SmartSeK
Model · Integrity

Clark-Wilson

Touch data only through certified programs.

David Clark and David Wilson · 1987 · Commercial and financial integrity

01

The problem it solves

Banks and businesses care less about secrecy and more about correctness. A user should never edit the ledger by hand. Clark-Wilson forces every change to go through a trusted, certified program, so the books always stay balanced.

02

The big idea

Users never touch protected data directly. They act only through certified programs, and every change is checked and recorded.

Clark-Wilson protects integrity by putting a trusted program between every user and the data that matters. The unit of access is a triple: a subject runs a certified Transformation Procedure, and that procedure is the only thing allowed to modify a Constrained Data Item. Checks confirm the data stays valid, and an append-only log records who did what, so the system can always prove the books are correct.

03

The rules

Users never touch protected data directly. They act only through certified programs, and the system records who is allowed to run which program on which data.

The access triple (subject to Transformation Procedure to Constrained Data Item)

Why: If people could edit critical data by hand, any mistake or fraud would go straight into the records with nothing in the way.

Protected data can be changed only by a well-formed transaction: a program written and approved to take the data from one valid state to another.

Transformation Procedures (TP)

Why: A trusted program enforces the business rules every time, so a change cannot leave the data half-finished or inconsistent.

Checks run to confirm the data is in a valid, consistent state, for example that the books still balance.

Integrity Verification Procedures (IVP)

Why: You need an independent way to catch corruption and prove the data is still correct, not just assume the programs behaved.

Raw, untrusted input from outside must be cleaned and validated by a program before it is allowed to become protected data.

UDI promoted to CDI

Why: Outside data cannot be trusted on arrival, so a controlled gate keeps bad input from contaminating the trusted store.

No single person controls a whole transaction from start to finish. Steps like entering, approving, and posting are split across different people.

Separation of duties

Why: Splitting a transaction means fraud or a serious error needs collusion between people, which is far harder to pull off.

Every change is written to an append-only log that itself counts as protected data, so the record of who did what cannot be quietly altered.

Logging and auditing as an append-only CDI

Why: An unchangeable trail lets you reconstruct events and hold people accountable, which only works if the log cannot be edited or erased.

04

Try it

Interactive · Clark-Wilson

  • Subject: the user

  • TP: certified program

  • CDI: protected data

The access triple: subject to TP to CDI.

05

Worked example

A clerk updating an account balance.

  1. Edit the balance directly in the database.

     A subject cannot touch a Constrained Data Item directly; the only write path is through a certified program.

     Blocked

  2. Run the certified deposit program.

     The program is a Transformation Procedure, the only legal path to the data, and the clerk is certified to run it on this ledger.

     Allowed

  3. Check that the books still balance.

     An Integrity Verification Procedure, separate from the deposit program, confirms the data is still in a valid state rather than trusting that the TP behaved.

     Allowed

  4. Approve and post the same transaction alone.

     Separation of duties: the person who entered a transaction cannot also approve and post it.

     Blocked

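The rules above and the four steps of the worked example, collected into one toy reference monitor. This is an added example, not code from the page or from the Clark-Wilson paper: the `Ledger` layout, the two TPs (`tp_enter_deposit`, `tp_post_deposit`), the subject names, the certified triples and the sample deposit record are all constructed for the illustration. It shows the enforcement side (only certified subject/TP/CDI triples run, and a TP runs all-or-nothing), the certification side as code (an IVP that reconciles a control total, a second IVP that verifies the append-only log), a UDI being promoted to a CDI or rejected, and the per-transaction separation of duty that blocks step 4. It also shows what the page's "Blocked" in step 1 means in practice: code that bypasses the monitor is not stopped by the monitor, but the IVP detects the damage.

```python
# Toy Clark-Wilson reference monitor. Added illustration, not code from the page or
# the Clark-Wilson paper; ledger layout, TPs, subjects and sample input are constructed.
from dataclasses import dataclass, field
import hashlib
import json


class IntegrityViolation(Exception):
    """Raised by the monitor, a TP or an IVP when a rule would be broken."""


@dataclass
class Ledger:
    """The CDI. Nothing outside the monitor is supposed to write to it."""
    accounts: dict = field(default_factory=dict)   # account id -> balance
    control_total: int = 0                          # sum of balances, maintained by TPs
    pending: dict = field(default_factory=dict)     # txn id -> (entered_by, account, amount)
    log: list = field(default_factory=list)         # append-only CDI, hash-chained
    seq: int = 0


def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def append_log(ledger, subject, tp, detail):
    """Every TP run, allowed or refused, is recorded; each entry commits to the previous one."""
    prev = ledger.log[-1]["hash"] if ledger.log else "0" * 64
    entry = {"seq": len(ledger.log), "subject": subject, "tp": tp, "detail": detail, "prev": prev}
    entry["hash"] = _digest(entry)   # computed before the "hash" key exists
    ledger.log.append(entry)


# IVPs: verify, never modify.
def ivp_books_balance(ledger):
    """Balances must be non-negative and reconcile with the control total."""
    return all(b >= 0 for b in ledger.accounts.values()) and \
        sum(ledger.accounts.values()) == ledger.control_total


def ivp_log_intact(ledger):
    """The log's hash chain must verify end to end; any edit or deletion breaks it."""
    prev = "0" * 64
    for entry in ledger.log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


# TPs: the only code allowed to change the CDI.
def tp_enter_deposit(ledger, subject, raw_udi):
    """Takes a UDI (raw text) and either promotes it to a pending entry or rejects it."""
    try:
        rec = json.loads(raw_udi)
        account, amount = str(rec["account"]), int(rec["amount"])
    except (ValueError, KeyError, TypeError):
        raise IntegrityViolation("malformed input")
    if amount <= 0 or account not in ledger.accounts:
        raise IntegrityViolation("input fails business rules")
    ledger.seq += 1
    txn_id = f"txn-{ledger.seq}"
    ledger.pending[txn_id] = (subject, account, amount)
    return txn_id


def tp_post_deposit(ledger, subject, txn_id):
    """Approves and posts a pending deposit. Separation of duty: the poster is not the enterer."""
    if txn_id not in ledger.pending:
        raise IntegrityViolation("unknown transaction")
    entered_by, account, amount = ledger.pending[txn_id]
    if entered_by == subject:
        raise IntegrityViolation("separation of duty: enterer may not post")
    del ledger.pending[txn_id]
    ledger.accounts[account] += amount
    ledger.control_total += amount
    return account


# Enforcement: the certified (subject, TP, CDI) relations and the monitor itself.
CERTIFIED_TPS = {"enter_deposit": tp_enter_deposit, "post_deposit": tp_post_deposit}
TRIPLES = {("clerk", "enter_deposit", "ledger"), ("clerk", "post_deposit", "ledger"),
           ("supervisor", "post_deposit", "ledger")}   # a clerk may post, but not her own entry


def run(ledger, subject, tp_name, *args):
    """The single path to the CDI: check the triple, run the TP all-or-nothing, re-verify."""
    if (subject, tp_name, "ledger") not in TRIPLES:
        append_log(ledger, subject, tp_name, "denied: no certified triple")
        raise IntegrityViolation(f"{subject} is not certified to run {tp_name}")
    snapshot = (dict(ledger.accounts), ledger.control_total, dict(ledger.pending), ledger.seq)
    try:
        result = CERTIFIED_TPS[tp_name](ledger, subject, *args)
        if not ivp_books_balance(ledger):
            raise IntegrityViolation("IVP failed after TP")
    except IntegrityViolation as exc:
        ledger.accounts, ledger.control_total, ledger.pending, ledger.seq = snapshot  # roll back
        append_log(ledger, subject, tp_name, f"rejected: {exc}")
        raise
    append_log(ledger, subject, tp_name, f"ok: {result}")
    return result


def attempt(ledger, subject, tp_name, *args):
    """'allowed' or 'blocked', mirroring the verdicts in the worked example."""
    try:
        run(ledger, subject, tp_name, *args)
        return "allowed"
    except IntegrityViolation:
        return "blocked"


def walkthrough():
    ledger = Ledger(accounts={"acct-1": 100, "acct-2": 50}, control_total=150)
    raw = '{"account": "acct-1", "amount": 25}'                  # constructed UDI
    txn = run(ledger, "clerk", "enter_deposit", raw)             # step 2: allowed
    out = {
        "clerk_posts_own": attempt(ledger, "clerk", "post_deposit", txn),        # step 4: blocked
        "bad_udi": attempt(ledger, "clerk", "enter_deposit", '{"account": "acct-1", "amount": -5}'),
        "uncertified": attempt(ledger, "intern", "post_deposit", txn),           # no triple
        "supervisor_posts": attempt(ledger, "supervisor", "post_deposit", txn),  # allowed
    }
    out["balance"] = ledger.accounts["acct-1"]
    out["ivp_clean"] = ivp_books_balance(ledger)                 # step 3
    ledger.accounts["acct-1"] += 50                              # step 1: bypassing the TP
    out["ivp_after_bypass"] = ivp_books_balance(ledger)          # the IVP catches it
    out["log_clean"] = ivp_log_intact(ledger)
    ledger.log[0]["detail"] = "nothing to see"                   # quiet edit of the log CDI
    out["log_after_edit"] = ivp_log_intact(ledger)
    return out
```

Two design points worth noting. The IVP runs inside `run` after every TP, which is stricter than the model requires (the paper certifies TPs to preserve validity and runs IVPs periodically), but it turns a buggy or backdoored TP into a rolled-back, logged rejection instead of a silently corrupted ledger. And the separation of duty here is checked per transaction inside the TP; in a stricter deployment the certified triples themselves would be chosen so that no subject holds both the entering and the posting TP.
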
06

Limits and gotchas

  • It protects integrity, not confidentiality

    Clark-Wilson is about keeping data correct and trustworthy. It does not stop someone from reading data they should not see. For secrecy you need a confidentiality model such as Bell-LaPadula.

  • It is only as good as its certified programs

    The whole model rests on the assumption that TPs and IVPs are correct. If a Transformation Procedure has a bug or a hidden backdoor, it can corrupt protected data while looking perfectly legitimate.

  • Certification is human judgment, not automatic proof

    Someone has to manually decide that each TP and IVP actually preserves integrity. The system can enforce that only certified programs run, but it cannot guarantee the certification itself was thorough or honest.

  • It is heavier to implement than simple access rules

    Wrapping every change in certified programs, splitting duties, and maintaining audit logs takes real design effort and ongoing administration. For small or low-stakes systems that overhead may not be worth it.

  • It does not by itself ensure availability

    Clark-Wilson says nothing about keeping the system up or the data reachable. Locking everything behind certified programs can even add points of failure if those programs or approvals are unavailable.

07

Key terms

Constrained Data Item (CDI)
Protected data whose integrity the system guards. It can be changed only by a certified Transformation Procedure, never by a user directly. A bank ledger is a classic example.
Unconstrained Data Item (UDI)
Data outside the protected set, such as raw user input or an external feed. It is not yet trusted and must be validated by a program before it can become a CDI.
Transformation Procedure (TP)
A certified program that is the only legal way to change protected data. It takes a CDI from one valid state to another while enforcing the business rules.
Integrity Verification Procedure (IVP)
A check that confirms the data is in a valid, consistent state, for example that totals reconcile. It verifies integrity rather than changing data.
Well-formed transaction
A change carried out by a TP so that the data moves cleanly from one consistent state to another, with no half-completed or rule-breaking results.
Separation of duties
Splitting a transaction across multiple people so no one person can complete it alone, which means fraud or major error requires collusion.
Certification rules
The high-level rules by which trusted people certify that TPs and IVPs are correct: that TPs keep CDIs valid and that IVPs truly verify integrity.
Enforcement rules
The high-level rules the system enforces automatically at runtime: only certified TPs may touch CDIs, and only authorized subjects may run a given TP.
08

Check yourself

Answer to see if you have it. Nothing is saved.

01  In Clark-Wilson, how is a user allowed to change a Constrained Data Item (CDI)?

02  What is the role of an Integrity Verification Procedure (IVP)?

03  Untrusted raw input arrives from outside the system. What must happen before it becomes protected data?

04  Why does Clark-Wilson require separation of duties and an append-only log?

09

How it connects

10

Key takeaway

The one line

Clark-Wilson = Integrity = subject to program to data. The access triple, plus separation of duties.