Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security
About This Presentation
Module 1: Advanced System Security and Digital Forensics
Added: Aug 18, 2020
Slides: 19 pages
Slide Content
Lecture #8: Clark-Wilson & Chinese Wall Model for
Multilevel Security
Dr.Ramchandra Mangrulkar, DJSCE Mumbai
August 18, 2020
Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel SecurityAugust 18, 2020
Multilevel Security Models
Bell-LaPadula Model
Biba Model
Chinese Wall Model
Clark-Wilson Model
Chinese Wall Model
Figure 1: (source: https://www.skillset.com/)
Chinese Wall Model
Proposed by Brewer and Nash, 1989. Aimed at the consultancy business. Mainly proposed to avoid conflicts of interest between clients: analysts have to avoid conflicts of interest when dealing with different clients.
Motivation: a business consultant should not give advice to "HSBC" if he has insider knowledge about "Natwest".
A business consultant can give advice to both "HSBC" and "H&M", since they are not competitors.
e.g., stock exchange, investment bank, law firm.
Example of Conict
Figure 2: (source: http://www.computing.surrey.ac.uk/)
The Model
Principle: users should not access the confidential information of both a client organization and one or more of its competitors.
How it works: users have no "wall" initially. Once any given file is accessed, files with competitor information become inaccessible.
Access control rules change with user behaviour: access decisions are re-evaluated dynamically based on the user's previous actions. The main goal is to prevent conflicts of interest arising from a user's access attempts. It is an information flow model in which flows that would result in a conflict of interest are restricted.
Terminology used in Chinese Wall
Companies are denoted $c \in C$.
Subjects $s \in S$ are the analysts having access to company information.
Objects $o \in O$ are items of information, each belonging to a company.
All objects concerning the same company are collected in a company data set. The function $y: O \to C$ maps each object to its company data set.
Conflict of interest classes indicate which companies are in competition. The function $x: O \to \mathcal{P}(C)$ gives the conflict of interest class for each object, i.e. the set of all companies that should not learn about the contents of the object.
The security label of an object is the pair $(x(o), y(o))$.
Sanitized information is an object with no sensitive information; its label is $(\emptyset, y(o))$.
The Boolean matrix $N$, indexed by $S \times O$, records the history of the subjects' actions:
$$N_{s,o} = \begin{cases} \text{true} & \text{if subject } s \text{ has had access to object } o, \\ \text{false} & \text{if subject } s \text{ has never had access to object } o. \end{cases}$$
Prevent Direct Information Flow
The first security policy deals with direct information flow. We want to prevent a subject from being exposed to a conflict of interest. Therefore, access is granted only if the object requested belongs to
- a company data set already held by the user, or
- an entirely different conflict of interest class.
Simple Security Policy: a subject $s$ is permitted to access an object $o$ only if for all objects $o'$ with $N_{s,o'} = \text{true}$:
$$y(o) = y(o') \quad \text{or} \quad y(o) \notin x(o').$$
Prevent Direct Information Flow
Figure 3: An analyst with access to the grey shaded areas will have access to other objects in the Bank A data set, but not to the Bank B data set. (source: https://www.eit.lth.se)
Indirect Information Flow
Figure 4: Analyst A updates bank information about company A. Analyst B can read this bank information and write to an object in company B. (source: https://www.eit.lth.se)
To avoid Indirect Information Flow
*-Property: a subject $s$ is granted write access to an object $o$ only if $s$ has no read access to an object $o'$ with
$$y(o) \neq y(o') \quad \text{and} \quad x(o') \neq \emptyset.$$
In words: write access to an object is only granted if no other object belonging to a different company data set that contains unsanitized information can be read.
Both write operations in the Figure 4 scenario are blocked by the *-Property. The *-Property stops unsanitized information from flowing out of a company data set.
Very restrictive: because the history matrix $N$ only ever gains entries, once you have read sensitive information in one company you cannot write to objects in any other company, ever.
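The terminology, the simple security policy and the *-property above, as an added worked example (my own code, not from the lecture or from Brewer and Nash): a small reference monitor in Python that keeps the history matrix $N$ and evaluates both rules. The company names (HSBC, Natwest, Shell, BP), the objects and the analysts are constructed for illustration. A write is treated as an access, so it has to pass the simple security policy as well as the *-property; the sanitized annual report shows why an empty $x(o)$ never raises a wall.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    name: str
    company: str            # y(o): the company data set the object belongs to
    coi_class: frozenset    # x(o): companies that must not learn its contents;
                            # empty for sanitized objects


class ChineseWall:
    """Reference monitor for the simple security policy and the *-property."""

    def __init__(self) -> None:
        self.objects: dict[str, Obj] = {}
        # N_{s,o}: only the (s, o) pairs whose entry is true are stored
        self.history: set[tuple[str, str]] = set()

    def register(self, *objs: Obj) -> None:
        for o in objs:
            self.objects[o.name] = o

    def _accessed(self, s: str) -> list[Obj]:
        """All o' with N_{s,o'} = true."""
        return [self.objects[n] for (subj, n) in self.history if subj == s]

    def can_read(self, s: str, o: Obj) -> bool:
        # simple security: for every o' accessed by s, y(o) = y(o') or y(o) not in x(o')
        return all(o.company == p.company or o.company not in p.coi_class
                   for p in self._accessed(s))

    def can_write(self, s: str, o: Obj) -> bool:
        # *-property: no accessed o' with y(o') != y(o) and x(o') != {} (unsanitized);
        # a write is also an access, so the simple security policy applies first
        if not self.can_read(s, o):
            return False
        return not any(p.company != o.company and p.coi_class
                       for p in self._accessed(s))

    def read(self, s: str, o: Obj) -> bool:
        ok = self.can_read(s, o)
        if ok:
            self.history.add((s, o.name))      # N_{s,o} := true; the wall goes up
        return ok

    def write(self, s: str, o: Obj) -> bool:
        ok = self.can_write(s, o)
        if ok:
            self.history.add((s, o.name))
        return ok


def demo() -> dict[str, bool]:
    """Constructed scenario with two conflict of interest classes (banks, oil)."""
    banks, oil = frozenset({"HSBC", "Natwest"}), frozenset({"Shell", "BP"})
    hsbc = Obj("hsbc_ledger", "HSBC", banks)
    natwest = Obj("natwest_ledger", "Natwest", banks)
    shell = Obj("shell_reserves", "Shell", oil)
    bp = Obj("bp_reserves", "BP", oil)
    hsbc_report = Obj("hsbc_annual_report", "HSBC", frozenset())   # sanitized: x(o) = {}
    w = ChineseWall()
    w.register(hsbc, natwest, shell, bp, hsbc_report)
    r = {}
    # direct flow: after touching HSBC, Natwest is walled off but Shell is not
    r["alice_reads_hsbc"] = w.read("alice", hsbc)          # True
    r["alice_reads_natwest"] = w.read("alice", natwest)    # False: Natwest in x(hsbc_ledger)
    r["alice_reads_shell"] = w.read("alice", shell)        # True: different COI class
    # indirect flow (Figure 4): alice may not carry Shell data into HSBC's data set ...
    r["alice_writes_hsbc"] = w.write("alice", hsbc)        # False: *-property
    # ... and bob, who reads HSBC data, may not write it into BP's data set
    r["bob_reads_hsbc"] = w.read("bob", hsbc)              # True
    r["bob_writes_bp"] = w.write("bob", bp)                # False: *-property
    # sanitized information raises no wall and does not block later writes
    r["carol_reads_report"] = w.read("carol", hsbc_report) # True
    r["carol_reads_natwest"] = w.read("carol", natwest)    # True: x(report) is empty
    r["carol_writes_natwest"] = w.write("carol", natwest)  # True
    return r
```

Note how restrictive the *-property is in practice: alice is blocked from writing to HSBC, the very data set she is working in, solely because she has also read unsanitized Shell data. Real deployments therefore lean on sanitization (publishing objects with an empty $x(o)$) to let any information cross the wall at all.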
Clark-Wilson Model
Framework and guideline ("model") for formalizing security policies.
Addresses the security requirements of commercial applications. Contrasts the integrity requirements of commercial applications with the confidentiality-oriented policies of military applications. Typically addresses "who gets to do what sort of transactions" rather than "who sees what information".
Clark-Wilson Model (cont.)
Integrity requirements are divided into two parts:
Internal consistency: refers to properties of the internal state of a system and can be enforced by the computing system.
External consistency: refers to the relation of the internal state of a system to the real world and has to be enforced by means outside the computing system, e.g. by auditing.
General mechanisms for enforcing integrity are as follows:
Well-formed transactions: data items can be manipulated only by a specific set of programs; users have access to programs rather than to data items.
Separation of duties: users have to collaborate to manipulate data and to collude to circumvent the security system.
Uses programs as an intermediate layer between subjects and objects (data items). Subjects are authorized to execute certain programs.
Points to remember
1. Subjects have to be identified and authenticated.
2. Objects can be manipulated only by a restricted set of programs.
3. Subjects can execute only a restricted set of programs.
4. A proper audit log has to be maintained.
5. The system has to be certified to work properly.
Basic Principles of Access Control in the Clark-Wilson Model
Figure 5: (source: https://www.eit.lth.se)
Basic Principles of Access Control
Data items governed by the security policy are called constrained data items (CDIs).
Inputs to the system are captured as unconstrained data items (UDIs). Conversion of UDIs to CDIs is a critical part of the system.
CDIs can be manipulated only by transformation procedures (TPs).
The integrity of an item is checked by integrity verification procedures (IVPs).
Security properties are defined through five certification rules (what has to be verified, by people, before the system runs) and four enforcement rules (what the system itself guarantees at run time).
Basic Principles of Access Control in the Clark-Wilson Model
Figure 6: (source: Rezky Wulandari, YouTube)
Certication Rules
CR1: IVPs must ensure that all CDIs are in a valid state at the time the IVP is run (integrity check on CDIs).
CR2: TPs must be certified to be valid, i.e. valid CDIs must always be transformed into valid CDIs; each TP is certified to access a specific set of CDIs.
CR3: The access rules must satisfy any separation-of-duties requirements.
CR4: All TPs must write to an append-only log.
CR5: Any TP that takes a UDI as input must either convert the UDI into a CDI or reject the UDI and perform no transformation at all.
Enforcement rules
ER1: For each TP, the system must maintain and protect the list of entries (CDIa, CDIb, ...) giving the CDIs the TP is certified to access (capability of the TP).
ER2: For each user, the system must maintain and protect the list of entries (TP1, TP2, ...) specifying the TPs the user can execute (capability of the user).
ER3: The system must authenticate each user requesting to execute a TP.
ER4: Only a subject that may certify an access rule for a TP may modify the respective entry in the list. This subject must not have execute rights on that TP.
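An added worked example (my own code, not from the lecture or from Clark and Wilson's paper) that puts the basic principles of access control and the certification and enforcement rules above into a small Python kernel. Two account balances, a running total and a pending-payment record are the CDIs; an IVP checks the balance invariant (CR1); each TP is handed only the CDIs it is certified for (ER1) and runs only for users on its list (ER2, ER3); a TP that leaves the CDIs invalid is rolled back, a run-time stand-in for the offline certification of CR2; a deposit TP converts a UDI or rejects it untouched (CR5); requester and approver of a payment must differ (CR3); every run is appended to a log (CR4); and a security officer "sec" maintains the lists but may not execute any TP (ER4). Users, accounts, amounts and the raw deposit strings are constructed; the session set is a stand-in for a real authentication step.

```python
from dataclasses import dataclass, field


class CWViolation(Exception):
    """Raised when a certification or enforcement rule would be broken."""


@dataclass
class Kernel:
    cdis: dict = field(default_factory=dict)      # constrained data items (each a dict)
    tps: dict = field(default_factory=dict)       # TP name -> procedure
    tp_cdis: dict = field(default_factory=dict)   # ER1: TP -> CDIs it is certified for
    user_tps: dict = field(default_factory=dict)  # ER2: user -> TPs it may execute
    certifiers: set = field(default_factory=set)  # ER4: who may edit the two lists above
    sessions: set = field(default_factory=set)    # ER3: authenticated users
    log: list = field(default_factory=list)       # CR4: append-only log

    def ivp(self) -> bool:
        # CR1: every balance is non-negative and the balances sum to the recorded total
        a = self.cdis["accounts"]
        return all(v >= 0 for v in a.values()) and sum(a.values()) == self.cdis["total"]["value"]

    def certify(self, who: str, name: str, fn, cdis: frozenset) -> None:
        if who not in self.certifiers or name in self.user_tps.get(who, ()):   # ER4
            raise CWViolation("ER4: not a certifier, or certifier can execute this TP")
        self.tps[name], self.tp_cdis[name] = fn, cdis

    def grant(self, who: str, user: str, name: str) -> None:
        if who not in self.certifiers or user == who:                          # ER4
            raise CWViolation("ER4: a certifier may not hold execute rights")
        self.user_tps[user] = self.user_tps.get(user, frozenset()) | {name}

    def run(self, user: str, name: str, **args):
        if user not in self.sessions or name not in self.user_tps.get(user, ()):
            raise CWViolation("ER3/ER2: unauthenticated user or TP not in the user's list")
        view = {c: self.cdis[c] for c in self.tp_cdis[name]}      # ER1: certified CDIs only
        before = {c: dict(v) for c, v in self.cdis.items()}        # snapshot for rollback
        try:
            result = self.tps[name](view, user, **args)
            if not self.ivp():                                     # CR2: valid CDIs -> valid CDIs
                raise CWViolation("CR2: TP left the CDIs in an invalid state")
        except Exception as e:
            self.cdis = before                                     # no partial transformation
            self.log.append(f"{user} {name} REJECTED: {e}")
            raise
        self.log.append(f"{user} {name} {args} OK")                 # CR4
        return result


def ingest_deposit(view, user, raw):
    # CR5: the UDI `raw` ("acct:amount", untrusted text) becomes a CDI update or is rejected
    acct, _, amt = raw.partition(":")
    if acct not in view["accounts"] or not amt.isdigit():
        raise CWViolation("CR5: malformed UDI rejected, nothing transformed")
    view["accounts"][acct] += int(amt)
    view["total"]["value"] += int(amt)
    return view["accounts"][acct]


def request_payment(view, user, acct, amount):
    view["pending"].update(acct=acct, amount=amount, by=user)


def approve_payment(view, user):
    p = view["pending"]
    if p.get("by") == user:                # CR3: requester and approver must differ
        raise CWViolation("CR3: separation of duties")
    view["accounts"][p["acct"]] -= p["amount"]   # an overdraft is caught by the IVP
    view["total"]["value"] -= p["amount"]
    acct = p.pop("acct")
    p.clear()
    return view["accounts"][acct]


def _rejected(thunk) -> bool:
    try:
        thunk()
    except CWViolation:
        return True
    return False


def demo() -> dict:
    # constructed scenario: accounts A and B, security officer "sec", clerks alice and bob
    k = Kernel(cdis={"accounts": {"A": 100, "B": 200}, "total": {"value": 300}, "pending": {}},
               certifiers={"sec"})
    k.certify("sec", "ingest_deposit", ingest_deposit, frozenset({"accounts", "total"}))
    k.certify("sec", "request_payment", request_payment, frozenset({"pending"}))
    k.certify("sec", "approve_payment", approve_payment, frozenset({"accounts", "total", "pending"}))
    for tp in ("ingest_deposit", "request_payment", "approve_payment"):
        k.grant("sec", "alice", tp)
    k.grant("sec", "bob", "approve_payment")
    k.sessions.update({"alice", "bob"})        # stand-in for the ER3 authentication step
    out = {"ivp_start": k.ivp()}
    out["bad_udi"] = _rejected(lambda: k.run("alice", "ingest_deposit", raw="A:12abc"))
    out["deposit"] = k.run("alice", "ingest_deposit", raw="A:50")                    # 150
    k.run("alice", "request_payment", acct="B", amount=500)
    out["self_approve"] = _rejected(lambda: k.run("alice", "approve_payment"))        # CR3
    out["overdraft"] = _rejected(lambda: k.run("bob", "approve_payment"))             # CR2, rolled back
    k.run("alice", "request_payment", acct="B", amount=10)
    out["approve"] = k.run("bob", "approve_payment")                                 # 190
    out["unauthenticated"] = _rejected(lambda: k.run("mallory", "approve_payment"))
    out["certifier_exec"] = _rejected(lambda: k.grant("sec", "sec", "approve_payment"))
    out["ivp_end"] = k.ivp()
    out["log_entries"] = len(k.log)
    return out
```

Two things the slides state only in prose become concrete here: the TP never sees a CDI outside its certified list (request_payment cannot even reach the balances), and a rejected run leaves every CDI, including the pending request, exactly as it was, which is what "perform no transformation at all" in CR5 demands. The rollback is only a demonstration device; in the model proper, CR2 is met by certifying the TP's code before deployment, not by checking after the fact.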