What is the Bell-LaPadula Model?

A confidentiality policy, also called an information flow policy, prevents the unauthorized disclosure of information. Unauthorized alteration of information is secondary. 

For example, the navy must keep confidential the date on which a troop ship will sail. If the date is changed, the redundancy in the systems and paperwork should catch that change. But if the enemy knows the date of sailing, the ship could be sunk. 

Because of extensive redundancy in military communications channels, availability is also less of a problem.

The Bell-LaPadula Model corresponds to military-style classifications. It has influenced the development of many other models and indeed much of the development of computer security technologies. 

The simplest type of confidentiality classification is a set of security clearances arranged in a linear (total) ordering. These clearances represent sensitivity levels. The higher the security clearance, the more sensitive the information and the greater the need to keep it confidential.  

A subject has a security clearance level, such as C (for CONFIDENTIAL) or TS (for TOP SECRET). An object has a security classification level, such as S (for SECRET) or UC (for UNCLASSIFIED). When we refer to both subject clearances and object classifications, we use the term "classification".

The goal of the Bell-LaPadula security model is to prevent read access to objects at a security classification higher than the subject's clearance.

The properties of the Bell-LaPadula model are:
  • The simple security property, which is “no read up”.
  • The star property, which is “no write down”.

A problem with this model is that it does not deal with the integrity of data.
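
The two properties can be expressed as a small access check. This is an added example, not code from the original page; the subject and object names are constructed, and the ordering UC < C < S < TS is assumed.

```python
from enum import IntEnum

class Level(IntEnum):
    """Linear ordering of the levels named in the text (order assumed)."""
    UC = 0  # UNCLASSIFIED
    C = 1   # CONFIDENTIAL
    S = 2   # SECRET
    TS = 3  # TOP SECRET

# Constructed sample data: subject clearances and object classifications.
CLEARANCE = {"clerk": Level.UC, "analyst": Level.S, "admiral": Level.TS}
CLASSIFICATION = {"press_release": Level.UC, "roster": Level.C,
                  "sailing_date": Level.TS}

def decide(subject, op, obj):
    """Return True only if the request satisfies the property for `op`."""
    s = CLEARANCE.get(subject)
    o = CLASSIFICATION.get(obj)
    if s is None or o is None:
        return False      # unknown subject or object: deny
    if op == "read":
        return s >= o     # simple security property: no read up
    if op == "write":
        return s <= o     # star property: no write down
    return False          # unknown operation: deny

def audit(requests):
    """Evaluate (subject, op, object) tuples and label each one."""
    return [(r, "ALLOW" if decide(*r) else "DENY") for r in requests]

# Constructed requests, one per interesting case.
REQUESTS = [
    ("clerk", "read", "sailing_date"),       # read up
    ("admiral", "read", "sailing_date"),     # read at own level
    ("analyst", "read", "roster"),           # read down
    ("admiral", "write", "press_release"),   # write down: would disclose
    ("clerk", "write", "sailing_date"),      # write up: allowed by the model
]

if __name__ == "__main__":
    for (subject, op, obj), verdict in audit(REQUESTS):
        print(f"{verdict:5} {subject} {op} {obj}")
```

The last request is allowed: a clerk cleared only for UC may overwrite the TS sailing date, because neither property restricts writing up. That is the integrity gap noted above.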