A formal state-machine model that enforces CONFIDENTIALITY by controlling how subjects access objects based on classification labels. Two core rules: no read up (Simple Security Property) and no write down (Star Property).
Bell-LaPadula is the foundation of mandatory access control (MAC) in government and military systems. The CISSP exam loves to test whether you can identify which rule prevents data leakage vs. data contamination, and how it differs from integrity models like Biba.
Developed by David Bell and Leonard LaPadula in 1973 for the US Department of Defense. It was the first mathematical model to formally define a secure system using state transitions.
Simple Security Property (no read up): A subject at clearance level L cannot read an object at a higher classification level.
Star Property / *-Property (no write down): A subject at clearance level L cannot write to an object at a lower classification level. This prevents a high-clearance user from leaking classified data to a lower level.
The Basic Security Theorem proves: if a system starts in a secure state and every transition preserves the security properties, the system remains secure for all time.
Bell-LaPadula only addresses confidentiality. A low-clearance subject CAN write to a high-classification object (write up is allowed), which means a malicious low-integrity subject can corrupt TOP SECRET data. This is where Biba is needed.
Bell-LaPadula rules at a glance
| Rule | Direction | Prevents | Mnemonic |
|---|---|---|---|
| Simple Security Property | No Read Up | Unauthorized disclosure | ss: no read up |
| Star (*) Property | No Write Down | Leaking to lower levels | *: no write down |
| Discretionary Security | Access matrix | Unauthorized access within same level | Owner-controlled |