CS 556 – Computer Security, Spring 2018 · cs556/lecture-notes/clark... · 2018. 2. 13.

  • Dr. Indrajit Ray, Computer Science Department CS 556 - Computer Security - c© 2018 Colorado State University – 1 / 21

    CS 556 – Computer Security

    Spring 2018

    Dr. Indrajit Ray

    Email: [email protected]

    Department of Computer Science

    Colorado State University

    Fort Collins, CO 80523, USA

  • CLARK-WILSON MODEL

    CLARK-WILSON

    MODEL

    MODEL OVERVIEW

    Model Discussion


  • Integrity in Clark-Wilson Model


    ● Data integrity

    ✦ Quality

    ✦ Correctness

    ✦ Authenticity

    ✦ Accuracy

    ● System integrity

    ✦ Successful and correct operation of system

  • Integrity in Clark-Wilson Model


    ● Integrity defined by a set of constraints

    ● Data is in a consistent state when it satisfies these constraints

    ✦ For some data integrity may not matter

    ● If all relevant data is in a consistent state, system integrity is satisfied

  • Separation of Duty


    ● If two or more steps are required to perform a critical task, no single person or entity should perform the task from beginning to end; the task should be divided among two or more people or entities

  • Separation of Function


    ● The same person should not perform two or more different functions in the system.

  • Principle of Least Privilege


    ● An entity should be able to access only the information or resources that are necessary to its legitimate purpose

  • Well-formed Transactions


    ● Users should not be able to manipulate data arbitrarily, but only in constrained, well-defined ways that preserve the integrity of the data

  • MODEL OVERVIEW


  • CW Model Components


    ● CDI: Constrained Data Items

    ✦ Data that is subject to integrity controls

    ● UDI: Unconstrained Data Items

    ✦ These data items are not subject to integrity controls

  • CW Model Components (cont’d)


    ● IVP: Integrity Verification Procedures

    ✦ These procedures test whether the CDIs conform to the integrity constraints

    ● TP: Transaction Procedures

    ✦ These procedures are used to change the CDIs

    ✦ They take the system from one valid state to another

  • Certification Rules and Enforcement Rules


    ● Ensure integrity is achieved and is preserved

    ✦ Certification Rules – Integrity monitoring rules enforced by the administrator

    ✦ Enforcement Rules – Integrity preserving rules guaranteed by the system

  • Certification Rules


    ● C1 - IVP Certification – The system will have an IVP for validating the integrity of any CDI

    ● C2 - Validity – The application of a TP to any CDI must maintain the integrity of that CDI. TPs must be certified to ensure that they result in a valid CDI

  • Certification Rules (cont’d)


    ● C3 - Modification – A CDI can only be changed by a TP. TPs must be certified to ensure they implement the principles of separation of duties & least privilege

    ● C4 - Journal Certification – TPs must be certified to ensure that their actions are logged

    ● C5 – TPs which act on UDIs must be certified to ensure that they result in a valid CDI

  • Enforcement Rules


    ● E1 - Enforcement of Validity – Only certified TPs can operate on CDIs

    ● E2 - Enforcement of Separation of Duty – Users must only access CDIs through TPs for which they are authorized

    ● E3 - User Identity – The system must authenticate the identity of each user attempting to execute a TP

    ● E4 - Initiation – Only the administrator can specify TP authorizations

  • Model Discussion


  • Handling Untrusted Inputs


    ● Any TP that takes as input a UDI may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI

    ✦ For example, in a bank ATM, numbers entered at the keyboard are UDIs, so they cannot be input to TPs as such. TPs must validate numbers (to make them a CDI) before using them; if validation fails, the TP rejects the UDI
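The ATM case above, worked through as an added example (this is not code from the lecture; the policy limits, the names `validate_amount`, `withdraw_tp` and `WithdrawalAmount`, and the sample balances are all constructed). The point it shows is the "no third outcome" property: the raw keypad string is a UDI and is never treated as a number until every check has passed, after which it exists only as a frozen CDI object that the TP consumes.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed ATM policy: amounts are keyed in cents, at most $500 per
# withdrawal, and the machine only dispenses $20 notes.
MAX_CENTS = 50_000
NOTE_CENTS = 2_000


@dataclass(frozen=True)
class WithdrawalAmount:
    """A CDI: an amount that has passed every check below.
    Frozen so that a TP cannot turn it back into an unchecked value."""
    cents: int


def validate_amount(udi: str) -> Optional[WithdrawalAmount]:
    """C5 / slide 17: map the raw keypad string (a UDI) to a CDI, or reject it.
    There is no third outcome: the UDI is not used as a number until every
    check has passed."""
    text = udi.strip()
    if not text or len(text) > 7:                  # empty, or longer than any legal amount
        return None
    if any(c not in "0123456789" for c in text):   # ASCII keypad digits only: no sign,
        return None                                # decimal point or Unicode digits
    cents = int(text)
    if cents == 0 or cents > MAX_CENTS:
        return None
    if cents % NOTE_CENTS != 0:                    # must be dispensable in whole notes
        return None
    return WithdrawalAmount(cents)


def withdraw_tp(balance_cents: int, keypad_entry: str) -> Tuple[int, str]:
    """TP: operates only on the CDI produced by validate_amount.
    balance_cents stands in for an account CDI (constructed); returns the
    new balance and a human-readable outcome."""
    amount = validate_amount(keypad_entry)
    if amount is None:
        return balance_cents, "rejected: invalid amount"
    if amount.cents > balance_cents:
        return balance_cents, "rejected: insufficient funds"
    return balance_cents - amount.cents, f"dispensed ${amount.cents // 100}"


if __name__ == "__main__":
    for entry in ("4000", "-4000", "40.00", "\u0664\u0660\u0660\u0660"):
        print(repr(entry), "->", withdraw_tp(10_000, entry))
```

The digit check is deliberately stricter than `str.isdigit()` or `int()` alone: `int()` happily parses Arabic-Indic or other Unicode decimal digits, a leading sign and surrounding whitespace, all of which would let a value reach the TP in a form the keypad never produces.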

  • Separation of Duty


    ● Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of an entity associated with that TP, may ever have execute permission with respect to that entity

    ✦ Enforces separation of duty with respect to the certified and allowed relations.
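An added example (not code from the lecture) that puts the model components and rules from slides 10 to 15 together with the certifier restriction from this slide. The class `CWSystem`, its method names, the `transfer` TP, the `ledger_ivp` constraint and the account data are all constructed for illustration. It keeps the certified relation (TP to CDIs, C3), the allowed relation (user, TP, CDI triples, E2), an authenticated-session set (E3), an append-only journal (C4), and lets only the administrator certify TPs and change authorizations (E4), refusing to give the certifier execute permission on a TP it certified. Because a Python function cannot really be prevented from touching a dictionary, the runtime re-check of the IVPs after each TP is what stands in for the certification judgement of C2.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


class IntegrityViolation(Exception):
    """Raised whenever a certification or enforcement rule would be broken."""


# Constructed IVP (C1): no account may go negative and balances must sum to the recorded total.
def ledger_ivp(cdis: Dict[str, int]) -> bool:
    accounts = {k: v for k, v in cdis.items() if k.startswith("acct:")}
    return all(v >= 0 for v in accounts.values()) and sum(accounts.values()) == cdis["total"]


# Constructed TP: moves money between two account CDIs. Certifying it (C2) is the
# administrator's judgement that it keeps ledger_ivp true; run_tp re-checks that on every call.
def transfer(cdis: Dict[str, int], src: str, dst: str, amount: int) -> None:
    cdis[src] -= amount
    cdis[dst] += amount


@dataclass
class CWSystem:
    admin: str
    cdis: Dict[str, int]                                              # the CDIs: name -> value
    ivps: List[Callable[[Dict[str, int]], bool]] = field(default_factory=list)
    tps: Dict[str, Callable] = field(default_factory=dict)            # E1: the certified TPs
    certified: Dict[str, Set[str]] = field(default_factory=dict)      # C3: TP -> CDIs it may change
    certifier: Dict[str, str] = field(default_factory=dict)           # slide 18: who certified each TP
    allowed: Set[Tuple[str, str, str]] = field(default_factory=set)   # E2: (user, TP, CDI) triples
    sessions: Set[str] = field(default_factory=set)                   # E3: authenticated users
    journal: List[str] = field(default_factory=list)                  # C4: append-only log

    def login(self, user: str, password: str, passwords: Dict[str, str]) -> None:
        # E3: a TP may only be run by an authenticated identity
        if passwords.get(user) != password:
            raise IntegrityViolation(f"authentication failed for {user}")
        self.sessions.add(user)

    def certify_tp(self, by: str, name: str, fn: Callable, cdi_names: Set[str]) -> None:
        # E4: only the administrator installs TPs and specifies what they may touch
        if by != self.admin:
            raise IntegrityViolation("only the administrator may certify a TP")
        self.tps[name] = fn
        self.certified[name] = set(cdi_names)
        self.certifier[name] = by

    def authorize(self, by: str, user: str, tp: str, cdi: str) -> None:
        # Slide 18: only the certifier may change who is associated with a TP, and may never run it
        if by != self.certifier.get(tp):
            raise IntegrityViolation("only the certifier may change this TP's users")
        if user == self.certifier[tp]:
            raise IntegrityViolation("certifier may not execute the TP it certified")
        if cdi not in self.certified[tp]:                                 # C3
            raise IntegrityViolation(f"{tp} is not certified for {cdi}")
        self.allowed.add((user, tp, cdi))

    def run_tp(self, user: str, tp: str, *cdi_names: str, **kwargs) -> None:
        if user not in self.sessions:                                     # E3
            raise IntegrityViolation("unauthenticated user")
        if tp not in self.tps:                                            # E1
            raise IntegrityViolation("uncertified TP")
        for cdi in cdi_names:                                             # E2
            if (user, tp, cdi) not in self.allowed:
                raise IntegrityViolation(f"{user} may not run {tp} on {cdi}")
        # Apply the TP to a copy, re-run the IVPs, commit only a valid state, journal either way (C4)
        trial = dict(self.cdis)
        self.tps[tp](trial, *cdi_names, **kwargs)
        if not all(ivp(trial) for ivp in self.ivps):
            self.journal.append(f"REJECT {user} {tp} {cdi_names} {kwargs}")
            raise IntegrityViolation("TP would leave a CDI in an invalid state")
        self.cdis = trial
        self.journal.append(f"OK {user} {tp} {cdi_names} {kwargs}")

    def verify(self) -> bool:
        # C1: run every IVP over the current CDIs (start-up or audit time)
        return all(ivp(self.cdis) for ivp in self.ivps)


def demo() -> Tuple[Dict[str, int], List[str], List[str]]:
    """Constructed scenario: one valid transfer, then one attempt against each rule."""
    cw = CWSystem("admin", {"acct:alice": 100, "acct:bob": 50, "total": 150}, [ledger_ivp])
    passwords = {"admin": "adm-pw", "alice": "alice-pw"}                 # constructed credentials
    cw.certify_tp("admin", "transfer", transfer, {"acct:alice", "acct:bob"})
    cw.authorize("admin", "alice", "transfer", "acct:alice")
    cw.authorize("admin", "alice", "transfer", "acct:bob")
    cw.login("alice", "alice-pw", passwords)
    cw.run_tp("alice", "transfer", "acct:alice", "acct:bob", amount=30)
    violations = []
    for attempt in (
        lambda: cw.run_tp("alice", "transfer", "acct:alice", "acct:bob", amount=500),  # IVP fails
        lambda: cw.authorize("admin", "admin", "transfer", "acct:alice"),             # certifier executing
        lambda: cw.run_tp("mallory", "transfer", "acct:bob", "acct:alice", amount=1), # E3
        lambda: cw.run_tp("alice", "withdraw", "acct:alice", amount=1),               # E1
    ):
        try:
            attempt()
        except IntegrityViolation as e:
            violations.append(str(e))
    assert cw.verify()
    return cw.cdis, cw.journal, violations
```

Running `demo()` leaves alice at 70 and bob at 80, a two-entry journal (one OK, one REJECT) and four violation messages, one per rule exercised. The administrator in this toy is both the certifier and the only party who may edit the allowed relation, which is why the attempt to authorize "admin" to run `transfer` is refused.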

  • Ensuring Integrity


    ● Provides an assurance that CDIs can be modified only in constrained ways.

    ✦ Ensured by rules C1, C2, C5, E1 and E4

    ● Provides an ability to control access to resources

    ✦ Ensured by rules C3, E2 and E3.

  • Ensuring Integrity (cont’d)


    ● Provides an ability to ascertain after the fact that changes to CDIs are valid and the system is in a valid state

    ✦ Provided by rules C1 and C4

    ● Provides an ability to uniquely associate a user with her/his action

    ✦ Enforced by rule E3

  • Summary


    ● Model of integrity suitable for many commercial scenarios

    ● Problem: well-formed transactions are difficult to implement in practice
