Bell-LaPadula
No read up, no write down.
David Bell and Leonard LaPadula · 1973 · US military multilevel security
The problem it solves
Militaries put people of different clearances on one system. The danger is a secret leaking from a high level down to someone not cleared to see it. Bell-LaPadula stops that leak by controlling who can read and write at each level.
The big idea
Information can only flow up, never down: a subject reads at or below its level and writes at or above its level.
Bell-LaPadula protects confidentiality by labeling every subject with a clearance and every object with a classification, then ordering those labels on a lattice (levels with different compartments may be incomparable, so it is a partial order, not a single ranking). The mandatory rules guarantee that a secret can travel toward higher levels but can never drain to a lower one. On top of that, a discretionary access matrix adds need to know, so even a properly cleared subject only sees the objects it is explicitly allowed to touch.
The rules
You cannot read anything above your clearance.
Simple Security Property (no read up)
Why: It stops a subject from seeing secrets that sit above its clearance.
You cannot write to anything below your clearance.
Star Property (no write down)
Why: It stops a high subject, or a trojan horse running as that subject, from copying secrets down to a lower level.
A subject can only act on an object if the access matrix also grants that specific permission, on top of the level rules.
Discretionary Security Property (ds-property)
Why: It enforces need to know: clearance alone is not enough, the access matrix must also allow the access.
You can write only at your own level: no write down and no write up. Reading down is still allowed.
Strong Star Property
Why: Plain write up is allowed by the basic rules but lets a subject blindly clobber higher data it cannot see, so this stricter variant forbids it to protect integrity.
Worked example
An analyst cleared Secret on a multilevel system.
- 01 Allowed
Read a Confidential memo.
Reading down is fine. The memo sits below your clearance.
- 02 Blocked
Read a Top Secret report.
No read up. The report is above your clearance.
- 03 Allowed
Write a new Secret note.
Writing at your own level is allowed.
- 04 Blocked
Copy notes down into a Confidential file.
No write down. That could leak Secret data to a lower level.
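To make the four rules and the worked example concrete, here is an added reference-monitor sketch in Python. It is not code from this page or from Bell and LaPadula's report; the names (Level, ReferenceMonitor, the analyst, the file names, the access matrix contents) are assumptions for the illustration. It goes slightly beyond the example above: levels carry compartments as well as a rank, so the dominance check defined under Key terms is exercised on a same-rank, different-compartment object, and a flag switches between the basic star property and the strong star property.

```python
"""Bell-LaPadula reference monitor (added illustration, not the page's code).

A security level is (rank, categories). Dominance is the lattice order:
rank at least as high AND category set a superset. The monitor applies
the simple security property, the (strong) star property and then the
discretionary ds-property. All subjects, objects and matrix entries
below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

RANKS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Level:
    rank: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        """True when self >= other on the lattice."""
        return (RANKS[self.rank] >= RANKS[other.rank]
                and self.categories >= other.categories)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


@dataclass(frozen=True)
class Object:
    name: str
    classification: Level


class ReferenceMonitor:
    def __init__(self, matrix: Dict[Tuple[str, str], Set[str]],
                 strong_star: bool = False):
        # matrix[(subject, object)] -> permitted modes: the DAC / need-to-know layer
        self.matrix = matrix
        self.strong_star = strong_star

    def decide(self, s: Subject, mode: str, o: Object) -> Tuple[bool, str]:
        sl, ol = s.clearance, o.classification
        if mode == "read":
            # Simple security property: subject level must dominate object level
            if not sl.dominates(ol):
                return False, "simple security property (no read up)"
        elif mode == "write":
            if self.strong_star:
                # Strong star: write only at exactly the subject's own level
                if sl != ol:
                    return False, "strong star property (write only at own level)"
            elif not ol.dominates(sl):
                # Basic star property: object level must dominate subject level
                return False, "star property (no write down)"
        else:
            raise ValueError(f"unknown mode {mode!r}")
        # ds-property: MAC passed, but the access matrix must also grant the mode
        if mode not in self.matrix.get((s.name, o.name), set()):
            return False, "ds-property (not in access matrix)"
        return True, "allowed"


def worked_example(strong_star: bool = False) -> Dict[str, Tuple[bool, str]]:
    """Replays the page's four cases plus three extra ones (hypothetical data)."""
    analyst = Subject("analyst", Level("Secret"))
    memo = Object("memo", Level("Confidential"))
    report = Object("report", Level("Top Secret"))
    note = Object("note", Level("Secret"))
    conf_file = Object("conf_file", Level("Confidential"))
    ts_scratch = Object("ts_scratch", Level("Top Secret"))       # write-up target
    nato_cable = Object("nato_cable", Level("Secret", frozenset({"NATO"})))
    locked = Object("locked", Level("Secret"))                   # no DAC grant
    objects = [memo, report, note, conf_file, ts_scratch, nato_cable, locked]
    # Constructed access matrix: analyst may read/write everything except 'locked'
    matrix = {("analyst", o.name): {"read", "write"} for o in objects if o is not locked}
    rm = ReferenceMonitor(matrix, strong_star=strong_star)
    cases = {
        "read_memo": ("read", memo),            # 01 read down: allowed
        "read_report": ("read", report),        # 02 read up: blocked
        "write_note": ("write", note),          # 03 write at own level: allowed
        "write_conf_file": ("write", conf_file),  # 04 write down: blocked
        "write_ts_scratch": ("write", ts_scratch),  # write up: basic yes, strong no
        "read_nato_cable": ("read", nato_cable),  # same rank, missing compartment
        "read_locked": ("read", locked),        # MAC passes, DAC denies
    }
    return {name: rm.decide(analyst, mode, obj) for name, (mode, obj) in cases.items()}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"strong_star={flag}")
        for name, (ok, why) in worked_example(flag).items():
            print(f"  {name:18} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The order of the checks matters: mandatory rules fire first, then the discretionary matrix, which is why the `read_locked` case reports the ds-property even though both levels are Secret. The `read_nato_cable` case shows that dominance is not just rank comparison: a Secret clearance with no compartments does not dominate a Secret object in the NATO compartment, so the read is a read up.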
Limits and gotchas
It protects confidentiality only
Bell-LaPadula keeps secrets from leaking down but says nothing about whether data is accurate or trustworthy. Integrity is out of scope, which is exactly the gap the Biba model was built to fill.
Write up allows blind overwrite
The basic rules permit a low subject to write up to a higher object it cannot read. That subject can overwrite or corrupt data it never sees. The strong star property exists to close this hole by forbidding write up.
Covert channels are out of scope
The model controls legitimate read and write operations only. It does not address covert channels, where a high subject leaks information indirectly through timing, resource usage, or other side effects that are not formal reads or writes.
It assumes tranquility
The model assumes labels do not change during operation. If security levels can shift freely while the system runs, the proofs no longer hold. McLean's System Z critique showed that without a tranquility assumption a system can, on every access request, relabel the subject and object down to the lowest level and then grant the access: every state satisfies the properties and the security theorem still calls the system secure, yet every secret is readable by everyone, which makes the model hollow.
Trusted subjects are an unmodeled exception
Real systems must sometimes move data down, for example to declassify a sanitized report. Bell-LaPadula handles this only by carving out trusted subjects that are allowed to violate the star property. Their correctness is assumed, not proven by the model.
Key terms
- Subject
- An active entity that requests access, such as a user, process, or program acting on a user's behalf.
- Object
- A passive entity that holds information and is accessed, such as a file, record, memory segment, or device.
- Clearance
- The security level assigned to a subject. It sets the highest classification of data the subject is trusted to handle.
- Classification
- The security level assigned to an object. It marks how sensitive the information inside the object is.
- Security level
- A label that combines a hierarchical sensitivity rank (for example Confidential, Secret, Top Secret) with a set of non-hierarchical categories or compartments.
- Dominance
- The ordering between two security levels. One level dominates another when its rank is at least as high and its category set includes the other's. This is how the model compares levels.
- Mandatory access control (MAC)
- Access decided by system-wide labels and rules that ordinary users cannot override. The simple security property and star property are MAC rules.
- Discretionary access control (DAC)
- Access decided by an owner or administrator and recorded in an access matrix. The ds-property layers this need to know check on top of MAC.
- Trusted subject
- A subject permitted to break the star property under strict control, for example to declassify or move data down. It is the model's deliberate exception for controlled downgrade.
Check yourself
01 An analyst cleared Secret tries to open a Top Secret report. What does Bell-LaPadula do, and why?
02 Why does Bell-LaPadula forbid a Top Secret process from writing into a Confidential file?
03 A subject is cleared Secret and the file is classified Secret, so the level rules pass. The access is still denied. Which rule explains this?
04 What problem does the Strong Star Property fix compared to the basic star property?
Key takeaway
The one line
BLP = Confidentiality = no read up, no write down.