[ Changed 22nd October 1997 ]
The Clark-Wilson security model applies to systems in which security is enforced jointly by the operating system and the application systems running on it. Under this model, a secure system may be viewed as a certified application running on top of a trusted computing base (TCB). Certifying an application corresponds to arguing (to some degree) its correctness; the TCB is expected to have undergone some form of security evaluation. A variety of existing implementation models, for example multilevel security, have been shown capable of upholding the Clark-Wilson TCB requirements.
We argue that, given an evaluated TCB, an application designer should try to minimize the amount of security-critical code contained within the application and rely on the TCB to enforce security wherever possible. Under the Clark-Wilson model, the TCB is expected to support (enforce) static segregation of duty, which can be checked from the access permissions alone. However, it appears that dynamic segregation of duty, which depends on which operations a user has already performed on a particular data item, must be implemented within the application itself.
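The distinction between static and dynamic segregation of duty can be made concrete with a small reference monitor. The following is an added illustration and not code from the talk or from any of the systems it describes; the toy monitor, the "prepare"/"approve" transformation procedures and the invoice data items are constructed for the example. The static check needs only the Clark-Wilson access triples, which is why a TCB that holds the permissions can enforce it; the dynamic check additionally needs a per-CDI history of who has already applied which TP, which is the state a conventional TCB does not keep.

```python
"""Toy Clark-Wilson reference monitor (added example, not from the original page).

Clark-Wilson terms used here:
  CDI    - constrained data item, the data whose integrity is protected
  TP     - transformation procedure, the only way a CDI may be changed
  triple - (user, TP, CDI) permission; the static part of the policy
Static segregation of duty: no single user holds triples for two conflicting
  TPs on the same CDI. This is decidable from the triples alone.
Dynamic segregation of duty: a user may hold both triples, but once that user
  has applied TP_a to a particular CDI the same user may not apply TP_b to it.
  This needs a history of past operations on each CDI.
"""
from __future__ import annotations

from dataclasses import dataclass, field

Triple = tuple[str, str, str]  # (user, TP, CDI)


@dataclass
class ReferenceMonitor:
    # Static policy: the access triples (who may run which TP on which CDI).
    triples: set[Triple]
    # Pairs of TPs that the same person must not both apply to one CDI.
    conflicting: set[frozenset[str]]
    # Dynamic state: (user, TP) pairs already applied to each CDI.
    history: dict[str, list[tuple[str, str]]] = field(default_factory=dict)

    def static_sod_violations(self) -> set[tuple[str, str]]:
        """Return (user, CDI) pairs where one user holds both halves of a
        conflicting pair. Only the triples are consulted, so a permission
        store in the TCB could perform this check by itself."""
        found: set[tuple[str, str]] = set()
        for user, tp_a, cdi in self.triples:
            for user_b, tp_b, cdi_b in self.triples:
                if user_b == user and cdi_b == cdi \
                        and frozenset({tp_a, tp_b}) in self.conflicting:
                    found.add((user, cdi))
        return found

    def authorize(self, user: str, tp: str, cdi: str) -> tuple[bool, str]:
        """Static check (triple present), then dynamic check (history)."""
        if (user, tp, cdi) not in self.triples:
            return False, "denied: no access triple"
        for past_user, past_tp in self.history.get(cdi, []):
            if past_user == user and frozenset({past_tp, tp}) in self.conflicting:
                return False, f"denied: dynamic SoD, {user} already applied {past_tp} to {cdi}"
        return True, "permitted"

    def run_tp(self, user: str, tp: str, cdi: str) -> tuple[bool, str]:
        """Apply a TP if authorized and record it in the CDI's history."""
        ok, why = self.authorize(user, tp, cdi)
        if ok:
            self.history.setdefault(cdi, []).append((user, tp))
        return ok, why


def demo() -> tuple[set[tuple[str, str]], list[tuple[bool, str]]]:
    """Constructed sample policy: payments must be prepared and approved by
    different people. Returns the static-SoD findings and the outcome of a
    sequence of TP invocations."""
    conflicting = {frozenset({"prepare", "approve"})}
    triples: set[Triple] = {
        # Static segregation: alice and bob never hold conflicting triples.
        ("alice", "prepare", "inv-1"), ("bob", "approve", "inv-1"),
        # Dynamic segregation: carol holds both TPs on inv-2 and inv-3,
        # so only the history can stop her doing both on one invoice.
        ("carol", "prepare", "inv-2"), ("carol", "approve", "inv-2"),
        ("carol", "prepare", "inv-3"), ("carol", "approve", "inv-3"),
        ("dave", "approve", "inv-2"),
    }
    rm = ReferenceMonitor(triples, conflicting)
    static_findings = rm.static_sod_violations()  # flags carol on inv-2 and inv-3
    outcomes = [
        rm.run_tp("alice", "prepare", "inv-1"),  # permitted
        rm.run_tp("alice", "approve", "inv-1"),  # denied: no triple
        rm.run_tp("carol", "prepare", "inv-2"),  # permitted
        rm.run_tp("carol", "approve", "inv-2"),  # denied: dynamic SoD
        rm.run_tp("dave", "approve", "inv-2"),   # permitted, different user
        rm.run_tp("carol", "approve", "inv-3"),  # permitted, she did not prepare it
    ]
    return static_findings, outcomes


if __name__ == "__main__":
    findings, results = demo()
    print("static SoD findings:", sorted(findings))
    for ok, why in results:
        print(ok, why)
```

A purely static policy has only two choices for carol: forbid her triples outright (the static check flags them) or allow them and lose the constraint. The dynamic rule is expressible only with the history that `run_tp` records, which is the state the abstract argues a TCB should be able to hold on the application's behalf.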
In this talk I will describe a framework in which dynamic Clark-Wilson style segregation of duty policies can be expressed and supported by the TCB. I will also describe how these policies can be enforced under Unix and Multilevel TCBs.