Kang, M. H., J. N. Froscher, J. McDermott, O. Costich, and R. Peyton
  "Achieving Database Security through Data Replication: The SINTRA
  Prototype," Proc. 17th National Computer Security
  Conference, Baltimore, MD, Sept, 1994, pp. 77-87. 
<a href="1994kang-ncsc.ps">
 PostScript</a>

<blockquote>
There are several proposed approaches for multilevel secure (MLS)
database systems which protect classified information.  The
SINTRA (Secure INformation Through Replicated Architecture)
database system, which is currently being prototyped at the Naval
Research Laboratory, is a multilevel trusted database system based on a
replicated data approach. This approach uses physical separation of
classified data as a protection measure. Each database contains data at
a given security level and replicas of all data at lower security
levels. Project goals include good performance and full database
capability.  For practical reasons (e.g., ease of evaluation, portability) the
SINTRA database system uses as many readily-available commercial
components as possible. In this paper, security constraints and the
rationale for the SINTRA prototype are described.  We also present the
structure and function of each component of the SINTRA prototype: the
global scheduler, the query preprocessor, and the user interface. A
brief description of the SINTRA recovery mechanism is also presented.
</blockquote>