2 CLARK-WILSON MODEL Elements of the model Users Active agents TPs Transformation Procedures: programmed abstract operations, e.g., debit, credit.CDIs Constrained Data Items: can be manipulated only by TPsUDIs Unconstrained Data Items: can be manipulated by users via primitive read and write operationsIVPs Integrity Verification Procedures: run periodically to check consistency of CDIs with external reality
3 CLARK-WILSON MODEL Internal and external consistency of CDIs USERS IVPsTPsCDIsUDIs
4 CLARK-WILSON RULES C1 IVPs validate CDI state C2 TPs preserve valid stateC3 Suitable (static) separation of dutiesC4 TPs write to logC5 TPs validate UDIsE1 CDIs changed only by authorized TPE2 Users authorized to TP and CDIE3 Users are authenticatedE4 Authorizations changed only by security officer
5 CERTIFICATION RULESC1 IVPs are certified to be correct, i.e., they ensure that all CDIs are in a valid stateC2 All TPs are certified to be correct, i.e., they preserve the validity and correctness of CDIs. Each TP is certified to execute on particular sets of CDIs.C3 The relations in E2 are certified to meet separation of duties requirementsC4 All TPs must be certified to write to an append only CDI (the log) all information necessary to permit reconstruction of the operationC5 Every TP that takes a UDI as input must be certified to produce a valid CDI or no CDI for all possible values of the UDI
6 ENFORCEMENT RULESE1 The system maintains (and enforces) a list of all CDIs for which each TP is certified. Each TP is only allowed to operate on CDIs for which it is certifiedE2 The system maintains (and enforces) a list of relations of the form: (UserID, TPi, (CDIa, CDIb, CDIc, ....)) relating a user, a TP, and the data objects that TP may reference on behalf of that user.E3 All users are authenticated by the systemE4 Only the agent permitted to certify entities may change the lists in E1 and E2. An agent that can certify a TP cannot have execute rights for that TP.
7 CLARK-WILSON ASSESSMENT Too staticToo centralized: security-officer is God and nobody else can change any authorizationHas had a beneficial effect in convincing the mainstream security community that there is more to integrity than Biba
8 RELATIONSHIP OF ACCESS CONTROL MODELS TO CLARK-WILSON Enforcement RulesEasily expressedCertification RulesOutside the scope of access control
9 REFERENCESClark, D.D. and Wilson, D.R. "A Comparison of Commercial and Military Computer Security Policies." Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 1987, pagesThe original Clark-Wilson paper. Subsequently Clark and Wilson have stated that the Commercial-Military dichotomy in the title was a mistake. The real issue is integrity versus confidentiality.Lee, T.M.P. "Using Mandatory Integrity to Enforce "Commercial" Security." Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 1988, pagesSchockley, W.R. "Implementing the Clark/Wilson Integrity Policy Using Current Technology." Proc. 11th NBS-NCSC National Computer Security Conference, (1988).Two independent attempts to implement Clark-Wilson using a Biba lattice. Due to Biba-BLP equivalence the same constructions can be done in a BLP lattice.Sandhu, R.S. "Transaction Control Expressions for Separation of Duties." Proc. Aerospace Computer Security Applications Conference, (1988).Going beyond Clark-Wilson to do dynamic separation of duties.