Bell-LaPadula Security Model

The Bell-LaPadula (BLP) Model of protection systems deals with the control of information flow. It is a linear non-discretionary model. It allows for the definition of a mandatory information flow policy and a discretionary access control policy.

The Bell-LaPadula model implements an information policy for confidentiality, and includes a protection matrix to further refine the information flow policy. The protection state, or simply state, of a computer system is a snapshot of all security-relevant information that is subject to change.

The Bell-LaPadula model of protection consists of the following components:

  • A set of subjects, a set of objects, and an access control matrix.
  • Several ordered security levels.

Each subject has a clearance and each object has a classification, which attaches it to a security level. Each subject also has a current clearance level, which does not exceed its clearance level. Thus a subject can only change its current clearance level to one that does not exceed its assigned clearance level.

The set of access rights given to a subject is the following:

  • Read-Only: The subject can only read the object.
  • Append: The subject can only write to the object but cannot read it.
  • Execute: The subject can execute the object but can neither read nor write it.
  • Read-Write: The subject has both read and write permissions to the object.

The following restrictions are imposed by the model:

  • Reading Down: A subject has only read access to objects whose security level is below the subject’s current clearance level. This prevents a subject from getting access to information available in security levels higher than its current clearance level.
  • Writing Up: A subject has append access to objects whose security level is higher than its current clearance level. This prevents a subject from passing information to levels lower than its current level.

For example, these are two typical access specifications: “Unclassified personnel cannot read data at confidential levels” and “Top-Secret data cannot be written into the files at unclassified levels”.
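The two restrictions and the access control matrix can be combined into one reference check. The following is an added example, not code from the original page. The level names, subjects, files and matrix entries are constructed for illustration. It assumes the common formulation in which access at an equal level is also allowed, read-write requires equal levels, and execute is limited only by the matrix.

```python
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

class Subject:
    def __init__(self, name, clearance):
        self.name = name
        self.clearance = clearance
        self.current = clearance          # current clearance level

    def set_current(self, level):
        # The current clearance level may never exceed the assigned clearance.
        if level > self.clearance:
            raise PermissionError(f"{self.name}: {level.name} exceeds clearance")
        self.current = level

def mandatory_ok(subject, obj_level, right):
    """Information flow check against the subject's current level."""
    if right == "read":                   # reading down
        return obj_level <= subject.current
    if right == "append":                 # writing up
        return obj_level >= subject.current
    if right == "read-write":             # both rules at once: same level only
        return obj_level == subject.current
    if right == "execute":                # assumed: no read or write flow
        return True
    raise ValueError(f"unknown access right: {right}")

def check_access(matrix, levels, subject, obj, right):
    """Grant only if the matrix entry AND the mandatory check both allow it."""
    granted = right in matrix.get((subject.name, obj), set())
    return granted and mandatory_ok(subject, levels[obj], right)

# Constructed sample state: object classifications and access control matrix.
LEVELS = {"memo.txt": Level.UNCLASSIFIED, "plan.doc": Level.CONFIDENTIAL,
          "intel.db": Level.TOP_SECRET}
MATRIX = {
    ("clerk", "plan.doc"): {"read"},
    ("clerk", "intel.db"): {"append"},
    ("analyst", "memo.txt"): {"read", "append"},
    ("analyst", "intel.db"): {"read", "read-write"},
}
```

A Top-Secret subject that lowers its current level to Unclassified gains append access to memo.txt but loses read access to intel.db until it raises the level again, which is how the current clearance level keeps high data from flowing down.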

The first contribution of the Bell-LaPadula model was to formally define what it meant for a computer system to be in a secure state. A second contribution was to prove that it is possible to construct computer systems that only exist in secure states. That is, it is possible to build a computer system and define a security policy such that for all future points in time, the system is in a secure state.

Demerits of BLP Model

  • The model focuses on protecting confidentiality only.
  • The procedure the model gives for assigning and enforcing security classifications of objects and subjects is deceptive and hard to implement in real life.
  • The security level (classification) of an object (data) changes over time, which calls for the object level to be dynamic.
  • The model has the problems of hierarchical access control and does not always support the need-to-know principle except in rigid military situations.

