Clark-Wilson Integrity Model

Addresses integrity control of information (originally motivated by commercial data processing, where the concern is that data is changed only in authorized, well-formed ways).

  • Uses the notion of transactional data transformations.

  • Separation of duty: transaction certifiers ≠ transaction implementers.

Terminology

Data items

Constrained Data Item (CDI).

  • Data whose integrity the model protects (e.g. account balances).

  • Can only be manipulated by TPs.

Unconstrained Data Item (UDI).

  • Data not covered by the integrity policy (e.g. raw user input); it only enters the protected set by being validated and converted into a CDI by a TP.

Integrity policy procedures

  • Integrity Verification Procedure (IVP).

    • Ensures that all CDIs conform to the integrity specification.

  • Transformation Procedure (TP).

    • Well-formed transaction.

      • Takes CDIs (and possibly UDIs) as input and produces CDIs, moving the CDIs from one valid state to another.

    • Must be certified to handle every possible UDI value: each value is either transformed into a "safe" CDI value or rejected.

Certification and Enforcement

Integrity assurance rests on two activities.

  • Certification.

    • Done by people (the certifier, e.g. a security officer) with respect to the integrity policy: a TP or IVP is attested to behave correctly.

  • Enforcement.

    • Done by the system at run time: only certified TPs, executed by authorized users, may touch CDIs.

Two sets of rules.

  • Certification Rules (C).

  • Enforcement Rules (E).

Rules

Basic rules

  • C1: when an IVP is executed, it must ensure that all CDIs are valid.

  • C2: for some associated set of CDIs, a TP must transform those CDIs from one valid state to another.

  • E1: the system must maintain the list of certified (TP, CDI set) relations and ensure that a CDI is changed only by a TP certified to run on it.

Separation of duty (external consistency)

  • E2: the system must associate a user with each TP and set of CDIs. The TP may access CDIs on behalf of the user if authorized.

  • C3: the allowed user-TP-CDI relations must meet "separation of duty" requirements (e.g. the user who certifies a TP may not also execute it).

Identification

  • E3: the system must authenticate the identity of each user attempting to execute a TP, on every attempt.

Audit trail

  • C4: all TPs must append to a log enough information to reconstruct operations.

UDI processing

  • C5: a TP taking a UDI as input must perform only valid transformations for every possible value of the UDI. The TP either accepts the UDI (converting it into a CDI) or rejects it.

Certification constraints

  • E4: only the certifier of a TP may change the list of entities (user-TP-CDI relations) associated with that TP, and the certifier may not hold execute rights on that TP.
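As an added illustration (not from the Clark-Wilson paper or from the original page), the following Python sketch wires the terminology and the rules above into a toy reference monitor over a two-account ledger: the balances are the CDIs, a raw request string is the UDI, `transfer` is the only TP, and the IVP checks that the ledger still sums to its expected total. All names, the UDI format, the credentials and the sample balances are constructed for the example. It separates what the system can enforce at run time (E1 to E4, the C5 validation of UDIs, the C4 log, the C1 check) from what remains a certification claim a human must verify (that `transfer_apply` really preserves the invariant, C2).

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


class IntegrityViolation(Exception):
    """Raised when a certification or enforcement rule blocks an action."""


def transfer_validate(udi: str) -> Tuple[str, str, int]:
    """C5: the UDI is an untrusted string 'FROM TO AMOUNT'; type it or reject it."""
    parts = udi.split()
    if len(parts) != 3:
        raise IntegrityViolation("UDI rejected: expected 'FROM TO AMOUNT'")
    src, dst, amount = parts
    if src == dst or not amount.isdigit() or int(amount) <= 0:
        raise IntegrityViolation("UDI rejected: bad accounts or amount")
    return src, dst, int(amount)


def transfer_apply(cdis: Dict[str, int], params: Tuple[str, str, int]) -> None:
    """C2 (certified, not enforced): move funds; the sum over the CDI set is unchanged."""
    src, dst, amount = params
    if src not in cdis or dst not in cdis or cdis[src] < amount:
        raise IntegrityViolation("unknown account or insufficient funds")
    cdis[src] -= amount
    cdis[dst] += amount


@dataclass
class Monitor:
    cdis: Dict[str, int]            # CDIs: balances in cents (constructed sample data)
    expected_total: int             # ledger invariant the IVP checks
    credentials: Dict[str, str] = field(default_factory=dict)   # E3: toy user secrets
    tps: Dict[str, Tuple[Callable, Callable, FrozenSet[str]]] = field(default_factory=dict)
    certifier_of: Dict[str, str] = field(default_factory=dict)  # E4: who certified each TP
    triples: Set[Tuple[str, str, FrozenSet[str]]] = field(default_factory=set)  # E2
    log: List[str] = field(default_factory=list)                # C4: audit trail

    def ivp(self) -> bool:
        """C1: every CDI is valid (non-negative) and the ledger still balances."""
        return all(v >= 0 for v in self.cdis.values()) and sum(self.cdis.values()) == self.expected_total

    def certify_tp(self, certifier, name, validate, apply, cdi_names) -> None:
        """E1: register a TP together with the CDI set it is certified to change."""
        self.tps[name] = (validate, apply, frozenset(cdi_names))
        self.certifier_of[name] = certifier

    def authorize(self, actor, user, tp, cdi_names) -> None:
        """Add an E2 triple (user, TP, CDI set); E4 and C3 restrict who may do so."""
        if self.certifier_of.get(tp) != actor:
            raise IntegrityViolation("E4: only the TP's certifier may change its relations")
        if user == actor:
            raise IntegrityViolation("C3: a certifier may not execute the TP they certified")
        self.triples.add((user, tp, frozenset(cdi_names)))

    def run_tp(self, user: str, secret: str, tp: str, udi: str) -> bool:
        """Run a TP on behalf of a user; True if the transaction committed."""
        expected = self.credentials.get(user)                 # E3: authenticate every attempt
        if expected is None or not hmac.compare_digest(expected, secret):
            raise IntegrityViolation("E3: authentication failed")
        if tp not in self.tps:
            raise IntegrityViolation("E1: TP is not certified")
        validate, apply, cdi_set = self.tps[tp]
        if (user, tp, cdi_set) not in self.triples:           # E2: user-TP-CDI triple
            raise IntegrityViolation("E2: user not authorized for this TP/CDI set")
        before = {k: self.cdis[k] for k in cdi_set}           # E1: TP sees only its CDIs
        view = dict(before)
        try:
            apply(view, validate(udi))                        # C5, then the certified C2 step
            self.cdis.update(view)
        except IntegrityViolation as exc:
            self.cdis.update(before)                          # roll the transaction back
            self.log.append(f"FAIL user={user} tp={tp} udi={udi!r} reason={exc}")  # C4
            raise
        self.log.append(f"OK user={user} tp={tp} udi={udi!r} before={before} after={view}")
        return True


def demo() -> dict:
    """Drive the monitor with constructed requests; returns the outcome per label."""
    m = Monitor(cdis={"alice": 10_000, "bob": 5_000}, expected_total=15_000,
                credentials={"clerk": "clerk-secret", "auditor": "auditor-secret"})
    m.certify_tp("auditor", "transfer", transfer_validate, transfer_apply, ["alice", "bob"])
    m.authorize("auditor", "clerk", "transfer", ["alice", "bob"])
    attempts = {
        "valid": ("clerk", "clerk-secret", "transfer", "alice bob 2500"),
        "bad_udi": ("clerk", "clerk-secret", "transfer", "alice bob -5"),
        "overdraw": ("clerk", "clerk-secret", "transfer", "bob alice 99999"),
        "bad_password": ("clerk", "wrong", "transfer", "alice bob 1"),
        "no_triple": ("auditor", "auditor-secret", "transfer", "alice bob 1"),
    }
    out = {}
    for label, args in attempts.items():
        try:
            out[label] = m.run_tp(*args)
        except IntegrityViolation as exc:
            out[label] = str(exc)
    try:                                  # E4: the clerk did not certify "transfer"
        m.authorize("clerk", "clerk", "transfer", ["alice", "bob"])
    except IntegrityViolation as exc:
        out["e4"] = str(exc)
    out.update(ivp=m.ivp(), balances=dict(m.cdis), log_entries=len(m.log))
    return out
```

Running `demo()` commits only the first request: the malformed UDI is rejected by C5 before any CDI is touched, the overdraw fails inside the TP and is rolled back, and the E2, E3 and E4 denials never reach the TP at all. Only the three attempts that actually executed a TP appear in the C4 log; a production monitor would log the denials as well. Note that nothing here proves `transfer_apply` preserves the ledger total; that is exactly the C2 property the certifier has to establish by inspection, which is why the model keeps certification rules separate from enforcement rules.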
