Bell–LaPadula model

The Bell - LaPadula security model describes an IT security model and " is considered the first fully formalized ". 265 It protects the confidentiality of information through a system enforced rules. It thus implements the concept of Mandatory Access Control of IT system security. It should not be possible to read information a higher protection level or to transfer information a higher protection level to a lower level of protection. Systems based on the Bell - LaPadula principle, were mainly used when data are subject to a certain secrecy. The classic Bell - LaPadula systems were replaced by lattice - or compartment -based systems ( in German: Association or category -based systems ) which horizontal and vertical classifications implement (segments).

The security model was developed in 1973 by David Elliott Bell and Leonard J. LaPadula in the U.S. Air Force. The Bell - LaPadula model mainly protects the confidentiality of data: emphasis is placed on control of information flow. It should not be possible to ensure that confidential information is passed to untrusted people. This is in contrast to the Biba - model, which is a reversal of the Bell LaPadula model, mainly ensures the integrity of information flow.

Before each access three rules are checked:

The Term ★ -property should be because the authors of the model were so pressed for time that they could not clean up the papers to be delivered, and the star ( ★) was retained as a placeholder.

Use

Various, designed for safety operating systems ( OS) based on the Bell - LaPadula model. The OS model implement under the name Multi- Level Security ( MLS). Examples include SELinux, Red Hat Enterprise Linux, IBM z / OS mainframe and among others with the integrated Trusted Solaris Trusted Extensions. 268

Mathematical principles

• Each object O jurisdiction and classification assigned (Z ( O ), E ( O))
• Each subject S are assigned area of ​​responsibility and empowerment (Z ( S ), E ( S))

Reading objects is possible only if:

Writing objects is only possible if:

Producing T subjects ( for example, processes):

It must also apply: