In a previous post, I gave a brief introduction to mandatory access control (MAC) and discretionary access control (DAC) access models. In this article, we’ll explore an actual implementation of a MAC model, explicitly designed to protect the confidentiality of information. It’s called the Bell-LaPadula model.
Bell-LaPadula MAC model
The Bell-LaPadula model is a MAC access model that was designed to satisfy very narrow requirements, but to satisfy them in the most formally correct way. The requirement to be met was to enforce the confidentiality of information, and the design method was to adopt formal techniques so that it was provably secure. Technically, this is done through a device called a state machine, but we can ignore those details for this article.
Let’s first frame the discussion, and define the following security levels. Note that the model doesn’t care what the security levels are; these are just examples. The model does assume, though, that the security levels are hierarchical in nature.

The model adopts two principles:
- Principals at a given security level cannot read resources at a higher security level. This is called the Simple Security Property.
- Principals at a given security level cannot write to resources at a lower security level. This is called the Star Security Property.
The second principle says that you cannot write to a security level lower than your own, but interestingly, you can read from it. So again, if you’re a secret agent with a clearance of “highly classified”, you are able to write to “super classified” and “super-super classified” even though you cannot read them. This at first seems a bit odd, but it’s best to think it through by example: if you’ve got a security clearance of a particular level, preventing write-downs stops confidential information from leaking to a lower security level. Further, being able to write up allows you to exchange confidential information with people above your clearance but still get assurance that no one can read it. A great example is a secret agent wanting to send a message back to headquarters. This rule can be thought of as “no write down”.
Together, the Bell-LaPadula Model can be summarized as no reading up, no writing down. If you do this, you’re enforcing confidentiality.
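An added example (not from the original article) that models the two rules as a small reference monitor and then traces where information can end up once reads and writes are chained. The subject and object names are constructed, and treating the three level names quoted above as the complete hierarchy is an assumption of the example.

```python
from itertools import product

# Lowest level first. The names come from the article; using them as the
# full hierarchy is an assumption made for this example.
LEVELS = ["highly classified", "super classified", "super-super classified"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def can_read(subject_level, object_level):
    """Simple Security Property: no read up."""
    return RANK[subject_level] >= RANK[object_level]

def can_write(subject_level, object_level, enforce_star=True):
    """Star Security Property: no write down (skipped when enforce_star is False)."""
    return not enforce_star or RANK[subject_level] <= RANK[object_level]

def downward_flows(subjects, objects, enforce_star=True):
    """Return (source, destination) object pairs where data reaches a lower level.

    Data flows from object a to object b when one subject may read a and
    write b. Flows are chained transitively, so a leak that needs several
    cooperating (or compromised) subjects is found as well.
    """
    flows = {
        (a, b)
        for s, a, b in product(subjects, objects, objects)
        if a != b
        and can_read(subjects[s], objects[a])
        and can_write(subjects[s], objects[b], enforce_star)
    }
    changed = True
    while changed:  # transitive closure over the flow graph
        changed = False
        for (a, b), (c, d) in product(list(flows), repeat=2):
            if b == c and a != d and (a, d) not in flows:
                flows.add((a, d))
                changed = True
    return sorted((a, b) for a, b in flows if RANK[objects[a]] > RANK[objects[b]])

# Constructed sample principals and resources, one per level.
SUBJECTS = {"field_agent": LEVELS[0], "analyst": LEVELS[1], "director": LEVELS[2]}
OBJECTS = {"field_report": LEVELS[0], "case_file": LEVELS[1], "hq_orders": LEVELS[2]}

if __name__ == "__main__":
    print("both rules enforced:", downward_flows(SUBJECTS, OBJECTS))
    print("no star property:   ", downward_flows(SUBJECTS, OBJECTS, enforce_star=False))
```

With both rules enforced the list of downward flows is empty; dropping only the Star Security Property lets every higher-level object reach a lower one, even though no principal ever reads above its own level.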

Shortfalls of the model
The Bell-LaPadula Model correctly enforces confidentiality and protects the sensitive nature of the information it covers. Importantly though, it’s rarely used by itself, because it has a few shortcomings:
- It does not enforce integrity
- It does not protect against covert channels