Download Inference-proof View Update Transactions with Minimal Refusals

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
Document related concepts
no text concepts found
Transcript 
Fakultät für Informatik
LS 6 (ISSI)
Inference-proof View Update Transactions with
Minimal Refusals
Joachim Biskup and Cornelia Tadros
Faculty of Computer Science
Information Systems and Security – ISSI
16. September 2011
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
1 / 38
Fakultät für Informatik
LS 6 (ISSI)
Objectives:
Confidentiality: Protect confidential information in database
instance db according to personalized confidentiality policy psec.
Information Sharing: Provide database client with the following
services:
access database view view ,
query about (propositional) database instance,
update view with translation to update of database instance.
Inference Control: Prevent Client to infer confidential information
from query answers and update notifications.
Achievements: Inference-proof interaction protocols which automatically
refuse some requests
ensuring confidentiality and database integrity,
providing the client with no misinformation,
optimizing availability of view-updates under a policy of last-minute
intervention.
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
2 / 38
Fakultät für Informatik
LS 6 (ISSI)
1
View Update Transactions
2
Confidentiality Requirements
3
View Update Transaction Protocol
4
Availability Analysis
5
Conclusion
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
3 / 38
Fakultät für Informatik
LS 6 (ISSI)
View Update Transactions
Client-Server Interactions
invokes
replies
accesses
S∆
server
psec
view
θ
reads/
updates
θ
interaction
protocol
client C
REACT REACT
db
schema:
alphabet A
constraints con
θ query/view update request
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
4 / 38
View Update Transactions
Fakultät für Informatik
LS 6 (ISSI)
Database component
propositional complete database instance:
a set db of propositional variables.
defines truth-value assignment under closed world assumption (CWA).
database schema:
alphabet A of propositional variables and
integrity constraints con ⊆ LA
pl (set of propositional formulas).
defines reasonable instances db:
db ⊆ A
db |= con (with propositional model-of operator |=)
database view :
information of the instance db that is visible to the client.
a set view ⊆ LA
pl such that db |= view (No Misinformation).
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
5 / 38
View Update Transactions
Fakultät für Informatik
LS 6 (ISSI)
Database Operations
Query :
Syntax:
que(φ) where φ ∈ LA
pl
Semantics: evaluated by a database instance db
eval(φ)(db) := (db |= φ)
View-update transactions:
vtr (L) where L is a list of literals hX1 , . . . , Xl i
over pairwise distinct variables.
Semantics: translated to the instance, complying with the
ACID principles
¬a ∈ L delete variable a from db,
a ∈ L insert variable a into db.
Syntax:
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
6 / 38
Fakultät für Informatik
LS 6 (ISSI)
View Update Transactions
Ordinary View Update Processing
Client requests: vtr (hX1 , . . . , Xl i)
Server processes:
Compute outstanding updates
Inc∆ := {X ∈ L | eval(X )(db) = false}.
Compute modified instance
dbInc∆ := {x ∈ db | ¬x 6∈ Inc∆} ∪ (Inc∆ ∩ A).
deletions
insertions
Enforce integrity constraints
If dbInc∆ 6|= con, undo modifications and notify client about integrity
violation; else
Update view
view := neg(view , Inc∆) ∪ {X1 , . . . , Xl } ∪
refreshed
C. Tadros
requested
con
integrity preservation
Inference-proof View Update Transactions with Minimal Refusals
7 / 38
Fakultät für Informatik
LS 6 (ISSI)
View Update Transactions
View Refreshment
Refreshment in order to
adjust outdated information
(No Misinformation)
preserve information content of the view (No Loss of Information)
Refreshing view by neg(view , Inc∆) achieves these properties:
Each formula φ ∈ view is refreshed by neg(φ, Inc∆):
Replace each occurence of a modified variable x in φ by ¬x.
The refreshed formula is valid in the modified instance:
(?)
eval(neg(φ, Inc∆))(dbInc∆ ) = eval(φ)(db) = true
((?) Lemma Negation Equivalence)
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
8 / 38
Fakultät für Informatik
LS 6 (ISSI)
View Update Transactions
Example (Ordinary View-Update Processing)
Schema:
Instance:
A := {a, b, c}
db1 := {a, c}
View: view 1 := con ∪ {a ∨ b, c}
con := {¬c ⇒ a}
with CWA, i.e., db1 = {a, ¬b, c}
Client requests: vtr (h¬ci)
Server processes:
Outstanding updates:
Modify instance:
Enforce integrity :
Update view:
C. Tadros
Inc∆ = {¬c}
dbInc∆
= {a, ¬b, ¬c}
1
dbInc∆
|= con
1
view 2 = neg(view 1 , {¬c}) ∪ {¬c} ∪ con
= {¬¬c ⇒ a, a ∨ b, ¬c} ∪ con
≡ {¬c, a} (≡ logical equivalence)
Inference-proof View Update Transactions with Minimal Refusals
9 / 38
Confidentiality Requirements
1
View Update Transactions
2
Confidentiality Requirements
Confidentiality Policy
Enforcing Continuous Confidentiality
3
View Update Transaction Protocol
4
Availability Analysis
5
Conclusion
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
Fakultät für Informatik
LS 6 (ISSI)
10 / 38
Fakultät für Informatik
LS 6 (ISSI)
Confidentiality Requirements
Assumptions About the Client
Unlimited computing power.
Visible parts:
procedure of each interaction protocol P ,
all server components except for db,
the outputs REACT i , view i and S∆i of protocol P .
visible parts
S∆
server
psec
view
db
A
C. Tadros
con
θ
reads/
updates
θ
interaction
protocol
client C
REACT REACT
Inference-proof View Update Transactions with Minimal Refusals
11 / 38
Confidentiality Requirements
Fakultät für Informatik
LS 6 (ISSI)
Policy Declaration
Personalized confidentiality policy psec:
two disjoint sets psec(TCP ) and psec(CCP ) of propositional formulas,
declared by security administrator when creating the client’s account.
ψ ∈ psec(TCP ):
potential secret with temporary confidentiality requirement.
prohibits client to know that ψ is valid in the current instance.
may stand for, e.g., “Smith’s phone number is 1234”, “Smith’s bank
account number is xyz”.
ψ ∈ psec(CCP ):
potential secret with continuous confidentiality requirement.
prohibits client to know that ψ is valid in some preceding or
the current instance.
may stand for, e.g.: “Smith has cancer”.
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
12 / 38
Confidentiality Requirements
Fakultät für Informatik
LS 6 (ISSI)
Definition (Confidentiality Preservation by Protocol P )
Given a potential secret ψ ∈ psec = psec(TCP ) ] psec(CCP )
and admissible, initial components con, db0 and view 0 ,
after a finite sequence Q of query and view update requests,
1
the client cannot distinguish the actual current instance dbQ
from an alternative current instance dbSQ , i.e,
ν C (P (con, db0 , psec, view 0 , Q)) = ν C (P (con, dbS0 , psec, view 0 , Q)),
2
such that, if ψ requires temporary preservation,
then ψ is not valid in dbSQ ,
3
if ψ requires continuous preservation,
then ψ is not valid in dbSQ and all preceding instances.
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
13 / 38
Confidentiality Requirements
1
View Update Transactions
2
Confidentiality Requirements
Confidentiality Policy
Enforcing Continuous Confidentiality
3
View Update Transaction Protocol
4
Availability Analysis
5
Conclusion
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
Fakultät für Informatik
LS 6 (ISSI)
14 / 38
Fakultät für Informatik
LS 6 (ISSI)
Confidentiality Requirements
Inferences about Preceding Instances (1)
To reason about preceding instances the client must keep track of
effective updates.
Example (Effective Updates)
The client successfully requested hvtr (¬c), vtr (b, c)i:
effective updates ∆1 = {¬b, ¬s2 }
a
db1
¬b
c
delete c
a
¬b
¬c
insert b, c
db2
a
b
c
db3
effective updates ∆0 = {¬a, ¬s2 }
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
15 / 38
Fakultät für Informatik
LS 6 (ISSI)
Confidentiality Requirements
Inferences about Preceding Instances (1)
To reason about preceding instances the client must keep track of
effective updates.
Example (Effective Updates)
The client successfully requested hvtr (¬c), vtr (b, c)i:
effective updates ∆1 = {¬b, ¬s2 }
a
db1
¬b
c
delete c
a
¬b
¬c
insert b, c
db2
a
b
c
db3
effective updates ∆0 = {b}
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
15 / 38
Fakultät für Informatik
LS 6 (ISSI)
Confidentiality Requirements
Inferences about Preceding Instances (1)
To reason about preceding instances the client must keep track of
effective updates.
Example (Effective Updates)
The client successfully requested hvtr (¬c), vtr (b, c)i:
effective updates ∆1 = {b, c}
a
db1
¬b
c
delete c
a
¬b
¬c
insert b, c
db2
a
b
c
db3
effective updates ∆0 = {b}
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
15 / 38
Fakultät für Informatik
LS 6 (ISSI)
Confidentiality Requirements
Inferences about Preceding Instances (1)
To reason about preceding instances the client must keep track of
effective updates.
Example (Effective Updates)
The client successfully requested hvtr (¬c), vtr (b, c)i:
effective updates ∆1 = {b, c}
a
db1
¬b
c
delete c
a
¬b
¬c
insert b, c
db2
a
b
c
db3
effective updates ∆0 = {b}
Effective Updates: h{b}, {b, c}i.
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
15 / 38
Fakultät für Informatik
LS 6 (ISSI)
Confidentiality Requirements
Inferences about Preceding Instances (2)
After the successful view update vtr (h¬ci), the client reasons:
Is the potential secret a ∧ c (with CCP)
valid in the preceding instance db1 ?
a ∧ c is valid in db1 iff a ∧ ¬c is valid in db2 :
{¬c}
eval(a ∧ c)(db1 ) = eval(neg(a ∧ c, {¬c}))(db1
)
= eval(a ∧ ¬c)(db2 ) (Effective update ¬c & Lemma)
a ∧ ¬c is valid in db2 , because
c has been deleted and constraint ¬c ⇒ a is preserved:
view 2 ⊃ {¬c, ¬c ⇒ a} ` a ∧ ¬c (View & propositional entailment ` )
Consequently, a ∧ c is valid in db1 .
psec(CCP ) = {a ∧ c} is violated
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
16 / 38
Confidentiality Requirements
Fakultät für Informatik
LS 6 (ISSI)
Enforcing Continuous Confidentiality
After an interaction sequence
with j effective updates h∆0 , . . . , ∆j−1 i = S∆
for each potential secret ψ ∈ psec(CCP )
ψ is valid in the preceding instance after the i + 1-th modification iff
neg(ψ, ∆i ) is valid in the current instance db.
ψ is valid in some preceding instance iff
neg(ψ, ∆0 ) ∨ . . . ∨ neg(ψ, ∆j−1 ) is valid in the current instance db.
Consequently, an interaction protocol must enforce the invariant:
view 6` neg(ψ, ∆0 ) ∨ . . . ∨ neg(ψ, ∆j−1 ) ∨ ψ
= ccp(ψ, S∆).
Given the view and the effective updates, the client cannot reason that
ψ previously has held or currently holds.
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
17 / 38
View Update Transaction Protocol
Fakultät für Informatik
LS 6 (ISSI)
Inference-proof View-Update Transaction Protocol
Request: vtr (hX1 , . . . , Xl i)
1
Outstanding Updates: Inc∆ = {Xj | eval(Xj )(db) = false}
Submit the query requests que(X1 ), . . . , que(Xl ) to the protocol for
inference-proof query processing.
If one query request is refused, abort the transaction.
2
Truthful View - Confidentiality Conflict:
Check if updated view breaches confidentiality.
In case of a breach, abort the transaction.
3
Integrity - Confidentiality Conflict:
Check if notification of integrity violation conflicts confidentiality.
In case of a conflict, abort the transaction
else perform the integrity check.
4
Ordinary Processing:
In case of integrity preservation, modify the instance and update the
view.
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
18 / 38
View Update Transaction Protocol
We abbreviate con conj :=
V
Fakultät für Informatik
LS 6 (ISSI)
φ
φ∈con
Case 3 Integrity - Confidentiality Conflict
1: if view i−1 and Inc∆ disclose the result of integrity check then
2:
continue ordinary processing accordingly,
3: else if view i−1 ∪ neg(¬con conj, Inc∆) ` ccp(ψ, S∆i−1 )
for a ψ ∈ psec(CCP )
or
view i−1 ∪ neg(¬con conj, Inc∆) ` ψ
for a ψ ∈ psec(TCP ) then
4:
return REACT i :=integrity check conflicts confidentiality (exit)
5: else
6:
Check integrity
neg(¬con conj, Inc∆) integrity violated after update Inc∆
ccp(ψ, S∆i−1 )
given effective updates S∆i−1 , ψ has held or holds
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
19 / 38
View Update Transaction Protocol
Fakultät für Informatik
LS 6 (ISSI)
Theorem (Confidentiality Preservation)
The query evaluation protocol and the view-update transaction protocol
together preserve continuous and temporary confidentiality preservation.
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
20 / 38
Fakultät für Informatik
LS 6 (ISSI)
View Update Transaction Protocol
Example (Inference-proof View-Update Processing)
We review our running example with request vtr (h¬ci) but
policy psec(CCP ) := {¬a ∧ b} and psec(TCP ) := ∅.
case
2
3
inference checks
Truthful View - Confidentiality Conflict
neg(view 1 , Inc∆) ∪ con = view 2
≡ {¬c, a} 6` ¬a ∧ b ≡ ccp(¬a ∧ b, S∆)
Integrity - Confidentiality Conflict
passes until line 2
(result of integrity check not known to client);
view 1 ∪ neg(¬con conj, {¬c})
= {a ∨ b, c, ¬c ⇒ a} ∪ neg(¬c ∧ ¬a, {¬c})
≡ {c, ¬a, b} ` ¬a ∧ b ≡ ccp(¬a ∧ b, S∆)
computations
S∆ = h{¬c}i
Above inference checks independent from database instance,
so that request refused on any instance.
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
21 / 38
Availability Analysis
Fakultät für Informatik
LS 6 (ISSI)
Availability Analysis
Availability policy: last-minute intervention
intervene (i.e., refuse request) only if necessary for confidentiality,
depending on view ,
respecting the client’s immediate information needs.
Local optimality result:
there is no view-update protocol with certain properties, e.g.,
regarding the view maintenance (no misinformation, no loss of
information etc.),
database integrity and confidentiality preservation, etc.
that in a one-step view update transaction
exits with a successful update refused by our protocol, or
provides the client with more (required) information.
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
22 / 38
Conclusion
Fakultät für Informatik
LS 6 (ISSI)
Achievements:
protocols for processing query and view update request by a single
client to a complete propositional database instance,
inference-proofness of these protocols with temporary or continuous
confidentiality requirements,
availability analysis with a local optimal result under an availability
policy of last-minute intervention.
Related Work:
Inference-proof view updates admitting misinformation in the view:
[Biskup et al] dynamic view update and refreshment protocols with lying
cover stories in MLS databases, cf. [Gabillon]
Optimizing availability by preprocessing:
[Biskup, Wiese] inference-proof instance with minimal lies & personalized
availability policy
[Dawson et al] lowest classification of data in MLS databases
[Ciriani et al] minimal vertical fragmentation at schema level with visibility
constraints
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
23 / 38
Conclusion
Fakultät für Informatik
LS 6 (ISSI)
Future Work
Inference-proof refreshment protocol for multiple clients
Implementation in existing prototype for controlled interaction
execution
Other database models, e.g., relational or incomplete
Other temporal confidentiality requirements
Comparing availability between refusal and “lying” approaches
Non deterministic protocols
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
24 / 38
Conclusion
Fakultät für Informatik
LS 6 (ISSI)
Thank you for your attention!
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
25 / 38
Appendix
Fakultät für Informatik
LS 6 (ISSI)
Appendix
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
26 / 38
Appendix
Fakultät für Informatik
LS 6 (ISSI)
Negation Equivalence
Example (Refreshment)
View update transaction vtr (h¬a, bi) with view = {a ⇒ s2 } on db1
⇒
true
true
a
db 1
a
¬b
true
s2
s1
s2
No misinformation in view
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
27 / 38
Fakultät für Informatik
LS 6 (ISSI)
Appendix
Negation Equivalence
Example (Refreshment)
View update transaction vtr (h¬a, bi) with view = {a ⇒ s2 } on db1
true
a
db 1
a
¬b
true
s2
s1
s2
true
¬a
{¬a,b}
¬a
db 1
No misinformation in view
C. Tadros
⇒
true
⇒
true
b
true
s2
s1
s2
No misinformation, no loss of information
in refreshed view {¬a ⇒ s2 }
Inference-proof View Update Transactions with Minimal Refusals
27 / 38
Fakultät für Informatik
LS 6 (ISSI)
Appendix
Confidentiality Preservation
Sketch of Proof:
Both protocols ensure the invariants:
view 6` ccp(ψ, S∆)
view 6` ψ
for each ψ ∈ psec(CCP )
for each ψ ∈ psec(TCP )
Based on these invariants, alternative sequences of instances are
constructed that are indistinguishable and safe under the respective
requirement. C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
28 / 38
Fakultät für Informatik
LS 6 (ISSI)
Appendix
Availability policy: last-minute intervention
intervene (i.e., refuse request) only if necessary for confidentiality,
depending on view ,
respecting the client’s immediate information needs.
In the following: Availability analysis of an one-step view-update
transaction (Local Optimality).
Assumption: client queries que(X1 ), . . . , que(Xl ) before request
vtr (hX1 , . . . , Xl i) without a refusal so that
{¬X | X ∈ Inc∆} ∪ ({X1 , . . . , Xl } \ Inc∆) ⊆ view i−1 .
outstanding
C. Tadros
void updates
Inference-proof View Update Transactions with Minimal Refusals
29 / 38
Appendix
Fakultät für Informatik
LS 6 (ISSI)
Definition (Proper Truthful Deterministic Protocol P)
Deterministic, Atomicity and Integrity (ACID)
No Misinformation: dbi |= view i .
No Loss of Information:
Failed update:
view i ` view i−1
Successful update: view i ` neg(view i−1 , Inc∆).
Cooperativeness:
Failed update:
view i−1 ∪ neg(¬con conj, Inc∆) ` view i
Successful update: neg(view i−1 , Inc∆) ∪ con ` view i .
REACT :
truthful report about success/failure.
Soundness of Client View: If for db0i−1 admissible
the client observes different output given dbi−1 and db0i−1 , then
Failed update:
db0i−1 6|= view i
0 Inc∆
Successful update: dbi−1
6|= view i .
Confidentiality
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
30 / 38
Example (Soundness of Client View)
Reconsider the running example with another protocol P 0
db01
sensitive
Notification
db02
a
b
c
a
¬b
c
¬a
b
c
delete c
delete c
delete c
db1
models of view 2 = view 1
a
b
¬c
success
a
¬b
¬c
refuse
¬a
b
¬c
refuse
db2 integrity violation
con = {¬c ⇒ a}
Integrity conflicts policy psec(CCP ) = {¬a ∧ b}: refuse for db1 .
Additional refusal due client’s reasoning about processing of P 0
(meta-inference).
Client distinguishes db01 and db1 by the observed “refuse”.
Soundness of client view not ensured for db1 : db01 |= view 2 = view 1 .
Example (Cooperativeness)
Another protocol P 00 processes vtr (h¬ci)
db01
db02
a
b
c
a
¬b
c
¬a
b
c
db1
models of view 2 = {a xor b, c}
delete c
delete c
delete c
models of view 02 = {a, b, ¬c}
a
b
¬c
success
a
¬b
¬c
refuse
¬a
b
¬c
refuse
db2 integrity violation
con = {¬c ⇒ a}
Sound of client view is ensured by view 2 and view 02
Cooperativeness is ensured for db1 :
view 1 ∪ neg(¬con conj, {¬c}) ≡ {a ∨ b, c} ∪ {c ∧ ¬a} ` view 2
Cooperativeness is not ensured for db01 :
neg(view 1 , {¬c}) ∪ {¬c} ∪ con ≡ {a ∨ b, ¬c} ∪ {¬c ⇒ a} 6` b ∈ view 02
Appendix
Fakultät für Informatik
LS 6 (ISSI)
Definition (Local Optimality)
A proper truthful protocol P is said to be locally optimal, if for each
proper truthful protocol P̃ on every input such that
the input is admissible
its processing not necessarily ends up in an insecure state
it holds that
(Least Failed Updates) P̃ performs strictly less updates than P ,
or
(Most Informative) P̃ performs the same updates as P , but offers at
most the information provided by P (i.e., view Pi ` view P̃i ).
Theorem (Local Optimality)
The proposed view-update transaction protocol is locally optimal.
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
33 / 38
Appendix
Fakultät für Informatik
LS 6 (ISSI)
Local Optimality
Sketch of Proof:
We must show:
The proposed protocol (Protocol 2) is proper truthful deterministic
protocol.
For any admissible input, any proper truthful deterministic protocol
P:
has more failed updates than Protocol 2 or
is at most as informative as Protocol 2.
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
34 / 38
Fakultät für Informatik
LS 6 (ISSI)
Appendix
We outline the proof for the situation of a potential conflict between
integrity and confidentiality, i.e.,
Integrity violation possible:
neg(view i−1 , Inc∆) 6` con
Notification of integrity violation discloses secret:
view i−1 ∪ neg(¬con conj, Inc∆) ` ccp(ψ, S∆i−1 )
for a ψ ∈ psec(CCP )
view i−1 ∪ neg(¬con conj, Inc∆) ` ψ
for a ψ ∈ psec(TCP )
or
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
35 / 38
Appendix
Fakultät für Informatik
LS 6 (ISSI)
P : proper truthful deterministic view-update transaction protocol.
The client may simulate P on each admissible db0i−1 , i.e.,
db0i−1 |= view i−1 .
In simulating, the client may distinguish three sets of admissible
instances:
Refusal due to immediate integrity-confidentiality conflict:
failing integrity check
DB1 = {db0i−1 | db0i−1 |= view i−1 ∪ neg(¬con conj, Inc∆)}
Additional refusal:
passing integrity check, but not updated
DB2 = {db0i−1 | db0i−1 |= view i−1 ∪ neg(con, Inc∆) and
P (con, db0i−1 , . . .) = (., db0i−1 , . . .)}
No refusal:
passing integrity check and updated
DB3 = {db0i−1 | db0i−1 |= view i−1 ∪ neg(con, Inc∆) and
0 Inc∆
P (con, db0i−1 , . . .) = (., dbi−1
, . . .)}
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
36 / 38
Fakultät für Informatik
LS 6 (ISSI)
Appendix
We can prove the following:
(Integrity Violation Possible)
(Additional Refusal Needed)
(Always Refused)
DB1 6= ∅.
DB2 6= ∅.
DB3 = ∅.
From the last point we can conclude that P does not perform an update
(like Protocol 2 in the studied situation).
C. Tadros
Inference-proof View Update Transactions with Minimal Refusals
37 / 38
Sketched Proof of DB3 = ∅ by Contradiction
Input Instance
Modified Instance
modify Inc∆
refuse
DB1
...
integrity violation
DB2
DB3
db0i−1
modify Inc∆
Notification
exists (DB2 6= ∅)
0
Inc∆
dbi−1
refuse
...
dbi−1
compatible with view i−1
Overall situation
modify Inc∆
dbInc∆
i−1
success
...
compatible with view P
i
(No Loss of Information)
(Soundness of Client View)
compatible with
neg(view i−1 , Inc∆) ∪ con
(Lemma Negation Equivalence)
Sketched Proof of DB3 = ∅ by Contradiction
Input Instance
Modified Instance
modify Inc∆
refuse
DB1
...
integrity violation
DB2
DB3
db0i−1
modify Inc∆
Notification
exists (DB2 6= ∅)
0
Inc∆
dbi−1
refuse
...
dbi−1
compatible with view i−1
modify Inc∆
dbInc∆
i−1
success
...
compatible with view P
i
(No Loss of Information)
(Soundness of Client View)
compatible with
neg(view i−1 , Inc∆) ∪ con
(Lemma Negation Equivalence)
Assume current instance dbi−1 ∈ DB3 (No refusal)
Sketched Proof of DB3 = ∅ by Contradiction
Input Instance
Modified Instance
modify Inc∆
refuse
DB1
...
integrity violation
DB2
DB3
db0i−1
modify Inc∆
Notification
exists (DB2 6= ∅)
0
Inc∆
dbi−1
refuse
...
dbi−1
compatible with view i−1
modify Inc∆
dbInc∆
i−1
success
...
compatible with view P
i
(No Loss of Information)
(Soundness of Client View)
compatible with
neg(view i−1 , Inc∆) ∪ con
(Lemma Negation Equivalence)
Sketched Proof of DB3 = ∅ by Contradiction
Input Instance
Modified Instance
modify Inc∆
refuse
DB1
...
integrity violation
DB2
DB3
db0i−1
modify Inc∆
Notification
exists (DB2 6= ∅)
0
Inc∆
dbi−1
refuse
...
dbi−1
compatible with view i−1
modify Inc∆
dbInc∆
i−1
success
...
compatible with view P
i
(No Loss of Information)
(Soundness of Client View)
compatible with
neg(view i−1 , Inc∆) ∪ con
(Lemma Negation Equivalence)
Sketched Proof of DB3 = ∅ by Contradiction
Input Instance
Modified Instance
modify Inc∆
refuse
DB1
...
integrity violation
DB2
DB3
db0i−1
modify Inc∆
Notification
exists (DB2 6= ∅)
0
Inc∆
dbi−1
refuse
...
dbi−1
modify Inc∆
compatible with view i−1
No Loss of Information
Soundness of Client View
dbInc∆
i−1
success
...
compatible with view P
i
(No Loss of Information)
(Soundness of Client View)
compatible with
neg(view i−1 , Inc∆) ∪ con
(Lemma Negation Equivalence)
make
valid
Models
of
view Pi
neg(view i−1 , Inc∆) ∪ con
Client cannot distinguish model of view Pi
from dbi by observed success.
Sketched Proof of DB3 = ∅ by Contradiction
Input Instance
Modified Instance
modify Inc∆
refuse
DB1
...
integrity violation
DB2
DB3
db0i−1
modify Inc∆
Notification
exists (DB2 6= ∅)
0
Inc∆
dbi−1
refuse
...
dbi−1
compatible with view i−1
modify Inc∆
dbInc∆
i−1
success
...
compatible with view P
i
(No Loss of Information)
(Soundness of Client View)
compatible with
neg(view i−1 , Inc∆) ∪ con
(Lemma Negation Equivalence)
Hence, neg(view i−1 , Inc∆) ∪ con 6` view Pi (contradicts Cooperativeness)
0 Inc∆
with dbi−1
as witness of non-implication
Related documents