CLARK-WILSON MODEL

1
TOPIC
CLARK-WILSON MODEL Ravi Sandhu
2
CLARK-WILSON MODEL

• Elements of the model
• Users Active agents
• TPs Transformation Procedures programmed
  abstract operations, e.g., debit, credit.
• CDIs Constrained Data Items can be manipulated
  only by TPs
• UDIs Unconstrained Data Items can be manipulated
  by users via primitive read and write operations
• IVPs Integrity Verification Procedures run
  periodically to check consistency of CDIs with
  external reality

3
CLARK-WILSON MODEL
Internal and external consistency of CDIs
USERS
TPs
IVPs
CDIs
UDIs
4
CLARK-WILSON RULES

• C1 IVPs validate CDI state
• C2 TPs preserve valid state
• C3 Suitable (static) separation of duties
• C4 TPs write to log
• C5 TPs validate UDIs
• E1 CDIs changed only by authorized TP
• E2 Users authorized to TP and CDI
• E3 Users are authenticated
• E4 Authorizations changed only by security officer

5
CERTIFICATION RULES

• C1 IVPs are certified to be correct, i.e., they
  ensure that all CDIs are in a valid state
• C2 All TPs are certified to be correct, i.e.,
  they preserve the validity and correctness of
  CDIs. Each TP is certified to execute on
  particular sets of CDIs.
• C3 The relations in E2 are certified to meet
  separation of duties requirements
• C4 All TPs must be certified to write to an
  append only CDI (the log) all information
  necessary to permit reconstruction of the
  operation
• C5 Every TP that takes a UDI as input must be
  certified to produce a valid CDI or no CDI for
  all possible values of the UDI

6
ENFORCEMENT RULES

• E1 The system maintains (and enforces) a list of
  all CDIs for which each TP is certified. Each TP
  is only allowed to operate on CDIs for which it
  is certified
• E2 The system maintains (and enforces) a list of
  relations of the form (UserID, TPi, (CDIa, CDIb,
  CDIc, ....)) relating a user, a TP, and the data
  objects that TP may reference on behalf of that
  user.
• E3 All users are authenticated by the system
• E4 Only the agent permitted to certify entities
  may change the lists in E1 and E2. An agent that
  can certify a TP cannot have execute rights for
  that TP.

7
CLARK-WILSON ASSESSMENT

• Too static
• Too centralized security-officer is God and
  nobody else can change any authorization
• Has had a beneficial effect in convincing the
  mainstream security community that there is more
  to integrity than Biba

8
RELATIONSHIP OF ACCESS CONTROLMODELS TO
CLARK-WILSON

• Enforcement Rules
• Easily expressed
• Certification Rules
• Outside the scope of access control

9
REFERENCES

• Clark, D.D. and Wilson, D.R. "A Comparison of
  Commercial and Military Computer Security
  Policies." Proc. IEEE Symposium on Security and
  Privacy, Oakland, CA, 1987, pages 184-194.
• The original Clark-Wilson paper. Subsequently
  Clark and Wilson have stated that the
  Commercial-Military dichotomy in the title was a
  mistake. The real issue is integrity versus
  confidentiality.
• Lee, T.M.P. "Using Mandatory Integrity to
  Enforce "Commercial" Security." Proc. IEEE
  Symposium on Security and Privacy, Oakland, CA,
  1988, pages 140-146.
• Schockley, W.R. "Implementing the Clark/Wilson
  Integrity Policy Using Current Technology."
  Proc. 11th NBS-NCSC National Computer Security
  Conference, 29-37 (1988).
• Two independent attempts to implement
  Clark-Wilson using a Biba lattice. Due to
  Biba-BLP equivalence the same constructions can
  be done in a BLP lattice.
• Sandhu, R.S. "Transaction Control Expressions
  for Separation of Duties." Proc. Aerospace
  Computer Security Applications Conference,
  282-286 (1988).
• Going beyond Clark-Wilson to do dynamic
  separation of duties.