Security Models: BLP, Biba & Clark-Wilson
Security Models: Bell-LaPadula, Biba & Clark-Wilson
Key Terms
Memory Aid: Learn This First
Bell-LaPadula (BLP): Confidentiality Model
BLP was designed for military/government classification systems. Its core goal: prevent information from flowing to a subject with insufficient clearance.
| Rule | Name | Meaning | Example |
|---|---|---|---|
| No Read Up | Simple Security Rule | A subject CANNOT read an object at a HIGHER classification than their clearance | A Secret-cleared analyst cannot read Top Secret documents |
| No Write Down | Star Property (*-property) | A subject CANNOT write data to an object at a LOWER classification than their clearance (prevents leaking classified data down) | A Top Secret user cannot email classified info to a Secret-level mailbox |
| Strong Star | Strong Star Property | A subject can only read AND write objects at their own classification level (most restrictive form; plain BLP still allows writing up) | A Top Secret user can only read and write Top Secret objects, not Secret or Confidential ones |
Biba: Integrity Model
Biba is the dual of BLP: it protects data integrity rather than confidentiality, so each BLP rule is inverted. High-integrity processes must not be contaminated by low-integrity data, and low-integrity subjects must not modify high-integrity data.
| Rule | Name | Meaning | Example |
|---|---|---|---|
| No Read Down | Simple Integrity Rule | A subject CANNOT read data from a LOWER-integrity object (low-integrity input could corrupt high-integrity decisions) | Credit scoring model cannot read raw customer-submitted text directly |
| No Write Up | Integrity Star Property | A subject CANNOT write to a HIGHER-integrity object (low-integrity actor cannot modify high-integrity data) | A customer-facing service cannot write directly to the credit decision database |
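The two tables above are the same lattice check with the comparison flipped. The following is an added example (not code from the original page): a minimal access-decision module that encodes the BLP simple/star/strong-star rules and the Biba simple-integrity/integrity-star rules over a linear label order. The label names and their ordering are assumptions chosen to match the examples in the tables.

```python
"""Bell-LaPadula and Biba access decisions over a linear label lattice.

Added example, not from the original page. Labels, subjects and objects are
constructed for illustration. Each function returns True when the model permits
the access and False when it denies it.
"""

# Constructed linear orderings: a higher index is a higher classification
# (BLP) or a higher integrity level (Biba).
CLASSIFICATION = ["Unclassified", "Confidential", "Secret", "Top Secret"]
INTEGRITY = ["untrusted", "validated", "system"]


def _rank(order: list, label: str) -> int:
    """Map a label to its position in the lattice; unknown labels are rejected
    rather than silently treated as the lowest level."""
    if label not in order:
        raise ValueError(f"unknown label: {label!r}")
    return order.index(label)


def blp_can_read(subject_clearance: str, object_class: str) -> bool:
    """Simple Security Rule: no read up. Reading at the same or a lower level is allowed."""
    return _rank(CLASSIFICATION, subject_clearance) >= _rank(CLASSIFICATION, object_class)


def blp_can_write(subject_clearance: str, object_class: str, strong_star: bool = False) -> bool:
    """Star property: no write down. Writing to the same or a higher level is
    allowed; with strong_star=True only the subject's own level is writable."""
    s = _rank(CLASSIFICATION, subject_clearance)
    o = _rank(CLASSIFICATION, object_class)
    return s == o if strong_star else s <= o


def biba_can_read(subject_integrity: str, object_integrity: str) -> bool:
    """Simple Integrity Rule: no read down. A subject may only read objects at
    its own integrity level or higher, so low-integrity data cannot taint it."""
    return _rank(INTEGRITY, subject_integrity) <= _rank(INTEGRITY, object_integrity)


def biba_can_write(subject_integrity: str, object_integrity: str) -> bool:
    """Integrity Star Property: no write up. A subject may only write objects at
    its own integrity level or lower."""
    return _rank(INTEGRITY, subject_integrity) >= _rank(INTEGRITY, object_integrity)


def decide(model: str, op: str, subject: str, obj: str) -> str:
    """Combined decision in the form an audit log would record it."""
    rules = {
        ("blp", "read"): blp_can_read,
        ("blp", "write"): blp_can_write,
        ("biba", "read"): biba_can_read,
        ("biba", "write"): biba_can_write,
    }
    allowed = rules[(model, op)](subject, obj)
    return f"{model.upper()} {op} {subject!r} -> {obj!r}: {'ALLOW' if allowed else 'DENY'}"


if __name__ == "__main__":
    # The page's own examples, run through the rules:
    print(decide("blp", "read", "Secret", "Top Secret"))        # no read up
    print(decide("blp", "write", "Top Secret", "Secret"))       # no write down
    print(decide("blp", "read", "Top Secret", "Confidential"))  # reading down is fine
    print(decide("biba", "read", "system", "untrusted"))        # no read down
    print(decide("biba", "write", "untrusted", "system"))       # no write up
```

Note that `biba_can_read` is literally `blp_can_write` with the label order reinterpreted as integrity, which is the precise sense in which Biba is the dual of BLP.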
Clark-Wilson: Commercial Integrity Model
Clark-Wilson is designed for commercial environments (banking, accounting). It ensures data can only be modified in controlled ways: through certified, audited procedures, by authorized users, with separation of duties so that no single user can run every step of a transaction.
Key Components
| Component | Acronym | Definition | Platform C Example |
|---|---|---|---|
| Constrained Data Items | CDI | Sensitive data that must be protected and can only be modified via TPs | Loan application state, credit decision records, disbursement amounts |
| Unconstrained Data Items | UDI | Input data not yet validated; untrustworthy until a TP either validates it and converts it into a CDI or rejects it outright | Raw customer-submitted loan application form data |
| Transformation Procedures | TP | The ONLY authorized operations that can modify CDIs β well-defined, audited transactions | Temporal workflow activities: applyForLoan(), approveLoan(), disburseFunds() |
| Integrity Verification Procedures | IVP | Procedures that confirm CDIs are valid and consistent | Post-disbursement reconciliation: verify disbursed amount matches approved amount |
Brewer-Nash (Chinese Wall): Conflict of Interest
Brewer-Nash prevents conflicts of interest by dynamically restricting access based on what you have ALREADY accessed. Once you access one client's data, you cannot access data of any other client in the same conflict-of-interest class (a competitor); the "wall" is erected after first access, not before.
| Concept | Explanation |
|---|---|
| Conflict of Interest Class | A group of competing organizations (e.g., Bank A and Bank B) |
| Dynamic Separation | Access restrictions change based on access history β not pre-defined roles |
| Use Cases | Investment banks, consulting firms, law firms β professionals who serve competing clients |
| Key Difference from SoD | Brewer-Nash is dynamic (history-based); SoD is static (role-based) |
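The history-based behaviour in the table is easiest to see as code. The following is an added example, not code from the page: a small Chinese Wall reference monitor whose read decision depends on the subject's access history, plus the model's write rule, which prevents a subject who has read two companies' data from acting as a channel between them. The datasets, conflict-of-interest classes and subjects are constructed.

```python
"""Brewer-Nash (Chinese Wall) decisions driven by access history.

Added example, not from the original page. Datasets, classes and subjects are
constructed. Read rule: a subject may read a dataset unless it has already read
a different dataset in the same conflict-of-interest class. Write rule: a
subject may write a dataset only if every unsanitized dataset it has read
belongs to that same company.
"""
from collections import defaultdict

# Constructed: dataset -> conflict-of-interest class (None = sanitized/public
# data that never conflicts with anything).
COI_CLASS = {
    "BankA": "retail-banking",
    "BankB": "retail-banking",
    "OilCo": "energy",
    "GasCo": "energy",
    "MarketIndex": None,
}


class ChineseWall:
    def __init__(self, coi_class: dict):
        self.coi_class = coi_class
        # subject -> set of datasets it has read; this history IS the policy state
        self.history = defaultdict(set)

    def can_read(self, subject: str, dataset: str) -> bool:
        cls = self.coi_class[dataset]
        if cls is None:
            return True  # sanitized data sits outside every wall
        return not any(prior != dataset and self.coi_class[prior] == cls
                       for prior in self.history[subject])

    def can_write(self, subject: str, dataset: str) -> bool:
        """A write is allowed only if the subject could read the target and has
        read no other company's unsanitized data (blocks indirect leakage)."""
        if not self.can_read(subject, dataset):
            return False
        return all(prior == dataset or self.coi_class[prior] is None
                   for prior in self.history[subject])

    def read(self, subject: str, dataset: str) -> str:
        """Apply the read rule and, on ALLOW, record the access. This is the
        moment the wall goes up against the rest of the class."""
        if not self.can_read(subject, dataset):
            return f"DENY  {subject} read {dataset} (history: {sorted(self.history[subject])})"
        self.history[subject].add(dataset)
        return f"ALLOW {subject} read {dataset}"


if __name__ == "__main__":
    wall = ChineseWall(COI_CLASS)
    print(wall.read("alice", "BankA"))        # ALLOW: no history yet
    print(wall.read("alice", "BankB"))        # DENY: competitor of BankA
    print(wall.read("alice", "OilCo"))        # ALLOW: different conflict class
    print(wall.can_write("alice", "BankA"))   # False: alice has also read OilCo
    print(wall.read("bob", "BankB"))          # ALLOW: bob's history is separate
```

Because the decision depends on `history`, the same request ("alice reads BankB") is allowed before the BankA read and denied after it; a static role matrix cannot express that.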
Model Comparison Table
| Model | Property Protected | Key Rules | Sector | Platform C Relevance |
|---|---|---|---|---|
| Bell-LaPadula | Confidentiality | No Read Up, No Write Down | Military / Government | Low: TS data is commercial, not classified |
| Biba | Integrity | No Read Down, No Write Up | Financial, critical systems | High: credit scoring integrity, input validation |
| Clark-Wilson | Integrity (commercial) | Well-formed transactions, SoD, CDI/TP | Banking, accounting | High: loan workflow activities = Transformation Procedures |
| Brewer-Nash | Conflict of interest | Dynamic access based on history | Consulting, investment banking | Medium: multi-lender platform isolation (Partner A vs Partner D) |
- BLP = Confidentiality (No Read UP, No Write DOWN): information flows upward to higher classification only
- Biba = Integrity (No Read DOWN, No Write UP): information flows downward to lower integrity only, so nothing untrusted can reach a high-integrity object
- TRICK: BLP's "No Read Up" means a Secret-cleared person CANNOT read Top Secret documents; they have a clearance, but it is not high enough
- Clark-Wilson = Commercial integrity (well-formed transactions + SoD). NOT for government; that is BLP
- Brewer-Nash = conflict of interest. It is DYNAMIC: the wall is erected AFTER you access one client's data, not before
- BLP allows Low to read Low and High to read Low (no restriction on reading at the same or a lower level); only reading UP is blocked
Biba in Platform C credit scoring: The credit scoring service (high integrity) must never read raw customer input directly (No Read Down) and must accept inputs only from authorized services. In Clark-Wilson terms, customer data enters as a UDI; a Transformation Procedure in the application service validates it and either promotes it to a CDI that may influence the credit decision or rejects it, and an IVP later confirms that the stored CDIs are still consistent.
Clark-Wilson in Platform C loan workflows: All Partner A loan application state transitions must occur only through Temporal workflow activities (WFTs: Well-Formed Transactions). No direct database writes are allowed outside the workflow. The workflow definition enforces that state transitions follow the defined sequence Apply -> Verify -> Approve -> Disburse, so any attempt to skip a step is rejected. For the "no direct writes" rule to actually hold, database write credentials must be held only by the workflow workers: Temporal cannot see or block a write made outside the workflow, so that part of the TP enforcement is a database permission, not a workflow feature.
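The Key Components table and the two Platform C paragraphs above describe one enforcement pattern: a TP validates a UDI into a CDI, only TPs may advance the CDI through a fixed sequence of states, a separation-of-duties check stops one actor from running consecutive steps, and an IVP reconciles the result afterwards. The following is an added example of that pattern and is not Platform C's or Temporal's code: the state names, role matrix, field names and amount limit are assumptions, and the loan data is constructed. The SoD check used (the actor of a TP may not be the actor of the previous TP on the same CDI) is one simple form of SoD, not the page's stated policy.

```python
"""Clark-Wilson enforcement for a loan CDI. Added example, not Platform C code.

UDI -> TP (applyForLoan) -> CDI; later TPs may only move the CDI along
APPLIED -> VERIFIED -> APPROVED -> DISBURSED; an IVP reconciles the record.
All names, roles and limits are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

STATE_ORDER = ["APPLIED", "VERIFIED", "APPROVED", "DISBURSED"]
TP_ORDER = ["applyForLoan", "verifyApplication", "approveLoan", "disburseFunds"]
MAX_AMOUNT = 50_000_00  # assumed product limit, in cents


@dataclass
class LoanCDI:
    """Constrained Data Item: created and modified only by the TPs below."""
    app_id: str
    amount_requested: int
    state: str = "APPLIED"
    amount_approved: Optional[int] = None
    amount_disbursed: Optional[int] = None
    audit: list = field(default_factory=list)  # (tp, actor), in execution order


class LoanWorkflow:
    # Assumed SoD matrix: the only role certified to run each TP.
    TP_ROLE = {"applyForLoan": "customer-service", "verifyApplication": "underwriter",
               "approveLoan": "credit-officer", "disburseFunds": "treasury"}

    def __init__(self):
        self.cdis = {}

    def _tp(self, name, actor, role, cdi, from_state, to_state):
        """Common TP guard: certified role, correct predecessor state, SoD, audit."""
        if self.TP_ROLE[name] != role:
            raise PermissionError(f"{name}: role {role!r} not certified for this TP")
        if cdi.state != from_state:
            raise RuntimeError(f"{name}: CDI is {cdi.state}, expected {from_state}")
        if cdi.audit and cdi.audit[-1][1] == actor:
            raise PermissionError(f"{name}: SoD: {actor!r} ran the previous TP")
        cdi.audit.append((name, actor))
        cdi.state = to_state

    def apply_for_loan(self, actor, role, udi: dict) -> LoanCDI:
        """TP that takes a UDI: validate it into a CDI or reject it entirely."""
        if self.TP_ROLE["applyForLoan"] != role:
            raise PermissionError("applyForLoan: role not certified for this TP")
        app_id, amount = udi.get("app_id"), udi.get("amount")
        if not isinstance(app_id, str) or not app_id.isalnum():
            raise ValueError("reject UDI: bad app_id")
        if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= MAX_AMOUNT:
            raise ValueError("reject UDI: bad amount")
        if app_id in self.cdis:
            raise ValueError("reject UDI: duplicate application")
        cdi = LoanCDI(app_id=app_id, amount_requested=amount, audit=[("applyForLoan", actor)])
        self.cdis[app_id] = cdi
        return cdi

    def verify_application(self, actor, role, app_id):
        self._tp("verifyApplication", actor, role, self.cdis[app_id], "APPLIED", "VERIFIED")

    def approve_loan(self, actor, role, app_id, amount_approved):
        cdi = self.cdis[app_id]
        if not 0 < amount_approved <= cdi.amount_requested:
            raise ValueError("approveLoan: amount outside requested range")
        self._tp("approveLoan", actor, role, cdi, "VERIFIED", "APPROVED")
        cdi.amount_approved = amount_approved

    def disburse_funds(self, actor, role, app_id, settled_amount):
        """settled_amount is what the payment rail reports back; the TP records
        it and the IVP below reconciles it against the approval."""
        cdi = self.cdis[app_id]
        self._tp("disburseFunds", actor, role, cdi, "APPROVED", "DISBURSED")
        cdi.amount_disbursed = settled_amount

    def ivp_reconcile(self, app_id) -> list:
        """IVP: confirm the CDI is internally consistent; returns the violations found."""
        cdi = self.cdis[app_id]
        problems = []
        names = [tp for tp, _ in cdi.audit]
        if names != TP_ORDER[:len(names)]:
            problems.append(f"TP sequence {names} deviates from {TP_ORDER}")
        elif cdi.state != STATE_ORDER[len(names) - 1]:
            problems.append(f"state {cdi.state} inconsistent with audit trail {names}")
        if cdi.state == "DISBURSED" and cdi.amount_disbursed != cdi.amount_approved:
            problems.append(f"disbursed {cdi.amount_disbursed} != approved {cdi.amount_approved}")
        return problems


def attempt(fn, *args) -> str:
    """Run a TP and report the outcome the way an audit log would."""
    try:
        fn(*args)
        return "OK"
    except (PermissionError, RuntimeError, ValueError) as exc:
        return f"REJECTED: {exc}"


if __name__ == "__main__":
    wf = LoanWorkflow()
    print(attempt(wf.apply_for_loan, "svc-app", "customer-service", {"app_id": "A1", "amount": 1_000_00}))
    print(attempt(wf.apply_for_loan, "svc-app", "customer-service", {"app_id": "A2", "amount": "100"}))
    print(attempt(wf.approve_loan, "carol", "credit-officer", "A1", 1_000_00))   # skipped Verify
    print(attempt(wf.verify_application, "bob", "underwriter", "A1"))
    print(attempt(wf.approve_loan, "bob", "credit-officer", "A1", 90_000))        # SoD
    print(attempt(wf.approve_loan, "carol", "credit-officer", "A1", 90_000))
    print(attempt(wf.disburse_funds, "dave", "treasury", "A1", 90_000))
    print(wf.ivp_reconcile("A1"))
```

Note what each layer catches: the UDI check rejects a string amount before any CDI exists, the state guard rejects an approval that skips verification, the SoD guard rejects the underwriter approving the loan they just verified, and the IVP is the only place a disbursement that disagrees with the approval is detected, which is why reconciliation has to run even when every TP reported success.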
Practice Questions
Q1. A Secret-cleared government analyst attempts to read a Top Secret document. According to Bell-LaPadula, which rule prevents this access?
A. Simple Security Rule (No Read Up): BLP prevents reading objects at a classification above the subject's clearance level
Q2. A low-integrity external data feed attempts to update a high-integrity credit decision record directly. Which Biba rule is violated?
A. Integrity Star Property (No Write Up): low-integrity subjects cannot write to high-integrity objects
Q3. A bank wants to ensure that all financial transactions follow defined procedures, cannot be modified arbitrarily, and require multiple roles to approve. Which security model BEST fits these requirements?
A. Clark-Wilson: designed for commercial integrity with well-formed transactions, CDI protection, and separation of duties
Q4. In Clark-Wilson, a customer fills out a loan application form and submits it. At this point, the submitted form data is best described as which type of data item?
A. UDI (Unconstrained Data Item): raw, unvalidated input that has not yet been validated by a TP and promoted to a CDI
Q5. A consultant at a financial advisory firm accesses data for Client A (a bank). Later, a colleague asks the consultant to review a document for Client B (a competitor bank). The system denies access. Which model is enforcing this?
A. Brewer-Nash (Chinese Wall): once Client A data is accessed, access to competing Client B data is dynamically blocked