CLARK-WILSON MODEL - PowerPoint PPT Presentation

About This Presentation
Title:

CLARK-WILSON MODEL

Description:

TOPIC CLARK-WILSON MODEL Ravi Sandhu CLARK-WILSON MODEL Elements of the model Users Active agents TPs Transformation Procedures: programmed abstract operations, e.g ... – PowerPoint PPT presentation

Number of Views:234
Avg rating:3.0/5.0
Slides: 10
Provided by: gmu81
Category:

less

Transcript and Presenter's Notes

Title: CLARK-WILSON MODEL


1
TOPIC
CLARK-WILSON MODEL Ravi Sandhu
2
CLARK-WILSON MODEL
  • Elements of the model
  • Users Active agents
  • TPs Transformation Procedures programmed
    abstract operations, e.g., debit, credit.
  • CDIs Constrained Data Items can be manipulated
    only by TPs
  • UDIs Unconstrained Data Items can be manipulated
    by users via primitive read and write operations
  • IVPs Integrity Verification Procedures run
    periodically to check consistency of CDIs with
    external reality

3
CLARK-WILSON MODEL
Internal and external consistency of CDIs
USERS
TPs
IVPs
CDIs
UDIs
4
CLARK-WILSON RULES
  • C1 IVPs validate CDI state
  • C2 TPs preserve valid state
  • C3 Suitable (static) separation of duties
  • C4 TPs write to log
  • C5 TPs validate UDIs
  • E1 CDIs changed only by authorized TP
  • E2 Users authorized to TP and CDI
  • E3 Users are authenticated
  • E4 Authorizations changed only by security officer

5
CERTIFICATION RULES
  • C1 IVPs are certified to be correct, i.e., they
    ensure that all CDIs are in a valid state
  • C2 All TPs are certified to be correct, i.e.,
    they preserve the validity and correctness of
    CDIs. Each TP is certified to execute on
    particular sets of CDIs.
  • C3 The relations in E2 are certified to meet
    separation of duties requirements
  • C4 All TPs must be certified to write to an
    append only CDI (the log) all information
    necessary to permit reconstruction of the
    operation
  • C5 Every TP that takes a UDI as input must be
    certified to produce a valid CDI or no CDI for
    all possible values of the UDI

6
ENFORCEMENT RULES
  • E1 The system maintains (and enforces) a list of
    all CDIs for which each TP is certified. Each TP
    is only allowed to operate on CDIs for which it
    is certified
  • E2 The system maintains (and enforces) a list of
    relations of the form (UserID, TPi, (CDIa, CDIb,
    CDIc, ....)) relating a user, a TP, and the data
    objects that TP may reference on behalf of that
    user.
  • E3 All users are authenticated by the system
  • E4 Only the agent permitted to certify entities
    may change the lists in E1 and E2. An agent that
    can certify a TP cannot have execute rights for
    that TP.

7
CLARK-WILSON ASSESSMENT
  • Too static
  • Too centralized security-officer is God and
    nobody else can change any authorization
  • Has had a beneficial effect in convincing the
    mainstream security community that there is more
    to integrity than Biba

8
RELATIONSHIP OF ACCESS CONTROLMODELS TO
CLARK-WILSON
  • Enforcement Rules
  • Easily expressed
  • Certification Rules
  • Outside the scope of access control

9
REFERENCES
  • Clark, D.D. and Wilson, D.R. "A Comparison of
    Commercial and Military Computer Security
    Policies." Proc. IEEE Symposium on Security and
    Privacy, Oakland, CA, 1987, pages 184-194.
  • The original Clark-Wilson paper. Subsequently
    Clark and Wilson have stated that the
    Commercial-Military dichotomy in the title was a
    mistake. The real issue is integrity versus
    confidentiality.
  • Lee, T.M.P. "Using Mandatory Integrity to
    Enforce "Commercial" Security." Proc. IEEE
    Symposium on Security and Privacy, Oakland, CA,
    1988, pages 140-146.
  • Schockley, W.R. "Implementing the Clark/Wilson
    Integrity Policy Using Current Technology."
    Proc. 11th NBS-NCSC National Computer Security
    Conference, 29-37 (1988).
  • Two independent attempts to implement
    Clark-Wilson using a Biba lattice. Due to
    Biba-BLP equivalence the same constructions can
    be done in a BLP lattice.
  • Sandhu, R.S. "Transaction Control Expressions
    for Separation of Duties." Proc. Aerospace
    Computer Security Applications Conference,
    282-286 (1988).
  • Going beyond Clark-Wilson to do dynamic
    separation of duties.
Write a Comment
User Comments (0)
About PowerShow.com