CLARK-WILSON MODEL
Ravi Sandhu
CLARK-WILSON MODEL: Elements of the model
- Users: active agents
- TPs, Transformation Procedures: programmed abstract operations, e.g., debit, credit
- CDIs, Constrained Data Items: can be manipulated only by TPs
- UDIs, Unconstrained Data Items: can be manipulated by users via primitive read and write operations
- IVPs, Integrity Verification Procedures: run periodically to check consistency of CDIs with external reality
CLARK-WILSON MODEL: Internal and external consistency of CDIs
[Figure: USERS, IVPs, TPs, CDIs, UDIs]
CLARK-WILSON RULES
- C1: IVPs validate CDI state
- C2: TPs preserve valid state
- C3: Suitable (static) separation of duties
- C4: TPs write to log
- C5: TPs validate UDIs
- E1: CDIs changed only by authorized TP
- E2: Users authorized to TP and CDI
- E3: Users are authenticated
- E4: Authorizations changed only by security officer
CERTIFICATION RULES
- C1: IVPs are certified to be correct, i.e., they ensure that all CDIs are in a valid state.
- C2: All TPs are certified to be correct, i.e., they preserve the validity and correctness of CDIs. Each TP is certified to execute on particular sets of CDIs.
- C3: The relations in E2 are certified to meet separation of duties requirements.
- C4: All TPs must be certified to write to an append-only CDI (the log) all information necessary to permit reconstruction of the operation.
- C5: Every TP that takes a UDI as input must be certified to produce a valid CDI or no CDI for all possible values of the UDI.
ENFORCEMENT RULES
- E1: The system maintains (and enforces) a list of all CDIs for which each TP is certified. Each TP is only allowed to operate on CDIs for which it is certified.
- E2: The system maintains (and enforces) a list of relations of the form (UserID, TPi, (CDIa, CDIb, CDIc, ...)) relating a user, a TP, and the data objects that TP may reference on behalf of that user.
- E3: All users are authenticated by the system.
- E4: Only the agent permitted to certify entities may change the lists in E1 and E2. An agent that can certify a TP cannot have execute rights for that TP.
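The enforcement rules E1 to E4, together with C1, C2 and C4 from the certification slide, as an added example that is not part of these slides: a toy reference monitor over account-balance CDIs, with a constructed transfer TP, an IVP, and a security officer named "officer" (all names and balances are assumptions made for the example).

```python
class Violation(Exception): pass   # raised whenever a Clark-Wilson rule would be broken

class CWSystem:
    def __init__(self, officer, cdis):
        self.officer = officer                      # sole agent allowed to change the E1/E2 lists (E4)
        self.cdis = cdis                            # CDI name -> value (account balances here)
        self.tps, self.certified = {}, {}           # TP name -> procedure; E1: TP -> certified CDIs
        self.triples, self.authenticated = set(), set()  # E2 relations; E3 authenticated users
        self.log = []                               # append-only log CDI (C4)
    def certify_tp(self, actor, name, proc, cdis):
        if actor != self.officer:
            raise Violation("E4: only the security officer may certify a TP")
        self.tps[name], self.certified[name] = proc, set(cdis)
    def authorize(self, actor, user, tp, cdis):
        if actor != self.officer or user == self.officer:
            raise Violation("E4: only the officer grants triples, and never to itself")
        self.triples.add((user, tp, frozenset(cdis)))
    def run(self, user, tp, cdis, *args):
        cdis = frozenset(cdis)
        if user not in self.authenticated:
            raise Violation("E3: user is not authenticated")
        if tp not in self.tps or not cdis <= self.certified[tp]:
            raise Violation("E1: TP is not certified for these CDIs")
        if (user, tp, cdis) not in self.triples:
            raise Violation("E2: no (user, TP, CDIs) relation for this request")
        self.tps[tp](self.cdis, *args)                          # only a certified TP touches CDIs
        self.log.append((user, tp, tuple(sorted(cdis)), args))  # C4: enough to reconstruct the operation

def transfer(cdis, src, dst, amount):
    # TP certified to preserve validity (C2): rejects overdrafts and non-positive amounts
    if amount <= 0 or cdis[src] < amount:
        raise Violation("C2: transfer would leave the CDIs in an invalid state")
    cdis[src] -= amount
    cdis[dst] += amount
def ivp_total(cdis, expected_total):
    # IVP (C1): internal balances must agree with the externally known total
    return sum(cdis.values()) == expected_total
def violation_code(proc, *args):
    try:
        proc(*args)
    except Violation as err:
        return str(err)[:2]   # rule label such as "E2" or "C2"; None if the call succeeded

def demo():
    system = CWSystem("officer", {"acct_a": 100, "acct_b": 50})   # constructed balances
    system.certify_tp("officer", "transfer", transfer, ["acct_a", "acct_b"])
    system.authorize("officer", "alice", "transfer", ["acct_a", "acct_b"])
    system.authenticated |= {"alice", "bob"}   # bob is authenticated but holds no E2 triple
    system.run("alice", "transfer", ["acct_a", "acct_b"], "acct_a", "acct_b", 30)
    return system
```

Note that C3 (separation of duties) is not checked by the monitor itself: it is a property the officer must certify about the set of triples, which is the point of the later slide on what access control can and cannot express.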
CLARK-WILSON ASSESSMENT
- Too static
- Too centralized: the security officer is God and nobody else can change any authorization
- Has had a beneficial effect in convincing the mainstream security community that there is more to integrity than Biba
RELATIONSHIP OF ACCESS CONTROL MODELS TO CLARK-WILSON
- Enforcement rules: easily expressed
- Certification rules: outside the scope of access control
REFERENCES
- Clark, D.D. and Wilson, D.R. "A Comparison of Commercial and Military Computer Security Policies." Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 1987, pages
  The original Clark-Wilson paper. Subsequently Clark and Wilson have stated that the commercial-military dichotomy in the title was a mistake. The real issue is integrity versus confidentiality.
- Lee, T.M.P. "Using Mandatory Integrity to Enforce 'Commercial' Security." Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 1988, pages
- Shockley, W.R. "Implementing the Clark/Wilson Integrity Policy Using Current Technology." Proc. 11th NBS-NCSC National Computer Security Conference, 1988.
  Two independent attempts to implement Clark-Wilson using a Biba lattice. Due to Biba-BLP equivalence the same constructions can be done in a BLP lattice.
- Sandhu, R.S. "Transaction Control Expressions for Separation of Duties." Proc. Aerospace Computer Security Applications Conference, 1988.
  Going beyond Clark-Wilson to do dynamic separation of duties.