The Bell and LaPadula definition of security for computer systems has been widely used for some years as the model followed in the National Computer Security Center’s evaluation process for trusted computer systems. This paper addresses the author’s concerns about the limitations of this model and presents proposals for a more refined definition that takes into consideration the ability to change the security level of users and objects and the issue of secure state transitions in addition to the issue of secure states. Along the way, an excellent tutorial discussion about computer security shows clearly how slippery the problems can be in this important field.

This paper is clearly written and achieves its purpose of discussing the limitations of Bell and LaPadula’s definition and presenting alternatives. Everyone involved in the technical aspects of computer security (especially those who have been or are now involved in designing commercial products) should carefully read it.