
Protection: Bell-LaPadula Model

by Harsh Manocha

This page is under construction.

The Bell-LaPadula model of protection systems deals with the control of information flow. It is a non-discretionary (mandatory) model: the restrictions below are imposed by the system on every subject and cannot be waived by the owner of an object. In the form presented here the security levels are linearly ordered; the original model also allows a partial order (a lattice) of levels. This model of protection consists of the following components:

• A set of subjects, a set of objects, and an access control matrix.
• Several ordered security levels. Each subject has a clearance and each object has a classification, which attaches it to a security level. Each subject also has a current clearance level, which never exceeds its assigned clearance. Thus a subject can only change to a level at or below its assigned clearance level.

The set of access rights given to a subject are the following:

• Read-Only: The subject can only read the object.
• Append: The subject can only write to the object but cannot read it.
• Execute: The subject can execute the object but can neither read nor write it.
• Read-Write: The subject has both read and write permissions to the object.

Control Attribute: This is an attribute given to the subject that creates an object. Because of it, the creator of an object can pass any of the above four access rights to that object on to any subject. However, it cannot pass the control attribute itself. The creator of an object is also known as the controller of that object.

Restrictions imposed by the Bell-LaPadula model:

The following restrictions are imposed by the model:

• Reading down (the simple security property): A subject may read only objects whose security level is at or below the subject's current clearance level. This prevents a subject from gaining access to information at security levels higher than its current clearance level.
• Writing up (the *-property): A subject may append only to objects whose security level is at or above its current clearance level. This prevents a subject from passing information to levels lower than its current level. Read-write access therefore requires the object to be at exactly the subject's current level.

The Bell-LaPadula model supplements the access matrix with the above restrictions to provide both access control and information flow control. For instance, if a subject has read access to an object in the access matrix, it still cannot exercise this right if the object is at a security level higher than the subject's current clearance level.

Bell and LaPadula modeled the behavior of a protection system as a finite state machine and defined a set of state transitions that do not violate the security of the system. Each of the following operations, performed only when its conditions hold, preserves a secure state, so a system that starts in a secure state and uses only these transitions remains secure:

• get access: Used by a subject to initiate access to an object (read, append, execute, etc.).
• release access: Used by a subject to give up an initiated access.
• give access: The controller of an object can give a particular access (to that object) to a subject.
• rescind access: The controller of an object can revoke a designated access (to that object) from a subject.
• create object: Allows a subject to activate an inactive object.
• delete object: Allows a subject to deactivate an active object.
• change security level: Allows a subject to change its current clearance level (to a level at or below its assigned clearance).

However, certain conditions have to be satisfied before the above operations can be performed. For instance, a subject can exercise the give and rescind operations on an object only if it holds the control attribute for that object, and get access succeeds only if the right is present in the access matrix and the reading-down and writing-up restrictions hold for the subject's current level.
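The components, the reading-down and writing-up restrictions, and the seven operations with their conditions, put together as a small reference monitor. This is an added example, not code from the page or its author. The level, subject and object names are assumptions, as are two design choices the page leaves open: only the controller may delete an object, and a change of security level is refused while the subject holds an access that would be illegal at the new level.

```python
# Toy Bell-LaPadula reference monitor covering the components, the reading-down
# and writing-up restrictions and the seven operations listed above, with the
# conditions under which each is permitted. Added example, not code from the
# page or its author; level, subject and object names are assumptions.
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]  # lowest first
RANK = {name: i for i, name in enumerate(LEVELS)}
READ_ONLY, APPEND, EXECUTE, READ_WRITE = "read-only", "append", "execute", "read-write"
RIGHTS = {READ_ONLY, APPEND, EXECUTE, READ_WRITE}  # the control attribute is not one
OBSERVES = {READ_ONLY, READ_WRITE}  # modes through which a subject sees an object
ALTERS = {APPEND, READ_WRITE}       # modes through which a subject modifies an object


class Denied(Exception):
    pass


class Monitor:
    def __init__(self):
        self.subjects = {}        # name -> {"clearance": assigned max, "current": level}
        self.objects = {}         # name -> {"level": ..., "controller": creator, "active": bool}
        self.matrix = {}          # (subject, object) -> set of rights
        self.in_progress = set()  # (subject, object, right) accesses currently held

    def _controls(self, who, name):
        if self.objects[name]["controller"] != who:
            raise Denied(f"{who} lacks the control attribute for {name}")

    def _level_ok(self, current, name, right):
        # Reading down and writing up, judged against the subject's *current* level;
        # execute neither observes nor alters, so the levels do not constrain it.
        s, o = RANK[current], RANK[self.objects[name]["level"]]
        return not (right in OBSERVES and s < o) and not (right in ALTERS and s > o)

    def create_object(self, who, name, level):  # activate an inactive object
        if self.objects.get(name, {}).get("active"):
            raise Denied(f"{name} is already active")
        self.objects[name] = {"level": level, "controller": who, "active": True}
        self.matrix[(who, name)] = set(RIGHTS)  # the creator gets every right

    def delete_object(self, who, name):  # assumption: only the controller may deactivate
        self._controls(who, name)
        self.objects[name]["active"] = False

    def give_access(self, who, to, name, right):
        if right not in RIGHTS:
            raise Denied(f"{right} is not a transferable access right")
        self._controls(who, name)
        self.matrix.setdefault((to, name), set()).add(right)

    def rescind_access(self, who, frm, name, right):
        self._controls(who, name)
        self.matrix.get((frm, name), set()).discard(right)
        self.in_progress.discard((frm, name, right))

    def get_access(self, who, name, right):
        if not self.objects[name]["active"]:
            raise Denied(f"{name} is inactive")
        if right not in self.matrix.get((who, name), set()):
            raise Denied(f"{right} on {name} is not in the access matrix for {who}")
        if not self._level_ok(self.subjects[who]["current"], name, right):
            raise Denied(f"{right} on {name} violates reading down / writing up")
        self.in_progress.add((who, name, right))

    def release_access(self, who, name, right):
        self.in_progress.discard((who, name, right))

    def change_security_level(self, who, new_level):
        subj = self.subjects[who]
        if RANK[new_level] > RANK[subj["clearance"]]:
            raise Denied(f"{new_level} exceeds {who}'s assigned clearance")
        for s, o, r in self.in_progress:  # accesses already held must stay legal
            if s == who and not self._level_ok(new_level, o, r):
                raise Denied(f"{who} holds {r} on {o}, illegal at {new_level}")
        subj["current"] = new_level


def allowed(op, *args):
    # True if the monitor performs the operation, False if it raises Denied.
    try:
        op(*args)
        return True
    except Denied:
        return False


def demo():
    # One scenario; returns the monitor's decision for each step.
    m = Monitor()
    m.subjects["alice"] = {"clearance": "secret", "current": "secret"}
    m.subjects["bob"] = {"clearance": "confidential", "current": "confidential"}
    m.create_object("alice", "report", "secret")  # alice is now the controller
    m.give_access("alice", "bob", "report", READ_ONLY)
    m.give_access("alice", "bob", "report", APPEND)
    d = {"bob reads up": allowed(m.get_access, "bob", "report", READ_ONLY),
         "bob appends up": allowed(m.get_access, "bob", "report", APPEND),
         "bob gives a right": allowed(m.give_access, "bob", "bob", "report", EXECUTE),
         "alice read-write at her level": allowed(m.get_access, "alice", "report", READ_WRITE),
         "alice lowers level holding read-write": allowed(m.change_security_level, "alice", "confidential")}
    m.release_access("alice", "report", READ_WRITE)
    d["alice lowers level after release"] = allowed(m.change_security_level, "alice", "confidential")
    d["alice reads report from lower level"] = allowed(m.get_access, "alice", "report", READ_ONLY)
    d["alice above assigned clearance"] = allowed(m.change_security_level, "alice", "top_secret")
    return d
```

Running `demo()` shows the points the text makes: bob, cleared to confidential, is denied read on the secret report even though the access matrix grants it, yet may append to it (writing up); bob cannot give rights because he lacks the control attribute; alice can hold read-write only at the object's own level; and she is refused a move to a lower current level while that read-write access is in progress, succeeds after releasing it, then cannot read the report from the lower level, and can never move above her assigned clearance.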

Bell-LaPadula is a simple linear model that exercises access and information flow control through the above restrictive properties and operations. However, it has the disadvantage that the security levels of objects are static. The properties of the model may also become too restrictive when an operation the system needs, such as lowering an object's classification, has no counterpart inside the protection system.

Questions

1) What is the effect of the reading down and writing up restrictions imposed by the Bell-LaPadula model?

2) Why is a subject's current clearance level never higher than its initially assigned clearance level?

3) Write down the conditions to be satisfied for each of the seven operations to be executed.

4) Why is the Bell-LaPadula model a non-discretionary one?

References

Singhal, M. and Shivaratri, N.: Advanced Concepts in Operating Systems, McGraw-Hill, 1994.
Peterson, J.L. and Silberschatz, A.: Operating System Concepts, 2nd ed., Addison-Wesley, 1985.
Landwehr, C.E.: Formal Models of Computer Security, ACM Computing Surveys, Sept. 1981.

harsh@csgrad.cs.vt.edu


17.4 MANDATORY ACCESS CONTROL *

Discretionary access control mechanisms, while generally effective, have certain weaknesses. In particular they are susceptible to Trojan horse schemes whereby a devious unauthorized user can trick an authorized user into disclosing sensitive data. For example, suppose that student Tricky Dick wants to break into the grade tables of instructor Trustin Justin. Dick does the following:

He creates a new table called MineAllMine and gives INSERT privileges on this table to Justin (who is blissfully unaware of all this attention, of course).

He modifies the code of some DBMS application that Justin uses often to do a couple of additional things: first, read the Grades table, and next, write the result into MineAllMine.

Then he sits back and waits for the grades to be copied into MineAllMine and later undoes the modifications to the application to ensure that Justin does not somehow find out later that he has been cheated. Thus, despite the DBMS enforcing all discretionary access controls (only Justin's authorized code was allowed to access Grades), sensitive data is disclosed to an intruder. The fact that Dick could surreptitiously modify Justin's code is outside the scope of the DBMS's access control mechanism.

Mandatory access control mechanisms are aimed at addressing such loopholes in discretionary access control. The popular model for mandatory access control, called the Bell-LaPadula model, is described in terms of objects (e.g., tables, views, rows, columns), subjects (e.g., users, programs), security classes, and clearances. Each database object is assigned a security class, and each subject is assigned clearance for a security class; we will denote the class of an object or subject A as class(A). The security classes in a system are organized according to a partial order, with a most secure class and a least secure class. For simplicity, we will assume that there are four classes: top secret (TS), secret (S), confidential (C), and unclassified (U). In this system, TS > S > C > U, where A > B means that class A data is more sensitive than class B data.

The Bell-LaPadula model imposes two restrictions on all reads and writes of database objects:

1. Simple Security Property: Subject S is allowed to read object O only if class(S) ≥ class(O). For example, a user with TS clearance can read a table with C classification, but a user with C clearance is not allowed to read a table with TS classification.

2. *-Property: Subject S is allowed to write object O only if class(S) ≤ class(O). For example, a user with S clearance can only write objects with S or TS classification.

If discretionary access controls are also specified, these rules represent additional restrictions.

Thus, to read or write a database object, a user must have the necessary privileges (obtained via GRANT commands) and the security classes of the user and the object must satisfy the preceding restrictions. Let us consider how such a mandatory control mechanism might have foiled Tricky Dick. The Grades table could be classified as S, Justin could be given clearance for S, and Tricky Dick could be given a lower clearance (C). Dick can only create objects of C or lower classification; thus, the table MineAllMine can have at most the classification C. When the application program running on behalf of Justin (and therefore with clearance S) tries to copy Grades into MineAllMine, it is not allowed to do so because class(MineAllMine) < class(application), and the *-Property is violated.
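The two properties layered on top of GRANT-based discretionary checks, run through the Tricky Dick scenario in a toy DBMS. This is an added example, not code from the book or the page; the mini-DBMS API, the sample Grades row and the category names used in the incomparable-classes check are assumptions. It goes slightly beyond the text's four-level total order by representing a security class as a (level, set of categories) pair, so that the dominance check is the partial order the text mentions: two classes at the same level with different categories are incomparable, and neither may read or write the other.

```python
# The simple security property and the *-property layered on GRANT-based
# discretionary checks, run through the Tricky Dick scenario. Added example,
# not code from the book or the page. Security classes generalize the total
# order TS > S > C > U to (level, categories) pairs under dominance; the
# mini-DBMS API, the sample Grades row and the category names are assumptions.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}  # unclassified < confidential < secret < top secret


class SecClass:
    def __init__(self, level, categories=()):
        self.level, self.categories = level, frozenset(categories)

    def dominates(self, other):
        """A >= B: at least as sensitive a level and a superset of B's categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


class MACViolation(PermissionError):
    pass


class MiniDBMS:
    """Each table carries a security class; each statement runs on behalf of a user."""

    def __init__(self, mandatory=True):
        self.mandatory = mandatory  # False reproduces the discretionary-only behaviour
        self.users = {}             # name -> clearance (SecClass)
        self.tables = {}            # name -> {"owner", "class", "rows"}
        self.grants = set()         # (grantee, privilege, table)

    def create_table(self, owner, name, sec_class):
        self.tables[name] = {"owner": owner, "class": sec_class, "rows": []}

    def grant(self, grantor, privilege, table, grantee):
        if self.tables[table]["owner"] != grantor:
            raise PermissionError(f"{grantor} does not own {table}")
        self.grants.add((grantee, privilege, table))

    def _discretionary(self, user, privilege, table):
        owner_or_granted = (self.tables[table]["owner"] == user
                            or (user, privilege, table) in self.grants)
        if not owner_or_granted:
            raise PermissionError(f"{user} lacks {privilege} on {table}")

    def select(self, user, table):
        self._discretionary(user, "SELECT", table)
        # Simple security property: class(user) must dominate class(table).
        if self.mandatory and not self.users[user].dominates(self.tables[table]["class"]):
            raise MACViolation(f"{user} may not read {table}: no read up")
        return list(self.tables[table]["rows"])

    def insert(self, user, table, row):
        self._discretionary(user, "INSERT", table)
        # *-property: class(table) must dominate class(user).
        if self.mandatory and not self.tables[table]["class"].dominates(self.users[user]):
            raise MACViolation(f"{user} may not write {table}: no write down")
        self.tables[table]["rows"].append(row)


def tricky_dick(mandatory):
    """Run the scenario; return what Dick can read from MineAllMine afterwards."""
    db = MiniDBMS(mandatory)
    db.users["Justin"] = SecClass("S")
    db.users["Dick"] = SecClass("C")
    db.create_table("Justin", "Grades", SecClass("S"))
    db.insert("Justin", "Grades", ("Dick", "F"))           # constructed sample row
    db.create_table("Dick", "MineAllMine", SecClass("C"))  # at most C, as the text says
    db.grant("Dick", "INSERT", "MineAllMine", "Justin")
    try:  # Justin's trojaned application runs with Justin's clearance, S
        for row in db.select("Justin", "Grades"):          # S dominates S: allowed
            db.insert("Justin", "MineAllMine", row)        # C does not dominate S: blocked
    except MACViolation:
        pass
    return db.select("Dick", "MineAllMine")


def incomparable_classes():
    """Same level, different categories: neither side may read or write the other."""
    a, b = SecClass("S", {"crypto"}), SecClass("S", {"nuclear"})
    return a.dominates(b), b.dominates(a)
```

With `mandatory=False` the discretionary checks all pass (Justin owns Grades and holds INSERT on MineAllMine) and the grade row ends up where Dick can read it; with `mandatory=True` the same INSERT is refused by the *-property, so MineAllMine stays empty even though every GRANT is in place. Note that the check is made against the clearance the application runs with, not against who wrote its code, which is exactly why it catches the Trojan horse.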
