Next: Capability-Based Systems Up: Protection Previous: Java Downloaded Code

Bell LaPadula Model

The Bell-LaPadula Model (BLM), also called the multi-level model, was proposed by Bell and LaPadula for enforcing access control in government and military applications. As in the ring model, it supports hierarchical access control. Unlike the ring model, it assumes that users rather than software modules are arranged in layers. The main differences from the ring architecture are that there is no notion of execute, that read, write, and append are handled differently from one another, and that instead of a one-dimensional ring number there is a two-dimensional security level.

The following discussion is taken from HongHai Shen's thesis.

In the applications for which this model is intended, subjects and objects are often partitioned into different security levels. A subject can only access objects at certain levels determined by its own security level. For instance, the following are two typical access specifications: "Unclassified personnel cannot read data at confidential levels" and "Top-Secret data cannot be written into files at unclassified levels". This kind of access control is also called mandatory access control, which, according to the United States Department of Defense Trusted Computer System Evaluation Criteria, is "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (e.g., clearance) of subjects to access information of such sensitivity". The counterpart of mandatory access control is discretionary access control, which is defined as "a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) to any other subject".

The Bell-LaPadula model supports mandatory access control by determining the access rights from the security levels associated with subjects and objects. It also supports discretionary access control by checking access rights from an access matrix.

Each object is associated with a security level of the form (classification level, set of categories). Each subject is associated with a maximum security level (its clearance) and a current security level, which the subject can change dynamically as long as the current level remains dominated by the maximum. The set of classification levels is totally ordered by a < relationship. For instance, it can be the set {top-secret, secret, confidential, unclassified}, where

unclassified < confidential < secret < top-secret

A category is a name such as Nuclear or NATO, and the category set of a level is a set of such names. Security level A dominates B if and only if A's classification level is greater than or equal to B's classification level, and A's category set is a superset of B's. For instance,

(top-secret, {Nuclear, NATO}) dominates (secret, {NATO})

because top-secret > secret and the set {Nuclear, NATO} contains {NATO}. Dominance is only a partial order: (secret, {Nuclear}) and (secret, {NATO}) dominate neither each other, so a subject at one of these levels cannot read objects at the other.
In the model, an access request (subj, obj, acc) is granted if and only if all of the following properties are satisfied, where level(subj) is the subject's current security level:

simple security property (no read up): if acc is read, then level(subj) must dominate level(obj).

*-property, called the star property (no write down): if acc is append (write-only access), then level(obj) must dominate level(subj); if acc is write (read as well as write access), then level(obj) must equal level(subj).

discretionary security property: the (subj, obj) cell in the access matrix contains acc.
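The dominance relation and the three-property access check above, as an added worked example that is not part of the original notes or of HongHai Shen's thesis. The ReferenceMonitor class, the user names alice and bob, the object names nato_plan and bulletin and the access matrix are all constructed for illustration; the classification order and the rules are the ones stated above.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Total order on classifications, lowest first (as in the notes).
CLASSIFICATIONS = ("unclassified", "confidential", "secret", "top-secret")
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}


@dataclass(frozen=True)
class Level:
    """Security level = (classification, set of categories)."""
    classification: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.classification not in RANK:
            raise ValueError(f"unknown classification: {self.classification!r}")

    def dominates(self, other: "Level") -> bool:
        # Dominance is a partial order: classification >= AND categories superset.
        # Levels with incomparable category sets dominate neither each other.
        return (RANK[self.classification] >= RANK[other.classification]
                and self.categories >= other.categories)


def level(classification: str, *categories: str) -> Level:
    return Level(classification, frozenset(categories))


class ReferenceMonitor:
    """Hypothetical reference monitor applying the three BLP properties."""

    def __init__(self) -> None:
        self.subjects: Dict[str, Tuple[Level, Level]] = {}       # name -> (maximum, current)
        self.objects: Dict[str, Level] = {}
        self.matrix: Dict[Tuple[str, str], FrozenSet[str]] = {}  # (subj, obj) -> rights

    def add_subject(self, name: str, maximum: Level, current: Optional[Level] = None) -> None:
        self.subjects[name] = (maximum, maximum)
        self.set_current_level(name, maximum if current is None else current)

    def set_current_level(self, name: str, current: Level) -> None:
        # A subject may lower its current level (e.g. to write to a less
        # sensitive object) but may never raise it above its maximum (clearance).
        maximum, _ = self.subjects[name]
        if not maximum.dominates(current):
            raise ValueError(f"{name}: current level must be dominated by maximum level")
        self.subjects[name] = (maximum, current)

    def add_object(self, name: str, lvl: Level) -> None:
        self.objects[name] = lvl

    def allow(self, subj: str, obj: str, *rights: str) -> None:
        self.matrix[(subj, obj)] = frozenset(rights)

    def decide(self, subj: str, obj: str, acc: str) -> Tuple[bool, str]:
        """Return (granted, reason). All three properties must hold."""
        if acc not in ("read", "write", "append"):
            raise ValueError(f"unknown access mode {acc!r}")
        _, current = self.subjects[subj]
        target = self.objects[obj]
        # Discretionary security property: the matrix cell must contain acc.
        if acc not in self.matrix.get((subj, obj), frozenset()):
            return False, "discretionary: right not in access matrix"
        # Simple security property (no read up): subject must dominate object.
        if acc == "read" and not current.dominates(target):
            return False, "simple security property (no read up)"
        # *-property (no write down): append needs the object to dominate the
        # subject; write (read+write) needs the two levels to be equal.
        if acc == "append" and not target.dominates(current):
            return False, "*-property (no write down)"
        if acc == "write" and current != target:
            return False, "*-property: write requires equal levels"
        return True, "granted"


def build_demo() -> ReferenceMonitor:
    """Constructed sample system: two users, two files, a fully permissive matrix,
    so that every denial below comes from the mandatory rules, not the matrix."""
    rm = ReferenceMonitor()
    rm.add_subject("alice", level("top-secret", "Nuclear", "NATO"))
    rm.add_subject("bob", level("confidential", "NATO"))
    rm.add_object("nato_plan", level("secret", "NATO"))
    rm.add_object("bulletin", level("unclassified"))
    for s in ("alice", "bob"):
        for o in ("nato_plan", "bulletin"):
            rm.allow(s, o, "read", "write", "append")
    return rm


if __name__ == "__main__":
    rm = build_demo()
    for req in [("alice", "nato_plan", "read"), ("alice", "nato_plan", "append"),
                ("bob", "nato_plan", "read"), ("bob", "nato_plan", "append")]:
        print(req, rm.decide(*req))
    # alice lowers her current level to edit (read+write) the secret plan ...
    rm.set_current_level("alice", level("secret", "NATO"))
    print(("alice", "nato_plan", "write"), rm.decide("alice", "nato_plan", "write"))
    # ... and at that level she can no longer copy it into the unclassified bulletin.
    print(("alice", "bulletin", "append"), rm.decide("alice", "bulletin", "append"))
```

The discretionary check runs first so that a missing matrix entry is reported as such; the order does not affect the decision, since all three properties must hold. Note that the mandatory rules alone let bob, cleared only to confidential, append to the secret plan without being able to read it: the model forbids flow of information downward, not upward.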

Like Multics, this model has the problems of hierarchical access control, and it does not always support the need-to-know principle except in rigid military situations.





Prasun Dewan
Tue Apr 20 15:42:22 EDT 2004