CW policy was defined to solve the limitations of [[Bell and LaPadula model]] in a corporate setting. The assumption is that in a typical organization, users do not write arbitrary code to read or write files. Instead, users are allowed to run certain applications (e.g. payroll, purchasing). The applications execute operations that in turn access certain files or databases. Such allowed operations are called **well-formed transactions**. Transactions correspond to high-level operations that can be performed on data.

>[!info]- The policy captures the workflow or sequence of operations.
>Suppose we have four parties in a company: a purchasing agent, a receiving agent, a supplier, and accounts payable. The purchasing agent orders a thing and sends a receipt of the order to the receiving agent and the supplier. The supplier sends the order to the receiving agent. Accounts payable pays for the thing.
>There is a defined order in which these things should happen. The receiving agent should hold an order receipt before they receive the supplies. Accounts payable must receive proof of delivery before issuing the check.

### Separation of duty

The same person should not be able to perform conflicting jobs, so as to avoid fraud. For example, the same person should not have both the purchasing and the buying rights.

### CW policy

#### Policy definitions

The policy here is like the [[Access control matrix|ACM]]. It defines:

1. Which users can perform what transactions
2. What data items can be accessed by the transactions
3. The defined order in which users must perform transactions

#### Policy statements

- Constrained data items $(CDi)$ → cannot be read/written directly, only accessible through transactions
- Transformation procedures $(TPi)$ → the $i^{th}$ transformation procedure
- The policy is made up of three parts:
	- A set of triples → $<UserID, TPi, \{CDi1, CDi2, \ldots, CDik\}>$
	- Sequencing, i.e. the order of transactions
	- Separation of duty (e.g. $TP1$ must exclude $TP2$)
- State must be kept to handle sequencing and separation of duty

### Implementing CW

- Parts of the implementation can use Unix-like mechanisms → ACLs, users and groups, [[Setuid and access control|setuid]]
- Only certain programs can access certain data items
- We use [[Setuid and access control|setuid]] with internal user-ids for applications and transactions. In this case, actual users don't have access to constrained data items.
- We can give execute access to certain programs. [[Setuid and access control|setuid]] allows a program to run with its own permissions by changing the effective uid. This way users have access to programs, and programs have access to $CDi$.
- Sequencing and separation of duty are harder to implement because they are stateful.
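The three policy parts above (triples, sequencing, separation of duty) together with the state the last bullet mentions, as an added reference monitor written for these notes (not from any textbook or project). The user names, TP names and CDI names are a constructed version of the purchasing workflow from the callout.

```python
from dataclasses import dataclass, field

# Constructed policy for the purchasing workflow. Each triple is
# <UserID, TPi, {CDi1, ..., CDik}>: which user may run which TP on which CDIs.
TRIPLES = {
    ("alice", "issue_order", frozenset({"orders"})),
    ("bob", "receive_goods", frozenset({"orders", "inventory"})),
    ("carol", "pay_supplier", frozenset({"orders", "inventory", "ledger"})),
    ("alice", "pay_supplier", frozenset({"orders", "inventory", "ledger"})),
}
# Sequencing: a TP may only run once its predecessor has run for the same order.
PREREQ = {"issue_order": None, "receive_goods": "issue_order",
          "pay_supplier": "receive_goods"}
# Separation of duty: pairs of TPs that one user must not both perform on an order.
EXCLUDES = {("issue_order", "pay_supplier")}


@dataclass
class ClarkWilsonMonitor:
    triples: set
    prereq: dict
    excludes: set
    # The state that makes sequencing and SoD checkable: order_id -> [(user, tp)].
    history: dict = field(default_factory=dict)

    def authorize(self, user, tp, cdis, order_id):
        """Decide whether `user` may run `tp` touching `cdis` for `order_id`.
        Returns (allowed, reason); on success the action is recorded."""
        # 1. Triples: the requested CDIs must be a subset of what the triple allows.
        if not any(u == user and t == tp and cdis <= c for u, t, c in self.triples):
            return False, "no triple permits this user/TP/CDI combination"
        done = self.history.get(order_id, [])
        tps_done = [t for _, t in done]
        # 2. Sequencing: the predecessor TP must already have run, and no repeats.
        pre = self.prereq.get(tp)
        if pre is not None and pre not in tps_done:
            return False, f"sequencing: {pre} must precede {tp}"
        if tp in tps_done:
            return False, f"{tp} already performed for this order"
        # 3. Separation of duty: the same user may not perform a conflicting TP.
        for u, t in done:
            if u == user and ((t, tp) in self.excludes or (tp, t) in self.excludes):
                return False, f"separation of duty: {user} already performed {t}"
        self.history.setdefault(order_id, []).append((user, tp))
        return True, "ok"


def run_workflow():
    """Constructed trace: one order going through the three TPs."""
    m = ClarkWilsonMonitor(TRIPLES, PREREQ, EXCLUDES)
    return [m.authorize("alice", "issue_order", {"orders"}, 1)[0],
            m.authorize("carol", "pay_supplier", {"ledger"}, 1)[0],   # too early
            m.authorize("bob", "receive_goods", {"inventory"}, 1)[0],
            m.authorize("alice", "pay_supplier", {"ledger"}, 1)[0],   # SoD violation
            m.authorize("carol", "pay_supplier", {"ledger"}, 1)[0]]
```

Note that a user asking to touch a CDI outside the triple (or without any TP at all) is refused at step 1, which is the "no direct access to CDIs" rule; steps 2 and 3 are what the notes call stateful, since they consult `history`.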