Bell-LaPadula model
See also Bell-La Padula security model.
The Bell-LaPadula Security Policy Model was proposed by David Bell and Len LaPadula in 1973 in response to US Air Force concerns over the security of time-sharing mainframe systems.
The Bell-LaPadula model is a formal state transition model of computer security policy that describes a set of access control rules.
In this formal model, the entities in a computer system are divided into abstract sets of subjects and objects. The notion of a secure state is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby inductively proving that the system is secure.
A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a specific security policy. In order to determine whether or not a specific access mode is allowed, the clearance of a subject is compared to the classification of the object, and a determination is made as to whether the subject is authorized for the specific access mode. The clearance/classification scheme is expressed in terms of a lattice.
Features
This security model is directed toward confidentiality (rather than data integrity) and is characterized by the phrase: "no read up, no write down". Compare Biba model and Clark-Wilson model.
With Bell-LaPadula, users can only create content at or above their own security level (researchers cleared for secret can create secret or top-secret files but may not create public files). Conversely, users can only view content at or below their own security level (researchers cleared for secret can view public or secret files, but may not view top-secret files).
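The rules above can be written as a small access check. The following is an added example, not part of the original article: it extends the linear public/secret/top-secret ordering to a lattice of level plus category set, and the `categories` field, the function names and the sample state are assumptions introduced here.

```python
from dataclasses import dataclass

# Levels named in the text, lowest to highest.
LEVELS = {"public": 0, "secret": 1, "top-secret": 2}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # compartments: assumption, not on the page

    def dominates(self, other):
        # Lattice partial order: level at least as high AND a superset of categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def may_read(subject, obj):
    # "No read up": the subject's clearance must dominate the object's classification.
    return subject.dominates(obj)

def may_write(subject, obj):
    # "No write down": the object's classification must dominate the subject's clearance.
    return obj.dominates(subject)

RULES = {"read": may_read, "write": may_write}

def violations(accesses):
    # Accesses (subject, object, mode) that break the policy; unknown modes are denied.
    return [a for a in accesses
            if a[2] not in RULES or not RULES[a[2]](a[0], a[1])]

def state_is_secure(accesses):
    # A state is secure when every current access is permitted by the policy.
    return not violations(accesses)

if __name__ == "__main__":
    # Constructed sample state.
    researcher = Label("secret", frozenset({"crypto"}))
    memo = Label("public")
    design = Label("secret", frozenset({"crypto"}))
    plan = Label("top-secret", frozenset({"crypto", "nuclear"}))
    other = Label("secret", frozenset({"nuclear"}))
    state = [(researcher, memo, "read"), (researcher, design, "write"),
             (researcher, plan, "write"), (researcher, plan, "read"),
             (researcher, memo, "write"), (researcher, other, "read")]
    for s, o, mode in violations(state):
        print("DENY", mode, s.level, sorted(s.categories), "->", o.level, sorted(o.categories))
```

Two labels at the same level with different categories are incomparable, so neither read nor write is permitted between them.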
See ITsecurity.com (2003). Bell-LaPadula Security Model. Retrieved May 19, 2004 from http://www.itsecurity.com/dictionary/bell.htm