The Bell-La Padula Model

[Figure: users and documents arranged by security level, from Top Secret down through Secret and Confidential to Unclassified]
How the BLP Model Works

• Each object, x, is assigned to a security level, L(x). Similarly, each user, u, is assigned to a security level, L(u). Access to objects by users is controlled by the following two rules:
  – Simple security property. A user u can read an object x only if L(x) ≤ L(u).
  – *-property. A user u can write (create, edit, or append to) an object x only if L(u) ≤ L(x).
• The simple security property is also called the "no read up" rule, as it prevents users from viewing objects with security levels higher than their own.
• The *-property is also called the "no write down" rule. It is meant to prevent propagation of information to users with a lower security level: a user who has read a high-level object must not be able to copy its contents into an object that lower-level users can read.
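The two rules as an executable check, in Python. This is an added example, not part of the original slides: the four levels, the users alice and bob, the objects war_plans and cafeteria_menu, and the small ReferenceMonitor class are all constructed for illustration. The demo shows the point of the *-property: alice (Secret) can read war_plans, but the monitor refuses to let her append what she read into the Unclassified menu, while bob (Unclassified) may "write up" into war_plans yet may not read it.

```python
from enum import IntEnum


class Level(IntEnum):
    """Linearly ordered security levels, lowest to highest (constructed for this example)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def can_read(user_level: Level, object_level: Level) -> bool:
    """Simple security property ("no read up"): allow iff L(x) <= L(u)."""
    return object_level <= user_level


def can_write(user_level: Level, object_level: Level) -> bool:
    """*-property ("no write down"): allow iff L(u) <= L(x)."""
    return user_level <= object_level


class AccessDenied(Exception):
    pass


class ReferenceMonitor:
    """Hypothetical in-memory monitor that mediates every access with the two BLP rules.

    Objects are stored as name -> (level, list of appended records).
    """

    def __init__(self):
        self.users: dict[str, Level] = {}
        self.objects: dict[str, tuple[Level, list[str]]] = {}

    def add_user(self, name: str, level: Level) -> None:
        self.users[name] = level

    def add_object(self, name: str, level: Level, contents=()) -> None:
        self.objects[name] = (level, list(contents))

    def read(self, user: str, obj: str) -> list[str]:
        lu, (lx, data) = self.users[user], self.objects[obj]
        if not can_read(lu, lx):
            raise AccessDenied(f"{user} ({lu.name}) may not read {obj} ({lx.name})")
        return list(data)

    def append(self, user: str, obj: str, record: str) -> None:
        lu, (lx, data) = self.users[user], self.objects[obj]
        if not can_write(lu, lx):
            raise AccessDenied(f"{user} ({lu.name}) may not write {obj} ({lx.name})")
        data.append(record)


def attempt(fn, *args) -> str:
    """Run one access and report 'allowed' or 'denied' instead of raising."""
    try:
        fn(*args)
        return "allowed"
    except AccessDenied:
        return "denied"


def demo() -> dict:
    rm = ReferenceMonitor()
    rm.add_user("alice", Level.SECRET)
    rm.add_user("bob", Level.UNCLASSIFIED)
    rm.add_object("war_plans", Level.SECRET, ["invade at dawn"])      # constructed sample data
    rm.add_object("cafeteria_menu", Level.UNCLASSIFIED, ["soup"])     # constructed sample data

    results = {}
    # Reads: alice may read at or below SECRET; bob may not read up.
    results["alice reads war_plans"] = attempt(rm.read, "alice", "war_plans")
    results["alice reads cafeteria_menu"] = attempt(rm.read, "alice", "cafeteria_menu")
    results["bob reads war_plans"] = attempt(rm.read, "bob", "war_plans")
    # Writes: the *-property stops alice from copying a SECRET fact into an
    # UNCLASSIFIED object, but lets bob "write up" (a blind append) into war_plans.
    secret = rm.read("alice", "war_plans")[0]
    results["alice writes down to cafeteria_menu"] = attempt(rm.append, "alice", "cafeteria_menu", secret)
    results["alice writes war_plans"] = attempt(rm.append, "alice", "war_plans", "bring coffee")
    results["bob writes up to war_plans"] = attempt(rm.append, "bob", "war_plans", "anonymous tip")
    results["bob writes cafeteria_menu"] = attempt(rm.append, "bob", "cafeteria_menu", "salad")
    # The menu must still hold only what an UNCLASSIFIED reader is cleared to see.
    results["menu contents"] = rm.read("bob", "cafeteria_menu")
    return results


if __name__ == "__main__":
    for access, outcome in demo().items():
        print(f"{access}: {outcome}")
```

Note that both rules use ≤, not <: a user at level Secret must be able to both read and write Secret objects, so a strict inequality would make every user's own level inaccessible. The monitor here checks levels only; real BLP implementations also compare category sets (need-to-know compartments), which these slides do not cover.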