Hola

Looking Back at the Bell-La Padula Model
David Elliott Bell Reston VA, 20191 December 7, 2005

Abstract
The Bell-La Padula security model produced conceptual tools for the analysis and design of secure computer systems. Together with its sibling engineering initiatives, it identified and elucidated security principles that endure today. This paper reviews those security principles, first intheir own time, and then in the context of today’s computer and network environment.

1. Looking Back
I look back at the Bell-La Padula Model over a career in security engineering that began with a concentrated burst of security modeling between 1972 to 1975. It is difficult, therefore, to limit myself to modeling and to exclude security topics without which real systems would never reach the field.I choose, then, to look back on both the modeling work and its engineering siblings so as to highlight their contributions to the DNA of network and computer security. What follows is not a synthesized chronicle of everything that happened but my own experiences and knowledge since the publication of the Bell-La Padula model.

2. Before the Bell-La Padula Model
In the late 1960’s, developmentsin commercial operating systems suggested the possibility of tremendous cost savings. Time-sharing was starting to provide commercial customers the ability to share the leasing costs of IBM and other big-iron computers through simultaneous or sequential use of the expensive mainframe computers. For those in classified government circles, this new capability promised even more savings. Beforetime-sharing, separate computers had to be used for each different security level which was processed on computers, or careful “color changes” had to be made so that the same equipment could be used sequentially to process information at different security levels (referred to as “periods processing”). There was therefore

the possibility of sharing those computer systems across security levels, withan important proviso. It was crucial that that processing artifacts of each security level (files, registers, data) be kept rigorously separate with a high degree of confidence. An initial effort in this direction was commissioning computer experts to test the security robustness of computer systems that were developed in response to market forces. The experts were called “tiger teams.” The successof the tiger teams was spectacular. “It is a commentary on contemporary systems that none of the known tiger team efforts has failed to date” [1]. The situation was in reality even worse than it first sounds. Tiger Teams, flush with success in attacking and taking over system A, would try their successful system-A attacks on system B. Alarmingly, many previous attacks worked immediately. Even moreworrying were the possibilities opened by a successful attack. After capturing the system and inserting a back-door entrance, penetrators could report the initial flaw and gain a reputation for good citizenship. This planting of back-doors, particularly back-doors that would persist through system and compiler recompilations, was documented in an Air Force report [2] and was the direct stimulus forthe back door Ken Thompson described in his Turing lecture [3] [4]. The conclusions drawn from Tiger Teams included the ultimate futility of “penetrate and patch” and the necessity of designing and building computer systems using a sound notion of “security” in computer systems. The U.S. Air Force initiated a set of engineering tasks, paired with several parallel modeling efforts to produce “. . .a formal statement of what is meant by a secure system — that is a model or ideal design” [5].

3. Bell-La Padula Model, 1972–1975
3.1. Problem Statement
In the summer of 1972, The MITRE Corporation initiated its task to produce a report entitled “Secure Computer Systems.” The report was to describe a “mathematical model of security in computer systems.” This task was one

of several in...