Bell LaPadula: Handling Empty Sets

TL;DR

The Bell LaPadula model can be tricky when dealing with empty sets of subjects or objects. This guide explains how to correctly interpret and apply the ‘no read up’ and ‘no write down’ rules in these scenarios, ensuring your system remains secure.

Understanding the Problem

Bell LaPadula is a security model based on two main rules:

  • No Read Up: A subject cannot read data with a higher security level than its own.
  • No Write Down: A subject cannot write data to objects with a lower security level than its own.

Problems arise when you have an empty set of subjects or objects that meet the criteria for these rules. For example, what happens if there are no subjects cleared to read a particular file?

Solution Guide

  1. Define Security Levels: First, clearly define your security levels (e.g., Confidential, Secret, Top Secret).
  2. Understand the Empty Set: An empty set means there are *no* elements that satisfy a condition. In Bell LaPadula terms, it means no subjects or objects meet the requirements of a rule.
    • If you’re checking ‘No Read Up’, an empty set of subjects cleared to read higher-level data is acceptable – it simply means nobody *should* be able to access that data.
    • Similarly, if you’re checking ‘No Write Down’, an empty set of objects with lower security levels is also acceptable – no one should write to those objects.
  3. Applying ‘No Read Up’ with Empty Subjects: If a subject wants to read data at a higher security level, and the set of subjects cleared for that access is empty, the rule is considered satisfied (because no one *can* violate it). The requesting subject is not in that empty set, so the system should prevent the read operation.
  4. Applying ‘No Write Down’ with Empty Objects: If a subject wants to write data to an object at a lower security level, and the set of objects meeting those criteria is empty, the rule is satisfied (no one can violate it). The system should prevent the write operation.
  5. Example Scenario:

    Let’s say we have:

    • Subject A with security level ‘Secret’.
    • Object X with security level ‘Top Secret’.
    • No subjects are cleared to read ‘Top Secret’ data.

    Because the set of subjects cleared to read ‘Top Secret’ is empty, Subject A should be denied access to Object X (satisfying ‘No Read Up’).

  6. Code Example (Conceptual): This isn’t a specific language example, but illustrates the logic.
    
    // 'No Read Up' only applies when the object is classified above the subject
    if (subject.securityLevel < object.securityLevel) {
      // Check if any subjects are cleared to read at or above the object's level
      List<Subject> allowedSubjects = getSubjectsClearedFor(object.securityLevel);
      if (allowedSubjects.isEmpty()) {
        // Empty set: no subjects are allowed, so deny access
        denyReadAccess();
      } else if (!allowedSubjects.contains(subject)) {
        // Subjects are allowed, but the current subject is not in the list
        denyReadAccess();
      }
    }
    
  7. Important Considerations:
    • Discretionary Access Control (DAC): Bell LaPadula often works *with* DAC. Even if 'No Read Up' is satisfied, a DAC mechanism might still allow access based on other criteria.
    • System Design: Ensure your system’s implementation correctly handles empty sets and prevents unintended data leaks. Thorough testing is crucial.
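
An added example (not from the original page), in Python, of the fail-closed behaviour described in steps 3 to 5: access is granted only on membership in the cleared set, so an empty set denies every request, while a rule checked over zero current accesses is vacuously satisfied. The level names come from step 1; the function names and the sample data are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

def cleared_subjects(subjects, level):
    """Subjects whose clearance is at or above `level`; may be empty."""
    return {s for s, lvl in subjects.items() if lvl >= level}

def writable_objects(objects, level):
    """Objects classified at or above `level`; may be empty."""
    return {o for o, lvl in objects.items() if lvl >= level}

def may_read(subjects, objects, subject, obj):
    """No Read Up: grant only on membership in the cleared set (fail closed)."""
    if subject not in subjects or obj not in objects:
        return False  # unknown subject or object: deny
    return subject in cleared_subjects(subjects, objects[obj])

def may_write(subjects, objects, subject, obj):
    """No Write Down: grant only if obj is in the subject's writable set."""
    if subject not in subjects or obj not in objects:
        return False  # unknown subject or object: deny
    return obj in writable_objects(objects, subjects[subject])

def state_is_secure(subjects, objects, reads, writes):
    """Both rules hold for every current access; all() over nothing is True."""
    return (all(subjects[s] >= objects[o] for s, o in reads)
            and all(objects[o] >= subjects[s] for s, o in writes))

# Constructed sample data matching the scenario in the text.
SUBJECTS = {"A": Level.SECRET}
OBJECTS = {"X": Level.TOP_SECRET, "Y": Level.CONFIDENTIAL}

if __name__ == "__main__":
    print("cleared for Top Secret:", cleared_subjects(SUBJECTS, Level.TOP_SECRET))
    print("A reads X:", may_read(SUBJECTS, OBJECTS, "A", "X"))
    print("A writes Y:", may_write(SUBJECTS, OBJECTS, "A", "Y"))
    print("no accesses, state secure:",
          state_is_secure(SUBJECTS, OBJECTS, set(), set()))
```

Because the decision is a membership test, the empty set needs no special branch: nothing is in it, so every request against it is denied.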