Abstract. Recently, security of real-time systems becomes a very important concern in real-time database systems (RTDBS). However, security is becoming a more significant challenge in several real-time applications. Nowadays, there are many multilevel security (MLS) models, which can make RTDBS more secure. Three information security models based on multilevel security policy has been discussed, analyzed and compared in this paper. Moreover, conclude that BLP model only focuses on the confidentiality of information, and ignores the integrity. On the other hand, Biba and Clark-Wilson models only protect the integrity.
Keywords: Real-Time, Multilevel security (MLS), Multilevel models, BLP model, Biba model, Clark-Wilson model.
RTDBS is considered as a database system which exhibits the same features of traditional database system such as data independence and concurrency control. However, it simultaneously enforces real-time constraints that applications may have .
RTDBS differs from the traditional database systems in many features. RTDBSs have different correctness conditions, applications assumptions, and performance goal. RTDBS can be evaluated by the rate of transactions that do not meet their deadlines, the average delay of late transactions and the cost of missing the deadlines of transactions.
Computer technologies and network have rapidly developed. But at the same time, they also make it easy for the invaders to approach to the information of computer and network, which becomes increasingly insecure. At present, the information security evaluation standard is often used to estimate the security ability of an information system. And the estimation is based on the security model. So the information security model is vital, and it is also the forefront of information security research.
The multilevel security mechanism was originally designed to support military systems and to protect the security and confidentiality of a database. In this mechanism, information is divided into four different security levels according to the importance and sensitive degree of information. There are three famous security models based on multilevel security policy that are usually discussed — Bell-LaPadula model, Biba model and Clark-Wilson model . This paper aims at multilevel information security models’ analysis and comparisons the three multilevel security models.
The rest of this paper is organized as follows: Section 2 presents a brief overview of MLS, its signification and levels. Section 3 discussed and analyzed the models of MLS. A comparison between MLS models is given in Section 4. Section 5 is naturally the conclusion of our paper.
2 Multilevel Security (MLS)
The MLS policy was originally designed to support the computer systems in the military sector and to protect the security and their database. As shown in Fig. 1., the information in MLS is divided into four different security levels based on the information importance and the degree of its sensitive. From low to high grade, the levels contain unclassified level, confidential level, secret level and top-secret level 
Fig. 1. Security levels in Multilevel Security
MLS systems are very important because:
1. A large amount of research has been done in it, because of military funding for computer science in the USA.
2. Originally multilevel concepts were developed to support confidentiality in military applications, however now multilevel integrity policies are using by many commercial systems.
3. Recently, some products like Red Hat Linux and Microsoft Vista have started to use mandatory access control mechanisms. 
3 Analyzing of Multilevel Security Models
A security model is a symbolic representation of a policy. It delineate the require of the policy makers into a set of rules that are to be followed by a computer system. It takes the requirement of the policy and supply the requirement mathematical formulas, relationships, and structure to be go after to achieve the policy goal. There are three multilevel security models which are discussed and analyzed as follow:
3.1 The Bell-LaPadula Model
Bell-LaPadula Model (BLP) is the most common and frequently multilevel security model which is used computer . This model was designed in 1973 by D.Ellott. Bell and Leanard J. LaPadula. It is a type of computer operating model which used in military sector. The mainly using of this model is to solve the confidential problem of access control. The subjects and objects of this model can be classified by their security mark, corresponding to the military security levels. it can effectively prevent information from a high security level flowing to a low one. BLP model is describes a military security strategy for this reason it is executed in a multilevel security field with strict security hierarchies. It has already got the special attention from more of the researchers. As a hot research area in the multilevel security field, it has influenced the development of other security models a lot  .
The access operation to sensitive information in this model has to follow up these two concepts — the ‘Least Privilege’ and the ‘Need to know’.
3.2 The Biba model
Biba model was introduced in 1977 by K. J Biba. It was the first security model in the computer integrity field. It can be define as a lattice-based access control security model dealing with multilevel sensitive information . The main idea of Biba model is to applying information flow policy by using mandatory access control to strengthen discretionary access control. According to mandatory access control policies it checks flows of system information to find and to prevent the possible destruction in the system. The subject and object in Biba model has its own integrity level. The higher level data has higher accuracy and reliability than a lower one. Unlike BLP model the Biba model is used in the commercial applications, the integrity of data is more important than the confidentiality. It based on the integrity level so it is used to solve the integrity problem of applications’ data, and its access control. The significance of Biba model is to protect the integrity of information system.
3.3 The Clark-Wilson model
Clark-Wilson model suggested in 1989 by David Clark and David Wilson, Clark-Wilson model focuses on the integrity of information and system. In this model, an agent program is applied to access objects in order to protect the integrity of objects. So the user cannot directly access and control objects. The main idea of Clark-Wilson model is to use benign transaction processing technique and task separation technique to ensure the consistency of data and the integrity of the transaction. Benign transaction processing technique means that the processing of information has to be restricted in certain of privilege and range. Task separation technique divides a task into different task subsets. Every subset has to be done by at least two people. By this technique, personal bluffing can be prevented.
In this section the comparative between the previous models is focuses on Design Year, Aim, Rules, Specification, Limitations, Filed and Advantages as shown in Table 1.
4.1 Design Year
First is BLP model designed in 1973. It is the most famous MLS model. Second is Biba model which is designed in 1977. Third is Clark-Wilson model which is published in1987 and revised in 1989.
BLP model is a model which imitates military security strategy. Clark-Wilson model imitates the business environment. And Biba model can be applied in a wide scope.
BLP and Biba models have strict formal languages, and Clark-Wilson model has informal languages.
BLP model effectively prevent information from a high security level flowing to a low security because of his strict security classification. Biba model is simple and it can combine with BLP model. And Clark-Wilson model can achieve all the three integrity protection goals.
BLP model rules are:
• Simple security rule (no read up(
• The property rule (no write down(
• Strong star property rule
• subject with read/write – only at same level.
Biba model rules are :
• Integrity axiom (no write up(
• Simple integrity axiom (no read down(
Clark-Wilson model rules are :
• Subjects and objects are labeled with programs.
• Programs hand out as an intermediate layer between subjects and objects.
BLP model only focuses on the confidentiality of information, and ignores the integrity. On the opposite, Biba and Clark-Wilson models only protect the integrity.
Table 1. Models' comparison
Models / Comparison BLP Biba Clark-Wilson
Design Year 1973 1977 1989
Aim Confidentiality Integrity Integrity
Filed Military Versatility Business
Specification Formal language Formal language Informal language
Advantages Strict security classification Simplicity and the combination possibility Achieve three integrity protection
- Simple security rule (no read up(
- The property rule (no write down(
- Strong star property rule
subject with read/write – only at same level. - Integrity axiom (no write up(
- Simple integrity axiom (no read down( - Subjects and objects are `labeled’ with programs.
- Programs serve as an intermediate layer between subjects and objects.
Limitations No consideration of integrity No consideration of
confidentiality No consideration of
This paper has analyzed and compared three models of multilevel security; BLP model, Clark-Wilson model, and Biba model. However, multilevel security mechanism which used in RTDBS can effectively protect and control the vertical transmission of information flow, there is no mechanism to manage the horizontal transmission of information flow. In empirical applications, multilevel security mechanism is usually combined with multilateral security policy, so as to provide more perfect protection mechanism.
In general, the BLP model, Biba model and Clark-Wilson model are used in military field and business environment. But with the increasing number of networks users and the development of information technologies, the security demand for information becomes very important. Using one single security model has been unable to meet practical needs, so the combination of multiple models has become an inevitable trend.
This study has provided an extensive review of multilevel security models in real-time systems research.
1. A. Buchmann, "Real Time Database Systems", Idea Group, 2002.
2. Liu Baoxue, The Active Defense of Hacking, Beijing,
Publishing House of Electronics Industry, 2007.
3. Ross J. Anderson, “Security Engineering: A Guide to Building Dependable Distributed Systems”, second Edition, 2008, pp. 240-243.
4. Bell D E, Lapadula L J., "Secure computer systems", USA, Technical Report, 1973.
5. Liu Yanming, Dong Qingkuan, Li Xiaoping, "Study on Enhancing Integrity for BLP Model", Journal on communications, , 31(2), 2010.
6. Yu Sheng, Zhu Lu, Shen Changxiang, "Multilevel security Model", Computer Engineering and Design, 31 (13), 2010.
7. Sandhu R., " Latice-based Access Control Models" , IEEE Computer, 26(11) : 9-19, 1993.
8. Jin Jing and Shen Meihui, "Analysis of Security Models Based on Multilevel Security Policy", International Conference on Management of e-Commerce and e-Government, IEEE computer society, 2012.
...(download the rest of the essay above)