More Books
Introduction to Computer Security
Introduction to Computer Security
Table of Contents
Copyright
Preface
Goals
Philosophy
Organization
Differences Between this Book and Computer Security: Art and Science
Special Acknowledgment
Acknowledgments
Chapter 1. An Overview of Computer Security
Section 1.1.  The Basic Components
Section 1.2.  Threats
Section 1.3.  Policy and Mechanism
Section 1.4.  Assumptions and Trust
Section 1.5.  Assurance
Section 1.6.  Operational Issues
Section 1.7.  Human Issues
Section 1.8.  Tying It All Together
Section 1.9.  Summary
Section 1.10.  Further Reading
Section 1.11.  Exercises
Chapter 2. Access Control Matrix
Section 2.1.  Protection State
Section 2.2.  Access Control Matrix Model
Section 2.3.  Protection State Transitions
Section 2.4.  Summary
Section 2.5.  Further Reading
Section 2.6.  Exercises
Chapter 3. Foundational Results
Section 3.1.  The General Question
Section 3.2.  Basic Results
Section 3.3.  Summary
Section 3.4.  Further Reading
Section 3.5.  Exercises
Chapter 4. Security Policies
Section 4.1.  Security Policies
Section 4.2.  Types of Security Policies
Section 4.3.  The Role of Trust
Section 4.4.  Types of Access Control
Section 4.5.  Example: Academic Computer Security Policy
Section 4.6.  Summary
Section 4.7.  Further Reading
Section 4.8.  Exercises
Chapter 5. Confidentiality Policies
Section 5.1.  Goals of Confidentiality Policies
Section 5.2.  The Bell-LaPadula Model
Section 5.3.  Summary
Section 5.4.  Further Reading
Section 5.5.  Exercises
Chapter 6. Integrity Policies
Section 6.1.  Goals
Section 6.2.  Biba Integrity Model
Section 6.3.  Clark-Wilson Integrity Model
Section 6.4.  Summary
Section 6.5.  Further Reading
Section 6.6.  Exercises
Chapter 7. Hybrid Policies
Section 7.1.  Chinese Wall Model
Section 7.2.  Clinical Information Systems Security Policy
Section 7.3.  Originator Controlled Access Control
Section 7.4.  Role-Based Access Control
Section 7.5.  Summary
Section 7.6.  Further Reading
Section 7.7.  Exercises
Chapter 8. Basic Cryptography
Section 8.1.  What Is Cryptography?
Section 8.2.  Classical Cryptosystems
Section 8.3.  Public Key Cryptography
Section 8.4.  Cryptographic Checksums
Section 8.5.  Summary
Section 8.6.  Further Reading
Section 8.7.  Exercises
Chapter 9. Key Management
Section 9.1.  Session and Interchange Keys
Section 9.2.  Key Exchange
Section 9.3.  Cryptographic Key Infrastructures
Section 9.4.  Storing and Revoking Keys
Section 9.5.  Digital Signatures
Section 9.6.  Summary
Section 9.7.  Further Reading
Section 9.8.  Exercises
Chapter 10. Cipher Techniques
Section 10.1.  Problems
Section 10.2.  Stream and Block Ciphers
Section 10.3.  Networks and Cryptography
Section 10.4.  Example Protocols
Section 10.5.  Summary
Section 10.6.  Further Reading
Section 10.7.  Exercises
Chapter 11. Authentication
Section 11.1.  Authentication Basics
Section 11.2.  Passwords
Section 11.3.  Challenge-Response
Section 11.4.  Biometrics
Section 11.5.  Location
Section 11.6.  Multiple Methods
Section 11.7.  Summary
Section 11.8.  Further Reading
Section 11.9.  Exercises
Chapter 12. Design Principles
Section 12.1.  Overview
Section 12.2.  Design Principles
Section 12.3.  Summary
Section 12.4.  Further Reading
Section 12.5.  Exercises
Chapte 13. Representing Identity
Section 13.1.  What Is Identity?
Section 13.2.  Files and Objects
Section 13.3.  Users
Section 13.4.  Groups and Roles
Section 13.5.  Naming and Certificates
Section 13.6.  Identity on the Web
Section 13.7.  Summary
Section 13.8.  Further Reading
Section 13.9.  Exercises
Chapter 14. Access Control Mechanisms
Section 14.1.  Access Control Lists
Section 14.2.  Capabilities
Section 14.3.  Locks and Keys
Section 14.4.  Ring-Based Access Control
Section 14.5.  Propagated Access Control Lists
Section 14.6.  Summary
Section 14.7.  Further Reading
Section 14.8.  Exercises
Chapter 15. Information Flow
Section 15.1.  Basics and Background
Section 15.2.  Compiler-Based Mechanisms
Section 15.3.  Execution-Based Mechanisms
Section 15.4.  Example Information Flow Controls
Section 15.5.  Summary
Section 15.6.  Further Reading
Section 15.7.  Exercises
Chapter 16. Confinement Problem
Section 16.1.  The Confinement Problem
Section 16.2.  Isolation
Section 16.3.  Covert Channels
Section 16.4.  Summary
Section 16.5.  Further Reading
Section 16.6.  Exercises
Chapter 17. Introduction to Assurance
Section 17.1.  Assurance and Trust
Section 17.2.  Building Secure and Trusted Systems
Section 17.3.  Building Security In or Adding Security Later
Section 17.4.  Summary
Section 17.5.  Further Reading
Section 17.6.  Exercises
Chapter 18. Evaluating Systems
Section 18.1.  Goals of Formal Evaluation
Section 18.2.  TCSEC: 19831999
Section 18.3.  FIPS 140: 1994Present
Section 18.4.  The Common Criteria: 1998Present
Section 18.5.  SSE-CMM: 1997Present
Section 18.6.  Summary
Section 18.7.  Further Reading
Section 18.8.  Exercises
Chapter 19. Malicious Logic
Section 19.1.  Introduction
Section 19.2.  Trojan Horses
Section 19.3.  Computer Viruses
Section 19.4.  Computer Worms
Section 19.5.  Other Forms of Malicious Logic
Section 19.6.  Defenses
Section 19.7.  Summary
Section 19.8.  Further Reading
Section 19.9.  Exercises
Chapter 20. Vulnerability Analysis
Section 20.1.  Introduction
Section 20.2.  Penetration Studies
Section 20.3.  Vulnerability Classification
Section 20.4.  Frameworks
Section 20.5.  Summary
Section 20.6.  Further Reading
Section 20.7.  Exercises
Chapter 21. Auditing
Section 21.1.  Definitions
Section 21.2.  Anatomy of an Auditing System
Section 21.3.  Designing an Auditing System
Section 21.4.  A Posteriori Design
Section 21.5.  Auditing Mechanisms
Section 21.6.  Examples: Auditing File Systems
Section 21.7.  Audit Browsing
Section 21.8.  Summary
Section 21.9.  Further Reading
Section 21.10.  Exercises
Chapter 22. Intrusion Detection
Section 22.1.  Principles
Section 22.2.  Basic Intrusion Detection
Section 22.3.  Models
Section 22.4.  Architecture
Section 22.5.  Organization of Intrusion Detection Systems
Section 22.6.  Intrusion Response
Section 22.7.  Summary
Section 22.8.  Further Reading
Section 22.9.  Exercises
Chapter 23. Network Security
Section 23.1.  Introduction
Section 23.2.  Policy Development
Section 23.3.  Network Organization
Section 23.4.  Availability and Network Flooding
Section 23.5.  Anticipating Attacks
Section 23.6.  Summary
Section 23.7.  Further Reading
Section 23.8.  Exercises
Chapter 24. System Security
Section 24.1.  Introduction
Section 24.2.  Policy
Section 24.3.  Networks
Section 24.4.  Users
Section 24.5.  Authentication
Section 24.6.  Processes
Section 24.7.  Files
Section 24.8.  Retrospective
Section 24.9.  Summary
Section 24.10.  Further Reading
Section 24.11.  Exercises
Chapter 25. User Security
Section 25.1.  Policy
Section 25.2.  Access
Section 25.3.  Files and Devices
Section 25.4.  Processes
Section 25.5.  Electronic Communications
Section 25.6.  Summary
Section 25.7.  Further Reading
Section 25.8.  Exercises
Chapter 26. Program Security
Section 26.1.  Introduction
Section 26.2.  Requirements and Policy
Section 26.3.  Design
Section 26.4.  Refinement and Implementation
Section 26.5.  Common Security-Related Programming Problems
Section 26.6.  Testing, Maintenance, and Operation
Section 26.7.  Distribution
Section 26.8.  Conclusion
Section 26.9.  Summary
Section 26.10.  Further Reading
Section 26.11.  Exercises
Chapter 27. Lattices
Section 27.1.  Basics
Section 27.2.  Lattices
Section 27.3.  Exercises
Chapter 28. The Extended Euclidean Algorithm
Section 28.1.  The Euclidean Algorithm
Section 28.2.  The Extended Euclidean Algorithm
Section 28.3.  Solving ax mod n = 1
Section 28.4.  Solving ax mod n = b
Section 28.5.  Exercises
Chapter 29. Virtual Machines
Section 29.1.  Virtual Machine Structure
Section 29.2.  Virtual Machine Monitor
Section 29.3.  Exercises
Bibliography
Index
SYMBOL
A
E
F
I
L
T

6.3. Clark-Wilson Integrity Model

In 1987, David Clark and David Wilson developed an integrity model [177] radically different from previous models. This model uses transactions as the basic operation, which models many commercial systems more realistically than previous models.

One main concern of a commercial environment, as discussed above, is the integrity of the data in the system and of the actions performed on that data. The data is said to be in a consistent state (or consistent) if it satisfies given properties. For example, let D be the amount of money deposited so far today, W the amount of money withdrawn so far today, YB the amount of money in all accounts at the end of yesterday, and TB the amount of money in all accounts so far today. Then the consistency property is

D + YB W = TB

Before and after each action, the consistency conditions must hold. A well-formed transaction is a series of operations that transition the system from one consistent state to another consistent state. For example, if a depositor transfers money from one account to another, the transaction is the transfer; two operations, the deduction from the first account and the addition to the second account, make up this transaction. Each operation may leave the data in an inconsistent state, but the well-formed transaction must preserve consistency.

The second feature of a commercial environment relevant to an integrity policy is the integrity of the transactions themselves. Who examines and certifies that the transactions are performed correctly? For example, when a company receives an invoice, the purchasing office requires several steps to pay for it. First, someone must have requested a service, and determined the account that would pay for the service. Next, someone must validate the invoice (was the service being billed for actually performed?). The account authorized to pay for the service must be debited, and the check must be written and signed. If one person performs all these steps, that person could easily pay phony invoices; however, if at least two different people perform these steps, both must conspire to defraud the company. Requiring more than one person to handle this process is an example of the principle of separation of duty.

Computer-based transactions are no different. Someone must certify that the transactions are implemented correctly. The principle of separation of duty requires that the certifier and the implementors be different people. In order for the transaction to corrupt the data (either by illicitly changing the data or by leaving the data in an inconsistent state), two different people must either make similar mistakes or collude to certify the well-formed transaction as correct.

6.3.1. The Model

The Clark-Wilson model defines data subject to its integrity controls as constrained data items, or CDIs. Data not subject to the integrity controls are called unconstrained data items, or UDIs. For example, in a bank, the balances of accounts are CDIs since their integrity is crucial to the operation of the bank, whereas the gifts selected by the account holders when their accounts were opened would be UDIs, because their integrity is not crucial to the operation of the bank. The set of CDIs and the set of UDIs partition the set of all data in the system being modeled.

A set of integrity constraints (similar in spirit to the consistency constraints discussed above) constrain the values of the CDIs. In the bank example, the consistency constraint presented earlier would also be an integrity constraint.

The model also defines two sets of procedures. Integrity verification procedures, or IVPs, test that the CDIs conform to the integrity constraints at the time the IVPs are run. In this case, the system is said to be in a valid state. Transformation procedures, or TPs, change the state of the data in the system from one valid state to another; TPs implement well-formed transactions.

Return to the example of bank accounts. The balances in the accounts are CDIs; checking that the accounts are balanced, as described above, is an IVP. Depositing money, withdrawing money, and transferring money between accounts are TPs. To ensure that the accounts are managed correctly, a bank examiner must certify that the bank is using proper procedures to check that the accounts are balanced, to deposit money, to withdraw money, and to transfer money. Furthermore, those procedures may apply only to deposit and checking accounts; they might not apply to other types of accountsfor example, to petty cash. The Clark-Wilson model captures these requirements in two certification rules:

Certification rule 1 (CR1): When any IVP is run, it must ensure that all CDIs are in a valid state.

Certification rule 2 (CR2): For some associated set of CDIs, a TP must transform those CDIs in a valid state into a (possibly different) valid state.

CR2 defines as certified a relation that associates a set of CDIs with a particular TP. Let C be the certified relation. Then, in the bank example,

(balance, account1), (balance, account2), …, (balance, accountn) C.

CR2 implies that a TP may corrupt a CDI if it is not certified to work on that CDI. For example, the TP that invests money in the bank's stock portfolio would corrupt account balances even if the TP were certified to work on the portfolio, because the actions of the TP make no sense on the bank accounts. Hence, the system must prevent TPs from operating on CDIs for which they have not been certified. This leads to the following enforcement rule:

Enforcement rule 1 (ER1): The system must maintain the certified relations, and must ensure that only TPs certified to run on a CDI manipulate that CDI.

Specifically, ER1 says that if a TP f operates on a CDI o, then (f, o) C. However, in a bank, a janitor is not allowed to balance customer accounts. This restriction implies that the model must account for the person performing the TP, or user. The Clark-Wilson model uses an enforcement rule for this:

Enforcement rule 2 (ER2): The system must associate a user with each TP and set of CDIs. The TP may access those CDIs on behalf of the associated user. If the user is not associated with a particular TP and CDI, then the TP cannot access that CDI on behalf of that user.

This defines a set of triples (user, TP, { CDI set }) to capture the association of users, TPs, and CDIs. Call this relation allowed A. Of course, these relations must be certified:

Certification rule 3 (CR3): The allowed relations must meet the requirements imposed by the principle of separation of duty.

Because the model represents users, it must ensure that the identification of a user with the system's corresponding user identification code is correct. This suggests:

Enforcement rule 3 (ER3): The system must authenticate each user attempting to execute a TP.

An interesting observation is that the model does not require authentication when a user logs into the system, because the user may manipulate only UDIs. But if the user tries to manipulate a CDI, the user can do so only through a TP; this requires the user to be certified as allowed (per ER2), which requires authentication of the user (per ER3).

Most transaction-based systems log each transaction so that an auditor can review the transactions. The Clark-Wilson model considers the log simply as a CDI, and every TP appends to the log; no TP can overwrite the log. This leads to:

Certification rule 4 (CR4): All TPs must append enough information to reconstruct the operation to an append-only CDI.

When information enters a system, it need not be trusted or constrained. For example, when one deposits money into an automated teller machine (ATM), one need not enter the correct amount. However, when the ATM is opened and the cash or checks counted, the bank personnel will detect the discrepancy and fix it before they enter the deposit amount into one's account. This is an example of a UDI (the stated deposit amount) being checked, fixed if necessary, and certified as correct before being transformed into a CDI (the deposit amount added to one's account). The Clark-Wilson model covers this situation with certification rule 5:

Certification rule 5 (CR5): Any TP that takes as input a UDI may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI.

The final rule enforces the separation of duty needed to maintain the integrity of the relations in rules ER2 and ER3. If a user could create a TP and associate some set of entities and herself with that TP (as in ER3), she could have the TP perform unauthorized acts that violated integrity constraints. The final enforcement rule prevents this:

Enforcement rule 4 (ER4): Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of an entity associated with that TP, may ever have execute permission with respect to that entity.

This rule requires that all possible values of the UDI be known, and that the TP be implemented so as to be able to handle them. This issue arises again in both vulnerabilities analysis and secure programming.

This model contributed two new ideas to integrity models. First, it captured the way most commercial firms work with data. The firms do not classify data using a multilevel scheme, and they enforce separation of duty. Second, the notion of certification is distinct from the notion of enforcement, and each has its own set of rules. Assuming correct design and implementation, a system with a policy following the Clark-Wilson model will ensure that the enforcement rules are obeyed. But the certification rules require outside intervention, and the process of certification is typically complex and prone to error or to incompleteness (because the certifiers make assumptions about what can be trusted). This is a weakness in some sense, but it makes explicit assumptions that other models do not.

6.3.2. Comparison with the Requirements

We now consider whether the Clark-Wilson model meets the five requirements in Section 6.1. We assume that production programs correspond to TPs and that production data (and databases) are CDIs.

Requirement 1.

If users are not allowed to perform certifications of TPs, but instead only "trusted personnel" are, then CR5 and ER4 enforce this requirement. Because ordinary users cannot create certified TPs, they cannot write programs to access production databases. They must use existing TPs and CDIsthat is, production programs and production databases.

Requirement 2.

This requirement is largely procedural, because no set of technical controls can prevent a programmer from developing and testing programs on production systems. (The standard procedural control is to omit interpreters and compilers from production systems.) However, the notion of providing production data via a special process corresponds to using a TP to sanitize, or simply provide, production data to a test system.

Requirement 3.

Installing a program from a development system onto a production system requires a TP to do the installation and "trusted personnel" to do the certification.

Requirement 4.

CR4 provides the auditing (logging) of program installation. ER3 authenticates the "trusted personnel" doing the installation. CR5 and ER4 control the installation procedure (the new program being a UDI before certification and a CDI, as well as a TP in the context of other rules, after certification).

Requirement 5.

Finally, because the log is simply a CDI, management and auditors can have access to the system logs through appropriate TPs. Similarly, they also have access to the system state.


Thus, the Clark-Wilson model meets Lipner's requirements.

6.3.3. Comparison with Other Models

The contributions of the Clark-Wilson model are many. We compare it with the Biba model to highlight these new features.

Recall that the Biba model attaches integrity levels to objects and subjects. In the broadest sense, so does the Clark-Wilson model, but unlike the Biba model, each object has two levels: constrained or high (the CDIs) and unconstrained or low (the UDIs). Similarly, subjects have two levels: certified (the TPs) and uncertified (all other procedures). Given this similarity, can the Clark-Wilson model be expressed fully using the Biba model?

The critical distinction between the two models lies in the certification rules. The Biba model has none; it asserts that "trusted" subjects exist to ensure that the actions of a system obey the rules of the model. No mechanism or procedure is provided to verify the trusted entities or their actions. But the Clark-Wilson model provides explicit requirements that entities and actions must meet; in other words, the method of upgrading an entity is itself a TP that a security officer has certified. This underlies the assumptions being made and allows for the upgrading of entities within the constructs of the model (see ER4 and CR5). As with the Bell-LaPadula Model, if the Biba model does not have tranquility, trusted entities must change the objects' integrity levels, and the method of upgrading need not be certified.

Handling changes in integrity levels is critical in systems that receive input from uncontrolled sources. For example, the Biba model requires that a trusted entity, such as a security officer, pass on every input sent to a process running at an integrity level higher than that of the input. This is not practical. However, the Clark-Wilson model requires that a trusted entity (again, perhaps a security officer) certify the method of upgrading data to a higher integrity level. Thus, the trusted entity would not certify each data item being upgraded; it would only need to certify the method for upgrading data, and the data items could be upgraded. This is quite practical.

Can the Clark-Wilson model emulate the Biba model? The relations described in ER2 capture the ability of subjects to act on objects. By choosing TPs appropriately, the emulation succeeds (although the certification rules constrain trusted subjects in the emulation, whereas the Biba model imposes no such constraints). The details of the construction are left as an exercise for the reader (see Exercise 6).