4.2.1. Confidentiality Models: Bell-LaPadula and Lattice-Based
💡 First Principle: The Bell-LaPadula model defines confidentiality by controlling information flow: information can flow up to higher classification levels but never down to lower ones. This directly implements the government classification model: a Secret-cleared analyst can read Secret and Confidential documents (information flows up to the analyst) and can write into Secret or Top Secret objects, but can neither read Top Secret documents (no read up) nor write information down to Unclassified (which would leak classified content downward).
Bell-LaPadula (BLP) Model — Confidentiality:
Developed for the US DoD multilevel security (MLS) problem. Two core rules:
| Rule | Name | Definition | Purpose |
|---|---|---|---|
| Simple Security Property | "No Read Up" | A subject cannot read an object at a higher classification than the subject's clearance level | Prevents reading information above clearance |
| Star (*) Security Property | "No Write Down" | A subject cannot write to an object at a lower classification level | Prevents leaking classified information to lower levels |
| Discretionary Security Property | Access matrix | Uses an access control matrix to specify discretionary (need-to-know) permissions per subject and object | Applies only after the mandatory rules above are satisfied; it can further restrict access but never override them |
Memory aid: BLP = Confidentiality = "Read down, Write up" is allowed. "Read up, Write down" is prohibited.
Information flow: In BLP, information flows upward only — a Top Secret subject can write to Top Secret objects (and up), but writing to Secret or Unclassified objects is the "*" (star) property violation that would leak TS content downward.
Biba Model — Integrity:
Biba inverts BLP's rules to protect integrity instead of confidentiality. The concern is contamination: untrusted (low-integrity) data corrupting high-integrity data.
| Rule | Name | Definition | Purpose |
|---|---|---|---|
| Simple Integrity Property | "No Read Down" | A subject cannot read an object at a lower integrity level | Prevents high-integrity subject from being contaminated by low-integrity data |
| Star (*) Integrity Property | "No Write Up" | A subject cannot write to an object at higher integrity level | Prevents low-integrity subject from corrupting high-integrity data |
Memory aid: Biba = Integrity = "Read up, Write down" is allowed. "Read down, Write up" is prohibited.
Why they conflict: BLP says "no write down" (write up to maintain confidentiality). Biba says "no write up" (write down to maintain integrity). If you implement both, a subject can only read and write at exactly their own level — which makes the system nearly unusable in practice. Real systems make trade-offs or implement each model in separate security domains.
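The following reference-monitor sketch is an added example, not part of the original notes or any real MLS implementation. It encodes the two BLP rules, the two Biba rules, and the discretionary access matrix from the tables above as checks over a small lattice, and its `reachable` helper makes the conflict described in the previous paragraph visible: with both models enforced on the same labels, a Secret subject can touch only Secret objects. The level names, object names and ACL entries are constructed for illustration, and the same `Level` ordering is reused as the integrity ordering for the Biba checks.

```python
"""Added example: BLP and Biba mandatory checks plus a discretionary ACL.

Labels, objects and ACL entries below are constructed for illustration;
a real MLS system would carry them as security labels on processes and files.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, FrozenSet, Iterable, Set, Tuple


class Level(IntEnum):
    """Totally ordered sensitivity levels. For the Biba checks below the same
    ordering stands in for integrity levels (low -> high)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A lattice label: a level plus need-to-know compartments (constructed names)."""
    level: Level
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level AND a superset of compartments.
        return self.level >= other.level and self.compartments >= other.compartments


Policy = Callable[[Label, Label, str], bool]


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula mandatory rules.
    read  -> simple security property ("no read up"): subject must dominate object.
    write -> *-property ("no write down"): object must dominate subject.
    """
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba strict integrity rules (BLP inverted).
    read  -> simple integrity property ("no read down"): object must dominate subject.
    write -> *-integrity property ("no write up"): subject must dominate object.
    """
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


def dac_allows(acl: Dict[str, Set[str]], subject_name: str, op: str) -> bool:
    """Discretionary security property: one row of the access matrix for an object,
    e.g. {"alice": {"read", "write"}}. Consulted only after the mandatory rules."""
    return op in acl.get(subject_name, set())


def reference_monitor(subject_name: str, subject: Label, obj: Label,
                      acl: Dict[str, Set[str]], op: str,
                      policies: Iterable[Policy] = (blp_allows,)) -> bool:
    """Grant access only if every mandatory policy AND the object's ACL allow it."""
    return all(p(subject, obj, op) for p in policies) and dac_allows(acl, subject_name, op)


def reachable(subject: Label, objects: Dict[str, Label],
              policies: Iterable[Policy]) -> Set[Tuple[str, str]]:
    """Every (object, op) pair the subject may perform under the given policies."""
    policies = tuple(policies)
    return {(name, op) for name, lab in objects.items() for op in ("read", "write")
            if all(p(subject, lab, op) for p in policies)}


# Constructed sample: one Secret-cleared analyst and four labelled objects.
ANALYST = Label(Level.SECRET)
OBJECTS = {
    "public_notice": Label(Level.UNCLASSIFIED),
    "budget_memo": Label(Level.CONFIDENTIAL),
    "ops_plan": Label(Level.SECRET),
    "intel_report": Label(Level.TOP_SECRET),
}

if __name__ == "__main__":
    for name, policies in (("BLP", (blp_allows,)), ("Biba", (biba_allows,)),
                           ("BLP+Biba", (blp_allows, biba_allows))):
        print(name, sorted(reachable(ANALYST, OBJECTS, policies)))
```

Running the block prints, for the Secret analyst, three readable and two writable objects under BLP, two readable and three writable under Biba, and only `ops_plan` (read and write) when both are enforced together, which is the "can only read and write at exactly their own level" outcome described above. The compartment check in `Label.dominates` shows why BLP is usually stated over a lattice rather than a simple ladder: two Secret labels with different compartments do not dominate each other, so neither can read the other's objects.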
Comparison table:
| Dimension | Bell-LaPadula | Biba |
|---|---|---|
| Property protected | Confidentiality | Integrity |
| No read | Up (above clearance) | Down (below integrity level) |
| No write | Down (below classification) | Up (above integrity level) |
| Information flow | Upward | Downward |
| Primary use case | Government classification | Financial systems, audit logs, code repos |
| Threat addressed | Unauthorized disclosure | Unauthorized modification / contamination |
⚠️ Exam Trap: A common distractor says "Bell-LaPadula prevents unauthorized modification." It does not — BLP only addresses confidentiality. If a Secret-cleared user modifies a Secret document with incorrect information, BLP has nothing to say about that. Integrity is Biba's domain, not BLP's.
Reflection Question: A financial institution processes trades through a system where: (1) market data feeds are ingested from external sources (low trust, low integrity level), (2) trading algorithms process that data (high integrity level), and (3) trade records must be protected from tampering. Which formal model(s) apply to this system, and what specific rules prevent contamination of the trading algorithms by the market data feeds?