CS 556 – Computer Security Spring 2018cs556/lecture-notes/clark... · 2018. 2. 13. · Dr....
-
Dr. Indrajit Ray, Computer Science Department CS 556 - Computer Security - © 2018 Colorado State University – 1 / 21
CS 556 – Computer Security
Spring 2018
Dr. Indrajit Ray
Email: [email protected]
Department of Computer Science
Colorado State University
Fort Collins, CO 80523, USA
-
CLARK-WILSON MODEL
CLARK-WILSON
MODEL
MODEL OVERVIEW
Model Discussion
-
Integrity in Clark-Wilson Model
● Data integrity
✦ Quality
✦ Correctness
✦ Authenticity
✦ Accuracy
● System integrity
✦ Successful and correct operation of system
-
Integrity in Clark-Wilson Model
● Integrity defined by a set of constraints
● Data is in a consistent state when it satisfies these constraints
✦ For some data integrity may not matter
● If all relevant data is in consistent state, system integrity is
satisfied
-
Separation of Duty
● If two or more steps are required to perform a critical task, no
single person or entity should perform the task from beginning to
end but the task should be divided among two or more people or
entities
-
Separation of Function
● The same person should not perform two or more different
functions in the system.
-
Principle of Least Privilege
● An entity should be able to access only such information or
resources that are necessary to its legitimate purpose
-
Well-formed Transactions
● User should not be able to manipulate data arbitrarily but only in
constrained, well-defined ways that preserve the integrity of the
data
-
MODEL OVERVIEW
-
CW Model Components
● CDI: Constrained Data Items
✦ Data that is subject to integrity controls
● UDI: Unconstrained Data Items
✦ These data items are not subject to integrity controls
-
CW Model Components (cont’d)
● IVP: Integrity Verification Procedures
✦ These procedures test if the CDIs conform to the integrity
constraints
● TP: Transaction Procedures
✦ These procedures are used to change the CDIs
✦ They take the system from one valid state to another
-
Certification Rules and Enforcement Rules
● Ensure integrity is achieved and is preserved
✦ Certification Rules – Integrity monitoring rules enforced by
the administrator
✦ Enforcement Rules – Integrity preserving rules guaranteed
by the system
-
Certification Rules
● C1 - IVP Certification – The system will have an IVP for
validating the integrity of any CDI
● C2 - Validity – The application of a TP to any CDI must maintain
the integrity of that CDI. CDIs must be certified to ensure that
they result in a valid CDI
-
Certification Rules (cont’d)
● C3 - Modification – A CDI can only be changed by a TP. TPs
must be certified to ensure they implement the principles of
separation of duties & least privilege
● C4 - Journal Certification – TPs must be certified to ensure
that their actions are logged
● C5 – TPs which act on UDIs must be certified to ensure that
they result in a valid CDI
-
Enforcement Rules
● E1 - Enforcement of Validity – Only certified TPs can operate
on CDIs
● E2 - Enforcement of Separation of Duty – Users must only
access CDIs through TPs for which they are authorized
● E3 - User Identity – The system must authenticate the identity
of each user attempting to execute a TP
● E4 - Initiation – Only the administrator can specify TP
authorizations
-
Model Discussion
-
Handling Untrusted Inputs
● Any TP that takes as input a UDI may perform only valid
transformations, or no transformations, for all possible values of
the UDI. The transformation either rejects the UDI or transforms
it into a CDI
✦ For example, in a bank ATM, numbers entered at the
keyboard are UDIs so cannot be input to TPs as such. TPs
must validate numbers (to make them a CDI) before using
them; if validation fails, TP rejects UDI
-
Separation of Duty
● Only the certifier of a TP may change the list of entities
associated with that TP. No certifier of a TP, or of an entity
associated with that TP, may ever have execute permission with
respect to that entity
✦ Enforces separation of duty with respect to certified and
allowed relations.
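The following toy reference monitor is an added example, not code from the lecture slides. It maps the components and rules from the Model Overview slides (CDIs, UDIs, IVP, TPs, C1-C5, E1-E4) and the two Model Discussion slides above (UDI validation in the ATM example, certifier/executor separation) onto Python. The bank-balance domain, the per-transaction limit of 10,000, the user names, and the rule labels in the error messages are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


class IntegrityError(Exception):
    """Raised whenever a certification or enforcement rule would be violated."""


def validate_amount(udi: str) -> int:
    """C5 / untrusted input: turn a keypad string (UDI) into a validated amount or reject it."""
    # isascii() matters: "²".isdigit() is True but int("²") raises, so a bare
    # isdigit() check would let a malformed UDI reach the TP body.
    if not (udi.isascii() and udi.isdigit()):  # rejects "", "-5", "12.5", "1e3"
        raise IntegrityError("C5: UDI rejected, not a whole number")
    amount = int(udi)
    if amount == 0 or amount > 10_000:  # constructed per-transaction limit
        raise IntegrityError("C5: UDI rejected, out of range")
    return amount


def tp_deposit(cdis: Dict[str, int], account: str, udi: str) -> None:
    cdis[account] += validate_amount(udi)


def tp_withdraw(cdis: Dict[str, int], account: str, udi: str) -> None:
    cdis[account] -= validate_amount(udi)  # an overdraft is caught by the IVP, not here


@dataclass
class ClarkWilsonMonitor:
    cdis: Dict[str, int] = field(default_factory=dict)  # constrained data items
    ivps: List[Callable[[Dict[str, int]], bool]] = field(default_factory=list)  # C1
    certified_tps: Dict[str, Callable[..., None]] = field(default_factory=dict)  # C2 / E1
    certifier_of: Dict[str, str] = field(default_factory=dict)  # who certified which TP
    allowed: Set[Tuple[str, str, str]] = field(default_factory=set)  # (user, TP, CDI) triples, E2
    authenticated: Set[str] = field(default_factory=set)  # E3
    admins: Set[str] = field(default_factory=set)  # E4
    journal: List[str] = field(default_factory=list)  # C4

    def certify_tp(self, certifier: str, name: str, fn: Callable[..., None]) -> None:
        self.certified_tps[name] = fn  # C2/C3: only certified TPs may touch CDIs
        self.certifier_of[name] = certifier

    def authorize(self, admin: str, user: str, tp: str, cdi: str) -> None:
        """E4: only an administrator adds triples; a TP's certifier never gets execute rights on it."""
        if admin not in self.admins:
            raise IntegrityError("E4: only an administrator may specify TP authorizations")
        if user == self.certifier_of.get(tp):
            raise IntegrityError("separation of duty: the certifier of a TP may not execute it")
        self.allowed.add((user, tp, cdi))

    def ivp_holds(self) -> bool:
        return all(ivp(self.cdis) for ivp in self.ivps)  # C1: every IVP over current CDIs

    def execute(self, user: str, tp: str, cdi: str, *udis: str) -> None:
        """Gate by E3, E1, E2; commit only if the IVP still holds (C2); journal every attempt (C4)."""
        snapshot = dict(self.cdis)
        try:
            if user not in self.authenticated:
                raise IntegrityError("E3: user not authenticated")
            if tp not in self.certified_tps:
                raise IntegrityError("E1: TP is not certified")
            if (user, tp, cdi) not in self.allowed:
                raise IntegrityError("E2: user not authorized for this TP/CDI pair")
            self.certified_tps[tp](self.cdis, cdi, *udis)
            if not self.ivp_holds():
                raise IntegrityError("C2: TP left a CDI in an inconsistent state")
        except Exception as exc:
            self.cdis = snapshot  # roll back: CDIs move only between valid states
            self.journal.append(f"REJECT user={user} tp={tp} cdi={cdi} udis={udis} reason={exc}")
            raise
        self.journal.append(f"OK user={user} tp={tp} cdi={cdi} udis={udis}")


def attempt(fn, *args) -> str:
    """Report which rule blocked an action, or 'ok' if it went through."""
    try:
        fn(*args)
        return "ok"
    except IntegrityError as exc:
        return str(exc).split(":")[0]


def demo() -> Tuple[ClarkWilsonMonitor, Dict[str, str]]:
    # Constructed scenario: alice administers, carol certifies TPs, bob operates the ATM.
    m = ClarkWilsonMonitor(cdis={"acct1": 0}, ivps=[lambda c: all(b >= 0 for b in c.values())],
                           authenticated={"alice", "bob", "carol"}, admins={"alice"})
    m.certify_tp("carol", "deposit", tp_deposit)
    m.certify_tp("carol", "withdraw", tp_withdraw)
    m.authorize("alice", "bob", "deposit", "acct1")
    m.authorize("alice", "bob", "withdraw", "acct1")
    results = {
        "non_admin_grant": attempt(m.authorize, "bob", "bob", "deposit", "acct1"),
        "certifier_grant": attempt(m.authorize, "alice", "carol", "deposit", "acct1"),
        "deposit_150": attempt(m.execute, "bob", "deposit", "acct1", "150"),
        "overdraft_500": attempt(m.execute, "bob", "withdraw", "acct1", "500"),
        "bad_udi": attempt(m.execute, "bob", "deposit", "acct1", "12.5"),
        "unauthenticated": attempt(m.execute, "dave", "deposit", "acct1", "10"),
        "uncertified_tp": attempt(m.execute, "bob", "transfer", "acct1", "10"),
        "unauthorized": attempt(m.execute, "carol", "deposit", "acct1", "10"),
    }
    return m, results
```

Running `demo()` leaves `acct1` at 150: the overdraft is undone because the IVP fails after the TP runs, and the malformed keypad entry never reaches the TP body. Denied attempts are journaled alongside successful ones so that the after-the-fact check the Ensuring Integrity slides attribute to C1 and C4 has a complete record to work from.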
-
Ensuring Integrity
● Provides an assurance that CDIs can be modified only in
constrained ways.
✦ Ensured by rules C1, C2, C5, and E1 and E4
● Provides an ability to control access to resources
✦ Ensured by rules C3 and E2 and E3.
-
Ensuring Integrity (cont’d)
● Provides an ability to ascertain after the fact that changes to
CDIs are valid and the system is in a valid state
✦ Provided by rules C1 and C4
● Provides an ability to uniquely associate a user with her/his action
✦ Enforced by rule E3
-
Summary
● Model of integrity suitable for many commercial scenarios
● Difficulty of implementing well-formed transactions is a problem