Biba
Overview
The Biba Integrity Model, developed by Kenneth J. Biba in 1975, is a formal state transition system for computer security policy. It defines access control rules that preserve data integrity. Where Bell-LaPadula focuses on confidentiality, Biba specifically prevents unauthorized data modification.
Model
[request_definition]
r = sub, sub_level, obj, obj_level, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = (r.act == "read" && r.sub_level <= r.obj_level) || (r.act == "write" && r.sub_level >= r.obj_level)
Policy
Biba typically requires no explicit policy rules since integrity levels determine access control. The matcher implements Biba integrity rules:
- No Read Down (Simple Integrity Property): Subjects cannot read objects with lower integrity levels
- No Write Up (Star Integrity Property): Subjects cannot write to objects with higher integrity levels
Core Principles
Biba's "read up, write down" approach inverts Bell-LaPadula's "read down, write up" model. This ensures:
- Data Integrity Protection: Prevents high-integrity data corruption from lower-integrity sources
- Controlled Information Flow: Limits writes to flow from higher to lower integrity levels only
- Trust Preservation: Maintains data trustworthiness at each integrity level
Examples
Request Examples
alice, 3, data1, 1, read # alice (level 3) reads data1 (level 1) - DENIED (No Read Down)
bob, 2, data2, 2, read # bob (level 2) reads data2 (level 2) - ALLOWED
charlie, 1, data1, 1, read # charlie (level 1) reads data1 (level 1) - ALLOWED
bob, 2, data3, 3, read # bob (level 2) reads data3 (level 3) - ALLOWED
charlie, 1, data2, 2, read # charlie (level 1) reads data2 (level 2) - ALLOWED
alice, 3, data3, 3, write # alice (level 3) writes data3 (level 3) - ALLOWED
bob, 2, data3, 3, write # bob (level 2) writes data3 (level 3) - DENIED (No Write Up)
charlie, 1, data2, 2, write # charlie (level 1) writes data2 (level 2) - DENIED (No Write Up)
alice, 3, data1, 1, write # alice (level 3) writes data1 (level 1) - ALLOWED
bob, 2, data1, 1, write # bob (level 2) writes data1 (level 1) - ALLOWED
Integrity Levels
Biba represents integrity levels as integers where higher values indicate greater integrity:
- Level 1: Low integrity (public data, user-generated content)
- Level 2: Medium integrity (verified data, trusted sources)
- Level 3: High integrity (system data, administrative content)
- Level 4: Critical integrity (security policies, system configuration)
Use Cases
Common Biba model applications:
- Financial systems requiring data accuracy
- Healthcare records management
- Database systems requiring data integrity
- Environments where preventing data corruption outweighs preventing disclosure
- Systems where information accuracy and reliability are critical
Implementation Notes
- Enforces mandatory access control (MAC) focused on integrity
- System administrators assign integrity levels based on data trustworthiness
- Access decisions depend on integrity levels rather than user identity
- Prevents data corruption through controlled read/write operations
- Unlike Bell-LaPadula, most Biba implementations use few integrity levels
Comparison with Bell-LaPadula
| Aspect | Bell-LaPadula | Biba |
|---|---|---|
| Primary Focus | Confidentiality | Integrity |
| Read Rule | No Read Up | No Read Down |
| Write Rule | No Write Down | No Write Up |
| Phrase | "Read down, write up" | "Read up, write down" |