Bell-LaPadula Model

Definition

Bell-LaPadula Model

The Bell-LaPadula model is a formal information flow control model based on security classifications (e.g., Top Secret, Secret, Confidential, Unclassified). It enforces confidentiality by preventing information from flowing from a higher security level to a lower one.

A security classification $SC$ forms a lattice where $S C_{1} \geq S C_{2}$ means $S C_{1}$ dominates $S C_{2}$ (is more restrictive).

Access Rules

Simple Security Property (No Read Up)

Subject $S$ may read object $O$ only if $SC (S) \geq SC (O)$ .

A subject cannot read data at a higher security level than its own clearance.

*-Property (No Write Down)

Subject $S$ may write to object $O$ only if $SC (S) \leq SC (O)$ .

A subject cannot write data to a lower security level than its own clearance.

Combined Effect

The Simple Security Property prevents unauthorized disclosure (reading secrets you should not see). The *-Property prevents unintentional leakage (copying secrets to unsecured locations). Together, they ensure information flows only upward or stays at the same level.

Information Flow

Upward-Only Flow

Information may flow from level $L$ to level $H$ if and only if $L \leq H$ . The Bell-LaPadula rules ensure:

Read: $S \leftarrow O$ requires $SC (S) \geq SC (O)$ (downward read)

Write: $S \to O$ requires $SC (S) \leq SC (O)$ (upward write)

This guarantees that data at level $H$ cannot reach subjects or objects at level $L < H$ .

Lukas' Notes

Bell-LaPadula Model

Definition

Access Rules

Information Flow

Graph View

Table of Contents

Backlinks