Chinese Wall Policies

Lecturer: Professor Fred B. Schneider

Lecture notes by Michael Clarkson
based in part on notes by Lynette I. Millett
from lectures by Professor Fred B. Schneider


This lecture is based in part on:

Pierangela Samarati and Sabrina De Capitani di Vimercati.  Access Control:  Policies, Models, and Mechanisms.  In Foundations of Security Analysis and Design: Tutorial Lectures, Lecture Notes in Computer Science, vol. 2171, pp. 137-193, 2001.



Chinese Wall Policies

Consider an investment bank.  It employs consultants who both advise and analyze companies.  When advising, such consultants learn secret information about a company's finances that should not be shared with the public.  The consultant could exploit this insider information while performing analysis, to profit either himself or other clients.  Such abuse is prohibited by law.

Brewer and Nash (1989) developed a MAC policy for this scenario, calling it Chinese Wall by analogy to the Great Wall of China.  The intuition is that an unbreachable wall is erected between different parts of the same company; no information may pass over or through the wall.  In the Chinese Wall policy, we (as usual) have objects, subjects, and users.  However, objects are now grouped into company datasets (CDs).  For example, an object might be a file, and a company dataset would then be all of the files related to a single company.  Company datasets are themselves grouped into conflict of interest classes (COIs).  For example, one COI might be the set of all companies in the banking industry, and another COI might be all the companies in the oil industry.

The original security conditions for Chinese Wall given by Brewer and Nash were overly restrictive, and we omit them here.  Sandhu (1992) later gave the following (less restrictive) conditions.  Note that these conditions require tracking the set of objects read by each user and each subject.

  1. A user U may read object O only if U has never read any object O' such that:

    1. COI(O) = COI(O'), and

    2. CD(O) ≠ CD(O').

  2. A subject S associated with user U may read object O only if U may read O.

  3. A subject S may write object O only if:

    1. S may read O, and

    2. S has never read an object O' such that CD(O) ≠ CD(O').

The first two conditions guarantee that a single user never breaches the wall by reading information from two different CDs within the same COI.  The third condition guarantees that two or more users never cooperatively breach the wall by performing a series of read and write operations.  Suppose that S1 has previously read from CD1, and S2 has previously read from CD2.  Consider the following sequence of operations, based on the figure above.

At the end of this sequence, S2 would have read information pertaining to both CD1 and CD2, which would violate the Chinese Wall policy since both CDs are in the same COI.  But Condition 3b prevents the write operation by restricting when a subject may write:  once a subject reads two objects from different CDs, that subject may never write any object.  So for read-write access, a user must create a distinct subject for each CD.  For read-only access, a user can create a single subject to read from several COIs.
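The three conditions can be checked mechanically by a reference monitor that keeps the read history of each user and each subject.  The sketch below is an added example, not part of the original lecture notes; the class name, method names, and the sample objects, CDs, COIs and users are all constructed for illustration, and CD names are assumed to be unique across COIs.

```python
class ChineseWall:
    """Reference monitor for Conditions 1-3 (hypothetical class, not from the notes)."""
    def __init__(self, labels):
        self.labels = labels      # object -> (COI, CD); CD names assumed globally unique
        self.owner = {}           # subject -> user
        self.user_reads = {}      # user -> objects read by any of the user's subjects
        self.subject_reads = {}   # subject -> objects read by that subject

    def create_subject(self, subject, user):
        self.owner[subject] = user
        self.user_reads.setdefault(user, set())
        self.subject_reads[subject] = set()

    def user_may_read(self, user, obj):
        # Condition 1: no earlier read in the same COI but a different CD.
        coi, cd = self.labels[obj]
        return not any(self.labels[o][0] == coi and self.labels[o][1] != cd
                       for o in self.user_reads[user])

    def may_read(self, subject, obj):
        # Condition 2: a subject inherits its user's read restriction.
        return self.user_may_read(self.owner[subject], obj)

    def may_write(self, subject, obj):
        # Condition 3: readable (3a), and every object read so far is in CD(obj) (3b).
        cd = self.labels[obj][1]
        return self.may_read(subject, obj) and all(
            self.labels[o][1] == cd for o in self.subject_reads[subject])

    def read(self, subject, obj):
        if not self.may_read(subject, obj):
            return False
        self.subject_reads[subject].add(obj)   # history is what the policy tracks
        self.user_reads[self.owner[subject]].add(obj)
        return True

def demo():
    # Constructed sample data: two banks share a COI, one oil company is in another.
    m = ChineseWall({"O1": ("banks", "BankA"), "O2": ("banks", "BankB"),
                     "O3": ("oil", "OilC")})
    for s, u in (("S1", "alice"), ("S2", "bob"), ("S3", "bob")):
        m.create_subject(s, u)
    return [m.read("S1", "O1"),       # True
            m.read("S2", "O2"),       # True
            m.may_write("S1", "O3"),  # False: 3b, S1 has read BankA data
            m.read("S2", "O3"),       # True: different COI
            m.read("S1", "O2"),       # False: Condition 1
            m.may_write("S2", "O2"),  # False: S2 has read from two CDs
            m.may_write("S3", "O3")]  # True: fresh subject, no read history
```

The third call is the cooperative leak that Condition 3b exists to stop: without it, S1 could copy BankA data into O3, where S2 (which has already read BankB data) is allowed to read it.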