Clark-Wilson Integrity Model

Addresses information integrity control

• Uses the notion of transactional data transformations.

• Separation of duty: transaction certifiers $\ne$ implementers.

Terminology

Data items

Constrained Data Item (CDI).

• Can only be manipulated by TPs.

Unconstrained Data Item (UDI).

Integrity policy procedures

• Integrity Verification Procedure (IVP).

  • Ensures that all CDIs conform to the integrity specification.

• Transformation Procedure (TP).

  • Well-formed transaction.

    • Take as input a CDI or a UDI and produce a CDI.

  • Must guarantee (via certification) that transforms all possible UDI values to “safe” CDI values.

Certification and Enforcement

Integrity assurance.

• Certification.

  • Relatively to the integrity policy.

• Enforcement.

Two sets of rules.

• Certification Rules (C).

• Enforcement Rules (E).

Rules

Basic rules

• C1: when an IVP is executed, it must ensure that all CDIs are valid.

• C2: for some associated set of CDIs, a TP must transform those CDIs from one valid state to another.

• E1: the system must maintain a list of certified relations and ensure only TPs certified to run on a CDI change that CDI.

Separation of duty (external consistency)

• E2: the system must associate a user with each TP and set of CDIs. The TP may access CDIs on behalf of the user if authorized.

• C3: allowed user-TP-CDI relations must meet “separation of duty” requirements

Identification gathering

• E3: the system must authenticate every user attempting a TP (on each attempt).

Audit trail

• C4: all TPs must append to a log enough information to reconstruct operations.

UDI processing

• C5: a TP taking a UDI as input may only perform valid transactions for all possible values of the UDI. The TP will either accept (convert to CDI) or reject the UDI.

Certification constraints

• E4: only the certifier of a TP may change the associated list of entities.