The Speci cation and Implementation of ` Commercial ' Security RequirementsIncluding

A framework for the speciication of security policies is proposed. It can used to formally specify conndentiality and integrity policies, the latter can be given in terms of Clark-Wilson style access triples. The framework extends the Clark-Wilson model in that it can be used to specify dynamic segregation of duty. For application systems where security is critical, a mul-tilevel security based approach is deened. Security policies for less critical applications can be implemented using standard Unix based systems. Both implementation strategies are based on the standard protection mechanisms that are provided by the respective systems. 1 Introduction Clark and Wilson 6] propose a model for (integrity) security that can be used for systems where security is enforced across both the operating system and the application systems. Their model is based on commercial data processing practices and can be used as a basis for evaluating the security of a complete application system. It's operating-system security requirements can be captured in terms of multilevel security (MLS), and can therefore be implemented and evaluated usingèxisting technology' 14, 18]. However, 15] argues that, whereas the Clark-Wilson model considers static segregation of duty, it does not consider the formalization of dynamic segregation of duty. In this paper, we describe a framework in which security policies, including dynamic segregation of duty, can be expressed. By expressing dynamic segregation of duty in terms of relabeling policies 11], it becomes possible to use the results in 14, 18] for implementation and evaluation of these policies. Our framework also provides a basis for policy re-nement and composition 10]. These can be used in the development of complex policies which may include combinations of integrity and conndentiality requirements spread across diierent applications. MLS systems are typically used when security is critical; a high degree of assurance is required that the security policy is upheld. For application systems that are less security critical, 16] outlines how they can be supported by a standard Unix system according to the Clark-Wilson model. We