Security Foundations • 04 / 09

Security Models: Formal Rules for Achieving CIA

Principles define what we want. Security models provide the formal mathematical structures for how to achieve confidentiality and integrity at scale.

Confidentiality Model

Bell-LaPadula Model

David Elliott Bell & Leonard J. LaPadula — MITRE Corporation, 1973 (U.S. Air Force contract)
Protects: Confidentiality
  • Simple Security Property (No Read Up) — A subject at a lower clearance level cannot read data classified at a higher level. Prevents upward information leakage.
  • Star (*) Property (No Write Down) — A subject at a higher clearance level cannot write data to a lower classification level. Prevents downward disclosure of sensitive information.
  • Discretionary Property — An access matrix governs additional read/write permissions, applied in conjunction with the two mandatory rules above.
Summary:  "Write Up, Read Down"
⚠  Limitation: Not designed to handle file sharing. Addresses confidentiality only — integrity and availability are out of scope.
Integrity Model

Biba Integrity Model

Intentional inverse of Bell-LaPadula — designed specifically for integrity protection
Protects: Integrity
  • Simple Integrity Property (No Read Down) — A higher-integrity subject should not read from a lower-integrity source. Prevents trusted processes from being contaminated by untrusted input.
  • Star (*) Integrity Property (No Write Up) — A lower-integrity subject cannot write to a higher-integrity object. Prevents untrusted subjects from corrupting trusted data.
Summary:  "Read Up, Write Down"  — the direct inverse of Bell-LaPadula
⚠  Limitation: Does not handle insider threats. An authorized high-integrity user acting maliciously is outside this model's scope.
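The four mandatory rules above (two from Bell-LaPadula, two from Biba) reduce to simple comparisons on a label ordering. The following Python is an added illustration, not code from the slide or from any particular system: the `Level` ordering, the `decide` dispatcher and the `both_allow` helper are constructed here, and a real implementation would use a lattice of (level, compartments) rather than a total order.

```python
# Added example (not part of the slide): access decisions for the
# Bell-LaPadula (confidentiality) and Biba (integrity) rules.
# Assumption: a single total order of labels, higher value = more
# sensitive (BLP) or more trusted (Biba). Names below are constructed.
from enum import IntEnum


class Level(IntEnum):
    """Constructed label ordering used by both models."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


def blp_can_read(subject_clearance: Level, object_class: Level) -> bool:
    """Simple Security (no read up): object must be at or below the clearance."""
    return object_class <= subject_clearance


def blp_can_write(subject_clearance: Level, object_class: Level) -> bool:
    """Star property (no write down): object must be at or above the clearance."""
    return object_class >= subject_clearance


def biba_can_read(subject_integrity: Level, object_integrity: Level) -> bool:
    """Simple Integrity (no read down): source must be at or above the subject."""
    return object_integrity >= subject_integrity


def biba_can_write(subject_integrity: Level, object_integrity: Level) -> bool:
    """Star Integrity (no write up): target must be at or below the subject."""
    return object_integrity <= subject_integrity


_RULES = {
    ("blp", "read"): blp_can_read,
    ("blp", "write"): blp_can_write,
    ("biba", "read"): biba_can_read,
    ("biba", "write"): biba_can_write,
}


def decide(model: str, op: str, subject: Level, obj: Level) -> bool:
    """Return True if the named model permits `op`; unknown pairs fail closed
    by raising instead of silently allowing."""
    try:
        rule = _RULES[(model, op)]
    except KeyError:
        raise ValueError(f"no mandatory rule defined for {model}/{op}")
    return rule(subject, obj)


def both_allow(op: str, subject: Level, obj: Level) -> bool:
    """Enforce BLP and Biba together with one shared label: a subject is then
    allowed to read or write only objects at exactly its own level."""
    return decide("blp", op, subject, obj) and decide("biba", op, subject, obj)


def access_matrix(model: str, op: str) -> list:
    """Tabulate the rule for every (subject, object) pair, for review or audit."""
    return [
        (s.name, o.name, decide(model, op, s, o))
        for s in Level
        for o in Level
    ]


if __name__ == "__main__":
    for model in ("blp", "biba"):
        for op in ("read", "write"):
            print(model, op)
            for s, o, ok in access_matrix(model, op):
                print(f"  subject={s:<6} object={o:<6} {'ALLOW' if ok else 'DENY'}")
```

Running the script prints the full allow/deny matrix for each rule, which makes the two summaries ("Write Up, Read Down" versus "Read Up, Write Down") visible as mirror images. `both_allow` shows a consequence of stacking the models on one label set: the only permitted accesses are at the subject's own level, which is why real deployments use separate confidentiality and integrity labels.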
Commercial Integrity Model

Clark-Wilson Model

Designed for commercial environments — enforces integrity via well-formed transactions and separation of duties
Protects: Integrity (Commercial)
  • CDI — Constrained Data Item: The data whose integrity we protect. Only reachable through approved transformation procedures.
  • UDI — Unconstrained Data Item: All other data — user input, system input — which must be validated before entering the controlled space.
  • TP — Transformation Procedures: The only authorized operations (read, write) permitted on CDIs. Must preserve CDI integrity throughout.
  • IVP — Integrity Verification Procedures: Checks that confirm CDIs remain in a valid, uncorrupted state after transformation procedures run.
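The four Clark-Wilson elements fit together as a small reference monitor: a user reaches a CDI only through a certified TP they are explicitly allowed to run, raw input is validated as a UDI first, and an IVP confirms the CDI is still valid afterwards. The Python below is an added example, not code from the slide or from any product; the ledger, its zero-sum invariant, the user names (`clerk`, `auditor`) and the TP names are all constructed for illustration.

```python
# Added example (not part of the slide): a minimal Clark-Wilson enforcement
# harness. The CDI is a double-entry ledger whose entries must sum to zero;
# that invariant, the users and the TP names are constructed for this demo.
import copy
from dataclasses import dataclass, field


@dataclass
class CDI:
    """Constrained Data Item: account balances, reachable only via certified TPs."""
    name: str
    balances: dict = field(default_factory=dict)


def ivp_ledger_balanced(cdi: CDI) -> bool:
    """Integrity Verification Procedure: every debit has a matching credit."""
    return sum(cdi.balances.values()) == 0


def validate_transfer_udi(udi: str) -> tuple:
    """Turn an Unconstrained Data Item ('src->dst:amount') into a checked tuple.
    Malformed or out-of-range input is rejected before it can touch the CDI."""
    try:
        path, amount = udi.split(":")
        src, dst = path.split("->")
        amount = int(amount)
    except ValueError:
        raise ValueError(f"malformed UDI: {udi!r}")
    if amount <= 0 or src == dst or not src.isalnum() or not dst.isalnum():
        raise ValueError(f"rejected UDI: {udi!r}")
    return src, dst, amount


def tp_transfer(cdi: CDI, args: tuple) -> None:
    """Transformation Procedure: move value between accounts, preserving the invariant."""
    src, dst, amount = args
    cdi.balances[src] = cdi.balances.get(src, 0) - amount
    cdi.balances[dst] = cdi.balances.get(dst, 0) + amount


def tp_bad_credit(cdi: CDI, args: tuple) -> None:
    """A faulty TP (constructed) that credits without a debit; the IVP must catch it."""
    _, dst, amount = args
    cdi.balances[dst] = cdi.balances.get(dst, 0) + amount


class Enforcer:
    """Mediates all CDI access: (user, TP, CDI) access triples, UDI validation,
    IVP after each TP, rollback on failure, and an audit trail of every outcome."""

    def __init__(self) -> None:
        self.cdis: dict = {}
        self.tps: dict = {}
        self.triples: set = set()
        self.audit: list = []

    def register_cdi(self, cdi: CDI) -> None:
        self.cdis[cdi.name] = cdi

    def certify_tp(self, name: str, fn, validator, ivp) -> None:
        self.tps[name] = (fn, validator, ivp)

    def grant(self, user: str, tp: str, cdi: str) -> None:
        self.triples.add((user, tp, cdi))

    def run(self, user: str, tp: str, cdi_name: str, udi: str) -> bool:
        """True on a committed, verified transaction; False (with rollback) otherwise."""
        if (user, tp, cdi_name) not in self.triples:
            self.audit.append(f"DENY {user} {tp} {cdi_name}: no access triple")
            return False
        fn, validator, ivp = self.tps[tp]
        cdi = self.cdis[cdi_name]
        try:
            args = validator(udi)
        except ValueError as err:
            self.audit.append(f"REJECT {user} {tp}: {err}")
            return False
        snapshot = copy.deepcopy(cdi.balances)
        fn(cdi, args)
        if not ivp(cdi):
            cdi.balances = snapshot
            self.audit.append(f"ROLLBACK {user} {tp} {cdi_name}: IVP failed")
            return False
        self.audit.append(f"COMMIT {user} {tp} {cdi_name} {udi}")
        return True


def demo() -> Enforcer:
    """Constructed scenario; returns the enforcer so the audit trail can be inspected."""
    e = Enforcer()
    e.register_cdi(CDI("ledger"))
    e.certify_tp("transfer", tp_transfer, validate_transfer_udi, ivp_ledger_balanced)
    e.certify_tp("credit", tp_bad_credit, validate_transfer_udi, ivp_ledger_balanced)
    # Separation of duties: the clerk may transfer; only the auditor may run "credit".
    e.grant("clerk", "transfer", "ledger")
    e.grant("auditor", "credit", "ledger")
    e.run("clerk", "transfer", "ledger", "alice->bob:50")   # COMMIT
    e.run("clerk", "transfer", "ledger", "alice->bob:-5")   # REJECT: bad UDI
    e.run("clerk", "credit", "ledger", "alice->bob:50")     # DENY: no triple
    e.run("auditor", "credit", "ledger", "alice->bob:50")   # ROLLBACK: IVP fails
    return e


if __name__ == "__main__":
    for line in demo().audit:
        print(line)
```

The four calls in `demo` exercise each control in turn: a well-formed transaction commits, a bad UDI never reaches the CDI, a user without the access triple is denied even though the TP exists, and a certified-but-faulty TP is rolled back because the IVP fails. The audit list is the part a detection engineer would actually ship to a log pipeline.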
Bell-LaPadula vs. Biba
  • Bell-LaPadula: Write Up, Read Down
  • Biba: Read Up, Write Down
  • By design: one = confidentiality, one = integrity