An Introduction to Multi-level Security Confidentiality: Clark-Wilson and Brewer Nash Models vs Bell-Lapadula and Biba Models

The Biba Model was developed by Kenneth J. Biba and released in 1977 as a security model which focuses on the integrity of data. This was intended for non-military organisations where the integrity of data was more important than the confidentiality of data.

This model is built on the state machine concept which focuses on information flow. Data and subjects are grouped into multiple levels. This model was designed so that users may not modify the integrity of data in a level ranked higher than the user or be corrupted by data from a lower level than the user. This model is directed towards data integrity rather than confidentiality and can be described by the phrase “read up, write down”. The Biba Model has a set of three rules and the first two rules are the reverse of the Bell-LaPadula rules.

The Bell-LaPadula model is a state machine model used for enforcing access control in government and military applications. This model was developed by David Elliott Bell and Leonard J. LaPadula in the 1970s. In contrast to the Biba Model, the Bell-LaPadula model focuses on data confidentiality and controlled access to classified information. The first two rules for both the Biba Model and Bell-LaPadula model are similar however they state
the opposite in comparison to each other. The three main rules for both these models can be found below.

Biba Model Rules

  1. The Simple Integrity Property states that a subject at a given level of integrity must not read data at a lower integrity level (read up).
  2. The * (star) Integrity Property states that a subject at a given level of integrity must not write to data at a higher level of integrity (write down).
  3. Invocation Property states that a process from below cannot request higher access; only with subjects at an equal or lower level.

Bell-LaPadula Model Rules

  1. The Simple Security Property states that a subject at a given security level may not read an object at a higher security level.
  2. The * (star) Property states that a subject at a given security level may not write to any object at a lower security level.
  3. The Discretionary Security Property states that use of an access matrix to specify the discretionary access control.

The Biba Model and the Bell-LaPadula models are very similar however they are opposites. The Bell-LaPadula model ensures data confidentiality whereas the Biba model ensures data integrity instead.

Clark-Wilson Model

The Clark-Wilson model was originally described in a 1987 paper by David D. Clark and David R. Wilson. This model was proposed to formalise the notion of information integrity especially when compared to the requirements for multilevel security by the Department of Defence. During this period much of the work on security models focused more on confidentiality rather than integrity.

The Clark-Wilson model is based on preserving the integrity against potential data tampering. This model states that only authorised users should be able to make changes to the data. The model focuses on the user not being able to have complete and utter control to the data but rather allowing the user to modify the data in a controlled way.

The components which make up this model are as follows;

  • Users/Subject
  • Transformation Procedures (TPs)
    • The procedures that allow a CDI to be modified. The limited access to CDIs through TPs forms the backbone of the Clark-Wilson integrity model.
  • Constrained data items (CDIs)
    • Any data item who integrity is protected by the security model.
  • Unconstrained data items (UDIs)
    • Any data item not protected by the security model.
  • Integrity verification procedures (IVPs)
    • A procedure which scans data items and confirms their integrity.

This model describes how data items in the system must be kept in a valid whilst moving from one state in the system to the next – to achieve this, the model defines enforcement rules and certification rules. This model effectively states that modifications to objects must be done in a controlled way rather than allowing the subject direct read/write access. This model therefore protects against unauthorised changes from any user and enforces separation of duties thus making it a good design for commercial applications.

The Clark-Wilson model and the Biba model share some characteristics such as ensuring the integrity of data rather than the confidentiality. The Clark-Wilson model uses two levels of integrity; unconstrained data items and constrained data items. The advantage of using the Clark-Wilson
model is that all modifications must go through a trusted transformation process thus preserving the integrity of data. The Biba model on the other hand has a very simple integrity check; subjects can only read an object if the subject permission level is less than or equal to the object.

Brewer-Nash Model

The Brewer-Nash model, also known as the Chinese Wall Model is a security model where read and write access is governed by conflict of interest categories to which files/data are assigned.

This model specifies objects (O) which are items of information related to a company, a company dataset (CD) which contains objects related to a single company and a conflict of interest (COI) class which contains the datasets of companies in competition (conflict of interest).

Conflict of Interest Decision Making

The diagram above shows how if a user retrieves data about one company, He may no longer access data about the competing (COI) company. The “conflict of interest” decision making is dynamic which means it must be able to remember what was accessed in the past before
deciding whether to allow the subject access.


This model states that no information should flow in a way that would create a conflict of interest.

The Bell-LaPadula and Brewer-Nash model are similar in that they both offer confidentiality. The Brewer-Nash model was developed to prevent conflict of interest problems.

Note: This post was also written towards the latter part of 2020 – I forgot to hit the publish button!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.