Post on 14-Feb-2021
Dr. Indrajit Ray, Computer Science Department, CS 556 - Computer Security, © 2018 Colorado State University
CS 556 – Computer Security
Spring 2018
Dr. Indrajit Ray
Email: indrajit.ray@colostate.edu
Department of Computer Science
Colorado State University
Fort Collins, CO 80523, USA
CLARK-WILSON MODEL
● Clark-Wilson Model
● Model Overview
● Model Discussion
Integrity in Clark-Wilson Model
● Data integrity
✦ Quality
✦ Correctness
✦ Authenticity
✦ Accuracy
● System integrity
✦ Successful and correct operation of system
Integrity in Clark-Wilson Model
● Integrity is defined by a set of constraints
● Data is in a consistent state when it satisfies these constraints
✦ For some data, integrity may not matter
● If all relevant data is in a consistent state, system integrity is
satisfied
Separation of Duty
● If two or more steps are required to perform a critical task, no
single person or entity should perform the task from beginning to
end but the task should be divided among two or more people or
entities
Separation of Function
● The same person should not perform two or more different
functions in the system.
Principle of Least Privilege
● An entity should be able to access only such information or
resources that are necessary to its legitimate purpose
Well-formed Transactions
● User should not be able to manipulate data arbitrarily but only in
constrained, well-defined ways that preserve the integrity of the
data
MODEL OVERVIEW
CW Model Components
● CDI: Constrained Data Items
✦ Data that is subject to integrity controls
● UDI: Unconstrained Data Items
✦ These data items are not subject to integrity controls
CW Model Components (cont’d)
● IVP: Integrity Verification Procedures
✦ These procedures test if the CDIs conform to the integrity
constraints
● TP: Transaction Procedures
✦ These procedures are used to change the CDIs
✦ They take the system from one valid state to another
Certification Rules and Enforcement Rules
● Ensure integrity is achieved and is preserved
✦ Certification Rules – Integrity monitoring rules enforced by
the administrator
✦ Enforcement Rules – Integrity preserving rules guaranteed
by the system
Certification Rules
● C1 - IVP Certification – The system will have an IVP for
validating the integrity of any CDI
● C2 - Validity – The application of a TP to any CDI must maintain
the integrity of that CDI: a TP must take the CDIs it acts on from
one valid state to another valid state. TPs (not CDIs) must be
certified to ensure that they result in a valid CDI
Certification Rules (cont’d)
● C3 - Modification – A CDI can only be changed by a TP. TPs
must be certified to ensure they implement the principles of
separation of duty and least privilege
● C4 - Journal Certification – TPs must be certified to ensure
that their actions are logged
● C5 – TPs which act on UDIs must be certified to ensure that
they either reject the UDI or transform it into a valid CDI
Enforcement Rules
● E1 - Enforcement of Validity – Only certified TPs can operate
on CDIs
● E2 - Enforcement of Separation of Duty – Users must only
access CDIs through TPs for which they are authorized
● E3 - User Identity – The system must authenticate the identity
of each user attempting to execute a TP
● E4 - Initiation – Only administrator can specify TP
authorizations
Model Discussion
Handling Untrusted Inputs
● Any TP that takes as input a UDI may perform only valid
transformations, or no transformations, for all possible values of
the UDI. The transformation either rejects the UDI or transforms
it into a CDI
✦ For example, in a bank ATM, numbers entered at the
keyboard are UDIs, so they cannot be treated as CDIs. A TP
must validate such a number (turning it into a CDI) before
using it; if validation fails, the TP rejects the UDI
Separation of Duty
● Only the certifier of a TP may change the list of entities
associated with that TP. No certifier of a TP, or of an entity
associated with that TP, may ever have execute permission with
respect to that entity
✦ Enforces separation of duty with respect to certified and
allowed relations.
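The following is an added example, not code from the slides or from the Clark-Wilson paper. It ties together the model components (CDI, UDI, IVP, TP), the certification and enforcement rules, the handling of untrusted input (C5) and the certifier rule (E4) in a toy reference monitor. The scenario is an assumption: CDIs are account balances, the integrity constraint is that no balance is negative and the balances always sum to a fixed total, and `transfer` is the one certified TP. The user, certifier and account names are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Callable


class IntegrityError(Exception):
    """Raised when a TP would leave a CDI in a state the IVP rejects."""


@dataclass
class Monitor:
    """A toy Clark-Wilson reference monitor (constructed example, not the slides' code)."""
    cdis: dict = field(default_factory=dict)           # CDI name -> value
    certified_tps: dict = field(default_factory=dict)  # TP name -> (fn, certifier)
    allowed: set = field(default_factory=set)          # (user, tp, cdi) relation (E2)
    authenticated: set = field(default_factory=set)    # users whose identity is verified (E3)
    journal: list = field(default_factory=list)        # append-only log of TP invocations (C4)
    expected_total: int = 0                            # assumed invariant: balances sum to this

    def ivp(self) -> bool:
        """C1: integrity verification procedure over every CDI."""
        vals = list(self.cdis.values())
        return all(v >= 0 for v in vals) and sum(vals) == self.expected_total

    def certify_tp(self, certifier: str, name: str, fn: Callable) -> None:
        """C2/C3: only a certified TP may ever run (E1); record who certified it."""
        self.certified_tps[name] = (fn, certifier)

    def authorize(self, certifier: str, user: str, tp: str, cdi: str) -> None:
        """E4: only the certifier of a TP may change its allowed relation, and the
        certifier may never hold execute rights on what it certified."""
        if tp not in self.certified_tps:
            raise PermissionError(f"{tp!r} is not a certified TP")
        if self.certified_tps[tp][1] != certifier:
            raise PermissionError("only the TP's certifier may change its allowed relation")
        if user == certifier:
            raise PermissionError("separation of duty: certifier may not execute the TP")
        self.allowed.add((user, tp, cdi))

    def run_tp(self, user: str, tp: str, cdis: tuple, udi) -> bool:
        """E1/E2/E3 gate the call; C5 validation happens inside the TP; C1 checks the
        post-state; C4 journals the outcome. Returns True if the change was committed."""
        if user not in self.authenticated:                       # E3
            raise PermissionError(f"unauthenticated user {user!r}")
        if tp not in self.certified_tps:                         # E1
            raise PermissionError(f"{tp!r} is not a certified TP")
        for c in cdis:                                           # E2
            if (user, tp, c) not in self.allowed:
                raise PermissionError(f"{user!r} may not run {tp!r} on {c!r}")
        fn, _ = self.certified_tps[tp]
        snapshot = dict(self.cdis)  # a TP must go valid state -> valid state: keep a rollback point
        try:
            fn(self, cdis, udi)
            if not self.ivp():                                   # C1/C2
                raise IntegrityError("post-state fails the IVP")
        except (IntegrityError, ValueError) as exc:
            self.cdis = snapshot
            self.journal.append((user, tp, cdis, udi, "rejected", str(exc)))  # C4
            return False
        self.journal.append((user, tp, cdis, udi, "committed", None))         # C4
        return True


def transfer(mon: Monitor, cdis: tuple, udi) -> None:
    """Certified TP: move `udi` units from cdis[0] to cdis[1].
    The amount is a UDI (raw keyboard text), so C5 applies: either turn it into
    a valid value or reject it. Overdrafts are deliberately left to the IVP here
    to show the C1 backstop; a production TP would also check them itself."""
    if not isinstance(udi, str) or not udi.isdigit():
        raise ValueError(f"UDI {udi!r} is not a non-negative integer")
    amount = int(udi)
    src, dst = cdis
    mon.cdis[src] -= amount
    mon.cdis[dst] += amount


def demo():
    """Constructed scenario: two accounts, one certified TP, one authorized teller."""
    mon = Monitor(cdis={"alice": 100, "bob": 50}, expected_total=150)
    mon.authenticated.add("teller")
    mon.certify_tp("auditor", "transfer", transfer)
    for acct in ("alice", "bob"):
        mon.authorize("auditor", "teller", "transfer", acct)
    results = [
        mon.run_tp("teller", "transfer", ("alice", "bob"), "30"),        # valid -> committed
        mon.run_tp("teller", "transfer", ("alice", "bob"), "30; DROP"),  # C5: UDI rejected
        mon.run_tp("teller", "transfer", ("alice", "bob"), "500"),       # IVP: negative balance, rolled back
    ]
    return mon, results


if __name__ == "__main__":
    mon, results = demo()
    print(results, mon.cdis, mon.ivp())
    for entry in mon.journal:
        print(entry)
```

Running `demo()` commits the first transfer, rejects the malformed UDI before it touches any CDI, and rolls back the overdraft because the post-state fails the IVP; all three attempts appear in the journal, which is what lets an auditor reconstruct after the fact (C1 and C4) whether the system is in a valid state. Attempts by the `auditor` to authorize itself, by an unauthenticated user to run a TP, or by anyone to run an uncertified TP are refused outright rather than journaled, since they never reach a TP.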
Ensuring Integrity
● Provides an assurance that CDIs can be modified only in
constrained ways.
✦ Ensured by rules C1, C2, C5, and E1 and E4
● Provides an ability to control access to resources
✦ Ensured by rules C3 and E2 and E3.
Ensuring Integrity (cont’d)
● Provides an ability to ascertain after the fact that changes to
CDIs are valid and the system is in a valid state
✦ Provided by rules C1 and C4
● Provides an ability to uniquely associate a user with her/his actions
✦ Enforced by rule E3
Summary
● Model of integrity suitable for many commercial scenarios
● Its main practical difficulty is implementing and certifying well-formed transactions