Your organization implements mandatory access control based on the Bell-LaPadula Model which doesn’t support the strong star property, an alternative to the star property. There is a printer, classified as Top Secret, in your organization. Bob is a middle officer with a security clearance of Secret. He is also assigned both the simple and star security property defined in the Bell-LaPadula Model. Can Bob print his report to the printer classified as Top Secret?
A. Yes, Bell-LaPadula Model does not prohibit this type of information flow.
B. Yes, Bell-LaPadula Model allows reading data from the upper level of sensitivity.
C. No. Bell-LaPadula Model prohibits reading data from the upper level of sensitivity.
D. No. Bell-LaPadula Model prohibits writing data to a lower level of sensitivity.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Yes, Bell-LaPadula Model does not prohibit this type of information flow.
Bell LaPadula Model
- The Bell LaPadula Model is a finite state machine which controls information flow for confidentiality with two security properties:
- Simple Security Condition (property): no read up
- * (star) Security Property: no write down
- The Simple Security Condition states that a subject (Bob) may not read the information at a higher sensitivity level (no read up).
- The * (star) Security Property states that a subject (Bob) may not write information to an object at a lower sensitivity level (no write down).
The “Arrows” in The Diagram
- The diagram differs from most of the study guides you have as I put the focus on the information flow, which is the essence of the Bell Lapadula model.
- The legend of an arrow in the diagram stands for the information flow. “Read” means pulling information from one level to another, while “write” means pushing.
- Information flow from the upper level to the lower level is prohibited in the Bell Lapadula Model by applying security properties (simple and star) to the subjects.
- Don’t do rote memorization. e.g. no read up/no write down. Just keep your attention on the information flow. An officer with Secret clearance cannot read data from the upper level, Top Secret; He or she cannot write data to the lower level, Confidential.
- “Print” refers to sending a print job to the printer. It’s a push or “write”.
- Logically, printing something can be as easy as writing data to a file or folder, because some operating systems, say Linux, implement printers as part of the file system. e.g. /var/spool/lpd/lp or /dev/lp0
The Mandatory Access Control (MAC) and the Bell-Lapadula Model are the core concept of the Orange book (DoD 5200.28-STD) developed by the Department of Defense (DoD) in 1985, formally known as the Trusted Computer System Evaluation Criteria (TCSEC).
I’ve never worked for the US government agency and had no hands-on experience about the information systems related to the military, intelligence, or weapons. I designed this question solely by the book and based on my research, experience, and understanding to help CISSP aspirants comprehend the security models.