Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security
1. Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security
Dr.Ramchandra Mangrulkar, DJSCE Mumbai
August 18, 2020
Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security August 18, 2020 1 / 19
2. Multilevel Security Models
Bell-LaPadula Model
Biba Model
Chinese Wall Model
Clark-Wilson Model
3. Chinese Wall Model
Figure 1: The Model [1]
[1] https://www.skillset.com/
4. Chinese Wall Model
Proposed by Brewer and Nash, 1989.
Aimed at the consultancy business, where one firm advises many clients.
Mainly proposed to avoid conflicts of interest between clients.
Analysts have to avoid conflicts of interest when dealing with different clients.
Motivation:
A business consultant should not give advice to "HSBC" if he has insider knowledge about "NatWest" (a competing bank).
A business consultant can give advice to both "HSBC" and "H&M", since they are not competitors.
Typical settings: stock exchange, investment bank, law firm.
5. Example of Conflict
Figure 2: Example of Conflict [2]
[2] http://www.computing.surrey.ac.uk/
6. The Model
Principle: A user should not access the confidential information of both a client organization and one or more of its competitors.
How it works:
Users have no "wall" initially.
Once any file of a company is accessed, files containing information about that company's competitors become inaccessible to that user.
Access control rules change with user behaviour: the access decision depends on the user's previous actions, not only on a static label.
The main goal is to prevent conflicts of interest arising from a user's access attempts.
It is an information flow model: flows that would result in a conflict of interest are restricted.
7. Terminology used in Chinese Wall
Companies are denoted $c \in C$.
Subjects $s \in S$ are the analysts having access to company information.
Objects $o \in O$ are items of information, each belonging to a company.
All objects concerning the same company are collected in a company data set. The function $y : O \to C$ maps an object to its company data set.
Conflict of interest classes indicate which companies are in competition. The function $x : O \to \mathcal{P}(C)$ gives the conflict of interest class of each object, i.e. the set of all companies that should not learn about the contents of the object.
The security label of an object is the pair $(x(o), y(o))$.
Sanitized information is an object with no sensitive information; its label is $(\emptyset, y(o))$.
The matrix $N_{S,O}$ records the history of the subjects' actions (true or false):
$$N_{s,o} = \begin{cases} \text{TRUE} & \text{if the subject } s \text{ has had access to object } o, \\ \text{FALSE} & \text{if the subject } s \text{ has never had access to object } o. \end{cases}$$
8. Prevent Direct Information Flow
The first security policy deals with direct information flow. We want to prevent a subject from being exposed to a conflict of interest. Therefore, access is granted only if the object requested belongs to
a company data set already held by the user, or
an entirely different conflict of interest class.
Simple Security Policy:
A subject $s$ is permitted to access an object $o$ only if for all objects $o'$ with $N_{s,o'} = \text{TRUE}$:
$$y(o) = y(o') \quad \text{or} \quad y(o) \notin x(o').$$
9. Prevent Direct Information Flow
Figure 3: Prevent Direct Information Flow [3]
An analyst who has accessed the grey shaded areas will still have access to the other objects in the Bank A data set, but not to the Bank B data set.
[3] https://www.eit.lth.se
10. Indirect Information Flow
Figure 4: Indirect Information Flow [4]
Analyst A writes bank information into an object of company A.
Analyst B can read this bank information and write it into an object of company B, so the simple security policy alone does not stop the leak.
[4] https://www.eit.lth.se
11. To avoid Indirect Information Flow
*-Property
A subject $s$ is granted write access to an object $o$ only if $s$ has no read access to an object $o'$ with
$$y(o) \neq y(o') \quad \text{and} \quad x(o') \neq \emptyset.$$
Write access to an object is only granted if no other object belonging to a different company data set that contains unsanitized information can be read.
In the indirect flow example of Figure 4, both write operations are blocked by the *-Property.
The *-Property stops unsanitized information from flowing out of a company data set.
Very restrictive: if you can read sensitive information in one company, you can not write to objects in any other company, ever.
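The two rules above are small enough to run. The following is an added example written for this lecture, not code from the slides or from Brewer and Nash: a reference monitor that keeps the history matrix $N_{S,O}$ per analyst and decides reads by the simple security policy and writes by the *-Property. The companies, conflict classes, object names and analysts are constructed, and "has read access to $o'$" is taken to mean the objects recorded in the history, which is how the dynamic model is normally implemented.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed example data: two conflict-of-interest classes, two companies each.
CONFLICT_CLASSES = {
    "banks": frozenset({"BankA", "BankB"}),
    "oil": frozenset({"OilA", "OilB"}),
}


@dataclass(frozen=True)
class Obj:
    """An item of information belonging to exactly one company data set."""
    name: str
    company: str             # y(o): the company data set of the object
    sanitized: bool = False  # sanitized objects carry the label (empty set, y(o))


def y(o: Obj) -> str:
    """Company data set of o."""
    return o.company


def x(o: Obj) -> frozenset:
    """Conflict-of-interest class of o: every company that must not learn its
    contents. Sanitized information has an empty conflict class."""
    if o.sanitized:
        return frozenset()
    for members in CONFLICT_CLASSES.values():
        if o.company in members:
            return members
    return frozenset({o.company})  # a company with no declared competitors


class ChineseWall:
    """Reference monitor holding the rows of N_{S,O} that are TRUE."""

    def __init__(self) -> None:
        # history[s] = {o : N_{s,o} = TRUE}; a new analyst has no wall at all.
        self.history: dict[str, set[Obj]] = {}

    def can_read(self, s: str, o: Obj) -> bool:
        # Simple security: for every o' already accessed by s,
        # y(o) == y(o')  or  y(o) not in x(o').
        return all(y(o) == y(op) or y(o) not in x(op)
                   for op in self.history.get(s, set()))

    def read(self, s: str, o: Obj) -> bool:
        """Grant the read and record it; the wall around s grows with each grant."""
        if not self.can_read(s, o):
            return False
        self.history.setdefault(s, set()).add(o)
        return True

    def can_write(self, s: str, o: Obj) -> bool:
        # *-Property: s may write o only if it has read no o' from a *different*
        # company data set that is unsanitized, i.e. x(o') is non-empty.
        return all(y(op) == y(o) or not x(op)
                   for op in self.history.get(s, set()))


def demo() -> dict[str, bool]:
    """Walk two analysts through the policy and return every decision taken."""
    bank_a = Obj("BankA_forecast", "BankA")
    bank_b = Obj("BankB_forecast", "BankB")
    oil_a = Obj("OilA_forecast", "OilA")
    bank_b_press = Obj("BankB_press_release", "BankB", sanitized=True)
    wall = ChineseWall()
    out: dict[str, bool] = {}
    out["alice_reads_bankA"] = wall.read("alice", bank_a)         # first access: no wall yet
    out["alice_reads_bankB"] = wall.can_read("alice", bank_b)     # competitor of BankA: blocked
    out["alice_reads_oilA"] = wall.can_read("alice", oil_a)       # different class: allowed
    out["alice_writes_bankA"] = wall.can_write("alice", bank_a)   # same data set: allowed
    out["alice_writes_oilA"] = wall.can_write("alice", oil_a)     # would carry BankA data out: blocked
    out["bob_reads_press"] = wall.read("bob", bank_b_press)       # sanitized information
    out["bob_writes_oilA"] = wall.can_write("bob", oil_a)         # only sanitized data read: allowed
    out["bob_reads_bankA"] = wall.can_read("bob", bank_a)         # a sanitized read raises no wall
    wall.read("alice", oil_a)                                     # alice now holds two unsanitized sets
    out["alice_writes_bankA_after_oilA"] = wall.can_write("alice", bank_a)  # "ever": blocked
    return out


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision:32s} {'ALLOW' if allowed else 'DENY'}")
```

The last two decisions show the restriction the slide warns about: once alice has read unsanitized data from two company data sets she can write to neither, while bob, who has only read a sanitized press release, is not walled in at all.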
12. Clark-Wilson Model
A framework and guideline ("model") for formalizing security policies.
Addresses the security requirements of commercial applications.
Contrasts the integrity requirements of military and commercial applications.
Typically addresses "who gets to do what sort of transactions" rather than "who sees what information".
13. Clark-Wilson Model (cont.)
Integrity requirements are divided into two parts:
Internal consistency: refers to properties of the internal state of a system and can be enforced by the computing system.
External consistency: refers to the relation of the internal state of a system to the real world and has to be enforced by means outside the computing system, e.g. by auditing.
General mechanisms for enforcing integrity are as follows:
Well-formed transactions: data items can be manipulated only by a specific set of programs; users have access to programs rather than to data items.
Separation of duties: users have to collaborate to manipulate data, and therefore have to collude to circumvent the security system.
Programs form an intermediate layer between subjects and objects (data items). Subjects are authorized to execute certain programs.
14. Points to remember
1 Subjects have to be identified and authenticated.
2 Objects can be manipulated only by a restricted set of programs.
3 Subjects can execute only a restricted set of programs.
4 A proper audit log has to be maintained.
5 The system has to be certified to work properly.
15. Basic Principles of Access Control in the Clark-Wilson Model
Figure 5: Basic Principles [5]
[5] https://www.eit.lth.se
16. Basic Principles of Access Control
Data items governed by the security policy are called constrained data items (CDIs).
Inputs to the system are captured as unconstrained data items (UDIs).
Conversion of UDIs to CDIs is a critical part of the system: untrusted input must be validated before it can touch constrained data.
CDIs can be manipulated only by transformation procedures (TPs).
The integrity of an item is checked by integrity verification procedures (IVPs).
Security properties are defined through five certification rules and four enforcement rules.
17. Basic Principles of Access Control in the Clark-Wilson Model
Figure 6: Basic Principles [6]
[6] Rezky Wulandari, YouTube
18. Certification Rules
CR1: IVPs must ensure that all CDIs are in a valid state at the time the IVP is run (integrity check on CDIs).
CR2: TPs must be certified to be valid, i.e. valid CDIs must always be transformed into valid CDIs; each TP is certified to access a specific set of CDIs.
CR3: The access rules must satisfy any separation-of-duties requirements.
CR4: All TPs must write to an append-only log.
CR5: Any TP that takes a UDI as input must either convert the UDI into a CDI or reject the UDI and perform no transformation at all.
19. Enforcement rules
ER1: For each TP, the system must maintain and protect the list of entries (CDIa, CDIb, ...) giving the CDIs the TP is certified to access (capability of the TP).
ER2: For each user, the system must maintain and protect the list of entries (TP1, TP2, ...) specifying the TPs the user can execute (capability of the user).
ER3: The system must authenticate each user requesting to execute a TP.
ER4: Only a subject that may certify an access rule for a TP may modify the respective entry in the list. This subject must not have execute rights on that TP.
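To see how the certification and enforcement rules fit together, here is an added example written for this lecture, not code from the slides or from Clark and Wilson. It models a single TP, a hypothetical bank transfer, over account-balance CDIs: the IVP checks an invariant (CR1, CR2), the TP-to-CDI and user-to-TP lists are kept and protected (ER1, ER2), the user must be authenticated (ER3), only a certifier who cannot run the TP may change the lists (ER4, CR3), every TP run goes to a hash-chained append-only log (CR4), and the raw request string is the UDI that is either converted or rejected whole (CR5). Account names, balances, user names and request strings are all constructed.

```python
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass, field


class IntegrityError(Exception):
    """Raised when an IVP finds a CDI in an invalid state."""


@dataclass
class CWSystem:
    cdis: dict[str, int]                                   # constrained data items: account -> balance
    expected_total: int                                    # invariant the IVP checks (money is conserved)
    tp_cdis: dict[str, set[str]] = field(default_factory=dict)   # ER1: TP -> CDIs it is certified for
    user_tps: dict[str, set[str]] = field(default_factory=dict)  # ER2: user -> TPs it may execute
    certifiers: set[str] = field(default_factory=set)      # ER4: who may edit the access rules
    authenticated: set[str] = field(default_factory=set)   # ER3: users with a verified session
    log: list[dict] = field(default_factory=list)          # CR4: hash-chained append-only log

    def ivp(self) -> bool:
        """CR1: every balance non-negative and the total unchanged."""
        return (all(b >= 0 for b in self.cdis.values())
                and sum(self.cdis.values()) == self.expected_total)

    def certify_tp(self, certifier: str, tp: str, cdis: set[str], users: set[str]) -> None:
        """ER4/CR3: only a certifier edits the lists, and never for a TP it could run."""
        if certifier not in self.certifiers:
            raise PermissionError("ER4: only a certifier may modify access rules")
        if certifier in users or tp in self.user_tps.get(certifier, set()):
            raise PermissionError("ER4: certifier must not hold execute rights on the TP")
        self.tp_cdis[tp] = set(cdis)
        for u in users:
            self.user_tps.setdefault(u, set()).add(tp)

    def _append_log(self, entry: dict) -> None:
        """CR4: each record commits to the previous one, so edits or deletions show."""
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        digest = hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
        self.log.append({**entry, "prev": prev, "hash": digest})

    def verify_log(self) -> bool:
        prev = "0" * 64
        for rec in self.log:
            entry = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
            digest = hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != digest:
                return False
            prev = rec["hash"]
        return True

    @staticmethod
    def parse_transfer(udi: str):
        """CR5: the raw request 'src,dst,amount' is the UDI; typed values or None."""
        try:
            src, dst, amount = (p.strip() for p in udi.split(","))
            amount = int(amount)
        except ValueError:
            return None
        if amount <= 0 or src == dst or not src or not dst:
            return None
        return src, dst, amount

    def transfer(self, user: str, udi: str) -> bool:
        """The TP. Returns True if the CDIs were transformed, False if the request was rejected."""
        if user not in self.authenticated:
            raise PermissionError("ER3: user not authenticated")
        if "transfer" not in self.user_tps.get(user, set()):
            raise PermissionError("ER2: user may not execute this TP")
        parsed = self.parse_transfer(udi)
        if parsed is None:                      # CR5: reject, perform no transformation
            self._append_log({"user": user, "tp": "transfer", "udi": udi, "result": "rejected_udi"})
            return False
        src, dst, amount = parsed
        if not {src, dst} <= self.tp_cdis["transfer"]:
            raise PermissionError("ER1: TP not certified for these CDIs")
        if not self.ivp():
            raise IntegrityError("CR1: CDIs invalid before the TP ran")
        if self.cdis[src] < amount:             # CR2: would leave a CDI invalid, so refuse
            self._append_log({"user": user, "tp": "transfer", "udi": udi, "result": "insufficient_funds"})
            return False
        self.cdis[src] -= amount
        self.cdis[dst] += amount
        self._append_log({"user": user, "tp": "transfer", "udi": udi, "result": "ok"})
        if not self.ivp():
            raise IntegrityError("CR2 violated: TP left CDIs invalid")
        return True


def demo() -> dict:
    """Constructed scenario: an auditor certifies the TP for a teller, the teller runs it."""
    sys_ = CWSystem(cdis={"acct_1": 100, "acct_2": 50}, expected_total=150,
                    certifiers={"auditor"}, authenticated={"teller", "auditor"})
    sys_.certify_tp("auditor", "transfer", {"acct_1", "acct_2"}, {"teller"})
    results = {
        "ok": sys_.transfer("teller", "acct_1,acct_2,30"),
        "overdraw": sys_.transfer("teller", "acct_1,acct_2,500"),
        "bad_udi": sys_.transfer("teller", "acct_1;acct_2;10"),
        "balances": dict(sys_.cdis),
        "ivp": sys_.ivp(),
        "log_ok": sys_.verify_log(),
    }
    try:
        sys_.transfer("auditor", "acct_1,acct_2,1")   # the certifier never got execute rights
        results["auditor_ran_tp"] = True
    except PermissionError:
        results["auditor_ran_tp"] = False
    sys_.log[0]["udi"] = "acct_1,acct_2,3"             # tamper with a committed log entry
    results["log_after_tamper"] = sys_.verify_log()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points are worth noting: the malformed request and the overdraft both leave the CDIs untouched but still produce a log record, which is what CR4 and CR5 together ask for, and the separation-of-duties check in certify_tp is what stops the auditor from quietly granting the transfer TP to herself.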