Clark-Wilson model

from Wikipedia, the free encyclopedia

The Clark-Wilson model can be used to describe and implement the integrity of a computer system.

The security model describes the measures that are necessary to keep a computer system in a valid state. To this end, it introduces measures against data corruption or data loss caused by errors or deliberate tampering. The model describes how data remains valid throughout processing. It also specifies the rights of the individual identities that execute operations, as well as rules for maintaining and validating system resources.

History

The model was described by David D. Clark and David R. Wilson in 1987. In contrast to models originating from the military sector, such as the Bell-LaPadula and Biba models, which meet the requirements of the Trusted Computer System Evaluation Criteria, the Clark-Wilson model attempts to specify integrity for commercial security systems. It is well suited to business processes and other application software.

The Clark-Wilson model is mainly used in the financial sector. Every mainframe today processes data according to this model or a variation of it.

Basics

The model describes the IT data and processes by means of enforcement rules and certification rules. These rules form the basis for ensuring the integrity of a system. The model is always based on a self-contained transaction.

  • A valid transaction is a sequence of operations that takes the system from one valid state to the next. The transaction must always be atomic: the state change takes place only if the transaction completes without errors.
  • In the Clark-Wilson model, integrity is ensured through transaction control.
  • The principle of separation of duty requires that the certifier and the implementer of a transaction are different persons.

The following constructs are used for this:

  • Constrained Data Item (CDI): data to which the security model must be applied, i.e. data that must always be in a valid state.
  • Unconstrained Data Item (UDI): data that is not (yet) subject to the security model, e.g. data that does not need to have integrity, or user input.
  • Integrity Verification Procedure (IVP): ensures that all CDIs in a system are in a valid state.
  • Transformation Procedures (TPs): take a CDI or a UDI and transform it into a new CDI. Their correctness is ensured through certification.

Rules of the Clark-Wilson model

C1: All IVPs must properly ensure that all CDIs are in a valid state when the IVP is executed.
C2: All TPs must be certified, i.e. they must bring a CDI into a valid state. For each TP and the set of CDIs it may change, the security officer must maintain a relation. The relation has the form (TP_i, (CDI_a, CDI_b, CDI_c, ...)) and specifies the arguments for which the TP is certified.
E1: The system must keep a list of the relations from C2 and ensure that a CDI can only be changed by a TP with which it shares a relation.
E2: The system must keep a list of relations of the form (UserID, TP_i, (CDI_a, CDI_b, CDI_c, ...)) that specifies the user account under which the TP may run. Only TPs that correspond to such a relation may be executed.
C3: The E2 list must be certified, taking separation of duty into account.
E3: The system must authenticate every user who wants to execute a TP.
C4: All TPs must be certified to append to a log all information necessary to reconstruct the operations that have been carried out. The log is itself a CDI and only permits appending.
C5: Every TP that processes a UDI as input must be certified to carry out only valid transactions for all possible values of the UDI, or otherwise to carry out no transaction at all. The result is a CDI.
E4: Only the certifier is allowed to change a relation list. In accordance with separation of duty, the certifier must not have any execution rights for the TPs they certify.

Sources

  1. David D. Clark, David R. Wilson: A Comparison of Commercial and Military Computer Security Policies (PDF; 1.1 MB). IEEE Symposium on Security and Privacy, p. 184, 1987.