Security models enable people to access only the data classified for their clearance level. There are many models. We will cover Bell-LaPadula and Biba, both of which use mathematical formulas. You don’t need to know the formulas or other details, but you should be familiar with the models and their pros and cons.
- Bell-LaPadula. This model was established in 1973 for the United States Air Force. It focuses on confidentiality. The goal is to ensure that information is exposed only to those with the right level of classification. For example, if you have a Secret clearance, you can read data classified as Secret, but not Top Secret data. Its two rules are “no read up” (users with a lower clearance cannot read data classified at a higher level) and “no write down” (users with a clearance higher than the data cannot modify that data). Notice that Bell-LaPadula doesn’t address “write up,” which could enable a user with a lower clearance to write up to data classified at a higher level. To address this gap, this model is often enhanced with other models that focus on integrity. Another downside to this model is that it doesn’t account for covert channels. A covert channel is a way of secretly sending data across an existing connection. For example, you can send a single letter inside the Identification field of the IP header. Sending a large message this way is slow, but such communication often isn’t monitored or caught.
- Biba. Released in 1977, this model was created to supplement Bell-LaPadula. Its focus is on integrity. The methodology is “no read down” (for example, users with a Top Secret clearance can’t read data classified as Secret) and “no write up” (for example, a user with a Secret clearance can’t write data to files classified as Top Secret). By combining it with Bell-LaPadula, you get both confidentiality and integrity.
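
The rules of both models written as access checks, added here as an example and not part of the original guide. It assumes a four-level ordering and reuses the classification labels as integrity levels, as the Biba examples above do; the function names are hypothetical.

```python
from enum import IntEnum


class Level(IntEnum):
    # Constructed ordering; the text above names only Secret and Top Secret.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject >= obj   # reading above your clearance is denied
    if op == "write":
        return subject <= obj   # writing below your clearance is denied
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity): no read down, no write up."""
    if op == "read":
        return subject <= obj   # reading lower-integrity data is denied
    if op == "write":
        return subject >= obj   # writing to higher-integrity data is denied
    raise ValueError(f"unknown operation: {op}")


def combined_allows(subject: Level, obj: Level, op: str) -> bool:
    """Both models enforced together on the same labels."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def decision_table(subject: Level):
    """Rows of (object level, operation, BLP, Biba, combined) for one subject."""
    return [
        (obj.name, op, blp_allows(subject, obj, op),
         biba_allows(subject, obj, op), combined_allows(subject, obj, op))
        for obj in Level
        for op in ("read", "write")
    ]


if __name__ == "__main__":
    print(f"{'object':<13}{'op':<7}{'BLP':<7}{'Biba':<7}combined")
    for name, op, blp, biba, both in decision_table(Level.SECRET):
        print(f"{name:<13}{op:<7}{blp!s:<7}{biba!s:<7}{both}")
```

The table for a Secret subject shows Bell-LaPadula alone permitting a write to Top Secret data, Biba denying it, and the combination permitting access only at the subject's own level when one set of labels serves both models.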
There are other models; for example, the Clark-Wilson model also focuses on integrity.