Bell-LaPadula model
The Bell-LaPadula Model is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell, to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g., "Top Secret") down to the least sensitive (e.g., "Unclassified" or "Public").
The Bell–LaPadula model is an example of a model where there is no clear distinction of protection and security.
Features
The Bell–LaPadula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model, which describes rules for the protection of data integrity. In this formal model, the entities in an information system are divided into subjects and objects. The notion of a "secure state" is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby inductively proving that the system satisfies the security objectives of the model. The Bell–LaPadula model is built on the concept of a state machine with a set of allowable states in a computer network system. The transition from one state to another state is defined by transition functions.
A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a security policy. To determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the combination of classification and set of compartments, making up the security level) to determine if the subject is authorized for the specific access mode. The clearance/classification scheme is expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one discretionary access control (DAC) rule with three security properties:
- The Simple Security Property - a subject at a given security level may not read an object at a higher security level (no read-up).
- The ★-property (read "star"-property) - a subject at a given security level must not write to any object at a lower security level (no write-down). The ★-property is also known as the Confinement property.
- The Discretionary Security Property - use of an access matrix to specify the discretionary access control.
The transfer of information from a high-sensitivity document to a lower-sensitivity document may happen in the Bell–LaPadula model via the concept of trusted subjects. Trusted Subjects are not restricted by the ★-property. Untrusted subjects are. Trusted Subjects must be shown to be trustworthy with regard to the security policy. This security model is directed toward access control and is characterized by the phrase: "no read up, no write down." Compare the Biba model, the Clark-Wilson model and the Chinese Wall model.
With Bell-LaPadula, users can create content only at or above their own security level (i.e. secret researchers can create secret or top-secret files but may not create public files; no write-down). Conversely, users can view content only at or below their own security level (i.e. secret researchers can view public or secret files, but may not view top-secret files; no read-up).
The Bell–LaPadula model explicitly defined its scope. It did not treat the following extensively:
- Covert channels. Passing information via pre-arranged actions was described briefly.
- Networks of systems. Later modeling work did address this topic.
- Policies outside multilevel security. Work in the early 1990s showed that MLS is one version of boolean policies, as are all other published policies.
Strong ★ Property
The Strong ★ Property is an alternative to the ★-Property, in which subjects may write to objects with only a matching security level. Thus, the write-up operation permitted in the usual ★-Property is not present, only a write-to-same operation. The Strong ★ Property is usually discussed in the context of multilevel database management systems and is motivated by integrity concerns. This Strong ★ Property was anticipated in the Biba model, where it was shown that strong integrity in combination with the Bell–LaPadula model resulted in reading and writing at a single level.
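The two MAC rules listed under Features, the lattice of classification plus compartments, the trusted-subject exemption and the Strong ★ variant just described, as an added example that is not part of the original article; the class and function names are my own:

```python
# Added example (not from the article): a minimal Bell-LaPadula reference monitor.
# A security level is (classification, set of compartments); levels form a lattice
# under "dominates". Class and function names here are my own.
from dataclasses import dataclass

RANK = {"Public": 0, "Secret": 1, "Top Secret": 2}

@dataclass(frozen=True)
class Level:
    classification: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Level") -> bool:
        """Lattice order: classification at least as high AND all of the other's
        compartments present. Equal levels dominate each other."""
        return (RANK[self.classification] >= RANK[other.classification]
                and self.compartments >= other.compartments)

@dataclass
class Subject:
    name: str
    clearance: Level
    trusted: bool = False   # trusted subjects are exempt from the *-property

@dataclass
class Object:
    name: str
    level: Level

def may_read(s: Subject, o: Object) -> bool:
    """Simple Security Property (no read-up): clearance must dominate the object."""
    return s.clearance.dominates(o.level)

def may_write(s: Subject, o: Object, strong_star: bool = False) -> bool:
    """*-property (no write-down): the object's level must dominate the subject's.
    strong_star=True allows only write-to-same; trusted subjects are not bound."""
    if s.trusted:
        return True
    if strong_star:
        return o.level == s.clearance
    return o.level.dominates(s.clearance)

# Constructed entities mirroring the article's "secret researcher" example.
researcher = Subject("researcher", Level("Secret"))
downgrader = Subject("downgrader", Level("Top Secret"), trusted=True)
public_file = Object("public.txt", Level("Public"))
secret_file = Object("secret.txt", Level("Secret"))
ts_file = Object("ts.txt", Level("Top Secret"))
crypto_file = Object("crypto.txt", Level("Secret", frozenset({"CRYPTO"})))

if __name__ == "__main__":
    for o in (public_file, secret_file, ts_file, crypto_file):
        print(o.name, "read:", may_read(researcher, o), "write:", may_write(researcher, o))
```

Because levels compare by dominance rather than by classification alone, the Secret researcher cannot read the Secret/CRYPTO object without the CRYPTO compartment.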
Tranquility principle
The tranquility principle of the Bell–LaPadula model states that the classification of a subject or object does not change while it is being referenced. There are two forms to the tranquility principle: the "principle of strong tranquility" states that security levels do not change during the normal operation of the system. The "principle of weak tranquility" states that security levels may never change in such a way as to violate a defined security policy. Weak tranquility is desirable as it allows systems to observe the principle of least privilege. That is, processes start with a low clearance level regardless of their owner's clearance, and progressively accumulate higher clearance levels as actions require it.
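The weak-tranquility behaviour just described, as an added example that is not part of the original article: a process level that starts low and rises as the process reads more sensitive data (a "high-water mark"), which is my reading of the article's wording; names and the sample trace are my own.

```python
# Added example (not from the article): weak tranquility implemented as a
# "high-water mark". A process starts at the lowest level regardless of its
# owner's clearance and its current level rises as it reads more sensitive
# objects, never above that clearance. Reading the article's wording this way
# is my assumption; names are my own.
from dataclasses import dataclass

RANK = {"Public": 0, "Secret": 1, "Top Secret": 2}

def dominates(a: str, b: str) -> bool:
    return RANK[a] >= RANK[b]

@dataclass
class Process:
    owner_clearance: str
    current: str = "Public"   # starts low regardless of owner clearance

def read(p: Process, obj_level: str) -> bool:
    """Allowed only up to the owner's clearance (no read-up). On success the
    current level is raised to cover everything the process has now seen."""
    if not dominates(p.owner_clearance, obj_level):
        return False
    if dominates(obj_level, p.current):
        p.current = obj_level   # a level change that cannot violate the policy
    return True

def write(p: Process, obj_level: str) -> bool:
    """*-property judged against the accumulated current level, not the owner's
    maximum: once Secret data has been read, a Public file may not be written."""
    return dominates(obj_level, p.current)

def run_trace(owner_clearance: str, actions):
    """Replay ("read"|"write", level) actions; return decisions and final level."""
    p = Process(owner_clearance)
    decisions = [(read if op == "read" else write)(p, level) for op, level in actions]
    return decisions, p.current

# Constructed trace for an editor run by a Top Secret user.
TRACE = [("write", "Public"), ("read", "Secret"), ("write", "Public"),
         ("read", "Top Secret"), ("write", "Secret")]

if __name__ == "__main__":
    print(run_trace("Top Secret", TRACE))  # ([True, True, False, True, False], 'Top Secret')
```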
Limitations
- Only addresses confidentiality, control of writing (one form of integrity), ★-property and discretionary access control
- Covert channels are mentioned but are not addressed comprehensively
- The tranquility principle limits its applicability to systems where security levels do not change dynamically. It allows controlled copying from high to low via trusted subjects.
See also
- Biba Integrity Model
- The Clark-Wilson Integrity Model
- Discretionary Access Control - DAC
- Graham-Denning Model
- Mandatory Access Control - MAC
- Multilevel security - MLS
- Security Modes of Operation
- Take-grant protection model