
I am currently studying both the Bell-LaPadula and Biba models. I found these models too theoretical as I see the examples, and I can see that they are used for designing particular services that need a particular security design that can be achieved with the Bell-LaPadula or Biba model. However, I can't see that these models fit operating systems, for example, as in general we can read and write files. Or maybe another example, like a professor that has a level "Expert {Science}" and wants to read and modify exams of the students that have "Student {Science}".

So, are Bell-LaPadula and Biba models used in real big software security design? Or are they for special features? In that last case, operating systems like Unix implement other models that maybe have features that are implemented with models like Bell-LaPadula or Biba.



As the name suggests, these are models, not implementations. Bell-LaPadula provided a framework that guided how to think about confidentiality (and that significantly impacted the military clearance system), but it is not actively the source of any modern system's security.

from:

Limitations of BLP
  • Restricted to confidentiality.
  • No policies for changing access rights; a complete general downgrade is secure; BLP intended for systems with static security levels.
  • BLP contains covert channels: a low subject can detect the existence of high objects when it is denied access.
  • Sometimes, it is not sufficient to hide only the contents of objects. Also their existence may have to be hidden.

As you can see from these limitations, the model is not sufficient for a modern system security design.

Here is a previous question that asks for practical examples, and you can see that the answers discuss how the model influenced thinking, not how it provided a map for implementation: Practical non-government uses of Biba, Bell-LaPadula, etc. models

J Kimball
The models are often an integral part of a more comprehensive framework. SELinux for example supports BLP despite the flask architecture being far more sophisticated. – forest May 22 '18 at 04:30
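The professor/student scenario from the question and the existence-leak limitation quoted in the answer, worked through as an added example that is not from the question, the answer, or any real system. The two-level lattice, the object names and the `mediate` reference monitor are constructed for illustration; under BLP the professor may read but not write the student's exam, under strict Biba it is the reverse, and the monitor shows why a denial that is distinguishable from "not found" leaks the existence of a high object.

```python
from dataclasses import dataclass

# Constructed lattice for this example: two levels, categories as a set.
LEVELS = {"Student": 1, "Expert": 2}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset
    def dominates(self, other):
        """Higher-or-equal level AND a superset of the other's categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(op)

def biba_allows(subject, obj, op):
    """Strict Biba (integrity), the dual of BLP: no read down, no write up."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(op)

# Constructed object store: a student's exam and an expert-only grading key.
OBJECTS = {
    "exam_alice": Label("Student", frozenset({"Science"})),
    "grading_key": Label("Expert", frozenset({"Science"})),
}

def mediate(subject, name, op, policy=blp_allows, hide_existence=True):
    """Reference monitor over OBJECTS. With hide_existence=False a denied
    request and a missing object get different answers, so a low subject can
    probe names and learn that a high object exists (the covert channel in
    the quoted limitations). With hide_existence=True both look identical."""
    obj = OBJECTS.get(name)
    if obj is not None and policy(subject, obj, op):
        return "ok"
    if obj is None:
        return "no such object"
    return "no such object" if hide_existence else "denied"

professor = Label("Expert", frozenset({"Science"}))
student = Label("Student", frozenset({"Science"}))
```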