FLiFnotes

September 6, 2010

What confidentiality lacks in the Bell-La Padula model

Filed under: UTCS — Tags: — Deborah Hawkins @ 11:12 am

The Bell-La Padula model (BLP) is a security model that presents a solution to one of the classic problems in security: multilevel security. BLP preserves confidentiality in the system and is a model that is still referenced today, even though it has some serious flaws.

Multilevel security (MLS) involves a set of users and a set of objects to be accessed. Both the users and the objects are classified with a hierarchical security level as well as a set of need-to-know categories. For example, you may have an “Unclassified” user trying to read a “Classified” object, or a “Classified Crypto” user trying to write a “Classified Nuclear” object.

The Bell-La Padula model defines a way of deciding whether to grant access in each of these cases. It uses a dominance relation to decide whether a certain level combined with a category set dominates some other level combined with a category set. We’ll define “Classified” as a higher level than “Unclassified”, so in the first example “Classified” (with no category) dominates “Unclassified” (with no category). I’ll ignore categories here for simplification, but in reality, for one classification to dominate another, both its level must be at least as high and its category set must include every category of the other.

Having this domination function defined, we can describe the two main properties in the Bell-La Padula model:

  • The Simple Security Property – A user can only read an object if the classification of the user dominates that of the object. (Also known as “read down” or “no read up”.)
  • The *-Property – A user can only write to an object if the classification of the object dominates that of the user. (Also known as “write up” or “no write down”.)

The reasoning behind the Simple Security Property is pretty straightforward. If you’re concerned about confidentiality, you definitely don’t want people to read anything they aren’t cleared to see. It’s the second property that raises some eyebrows. Why should a user be able to overwrite something that they can’t even read? Doesn’t this create huge issues with integrity?

The answer is simply that BLP doesn’t concern itself with integrity. But when you look at the property solely from the standpoint of confidentiality, the idea becomes a bit clearer. A user at a certain level knows information that users at lower levels don’t, so he shouldn’t be able to write anything to those lower levels. Users at a higher level, however, already know that information, so in that sense it’s okay to write to a higher level. You don’t have to worry that someone will see something they shouldn’t know about.

Another question in this model is how someone can give an order to a subordinate at a lower level. Here BLP adds the concept of trusted users. These are a special type of user who are proven trustworthy and who have the ability to write to lower levels. To me this seems like a cheap way of adding functionality that should be provided by the basic system. “How do you make sure someone is trustworthy?” seems as complex a question as “how do you make sure information isn’t written where it shouldn’t be?” Perhaps the reason for settling for the first is that it’s easier to just have a person decide the second.
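To make the dominance relation, the two properties and the trusted-user exception concrete, here is a small Python model written for this post (it is not part of the original post). The level ordering, the category names and the `trusted` flag are assumptions made for illustration; the two scenarios from the post are checked in `demo()`.

```python
from dataclasses import dataclass

# Hierarchical levels, lowest to highest (constructed ordering for this example).
LEVELS = ["Unclassified", "Classified", "Secret"]


@dataclass(frozen=True)
class Label:
    """A security label: one hierarchical level plus a set of need-to-know categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance requires BOTH conditions: the level is at least as high,
        # and the category set is a superset of the other label's categories.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple Security Property ("no read up"): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label, trusted: bool = False) -> bool:
    """*-Property ("no write down"): the object must dominate the subject.

    A trusted user (assumed flag) is exempt from the *-Property and may write
    down, which is how BLP lets a superior send an order to a subordinate.
    """
    return trusted or obj.dominates(subject)


def demo() -> dict:
    """Decisions for the post's two scenarios plus a write-down by a trusted user."""
    unclassified_user = Label("Unclassified")
    classified_obj = Label("Classified")
    crypto_user = Label("Classified", frozenset({"Crypto"}))
    nuclear_obj = Label("Classified", frozenset({"Nuclear"}))
    return {
        # "Unclassified" user reading a "Classified" object: read up, denied.
        "unclassified_reads_classified": can_read(unclassified_user, classified_obj),
        # "Classified Crypto" user writing "Classified Nuclear": same level, but
        # {Nuclear} does not include {Crypto}, so the object does not dominate.
        "crypto_writes_nuclear": can_write(crypto_user, nuclear_obj),
        # Unclassified user writing up to a Classified object: allowed.
        "unclassified_writes_classified": can_write(unclassified_user, classified_obj),
        # Classified user writing down to Unclassified: denied unless trusted.
        "classified_writes_down": can_write(Label("Classified"), Label("Unclassified")),
        "trusted_writes_down": can_write(Label("Classified"), Label("Unclassified"), trusted=True),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```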

Overall, it’s interesting to find that the Bell-La Padula model has retained such influence despite its inherent shortcomings. As we continue in my Computer Security course, I look forward to seeing how more modern models compare and how they’ve solved the integrity problem.
