EditWYSIWYGAttach PDF Raw View►More Actions▼More Actions

Restore topic to revision: You will be able to review the topic before saving it to a new revision

Copy text and form data to a new topic (no attachments will be copied though).
Name of copy:
You will be able to review the copied topic before saving

Rename/move topic... scans links in all public webs (recommended)
Rename/move topic... scans links in CBI_ComputerSecurity web only
Delete topic... scans links in all public webs (recommended)
Delete topic... scans links in CBI_ComputerSecurity web only

Revision Date Username Comment
1423 Jan 2015 - 15:43ThomasMisa 
1323 Jan 2015 - 15:36ThomasMisa 
1223 Jan 2015 - 15:34ThomasMisa 
1126 Nov 2014 - 10:14ThomasMisa 
1022 Jul 2014 - 11:11ThomasMisa 
922 Jul 2014 - 10:49ThomasMisa 
822 Oct 2013 - 13:52ThomasMisa 
703 Oct 2013 - 15:24norqu036? 
616 May 2013 - 10:29NicLewis 
515 May 2013 - 14:29NicLewis 
earlier first

Render style:     Context:

 History: r14 | r9 < r8 < r7 < r6
[X] Hide this message.
Notice: On June 30, 2016, UMWiki service will be decommissioned. If you have information in UMWIki that needs to be preserved, you should make plans to move it before that date. Google Sites is anticipated to be the most popular and appropriate alternative for users because it offers a more modern and user-friendly interface and unlimited capacity. To learn more about the features of Google Sites and other alternatives, and to identify which one best fits your needs, see the University’s Website Solution Selection Guide. If you have concerns or would like help regarding this change and your options, please contact Technology Help at help@umn.edu
You are here: UMWiki>CBI_ComputerSecurity Web>Publications>PubBellLaPadula (revision 7)

Current Activitieslock Who is Who?lock People Programs Publications CSHW_2014 Systems Events Mechanisms



David Bell and Leonard LaPadula. Secure Computer System: Unified Exposition and Multics Interpretation. Hanscom AFB, Bedford, MA (1976).

This was the final in a series of four papers in which David Bell and Leonard LaPadula of the not-for-profit MITRE Corporation outlined a mathematical model for creating secure computing systems. The first two papers, both from 1973, produced a mathematical framework and model, while the third, from 1974, developed refinements and extensions to the model. This fourth paper was created in 1975, and published by the MITRE Corporation in 1976, to synthesize the foundations created in the preceding papers, and to provide a practical example of the security model using the then contemporaneous MULTICS operating system.(1)(2) While not the first computer security model, Carl Weissman's ADEPT-50 system, and his "High-water mark," a security model stating that any object that a user opens will reflect the highest security level currently open, were introduced in 1969, the Bell-La Padula model outlined in the first three papers, and presented in a real-world use-case in the fourth, presented a practical, mathematical basis for computer security development.(3)

The impetus behind the Bell-LaPadula model grew out of a 1972 effort in the Electronic Systems Division of the United States Air Force. Major Roger Schell, head of the ESD, commissioned an assessment of computer security to find a solution to the Air Force's expensive policy of purchasing multiple and redundant computer systems to avoid placing classified and non-classified data on the same machine. Consultant James P. Anderson concluded that no existing systems met with the Air Force's requirements of placing data of multiple security clearance levels on the same machine, also noting that the use of "tiger teams" to test computer security did not result in secure systems. The Anderson report criticized existing models of computer security, such as Clark Weissman's "high-water mark" algorithm, which reclassified the security status of a file based upon the highest level security profile of the documents the file contained. The report stated that models such as the "high-water mark" did not provide sufficient criteria for security. Instead, the Anderson report recommended funding the development of a "security kernel," a small operating system that would intercede in all interactions between the main operating system, and the computer hardware, insuring that all traffic conformed to an established security requirement. The kernel would be small enough that, theoretically, it would be possible to verify that it functioned exactly as intended, a level of verification impossible on a large, complex operating system. This stipulation was to avoid the threat of Trojan horses, pieces of code that appeared to perform one function, but performed another, surreptitious function. Programmers could, and did, place unverified code into operating systems, sometimes for the purpose of creating "trap doors," secret points of access known only to the programmer. A security kernel was intended to help mitigate these threats.(4)(5)

Following the Anderson report, the ERD funded further security research at institutions such as the MITRE Corporation, where David Bell and Leonard LaPadula formulated the mathematical model of computer security that would carry their names. The Bell-LaPadula Model was based upon the concept of the computer as a whole system, and espoused the "*-property" (pronounced "star-property"), or the "no read up, no write down" property, which stated that subjects (which could be humans or processes on the computer) could not read files of a higher classification level than their own, nor could they write down to file of a lower classification than their own. The "no write down" rule was meant to prevent users and processes from writing data from a higher classification file down to a lower classification file. (6)(7) According to David Bell, this differed from the "high-water mark" model in that, with high-water mark, the security levels of files would start to migrate upward, with files rising to become classified as System High due to the model's feature of escalating security levels.(8) The *-property, according to Bell and LaPadula, would defeat the threat of Trojan horses, without the need of verifying all the code running on a computer. The model concluded that security was inductive, meaning that it was possible to maintain the security of a system as long as it adhered to the minimum check established in the model. This conclusion was controversial in computer security, as there were numerous conditions in which such a model did not work, including the presence of covert channels, which inadvertently leaked information through legitimate communication channels on the computer. However, the Bell-LaPadula model was, according to Roger Schell, a "foundation of mathematical completeness" for computer security, forming the basis for the mathematical modeling of security concepts, such as the security kernel.(9)


1 , 3 : lock BellSecureComputerSystem.pdf, 5-6 - 1976 Secure Computer System: Unified Exposition and Multics Interpretation paper (Login Required)

2 : http://star-property.offthisweek.com/resume.html

4 : Donald MacKenzie, Mechanizing Proof: Computing, Risk, and Trust, (Cambridge, MA: MIT Press, 2001), 158-162.

5 : Jeffrey R. Yost, "A History of Computer Security Standards," 601-605, in Karl de Leeuw and Jan Bergstra, eds., The History of Information Security: A Comprehensive Handbook, (Oxford, UK: Elsevier, 2007), 595-621.

6 : Donald MacKenzie, Mechanizing Proof: Computing, Risk, and Trust, (Cambridge, MA: MIT Press, 2001), 162-166.

7 : Jeffrey R. Yost, "A History of Computer Security Standards," 604-605, in Karl de Leeuw and Jan Bergstra, eds., The History of Information Security: A Comprehensive Handbook, (Oxford, UK: Elsevier, 2007), 595-621.

8 : Jeffrey R. Yost, "An Interview with David Elliott Bell, OH 411," Charles Babbage institute, 2012, 21-22.

9 : Donald MacKenzie, Mechanizing Proof: Computing, Risk, and Trust, (Cambridge, MA: MIT Press, 2001), 165-166.

Edit | WYSIWYG | Attach |  PDF |  History: r14 | r9 < r8 < r7 < r6 |  Backlinks |  Raw View | More topic actions...
Topic revision: r7 - 03 Oct 2013 - 15:24:45 - norqu036
Signed in as lewi0740 (NicLewis) | Sign out
UMWiki UMWiki
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding UMWiki? Send feedback