Bell-LaPadula and Biba

📏 Models of Control: Bell-LaPadula, Biba, and the Origins of Information Assurance

By James K. Bishop, vCISO | Founder, Stage Four Security

As computer systems evolved in the 1970s, the U.S. Department of Defense needed a way to ensure that sensitive data—classified, secret, and top secret—couldn’t leak between users or systems. In response, researchers developed formal models of access control that mathematically proved security properties. Two of the most influential were Bell-LaPadula and Biba.

This post explains what these models do, why they were necessary, and how they laid the groundwork for information assurance, multilevel security, and system certification frameworks that persist to this day.

🔒 Bell-LaPadula (1973): Confidentiality First

  • Creators: David Elliott Bell and Leonard J. LaPadula
  • Developed for: U.S. Department of Defense Multics systems
  • Focus: Ensuring confidentiality—preventing unauthorized disclosure of information

🧪 Core Properties

  • Simple Security Property (no read up): A subject at a lower security level cannot read data at a higher level (e.g., unclassified user can’t read classified data)
  • *-Property (Star Property, no write down): A subject at a higher security level cannot write to a lower level (prevents leaking secret data into public areas)

Bell-LaPadula was the first major formal security model and is still the backbone of government-grade multilevel security (MLS) systems today.

🔧 Biba Model (1977): Integrity Over Confidentiality

  • Creator: Kenneth J. Biba
  • Focus: Data integrity—ensuring information is not improperly modified

🔄 Core Rules

  • Simple Integrity Property (no read down): Subjects should not read data at lower integrity levels (prevents contamination)
  • Integrity *-Property (no write up): Subjects should not write to higher-integrity objects (prevents corruption)

Biba flipped Bell-LaPadula’s logic, focusing on protecting data from tampering rather than unauthorized reading. It found major application in commercial and safety-critical systems like financial transactions and aviation controls.
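The four rules from both models, enforced together by one reference-monitor check. This is an added example, not code from the original post; the level names, the `Label` type and the sample subject and objects are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Conf(IntEnum):   # confidentiality levels (assumed names)
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2

class Integ(IntEnum):  # integrity levels (assumed names)
    UNTRUSTED = 0
    USER = 1
    SYSTEM = 2

@dataclass(frozen=True)
class Label:
    conf: Conf
    integ: Integ

def blp_violation(subj, obj, op):
    """Bell-LaPadula: return the confidentiality rule this access breaks, or None."""
    if op == "read" and subj.conf < obj.conf:
        return "BLP simple security (no read up)"
    if op == "write" and subj.conf > obj.conf:
        return "BLP *-property (no write down)"
    return None

def biba_violation(subj, obj, op):
    """Biba: return the integrity rule this access breaks, or None."""
    if op == "read" and subj.integ > obj.integ:
        return "Biba simple integrity (no read down)"
    if op == "write" and subj.integ < obj.integ:
        return "Biba integrity *-property (no write up)"
    return None

def check(subj, obj, op):
    """Mandatory check: allowed only if neither model objects. Returns (allowed, reasons)."""
    if op not in ("read", "write"):
        raise ValueError(f"unsupported operation: {op!r}")
    reasons = [r for r in (blp_violation(subj, obj, op), biba_violation(subj, obj, op)) if r]
    return (not reasons, reasons)

if __name__ == "__main__":
    analyst = Label(Conf.SECRET, Integ.USER)  # constructed sample subject
    objects = {"war plan": Label(Conf.TOP_SECRET, Integ.SYSTEM),
               "case file": Label(Conf.SECRET, Integ.USER),
               "public wiki": Label(Conf.UNCLASSIFIED, Integ.UNTRUSTED)}
    for name, label in objects.items():
        for op in ("read", "write"):
            allowed, reasons = check(analyst, label, op)
            print(f"{op:5} {name:11} -> {'ALLOW' if allowed else 'DENY: ' + '; '.join(reasons)}")
```

With both models applied to the same subject, reading and writing the same object are both permitted only when the subject's and object's labels are equal, which is why the two models pull in opposite directions.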

⚖️ Why These Models Mattered

  • First provable security models: Used formal logic to show systems could enforce policy rules
  • Separated policy from mechanism: Influenced the architecture of trusted computing bases (TCBs)
  • Set the stage for mandatory access controls: Unlike DAC (Discretionary Access Control), these models enforced controls that users couldn’t override
  • Formed the basis of the Orange Book (TCSEC): U.S. Department of Defense standard for evaluating secure systems

📘 Real-World Applications

  • SELinux and AppArmor: Implement MAC (Mandatory Access Control) models that draw on Bell-LaPadula/Biba logic
  • Multilevel secure databases: Store data at multiple classifications while enforcing access rules
  • Policy engines like OPA: While more flexible, their structure echoes these early models—conditions, rules, and provable outcomes

📣 Final Thought

Bell-LaPadula and Biba were the cybersecurity field’s first real frameworks. They showed that we could reason about trust—not just configure it. And while modern systems demand more nuance, the core ideas still guide how we enforce policies, build controls, and certify systems. If you’re building secure software or designing access policies, you’re standing on their shoulders.

Need help applying provable models to cloud-native architecture, zero trust, or access control policy design? Let’s talk.
