Enforcement of Clark-Wilson model in combination of RBAC and TE models

doi:10.7523/j.issn.2095-6134.2010.4.016

›› 2010, Vol. 27 ›› Issue (4): 538-546.DOI: 10.7523/j.issn.2095-6134.2010.4.016

• Research Articles • Previous Articles Next Articles

Enforcement of Clark-Wilson model in combination of RBAC and TE models

YUAN Chun-Yang¹, DENG Chen-Lei²

1. Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China;
2. Graduate University, Chinese Academy of Sciences, Beijing 100049, China

Received:2009-11-18 Revised:2010-03-04 Online:2010-07-15
Supported by:
Supported by National 863 Hight-tech Research Development Program of China (2006AA01Z451, 2007AA010505, and 2009AA01Z432) 

Abstract

Abstract:

An approach to enforce Clark-Wilson model in the combination of RBAC and TE models is presented, namely: separation of duties is addressed by assigning different roles to different users; special domains are used for representing transformation procedures; and the constrained data items and unconstrained data items are labeled with different types. The correctness of the enforcement and certification rules is analyzed. A detailed case study of FTP integrity policy is implemented under SEBSD, and shows that the approach achieves fine-grained access control and flexible configuration.

Key words: secure operating system, Clark-Wilson, RBAC, type enforcement

CLC Number:

TP309

YUAN Chun-Yang, DENG Chen-Lei. Enforcement of Clark-Wilson model in combination of RBAC and TE models[J]. , 2010, 27(4): 538-546.

References

[1] Clark D D, Wilson D R. A comparison of commercial and military computer security policies //IEEE Symposium of Security and Privacy, 1987: 184-194.

[2] SELinux . . http://www.nsa.gov/research/selinux/index.shtml.

[3] Ferraiolo D, Kuhn R. Role-based access controls //Proceedings of the 15th National Computer Security Conference, October 1992.

[4] Sandhu R, Coyne E J, Feinstein H L, et al. Role-based access control model
[J]. IEEE Computer, 1996, 29(2): 38-47.

[5] Ferraiolo D F, Sandhu R, Gavrila S, et al. Proposed NIST standard for role-based access control
[J]. ACM Transactions on Information and Systems Security, 2001, 4(3): 1-51.

[6] Boebert W, Kain R. A practical alternative to hierarchical integrity policies //Proceedings of the Eighth National Computer Security Conference, 1985.

[7] Brien R O, Rogers C. Developing applications on LOCK //Proc. 14th National Computer Security Conference, Washington DC, 1991: 147-156.

[8] Badger L, Sterne D F, Sherman D L, et al. A domain and type enforcement UNIX prototype . Usenix Computing Systems, 1996, 9(1): 47-83.

[9] Tidswell J, Potter J. An approach to dynamic domain and type enforcement, Microsoft Research Institute, Department of Computing, Macquarie University, NSW, Australia, 2000.

[10] Hallyn S E, Kearns P. Domain and type enforcement for Linux . . http://www.cs.wm.edu/~kearns/001lab.d/projects.d/als2000.pdf.

[11] Lampson B. Protection . ACM Operating Sys Reviews, 1974, 8(1): 18-24.

[12] Gaverila S, Barkley J. Formal specification for rbac user/role and role relationship management //Proc of third ACM Workshop on Role based access control, 1998: 81-90.

[13] Kuhn R. Mutual exclusion as a means of implementing separation of duty requirements in role based access control systems //Proc of Second ACM Workshop on Role based access control, 1997.

[14] Liang B, Shi W C, Sun Y F, et al. An approach to enforcing Clark-Wilson model in role-based access control model
[J]. Chinese Journal of Electronics, 2004, 13(4): 596-599.

[15] Schneider F B. Enforceable security policies //ACM Transactions on Information and System Security, 2001.

[16] Source Forge Website. . http://sf.net.

[17] Spencer R, Smalley S, Loscocco P, et al. The flask security architecture: system support for diverse security policies //Proceedings of the 8th USENIX Security Symposium, Washington, DC, USA, 1999: 123-139.

[18] Vance C, Watson R. Security Enhanced BSD . TR of Network Associates Laboratories, 2003 . http://www.trustedbsd.org/sebsd.

[19] Smalley S. Configuring the SELinux Policy . TR of NSA. 2003 . http://www.nsa.gov/selinux.

[20] Shockley W. Implementing the clark/wilson integrity policy using current technology //Proceedings of NIST-NCSC National Computer Security Conference, 1998: 29-37.

[21] Lee T M P. Using mandatory integrity to enforce "commercial" security //IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 1988: 140-146.

Enforcement of Clark-Wilson model in combination of RBAC and TE models

PDF (PC)

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 2

Recommended Articles

Metrics

Comments

[1]	YUAN Chun-Yang, SHI Wen-Chang, LIANG Hong-Liang, WU Yan-Jun, SHANG Qing-Hua. An Unified Framework Supporting Multiple Security Policy Models to Secure Linux [J]. , 2006, 23(2): 205-212.
[2]	WANG Fu-Liang, HE Ye-Ping, LI Li-Ping. Design and Implementation of LSM Based Secure Auditing System [J]. , 2005, 22(6): 707-711.