Protection: Bell-Lapadula Model
by Harsh Manocha
This page is under construction.
The Bell-Lapadula Model of protection systems deals with the control
of information flow. It is a linear non-discretionary model. This model of protection consists of the following components:
The set of access rights given to a subject are the following:
- A set of subjects, a set of objects, and an access
- Several ordered security levels. Each subject has a clearance and each
object has a classification which attaches it to a security level. Each
subject also has a current clearance level which does not exceed its
clearance level. Thus a subject can only change to a clearance level
below its assigned clearance level.
Control Attribute: This is an attribute given to the subject that
creates an object. Due to this, the creator of an object can pass any of the
above four access rights of that object to any subject. However, it cannot
pass the control attribute itself. The creator of an object is also known as
the controller of that object.
- Read-Only: The subject can only read the object.
- Append : The subject can only write to the object but it cannot read.
- Execute : The subject can execute the object but can neither read
- Read-Write: The subject has both read and write permissions to the object.
Restrictions imposed by the Bell-Lapadula Model:
The following restrictions are imposed by the model:
The Bell-Lapadula model supplements the access matrix with the above
restrictions to provide access control and information flow. For instance,
if a subject has read access to an object in the access matrix, it may still
not be able to exercise this right if the object is at a security level higher
than its clearance level.
- reading down: A subject has only read access to objects whose security level
is below the subject's current clearance level. This prevents a subject from
getting access to information available in security levels higher than its
current clearance level.
- writing up: A subject has append access to objects whose security level is
higher than its current clearance level. This prevents a subject from passing
information to levels lower than its current level.
Bell and Lapadula modeled the behavior of a protection system as a finite
state machine and defined a set of state transitions that would not violate
the security of the system. The following operations gaurantee a secure
However certain conditions have to be satisfied before the above operations
can be performed. For instance, a subject can exercise give and rescind rights
to an object only if it has control attributes to that object.
- get access: Used by a subject to initiate access to an object (read, append,
execute etc )
- release access: Used by a subject to giveup an initiated access.
- give access: Controller of an object can give a particular access (to that
object) to a subject.
- rescind access: Controller of an object can revoke a designated access ( to
that object) from a subject.
- create object: Allows a subject to activate an inactive object.
- delete object: Allows a subject to deactivate an active object.
- change security level:Allows a subject to change its clearance level ( below
an initial assigned value)
Bell-Lapadula is a simple linear model that exercises access and information
flow control through the above restrictive properties and operations. However,
it has a disadvantage of security levels of objects being static. The
properties of this model might become too restrictive in cases when certain
operations are outside the context of protection system.
1) What is the effect of reading down and writing up restrictions imposed
by the Bell-Lapadula model?
2) Why is a subject's current clearance level only lower than its initial
assigned clearance level ?
3) Write down the conditions to be satisfied for each of the seven operations
to be executed.
4) Why is the Bell-Lapadula model a non-discretionary one?
Singhal,M. and Shivaratri,N.: Advanced Concepts in Operating Systems
, McGraw-Hill, 1994.
Peterson,J.L. and Silberschatz,A.: Operating System Concepts, 2nd ed, Addison Wesley, 1985.
Landwehr,C.E, Formal Models of Computer Security, ACM
Computing Surveys, Sept. 1981
Go Back to the Operating Systems Page.