| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Clark-Wilson Triple and the Confused Deputy
Clark-Wilson Triple and the Confused Deputy
Posted Feb 14, 2008 19:01 UTC (Thu) by AnswerGuy (subscriber, #1256)Parent article: Role-based access control in SELinux (developerWorks)
I find it mildly annoying that this article didn't make any reference to the Clark-Wilson Integrity Model which is, in fact, the academic term of art to describe what they are using SELinux DTE to implement. (This user can only access that data through this specific code: a Clark-Wilson triple). The code which is empowered to access the data is called (by Hardy, and Shapiro, et al. a "deputy").
The reason I find the omission annoying is because anyone who as made a halfway serious academic study of computer systems security should be familiar with these terms of art. (And I would, at best, consider my familiarity with the topic to be only "halfway serious"). By making such references one gives the reader information upon which to do meaningful further research. (In other words if you know that this thing they describe as "RBAC" is actually implementing something like Clark-Wilson triples then you have a keyword to use in searches that will turn up the academic treatments which are most likely to be relevant. This, in turn, can lead to comparisons (so the reader might learn, for example, that their requirements more closely match those which call for implementations Bell-LaPadula or Biba models) or they might be interested in reading about The Confused Deputy.
In particular it is useful to know that any program which is empowered to access a resource with permissions/privileges that exceed those of the user accessing the program is a "deputy" charged with enforcing a set of policies about how that resource (file) is accessed. For example to ensure that only valid changes are made to a data file, or possibly that only only aggregations and computations results are generated without allowing the raw data to be read. This concept of data integrity enforced by the combination of user, "deputy" and resource is the essence of the Clark-Wilson integrity model. Auditors of such systems must have a list of all valid triples (users, "deputized" programs, and resources). To make such lists more manageable its common to arrange users into groups (all members of which are equivalent for data integrity purposes), and it's possible to group resources by directories. However, these concepts don't necessarily map directly to system users, groups, files and directories. For example on a system with an RDBMS (such as PostgreSQL or MySQL) then their are DB users which can be granted specific permissions to each database, table, and/or view, etc.
Also reading further about the Clark-Wilson integrity model one can learn of additional requirements which were not considered by this article nor by the SELinux implementation described there. (For example, if I understand it correctly, to fully implement a Clark-Wilson model the entity which can create the triple ... the relationship between user and data through a (deputy) program ... should NOT be able to access the data nor the programs directly. Without this constraint I guess the overall system integrity cannot be assured as there's no guarantee that this entity (super-user) hasn't compromised the integrity. Seeing such additional constraints noted in academic work might serve as a warning to the pragmatic implementer that they may have to consider further implications of what they are doing and what guarantees they think they can assert about their system.
Just one link in the original article --- to the first Wikipedia article I referenced, would have immensely improved it by giving the reader far more to think about. (Adding the one to the Confused Deputy would, of course, go even further since it points out the most important weakness in this integrity model and can lead to information about other integrity models that address that weakness; but that would be unnecessary now that I've touched up the CW article on Wikipedia).
I don't condone worship at the altars in the ivory towers of academia. However, I would appreciate a little more observance of those situations where it can add real value.
Jim Dennis
(Log in to post comments)
Clark-Wilson Triple and the Confused Deputy
Posted Feb 14, 2008 22:54 UTC (Thu) by tv (subscriber, #32991) [Link]
You know, one the problem with computer science as an academic subject is that everything, no matter how minute, is labeled with the names of at least two people and that too many publications contain novelty only in homeopathic doses. At times, it seems like the phenomenon of software patents mirrors some of the more problematic traits of academia in that area.
Clark-Wilson Triple and the Confused Deputy
Posted Feb 15, 2008 11:24 UTC (Fri) by NAR (subscriber, #1313) [Link]
Corporate researchers are payed/recognized for patents, academic researchers are payed/recognized for publications - I guess that explains the similarity.
Clark-Wilson Triple and the Confused Deputy
Posted Feb 15, 2008 21:09 UTC (Fri) by drag (subscriber, #31333) [Link]
Well lots of academic institutions see software patents as a form of revenue to be exploited. In fact since they rarely produce any commercially viable software themselves (rather they do things that form the basis of commercial offerings later on) then that puts them in a better position to make money from software patents then your average software company. Eolas, for example, when they sued Microsoft for having the audacity to incorporate support for browser plug-ins were in fact using a patent developed by University of California. UC was a joint plaintiff along side Eolas and made money from the successful exploitation of the patent system. This is one of the problems that people face when fighting software patents.. much of academia is on the other side of the argument since they have a personal profit motivation.
Homeopathic Doses of Novelty
Posted Feb 16, 2008 16:33 UTC (Sat) by AnswerGuy (subscriber, #1256) [Link]
I can't help but point out that quite alot of academic work is not intended to clump together large "doses of novelty." In fact, the nature of most academic research and publication is to focus on one particular subject or perhaps a novel combination of otherwise well-known topics and perform and in-depth analysis of that. Naturally such things are "boring" to most people and only relevant to very narrow groups (usually other researchers in the same niche of the same field and occasionally in other fields which are affected by the topic at hand. My earlier point was that sometimes there are facets of a body of knowledge which become "terms of art" in their field. On the one hand one can argue that a requirement to use the terms of art is elitist (who cares of he knows about the Clark-Wilson work if he describes the concept adequately). But my point was that the omission does have some downsides. In particular a reference to such a fundamental term gives the reader the basis for finding out quite a bit more information with very little additional effort. It's omission would make it very difficult to find this related work (no other simple terms or phrases are sufficiently unique to the discussion to readily lead to it using search engines ... for example). Also on the other hand, the proper use of these obscure "terms of art" allows one to more succinctly base one's work on those concepts and allows those readers familiar with the terminology to get to the point more quickly. (Yes, this can be at the expensive of broader readership which might be forced to chase a hyperlink or read a side bar or whatever to "catch up"). In the case of these "Clark-Wilson triples" the concept is recurring (for example using traditional UNIX set group ID (SGID) it's possible for me to "deputize" a program so that it has access to data (such as a game's score file, or a mail spool) while preventing direct access thereto (using arbitrary tools such as an editor). Unfortunately the problem of the confused deputy is also recurrent. (There are also some odd issues in the traditional UNIX model: for example if I want to make a certain SGID program only accessible to members of a different group then I have to use permissions on one or more parent directories to the program's links to express that policy. Example: I might have a cash register file which I want to be modified only by certain accounting programs while also restricting access such that those accounting programs can only be accessed by a certain group of users -- cashiers, for example. Normally programmers and admins immediately reach for SUID in that situation. But that carries even higher risks (the confused deputy can chmod "his" files and thereby completely expose them). A different technique is to put the accounting programs into a directory which is associated with the target user group (chgrp cashiers ./acctbin) and which is not world executable (chmod 07450 ./acctbin). Now the acctbin/* executables can be marked SGID to the acctdata group. Result: only members of the cashiers group can execute the programs which are deputized to modify the accouting data. Despite this wrinkle it is far less complicated and plausibly about as effective as the SELinux model described in the original article. (Incidentally one can express logical OR and logical AND relationships using hard links into other parent directories and multiple levels of directory. I'll leave that as an exercise to the reader). Now I will also grant that referring to these as "Clark-Wilson triples" may be misleading. They describe a set of relationships among user, program and data which is similar to those detailed by the "Clark-Wilson integrity model" but the system as a whole doesn't conform to their design. (Remember the little constraint about who the creator/maintainer of these triples must not have direct execute permissions on the programs in question). However I think that giving this particular relationship a name is useful for discussing systems administration topics more succinctly. When I say I have "deputized" a program it would be nice if that was as readily understood as when I might way that I've "wrapped" it with a script. (And, in fact, one could then talk about deputizing a wrapper in a meaningful way without getting bogged down by the details). I remain unconvinced that SELinux gives us enough real additional functionality to justify it's horrendous complexity. I still advocate more widespread use of systrace which is simple enough to explain in a page and to more or less fully document in a few pages (with the pre-requisite that the reader understands UNIX/Linux system call usage) and which is analagous to an ubiquitous networking security model. So I can tell any sysadmin that systrace is like a firewall or set of packet filters between user space and the system call interface to the kernel and I've summarized the entirety of the systrace model in a single sentence. Anyone who has dealt with packet filtering will then already have a ready frame of reference into which to feed the usage details. They will probably "get it" immediately. I have seen almost zero traction on the SELinux model. It's so convoluted and so disjoint from the rest of the UNIX/Linux permissions and access/control model that the vast majority of sysadmins prefer to disable it wherever possible. We could argue that those sysadmins are just a bunch of old-fogeys who are unwilling to embrace change and who are impeding progress. I've seen SELinux proponents come just short of calling all of the rest of us a bunch of Luddites. (If we were truly "Luddites" then SELinux should be welcomed as it's complexity will surely guarantee those of us who can learn it paying work for the rest of our careers). Anyway, I hope this is entertaining and perhaps a bit informative because, at this point I realize I'm just rambling. Time to get that first cup of coffee. :) JimD
Homeopathic Doses of Novelty
Posted Feb 21, 2008 13:58 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link]
>My earlier point was that sometimes there are facets of a body of knowledge which become "terms of art" in their field. On the one hand one can argue that a requirement to use the terms of art is elitist (who cares of he knows about the Clark-Wilson work if he describes the concept adequately). >But my point was that the omission does have some downsides. In particular a reference to such a fundamental term gives the reader the basis for finding out quite a bit more information with very little additional effort. It's omission would make it very difficult to find this related work (no other simple terms or phrases are sufficiently unique to the discussion to readily lead to it using search engines ... for example). "terms of art" are pointers on the cognitive stack to vastly bigger amounts of information out there on the research heap. The indirection speeds up the process of absorbing new material if you're along the learning curve already, but the complexity hurts the New Guy. Tradeoffs: always, the tradeoffs. The other point is that affixing one's name as the symbol identifying an idea is one form of immortality for all the Gilgamesh characters out there. Matt Mackall's sig on the LKML: "Mathematics is the supreme nostalgia of our time."