.- 18.4 Proof Theoretic Approach.- 18.4.1 Query Evaluation.- 18.4.2 Database Updates.- 18.5 Environments and Fixed Points.- 18.5.1 Environments.- 18.5.2 Mappings.- 18.5.3 Fixed Points.- 18.5.4 Least Environment.- 18.5.5 Declarative and Procedural Semantics.- 18.6 Environments and Inference.- 18.7 Handling Negative and Indefinite Information.- 18.7.1 Closed-World Assumption.- 18.7.2 Negation by Failure.- 18.8 Formal Semantics of Time.- 18.9 Other Related Topics.- 18.9.1 Theory of Relational Databases.- 18.9.2 Consistency and Completeness of Security Constraints.- 18.9.3 Assigning Security Levels to Data.- 18.10 Conclusion.- 18.11 References.- 19 An Application Perspective on DBMS Security Policies.- 19.1 Introduction.- 19.2 Problems with Automatic Polyinstantiation.- 19.2.1 Polyinstantiation and Entity Integrity.- 19.2.2 Polyinstantiation and Referential Integrity.- 19.2.3 Polyinstantiation verses Application Consistency.- 19.2.4 Problems with Simplistic Mandatory Policies.- 19.3 Problems with View-Based Controls and Constraints.- 19.4 Requirement for Transaction Authorizations.- 19.5 Summary.- 19.6 References.- 20 New Approaches to Database Security: Report on Discussion.- 20.1 Introduction.- 20.2 Report on Discussion.- 20.2.1 Open Problems in Computer Security.- 20.2.2 Old Problems for Operating Systems but New Problems for Database Systems.- 20.2.3 Database-Specific Problems.- 20.2.4 Challenge Posed by Advances in Database Technology.- 20.3 Conclusion.- 20.4 References.- 21 Metadata and View Classification.- 21.1 Introduction.- 21.2 Justification for Metadata Protection.- 21.3 Metadata Classification Approaches.- 21.3.1 Internal Schema.- 21.3.2 Conceptual Schema.- 21.3.3 External Schema.- 21.4 Metadata Protection Schemes.- 21.5 User Access to Metadata.- 21.6 Affect of User Session Level on Data Classification.- 22 Database Security Research at NCSC.- 22.1 Introduction.- 22.2 Sponsored Research Projects.- 22.3 The Future.- 22.4 Discussion Topics.- 23 Position Paper on DBMS Security.- 23.1 Introduction.- 23.2 Conclusions.