[Bell LaPadula model] April 14, 2012

Bell LaPadula model: The Bell-LaPadula Model (BLM), also called the multi-level model, was proposed by Bell and LaPadula for enforcing access control in government and military applications. In such applications, subjects and objects are often partitioned into different security levels. A subject can only access objects at certain levels determined by its security level. For instance, the following are two typical access specifications: unclassified personnel cannot read data at confidential levels, and Top-Secret data cannot be written into files at unclassified levels.

The Bell-LaPadula model supports mandatory access control in terms of objects (tables, views, rows, columns, etc.), subjects (users, programs, etc.), security classes and clearances by determining the access rights from the security levels associated with subjects and objects. It also supports discretionary access control by checking access rights from an access matrix.

More formally, each object is associated with a security level. Each database object is assigned a security class, and each subject is assigned clearance for a security class. We denote the class of an object or subject A as class(A). The security classes in a system are organized according to a partial order, with a most secure class and a least secure class. Each subject is also associated with a maximum and a current security level, which can be changed dynamically. The set of classification levels is ordered by a < relationship. For simplicity, we assume that there are four classes: top secret (TS), secret (S), confidential (C) and unclassified (U), where U < C < S < TS. This means that class C is more secure than class U, class S is more secure than class C, and class TS is the most secure class.

The Bell-LaPadula model imposes two restrictions on all reads and writes of database objects:

- Simple Security Property: Subject S is allowed to read object Q only if class(S) ≥ class(Q). For example, a user with TS clearance can read a table with C clearance, but a user with C clearance is not allowed to read a table with TS classification.
- *-Property: Subject S is allowed to write object Q only if class(S) ≤ class(Q). For example, a user with S clearance can write only objects with S or TS classification.

The set of access rights given to a subject is the following:

- Read-Only: The subject can only read the object.
- Append: The subject can only write to the object but cannot read it.
- Execute: The subject can execute the object but can neither read nor write it.
- Read-Write: The subject has both read and write permissions to the object.

Control Attribute: This is an attribute given to the subject that creates an object. Due to this, the creator of an object can pass any of the above four access rights of that object to any subject. However, it cannot pass the control attribute itself. The creator of an object is also known as the controller of that object.

Restrictions imposed by the Bell-LaPadula Model:

The following restrictions are imposed by the model:

Reading down:
- A subject has only read access to objects whose security level is below the subject's current clearance level.
- This prevents a subject from getting access to information available in security levels higher than its current clearance level.

Writing up:
- A subject has append access to objects whose security level is higher than its current clearance level.
- This prevents a subject from passing information to levels lower than its current level.

The Bell-LaPadula model supplements the access matrix with the above restrictions to provide access control and information flow. For instance, if a subject has read access to an object in the access matrix, it may still not be able to exercise this right if the object is at a security level higher than its clearance level.


Bell and LaPadula modeled the behavior of a protection system as a finite state machine and defined a set of state transitions that would not violate the security of the system. The following operations guarantee a secure system:

- Get access: Used by a subject to initiate access to an object (read, append, execute, etc.).
- Release access: Used by a subject to give up an initiated access.
- Give access: Controller of an object can give a particular access (to that object) to a subject.
- Rescind access: Controller of an object can revoke a designated access (to that object) from a subject.
- Create object: Allows a subject to activate an inactive object.
- Delete object: Allows a subject to deactivate an active object.
- Change security level: Allows a subject to change its clearance level (below an initial assigned value).


However, certain conditions have to be satisfied before the above operations can be performed. For instance, a subject can exercise give and rescind rights to an object only if it has the control attribute for that object.

Bell-LaPadula is a simple linear model that exercises access and information flow control through the above restrictive properties and operations. However, it has the disadvantage that the security levels of objects are static. The properties of this model might also become too restrictive when certain operations are outside the context of the protection system.
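
The access-matrix check combined with the reading-down and writing-up restrictions, and the state-transition operations with their control-attribute condition, can be sketched as one small state machine. This is an added example, not code from the original document. Assumptions: all class, method and variable names; equal levels are allowed for read and append (matching the "S or TS" example); read-write requires equal levels; a level change that would make a held access insecure is refused.

```python
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}              # U < C < S < TS
RIGHTS = {"read", "append", "execute", "read-write"}    # control is not in this set

class BLP:
    """Toy Bell-LaPadula state machine; every name here is illustrative."""
    def __init__(self, obj_level, controller, max_level):
        self.obj_level = obj_level      # object -> security class (static)
        self.controller = controller    # object -> subject holding the control attribute
        self.clearance = {s: [m, m] for s, m in max_level.items()}  # [maximum, current]
        self.matrix = {}                # (subject, object) -> rights in the access matrix
        self.held = set()               # (subject, object, right) accesses in use

    def _mac_ok(self, level, obj, right):
        sl, ol = LEVELS[level], LEVELS[self.obj_level[obj]]
        # read: no reading up; append: no writing down; read-write: both, so equal
        # levels (assumption); execute neither reads nor writes, so no level check
        return {"read": sl >= ol, "append": sl <= ol, "read-write": sl == ol}.get(right, True)

    def give(self, giver, s, obj, right):
        if self.controller.get(obj) != giver or right not in RIGHTS:
            return False                # needs control; control itself cannot be passed
        self.matrix.setdefault((s, obj), set()).add(right)
        return True

    def rescind(self, giver, s, obj, right):
        if self.controller.get(obj) != giver:
            return False
        self.matrix.get((s, obj), set()).discard(right)
        self.held.discard((s, obj, right))   # assumption: revocation ends a held access
        return True

    def get_access(self, s, obj, right):
        ok = (right in self.matrix.get((s, obj), set())          # discretionary check
              and self._mac_ok(self.clearance[s][1], obj, right))  # mandatory check
        if ok:
            self.held.add((s, obj, right))
        return ok

    def release_access(self, s, obj, right):
        self.held.discard((s, obj, right))

    def change_level(self, s, new):
        mine = [(o, r) for h, o, r in self.held if h == s]
        if LEVELS[new] > LEVELS[self.clearance[s][0]]:
            return False                # may not exceed the initially assigned value
        if not all(self._mac_ok(new, o, r) for o, r in mine):
            return False                # assumption: held accesses must stay secure
        self.clearance[s][1] = new
        return True
```

With an object classified S and a subject whose current level is C, get_access for read returns False even after the controller has given that subject the read right, which is the access-matrix case described above.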
