Clark-Wilson Integrity Model
Addresses information integrity control
Uses the notion of transactional data transformations.
Separation of duty: transaction certifiers must be different people from transaction implementers.
Terminology
Data items
Constrained Data Item (CDI).
Can only be manipulated by TPs.
Unconstrained Data Item (UDI).
Integrity policy procedures
Integrity Verification Procedure (IVP).
Ensures that all CDIs conform to the integrity specification.
Transformation Procedure (TP).
Well-formed transaction.
Take as input a CDI or a UDI and produce a CDI.
Must guarantee (via certification) that it transforms all possible UDI values to “safe” CDI values.
Certification and Enforcement
Integrity assurance.
Certification.
Relative to the integrity policy.
Enforcement.
Two sets of rules.
Certification Rules (C).
Enforcement Rules (E).
Rules
Basic rules
C1: when an IVP is executed, it must ensure that all CDIs are valid.
C2: for some associated set of CDIs, a TP must transform those CDIs from one valid state to another.
E1: the system must maintain a list of certified relations and ensure only TPs certified to run on a CDI change that CDI.
Separation of duty (external consistency)
E2: the system must associate a user with each TP and set of CDIs. The TP may access CDIs on behalf of the user if authorized.
C3: allowed user-TP-CDI relations must meet “separation of duty” requirements.
Identification gathering
E3: the system must authenticate every user attempting a TP (on each attempt).
Audit trail
C4: all TPs must append to a log enough information to reconstruct operations.
UDI processing
C5: a TP taking a UDI as input may only perform valid transactions for all possible values of the UDI. The TP will either accept (convert to CDI) or reject the UDI.
Certification constraints
E4: only the certifier of a TP may change the associated list of entities.
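As an added illustration that is not part of the original notes, the following toy reference monitor shows how the rules above fit together. The names Monitor, deposit, the "ledger" CDI and the users are constructed for the example; the C1 check, the E1 relation list, the E2/C3 triples, the E3 session check, the E4 certifier check, the C4 log and the C5 accept-or-reject of untrusted input each map to one rule.

```python
# Constructed example (not from the page): a toy Clark-Wilson reference monitor
# enforcing E1-E4, keeping the C4 audit trail, and applying C5 to UDI input.
from decimal import Decimal, InvalidOperation
class CWViolation(Exception): """Raised when an operation would break a rule."""

class Monitor:
    def __init__(self, cdis):
        self.cdis = dict(cdis)        # constrained data items: name -> value
        self.certified = {}           # E1/E4: tp -> (certifier, {cdi names}, fn)
        self.triples = set()          # E2: allowed (user, tp, cdi) relations
        self.authenticated = set()    # E3: users who have logged in
        self.log = []                 # C4: audit trail entries

    def certify(self, certifier, tp, cdi_names, fn):
        # E4: only the certifier of a TP may change its associated entities.
        if tp in self.certified and self.certified[tp][0] != certifier:
            raise CWViolation(f"{certifier} is not the certifier of {tp}")
        self.certified[tp] = (certifier, set(cdi_names), fn)

    def authorize(self, user, tp, cdi):
        # C3: separation of duty - whoever certified a TP may not also run it.
        if tp in self.certified and self.certified[tp][0] == user:
            raise CWViolation(f"{user} certified {tp} and may not execute it")
        self.triples.add((user, tp, cdi))

    def run(self, user, tp, cdi, udi):
        if user not in self.authenticated:                                # E3
            raise CWViolation(f"{user} is not authenticated")
        if tp not in self.certified or cdi not in self.certified[tp][1]:  # E1
            raise CWViolation(f"{tp} is not certified to change {cdi}")
        if (user, tp, cdi) not in self.triples:                           # E2
            raise CWViolation(f"{user} may not run {tp} on {cdi}")
        try:   # C5: the TP either converts the UDI into a CDI or rejects it
            new_value = self.certified[tp][2](self.cdis[cdi], udi)
        except (ValueError, InvalidOperation) as err:
            self.log.append((user, tp, cdi, "REJECTED", repr(udi), str(err)))
            return False
        self.log.append((user, tp, cdi, "OK", repr(udi), str(new_value)))  # C4
        self.cdis[cdi] = new_value
        return True

def deposit(balance, udi):
    """Sample TP (C2): accept only a positive, finite decimal amount."""
    amount = Decimal(str(udi))           # garbage input raises InvalidOperation
    if not amount.is_finite() or amount <= 0:
        raise ValueError("amount must be positive and finite")
    return balance + amount

def ivp(monitor):  # C1: verify that every CDI is currently in a valid state
    return all(v.is_finite() and v >= 0 for v in monitor.cdis.values())
```

Every rejected UDI and every successful transformation leaves a log entry, so the audit trail alone is enough to replay the ledger's history.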