Security Model: Bell-LaPadula model

Bell-LaPadula model: This is a state machine model that describes a set of access control rules, which use security labels (classifications) on objects and clearances for subjects.
 
Security labels range from the most sensitive (Top Secret, Secret, Confidential) down to the least sensitive (Unclassified or Public). For example, TCS associates create documents that are affixed with a classification depending on the data the document contains.
 
This model stresses the confidentiality of classified objects, i.e. of objects with a classification affixed to them. The state machine concept divides the entities in a computer system into subjects (active: users, processes) and objects (passive: files, documents), and it can be formally proven that each state transition preserves security by moving from one secure state to another secure state. For example, if a document is Confidential, it moves only between TCS and the associated party, as directed by the NDA (non-disclosure agreement).
 
This model also defines a set of allowable states for the computer system, in the same sense as the mathematical state machines used to design computer programs and sequential logic circuits. A state is deemed secure if it complies with the company's security policy. Access is decided by comparing the clearance of the subject with the classification of the object: if the associate in the same project holds a clearance that dominates (is at least as high as) the document's classification, the transition is secure. Because labels are partially ordered, by level and also by compartment or category, the clearance rules are said to be lattice based.
 
The Bell-LaPadula model rests on 3 properties, namely 1. the simple security property (no read-up), 2. the *-property (no write-down) and 3. the discretionary security property.
Property 1: no read-up (simple security property)
A subject cannot read an object whose classification is higher than the subject's clearance. An associate cleared for Confidential cannot read Secret documents prepared by higher officials, e.g. a strategic Annual Income Statement, because those cannot be disclosed to lower-level officials.
Property 2: no write-down (*-property)
Suppose we have a log manager in the network which collects logs from all devices. Obviously this log manager is of great importance during a network crisis and holds the whole picture of network activity, so it is labelled system HIGH. The many ordinary processes that produce logs are of less importance and are labelled system LOW. The *-property allows a LOW process to write up to the HIGH log manager, so no logs are lost and the picture of the network stays complete. What it forbids is the opposite direction: the log manager (HIGH) must not write into a LOW object, because that would leak the aggregated picture of the network to anyone at the LOW level. This is the "no write-down" property.
Property 3: the Discretionary Security Property
Access is additionally governed by an access matrix that records which modes (read, write, and so on) each subject may exercise on each object; an access is permitted only if the matrix allows it and the two mandatory properties also hold. The matrix is discretionary, i.e. based on the identity of the subjects: if an associate (subject) has a certain type of access on an object, he/she can transfer those rights to other associates (subjects) of their choice.
 
The Bell-LaPadula confidentiality model can serve as a multi-level security model that formally specifies a kind of MAC (Mandatory Access Control) policy. For multi-level security the policy needs a trusted subject, which transfers (declassifies) information from a higher-level document to a lower-level document. Obviously the trusted subject must 1. act in accordance with the security policy of the company, or otherwise it ceases to be trusted, and 2. be exempted from the *-property ("no write-down"), since declassification is exactly the controlled write-down that the property would otherwise forbid; in an automated environment this exemption has to be confined to that one subject to maintain system security.
 
Mandatory Access Control:
In this access control the decisions are taken by a central authority rather than by the individual owner of the object. It is also called non-discretionary access control. In this scenario a subject with a lower clearance is not allowed to read a higher-classification object; this property is known as the "simple security rule" or "no read-up". Conversely, no higher-classification subject may write into a lower-classification object; this is the *-property, which keeps information within the range of levels in which it is allowed to flow. The Strong *-Property is an alternative to the *-Property in which subjects may write only to objects with a matching security level, so neither write-up nor write-down is possible.
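The three properties and the two variants of the *-property above, as an added example that is not part of the original article. It is a toy reference monitor: labels are a (level, categories) pair so that "dominates" is the lattice order the text refers to, which goes slightly beyond the text by adding categories alongside the hierarchical level. The subject, object and scenario names (the HIGH log manager, the LOW process, the trusted downgrader) are constructed for illustration.

```python
"""Toy Bell-LaPadula reference monitor (added example, not the article's code).

Labels are (level, categories); a label dominates another when its level is at
least as high AND its categories are a superset. Names and scenario constructed.
"""
from dataclasses import dataclass

# Hierarchical levels, least to most sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: level at least as high AND categories a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Subject:
    name: str
    clearance: Label
    trusted: bool = False      # trusted subjects are exempt from the *-property


@dataclass
class Obj:
    name: str
    classification: Label


class Monitor:
    """Decides every access: ds-property first, then the mandatory rules."""

    def __init__(self, strong_star=False):
        self.strong_star = strong_star
        self.matrix = {}       # (subject name, object name) -> set of modes

    def grant(self, subj, obj, mode):
        # Discretionary part: rights are handed out through the access matrix.
        self.matrix.setdefault((subj, obj), set()).add(mode)

    def _ds_allows(self, s, o, mode):
        return mode in self.matrix.get((s.name, o.name), set())

    def may_read(self, s, o):
        if not self._ds_allows(s, o, "read"):
            return False
        # Simple security property (no read-up): clearance must dominate.
        return s.clearance.dominates(o.classification)

    def may_write(self, s, o):
        if not self._ds_allows(s, o, "write"):
            return False
        if s.trusted:
            return True        # declassifier: permitted to write down by policy
        if self.strong_star:
            return s.clearance == o.classification   # same level only
        # *-property (no write-down): object must dominate the subject.
        return o.classification.dominates(s.clearance)


def demo():
    """Constructed scenario: HIGH log manager, LOW process, TOP_SECRET analyst,
    a subject in the wrong category, and a trusted downgrader."""
    high = Label("SECRET", frozenset({"OPS"}))
    low = Label("UNCLASSIFIED")
    proc = Subject("proc", low)
    logmgr = Subject("logmgr", high)
    analyst = Subject("analyst", Label("TOP_SECRET", frozenset({"OPS"})))
    hr = Subject("hr", Label("SECRET", frozenset({"HR"})))   # same level, wrong category
    downgrader = Subject("downgrader", high, trusted=True)
    logs, public = Obj("logs", high), Obj("public", low)

    def fully_granted(monitor):
        # Give everyone discretionary rights so only the mandatory rules decide.
        for s in (proc, logmgr, analyst, hr, downgrader):
            for o in (logs, public):
                monitor.grant(s.name, o.name, "read")
                monitor.grant(s.name, o.name, "write")
        return monitor

    m = fully_granted(Monitor())
    strong = fully_granted(Monitor(strong_star=True))
    nogrant = Monitor()        # empty access matrix: ds-property denies everything
    return {
        "low_proc_writes_up_to_logs": m.may_write(proc, logs),             # True
        "logmgr_writes_down_to_public": m.may_write(logmgr, public),       # False
        "low_proc_reads_logs": m.may_read(proc, logs),                     # False
        "analyst_reads_logs": m.may_read(analyst, logs),                   # True
        "analyst_writes_logs": m.may_write(analyst, logs),                 # False
        "hr_reads_logs": m.may_read(hr, logs),                             # False
        "downgrader_writes_public": m.may_write(downgrader, public),       # True
        "strong_star_proc_writes_logs": strong.may_write(proc, logs),      # False
        "strong_star_logmgr_writes_logs": strong.may_write(logmgr, logs),  # True
        "no_ds_grant_analyst_reads_logs": nogrant.may_read(analyst, logs), # False
    }
```

Note that the LOW process writing up to the HIGH log manager is allowed, which is why the log manager can collect from everything without leaking, while the analyst cleared TOP_SECRET may read the logs but not write into them (that would be a write-down). The "hr" subject shows why the order is a lattice rather than a simple ranking: equal level is not enough when the categories differ.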
 
Classification changes during use:
Whenever a subject or an object is in use, it should be in a stable state, meaning its classification does not change. If a label oscillates while data is being transferred between a subject and an object, or between subjects, an access that was legal when it was opened can silently turn into a read-up or a write-down, breaking the defined security policy and damaging confidentiality. The tranquility principle exists to control this issue.
 
Tranquility principle:
There are 2 forms of the tranquility principle: 1. the principle of strong tranquility and 2. the principle of weak tranquility.
1. Principle of strong tranquility: security labels or classifications cannot change during the normal operation of the system.
2. Principle of weak tranquility: security labels or classifications may change, but only in ways that never violate the security policy.
The principle of weak tranquility gives rise to the principle of least privilege: a process starts at a low level regardless of its owner's clearance and accumulates higher levels only as its actions require, oscillating within the allowable range to make the process viable in a particular application.
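The two tranquility forms and the least-privilege behaviour described above, as an added example that is not part of the original article. It models a system that keeps track of every access currently open; under weak tranquility a relabel (of an object, or of a subject's current level floating upward on a read) is applied only if every open access is still legal afterwards, while under strong tranquility no relabel is ever allowed and subjects must start at their full clearance. Labels are a single hierarchical level here for simplicity, and the subject and object names are constructed.

```python
"""Tranquility principle in a toy Bell-LaPadula system (added example, not the
article's code). Labels are a single level; names and scenario are constructed."""
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


def dominates(a, b):
    """a dominates b when a is at least as high as b."""
    return LEVELS[a] >= LEVELS[b]


class System:
    def __init__(self, strong_tranquility=False):
        self.strong = strong_tranquility
        self.maximum = {}    # subject -> maximum clearance
        self.current = {}    # subject -> level it is currently operating at
        self.objects = {}    # object -> classification
        self.open = set()    # (subject, object, mode) accesses held right now

    def add_subject(self, name, max_clearance):
        self.maximum[name] = max_clearance
        # Least privilege under weak tranquility: start low and float upward only
        # when needed. Strong tranquility cannot float, so it must start at max.
        self.current[name] = max_clearance if self.strong else "UNCLASSIFIED"

    def add_object(self, name, classification):
        self.objects[name] = classification

    def _state_secure(self):
        """Every open access must still satisfy no-read-up and no-write-down."""
        for s, o, mode in self.open:
            cur, cls = self.current[s], self.objects[o]
            if mode == "read" and not dominates(cur, cls):
                return False
            if mode == "write" and not dominates(cls, cur):
                return False
        return True

    def _try_relabel(self, table, key, new_label):
        """Weak tranquility: apply a label change only if the new state is secure."""
        if self.strong:
            return False             # strong tranquility: labels never change
        old = table[key]
        table[key] = new_label
        if self._state_secure():
            return True
        table[key] = old             # roll back the rejected change
        return False

    def open_access(self, s, o, mode):
        cls = self.objects[o]
        if mode == "read":
            if not dominates(self.maximum[s], cls):
                return False         # simple security: beyond the subject's clearance
            if not dominates(self.current[s], cls) and \
                    not self._try_relabel(self.current, s, cls):
                return False         # floating up would break an open write
        elif mode == "write":
            if not dominates(cls, self.current[s]):
                return False         # *-property at the subject's current level
        else:
            raise ValueError(mode)
        self.open.add((s, o, mode))
        return True

    def close_access(self, s, o, mode):
        self.open.discard((s, o, mode))

    def relabel_object(self, o, new_label):
        return self._try_relabel(self.objects, o, new_label)


def demo():
    """Constructed scenario: 'p' cleared SECRET, 'q' cleared CONFIDENTIAL,
    objects 'notes' (UNCLASSIFIED) and 'plan' (SECRET)."""
    weak = System()
    weak.add_subject("p", "SECRET")
    weak.add_subject("q", "CONFIDENTIAL")
    weak.add_object("notes", "UNCLASSIFIED")
    weak.add_object("plan", "SECRET")
    r = {}
    r["p_writes_notes"] = weak.open_access("p", "notes", "write")             # True
    # Floating p up to SECRET would turn the open write to notes into a write-down.
    r["p_reads_plan_while_writing"] = weak.open_access("p", "plan", "read")   # False
    weak.close_access("p", "notes", "write")
    r["p_reads_plan_after_close"] = weak.open_access("p", "plan", "read")     # True
    r["p_level_after_read"] = weak.current["p"]                               # "SECRET"
    r["p_writes_notes_after_read"] = weak.open_access("p", "notes", "write")  # False
    r["q_reads_notes"] = weak.open_access("q", "notes", "read")               # True
    # Upgrading notes while q still reads it would make q's read a read-up.
    r["upgrade_notes_while_q_reads"] = weak.relabel_object("notes", "SECRET")  # False
    weak.close_access("q", "notes", "read")
    r["upgrade_notes_after_q_closes"] = weak.relabel_object("notes", "SECRET")  # True
    strong = System(strong_tranquility=True)
    strong.add_subject("p", "SECRET")
    strong.add_object("notes", "UNCLASSIFIED")
    r["strong_relabel"] = strong.relabel_object("notes", "CONFIDENTIAL")      # False
    r["strong_start_level"] = strong.current["p"]                             # "SECRET"
    return r
```

The check in _state_secure is the whole point of weak tranquility: a relabel is judged against the accesses that are already open, not only against the access being requested, because those are the ones a label change can retroactively turn into a policy violation.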
 
Limitations:
1. Addresses confidentiality only; integrity is not covered (the Biba model was designed for that).
2. Covert channels are outside the model: information of a higher security class can leak through shared resources (for example timing or storage channels) that the access rules do not govern, and it can also be deduced by inference, i.e. by assembling and intelligently combining pieces of information from a lower security class.
3. The tranquility principle limits the applicability of the model: strong tranquility forbids the label changes (declassification, floating levels) that real systems need, while weak tranquility requires every change to be checked against the policy.
 
Authored by Ajit Kulkarni