Bell-LaPadula: Write Access Across Compartments

TL;DR

No, not in general. Compartments are part of the security label, not a separate check layered on top of the classification. Under the *-property a subject may write to a file only if the file's label dominates the subject's: the file's classification must be at least the subject's clearance, and the file's compartment set must contain every compartment the subject holds. Two files at the same classification but in different compartments carry labels that are incomparable with the subject's, so the subject can write to neither of them.

Understanding Bell-LaPadula

The Bell-LaPadula model controls information flow to prevent unauthorised disclosure of sensitive data. Every subject and object carries a security label made of two parts: a classification level (a total order such as Unclassified < Confidential < Secret < Top Secret) and a set of compartments. Label X dominates label Y when X's level is greater than or equal to Y's and X's compartment set is a superset of Y's. Where neither label dominates the other, the two are incomparable. The model's two main rules are stated in terms of dominance:

  • Simple Security Condition (no read up): a subject may read a file only if the subject's clearance label dominates the file's label.
  • *-Property (no write down): a subject may write to a file only if the file's label dominates the subject's clearance label.

Compartments (also called categories) give need-to-know separation within a classification level; each represents a specific area of knowledge. Because they are part of the label, they enter every dominance check. A Top Secret file in compartment B is neither above nor below a Top Secret file in compartment A: the two labels are incomparable.

Scenario: Write Access

Let’s say we have the following:

  • Subject Clearance: Top Secret, Compartment A
  • File 1: Top Secret, Compartment B (different compartment)
  • File 2: Top Secret, Compartment C (different compartment)

The subject and both files are at Top Secret, so the classification halves of the three labels are equal. The decision therefore turns entirely on the compartment sets.

Steps to Determine Write Access

  1. Check Classification: The subject's clearance level (Top Secret) is less than or equal to each file's classification (both Top Secret). This half of the *-Property is satisfied for both files.
  2. Check Compartments: The other half of the *-Property requires each file's compartment set to contain the subject's. {B} does not contain A and {C} does not contain A, so neither file's label dominates the subject's label, and both writes are denied. By contrast, a file labelled Top Secret with compartments {A, B} would dominate the subject's label and could be written to (though not read, since {A} does not contain B).

Example

Imagine a system where:

  • Classification Levels: Unclassified, Confidential, Secret, Top Secret
  • Compartments: Nuclear, Finance, Legal

A subject with 'Secret' clearance and the 'Finance' compartment can write to files labelled Secret / {Finance}, Secret / {Finance, Nuclear} or Top Secret / {Finance, Legal}, because each of those labels dominates its own. It cannot write to Secret / {Nuclear} or Secret / {Legal}: the level matches, but those compartment sets do not include Finance, so the labels are incomparable. It cannot write to a Secret file with no compartments either, since the empty set does not contain Finance. Reads run the other way: the subject can read Confidential files with no compartments and Secret / {Finance}, but not Secret / {Nuclear} and not Top Secret / {Finance}.
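The following Python implements the label lattice and both rules, then runs the Top Secret / compartment A scenario and the Secret / Finance example above through it. It is an added example written for this page, not code from the original post: the Label class and the can_read, can_write, compare and decide functions are this example's own names, and the level and compartment names are the ones used in the text.

```python
"""Bell-LaPadula decisions over labels of (classification, compartment set).

Added example for this page, not code from the original post. Label,
can_read, can_write, compare and decide are this example's own names.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Classifications form a total order; a higher index is more sensitive.
LEVELS = ("Unclassified", "Confidential", "Secret", "Top Secret")


@dataclass(frozen=True)
class Label:
    """A security label: a classification level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification: {self.level!r}")
        # Accept any iterable of compartment names; store a hashable frozenset.
        object.__setattr__(self, "compartments", frozenset(self.compartments))

    def dominates(self, other: "Label") -> bool:
        """self >= other in the BLP lattice: level at least as high AND
        every compartment of `other` also held by `self`."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)

    def __str__(self) -> str:
        comps = ", ".join(sorted(self.compartments)) or "-"
        return f"{self.level} / {{{comps}}}"


def compare(a: Label, b: Label) -> str:
    """Where `a` sits relative to `b`: equal, dominates, dominated, or
    incomparable (the case a same-level, different-compartment pair falls in)."""
    ab, ba = a.dominates(b), b.dominates(a)
    if ab and ba:
        return "equal"
    if ab:
        return "dominates"
    if ba:
        return "dominated"
    return "incomparable"


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security condition (no read up): subject must dominate object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): object must dominate subject."""
    return obj.dominates(subject)


def decide(subject: Label, objects: Iterable[Label]) -> List[Tuple[Label, str, bool, bool]]:
    """One (object, relation to subject, read allowed, write allowed) row per object."""
    return [(o, compare(o, subject), can_read(subject, o), can_write(subject, o))
            for o in objects]


def print_table(subject: Label, objects: Iterable[Label]) -> None:
    print(f"Subject clearance: {subject}")
    print(f"{'File label':<34}{'relation':<14}{'read':<7}write")
    for obj, rel, r, w in decide(subject, objects):
        print(f"{str(obj):<34}{rel:<14}{str(r):<7}{w}")
    print()


if __name__ == "__main__":
    # Scenario from the post: subject cleared Top Secret, compartment A.
    print_table(Label("Top Secret", {"A"}), [
        Label("Top Secret", {"B"}),        # same level, other compartment: incomparable
        Label("Top Secret", {"C"}),
        Label("Top Secret", {"A", "B"}),   # superset: write allowed, read denied
        Label("Top Secret"),               # no compartments: read allowed, write denied
    ])
    # Example from the post: Secret clearance, Finance compartment.
    print_table(Label("Secret", {"Finance"}), [
        Label("Secret", {"Finance"}),
        Label("Secret", {"Nuclear"}),
        Label("Secret", {"Legal"}),
        Label("Secret"),
        Label("Secret", {"Finance", "Nuclear"}),
        Label("Top Secret", {"Finance", "Legal"}),
        Label("Confidential"),
    ])
```

Run it directly to print a decision table for both cases. The rows marked incomparable are exactly the same-level, different-compartment files: neither read nor write is permitted there, because neither label dominates the other.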

Practical Considerations

  • System Implementation: Real systems store the label as a level plus a compartment (category) set and perform exactly this dominance comparison in the kernel or database engine; SELinux's MLS labels of sensitivity plus category set are one example. Many deployments also tighten the *-Property to "write at your own label only", because a blind write-up creates a file the writer can never read back, and reserve downgrading to explicitly trusted subjects.
  • Mandatory Access Control (MAC): Bell-LaPadula is a form of MAC. The labels and the dominance rule are set by policy and enforced by the system; neither the file owner nor the subject can relax them.

Summary

Under Bell-LaPadula a subject may write to a file only if the file's label dominates the subject's: the file's classification is the same or higher, and its compartment set includes every compartment the subject holds. Files that share the classification but sit in different compartments are incomparable with the subject's label, and writing to them is denied. Compartments do not merely refine access within a level; they are part of the ordering that both the read and the write rule are evaluated against.
