Blog | G5 Cyber Security

Bell-LaPadula Model Explained

TL;DR

The Bell-LaPadula model is a security policy used to control access to sensitive data. It’s based on two main rules: No Read Up (you can’t read files at a higher classification level) and No Write Down (you can’t write to files at a lower classification level). This guide explains how it works in practice, using compartments to further refine access.

Understanding Bell-LaPadula

The Bell-LaPadula model aims to prevent unauthorised disclosure of information. It does this by controlling who can read and write data based on its classification level (e.g., Top Secret, Secret, Confidential) and categories (compartments).

Key Concepts

The Two Rules

  1. No Read Up: A subject can only read objects with a classification level equal to or lower than its own clearance.
  2. No Write Down: A subject can only write to objects with a classification level equal to or higher than its own clearance.

Adding Compartments

Compartments add another layer of security. Even if a user has the correct classification level, they still need access to the specific compartment(s) containing the data.

Practical Implementation Steps

  1. Define Classification Levels: Establish your levels (e.g., Top Secret, Secret, Confidential, Unclassified).
  2. Define Compartments: Determine categories within each level (e.g., Top Secret – Nuclear, Top Secret – Intelligence; Secret – Finance, Secret – Personnel).
  3. Assign Clearances to Subjects: Give users clearances that specify both classification levels and compartments they have access to. For example:
    • User A: Clearance = Top Secret (Nuclear compartment)
    • User B: Clearance = Secret (Finance, Personnel compartments)
  4. Label Objects: Assign classification levels and compartments to each data object. For example:
    • File 1: Classification = Top Secret, Compartment = Nuclear
    • File 2: Classification = Secret, Compartment = Finance
    • File 3: Classification = Confidential, No compartment
  5. Enforce the Rules: Implement access control mechanisms that check both classification level and compartments before allowing read or write operations. This is usually done within an operating system’s security kernel or a database management system.

    Here’s a simplified example of how you might represent this in pseudocode. A subject may read an object only when its clearance dominates the object’s label (equal or higher level and a superset of the compartments), and may write only when the object’s label dominates its clearance:

    // Returns true if every compartment in `required` is present in `held`.
    function containsAllCompartments(held, required) {
      return required.every(c => held.includes(c));
    }
    function canAccess(subjectClearance, objectLabel, accessType) {
      if (accessType == "read") {
        // No Read Up: the subject's clearance must dominate the object's label.
        return subjectClearance.level >= objectLabel.level &&
          containsAllCompartments(subjectClearance.compartments, objectLabel.compartments);
      } else if (accessType == "write") {
        // No Write Down: the object's label must dominate the subject's clearance.
        return subjectClearance.level <= objectLabel.level &&
          containsAllCompartments(objectLabel.compartments, subjectClearance.compartments);
      }
      return false; // Invalid access type
    }

  6. Example Scenarios:
    • User A (Top Secret - Nuclear) can read File 1 (Top Secret - Nuclear).
    • User A cannot read File 2 (Secret - Finance) because of the compartment mismatch.
    • User B (Secret - Finance) can read File 2 (Secret - Finance).
    • User B cannot read File 1 (Top Secret - Nuclear) due to classification level.
    • User A can write to File 1 (Top Secret - Nuclear).
    • User A cannot write to File 2 (Secret - Finance) because of the compartment mismatch and lower classification.
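As an added example (not from the original post), the following JavaScript reference monitor implements the two rules with compartments over the levels, users and files defined in the steps above and evaluates every subject/object/access combination, including the six scenarios in step 6. The numeric level ranks and the use of a Set for compartments are choices made here, not something the post specifies.

```javascript
// Added example, not from the original post; numeric level ranks are a choice made here.
const LEVELS = { Unclassified: 0, Confidential: 1, Secret: 2, "Top Secret": 3 };

// A label is a level plus a set of compartments; clearances use the same shape.
function label(level, ...compartments) {
  if (!(level in LEVELS)) throw new Error(`unknown level: ${level}`);
  return { level: LEVELS[level], compartments: new Set(compartments) };
}

// a dominates b when a's level is at least b's and a holds every compartment of b.
function dominates(a, b) {
  if (a.level < b.level) return false;
  for (const c of b.compartments) if (!a.compartments.has(c)) return false;
  return true;
}

// No Read Up: the clearance must dominate the object label.
// No Write Down: the object label must dominate the clearance.
function canAccess(clearance, objectLabel, accessType) {
  switch (accessType) {
    case "read":  return dominates(clearance, objectLabel);
    case "write": return dominates(objectLabel, clearance);
    default:      return false; // unknown access types are denied, never allowed
  }
}

const subjects = {
  "User A": label("Top Secret", "Nuclear"),
  "User B": label("Secret", "Finance", "Personnel"),
};
const objects = {
  "File 1": label("Top Secret", "Nuclear"),
  "File 2": label("Secret", "Finance"),
  "File 3": label("Confidential"),
};

// Evaluate every (subject, object, access) pair and return the decision table.
function decisionTable() {
  const rows = [];
  for (const [subject, clearance] of Object.entries(subjects))
    for (const [object, objectLabel] of Object.entries(objects))
      for (const access of ["read", "write"])
        rows.push({ subject, object, access, allowed: canAccess(clearance, objectLabel, access) });
  return rows;
}

for (const r of decisionTable())
  console.log(`${r.subject} ${r.access} ${r.object}: ${r.allowed ? "ALLOW" : "DENY"}`);
```

Running it also shows a case the scenario list leaves out: User B can read File 3 (Confidential, no compartment) but cannot write to it, because that write would flow Secret-level data down to a Confidential object.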

Important Considerations
