Bell-LaPadula Model

April 16, 2023

Bell LaPadula Model (BLP)

Bell-LaPadula is a security model for managing access control and was originally developed for use in the military in the 1970s.

The model is used to ensure confidentiality of information. To do this, the model sets out different attributes:

  • Security clearance for Subjects (people or groups)
  • Security classification for Objects (files, documents etc)

This means that subjects will have a security clearance level, which will determine the level of object security classification they can interact with.

Security Levels

A typical range of security levels (from high to low) may look something like:

  • Top Secret
  • Secret
  • Confidential
  • Unrestricted

Subjects like Military Chiefs would have Top Secret clearance, and subjects like lower level admin employees may only have Unrestricted or Confidential clearance.

Similarly, Objects like detailed military plans could be classified as ‘Top Secret’, whilst publicly accessible recruitment leaflets may be ‘Unrestricted’ level.

In practice, this restricts subjects from certain access of objects, depending on the policy of the model.

Bell-LaPadula implements these restrictions using a few different policies, an can be thought of as actions involving ‘reading’ or ‘writing’.

Simple Security Policy

Simple Security Policy - “No read ups”

This policy restricts a subject from reading an object at a higher security level, only allowing the subject to read at its own level or lower.

Level Subject Object
Top Secret
Secret Operation Report
Confidential Recruiter Personel File
Unrestricted Marketing Leaflet

In the example above, the Recruiter has ‘Confidential’ level clearance which means they can access the Personel File, as this object has the same security level. They could also access the Marketing Leaflet, as this has an ‘Unrestricted’ level which is lower than ‘Confidential’. They can not, however, access the Operation Report as their security level is too low.

Star Property (* Property)

Star Property Policy - “No write downs”

This policy restricts a subject from writing to an object at a lower security level, only allowing the subject to write at its own level or higher.

Level Subject Object
Top Secret Top Secret Intel Report
Secret Analyst Standard Intel Report

In the example above, Analysts have ‘Secret’ level clearance which means they can write Standard Intel Reports classed as Secret. They could also write Top Secret Intel Reports at the higher security level, however they would not be able to write down to a lower secrity level.

Strong Star Property (Strong * Property)

Strong Star Property Policy - “No Read/Write Up or Down”

This is an alternative to the Star Property policy that restricts a subject to only being able to read/write to their security level.


This post covered the Bell LaPadula security model, which uses different types of policies for ensuring data confidentiality. There are other types of security models, such as the Biba Model (which is essentially the inverse of BLP) that addresses data integrity.

Profile picture

Written by Andrew Yule