1 TOPIC: CLARK-WILSON MODEL
Ravi Sandhu

2 CLARK-WILSON MODEL: Elements of the model
Users: active agents.
TPs (Transformation Procedures): programmed abstract operations, e.g., debit, credit.
CDIs (Constrained Data Items): can be manipulated only by TPs.
UDIs (Unconstrained Data Items): can be manipulated by users directly via primitive read and write operations.
IVPs (Integrity Verification Procedures): run periodically to check the consistency of CDIs with external reality.
3 CLARK-WILSON MODEL
[Diagram: users invoke TPs, which operate on CDIs; users read and write UDIs directly; IVPs check the internal and external consistency of the CDIs.]
4 CLARK-WILSON RULES (summary)
C1: IVPs validate CDI state.
C2: TPs preserve valid state.
C3: Suitable (static) separation of duties.
C4: TPs write to a log.
C5: TPs validate UDIs.
E1: CDIs are changed only by authorized TPs.
E2: Users are authorized to a TP and to the CDIs it operates on.
E3: Users are authenticated.
E4: Authorizations are changed only by the security officer.
5 CERTIFICATION RULES
C1: IVPs are certified to be correct, i.e., they ensure that all CDIs are in a valid state.
C2: All TPs are certified to be correct, i.e., they preserve the validity and correctness of CDIs. Each TP is certified to execute on particular sets of CDIs.
C3: The relations in E2 are certified to meet separation-of-duties requirements.
C4: All TPs must be certified to write to an append-only CDI (the log) all information necessary to permit reconstruction of the operation.
C5: Every TP that takes a UDI as input must be certified to produce a valid CDI, or no CDI at all, for all possible values of the UDI.
6 ENFORCEMENT RULES
E1: The system maintains (and enforces) a list of all CDIs for which each TP is certified. Each TP is only allowed to operate on CDIs for which it is certified.
E2: The system maintains (and enforces) a list of relations of the form (UserID, TPi, (CDIa, CDIb, CDIc, ...)) relating a user, a TP, and the data objects that TP may reference on behalf of that user.
E3: All users are authenticated by the system.
E4: Only the agent permitted to certify entities may change the lists in E1 and E2. An agent that can certify a TP cannot have execute rights for that TP.
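The certification rules (slide 5) and enforcement rules (slide 6) map onto a small reference monitor. The Python below is an added illustration, not code from the slides or from Clark and Wilson's paper; the ledger, the users ('alice', 'bob'), the security officer ('carol'), their secrets and the TP/CDI names are all constructed for the example. CDIs are account balances plus a ledger total; UDIs are amounts typed by users as raw strings; each TP receives the CDI store, the ordered CDIs it was invoked on and one UDI; the IVP checks internal consistency (balances sum to the total; external consistency against the real bank cannot be shown offline). The enforcement rules E1 to E4 become ordinary access-control checks in the monitor, while the certification rules (that tp_deposit really preserves the invariant, that the triples satisfy separation of duties) remain judgements the officer makes outside the code, which is the point of slide 8.

```python
import hmac

class IntegrityViolation(Exception):
    """Raised when a certification or enforcement rule would be broken."""

def parse_amount(udi):
    """C5: accept an untrusted UDI only if it is a positive integer amount."""
    if not (isinstance(udi, str) and udi.isdigit() and int(udi) > 0):
        raise IntegrityViolation(f"C5: UDI {udi!r} is not a positive integer amount")
    return int(udi)

# TPs take the CDI store, the ordered CDIs they were invoked on, and one UDI; each keeps the IVP true (C2).
def tp_deposit(cdis, targets, amount_udi):
    account, total = targets
    cents = parse_amount(amount_udi)
    cdis[account] += cents
    cdis[total] += cents

def tp_transfer(cdis, targets, amount_udi):
    src, dst = targets
    cents = parse_amount(amount_udi)
    cdis[src] -= cents
    cdis[dst] += cents

def ivp_ledger(cdis):
    """C1: internal consistency check, run periodically outside any TP."""
    return sum(v for k, v in cdis.items() if k.startswith("acct:")) == cdis["ledger_total"]

class Monitor:
    def __init__(self, officer, credentials):
        self.officer = officer          # the only agent allowed to certify (E4)
        self.credentials = credentials  # user -> secret, constructed for the example (E3)
        self.cdis = {}
        self.certified = {}             # tp name -> (callable, frozenset of CDIs)  (E1)
        self.triples = set()            # (user, tp name, frozenset of CDIs)        (E2)
        self.sessions = set()
        self.log = []                   # append-only; TPs never read or rewrite it (C4)

    def login(self, user, secret):
        if not hmac.compare_digest(self.credentials.get(user, ""), secret):
            raise IntegrityViolation(f"E3: authentication failed for {user!r}")
        self.sessions.add(user)

    def certify_tp(self, actor, name, func, cdis):
        if actor != self.officer:
            raise IntegrityViolation("E4: only the security officer may certify a TP")
        self.certified[name] = (func, frozenset(cdis))

    def authorize(self, actor, user, tp, cdis):
        if actor != self.officer or user == self.officer:
            raise IntegrityViolation("E4: only the officer grants triples, and never to itself")
        self.triples.add((user, tp, frozenset(cdis)))

    def run(self, user, tp, targets, udi):
        if user not in self.sessions:
            raise IntegrityViolation(f"E3: {user!r} is not authenticated")
        if (user, tp, frozenset(targets)) not in self.triples:
            raise IntegrityViolation(f"E2: no access triple for {user!r}, {tp!r}, {sorted(targets)}")
        func, allowed = self.certified.get(tp, (None, frozenset()))
        if not frozenset(targets) <= allowed:   # a triple alone is not enough: E1 is checked independently
            raise IntegrityViolation(f"E1: TP {tp!r} is not certified for {sorted(targets)}")
        before = {t: self.cdis[t] for t in targets}
        try:
            func(self.cdis, targets, udi)
            outcome = "ok"
        except IntegrityViolation as e:
            self.cdis.update(before)    # a rejected UDI yields "no CDI", never a half-written one (C5)
            outcome = f"rejected: {e}"
        self.log.append((user, tp, tuple(targets), udi, before, {t: self.cdis[t] for t in targets}, outcome))
        return outcome

def denied(thunk):
    try:
        thunk()
    except IntegrityViolation as e:
        return str(e).split(":")[0]     # the rule the monitor cited, e.g. "E2"
    return "allowed"

def demo():
    """Constructed scenario: officer 'carol' certifies and authorizes; 'alice' transacts."""
    m = Monitor("carol", {"alice": "s3cret", "bob": "hunter2", "carol": "admin"})
    m.cdis.update({"acct:alice": 0, "acct:bob": 0, "ledger_total": 0})   # initial IVP-valid state
    m.certify_tp("carol", "deposit", tp_deposit, {"acct:alice", "acct:bob", "ledger_total"})
    m.certify_tp("carol", "transfer", tp_transfer, {"acct:alice", "acct:bob"})
    m.authorize("carol", "alice", "deposit", {"acct:alice", "ledger_total"})
    m.authorize("carol", "alice", "transfer", {"acct:alice", "acct:bob"})
    m.authorize("carol", "alice", "transfer", {"acct:alice", "ledger_total"})   # mistaken grant; E1 still blocks it
    m.login("alice", "s3cret")
    results = [
        m.run("alice", "deposit", ("acct:alice", "ledger_total"), "500"),
        m.run("alice", "transfer", ("acct:alice", "acct:bob"), "200"),
        m.run("alice", "transfer", ("acct:alice", "acct:bob"), "lots"),   # malformed UDI, refused under C5
    ]
    denials = {
        "unauthenticated": denied(lambda: m.run("bob", "transfer", ("acct:bob", "acct:alice"), "1")),
        "no_triple": denied(lambda: m.run("alice", "deposit", ("acct:bob", "ledger_total"), "1")),
        "uncertified_cdi": denied(lambda: m.run("alice", "transfer", ("acct:alice", "ledger_total"), "1")),
        "officer_executes": denied(lambda: m.authorize("carol", "carol", "transfer", {"acct:alice", "acct:bob"})),
    }
    return m, results, denials
```

Running demo() leaves the ledger at alice 300, bob 200, total 500 with ivp_ledger() true, three log records (including the refused "lots" attempt with its before/after state, as C4 requires), and one denial per enforcement rule. Note what the code cannot do: nothing in Monitor checks that tp_deposit really keeps the IVP invariant, or that the set of triples separates duties; those are C2 and C3, certification judgements that the officer makes before calling certify_tp and authorize.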
7 CLARK-WILSON ASSESSMENT
Too static.
Too centralized: the security officer is God, and nobody else can change any authorization.
Has had a beneficial effect in convincing the mainstream security community that there is more to integrity than Biba.
8 RELATIONSHIP OF ACCESS CONTROL MODELS TO CLARK-WILSON
Enforcement rules: easily expressed in an access control model.
Certification rules: outside the scope of access control.
9 REFERENCES
Clark, D.D. and Wilson, D.R. "A Comparison of Commercial and Military Computer Security Policies." Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 1987, pages
The original Clark-Wilson paper. Clark and Wilson have subsequently stated that the commercial-versus-military dichotomy in the title was a mistake; the real issue is integrity versus confidentiality.
Lee, T.M.P. "Using Mandatory Integrity to Enforce 'Commercial' Security." Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 1988, pages
Shockley, W.R. "Implementing the Clark/Wilson Integrity Policy Using Current Technology." Proc. 11th NBS-NCSC National Computer Security Conference, 1988.
Two independent attempts to implement Clark-Wilson using a Biba lattice. Because of the Biba-BLP equivalence, the same constructions can be done in a BLP lattice.
Sandhu, R.S. "Transaction Control Expressions for Separation of Duties." Proc. Aerospace Computer Security Applications Conference, 1988.
Goes beyond Clark-Wilson to support dynamic separation of duties.