62 CHAPTER 5. VERIFIABLE SECURITY GOALS
4. The join operator ⊕ is a totally deﬁned least upper bound operator.
The key result comes from axiom 4. In a ﬁnite lattice, the join operator is deﬁned for any
combination of security classes. Thus, for X
⊕ ... ⊕ X
= Z, the security class Z that results
from a combination of data from any security classes in SC must also be in SC. For lattice policies,
the results of any join operation can be modeled because the securit y class of the operation can always
Note that the Example 5.5(b) satisﬁes the Denning axioms, so it is a ﬁnite lattice. Any
combination of data can be assigned a security class. For example, when a secret process generates
data read from conﬁdential and unclassiﬁed inputs, the data generated is labeled secret, which is the
least upper bound of the three secur ity classes. However, we can see that Example 5.5(a) does not
satisfy axioms 3 and 4, so we cannot label the results from any operation that uses the data from two
Finally, a useful concept is the inverse of the can-ﬂow relation, called the dominance relation.
Dominance is typically used in the security literature.
Deﬁnition 5.7. A ≥ B (read as A dominates B) if and only if B → A.The strictly dominates relation
> is deﬁned by A>B if and only if A ≥ B and A = B. We say that A and B are comparable if
A ≥ B or B ≥ A. Otherwise, A and B are incomparable.
Dominance indicates which security c lass is more sensitive (i.e., contains data that is more
secret). From a security perspective, dominance deﬁnes the information ﬂows that are not allowed.
That is, if A>B, then A’s data must not ﬂow to B or this constitutes a leak.
5.2.2 BELL-LAPADULA MODEL
The most common information ﬂow model in secure operating systems for enforcing secrecy re-
quirements is the Bell-LaPadula (BLP) model . There are a variety of models associated with
Bell and LaPadula, but we describe a common variant here, known as the Multics interpretation.
This BLP model is a ﬁnite lattice model where the security classes represent two dimensions of
secrecy: sensitivity level and need-to-know. The sensitive level of data is a total order indicating se-
crecy regardless of the type of data. In the BLP model, these levels consist of the four governmental
security classes mentioned previously: top-secret, secret, conﬁdential, and unclassiﬁed. However, it was
found that not everyone with a particular security class “needs to know” all the information labeled
for that class.The BLP model includes a set of categor ies that describe the topic areas for data, deﬁn-
ing the need-to-know access. The BLP model assigns a sensitivity level that deﬁnes the secrecy level
that the subject is authorized for, and also a set of categories, called a compartment, to each subject
and object. The combination of sensitivit y level and compartment for a subject are often called its
clearance. For objects, their combination of sensitivity level and compartment are called its access class.
Example 5.8. Figure 5.3 shows a Bell-LaPadula policy with two sensitivity lev els and three cate-
gories. The edges show the direction of information ﬂow authorized by the Bell-LaPadula policy. If
5.2. INFORMATION FLOW SECRECY MODELS 63
Figure 5.3: This a Haase diagram (with the information ﬂow direction added in edges) of a Bell-
LaPadula policy consisting of two sensitivity levels (top-secret and secret where top-secret dominates) and
three categories (NUC, MIL, and ST). The edges show the information ﬂows authorized by the Bell-
LaPadula model for this lattice.
a subject is cleared for top-secret:MIL, it is able to read from this class, top-secret:none,
and secret:MIL. However, information cannot ﬂow to the top-secret:MIL class from
top-secret:MIL+ST or others that include categories besides MIL. Even information that is labeled
with the secret sensitivity level, but has additional categories may not ﬂow to top-secret:MIL.
Of course, subjects at the top-secret:MIL clearance can write to any top-secret class that in-
cludes the category MIL, but none of secret classes.The latter is not possible because the sensitivity
level top-secret dominates or is incomparable to any secret class. Writes may only be allowed
to classes that dominate the subject’s clearance.
The BLP model deﬁnes two key properties for information ﬂow secrecy enforcement.
Deﬁnition 5.9. The simple-security property states that subject s c an read an object o only if SC(s) ≥
SC(o). Thus, a subject can only read data that at their security class or is less secret. Second, the