Multilevel Security

Richard E. Smith, University of St. Thomas


MLS Problem

Multiuser Operating Modes

Bell–La Padula Model


MLS and System Privileges

Limitations in MLS Mechanisms

Assurance Problem

System Design Strategies

Verifying System Correctness

Covert Channels

Evaluation, Certification, and Accreditation

Empty Shelf

Multilevel Networking

Labeled Networks

Multiple Independent Levels of Security (MILS)


Nondefense Applications Similar to MLS



Cross References



Many businesses and organizations need to protect secret information, and most can tolerate some leakage. Organizations that use multilevel security (MLS) systems tolerate no leakage at all. Businesses may face legal or financial risks if they fail to protect business secrets, but they can generally recover afterward by paying to repair the damage. At worst, the business goes bankrupt. Managers who take risks with business secrets might lose their jobs if secrets are leaked, but they are more likely to lose their jobs to failed projects or overrun budgets. This places a limit on the amount of money a business will invest in data secrecy.

The defense community, which includes the military services, intelligence organizations, related government agencies, and their supporting enterprises, cannot easily recover from certain information leaks. Stealth systems are not stealthy if the targets know what to look for, and surveillance systems do ...

Get Handbook of Information Security: Threats, Vulnerabilities, Prevention, Detection, and Management, Volume 3 now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.