Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security

Lecture #8: Clark-Wilson & Chinese Wall Model for
Multilevel Security
Dr.Ramchandra Mangrulkar, DJSCE Mumbai
August 18, 2020
Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security August 18, 2020 1 / 19

Multilevel Security Models
Bell La Padula Model
Biba Model
Chinese Wall Model
Clark-Wilson Model

Chinese Wall Model
Figure 1: The Model 1
1https://www.skillset.com/

Chinese Wall Model
Proposed by Brewer and Nash, 1989.
Aimed at consultancy business.
Mainly proposed to avoid conflict between clients.
Analysts have to avoid conflicts of interest when dealing with different clients.
Motivation:
A business consultant should not give advice to ”HSBC” if he has insider
knowledge about ”Natwest”.
A business consultant can give advice to both ”HSBC” and H&M since they
are not competitors.
e.g., stock exchange, investment bank, law firm.

Example of Conﬂict
Figure 2: Example of Conﬂict 2
2http://www.computing.surrey.ac.uk/

The Model
Principal: Users should not access the confidential information of both client
organization and one or more of its competitors.
How it works:
Users have no ”Wall” Initially.
Once any given file is accessed, files with competitor information becomes
inaccessible.
Access control rules change with user behavior.
Access control changed dynamically based on user previous actions.
Main goal is to prevent conflict of interests by user’s access attempts.
Information flow model where information flow get restricted that would
result in conflict of interest.

Terminology used in Chinese Wall
Company denoted c 2C
Subjects s 2S are the analysts having access to company information
Objects o 2O are items of information, each belonging to a company
All objects concerning the same company are collected in a company data
set. Function y : O !C maps object to its company dataset
Conﬂict of interest classes indicate which companies are in competition. The
function x : O !P(C) gives the conﬂict of interest class for each object, i.e.
the set of all companies that should not learn about the contents of the
object.
Security label is a pair (x(o), y(o))
Sanitized information is object with no sensitive information
Label is (;y(o))
Matrix NS;O records history of subjects actions (true or false)
Ns;o =
(
True; if if the subject s has had access to object o,:
False; if the subject s has never had access to object o.:
Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #8: Clark-Wilson Chinese Wall Model for Multilevel Security August 18, 2020 7 / 19

Prevent Direct Information Flow
The first security policy deals with direct information flow. We want to
prevent a subject from being exposed to a conflict of interest. Therefore,
access is granted only if the object requested belongs to
A company data set already held by the user, or
An entirely different conflict of interest class.
Simple Security Policy:
A subject s is permitted to access an object o only if for all objects o’ with
Ns;o0 = TRUE;y(o) = y(o0
)
or y(o) =2x(o0
):

Prevent Direct Information Flow
Figure 3: Prevent Direct Information Flow 3
An analyst with access to grey shaded areas, will have access to other objects
in Bank A data set, but not Bank B dataset
3https://www.eit.lth.se

Indirect Information Flow
Figure 4: Indirect Information Flow 4
Analyst A updates bank information about company A.
Analyst B can read this bank information and write to an object in company
B.

To avoid Indirect Information Flow
* - Property
A subject s is granted write access to an object o only if s has no read access
to an object o’ with y(o) 6= y(o0
) and x(o0
) 6= .
Write access to an object is only granted if no other object belonging to a
diﬀerent company data set that contains unsanitized information can be read.
both write operations are blocked by the * - Property.
The * - Property stops unsanitized information from ﬂowing out of a
company data set.
Very restrictive: If you can read sensitive information in one company, you
can not write to objects in any other company – ever

Clark – Wilson MODEL
Framework and guideline (‘model’) for formalizing security policies.
Address the security requirements of commercial applications.
Reviews Integrity between Military and Commercial Applications
Typically address, ”Who gets to do what sort of transactions” rather than
”Who sees what information”

Clark – Wilson Model cont...
Integrity requirements are divided into two parts:
Internal consistency:refers to properties of the internal state of a system and
can be enforced by the computing system;
External consistency:refers to the relation of the internal state of a system to
the real world and has to be enforced by means outside the computing
system, e.g. by auditing.
General mechanisms for enforcing integrity are as follows:
Well-formed transactions – data items can be manipulated only by a speciﬁc
set of programs; users have access to programs rather than to data items.
Separation of duties – users have to collaborate to manipulate data and to
collude to circumvent the security system.
Uses programs as an intermediate layer between subjects and objects (data
items). Subjects are authorized to execute certain programs.

Points to remember
1 Subjects have to be identiﬁed and authenticated.
2 Objects can be manipulated only by a restricted set of programs.
3 Subjects can execute only a restricted set of programs.
4 A proper audit log has to be maintained.
5 The system has to be certiﬁed to work properly.

Basic Principles of Access Control in the Clark–Wilson
Model
Figure 5: Basic Principles 5

Basic Principles of Access Control
Data items governed by the security policy are called constrained data items
(CDIs)
Inputs to the system are captured as unconstrained data items (UDIs).
Conversion of UDIs to CDIs is a critical part of the system.
CDIs can be manipulated only by transformation procedures (TPs).
The integrity of an item is checked by integrity verification procedures (IVPs).
Security properties are defined through five certification rules.

Basic Principles of Access Control in the Clark–Wilson
Model
Figure 6: Basic Principles 6
6Rezky Wulandari, Youtube

Certification Rules
1 CR1 IVPs must ensure that all CDIs are in a valid state at the time the IVP
is run (integrity check on CDIs).
2 CR2 TPs must be certified to be valid, i.e. valid CDIs must always be
transformed into valid CDIs; each TP is certified to access a specific set of
CDIs.
3 CR3 The access rules must satisfy any separation-of-duties requirements.
4 CR4 All TPs must write to an append-only log.
5 CR5 Any TP that takes a UDI as input must either convert the UDI into a
CDI or reject the UDI and perform no transformation at all.

Enforcement rules
1 ER1 For each TP, the system must maintain and protect the list of entries
(CDIa,CDIb, . . . ) giving the CDIs the TP is certiﬁed to access (capability of
the TP).
2 ER2 For each user the system must maintain and protect the list of entries
(TP1,TP2,. . . ) specifying the TPs the user can execute (capability of the
user).
3 ER3 The system must authenticate each user requesting to execute a TP.
4 ER4 Only a subject that may certify an access rule for a TP may modify the
respective entry in the list. This subject must not have execute rights on that
TP.

Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security

More Related Content

What's hot (20)

Similar to Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security (20)

More from Dr. Ramchandra Mangrulkar (20)

Recently uploaded (20)

Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security