topic n.
Skip this Video
Loading SlideShow in 5 Seconds..
TOPIC PowerPoint Presentation


200 Views Download Presentation
Download Presentation


- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript


  2. Elements of the model Users Active agents TPs Transformation Procedures: programmed abstract operations, e.g., debit, credit. CDIs Constrained Data Items: can be manipulated only by TPs UDIs Unconstrained Data Items: can be manipulated by users via primitive read and write operations IVPs Integrity Verification Procedures: run periodically to check consistency of CDIs with external reality CLARK-WILSON MODEL

  3. CLARK-WILSON MODEL Internal and external consistency of CDIs USERS IVPs TPs CDIs UDIs

  4. C1 IVPs validate CDI state C2 TPs preserve valid state C3 Suitable (static) separation of duties C4 TPs write to log C5 TPs validate UDIs E1 CDIs changed only by authorized TP E2 Users authorized to TP and CDI E3 Users are authenticated E4 Authorizations changed only by security officer CLARK-WILSON RULES

  5. C1 IVPs are certified to be correct, i.e., they ensure that all CDIs are in a valid state C2 All TPs are certified to be correct, i.e., they preserve the validity and correctness of CDIs. Each TP is certified to execute on particular sets of CDIs. C3 The relations in E2 are certified to meet separation of duties requirements C4 All TPs must be certified to write to an append only CDI (the log) all information necessary to permit reconstruction of the operation C5 Every TP that takes a UDI as input must be certified to produce a valid CDI or no CDI for all possible values of the UDI CERTIFICATION RULES

  6. E1 The system maintains (and enforces) a list of all CDIs for which each TP is certified. Each TP is only allowed to operate on CDIs for which it is certified E2 The system maintains (and enforces) a list of relations of the form: (UserID, TPi, (CDIa, CDIb, CDIc, ....)) relating a user, a TP, and the data objects that TP may reference on behalf of that user. E3 All users are authenticated by the system E4 Only the agent permitted to certify entities may change the lists in E1 and E2. An agent that can certify a TP cannot have execute rights for that TP. ENFORCEMENT RULES

  7. Too static Too centralized: security-officer is God and nobody else can change any authorization Has had a beneficial effect in convincing the mainstream security community that there is more to integrity than Biba CLARK-WILSON ASSESSMENT

  8. Enforcement Rules Easily expressed Certification Rules Outside the scope of access control RELATIONSHIP OF ACCESS CONTROLMODELS TO CLARK-WILSON

  9. Clark, D.D. and Wilson, D.R. "A Comparison of Commercial and Military Computer Security Policies." Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 1987, pages 184-194. The original Clark-Wilson paper. Subsequently Clark and Wilson have stated that the Commercial-Military dichotomy in the title was a mistake. The real issue is integrity versus confidentiality. Lee, T.M.P. "Using Mandatory Integrity to Enforce "Commercial" Security." Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 1988, pages 140-146. Schockley, W.R. "Implementing the Clark/Wilson Integrity Policy Using Current Technology." Proc. 11th NBS-NCSC National Computer Security Conference, 29-37 (1988). Two independent attempts to implement Clark-Wilson using a Biba lattice. Due to Biba-BLP equivalence the same constructions can be done in a BLP lattice. Sandhu, R.S. "Transaction Control Expressions for Separation of Duties." Proc. Aerospace Computer Security Applications Conference, 282-286 (1988). Going beyond Clark-Wilson to do dynamic separation of duties. REFERENCES