The Bell-LaPadula (BLP) Model

“Our initial work focused on a definition of ‘security’ within a mathematical (conceptual) framework,” as mentioned in the paper, Back at the Bell–LaPadula Model (2005).

The first publication of the BLP model, Secure Computer Systems: Mathematical Foundations (1973), states the problem of security to be solved:


Let us consider a security compromise to be unauthorized access to information, where unauthorized means that an inappropriate clearance or a lack of need-to-know is involved in the access to the information. Then a central problem to be solved within the computing system is how to guarantee that unauthorized access (by a process) to information (file, program, data) does not occur.

Source: Secure Computer Systems: Mathematical Foundations (1973)

The First Publication of the BLP Model

Modified Requirements of The BLP Model
Basic Security Theorem (revised)

Discretionary Access Control (DAC) and Need-to-know

In the paper, Secure Computer System: Unified Exposition and Multics Interpretation (1976), the authors mentioned that “there is one further aspect of security that we address: the problem is called discretionary security and it is also based on current military/governmental policy (known as ‘need-to-know’).”

Need-to-know is the “decision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.”

Source: CNSSI 4009-2015

That said, the model aims to guarantee that unauthorized access to information does not occur, by enforcing appropriate clearance and need-to-know. According to Wikipedia, the model defines one discretionary access control (DAC) rule and two mandatory access control (MAC) rules, expressed as three security properties:

  1. The Simple Security Property states that a subject at a given security level may not read an object at a higher security level.
  2. The * (star) Security Property states that a subject at a given security level may not write to any object at a lower security level.
  3. The Discretionary Security Property uses an access matrix to specify the discretionary access control.

BLP and TCSEC (Orange Book)

The BLP model plays a vital role in the TCSEC (Orange Book), which explicitly relates need-to-know to discretionary controls:

Discretionary controls are not a replacement for mandatory controls. In an environment in which information is classified (as in the DoD) discretionary security provides for a finer granularity of control within the overall constraints of the mandatory policy. Access to classified information requires effective implementation of both types of controls as precondition to granting that access. In general, no person may have access to classified information unless:
(a) that person has been determined to be trustworthy, i.e., granted a personnel security clearance — MANDATORY, and
(b) access is necessary for the performance of official duties, i.e., determined to have a need-to-know — DISCRETIONARY. In other words, discretionary controls give individuals discretion to decide on which of the permissible accesses will actually be allowed to which users, consistent with overriding mandatory policy restrictions.

Source: TCSEC (Orange Book)

Need-to-know can be enforced by identity-based Discretionary Access Control (DAC) or lattice-based Mandatory Access Control (MAC) using non-hierarchical labels for compartments.
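
The three security properties and the compartment-based need-to-know described above, combined into one access check. This is an added example, not code from the BLP papers or the TCSEC. The level names, the CRYPTO compartment and the subjects, objects and matrix entries are constructed, and "write" is assumed to mean write-only (append), so the no-write-down rule generalizes to the lattice as "the object's label must dominate the subject's".

```python
from dataclasses import dataclass

# Constructed hierarchy for illustration; level and compartment names are assumptions.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: level at least as high AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def label(level, *compartments):
    return Label(level, frozenset(compartments))

class ReferenceMonitor:
    def __init__(self, subjects, objects, matrix):
        self.subjects = subjects  # subject name -> Label (clearance)
        self.objects = objects    # object name -> Label (classification)
        self.matrix = matrix      # (subject, object) -> set of permitted modes

    def check(self, subject, obj, mode):
        """Return (granted, reason); an access must satisfy all three properties."""
        s, o = self.subjects[subject], self.objects[obj]
        # Discretionary Security Property: the mode must be in the access matrix.
        if mode not in self.matrix.get((subject, obj), set()):
            return False, "ds-property"
        # Simple Security Property (no read up): subject label must dominate object.
        if mode == "read" and not s.dominates(o):
            return False, "ss-property"
        # * Property (no write down): object label must dominate subject label.
        if mode == "write" and not o.dominates(s):
            return False, "*-property"
        return True, "granted"

# Constructed sample state (not taken from the BLP papers).
MONITOR = ReferenceMonitor(
    subjects={"alice": label("SECRET", "CRYPTO"), "bob": label("SECRET")},
    objects={"plan": label("SECRET", "CRYPTO"), "memo": label("CONFIDENTIAL"),
             "warplan": label("TOP SECRET", "CRYPTO")},
    matrix={("alice", "plan"): {"read", "write"}, ("alice", "memo"): {"read", "write"},
            ("alice", "warplan"): {"read", "write"}, ("bob", "plan"): {"read"},
            ("bob", "memo"): {"read"}},
)

if __name__ == "__main__":
    for who, what, mode in [("alice", "memo", "write"), ("bob", "plan", "read")]:
        print(who, mode, what, MONITOR.check(who, what, mode))
```

Bob holds the same SECRET level as the plan and the matrix lets him read it, yet the request fails the Simple Security Property because his label lacks the CRYPTO compartment: the mandatory lattice check enforces need-to-know even where the discretionary matrix would allow the access.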

TCB Access Control

