Abstract: The BLP can guarantee the security of information by allowing downward information flow from the low security level to high security level.However，under some circumstances，the upward information flow is also necessary.Clark-Wilson model is used to control and audit subject’s state transition and run time adjustment of low-water-mark policy parameters.This paper proposes a model that allows the upward information flow in the control of Clark-Wilson model.The model is proved secure and applicable.

Key words: information security, Bell-LaPadula（BLP） model, Clark-Wilson model, mandatory access control

摘要： BLP模型通过允许低安全级别到高安全级别的信息流动，保证了信息的机密性。但是不能解决普遍存在的下向信息流。而Clark-Wilson模型通过可监控的状态转换提供了完整性保护。提出的模型以BLP控制策略为基础，并在Clark-Wilson模型的监控下，允许下向信息流的流动。证明了该模型是安全的，可行的。

关键词: 信息安全, BLP模型, Clark-Wilson模型, 强制访问控制