Clark-Wilson Integrity Model Flashcards
What is the Clark-Wilson integrity model based on?
This model checks for integrity by determining whether the states in the system are consistent with the expectations. The model bases itself on simple banking principles by imagining operations as transactions.
For an actual implementation of the model, a transaction will encompass complex and application-specific operations.
Therefore, transactions are more complex than the simple read, write, and execute commands seen in the Bell-LaPadula and Biba models.
What is meant by the consistency constraint in the Clark-Wilson Integrity Model?
The consistency constraint is based on the expected difference of state 1 and state 2 given a set of transactions on state 1.
This is best understood using a bank account as an example: if yesterday’s balance YB = 100, and there is a deposit D = 20 and withdrawal W = 10, one would expect today’s balance TB = 110.
The consistency constraint can therefore be expressed as:
TB = YB + D - W
What are the main features of the Clark-Wilson Model?
The main features are:
- Authentication - Users must be identified and authenticated.
- Well-formed transaction - A series of operations that transform the system from one consistent state to another.
- Objects can only be modified by well-formed transactions, and subjects can only execute well-formed transactions.
- Auditing - Transactions and modifications must be logged and audited.
- Separation of duty - The ones who examine and certify transactions must be different from the implementors of the transactions.
What are the elements in the Clark-Wilson model?
The main elements in the Clark-Wilson model are:
- Constrained Data Items (CDI) - Objects and data that are subject to integrity controls.
- Unconstrained Data Items (UDI) - Objects and data that are not subject to integrity controls.
- Integrity Verification Procedure (IVP) - Procedures that test whether the CDIs conform to the integrity constraints.
- Transformation Procedures (TP) - Procedures that take the system from one valid state to another. These are the only procedures allowed to modify CDIs.
What are the five certification rules in the Clark-Wilson Model?
The 5 certification rules in the Clark-Wilson model are:
CR1 - When any IVP runs it must ensure that all CDIs are in valid states.
CR2 - For any set of associated CDIs, a TP must transform those CDIs in a valid state into a new valid state.*
CR3 - The allowed relations must meet the requirements imposed by the principle of separation of duty. For instance, a TP cannot have both modify and auditing rights for any one CDI.
CR4 - All TPs must append enough information to reconstruct the operation to an append only CDI.**
CR5 - A TP can transform a UDI into a CDI by performing a valid transformation, and vice versa. Therefore, a CDI can become an unrestricted UDI.
* Say that the set of CDIs is bank accounts and the TP is a system process. CR2 defines a relation, certified, which specifies which accounts (CDIs) the process (TP) can alter.
** This “append only CDI” is just a dumb name for the logs. CR4 ensures that TPs log enough information to understand the sequence of operations by inspecting the logs. The logs are the specific CDI that the auditors can access.
What are the enforcement rules in the Clark-Wilson Model?
There are 4 enforcement rules in the Clark-Wilson Model:
ER1 - The system must maintain certified relations and ensure that only TPs certified to run on a CDI can manipulate it.
ER2 - A user must be associated with each TP and set of CDIs since the TP will access the CDIs on behalf of the user.
ER3 - The system must authenticate each user attempting to execute a TP.
ER4 - Only a certifier of a TP may change the list of entities associated with that TP. This enforces separation of duty.
Are ordinary users allowed to perform certifications on TP?
No, only a certifier can add/remove the entry of CDIs that a given TP can operate on.