Clark – Wilson Recovered
One of the projects I’ve been working on recently is to prepare a reading list for software security professionals. Over the years it has become increasingly difficult to find the right reference papers on topics that should be of interest to all of us. The hardest paper to find is the paper that described the original Clark-Wilson integrity model. However, after 5 years of searching, I found it and uploaded it to the Papers directory here on the site. You can download it here from this site.
I tracked down the Clark-Wilson paper precisely because it was so difficult to find. It was presented in 1987, the year before the IEEE began storing Security & Privacy conference proceedings online. Therefore, it was relatively easy to find Brewer-Nash (published in 1988), but almost impossible to find Clark-Wilson. Even the references to the paper are missing data that you can only find in their original text. Other integrity models are available through other channels, but I had never seen a source on the Internet for this specific document. So I finally found a copy at Stony Brook University in New York and uploaded it as a service to the community.
Why?
I think that this model is important for a few reasons. First, Clark-Wilson is one of the early models that successfully described a workable approach to data integrity. I was not impressed with Biba because it appeared to merely rehash Bell-LaPadula, replacing disclosure with integrity. I did not see in Biba the specialized attention that integrity controls required. Brewer-Nash (aka “Chinese Wall”) was a good paper, but still relied on users to control their own actions. Clark-Wilson, however, seems to work without special “struts.” It is also most compatible with modern object-oriented systems, IMO.
In a well-formed OO system, data transformation is bound to the entity that hosts the data. This is compatible with the concept of the Transformation Procedure. Moreover, the concept of a Constrained Data Item can be implemented through a variety of object interface management methods, like getters and setters. So Clark-Wilson gets my vote for best integrity model from the early offerings. There have been improvements. I’ll talk about them in a future post.
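The mapping described above, sketched as an added example that is not part of the original post: a `Ledger` object acts as the Constrained Data Item and its `transfer` method as the only Transformation Procedure. It goes slightly beyond the paragraph by also including the model's Integrity Verification Procedure and a user-to-TP relation; the names `Ledger`, `transfer`, `ALLOWED` and the sample accounts are hypothetical.

```python
class IntegrityError(Exception):
    """Raised when a request would leave the CDI in an invalid state."""

class Ledger:
    """Constrained Data Item (CDI): balances are reachable only via methods."""
    def __init__(self, balances):
        self.__balances = dict(balances)       # name-mangled; convention, not enforcement
        self.__total = sum(balances.values())  # invariant fixed at creation
        self.log = []                          # record of every successful TP run

    def balance(self, account):
        """Getter: returns a value, never the mutable mapping itself."""
        return self.__balances[account]

    def verify(self):
        """Integrity Verification Procedure (IVP): is the CDI state valid?"""
        values = self.__balances.values()
        return sum(values) == self.__total and all(v >= 0 for v in values)

    def transfer(self, user, src, dst, amount):
        """Transformation Procedure (TP): the only path that changes balances."""
        if (user, "transfer") not in ALLOWED:
            raise PermissionError(f"{user} may not run transfer")
        if not isinstance(amount, int) or amount <= 0:   # untrusted input
            raise IntegrityError("amount must be a positive integer")
        if src == dst or src not in self.__balances or dst not in self.__balances:
            raise IntegrityError("unknown or identical accounts")
        if self.__balances[src] < amount:
            raise IntegrityError("insufficient funds")
        self.__balances[src] -= amount
        self.__balances[dst] += amount
        if not self.verify():       # a TP must map valid state to valid state
            raise IntegrityError("invariant broken")
        self.log.append((user, "transfer", src, dst, amount))

ALLOWED = {("alice", "transfer")}   # constructed (user, TP) relation

def demo():
    ledger = Ledger({"ops": 100, "payroll": 50})   # constructed sample data
    ledger.transfer("alice", "ops", "payroll", 30)
    rejected = []
    for user, amount in (("mallory", 10), ("alice", -5), ("alice", 500)):
        try:
            ledger.transfer(user, "ops", "payroll", amount)
        except (PermissionError, IntegrityError) as exc:
            rejected.append(type(exc).__name__)
    return (ledger.balance("ops"), ledger.balance("payroll"),
            rejected, ledger.verify(), len(ledger.log))
```

Every rejected request leaves the balances untouched and unlogged, so the log only ever describes transitions between valid states.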
Until then, look through the model. Think about how it could improve the quality of your system. Then post a comment to let me know if you agree or not. I’d be interested to hear your perspectives.
Jim Molini, CISSP, CSSLP
