The Clark-Wilson model [12] was developed to address security issues
in commercial environments. The model uses two categories of mechanisms
to realize integrity: well-formed transactions and separation of duty.
Our framework is designed to handle the Clark-Wilson integrity model.
One way to represent the constraint that only certain trusted programs
can modify objects is an application:checksum condition,
where the checksum ensures the authenticity of the application.
Another way is an application:endorser condition, which indicates that a valid certificate, stating that the application has been endorsed by the specified endorser, must be presented.
Static separation of duty is enforced by the security administrator when
assigning group membership.
Dynamic separation of duty enforces control over how permissions are used
at access time [6].
Here are examples of EACL conditions specific to dynamic separation of duty:
- privilege:restricted
Makes the subject operate with the privilege of only one group at a time.
- privilege:set_of_groups
Makes the subject operate with the privilege of only the specified groups at a time.
- endorsement:list_of_endorsers
Requires the concurrence of several subjects to perform some operation.
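The conditions above can be read as predicates over a single access request. The following sketch is an added example, not code from the framework described here: the condition names come from the page, while the request layout, the value encodings, the use of SHA-256 and every function name are assumptions.

```python
import hashlib

# Condition names are from the page; the request layout, value encodings,
# SHA-256 and all function names are assumptions made for this example.

def _checksum(value, req):
    # application:checksum - the invoking program must match a trusted digest.
    return hashlib.sha256(req["program"]).hexdigest() == value

def _restricted(value, req):
    # privilege:restricted - privilege of only one group at a time.
    return len(req["active_groups"]) <= 1

def _set_of_groups(value, req):
    # privilege:set_of_groups - only the specified groups may be active.
    return req["active_groups"] <= value

def _endorsers(value, req):
    # endorsement:list_of_endorsers - every listed subject must concur
    # (assumed reading of "concurrence of several subjects").
    return value <= req["endorsers"]

CHECKS = {
    "application:checksum": _checksum,
    "privilege:restricted": _restricted,
    "privilege:set_of_groups": _set_of_groups,
    "endorsement:list_of_endorsers": _endorsers,
}

def evaluate(conditions, req):
    """Grant only if every condition holds; unknown types fail closed."""
    for ctype, value in conditions:
        check = CHECKS.get(ctype)
        if check is None or not check(value, req):
            return False
    return True

# Constructed sample data, not taken from the page.
TRUSTED_PROGRAM = b"post_ledger v1 (constructed sample bytes)"
POLICY = [
    ("application:checksum", hashlib.sha256(TRUSTED_PROGRAM).hexdigest()),
    ("privilege:restricted", None),
    ("endorsement:list_of_endorsers", {"alice", "bob"}),
]

def sample_request(**overrides):
    req = {"program": TRUSTED_PROGRAM, "active_groups": {"clerks"},
           "endorsers": {"alice", "bob"}}
    req.update(overrides)
    return req

if __name__ == "__main__":
    print(evaluate(POLICY, sample_request()))
    print(evaluate(POLICY, sample_request(endorsers={"alice"})))
```

Treating an unrecognized condition type as a denial keeps a policy that the evaluator cannot fully interpret from granting access.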
Tatyana Ryutov
2002-06-25