The development of the Bell-La Padula security model (BLP) took place between 1973 and 1976 by ??David Elliott Bell and Len La Padula. Initially, the model met the needs of the U.S. Department of Defense (Department of Defense - DOD), regarding access to information, and then directed primarily to confidentiality. However, it is one of the most important security models applicable to operating systems and databases (Choucri, 2000). The Bell-La Padula model focuses on data privacy and access to classified information, contrary to the Clark & Wilson model that describes rules for the protection of data integrity. In this formal model, the entities in a computer system are divided into subjects and objects.
Subjects are assigned clearance levels;
The objects are assigned sensitivity levels.
These concepts are also explained through the following figure.
The Bell-La Padula Simple Security
The clearance levels as sensitivity access levels are called classes. A class of access (access class) consists of two components:
Security level: It is an item based on ordering, which is constituted by a classification hierarchical (TopSecret> Secret> Confidential> Unclassified);
Category set: it is a set of categories in which, the application-dependent data are used; it is not hierarchical and indicates sector (e.g. mail, commercial products, nuclear plants etc.).
Clark &Wilson is a security model, which describes the actions that are essential to obtain a computer system in a Code of state. The introduction of these measures corresponds in terms of data damage or data loss due to error or deliberate compromise. The model describes how data will remain valid within a data-processing technology. In addition, it specifies the rights of individual exporting identities, as well as rules to preserve validity of system resources. The model describes, by means of, compliance (enforcement) rules and certification of the technical data and information processes (Bendrath, 2001).
These rules form the basis for ensuring the integrity of a system. The model is always based on a self-contained transaction. A valid transaction is a sequence of operations which brings the system from one state to the next state. The transaction must always be atomic. This means that the state change occurs when the transaction has no errors. In the Clark-Wilson model, the integrity is ensured by the transaction control. The principle of division of labor (separation of duty) requires that the certifier and implementer of a transaction are different. Therefore, the following constructs are used: