# Bell-LaPadula (BLP) Model

One-sentence definition: Formal **confidentiality** model for mandatory access control in multilevel systems, with the rules **no read up** and **no write down**.

## Key Facts

- Subjects and objects carry security levels (e.g., Unclassified → Top Secret).
- Simple security property: a subject cannot read an object at a higher level (**no read up**).
- *-property (star property): a subject cannot write to an object at a lower level (**no write down**).
- Strong star property: a subject may read and write only at its own level.
- Enforces MAC via lattice dominance; prevents data from leaking to lower classifications.
- Addresses confidentiality only (not integrity or availability).
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Identify which rule prevents leakage to a lower classification.

**Mnemonic:** “BLP protects **B**e **L**ow **P**rohibited (no write down).”

## Mini Scenario

Q: A Secret user wants to email an Unclassified receiver—BLP impact?

A: Violates the *-property (write down); disallowed.

## Revision Checklist

- Define the simple security property vs. the *-property.
- State what BLP protects and what it doesn’t.
- Explain the implication of the strong star property.

## Related

[[Biba Integrity Model]] · [[Clark-Wilson Integrity Model]] · [[Lattice-Based Access Control (LBAC)]] · [[Noninterference and Information Flow]] · [[Reference Monitor and TCB]] · [[Domain 3 - Index]]