Protection: Bell-Lapadula Model

by Harsh Manocha

This page is under construction.

The Bell-Lapadula Model of protection systems deals with the control of information flow. It is a linear non-discretionary model. This model of protection consists of the following components:

The set of access rights given to a subject are the following:

Control Attribute: This is an attribute given to the subject that creates an object. Due to this, the creator of an object can pass any of the above four access rights of that object to any subject. However, it cannot pass the control attribute itself. The creator of an object is also known as the controller of that object.

Restrictions imposed by the Bell-Lapadula Model:

The following restrictions are imposed by the model:

The Bell-Lapadula model supplements the access matrix with the above restrictions to provide access control and information flow. For instance, if a subject has read access to an object in the access matrix, it may still not be able to exercise this right if the object is at a security level higher than its clearance level.

Bell and Lapadula modeled the behavior of a protection system as a finite state machine and defined a set of state transitions that would not violate the security of the system. The following operations gaurantee a secure system:

However certain conditions have to be satisfied before the above operations can be performed. For instance, a subject can exercise give and rescind rights to an object only if it has control attributes to that object.

Bell-Lapadula is a simple linear model that exercises access and information flow control through the above restrictive properties and operations. However, it has a disadvantage of security levels of objects being static. The properties of this model might become too restrictive in cases when certain operations are outside the context of protection system.

Questions

1) What is the effect of reading down and writing up restrictions imposed by the Bell-Lapadula model?

2) Why is a subject's current clearance level only lower than its initial assigned clearance level ?

3) Write down the conditions to be satisfied for each of the seven operations to be executed.

4) Why is the Bell-Lapadula model a non-discretionary one?

References

Singhal,M. and Shivaratri,N.: Advanced Concepts in Operating Systems , McGraw-Hill, 1994.

Peterson,J.L. and Silberschatz,A.: Operating System Concepts, 2nd ed, Addison Wesley, 1985.

Landwehr,C.E, Formal Models of Computer Security, ACM Computing Surveys, Sept. 1981

harsh@csgrad.cs.vt.edu

Go Back to the Operating Systems Page.