The Chinese Wall model [146] is a model of a security policy that refers equally to confidentiality and integrity. It describes policies that involve a conflict of interest in business, and is as important to those situations as the Bell-LaPadula Model is to the military. For example, British law requires the use of a policy similar to this, and correct implementation of portions of the model provides a defense in cases involving certain criminal charges [653, 654]. The environment of a stock exchange or investment house is the most natural environment for this model. In this context, the goal of the model is to prevent a conflict of interest in which a trader represents two clients, and the best interests of the clients conflict, so the trader could help one gain at the expense of the other.
Consider the database of an investment house. It consists of companies' records about investment and other data that investors are likely to request. Analysts use these records to guide the companies' investments, as well as those of individuals. Suppose Anthony counsels Bank of America in its investments. If he also counsels Citibank, he has a potential conflict of interest, because the two banks' investments may come into conflict. Hence, Anthony cannot counsel both banks.
The following definitions capture this:
Definition 7-1. The objects of the database are items of information related to a company.
Definition 7-2. A company dataset (CD) contains objects related to a single company.
Definition 7-3. A conflict of interest (COI) class contains the datasets of companies in competition.
Let COI(O) represent the COI class that contains object O, and let CD(O) be the company dataset that contains object O. The model assumes that each object belongs to exactly one COI class.
Anthony has access to the objects in the CD of Bank of America. Because the CD of Citibank is in the same COI class as that of Bank of America, Anthony cannot gain access to the objects in Citibank's CD. Thus, this structure of the database provides the required separation. (See Figure 7-1.)

This implies a temporal element. Suppose Anthony first worked on Bank of America's portfolio and was then transferred to Citibank's portfolio. Even though he is working on only one CD in the bank COI class at a time, much of the information he learned from Bank of America's portfolio will still be current. Hence, he can guide Citibank's investments using information about Bank of America, a conflict of interest. This leads to the following rule, where PR(S) is the set of objects that S has read.
CW-Simple Security Condition, Preliminary Version: S can read O if and only if either of the following is true.
1. There is an object O' such that S has accessed O' and CD(O') = CD(O).
2. For all objects O', $O' \in PR(S) \Rightarrow COI(O') \neq COI(O)$.
Initially, $PR(S) = \emptyset$, and the initial read request is assumed to be granted. Given these assumptions, in the situation above, Bank of America's CD and Citibank's CD lie in the same COI class, so the second part of the CW-simple security condition applies, and Anthony, having already accessed an object in Bank of America's CD, cannot access an object in Citibank's CD.
Two immediate consequences of this rule affect subject rights. First, once a subject reads any object in a COI class, the only other objects in that COI class that the subject can read are in the same CD as the read object. So, if Susan accesses some information in Citibank's CD, she cannot later access information in Bank of America's CD.
Second, the minimum number of subjects needed to access every object in a COI class is the same as the number of CDs in that COI class. If the gasoline company COI class has four CDs, then at least four analysts are needed to access all information in the COI class. Thus, any trading house must have at least four analysts to access all information in that COI class without creating a conflict of interest.
In practice, companies have information they can release publicly, such as annual stockholders' reports and filings before government commissions. The Chinese Wall model should not consider this information restricted, because it is available to all. Hence, the model distinguishes between sanitized data and unsanitized data; the latter falls under the CW-simple security condition, preliminary version, whereas the former does not. The CW-simple security condition can be reformulated to include this notion.
CW-Simple Security Condition: S can read O if and only if any of the following holds.
1. There is an object O' such that S has accessed O' and CD(O') = CD(O).
2. For all objects O', $O' \in PR(S) \Rightarrow COI(O') \neq COI(O)$.
3. O is a sanitized object.
Suppose Anthony and Susan work in the same trading house. Anthony can read objects in Bank of America's CD, and Susan can read objects in Citibank's CD. Both can read objects in ARCO's CD. If Anthony can also write to objects in ARCO's CD, then he can read information from objects in Bank of America's CD and write to objects in ARCO's CD, and then Susan can read that information; so, Susan can indirectly obtain information from Bank of America's CD, causing a conflict of interest. The CW-simple security condition must be augmented to prevent this.
CW-*-Property: A subject S may write to an object O if and only if both of the following conditions hold.
1. The CW-simple security condition permits S to read O.
2. For all unsanitized objects O', S can read $O' \Rightarrow CD(O') = CD(O)$.
In the example above, Anthony can read objects in both Bank of America's CD and ARCO's CD. Thus, condition 1 is met. However, assuming that Bank of America's CD contains unsanitized objects (a reasonable assumption), Anthony can read those objects, and their CD is not ARCO's CD, so condition 2 is false. Hence, Anthony cannot write to objects in ARCO's CD.
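To make the two rules concrete, the following is an added example (not code from the original text) of a reference monitor that keeps PR(S) for each subject and evaluates the CW-simple security condition and the CW-*-property exactly as stated above. It replays the Anthony/Susan/ARCO scenario. The object layout (a COI class, a CD and a sanitized flag per object) and the extra Shell dataset in the gasoline COI class are assumptions made for illustration.

```python
"""Chinese Wall reference monitor with an access history.

Added example, not code from the original text.  The company names follow
the chapter's scenario; the object layout and the Shell dataset are
assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    name: str
    coi: str                 # COI(O): conflict-of-interest class of the object
    cd: str                  # CD(O): company dataset of the object
    sanitized: bool = False  # public data such as an annual report


class ChineseWall:
    def __init__(self, objects: list[Obj]):
        self.objects = list(objects)        # the whole database
        self.pr: dict[str, set[Obj]] = {}   # PR(S): objects S has read, initially empty

    def _pr(self, s: str) -> set[Obj]:
        return self.pr.setdefault(s, set())

    def can_read(self, s: str, o: Obj) -> bool:
        """CW-simple security condition (with sanitized data)."""
        if o.sanitized:                                 # condition 3
            return True
        pr = self._pr(s)
        if any(p.cd == o.cd for p in pr):               # condition 1: same CD as a past read
            return True
        return all(p.coi != o.coi for p in pr)          # condition 2: COI class still untouched

    def can_write(self, s: str, o: Obj) -> bool:
        """CW-*-property.  Condition 2 quantifies over every unsanitized
        object s *can* read (not only those it has read), as the text states."""
        if not self.can_read(s, o):                     # condition 1
            return False
        return all(p.cd == o.cd
                   for p in self.objects
                   if not p.sanitized and self.can_read(s, p))

    def read(self, s: str, o: Obj) -> bool:
        """Mediate a read request and record it in PR(S) when granted."""
        if not self.can_read(s, o):
            return False
        self._pr(s).add(o)
        return True


# Constructed database for the scenario.
BOFA_U = Obj("BofA-portfolio", "bank", "BankOfAmerica")
CITI_U = Obj("Citi-portfolio", "bank", "Citibank")
ARCO_U = Obj("ARCO-portfolio", "gasoline", "ARCO")
ARCO_S = Obj("ARCO-annual-report", "gasoline", "ARCO", sanitized=True)
SHELL_U = Obj("Shell-portfolio", "gasoline", "Shell")   # assumed extra CD


def run_scenario() -> dict[str, bool]:
    """Replay the chapter's Anthony/Susan example; return each decision."""
    cw = ChineseWall([BOFA_U, CITI_U, ARCO_U, ARCO_S, SHELL_U])
    r: dict[str, bool] = {}
    r["anthony reads BofA"] = cw.read("anthony", BOFA_U)           # first read: granted
    r["anthony reads Citi"] = cw.read("anthony", CITI_U)           # same COI, other CD: denied
    r["anthony reads ARCO sanitized"] = cw.read("anthony", ARCO_S)  # public data: granted
    r["susan reads Citi"] = cw.read("susan", CITI_U)
    r["susan reads ARCO sanitized"] = cw.read("susan", ARCO_S)
    # Anthony may still read ARCO's unsanitized data: the gasoline COI is untouched.
    r["anthony can read ARCO"] = cw.can_read("anthony", ARCO_U)
    # The mailbox problem: Anthony must not write to ARCO objects at all,
    # because Bank of America data he can read is in a different CD.
    r["anthony writes ARCO"] = cw.can_write("anthony", ARCO_U)
    r["anthony writes ARCO sanitized"] = cw.can_write("anthony", ARCO_S)
    # Literal consequence of quantifying over objects he *can* read: while the
    # gasoline COI is still open to him, even writing to Bank of America's CD is refused.
    r["anthony writes BofA"] = cw.can_write("anthony", BOFA_U)
    return r
```

The last decision is worth noting: because condition 2 of the CW-*-property ranges over every unsanitized object the subject could read, a subject who has not yet committed to a CD in each COI class cannot write unsanitized data anywhere. With a single COI class in the database, the same subject may write to the CD it has read.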
Let $S$ be a set of subjects, let $O$ be a set of objects, and let $L = C \times D$ be a set of labels. Define projection functions $l_1: O \to C$ and $l_2: O \to D$. $C$ corresponds to the set of COI classes, and $D$ to the set of CDs, in the informal exposition above. The access matrix entry for $s \in S$ and $o \in O$ is $H(s, o)$; that element is true if $s$ has, or has had, read access to $o$, and is false otherwise. (Note that $H$ is not an access control matrix, because it does not reflect the allowed accesses, but merely the granted accesses.) This matrix incorporates a history element into the standard access control matrix. Finally, $R(s, o)$ represents $s$'s request to read $o$.
The model's first assumption is that a CD does not span two COI classes. Hence, if two objects are in the same CD, they are in the same COI class.
Axiom 7-1. For all $o, o' \in O$, if $l_2(o) = l_2(o')$, then $l_1(o) = l_1(o')$.
The contrapositive is as follows:
Lemma 7-1. For all $o, o' \in O$, if $l_1(o) \neq l_1(o')$, then $l_2(o) \neq l_2(o')$.
So two objects in different COI classes are also in different CDs.
Axiom 7-2. A subject $s$ can read an object $o$ if and only if, for all $o' \in O$ such that $H(s, o') = \mathrm{true}$, either $l_1(o') \neq l_1(o)$ or $l_2(o') = l_2(o)$.
This axiom is the CW-simple security condition: a subject can read an object if and only if it has not read objects in other datasets in the object's COI class, or if it has read objects in the object's CD. However, this rule must also hold initially for the state to be secure. So, the simplest state for which the CW-simple security condition holds is that state in which no accesses have occurred; and in that state, any requests for access should be granted. The next two axioms state this formally.
Axiom 7-3. $H(s, o) = \mathrm{false}$ for all $s \in S$ and $o \in O$ is an initially secure state.
Axiom 7-4. If for some $s \in S$ and for all $o \in O$, $H(s, o) = \mathrm{false}$, then any request $R(s, o)$ is granted.
The following theorem shows that a subject can only read the objects in a single dataset in a COI class.
Theorem 7-1. Suppose a subject $s \in S$ has read an object $o \in O$. If $s$ can read $o' \in O$, $o' \neq o$, then $l_1(o') \neq l_1(o)$ or $l_2(o') = l_2(o)$.
Proof By contradiction. Because $s$ has read $o$, $H(s, o) = \mathrm{true}$. Suppose $s$ reads $o'$; then $H(s, o') = \mathrm{true}$. Assume, contrary to the claim, that $l_1(o') = l_1(o)$ and $l_2(o') \neq l_2(o)$. Summarizing this:

$$H(s, o) = \mathrm{true}$$
$$H(s, o') = \mathrm{true}$$
$$l_1(o') = l_1(o)$$
$$l_2(o') \neq l_2(o)$$

Without loss of generality, assume that $s$ read $o$ first. Then $H(s, o) = \mathrm{true}$ when $s$ read $o'$; by Axiom 7-2, either $l_1(o') \neq l_1(o)$ or $l_2(o') = l_2(o)$. This leads to:

$$\bigl(l_1(o') \neq l_1(o) \lor l_2(o') = l_2(o)\bigr) \land \bigl(l_1(o') = l_1(o) \land l_2(o') \neq l_2(o)\bigr)$$

which is equivalent to

$$\bigl(l_1(o') \neq l_1(o) \land l_1(o') = l_1(o) \land l_2(o') \neq l_2(o)\bigr) \lor \bigl(l_2(o') = l_2(o) \land l_1(o') = l_1(o) \land l_2(o') \neq l_2(o)\bigr)$$

However, because $l_1(o') \neq l_1(o) \land l_1(o') = l_1(o)$ is false, and $l_2(o') = l_2(o) \land l_2(o') \neq l_2(o)$ is also false, this expression is false, contradicting the hypothesis.
From this, it follows that a subject can access at most one CD in each COI class.
Lemma 7-2. Suppose a subject $s \in S$ can read an object $o \in O$. Then $s$ can read no $o'$ for which $l_1(o') = l_1(o)$ and $l_2(o') \neq l_2(o)$.
Proof Initially, $s$ has read no object, so by Axioms 7-3 and 7-4, access will be granted for any object $o$. This proves the lemma for the trivial case. Now, consider another object $o'$. By Theorem 7-1, if $s$ can read $o' \in O$, $o' \neq o$, then $l_1(o') \neq l_1(o)$ or $l_2(o') = l_2(o)$. By the contrapositive, if $l_1(o') = l_1(o)$ and $l_2(o') \neq l_2(o)$, then $s$ cannot read $o'$, proving the lemma in the general case.
Suppose a single COI class has n CDs. Then at least n subjects are needed to access every object. The following theorem establishes this requirement.
Theorem 7-2. Let $c \in C$. Suppose there are $n$ objects $o_i \in O$, $1 \le i \le n$, for which $l_1(o_i) = c$ for $1 \le i \le n$, and $l_2(o_i) \neq l_2(o_j)$ for $1 \le i, j \le n$, $i \neq j$. Then for every such $o_i$ there is an $s \in S$ that can read $o_i$ if and only if $n \le |S|$.
Proof By Axiom 7-2, if a subject $s$ has read some $o_i$, it cannot read any $o_j$ with $j \neq i$, because $l_1(o_j) = l_1(o_i)$ and $l_2(o_j) \neq l_2(o_i)$. Because there are $n$ such objects, at least $n$ distinct subjects are needed to meet the conditions of the theorem. Conversely, if $n \le |S|$, a distinct subject can be assigned to each $o_i$, and by Axiom 7-4 its first read is granted.
We next add the notion of sanitizing data. Let $v(o)$ be the sanitized version of object $o$; so, for example, if $v(o) = o$, the object contains only public information. All sanitized objects are in a special CD in a COI class containing no other CD.
Axiom 7-5. $l_1(o) = l_1(v(o))$ if and only if $l_2(o) = l_2(v(o))$.
Writing is allowed only if information cannot leak indirectly between two subjects; for example, the object cannot be used as a kind of mailbox. The next axiom captures this constraint.
Axiom 7-6. A subject $s \in S$ can write to an object $o \in O$ if and only if the following conditions hold simultaneously.
1. $H(s, o) = \mathrm{true}$.
2. There is no $o' \in O$ with $H(s, o') = \mathrm{true}$, $l_2(o) \neq l_2(o')$, $l_2(o) \neq l_2(v(o))$, $l_2(o') = l_2(v(o))$, and $s$ can read $o'$.
The next definition captures the notion of "information flow" by stating that information can flow from one object to another if a subject can access both objects.
Definition 7-4. Information may flow from $o \in O$ to $o' \in O$ if there exists a subject $s \in S$ such that $H(s, o) = \mathrm{true}$ and $H(s, o') = \mathrm{true}$. This is written $(o, o')$.
Information flows even if the access is read-only, because then s can act on information contained in both objects, so in some sense information has flowed between them into a third entity (the subject).
The next theorem shows that unsanitized information is confined to its CD, but sanitized information may flow freely about the system.
Theorem 7-3. For any given system, the set of all permitted information flows is the set

$$\{ (o, o') \mid o \in O \land o' \in O \land (l_2(o) = l_2(o') \lor l_2(o) = l_2(v(o))) \}$$

Proof The set

$$F = \{ (o, o') \mid o \in O \land o' \in O \land \exists s \in S \text{ such that } (H(s, o) = \mathrm{true} \land H(s, o') = \mathrm{true}) \}$$

is the set of all information flows in the system, by Definition 7-4. Let $F^*$ be its transitive closure, which is the set of all information flows that may occur as the system changes state.
The rules banning write access constrain which of these flows will be allowed. The set of flows that Axiom 7-6 excludes are those in the set

$$X = \{ (o, o') \mid o \in O \land o' \in O \land l_2(o) \neq l_2(o') \land l_2(o) \neq l_2(v(o)) \}$$

The remaining information flows are

$$F^* - X = \{ (o, o') \mid o \in O \land o' \in O \land \lnot( l_2(o) \neq l_2(o') \land l_2(o) \neq l_2(v(o)) ) \}$$

which, by propositional logic, is equivalent to

$$F^* - X = \{ (o, o') \mid o \in O \land o' \in O \land ( l_2(o) = l_2(o') \lor l_2(o) = l_2(v(o)) ) \}$$

establishing the result.
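The sets in this proof can be computed from a concrete history matrix. The following is an added example (not code from the original text): given the entries of $H$ that are true, the projection $l_2$ and the sanitizing map $v$, it builds the flows of Definition 7-4, their transitive closure $F^*$, the excluded set $X$ as the proof defines it, and checks what remains against the theorem's characterisation. The object names, labels and history are constructed for illustration; sanitized objects are placed in a dedicated CD "public" of their own COI class, as the text stipulates before Axiom 7-5.

```python
"""Information flows in the formal Chinese Wall model (Definition 7-4, Theorem 7-3).

Added example, not code from the original text.  Labels, names and the
history matrix below are constructed for illustration.
"""

# l2(o): company dataset of each object.  Unsanitized portfolios sit in their
# company's CD; every sanitized object sits in the special CD "public".
L2 = {
    "bofa": "BankOfAmerica", "citi": "Citibank", "arco": "ARCO",
    "bofa_s": "public", "citi_s": "public", "arco_s": "public",
}
# v(o): sanitized version of o (v(o) = o when o is already sanitized).
V = {"bofa": "bofa_s", "citi": "citi_s", "arco": "arco_s",
     "bofa_s": "bofa_s", "citi_s": "citi_s", "arco_s": "arco_s"}
OBJECTS = sorted(L2)

# Constructed history: the pairs (s, o) for which H(s, o) = true.  Anthony holds
# Bank of America data plus ARCO's public report; Susan holds Citibank and ARCO
# data.  Each subject has read at most one CD per COI class, so every entry is
# a read that Axiom 7-2 would have granted.
HISTORY = {
    ("anthony", "bofa"), ("anthony", "bofa_s"), ("anthony", "arco_s"),
    ("susan", "citi"), ("susan", "arco"), ("susan", "arco_s"),
}


def flows(history):
    """F (Definition 7-4): (o, o') whenever one subject has read both objects."""
    by_subject = {}
    for s, o in history:
        by_subject.setdefault(s, set()).add(o)
    return {(o, o2) for objs in by_subject.values() for o in objs for o2 in objs}


def closure(pairs):
    """F*: transitive closure of F (Warshall), the flows that may arise over time."""
    fs = set(pairs)
    for k in OBJECTS:
        for i in OBJECTS:
            if (i, k) in fs:
                for j in OBJECTS:
                    if (k, j) in fs:
                        fs.add((i, j))
    return fs


def excluded():
    """X from the proof of Theorem 7-3: a flow out of an unsanitized object into
    a different CD, which the write rule must never let happen."""
    return {(o, o2) for o in OBJECTS for o2 in OBJECTS
            if L2[o] != L2[o2] and L2[o] != L2[V[o]]}


def permitted_flow(o, o2):
    """The theorem's characterisation: same CD, or a sanitized source."""
    return L2[o] == L2[o2] or L2[o] == L2[V[o]]


def analyse(history):
    """Return (F* - X, F* & X): the flows that may remain and the flows that the
    CW-*-property has to cut, such as Bank of America data reaching Citibank's
    analyst through ARCO's public report used as a mailbox."""
    fs = closure(flows(history))
    x = excluded()
    return fs - x, fs & x
```

Running `analyse(HISTORY)` shows the mailbox path explicitly: (bofa, citi) is not in $F$, because no single subject has read both, but it is in $F^*$ through arco_s, and it is cut by $X$; the reverse direction (arco_s, bofa) remains, since sanitized information may flow anywhere.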
The Bell-LaPadula Model and the Chinese Wall model are fundamentally different. Subjects in the Chinese Wall model have no associated security labels, whereas subjects in the Bell-LaPadula Model do have such labels. Furthermore, the Bell-LaPadula Model has no notion of "past accesses," but this notion is central to the Chinese Wall model's controls.
To emulate the Chinese Wall model using Bell-LaPadula, we assign a security category to each (COI, CD) pair. We define two security levels, S (for sanitized) and U (for unsanitized). By assumption, S dom U. Figure 7-2 illustrates this mapping for the system in Figure 7-1. Each object is transformed into two objects, one sanitized and one unsanitized.

Each subject in the Chinese Wall model is then assigned clearance for the compartments that do not contain multiple categories corresponding to CDs in the same COI class. For example, if Susan can read the Bank of America and ARCO CDs, her processes would have clearance for compartment (U, {a, n}). There are three possible clearances from the bank COI class, and four possible clearances from the gasoline company COI class, combining to give 12 possible clearances for subjects. Of course, all subjects can read all sanitized data.
The CW-simple security condition clearly holds. The CW-*-property also holds, because the Bell-LaPadula *-property ensures that the category of input objects is a subset of the category of output objects. Hence, input objects are either sanitized or in the same category (that is, the same CD) as that of the subject.
This construction shows that at any time the Bell-LaPadula Model can capture the state of a system using the Chinese Wall model. But the Bell-LaPadula Model cannot capture changes over time. For example, suppose Susan falls ill, and Anna needs to access one of the datasets to which Susan has access. How can the system know if Anna is allowed to access that dataset? The Chinese Wall model tracks the history of accesses, from which Anna's ability to access the CD can be determined. But if the corresponding category is not in Anna's clearances, the Bell-LaPadula Model does not retain the history needed to determine whether her accessing the category would violate the Chinese Wall constraints.
A second, more serious problem arises when one considers that subjects in the Chinese Wall model may choose which CDs to access; in other words, initially a subject is free to access all objects. The Chinese Wall model's constraints grow as the subject accesses more objects. However, from the initial state, the Bell-LaPadula Model constrains the set of objects that a subject can access. This set cannot change unless a trusted authority (such as a system security officer) changes subject clearances or object classifications. The obvious solution is to clear all subjects for all categories, but this means that any subject can read any object, which violates the CW-simple security condition.
Hence, the Bell-LaPadula Model cannot emulate the Chinese Wall model faithfully. This demonstrates that the two policies are distinct.
However, the Chinese Wall model can emulate the Bell-LaPadula Model; the construction is left as an exercise for the reader. (See Exercise 2.)
The Clark-Wilson model deals with many aspects of integrity, such as validation and verification, as well as access control. Because the Chinese Wall model deals exclusively with access control, it cannot emulate the Clark-Wilson model fully. So, consider only the access control aspects of the Clark-Wilson model.
The representation of access control in the Clark-Wilson model is the second enforcement rule, ER2. That rule associates users with transformation procedures and CDIs on which they can operate. If one takes the usual view that "subject" and "process" are interchangeable, then a single person could use multiple processes to access objects in multiple CDs in the same COI class. Because the Chinese Wall model would view processes independently of who was executing them, no constraints would be violated. However, by requiring that a "subject" be a specific individual and including all processes executing on that subject's behalf, the Chinese Wall model is consistent with the Clark-Wilson model.