Biba

Overview

The Biba Integrity Model, developed by Kenneth J. Biba in 1975, is a formal state transition system for computer security policy. It defines access control rules that preserve data integrity. Where Bell-LaPadula focuses on confidentiality, Biba specifically prevents unauthorized data modification.

Model

[request_definition]
r = sub, sub_level, obj, obj_level, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = (r.act == "read" && r.sub_level <= r.obj_level) || (r.act == "write" && r.sub_level >= r.obj_level)

Policy

Biba typically requires no explicit policy rules since integrity levels determine access control. The matcher implements Biba integrity rules:

• No Read Down (Simple Integrity Property): Subjects cannot read objects with lower integrity levels
• No Write Up (Star Integrity Property): Subjects cannot write to objects with higher integrity levels

Core Principles

Biba's "read up, write down" approach inverts Bell-LaPadula's "read down, write up" model. This ensures:

1. Data Integrity Protection: Prevents high-integrity data corruption from lower-integrity sources
2. Controlled Information Flow: Limits writes to flow from higher to lower integrity levels only
3. Trust Preservation: Maintains data trustworthiness at each integrity level

Examples

Request Examples

alice, 3, data1, 1, read    # alice (level 3) reads data1 (level 1) - DENIED (No Read Down)
bob, 2, data2, 2, read      # bob (level 2) reads data2 (level 2) - ALLOWED
charlie, 1, data1, 1, read  # charlie (level 1) reads data1 (level 1) - ALLOWED
bob, 2, data3, 3, read      # bob (level 2) reads data3 (level 3) - ALLOWED
charlie, 1, data2, 2, read  # charlie (level 1) reads data2 (level 2) - ALLOWED

alice, 3, data3, 3, write   # alice (level 3) writes data3 (level 3) - ALLOWED
bob, 2, data3, 3, write     # bob (level 2) writes data3 (level 3) - DENIED (No Write Up)
charlie, 1, data2, 2, write # charlie (level 1) writes data2 (level 2) - DENIED (No Write Up)
alice, 3, data1, 1, write   # alice (level 3) writes data1 (level 1) - ALLOWED
bob, 2, data1, 1, write     # bob (level 2) writes data1 (level 1) - ALLOWED

Integrity Levels

Biba represents integrity levels as integers where higher values indicate greater integrity:

• Level 1: Low integrity (public data, user-generated content)
• Level 2: Medium integrity (verified data, trusted sources)
• Level 3: High integrity (system data, administrative content)
• Level 4: Critical integrity (security policies, system configuration)

Use Cases

Common Biba model applications:

• Financial systems requiring data accuracy
• Healthcare records management
• Database systems requiring data integrity
• Environments where preventing data corruption outweighs preventing disclosure
• Systems where information accuracy and reliability are critical

Implementation Notes

• Enforces mandatory access control (MAC) focused on integrity
• System administrators assign integrity levels based on data trustworthiness
• Access decisions depend on integrity levels rather than user identity
• Prevents data corruption through controlled read/write operations
• Unlike Bell-LaPadula, most Biba implementations use few integrity levels

Comparison with Bell-LaPadula

Aspect	Bell-LaPadula	Biba
Primary Focus	Confidentiality	Integrity
Read Rule	No Read Up	No Read Down
Write Rule	No Write Down	No Write Up
Phrase	"Read down, write up"	"Read up, write down"