Data Base Management Systems (DBMSs) today are usually built as subsystems on top of an Operating System (OS). This design approach can lead to problems of reliability and efficient performance as well as forcing a duplication of functions between the DBMS and OS. A new design approach is proposed which removes much of this duplication by defining independent subsystems used by both the DBMS and OS. Specifically, an I/O and file support subsystem and a security subsystem are defined. Both subsystems make use of a logical information model which models the stored information in secondary storage. The new data base operating system organization and the logical information model are presented in detail. Design of the security subsystem is stressed throughout. The security subsystem is based on the access control model, and is extended with conditional predicates (Boolean expressions) to produce an access control model with content-dependent security policies. The access matrix is implemented using a combination of access lists and capabilities. A capability is created when an object is first referenced, and can be used for subsequent accesses. In addition, the security subsystem contains: (1) an authorization model, (2) a multiprocessing ability, (3) concurrency control, and (4) a mechanism to temporarily amplify the rights of a capability. A formal specification and proof of correctness of the security subsystem is also presented.
