An improved MLS policy model

Bell-LaPadula model is able to provide excellent protection for confidentiality, but is short of integrity policy. Moreover, its trusted subjects are endowed too much privilege to be conformed with the principle of least privilege. In order to resolve these problems, a new hybrid model called CIUSM is proposed, which takes Bell-LaPadula as the initial model. CIUSM organically absorbs ideas of well-formed transaction in Clark-Wilson model and domain separation in DTE model, which effectively remedy the loss of integrity policy and limit the accessible range of trusted subjects. Finally, safety of CIUSM and Bell-LaPadula are quantitatively estimated and compared based on security entropy theory. Research shows that CIUSM has higher security strength than BLP, being able to meet security requirements for both confidentiality and integrity.