next up previous
Next: Capability-Based Systems Up: Protection Previous: Unix

Bell LaPadula Model

This discussion is taken from HongHai Shen's thesis.

The Bell-LaPadula Model (BLM), also called the multi-level model, was proposed by Bell and LaPadula for enforcing access control in government and military applications. In such applications, subjects and objects are often partitioned into different security levels. A subject can only access objects at certain levels, determined by its own security level. For instance, the following are two typical access specifications: "Unclassified personnel cannot read data at confidential levels" and "Top-Secret data cannot be written into the files at unclassified levels". This is mandatory access control, which, according to the United States Department of Defense Trusted Computer System Evaluation Criteria, is "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (e.g., clearance) of subjects to access information of such sensitivity". The converse of mandatory access control is discretionary access control, which is defined as "a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) to any other subject".

The Bell-LaPadula model supports mandatory access control by determining the access rights from the security levels associated with subjects and objects. It also supports discretionary access control by checking access rights from an access matrix. With respect to specification, we can regard the multi-level model as adding higher-level mechanisms to the matrix model. In addition to supporting arbitrary access specifications to the access matrix, the model groups protected objects according to different security labels and decides user privileges by their authorized security clearance levels (It is awkward, though not impossible, to specify this kind of access definition using the matrix model.).

More formally, each object is associated with a security level of the form (classification level, set of categories). Each subject is also associated with a maximum and a current security level, which can be changed dynamically. The set of classification levels is ordered by a < relationship. For instance, it can be the set {top-secret, secret, confidential, unclassified}, where

unclassified < confidential < secret < top-secret

A category is a set of names such as Nuclear and NATO. Security level A dominates B if and only if A's classification level > B's classification level, and A's category set contains B's. For instance, (top-secret, {Nuclear, NATO}) dominates (secret, {NATO}) because top-secret > secret and the set {Nuclear, NATO} contains {NATO}.
In the model, an access request (subj, obj, acc) is granted if and only if all of the following properties are satisfied:

simple security property (no read up): if acc is read, then level(subj) should dominate level(obj).

*-property (no write down): if acc = append, then level(obj) should dominate level(subj); if acc = write, then level(obj) should be equal to level(subj).

discretionary security property: the (subj, obj) cell in the matrix contains acc.
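The three properties above, carried out as an added example that is not part of the notes or of Shen's thesis: a security level is a (classification, set of categories) pair, the discretionary check consults a (subject, object) access matrix, and the mandatory check applies the simple security property and the *-property. Dominance is taken as non-strict (a level dominates itself), which is the reading under which the write case (equal levels) can ever succeed; that reading and the sample subjects, objects and matrix are assumptions of the example.

```python
# Added example: a Bell-LaPadula access decision combining the mandatory
# check on (classification, categories) levels with the discretionary
# access-matrix check. Assumptions: non-strict dominance, and a matrix
# stored as a dict keyed by (subject, object) holding a set of accesses.

# Linear order of classification levels, lowest first.
CLASSIFICATIONS = ["unclassified", "confidential", "secret", "top-secret"]
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}


def dominates(a, b):
    """True if level a = (classification, categories) dominates level b."""
    class_a, cats_a = a
    class_b, cats_b = b
    return RANK[class_a] >= RANK[class_b] and set(cats_a) >= set(cats_b)


def blp_allows(subject_level, object_level, acc, subj, obj, matrix):
    """Grant (subj, obj, acc) only if all three BLP properties hold."""
    # Discretionary security property: the (subj, obj) cell must contain acc.
    if acc not in matrix.get((subj, obj), set()):
        return False
    if acc == "read":
        # Simple security property (no read up): subject dominates object.
        return dominates(subject_level, object_level)
    if acc == "append":
        # *-property (no write down): object dominates subject.
        return dominates(object_level, subject_level)
    if acc == "write":
        # *-property for write: the two levels must be equal.
        return (dominates(object_level, subject_level)
                and dominates(subject_level, object_level))
    return False  # unknown access kind: deny


# Constructed sample (hypothetical): one subject cleared secret/{NATO}.
MATRIX = {
    ("alice", "plan.txt"): {"read", "write", "append"},
    ("alice", "ts-report"): {"read", "append"},
    ("alice", "notes"): {"write", "append"},
}
ALICE = ("secret", {"NATO"})
PLAN = ("secret", {"NATO"})
TS_REPORT = ("top-secret", {"Nuclear", "NATO"})
NOTES = ("unclassified", set())
```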

Like Multics, this model has the problems of hierarchical access control and does not always support the need-to-know principle, except in rigid military situations.





Prasun Dewan
Mon Nov 4 12:08:34 EST 1996