
Clark–Wilson model

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by CISSP Researcher (talk | contribs) at 04:55, 29 October 2005. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

The Clark-Wilson Integrity Model is a security model based on transactions.

  * A well-formed transaction is a series of operations that transition a system from one consistent state to another consistent state.
  * In this model the integrity policy addresses the integrity of the transactions.
  * The principle of separation of duty requires that the certifier of a transaction and the implementer are different entities.

Specifically, in the Clark-Wilson Model there are four constructs:

  * Integrity Verification Procedures (IVP)
  * Transformation Procedures (TP)
  * Constrained Data Items (CDI)
  * Unconstrained Data Items (UDI).

The only transactions that can apply to data items are IVPs and TPs.

The model consists of two sets of rules: Certification Rules (CR#) and Enforcement Rules (ER#). To paraphrase these:

  CR1 - When an IVP is executed, it must ensure the CDIs are valid.
  
  CR2 - For some associated set of CDIs, a TP must transform those CDIs from one valid state to another.

Since we must make sure that these TPs are certified to operate on a particular CDI, we must have ER1 and ER2.

  ER1 - System must maintain a list of certified relations and ensure only TPs certified to run on a CDI change that CDI.
  
  ER2 - System must associate a user with each TP and set of CDIs. The TP may access the CDI on behalf of the user if it is "legal".

This requires keeping track of triples (user, TP, {CDIs}) called "allowed relations".

  CR3 - Allowed relations must meet the requirements of "separation of duty".

We need authentication to keep track of this.

  ER3 - System must authenticate every user attempting a TP.  Note that this is per TP request, not per login.  

For security purposes, a log should be kept.

  CR4 - All TPs must append to a log enough information to reconstruct the operation.

When information enters the system it need not be trusted or constrained (i.e. can be a UDI). We must deal with this appropriately.

  CR5 - Any TP that takes a UDI as input may only perform valid transactions for all possible values of the UDI. The TP will either accept (convert to CDI) or reject the UDI.

Finally, to prevent people from gaining access by changing qualifications of a TP:

  ER4 - Only the certifier of a TP may change the list of entities associated with that TP.
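The nine rules above fit together as a small reference monitor. The following Python program is an added example, not part of the article and not from any published Clark-Wilson implementation; the `Monitor` class, the bank-account CDIs, the `transfer` TP, the users and the passwords are all constructed for illustration. Each rule is tagged in a comment where the code enforces it: the IVP is a consistency check over all CDIs (CR1), a TP is certified for a set of CDIs (ER1), allowed relations are (user, TP, {CDIs}) triples that only the TP's certifier may edit (ER2, ER4) and never name the certifier as executor (CR3), every TP request re-checks credentials (ER3), every request is logged with enough state to reconstruct it (CR4), the transfer amount arrives as a UDI that is validated for every possible value (CR5), and a TP that leaves the CDIs in an invalid state is rolled back (CR2).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


class IntegrityError(Exception):
    """Raised when a request would violate one of the model's rules."""


@dataclass
class Monitor:
    # CDIs: account name -> balance (constructed sample data)
    cdis: Dict[str, int]
    expected_total: int                      # invariant checked by the IVP
    credentials: Dict[str, str]              # constructed: user -> password
    certified: Dict[str, Set[str]] = field(default_factory=dict)              # ER1: TP -> CDIs
    certifier: Dict[str, str] = field(default_factory=dict)                   # ER4: TP -> certifier
    allowed: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)    # ER2: (user, TP) -> CDIs
    tps: Dict[str, Callable] = field(default_factory=dict)
    log: List[Tuple[str, str, dict]] = field(default_factory=list)            # CR4

    def ivp(self) -> bool:
        """CR1: every CDI is valid (no negative balance, total conserved)."""
        return (all(b >= 0 for b in self.cdis.values())
                and sum(self.cdis.values()) == self.expected_total)

    def certify_tp(self, certifier: str, name: str, fn: Callable, cdis: Set[str]) -> None:
        """ER1: record that `certifier` vouches `fn` satisfies CR2 on `cdis`."""
        self.tps[name] = fn
        self.certified[name] = set(cdis)
        self.certifier[name] = certifier

    def allow(self, actor: str, user: str, tp: str, cdis: Set[str]) -> None:
        """Add the allowed relation (user, tp, cdis)."""
        if self.certifier.get(tp) != actor:
            raise IntegrityError("ER4: only the certifier may change a TP's relations")
        if user == actor:
            raise IntegrityError("CR3: certifier and executor must be different entities")
        if not set(cdis) <= self.certified[tp]:
            raise IntegrityError("ER1: TP is not certified for these CDIs")
        self.allowed[(user, tp)] = set(cdis)

    def run_tp(self, user: str, password: str, tp: str, cdis: Tuple[str, ...], *udis) -> bool:
        """Execute a TP on behalf of `user`; returns True if the UDIs were accepted."""
        if self.credentials.get(user) != password:              # ER3: per request, not per login
            raise IntegrityError("ER3: authentication failed")
        if not set(cdis) <= self.allowed.get((user, tp), set()):  # ER2
            raise IntegrityError("ER2: no allowed relation for this user, TP and CDIs")
        before = dict(self.cdis)
        try:
            self.tps[tp](self.cdis, *cdis, *udis)
        except ValueError as exc:                                # CR5: UDI rejected
            self.log.append((user, tp, {"rejected": str(exc), "udis": udis}))
            return False
        if not self.ivp():                                       # CR2: TP failed to keep validity
            self.cdis = before
            self.log.append((user, tp, {"rolled_back": True, "before": before}))
            raise IntegrityError("CR2: TP left CDIs in an invalid state; rolled back")
        self.log.append((user, tp, {"cdis": cdis, "udis": udis, "before": before}))  # CR4
        return True


def transfer(cdis: Dict[str, int], src: str, dst: str, amount_udi) -> None:
    """TP: move funds between two CDIs. The amount is a UDI and is
    validated for every possible value before any CDI is touched (CR5)."""
    if not isinstance(amount_udi, str) or not amount_udi.isdigit():
        raise ValueError("amount must be a non-negative decimal string")
    amount = int(amount_udi)
    if amount == 0 or amount > cdis[src]:
        raise ValueError("amount out of range")
    cdis[src] -= amount
    cdis[dst] += amount


def build_demo() -> Monitor:
    """Constructed setup: carol certifies the TP, dave is allowed to run it."""
    m = Monitor(cdis={"alice": 100, "bob": 50}, expected_total=150,
                credentials={"carol": "pw-carol", "dave": "pw-dave"})
    m.certify_tp("carol", "transfer", transfer, {"alice", "bob"})
    m.allow("carol", "dave", "transfer", {"alice", "bob"})
    return m


if __name__ == "__main__":
    m = build_demo()
    print(m.run_tp("dave", "pw-dave", "transfer", ("alice", "bob"), "30"), m.cdis)
    print(m.run_tp("dave", "pw-dave", "transfer", ("alice", "bob"), "-5"), m.cdis)
    print(m.log)
```

The design point worth noticing is that no code path reaches a CDI except through `run_tp`, and `run_tp` re-validates the whole state with the IVP after each TP rather than trusting the certification alone; a mis-certified TP is caught and rolled back, which is the defence CR2 and ER1 together are meant to give.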
