Bell-LaPadula Model

operating-systems security

Definition

Bell-LaPadula Model

The Bell-LaPadula model is a formal information flow control model for preserving confidentiality in multilevel security systems, especially government and military systems.

Each subject and object has a security label $(L,C)$, where $L$ is a security level and $C$ is a set of categories. The labels form a lattice ordered by dominance:

$$(L_1,C_1)\ge (L_2,C_2)\text{iff}{L}_1\ge L_2\text{ and }{C}_1\supseteq C_2.$$

Its core invariant is:

$$\text{information at label }x\text{ may flow to label }y\text{ only if }x\le y.$$

Equivalently, information may stay at the same label or flow upward to a more restrictive label, but it may not flow downward.

Rules

Simple security property

A subject $S$ may read an object $O$ only if the subject’s label dominates the object’s label.

If $\lambda (S)=(L_S,C_S)$ and $\lambda (O)=(L_O,C_O)$, then read access requires:

$$L_S\ge L_O\text{and}{C}_S\supseteq C_O.$$

This is no read up plus category clearance. A subject cannot read data above its level, and it cannot read data in a category for which it is not cleared.

Star property

A subject $S$ may write to an object $O$ only if the object’s label dominates the subject’s label.

If $\lambda (S)=(L_S,C_S)$ and $\lambda (O)=(L_O,C_O)$, then write access requires:

$$L_S\le L_O\text{and}{C}_S\subseteq C_O.$$

This is no write down. A subject cannot write information to a lower level or to an object with fewer categories, because that would downgrade information.

Combined effect

The simple security property controls what a subject may observe. The star property controls where a subject may place information.

Together, they allow a subject to copy information to the same label or to a more restrictive label, but never to a less restrictive label.

Flow

Upward-only flow

For security labels $x=(L_x,C_x)$ and $y=(L_y,C_y)$, information may flow from $x$ to $y$ only when:

$$x\le y\text{iff}{L}_x\le L_y\text{ and }{C}_x\subseteq C_y.$$

Operationally:

• reading $O$ into $S$ is a flow $O\to S$, so it requires $\lambda (O)\le \lambda (S)$;
• writing from $S$ to $O$ is a flow $S\to O$, so it requires $\lambda (S)\le \lambda (O)$.

This prevents data at a label $y$ from reaching subjects or objects at any lower or less specific label $x<y$.

Scope

Confidentiality only

Bell-LaPadula is a confidentiality model. It does not by itself protect integrity, availability, or covert channels.

Examples

Read access

Assume the security levels are ordered as follows:

$$\text{Unclassified}<\text{Restricted}<\text{Confidential}<\text{Secret}<\text{Top Secret}.$$

The categories are Planes, Troops, and Submarines.

Subject	Level	Cleared categories
Sven	Secret	Submarines
Oliver	Top Secret	Planes

Object	Level	Categories
warplan	Top Secret	Troops, Submarines, Planes
runway	Confidential	Planes
sonar	Top Secret	Submarines
torpedo	Secret	Submarines

• Sven can read only torpedo: it is at the same level as Sven and its category set is contained in Sven’s clearance.
• Oliver can read only runway: it is below Oliver’s level and its category set is contained in Oliver’s clearance.
• Neither subject can read warplan, because neither is cleared for all of its categories.