
Bell LaPadula Model

By : Jihadah Binti Ahmad ST21429


- Developed by David Elliot Bell and Leonard J. LaPadula in 1974.
- Enforces access control within government and military environments.
- A model of computer security focused on confidentiality: keeping different users on different terminals on a mainframe from accessing each other's files.
- It enforces the confidentiality of access control through MLS (Multi Level Security).
- Multics (Multiplexed Information and Computing Service), an influential early time-sharing operating system, implemented the object hierarchy concept of the Bell LaPadula Model. It was discontinued in 2000. Some of its developers joined the open source community to develop Unix.

How does it work?

- The model captures the essentials of the access restrictions implied by conventional military security levels.
- Each subject and object is given a security label as a means to enforce access control rules.
- People/users/programs/processes, known as subjects, have different clearances.
- Information/documents/devices/resources, known as objects, have different classifications.
- The clearance and classification levels are arranged hierarchically as follows:

Unclassified < Confidential < Secret < Top Secret
(Note: Unclassified is the lowest level of security and Top Secret is the highest level of security)


The model defines 2 main rules:

1. Simple Security rule or ss rule
- A subject at a given security level cannot read data/access an object that resides at a higher security level.
- Known as the no read up rule.

Ex:
Bob, Access Clearance: Secret
Employees Evaluation, Classification: Top Secret
Employees Salary, Classification: Secret
Employees Biodata, Classification: Confidential
Daily Attendance Report, Classification: Unclassified


2. The *-property rule
- A subject at a given security level cannot write information to a lower security level.
- Known as the no write down rule.

Ex:
Bob, Access Clearance: Secret
Employees Report, Classification: Top Secret
Employees Report, Classification: Secret
Employees Report, Classification: Confidential
Employees Report, Classification: Unclassified

Summary Of Access Rights Given To a Subject

[Diagram: a subject with Clearance: Level i has read/write access to an object with Classification: Level i, drawn between Higher Level and Lower Level.]

- Subjects at level i have read/write access to objects at level i.
- Subjects at level i have read-only access to objects below level i.
- Subjects at level i have append access (write-only) to objects above level i.

Additional property

In certain cases the *-property is compromised via:

1. Strong *-Property: Reading and writing are only allowed at the same security level. It denies the capability of writing to a higher level.
Ex: [diagram: security subject and security object]

2. The Discretionary Security Property: Uses an access matrix to specify discretionary (available for use as needed) access control. The process is permitted through a Trusted Subject (a subject that must be shown to be trustworthy with regard to the security policy, or a subject who will never mix information from different security levels).
Ex: Moving a lower-sensitivity document (confidential) to a higher-sensitivity document (top secret) OR vice versa

Object \ Subject     Alice        Bob          Eve
Personal File        Read         Read/Write   Read
Salary File          Read/Write   Read         Read
Evaluation File      Write        Write        Write

Example of Access Matrix Table For HR Department

Limitation of the model

- Focuses on confidentiality only; does not cover integrity.
- Classification of data changes over time; how to deal with it?
- Data tends to migrate to a higher security level (due to the write up property); a trusted user has to continually downgrade it.
- Too complex: the process of assigning and enforcing a security classification for each file and user is hard to implement in real life.
- It only considers normal channels of information exchange and does not address covert channels.