The Bell-LaPadula (BLP) model of protection systems deals with the control of information flow. It is a linear non-discretionary model. It allows for the definition of a mandatory information flow policy and a discretionary access control policy.
The Bell-LaPadula model implements an information policy for confidentiality, and includes a protection matrix to further refine the information flow policy. The protection state, or simply state, of a computer system is a snapshot of all security-relevant information that is subject to change.
The Bell-LaPadula model of protection consists of the following components:
- A set of subjects, a set of objects, and an access control matrix.
- Several ordered security levels.
Each subject has a clearance and each object has a classification which attaches it to a security level. Each subject also has a current clearance level which does not exceed its clearance level. Thus a subject can only change to a clearance level below its assigned clearance level.
The access rights given to a subject are the following:
- Read-Only: The subject can only read the object.
- Append: The subject can only write to the object but cannot read it.
- Execute: The subject can execute the object but can neither read nor write it.
- Read-Write: The subject has both read and write permissions to the object.
The following restrictions are imposed by the model:
- Reading Down: A subject has only read access to objects whose security level is below the subject’s current clearance level. This prevents a subject from getting access to information available in security levels higher than its current clearance level.
- Writing Up: A subject has append access to objects whose security level is higher than its current clearance level. This prevents a subject from passing information to levels lower than its current level.
For example, these are two typical access specifications: “Unclassified personnel cannot read data at confidential levels” and “Top-Secret data cannot be written into the files at unclassified levels”.
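The two restrictions, combined with the access control matrix and the current clearance level, can be exercised in a small reference monitor. This is an added example, not part of the original text; the level names, the subjects `alice` and `bob`, the objects and the matrix contents are constructed. It assumes the standard formulation in which equal levels satisfy both rules, read-write therefore requires equal levels, and execute is not constrained by level.

```python
from enum import IntEnum

class Level(IntEnum):
    """Ordered security levels (constructed sample labels)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

class Subject:
    def __init__(self, name, clearance):
        self.name = name
        self.clearance = clearance
        self.current = clearance  # current clearance level, never above clearance

    def set_current(self, level):
        # A subject may only move to a level that does not exceed its clearance.
        if level > self.clearance:
            raise PermissionError(f"{self.name}: {level.name} exceeds clearance")
        self.current = level

def mandatory_ok(current, classification, right):
    """Information-flow check on levels only (the mandatory policy)."""
    if right == "read-only":   # reading down
        return classification <= current
    if right == "append":      # writing up
        return classification >= current
    if right == "read-write":  # must satisfy both rules at once (assumption)
        return classification == current
    if right == "execute":     # neither reads nor writes, so no flow (assumption)
        return True
    raise ValueError(f"unknown access right: {right}")

def check_access(subject, obj, right, classification, matrix):
    """Grant only if the matrix lists the right AND the level rules hold."""
    if right not in matrix.get((subject.name, obj), set()):
        return False  # discretionary policy denies
    return mandatory_ok(subject.current, classification[obj], right)

# Constructed sample state: object classifications and an access control matrix.
CLASSIFICATION = {"memo": Level.UNCLASSIFIED, "plan": Level.CONFIDENTIAL,
                  "dossier": Level.TOP_SECRET}
MATRIX = {
    ("alice", "memo"): {"read-only", "append"},
    ("alice", "dossier"): {"read-only", "read-write"},
    ("bob", "plan"): {"read-only", "append"},
    ("bob", "memo"): {"read-only", "read-write"},
}
```

A subject cleared to the top level can append to a low-level object only after lowering its current clearance level, at which point it loses read access to the high-level object.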
The first contribution of the Bell-LaPadula model was to formally define what it meant for a computer system to be in a secure state. A second contribution was to prove that it is possible to construct computer systems that only exist in secure states. That is, it is possible to build a computer system and define a security policy such that for all future points in time, the system is in a secure state.
Demerits of the BLP Model
- The model focuses on protecting Confidentiality only.
- The procedure the model gives for assigning and enforcing security classifications for objects and subjects is deceptive and hard to implement in real life.
- The security level (classification) of an object (data) changes over time, which calls for the object level to be dynamic.
- This model has the problems of hierarchical access control and does not always support the need-to-know principle except in rigid military situations.