Reference LibraryBell-LaPadula Model
Security ModelDomain 3: Security Architecture & Engineering

Bell-LaPadula Model

Exam Relevance:

A formal state-machine model that enforces CONFIDENTIALITY by controlling how subjects access objects based on classification labels. Two core rules: no read up (Simple Security Property) and no write down (Star Property).

Why It Matters for CISSP

Bell-LaPadula is the foundation of mandatory access control (MAC) in government and military systems. The CISSP exam loves to test whether you can identify which rule prevents data leakage vs. data contamination, and how it differs from integrity models like Biba.

Background & Origin

Developed by David Bell and Leonard LaPadula in 1973 for the US Department of Defense. It was the first mathematical model to formally define a secure system using state transitions.

The Two Core Rules

Simple Security Property (no read up): A subject at clearance level L cannot read an object at a higher classification level.

Star Property / *-Property (no write down): A subject at clearance level L cannot write to an object at a lower classification level. This prevents a high-clearance user from leaking classified data to a lower level.

State Machine Basis

The Basic Security Theorem proves: if a system starts in a secure state and every transition preserves the security properties, the system remains secure for all time.

Limitations

Bell-LaPadula only addresses confidentiality. A low-clearance subject CAN write to a high-classification object (write up is allowed), which means a malicious low-integrity subject can corrupt TOP SECRET data. This is where Biba is needed.

Bell-LaPadula rules at a glance

RuleDirectionPreventsMnemonic
Simple Security PropertyNo Read UpUnauthorized disclosuress: no read up
Star (*) PropertyNo Write DownLeaking to lower levels*: no write down
Discretionary SecurityAccess matrixUnauthorized access within same levelOwner-controlled

Related Concepts

BibaClark WilsonPki