bell_lapadula_model (1).pdf

Upload: ashishsingh2016

Post on 04-Apr-2018


  • 7/30/2019 Bell_LaPadula_model (1).pdf

    [Bell LaPadula model] April 14, 2012

    Bell LaPadula model:

    - The Bell-LaPadula Model (BLM), also called the multi-level model, was proposed by Bell and LaPadula for enforcing access control in government and military applications.

    - In such applications, subjects and objects are often partitioned into different security levels. A subject can only access objects at certain levels determined by its security level.

    - For instance, the following are two typical access specifications: unclassified personnel cannot read data at confidential levels, and Top-Secret data cannot be written into files at unclassified levels.

    - The Bell-LaPadula model supports mandatory access control in terms of objects (tables, views, rows, columns, etc.), subjects (users, programs, etc.), security classes and clearances by determining the access rights from the security levels associated with subjects and objects.

    - It also supports discretionary access control by checking access rights from an access matrix. More formally, each object is associated with a security level.

    - Each database object is assigned a security class, and each subject is assigned clearance for a security class. We denote the class of an object or subject A as class(A).

    - The security classes in a system are organized according to a partial order, with a most secure class and a least secure class.

    - Each subject is also associated with a maximum and a current security level, which can be changed dynamically. The set of classification levels is ordered by a $<$ relationship.

    - For simplicity, we assume that there are four classes: top secret (TS), secret (S), confidential (C) and unclassified (U), where U < C < S < TS.

    - This means that class C is more secure than class U, class S is more secure than class C, and class TS is the most secure class.

    - The Bell-LaPadula model imposes two restrictions on all reads and writes of database objects:

    Simple Security Property: Subject S is allowed to read object Q only if class(S) ≥ class(Q). For example, a user with TS clearance can read a table with C classification, but a user with C clearance is not allowed to read a table with TS classification.

    *-Property: Subject S is allowed to write object Q only if class(S) ≤ class(Q). For example, a user with S clearance can write only objects with S or TS classification.

    - The set of access rights given to a subject are the following:

      - Read-Only: The subject can only read the object.
      - Append: The subject can only write to the object but it cannot read.
      - Execute: The subject can execute the object but can neither read nor write.
      - Read-Write: The subject has both read and write permissions to the object.


    Control Attribute:

    - This is an attribute given to the subject that creates an object.

    - Due to this, the creator of an object can pass any of the above four access rights of that object to any subject. However, it cannot pass the control attribute itself.

    - The creator of an object is also known as the controller of that object.

    Restrictions imposed by the Bell-LaPadula Model:

    - The following restrictions are imposed by the model:

    Reading down:

    - A subject has only read access to objects whose security level is below the subject's current clearance level.

    - This prevents a subject from getting access to information available in security levels higher than its current clearance level.

    Writing up:

    - A subject has append access to objects whose security level is higher than its current clearance level.

    - This prevents a subject from passing information to levels lower than its current level.

    - The Bell-LaPadula model supplements the access matrix with the above restrictions to provide access control and information flow control.

    - For instance, if a subject has read access to an object in the access matrix, it may still not be able to exercise this right if the object is at a security level higher than its clearance level.
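    The interplay described above between the access matrix and the level restrictions, as an added example that is not part of the original notes: a right must be present in the matrix and must also pass the level check against the subject's current level. The class names, method names and sample subjects and objects are constructed for illustration; the comparisons are the non-strict ones implied by the page's example that an S subject may write S or TS objects, and Execute is not modelled.

```python
from enum import IntEnum

Level = IntEnum("Level", "U C S TS")   # ordered U < C < S < TS, as on the page

class Subject:
    def __init__(self, name, max_level):
        self.name, self.max_level, self.current = name, max_level, max_level

    def set_current(self, level):
        # The current level can change dynamically but never exceeds the maximum.
        if level > self.max_level:
            raise PermissionError("current level above assigned maximum")
        self.current = level

class ReferenceMonitor:                # hypothetical name, not from the notes
    def __init__(self):
        self.level = {}        # object -> Level (classification)
        self.controller = {}   # object -> name of the creating subject
        self.matrix = {}       # (subject name, object) -> set of granted rights

    def create(self, subj, obj, level):
        self.level[obj] = level
        self.controller[obj] = subj.name    # creator holds the control attribute

    def give(self, giver, receiver, obj, right):
        # Only the controller may pass rights; control itself cannot be passed.
        if self.controller.get(obj) != giver.name or right == "control":
            raise PermissionError("give denied")
        self.matrix.setdefault((receiver.name, obj), set()).add(right)

    def allowed(self, subj, obj, right):
        if right not in self.matrix.get((subj.name, obj), set()):
            return False                    # discretionary check: access matrix
        s, o = subj.current, self.level[obj]
        if right == "read-only":
            return s >= o                   # simple security property
        if right == "append":
            return s <= o                   # *-property
        if right == "read-write":
            return s == o                   # must satisfy both properties
        return False                        # Execute is not modelled here

def demo():
    # Constructed scenario: alice (S) is granted both rights on both objects.
    rm = ReferenceMonitor()
    owner, alice = Subject("owner", Level.TS), Subject("alice", Level.S)
    rm.create(owner, "plans", Level.TS)
    rm.create(owner, "memo", Level.C)
    pairs = [(o, r) for o in ("plans", "memo") for r in ("read-only", "append")]
    for obj, right in pairs:
        rm.give(owner, alice, obj, right)
    return {p: rm.allowed(alice, p[0], p[1]) for p in pairs}
```

    In `demo()`, every right is present in the matrix, yet alice can only append to the TS object and only read the C object; the level check overrides the matrix grant in the other two cases.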

    - Bell and LaPadula modeled the behavior of a protection system as a finite state machine and defined a set of state transitions that would not violate the security of the system.

    - The following operations guarantee a secure system:

      - Get access: Used by a subject to initiate access to an object (read, append, execute etc.).
      - Release access: Used by a subject to give up an initiated access.
      - Give access: Controller of an object can give a particular access (to that object) to a subject.
      - Rescind access: Controller of an object can revoke a designated access (to that object) from a subject.
      - Create object: Allows a subject to activate an inactive object.
      - Delete object: Allows a subject to deactivate an active object.
      - Change security level: Allows a subject to change its clearance level (below an initially assigned value).


    - However, certain conditions have to be satisfied before the above operations can be performed.

    - For instance, a subject can exercise give and rescind rights to an object only if it has control attributes to that object.

    - Bell-LaPadula is a simple linear model that exercises access and information flow control through the above restrictive properties and operations.

    - However, it has a disadvantage of security levels of objects being static.

    - The properties of this model might become too restrictive in cases when certain operations are outside the context of the protection system.