2

For mandatory access control, the following rules, due to Bell and La Padula, are imposed:

  1. User i can retrieve object j only if the clearance level of i is greater than or equal to the classification level of j.
  2. User i can update object j only if the clearance level of i is equal to the classification level of j.

For the second rule, I can understand for the insert case. Such rule is necessary in order to prevent a user with secret classification from copying secret data to a file of lower classification. But why for delete and modify? Why should not a user from higher class delete and modify data of the lower class?

CodesInChaos
  • 11,854
  • 2
  • 40
  • 50
Ju Ju
  • 39
  • 3

1 Answers1

0

Quoting from the SSCP CBK Book, to substantiate your concern, the issue with the Bell-LaPadula architecture is laid out:

However, it [Bell-La Padula] does not take into consideration the possibility that a subject may add, append or transmit sensitive information to an area of lower sensitivity.

It goes on to say:

Bell-LaPadula adds another property to counteract this called the star '*' property. The "*" property blocks the channel between different sensitivities such that when a subject has accessed an object for a read operation, then objects at a lower sensitivity level cannot be accessed for create and modify operations ("no write down").

The answer to your question in the simplest sense is the "no write down" rule includes insert, modify and delete because they are all write operations.

Further to that modifying existing records is not much different than inserting data when concerned about data leakages from high clearance objects to lower ones.

Whome
  • 1,231
  • 11
  • 21