The first
[consensus](https://en.wikipedia.org/wiki/Consensus_(computer_science))
algorithm with
[heterogeneous failures](http://plan9.bell-labs.co/who/garay/continuum.ps),
heterogeneous participants, and heterogeneous observers.
When not all data has the same
[security properties](https://en.wikipedia.org/wiki/Information_flow_(information_theory)),
distributed
[ACID](https://en.wikipedia.org/wiki/ACID_(computer_science))
transaction scheduling has surprising security consequences.
When not all data has the same
[security properties](https://en.wikipedia.org/wiki/Information_flow_(information_theory)),
distributed
[ACID](https://en.wikipedia.org/wiki/ACID_(computer_science))
transaction scheduling has surprising security consequences.
We present a successfully implemented attack on traditional atomic
commit methods across trust domains.
An earlier, work-in-progress version of our
[CCS Talk](https://IsaacSheff.com/talk/safe-serializable-secure-scheduling).
We use the
[Decentralized Label Model](http://www.cs.cornell.edu/andru/papers/iflow-tosem.pdf)
to show how distributed algorithms, like
[Bosco](https://www.cs.cornell.edu/projects/Quicksilver/public_pdfs/52180438.pdf)
and
[Nysiad](https://www.usenix.org/legacy/events/nsdi08/tech/full_papers/ho/ho.pdf),
can be generalized from more complex trust environments.