1 Clark Wilson Implementation Shilpa Venkataramana
2 Overview Introduction Types of Clark Wilson Implementation – The Lee and Shockley Implementation – The Karger Implementation – The Jueneman Implementation – The Gong Implementation References
3 Introduction – Clark-Wilson Implementation The Clark-Wilson model provides a foundation for specifying and analyzing an integrity policy for a computing system. An integrity policy describes how the data items in the system are to be kept valid from one state of the system to the next, and specifies the capabilities of the various principals in the system. Integrity is defined by a set of constraints – Example: a bank, where D is today’s deposits, W is today’s withdrawals, YB is yesterday’s balance and TB is today’s balance – Integrity constraint: TB = YB + D - W
4 The Lee and Shockley Implementation In 1988, Lee and Shockley independently developed implementations of the Clark-Wilson integrity model using Biba’s integrity categories and trusted subjects. Both of these implementations were based on sensitivity levels constructed from independent elements.
5 The Lee and Shockley Implementation Each level represents a sensitivity to disclosure and a sensitivity to modification. Data is manipulated by certified transactions, which are trusted subjects. The trusted subject can transform data from a specific input type to a specific output type.
6 The Lee and Shockley Implementation The Biba lattice philosophy is implemented so that a subject may not read above its level in disclosure or below its level in integrity. Every subject and object has both disclosure and integrity levels for use in this implementation. The Lee and Shockley implementations prevent unauthorized users from modifying data.
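The two-lattice check the Lee and Shockley slides describe, as an added example in Python (not code from the slides or from the Lee and Shockley papers). Every subject and object carries a disclosure label and an integrity label; ordinary reads and writes are decided against both lattices, while a certified transaction is a trusted subject that may move data from exactly one input label to exactly one output label. The level names, the bank scenario and the `CertifiedTransaction` type are this example's own assumptions.

```python
"""Added example: a reference monitor over a disclosure lattice and an
integrity lattice, plus certified transactions as trusted subjects. Level
names, labels and the teller/ledger scenario are constructed for illustration."""
from dataclasses import dataclass

# Linear orders for the two lattices; a later entry dominates an earlier one.
DISCLOSURE = ("public", "internal", "secret")
INTEGRITY = ("untrusted", "user", "system")


@dataclass(frozen=True)
class Label:
    disclosure: str
    integrity: str

    @property
    def disc_rank(self) -> int:
        return DISCLOSURE.index(self.disclosure)

    @property
    def int_rank(self) -> int:
        return INTEGRITY.index(self.integrity)


def can_read(subject: Label, obj: Label) -> bool:
    """Disclosure: no read up (subject must dominate the object).
    Integrity: no read down (object must be at least as trustworthy)."""
    return subject.disc_rank >= obj.disc_rank and subject.int_rank <= obj.int_rank


def can_write(subject: Label, obj: Label) -> bool:
    """Disclosure: no write down (object must dominate the subject).
    Integrity: no write up (subject must be at least as trustworthy)."""
    return obj.disc_rank >= subject.disc_rank and obj.int_rank <= subject.int_rank


@dataclass(frozen=True)
class CertifiedTransaction:
    """A trusted subject: certified to read objects at exactly `input_label`
    and write the result at exactly `output_label`, and nothing else."""
    name: str
    input_label: Label
    output_label: Label

    def may_transform(self, src: Label, dst: Label) -> bool:
        return src == self.input_label and dst == self.output_label


def transform(tp: CertifiedTransaction, src: Label, dst: Label, value, fn):
    """Run a certified transaction from a src-labelled object to a dst-labelled
    one; raises PermissionError unless the labels match its certification."""
    if not tp.may_transform(src, dst):
        raise PermissionError(f"{tp.name} is not certified for {src} -> {dst}")
    return fn(value)


# Constructed scenario: a teller's draft figure (user integrity) must be
# promoted into the system-integrity ledger, which the teller cannot write.
TELLER = Label("internal", "user")
DRAFT = Label("internal", "user")
LEDGER = Label("internal", "system")
POST_DEPOSIT = CertifiedTransaction("post_deposit", DRAFT, LEDGER)


def demo() -> dict:
    results = {
        "teller_reads_ledger": can_read(TELLER, LEDGER),    # same disclosure, reads up in integrity
        "teller_writes_ledger": can_write(TELLER, LEDGER),  # would write up in integrity
        "teller_reads_secret": can_read(TELLER, Label("secret", "user")),  # read up in disclosure
    }
    # The certified transaction is trusted for exactly this promotion...
    results["tp_posts_deposit"] = transform(POST_DEPOSIT, DRAFT, LEDGER, 250, lambda v: v)
    # ...and for nothing else: it cannot push the figure into a public object.
    try:
        transform(POST_DEPOSIT, DRAFT, Label("public", "system"), 250, lambda v: v)
        results["tp_leaks_to_public"] = True
    except PermissionError:
        results["tp_leaks_to_public"] = False
    return results
```

The point to take from `demo()` is that the teller can read the ledger but never write it directly; the only path for user-integrity data into the system-integrity ledger is a certified transaction, and that transaction is bound to one input label and one output label rather than being a general bypass of the lattice.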
7 Karger Implementation In 1988, Karger proposed another implementation of the Clark-Wilson integrity model, augmenting it with his secure capabilities architecture (developed in 1984) and a generic lattice security model. The capabilities architecture, combined with access control lists that represent the security lattice, provides improved flexibility in implementing integrity.
8 Karger Implementation The Karger implementation requires access control lists that contain the specifics of the Clark-Wilson triples: – the names of the subjects and of the objects they are requesting access to, and – the names of the programs that provide the access. Holding the full triple in the list is what enables static separation of duties. Static separation of duties prevents unauthorized users from modifying data and prevents authorized users from making improper modifications.
9 Karger Implementation It uses capabilities together with access control lists that limit actions to particular domains. The access control lists not only contain the triples but also specify the order in which the transactions must be executed. These lists are used with audit-based capabilities to enforce dynamic separation of duties.
10 Karger Implementation The Karger implementation provides three levels of integrity – First – triples in access control lists, allowing for basic integrity – Second – the capabilities architecture used together with the access control lists – Third – support for both dynamic separation of duties and well-formed transactions
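One small reference monitor that ties together the introduction's bank constraint TB = YB + D - W and the Karger slides above: Clark-Wilson (user, TP, CDI) triples held in an ACL, a required order of transactions per data item, and dynamic separation of duties decided from the audit trail. This is an added example in Python, not code from the slides or from Karger's paper; the user names, transaction names, the three-step day-close workflow and the balances are constructed for it.

```python
"""Added example: Clark-Wilson triples in an ACL, Karger-style transaction
ordering, audit-based dynamic separation of duties, and the IVP for
TB = YB + D - W. Users, TP names and balances are constructed data."""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Optional, Set, Tuple


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Account:
    """The constrained data item: yesterday's balance, today's deposits and
    withdrawals, and the closing balance (None until the day is closed)."""
    yb: int
    d: int = 0
    w: int = 0
    tb: Optional[int] = None


def ivp(acct: Account) -> bool:
    """Integrity verification procedure for the constraint TB = YB + D - W."""
    return acct.tb is None or acct.tb == acct.yb + acct.d - acct.w


@dataclass
class Monitor:
    triples: Set[Tuple[str, str, str]]  # (user, TP, CDI) triples held in the ACL
    order: Dict[str, List[str]]         # per CDI, the order TPs must be executed in
    cdis: Dict[str, Account]
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def run(self, user: str, tp: str, cdi: str,
            fn: Callable[[Account], Account]) -> Account:
        if (user, tp, cdi) not in self.triples:
            raise AccessDenied(f"no triple permits {user} to run {tp} on {cdi}")
        done = [rec for rec in self.audit if rec[2] == cdi]
        sequence = self.order[cdi]
        if len(done) >= len(sequence) or sequence[len(done)] != tp:
            raise AccessDenied(f"{tp} is not the next transaction for {cdi}")
        # Dynamic separation of duties decided from the audit trail: whoever
        # performed the previous step on this CDI may not perform this one,
        # even if a triple statically permits them to.
        if done and done[-1][0] == user:
            raise AccessDenied(f"{user} performed the previous step on {cdi}")
        new_state = fn(self.cdis[cdi])
        # Clark-Wilson relies on certifying each TP to preserve validity; the
        # monitor re-runs the IVP here as an additional check on that.
        if not ivp(new_state):
            raise AccessDenied(f"{tp} would leave {cdi} invalid")
        self.cdis[cdi] = new_state
        self.audit.append((user, tp, cdi))
        return new_state


# Constructed transformation procedures for one account.
def post_deposits(acct: Account) -> Account:
    return replace(acct, d=acct.d + 500)

def post_withdrawals(acct: Account) -> Account:
    return replace(acct, w=acct.w + 200)

def close_day(acct: Account) -> Account:
    return replace(acct, tb=acct.yb + acct.d - acct.w)

def sloppy_close(acct: Account) -> Account:
    """A mis-certified TP that ignores withdrawals; the IVP rejects its output."""
    return replace(acct, tb=acct.yb + acct.d)


def build_monitor() -> Monitor:
    triples = {
        ("alice", "post_deposits", "acct-1"),
        ("alice", "post_withdrawals", "acct-1"),  # statically allowed...
        ("bob", "post_withdrawals", "acct-1"),
        ("carol", "close_day", "acct-1"),
    }
    order = {"acct-1": ["post_deposits", "post_withdrawals", "close_day"]}
    return Monitor(triples, order, {"acct-1": Account(yb=1000)})


def attempt(m: Monitor, user: str, tp: str, fn: Callable[[Account], Account]) -> str:
    try:
        m.run(user, tp, "acct-1", fn)
        return "ok"
    except AccessDenied as exc:
        return f"denied: {exc}"


def demo() -> Tuple[List[str], Account]:
    m = build_monitor()
    results = [
        attempt(m, "carol", "close_day", close_day),                # out of order
        attempt(m, "alice", "post_deposits", post_deposits),        # ok
        attempt(m, "alice", "post_withdrawals", post_withdrawals),  # ...denied dynamically
        attempt(m, "bob", "post_withdrawals", post_withdrawals),    # ok
        attempt(m, "carol", "close_day", sloppy_close),             # IVP rejects
        attempt(m, "carol", "close_day", close_day),                # ok: TB = 1000 + 500 - 200
    ]
    return results, m.cdis["acct-1"]
```

The static triples alone would let alice post both the deposits and the withdrawals; it is the audit record of who ran the previous step, consulted at decision time, that stops her, which is what distinguishes dynamic from static separation of duties in the slides.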
11 Jueneman Implementation In 1989, Jueneman proposed a defensive detection implementation for use on dynamic networks of interconnected trusted computers communicating through unsecured media. This implementation was based on mandatory and discretionary access controls, encryption, checksums, and digital signatures.
12 Jueneman Implementation It prevents unauthorized users from modifying data. The control mechanisms in this implementation support the philosophy that, in a network environment, the originator of an object is responsible for its confidentiality and the recipient is responsible for its integrity. The mandatory access controls prevent unauthorized modification within the trusted computers and detect modifications made outside the trusted computers.
14 Jueneman Implementation The discretionary access controls prevent the modification, destruction, or renaming of an object by a user who qualifies under mandatory control but lacks the owner’s permission to access the object. The encryption mechanism is used to avoid unauthorized disclosure of the object. Checksums verify that the communication received is the communication that was sent, and digital signatures are evidence of the source of the communication. Over unsecured media a plain checksum only detects accidental corruption: an attacker who can alter a message can recompute an unkeyed checksum, so the checksum must itself be covered by the digital signature (or be keyed) for the detection to hold against deliberate modification.
15 Gong Implementation The Gong implementation, developed in 1989, is an identity-based and capability-oriented security system for distributed systems in a network environment. Capabilities identify each object and specify the access rights (i.e., read, write and update) allowed to each subject that is authorized access. Access authorizations are provided in an access list.
16 Gong Implementation The Gong implementation consists of subjects (i.e., users), objects, object servers, and a centralized access control server. The access control server contains the access control lists, and the object server contains the capability controls for each object.
17 Gong Implementation This implementation is very flexible because it is independent of the protection policy (i.e., the Bell-LaPadula disclosure lattice, the Biba integrity lattice, the Clark-Wilson access triples, or the Lee-Shockley nonhierarchical categories). The Gong implementation can be used to prevent unauthorized users from modifying data and to prevent authorized users from making unauthorized modifications.
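The division of labour the Gong slides describe, as an added example in Python (not code from the slides or from Gong's paper): a central access control server that holds the access lists and consults a pluggable protection policy before issuing a capability, and an object server that holds a per-object capability control and honours only capabilities it can validate. The keyed-HMAC tag, the per-object secret used for revocation, the subject and object names and the sample policy are all this example's assumptions, not a description of how Gong's system protected its capabilities.

```python
"""Added example: access control server (ACLs + policy hook) issuing
identity-bound capabilities that an object server validates with a per-object
secret. HMAC tag, per-object secret, names and policy are constructed here."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Capability:
    subject: str            # identity-based: usable only by this subject
    obj: str
    rights: FrozenSet[str]  # e.g. {"read"} or {"read", "write"}
    tag: bytes              # keyed checksum computed by the object server


class ObjectServer:
    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}  # capability control per object
        self._store: Dict[str, str] = {}

    def register(self, obj: str, value: str) -> None:
        self._secrets[obj] = os.urandom(32)
        self._store[obj] = value

    def _tag(self, subject: str, obj: str, rights: FrozenSet[str]) -> bytes:
        msg = json.dumps([subject, obj, sorted(rights)]).encode()
        return hmac.new(self._secrets[obj], msg, hashlib.sha256).digest()

    def mint(self, subject: str, obj: str, rights: FrozenSet[str]) -> Capability:
        """Called only by the access control server (assumed trusted channel)."""
        return Capability(subject, obj, rights, self._tag(subject, obj, rights))

    def revoke_all(self, obj: str) -> None:
        """Rotating the object's secret invalidates every capability for it."""
        self._secrets[obj] = os.urandom(32)

    def access(self, cap: Capability, subject: str, right: str, value: str = "") -> str:
        if cap.subject != subject:
            raise AccessDenied("capability is bound to another subject")
        if not hmac.compare_digest(cap.tag, self._tag(cap.subject, cap.obj, cap.rights)):
            raise AccessDenied("capability tag invalid or revoked")
        if right not in cap.rights:
            raise AccessDenied(f"capability does not carry {right}")
        if right == "write":
            self._store[cap.obj] = value
        return self._store[cap.obj]


class AccessControlServer:
    """Holds the ACLs; the protection policy is a separate hook, so the same
    server can front a disclosure lattice, an integrity lattice or triples."""
    def __init__(self, objects: ObjectServer,
                 policy: Callable[[str, str, FrozenSet[str]], bool]) -> None:
        self.acl: Dict[str, Dict[str, FrozenSet[str]]] = {}
        self._objects, self._policy = objects, policy

    def grant(self, obj: str, subject: str, rights: FrozenSet[str]) -> None:
        self.acl.setdefault(obj, {})[subject] = rights

    def request(self, subject: str, obj: str, rights: FrozenSet[str]) -> Capability:
        if not rights <= self.acl.get(obj, {}).get(subject, frozenset()):
            raise AccessDenied("not on the access list for those rights")
        if not self._policy(subject, obj, rights):
            raise AccessDenied("protection policy refuses")
        return self._objects.mint(subject, obj, rights)


def integrity_policy(subject: str, obj: str, rights: FrozenSet[str]) -> bool:
    """Constructed hook: only a 'system'-level subject may write the ledger."""
    level = {"alice": "user", "daemon": "system"}
    return "write" not in rights or obj != "ledger" or level.get(subject) == "system"


def demo() -> Dict[str, str]:
    objects = ObjectServer()
    objects.register("ledger", "TB=1300")
    acs = AccessControlServer(objects, integrity_policy)
    acs.grant("ledger", "alice", frozenset({"read", "write"}))
    out: Dict[str, str] = {}

    def try_(label, fn):
        try:
            out[label] = "ok:" + str(fn())
        except AccessDenied as exc:
            out[label] = "denied:" + str(exc)

    cap = acs.request("alice", "ledger", frozenset({"read"}))
    try_("alice_read", lambda: objects.access(cap, "alice", "read"))
    try_("write_with_read_cap", lambda: objects.access(cap, "alice", "write", "TB=0"))
    try_("mallory_replays_cap", lambda: objects.access(cap, "mallory", "read"))
    forged = Capability("alice", "ledger", frozenset({"read", "write"}), cap.tag)
    try_("forged_rights", lambda: objects.access(forged, "alice", "write", "TB=0"))
    try_("acs_write_request", lambda: acs.request("alice", "ledger", frozenset({"write"})))
    objects.revoke_all("ledger")
    try_("read_after_revoke", lambda: objects.access(cap, "alice", "read"))
    return out
```

Two checks in `demo()` are worth noting. Alice is on the access list for write, yet her write request is refused by the policy hook, which is where the slides' claim that the mechanism is independent of the protection policy shows up in code. And because the capability is bound to her identity and its tag is keyed, a replay by mallory, an edited rights set, and a capability that outlives a revocation are all rejected at the object server without it ever consulting the access control server.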