Security Models
What a security model is and what enforces it
"What actually enforces the policy?" is the trap the exam springs in this subtopic, and the answer is never the model itself: a model is only a rulebook, inert until a reference monitor mediates access against it and a security kernel inside the Trusted Computing Base implements that mediation. Get those four terms separated and you have the spine of the whole page (it assumes you already hold the CIA triad and the difference between a security policy, a goal, and a control, a mechanism). For each classic model the exam asks just two things, which pillar it protects and what component enforces it, so anchor every model to its pillar and its enforcer as you read.
A security model is a formal (frequently mathematical) statement of the rules a system must obey to satisfy a chosen policy goal, almost always one pillar of the CIA triad. It sits between the abstract policy ("a Secret user must not read Top Secret data") and the implementation (the code, kernel, and hardware). Its payoff is provability: instead of testing access decisions one case at a time, you can reason that the policy holds across every reachable system state. CISSP questions rarely ask you to prove anything; they ask you to map a named model to its pillar and recite its access rules in the correct direction.
The reference monitor: the enforcement core every model assumes
A model is inert unless something mediates every access attempt against it. That mediator is the reference monitor, which NIST defines as "a set of design requirements on a reference validation mechanism that ... enforces an access control policy over all subjects and objects" (NIST SP 800-53 Rev. 5 glossary[1]). It must satisfy three properties at once: always invoked (complete mediation, no access bypasses it), tamperproof (protected from modification), and verifiable (small enough to be analyzed and tested for correctness).
The reference monitor is an abstraction; its concrete implementation is the security kernel, the "hardware, firmware, and software elements of a trusted computing base implementing the reference monitor concept" (NIST/CNSSI glossary[2]). The security kernel and everything else trusted to enforce policy together form the Trusted Computing Base (TCB): the "totality of protection mechanisms within a computer system, including hardware, firmware, and software ... responsible for enforcing a security policy" (NIST/CNSSI glossary[3]). The figure shows that nesting: the security kernel implements the reference monitor concept and sits inside the TCB boundary, while the model stays outside as the rulebook the kernel applies.
Keep these four straight, because the exam separates them deliberately: the model is the rulebook, the reference monitor is the design concept that mediates access, the security kernel is its implementation, and the TCB is the full trusted boundary you must evaluate for assurance. When a question asks "what enforces the policy?" the answer is the reference monitor / security kernel inside the TCB, never the model itself.
Bell-LaPadula and Biba: the mirror-image lattice models
This section covers the two level-based (lattice) models. They behave by the same shared mechanic, so learn that mechanic once and then treat the two as opposites.
The shared mechanic: a lattice and two rules per model
Both Bell-LaPadula and Biba are multilevel security (MLS) models used to specify Mandatory Access Control (MAC), "an access control policy that is uniformly enforced across all subjects and objects" where the system, not the object owner, decides access (NIST SP 800-53 Rev. 5 glossary[4]). Every subject and object carries a label drawn from an ordered set of levels (a lattice). Each model then states two rules: one constraining reads and one constraining writes. The trick to never confusing them is to anchor on the pillar each protects, then read the rules off the goal.
Bell-LaPadula (BLP): confidentiality
BLP's goal is to stop secrets from leaking down to a lower classification. NIST states its two rules plainly: a Secret process "should not be allowed to read a file with a label of Top Secret. This is known as the 'simple security rule,' or 'no read up.' Conversely, a [Secret] user ... should not be allowed to write to a file with a label of Confidential. This rule is called the '-property' (pronounced 'star property') or 'no write down'" (NIST IR 7316, Assessment of Access Control Systems, 2006[5]). So: *Simple Security Property = no read up; Star () Property = no write down.* A common misread is that "no write down" is about protecting the writer. It is not; it stops a high-clearance subject from copying secrets into a low container where uncleared users could read them. BLP adds a tranquility property: a frequent exam form is the strong tranquility rule, that labels do not change during operation, versus weak tranquility, that labels may change only in ways that do not violate the policy. NIST also notes a stricter variant, the *strict -property, requiring that information be written at the subject's level only, not above it.
Biba: integrity, the exact inverse
Biba's goal is the mirror image: stop low-integrity (untrusted) data from flowing up and corrupting high-integrity data. So its rules invert BLP's. The Simple Integrity Axiom = no read down (a high-integrity subject must not read lower-integrity data, which might be corrupt) and the Star Integrity Axiom = no write up (a subject must not write to a higher-integrity object, which would let it inject untrusted content). NIST lists "the Bell-La Padula Confidentiality and Biba Integrity models" together as the canonical MLS pair (NIST IR 7316[5]).
The single sentence that survives exam pressure: BLP keeps secrets from leaking down (no read up / no write down); Biba keeps garbage from flowing up (no read down / no write up). Because their write rules point in opposite directions, a system cannot enforce both simultaneously on the same labels, a detail distractors exploit.
Transaction and conflict-of-interest models
This section covers the integrity and confidentiality models that do NOT use clearance levels. Read it after the lattice models, because its whole point is to handle cases BLP and Biba cannot. The figure first sets the whole map straight: each classic model is filed under the CIA pillar it protects, so a scenario question becomes "which pillar?" then "which model under it?".
Clark-Wilson: integrity through controlled transactions
Clark-Wilson enforces integrity in commercial systems where the concern is fraud and error, not military secrecy. Instead of labels, it requires that users never touch data directly: they act only through certified programs. Its core construct is the access triple (subject -> program -> object): a subject may operate on a constrained data item only through an authorized transformation procedure. Data is split into constrained data items (CDIs), which must stay consistent, and unconstrained data items (UDIs); transformation procedures (TPs) are the only operations allowed to change CDIs, and integrity verification procedures (IVPs) check that CDIs are in a valid state. Critically, Clark-Wilson builds in separation of duties so the person who creates a transaction is not the person who approves it. NIST classifies Clark-Wilson as the canonical example of Historical Separation of Duty (NIST IR 7316[5]), and defines separation of duty as the principle that "no user should be given enough privileges" to misuse the system alone, enforced statically or dynamically (the two-person rule being a dynamic example).
Brewer-Nash (Chinese Wall): dynamic conflict of interest
Brewer-Nash, the Chinese Wall policy, addresses a problem neither level-based nor transaction-based models touch: commercial conflict of interest. NIST records that "Brewer and Nash identified the Chinese Wall policy ... to address conflict-of-interest issues" and that it is history-based: a subject's past accesses determine which objects they may access next (NIST IR 7316[5]). The canonical example is a consultant who, having read data for one company in a conflict-of-interest class (e.g., one bank), is thereafter walled off from competitors in that same class. The wall is dynamic: at the start a subject can access anything, but each access narrows future choices. NIST notes the Chinese Wall is "a commercially inspired confidentiality policy" whose objective is "to prevent illicit flows of information" across the wall, so although it is often discussed alongside integrity models, its pillar is confidentiality.
Graham-Denning and Harrison-Ruzzo-Ullman (HRU)
Two more formal models govern the protection state itself rather than reads and writes of data. Graham-Denning defines a set of primitive rights and rules for securely creating and deleting subjects and objects and for transferring rights. Harrison-Ruzzo-Ullman (HRU) extends this and is famous for proving that, in the general case, the safety problem (deciding whether a given right can ever leak to a subject) is undecidable. The exam-level takeaway is simply that these answer "how are access rights themselves administered and is leakage provable?", which the data-flow models do not.
How models reason: state-machine, information-flow, noninterference
This section names three reasoning frameworks. They describe HOW a model proves security, not which pillar it protects, so a single named model can be more than one of them at once. The figure makes that overlap visible: Bell-LaPadula sits under two lenses because it qualifies as both a state-machine model and an information-flow model.
A state-machine model treats the system as a set of states and transitions and proves the system is secure in every reachable state and across every transition; a system that starts secure and only ever transitions to secure states is a secure state machine. Both Bell-LaPadula and Biba are state-machine models.
An information-flow model tracks how data moves between objects and security levels and blocks any flow that violates the policy. NIST's modern term is information flow control: "controls to ensure that information transfers within a system or organization are not made in violation of the security policy" (NIST SP 800-53 Rev. 5 glossary[6]). Bell-LaPadula is the textbook information-flow model: its "no write down" rule is exactly a forbidden downward flow.
A noninterference model is stricter still: the actions of a higher-level subject must produce no observable effect on a lower-level subject. Its purpose is to defeat covert channels and inference, where a low-level user deduces high-level information indirectly. This is not hypothetical even under MAC: NIST warns that "information can pass through a covert channel in MAC, where information of a higher security class is deduced by inference such as assembling and intelligently combining information of a lower security class" (NIST IR 7316[5]). Noninterference is the property that closes that gap.
Because these are lenses rather than rulebooks, an exam answer can correctly attach several to one model (BLP is a state-machine and an information-flow model), and a single "which type of model" question may hinge on which lens the stem emphasizes.
Exam-pattern recognition
This section maps question shapes to the right answer. Read the others first; this is the pattern layer.
Pattern 1: "Which model protects [pillar]?" Confidentiality and a level/clearance scenario -> Bell-LaPadula. Integrity and levels -> Biba. Integrity in a commercial/financial transaction setting with separation of duties -> Clark-Wilson. Conflict of interest / competing clients -> Brewer-Nash (Chinese Wall). The trap answer is usually the other CIA pillar's model (offering Biba when the stem is about secrecy).
Pattern 2: direction of a rule. A stem cites "no write down" or the "*-property" -> Bell-LaPadula confidentiality. "No write up" or "Simple Integrity Axiom" -> Biba. The reliable method is to name the pillar first, then derive the direction: confidentiality stops secrets flowing down, so reads can't go up and writes can't go down; integrity is the inverse. Distractors swap one of the two rules (e.g., pairing "no read up" with "no write up"), which is internally inconsistent for either model.
Pattern 3: "What enforces the model / what must be evaluated for assurance?" The answer is the reference monitor (the design concept), implemented by the security kernel, within the Trusted Computing Base. The trap is to offer the model name itself, or to swap these three terms; recall that the reference monitor must be tamperproof, always-invoked, and verifiable (NIST SP 800-53 Rev. 5 glossary[1]).
Pattern 4: Clark-Wilson specifics. Stems mentioning "well-formed transactions," "the access triple," or "a user may not both create and approve" point to Clark-Wilson; the underlying principle being tested is separation of duties, which NIST defines as no single user holding enough privilege to act alone (NIST IR 7316[5]).
Pattern 5: covert channels / inference. A stem describing a low-level user deducing high-level data indirectly is testing the limits of level-based MAC and points to a noninterference model as the mitigation, not BLP or Biba (NIST IR 7316[5]). Finally, beware the framing trap that the classic models govern availability: none of Bell-LaPadula, Biba, Clark-Wilson, or Brewer-Nash addresses the availability pillar.
Classic security models: pillar, access rules, and core idea
| Model | Protects | Read rule | Write rule | Core idea |
|---|---|---|---|---|
| Bell-LaPadula | Confidentiality | No read up (Simple Security) | No write down (Star *) | Lattice/state-machine; secrets cannot flow to a lower level |
| Biba | Integrity | No read down (Simple Integrity) | No write up (Star Integrity) | Inverse of BLP; low-integrity data cannot corrupt high |
| Clark-Wilson | Integrity | Via certified programs only | Well-formed transactions only | Access triple + separation of duties + audit |
| Brewer-Nash (Chinese Wall) | Confidentiality (conflict of interest) | Allowed only if no COI with prior access | Constrained to avoid leaking across the wall | Dynamic; past access decides future access |
| Graham-Denning / HRU | Integrity of the protection state | Governed by defined rights | Governed by defined rights | Formal rules for creating/deleting subjects, objects, and rights |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- A security model formalizes one policy goal so it can be proven, not just tested
A security model is a precise, often mathematical, statement of the rules a system must follow to uphold a policy goal, almost always one CIA pillar. It sits between the abstract policy and the implementation, so you can reason that the policy holds across every reachable state rather than checking access decisions case by case. On the exam the recurring task is to name which pillar a model protects and recite its rules in the correct direction.
Trap Equating the security model with the security policy itself. The policy states the goal in the abstract, while the model is the formal rule set that makes that goal provable.
- Bell-LaPadula protects confidentiality with no read up and no write down
Bell-LaPadula's Simple Security Property forbids reading above your clearance (no read up) and its Star (*) Property forbids writing below your level (no write down), so classified data cannot flow downward to a lower level. It is a lattice-based multilevel model used to specify Mandatory Access Control. The "no write down" rule protects the data, not the writer: it stops a high-clearance subject from copying secrets into a low container that uncleared users could read.
Trap Reading "no write down" as protecting the author's work from being overwritten: it actually prevents secrets leaking to a lower classification.
4 questions test this
- A defense contractor implements a Bell-LaPadula compliant system for processing classified documents. A software process running at the…
- During a security assessment, an auditor discovers that a Bell-LaPadula implementation allows a Top Secret process to signal information to…
- A government agency's multilevel security system implements Bell-LaPadula for confidentiality protection. Security analysts have identified…
- An architect is configuring the mandatory rules for a multilevel system where analysts hold Secret clearances. Accreditors require that a…
- Biba protects integrity and is the exact inverse of Bell-LaPadula
Biba's Simple Integrity Axiom forbids reading below your level (no read down) and its Star Integrity Axiom forbids writing above your level (no write up), so low-integrity data cannot corrupt high-integrity data. Because its write rule points opposite to Bell-LaPadula's, the mnemonic is "BLP keeps secrets from leaking down; Biba keeps garbage from flowing up." A system cannot enforce both on the same labels at once since their write rules conflict.
Trap Pairing "no read up" with "no write up": that mixes one BLP rule with one Biba rule and is internally inconsistent for either model.
6 questions test this
- A security architect at a defense agency enforces Bell-LaPadula on a multilevel system to protect the confidentiality of records classified…
- A control systems engineer is selecting the formal rule for a high-integrity industrial process that performs safety calculations. The…
- A reliability architect at a medical-device manufacturer is defining integrity rules for a trusted calibration process that computes…
- A security manager at a regulated bank is choosing a formal security model to govern the core ledger that holds customer account balances.…
- In an organization implementing the Biba integrity model, a software developer with a medium integrity clearance attempts to modify a…
- A security architect is comparing the Bell-LaPadula model to the Biba model for a new classified information system. Which statement…
- Clark-Wilson enforces integrity through well-formed transactions, not clearance levels
Clark-Wilson keeps commercial data consistent by forbidding direct access: subjects change constrained data items (CDIs) only through certified transformation procedures (TPs), and integrity verification procedures (IVPs) confirm the data is in a valid state. Its central construct is the access triple (subject to program to object) so a user never operates on data except through an authorized program. This suits fraud and error prevention in financial systems, where clearance levels (BLP/Biba) are the wrong tool.
Trap Assuming Clark-Wilson assigns integrity levels and read/write rules like Biba. It governs integrity through certified programs and the access triple, not a lattice of labels.
3 questions test this
- A financial services company is implementing the Clark-Wilson model to protect its transaction processing system. The security team needs…
- A healthcare organization is comparing the Clark-Wilson model with the Biba model for protecting patient billing records. Which statement…
- A financial services company is implementing the Clark-Wilson model to protect its banking transaction data. When configuring the model,…
- Clark-Wilson bakes in separation of duties so no one both creates and approves a change
Clark-Wilson requires separation of duties: the subject who initiates a transaction cannot be the one who approves it, so fraud needs collusion rather than a single actor. NIST defines separation of duty as the principle that no user is given enough privilege to misuse the system alone, enforced statically or dynamically (the two-person rule is the dynamic case). This is why exam stems about "a user may not both create and approve" point to Clark-Wilson.
Trap Attributing a separation-of-duties requirement to Biba or Bell-LaPadula. Those control read/write by level and say nothing about splitting a transaction across two people.
- Brewer-Nash (Chinese Wall) blocks conflict of interest using access history
Brewer-Nash, the Chinese Wall policy, walls off data sets that present a commercial conflict of interest: once a subject reads data for one company in a conflict class, they are barred from competitors in that same class. It is dynamic and history-based: past access decides future access, so the accessible set narrows with each read. Despite often being grouped with integrity models, its goal is confidentiality: preventing illicit information flow across the wall.
Trap Classifying Brewer-Nash as an integrity model because it is taught alongside Biba and Clark-Wilson. Its actual goal is confidentiality, stopping information flow between conflicting clients.
- Graham-Denning and HRU govern the protection state, and HRU proves safety is undecidable
Graham-Denning defines primitive rights and rules for securely creating and deleting subjects and objects and transferring rights: it administers the protection matrix itself rather than reads and writes of data. Harrison-Ruzzo-Ullman (HRU) extends this and famously proves the safety problem (can a given right ever leak to a subject) is undecidable in the general case. The takeaway is that these answer how rights are administered and whether leakage is provable, which the data-flow models do not.
Trap Crediting the undecidable safety-problem proof to Graham-Denning. The proof that the general safety problem is undecidable belongs to Harrison-Ruzzo-Ullman.
- The reference monitor must be tamperproof, always-invoked, and verifiable
A reference monitor is the abstract control that mediates every access attempt against the policy; NIST requires three properties simultaneously: always invoked (complete mediation, nothing bypasses it), tamperproof (protected from modification), and verifiable (small enough to be analyzed for correctness). It is the enforcement concept every model assumes: a model is inert without something that actually checks each access.
Trap Naming the security model itself as what enforces access: the model is the rulebook; the reference monitor is what mediates against it.
- The security kernel implements the reference monitor; the TCB is the full trusted boundary
The security kernel is the concrete hardware, firmware, and software that implements the reference monitor concept, and it must mediate all access, resist modification, and be verifiable. The Trusted Computing Base (TCB) is the totality of protection mechanisms (hardware, firmware, and software) responsible for enforcing the security policy, so it is the boundary you evaluate for assurance. Keep the three straight: reference monitor (concept), security kernel (implementation), TCB (whole trusted boundary).
Trap Treating the security kernel and the TCB as the same thing. The kernel is the component that implements the reference monitor, while the TCB is the entire trusted boundary that contains it.
- State-machine, information-flow, and noninterference describe HOW a model reasons
These three are reasoning frameworks, not pillar choices, so one named model can be several at once. A state-machine model proves the system is secure in every reachable state and transition; an information-flow model tracks data movement between levels and blocks disallowed flows; a noninterference model requires that a higher-level subject's actions have no observable effect on a lower-level subject. Bell-LaPadula is simultaneously a state-machine and an information-flow model.
Trap Treating state-machine, information-flow, and noninterference as mutually exclusive labels. They describe how a model reasons, so a single model like Bell-LaPadula can be more than one at once.
- Noninterference defeats covert channels and inference that level-based MAC leaves open
A noninterference model goes beyond blocking direct flows: it requires a high-level subject's behavior to be unobservable to a low-level subject, closing covert channels and inference. This matters because even strict MAC leaks: NIST warns information of a higher class can be deduced by assembling and combining lower-class information. A stem describing a low user indirectly deducing high data is testing this gap, and the answer is a noninterference model, not BLP or Biba.
Trap Assuming Bell-LaPadula's no-read-up / no-write-down already closes covert channels and inference. Those block direct flows but leave the indirect leakage that noninterference is meant to address.
3 questions test this
- During a security assessment, an auditor discovers that a Bell-LaPadula implementation allows a Top Secret process to signal information to…
- A security analyst discovers that users are able to determine the existence of sensitive employee termination records by noting that…
- A government agency's multilevel security system implements Bell-LaPadula for confidentiality protection. Security analysts have identified…
- Bell-LaPadula and Biba are lattice models specifying Mandatory Access Control
Both Bell-LaPadula and Biba are multilevel security models that label every subject and object with a level drawn from an ordered lattice, used to express Mandatory Access Control. Under MAC the system enforces protection decisions over the object owner's wishes (the owner cannot override the policy) which is what distinguishes it from owner-controlled discretionary access control. The lattice ordering is what gives "up" and "down" their meaning in the read/write rules.
Trap Thinking the object owner can grant or override access under these lattice models. That is discretionary access control; MAC enforces the policy regardless of the owner's wishes.
5 questions test this
- A defense contractor needs to implement an access control system where access decisions are made by a central authority based on security…
- A government agency requires that access decisions be based on the sensitivity level of information and users' formal clearance levels,…
- A government defense contractor is implementing access controls for a classified information system that requires users to possess formal…
- A security administrator at a defense contractor is implementing an access control system where data is classified as Confidential, Secret,…
- A government agency is implementing a new document management system that must prevent users from sharing classified information with…
- Match the model to the scenario's pillar, not to a keyword
Choose the model from the goal in the stem: confidentiality with clearance levels selects Bell-LaPadula; integrity with levels selects Biba; integrity via controlled transactions and separation of duties selects Clark-Wilson; conflict of interest among competing parties selects Brewer-Nash. The common distractor is the other CIA pillar's model: offering Biba when the scenario is about secrecy, or BLP when it is about preventing corruption.
- The classic models address confidentiality and integrity, never availability
None of Bell-LaPadula, Biba, Clark-Wilson, or Brewer-Nash addresses the availability pillar: they govern who may read or write what, not whether the system stays reachable. Availability is handled through resilience, redundancy, and continuity design instead. A stem that frames any of these models as protecting uptime or availability is using a framing trap.
Trap Selecting a confidentiality or integrity model as the answer to an availability requirement: these models say nothing about uptime.
- Bell-LaPadula's tranquility property governs whether labels can change during operation
Bell-LaPadula adds a tranquility property about label stability: strong tranquility means security labels never change while the system runs, whereas weak tranquility allows labels to change only in ways that do not violate the security policy. This matters because allowing a subject or object to be relabeled mid-operation could otherwise sidestep the no-read-up / no-write-down rules.
Trap Swapping the definitions so that weak tranquility forbids all label changes. It is strong tranquility that bars any change during operation, while weak tranquility permits policy-safe relabeling.
References
- Reference monitor: NIST CSRC Glossary (NIST SP 800-53 Rev. 5) Whitepaper
- Security kernel: NIST CSRC Glossary (CNSSI 4009-2015) Whitepaper
- Trusted Computing Base (TCB): NIST CSRC Glossary (CNSSI 4009-2015) Whitepaper
- Mandatory Access Control: NIST CSRC Glossary (NIST SP 800-53 Rev. 5) Whitepaper
- NIST IR 7316: Assessment of Access Control Systems Whitepaper
- Information flow control: NIST CSRC Glossary (NIST SP 800-53 Rev. 5) Whitepaper