Recently, application-level isolation was introduced as an effective means of containing the damage that a suspicious user could inflict on data. In most cases, only a subset of the data items needs to be protected from damage due to the criticality level or integrity requirements of the data items. In such a case, complete isolation of a suspicious user can consume more resources than necessary. This paper proposes partitioning the data items into categories based on their criticality levels and integrity requirements; these categories determine the allowable data flows between trustworthy and suspicious users. An algorithm, that achieves good performance when the number of data items is small, is also provided to detect inconsistencies between suspicious versions of the data and the main version.
Amgad Fayad, Sushil Jajodia, Catherine D. McCollum