Handbook of Information Security Management:Access Control



The Lee and Shockley Implementations

In 1988, Lee and Shockley independently developed implementations of the Clark-Wilson integrity model using Biba’s integrity categories and trusted subjects. Both of these implementations were based on sensitivity levels constructed from independent elements. Each level represents a sensitivity to disclosure and a sensitivity to modification.

Data is manipulated by certified transactions, which are trusted subjects. A trusted subject can transform data from a specific input type to a specific output type. The lattice rules are applied so that a subject may not read above its own level in disclosure (the Bell-LaPadula rule) or below its own level in integrity (the Biba rule). Every subject and object therefore carries both a disclosure level and an integrity level in this implementation. The Lee and Shockley implementations prevent unauthorized users from modifying data.
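The following is an added example, not part of the Handbook text, showing how the two independent level elements and the certified transactions fit together. Entity names, the numeric levels and the single transaction are assumptions made for the example; the write-side rules (no write down in disclosure, no write up in integrity) are the standard duals of the read rules the text states and are likewise an assumption here.

```python
from dataclasses import dataclass
from typing import Tuple

# A level is a pair of independent elements: (disclosure, integrity).
# Higher disclosure = more sensitive to leakage; higher integrity = more trustworthy.
Level = Tuple[int, int]


@dataclass(frozen=True)
class Entity:
    """A subject or an object; both carry a disclosure and an integrity level."""
    name: str
    disclosure: int
    integrity: int

    @property
    def level(self) -> Level:
        return (self.disclosure, self.integrity)


def can_read(subject: Entity, obj: Entity) -> bool:
    # Disclosure: no read up (Bell-LaPadula). Integrity: no read down (Biba).
    return subject.disclosure >= obj.disclosure and subject.integrity <= obj.integrity


def can_write(subject: Entity, obj: Entity) -> bool:
    # The dual rules, assumed here because the text only states the read side:
    # disclosure: no write down; integrity: no write up.
    return obj.disclosure >= subject.disclosure and obj.integrity <= subject.integrity


@dataclass(frozen=True)
class CertifiedTransaction:
    """A trusted subject certified to turn data of exactly input_level into data of
    output_level. Outside such a transaction an object's integrity cannot rise."""
    name: str
    input_level: Level
    output_level: Level

    def transform(self, obj: Entity, new_name: str) -> Entity:
        if obj.level != self.input_level:
            raise PermissionError(
                f"{self.name}: {obj.name} has level {obj.level}, not input type {self.input_level}")
        disclosure, integrity = self.output_level
        return Entity(new_name, disclosure, integrity)


# Hypothetical entities; names and levels are assumptions for the example.
CLERK = Entity("clerk", disclosure=1, integrity=1)
RAW_FEED = Entity("raw_feed", disclosure=1, integrity=0)   # untrusted input
LEDGER = Entity("ledger", disclosure=1, integrity=2)       # high-integrity data
PAYROLL = Entity("payroll", disclosure=2, integrity=2)     # more sensitive to disclosure

# Only the certified "validate" transaction may promote raw input to ledger quality.
VALIDATE = CertifiedTransaction("validate", input_level=(1, 0), output_level=(1, 2))


def demo() -> dict:
    out = {
        "clerk_reads_ledger": can_read(CLERK, LEDGER),        # same disclosure, higher integrity
        "clerk_reads_payroll": can_read(CLERK, PAYROLL),      # denied: read up in disclosure
        "clerk_reads_raw_feed": can_read(CLERK, RAW_FEED),    # denied: read down in integrity
        "clerk_writes_ledger": can_write(CLERK, LEDGER),      # denied: write up in integrity
        "clerk_writes_raw_feed": can_write(CLERK, RAW_FEED),  # writing to lower integrity is fine
    }
    validated = VALIDATE.transform(RAW_FEED, "validated_feed")
    out["validated_level"] = validated.level
    try:
        VALIDATE.transform(LEDGER, "x")   # wrong input type for this transaction
        out["wrong_input_rejected"] = False
    except PermissionError:
        out["wrong_input_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the lattice alone cannot express is the last step: the clerk can never write into the ledger directly, but the certified transaction, because it is a trusted subject, may take low-integrity input and emit ledger-level output, and it accepts only data of the exact type it was certified for.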

The Karger Implementation

In 1988, Karger proposed another implementation of the Clark-Wilson integrity model, augmenting it with his secure capabilities architecture (developed in 1984) and a generic lattice security model. In this implementation, audit trails play a much more prominent part in the enforcement of security than in other implementations. The capabilities architecture combined with access control lists that represent the security lattice provide for improved flexibility in implementing integrity.

In addition, the Karger implementation requires that the access control lists contain the specifics of the Clark-Wilson triples (i.e., the names of the subjects, the objects to which access is requested, and the programs that provide the access), thereby enabling static separation of duties. Static separation of duties prevents unauthorized users from modifying data and prevents authorized users from making improper modifications.

The part of Karger’s implementation that uses capabilities with access control lists limits actions to particular domains. The complex access control lists not only contain the triples but specify the order in which the transactions must be executed. These lists are used with audit-based capabilities to enforce dynamic separation of duties.

The Karger implementation provides three levels of integrity protection. First, triples in the access control lists allow for basic integrity (i.e., static separation of duties). Second, the capabilities architecture can be used with access control lists to provide faster access and domain separation. Third, access control lists and the capabilities architecture support both dynamic separation of duties and well-formed transactions.
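The following is an added example, not Karger's code and not part of the Handbook text, illustrating the three pieces the preceding paragraphs describe: an access control list keyed on triples, a required execution order for the transactions, and an audit trail consulted to enforce dynamic separation of duties. The purchase-order object, the three programs and the user names are constructed for the example; the capabilities architecture itself is not modelled.

```python
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple


class Triple(NamedTuple):
    user: str
    program: str   # the transformation procedure that mediates the access
    obj: str       # the constrained data item being accessed


class AuditEntry(NamedTuple):
    user: str
    program: str
    obj: str


class TripleACL:
    """An access control list keyed on Clark-Wilson triples. The list also records
    the order in which the programs must run on each object, and the audit trail
    of completed steps drives the dynamic separation-of-duties check."""

    def __init__(self, sequence: Dict[str, List[str]], static_conflicts: Set[FrozenSet[str]]):
        self.sequence = sequence                   # obj -> ordered list of programs
        self.static_conflicts = static_conflicts   # pairs one user may never hold together
        self.triples: Set[Triple] = set()
        self.audit: List[AuditEntry] = []

    def grant(self, user: str, program: str, obj: str) -> None:
        """Static separation of duties, enforced when the list is built: a user may
        not hold two statically conflicting programs on the same object."""
        for t in self.triples:
            if t.user == user and t.obj == obj and \
                    frozenset({t.program, program}) in self.static_conflicts:
                raise ValueError(f"static SoD: {user} already holds {t.program} on {obj}")
        self.triples.add(Triple(user, program, obj))

    def request(self, user: str, program: str, obj: str) -> Tuple[bool, str]:
        """Mediate one access: check the triple, the required order, and dynamic
        separation of duties against the audit trail; log the step on success."""
        if Triple(user, program, obj) not in self.triples:
            return False, "no triple for this user, program and object"
        done = [e for e in self.audit if e.obj == obj]
        order = self.sequence[obj]
        if len(done) >= len(order):
            return False, "transaction sequence already complete"
        if order[len(done)] != program:
            return False, f"out of order: next step is {order[len(done)]}"
        if any(e.user == user for e in done):
            return False, "dynamic SoD: this user already performed a step on the object"
        self.audit.append(AuditEntry(user, program, obj))
        return True, "ok"


def run_scenario() -> Dict[str, object]:
    """Constructed purchase-order scenario; users, programs and object are hypothetical."""
    acl = TripleACL(
        sequence={"PO-17": ["prepare", "approve", "post"]},
        static_conflicts={frozenset({"prepare", "approve"})},
    )
    acl.grant("alice", "prepare", "PO-17")
    acl.grant("bob", "approve", "PO-17")
    acl.grant("bob", "post", "PO-17")      # statically allowed; caught dynamically below
    acl.grant("carol", "post", "PO-17")
    results: Dict[str, object] = {}
    try:
        acl.grant("alice", "approve", "PO-17")
        results["grant_alice_approve"] = (True, "granted")
    except ValueError as e:
        results["grant_alice_approve"] = (False, str(e))
    results["carol_posts_first"] = acl.request("carol", "post", "PO-17")   # out of order
    results["alice_prepares"] = acl.request("alice", "prepare", "PO-17")   # ok
    results["alice_approves"] = acl.request("alice", "approve", "PO-17")   # no triple
    results["bob_approves"] = acl.request("bob", "approve", "PO-17")       # ok
    results["bob_posts"] = acl.request("bob", "post", "PO-17")             # dynamic SoD
    results["carol_posts"] = acl.request("carol", "post", "PO-17")         # ok
    results["audit_users"] = [e.user for e in acl.audit]
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Static separation rejects the triple itself, so alice can never hold both prepare and approve on PO-17. Dynamic separation is weaker at definition time but stronger at run time: bob legitimately holds both approve and post, yet once the audit trail shows him approving this particular order he is refused the post step, which is exactly what an ACL without an audit trail could not express.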

The Jueneman Implementation

In 1989, Jueneman proposed a defensive detection implementation for use on dynamic networks of interconnected trusted computers communicating through unsecured media. This implementation was based on mandatory and discretionary access controls, encryption, checksums, and digital signatures. It prevents unauthorized users from modifying data.

The control mechanisms in this implementation support the philosophy that the originator of an object is responsible for its confidentiality and that the recipient is responsible for its integrity in a network environment. The mandatory access controls prevent unauthorized modification within the trusted computers and detect modifications made outside them. The discretionary access controls prevent the modification, destruction, or renaming of an object by a user who qualifies under mandatory control but lacks the owner's permission to access the object. The encryption mechanism is used to avoid unauthorized disclosure of the object. Checksums verify that the communication received is the communication that was sent, and digital signatures are evidence of the source of the communication.
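The following is an added example, not Jueneman's design and not part of the Handbook text, showing why the recipient needs both mechanisms named above. It uses a SHA-256 checksum for "the communication received is the communication that was sent" and, because the Python standard library has no public-key signature primitive, an HMAC under a shared key as a stand-in for the digital signature; the shared key, the sample message and the two attacker functions are all constructed for the example. A real deployment would use an asymmetric signature so the evidence of source also holds against the recipient.

```python
import hashlib
import hmac
from typing import Any, Dict, Tuple

# Shared key standing in for the originator's signing key (assumption for the example).
SHARED_KEY = b"constructed-demo-key-not-for-use"


def checksum(body: bytes) -> str:
    """Unkeyed checksum: detects accidental corruption, not deliberate change."""
    return hashlib.sha256(body).hexdigest()


def sign(body: bytes, key: bytes) -> str:
    """Keyed tag standing in for the digital signature (evidence of source)."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def originate(body: bytes, key: bytes = SHARED_KEY) -> Dict[str, Any]:
    """What the originator sends over the unsecured medium."""
    return {"body": body, "checksum": checksum(body), "sig": sign(body, key)}


def receive(msg: Dict[str, Any], key: bytes = SHARED_KEY) -> Tuple[bool, str]:
    """The recipient is responsible for integrity: verify before trusting anything."""
    body = msg["body"]
    if checksum(body) != msg["checksum"]:
        return False, "checksum mismatch: altered or corrupted in transit"
    if not hmac.compare_digest(sign(body, key), msg["sig"]):
        return False, "signature invalid: source cannot be verified"
    return True, "accepted"


def corrupt_in_transit(msg: Dict[str, Any]) -> Dict[str, Any]:
    """Accidental damage on the medium: flip one bit of the body."""
    body = bytearray(msg["body"])
    body[0] ^= 0x01
    return {**msg, "body": bytes(body)}


def tamper_and_recompute_checksum(msg: Dict[str, Any], new_body: bytes) -> Dict[str, Any]:
    """An active attacker on the unsecured medium: replace the body and recompute the
    unkeyed checksum. Without the key the signature cannot be recomputed."""
    return {**msg, "body": new_body, "checksum": checksum(new_body)}


def demo() -> Dict[str, Tuple[bool, str]]:
    genuine = originate(b"PAY 100 TO ACCT 42")   # constructed sample message
    return {
        "genuine": receive(genuine),
        "corrupted": receive(corrupt_in_transit(genuine)),
        "tampered": receive(tamper_and_recompute_checksum(genuine, b"PAY 999 TO ACCT 66")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The corrupted message fails at the checksum, which is all a checksum is good for; the deliberately altered message sails past the recomputed checksum and is caught only by the keyed tag. Detection, not prevention, is the whole defensive posture here: nothing stops the medium from changing the object, but the recipient never accepts a changed one.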

The Gong Implementation

The Gong implementation, developed in 1989, is an identity-based and capability-oriented security system for distributed systems in a network environment. Capabilities identify each object and specify the access rights (i.e., read, write, and update) to be allowed to each subject that is authorized access. Access authorizations are provided in an access list.

The Gong implementation consists of subjects (i.e., users), objects, object servers, and a centralized access control server. The access control server contains the access control lists, and the object server contains the capability controls for each object.

This implementation is very flexible because it is independent of the protection policy (i.e., the Bell-LaPadula disclosure lattice, the Biba integrity lattice, the Clark-Wilson access triples, or the Lee-Shockley nonhierarchical categories). The Gong implementation can be used to prevent unauthorized users from modifying data and to prevent authorized users from making unauthorized modifications.
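The following is an added example, not Gong's protocol and not part of the Handbook text, sketching the division of labour the preceding paragraphs describe: a centralized access control server that holds the access lists and issues capabilities, and an object server that holds the objects and checks capabilities without ever consulting the list. The capability is bound to the subject's identity with an HMAC under a key shared between the two servers; that binding, the key, the object names and the users are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Set, Tuple


def _seal(key: bytes, subject: str, obj: str, rights: list) -> str:
    """Bind a capability to the subject's identity, the object and the rights."""
    canon = json.dumps({"subject": subject, "object": obj, "rights": rights}, sort_keys=True)
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


class AccessControlServer:
    """Centralized server holding the access lists; the only place policy lives."""

    def __init__(self, acl: Dict[str, Dict[str, Set[str]]], server_keys: Dict[str, bytes]):
        self.acl = acl                   # object -> subject -> rights
        self.server_keys = server_keys   # object -> key shared with the server hosting it

    def issue(self, subject: str, obj: str) -> Optional[dict]:
        """Consult the access list and mint an identity-bound capability, or refuse."""
        rights = sorted(self.acl.get(obj, {}).get(subject, set()))
        if not rights:
            return None
        return {"subject": subject, "object": obj, "rights": rights,
                "check": _seal(self.server_keys[obj], subject, obj, rights)}


class ObjectServer:
    """Holds objects and the capability controls; policy-independent by design."""

    def __init__(self, key: bytes, objects: Dict[str, str]):
        self.key = key
        self.objects = objects   # object name -> contents

    def access(self, presenter: str, cap: Optional[dict], right: str) -> Tuple[bool, str]:
        if cap is None:
            return False, "no capability"
        if cap["object"] not in self.objects:
            return False, "object not hosted here"
        expected = _seal(self.key, cap["subject"], cap["object"], cap["rights"])
        if not hmac.compare_digest(expected, cap["check"]):
            return False, "capability forged or modified"
        if cap["subject"] != presenter:
            return False, "capability bound to a different identity"
        if right not in cap["rights"]:
            return False, f"right '{right}' not in capability"
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: one object server, one ledger object, two users."""
    key = b"constructed-shared-key-not-for-use"
    acs = AccessControlServer(acl={"ledger": {"alice": {"read", "write"}}},
                              server_keys={"ledger": key})
    srv = ObjectServer(key, objects={"ledger": "opening balance 0"})

    alice_cap = acs.issue("alice", "ledger")
    bob_cap = acs.issue("bob", "ledger")          # bob is not on the access list
    forged = dict(alice_cap, rights=alice_cap["rights"] + ["update"])   # tampered copy
    return {
        "alice_read": srv.access("alice", alice_cap, "read"),
        "alice_update": srv.access("alice", alice_cap, "update"),
        "bob_no_cap": srv.access("bob", bob_cap, "read"),
        "bob_with_alice_cap": srv.access("bob", alice_cap, "read"),
        "alice_forged": srv.access("alice", forged, "update"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two properties carry the design. The object server enforces whatever the access control server decided without knowing why, which is what makes the scheme independent of the protection policy behind the list; and because the capability names the subject and is sealed, a stolen or altered capability fails on presentation, which is the identity-based part.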

