Vai al contenuto principale

Biba

Overview

The Biba model (1975) enforces integrity: subjects and objects have integrity levels. Rules: no read down (don’t read lower-integrity data), no write up (don’t write to higher-integrity data). So high-integrity data cannot be corrupted by lower-integrity sources.

Model

[request_definition]
r = sub, sub_level, obj, obj_level, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = (r.act == "read" && r.sub_level <= r.obj_level) || (r.act == "write" && r.sub_level >= r.obj_level)

Policy

Usually no p rules; the matcher implements Biba from request levels:

  • No Read Down (Simple Integrity Property): Subjects cannot read objects with lower integrity levels
  • No Write Up (Star Integrity Property): Subjects cannot write to objects with higher integrity levels

Core Principles

Biba's "read up, write down" approach inverts Bell-LaPadula's "read down, write up" model. This ensures:

  1. Data Integrity Protection: Prevents high-integrity data corruption from lower-integrity sources
  2. Controlled Information Flow: Limits writes to flow from higher to lower integrity levels only
  3. Trust Preservation: Maintains data trustworthiness at each integrity level

Examples

Request Examples

alice, 3, data1, 1, read    # alice (level 3) reads data1 (level 1) - DENIED (No Read Down)
bob, 2, data2, 2, read      # bob (level 2) reads data2 (level 2) - ALLOWED
charlie, 1, data1, 1, read  # charlie (level 1) reads data1 (level 1) - ALLOWED
bob, 2, data3, 3, read      # bob (level 2) reads data3 (level 3) - ALLOWED
charlie, 1, data2, 2, read  # charlie (level 1) reads data2 (level 2) - ALLOWED

alice, 3, data3, 3, write   # alice (level 3) writes data3 (level 3) - ALLOWED
bob, 2, data3, 3, write     # bob (level 2) writes data3 (level 3) - DENIED (No Write Up)
charlie, 1, data2, 2, write # charlie (level 1) writes data2 (level 2) - DENIED (No Write Up)
alice, 3, data1, 1, write   # alice (level 3) writes data1 (level 1) - ALLOWED
bob, 2, data1, 1, write     # bob (level 2) writes data1 (level 1) - ALLOWED

Integrity Levels

Biba represents integrity levels as integers where higher values indicate greater integrity:

  • Level 1: Low integrity (public data, user-generated content)
  • Level 2: Medium integrity (verified data, trusted sources)
  • Level 3: High integrity (system data, administrative content)
  • Level 4: Critical integrity (security policies, system configuration)

Use Cases

Common Biba model applications:

  • Financial systems requiring data accuracy
  • Healthcare records management
  • Database systems requiring data integrity
  • Environments where preventing data corruption outweighs preventing disclosure
  • Systems where information accuracy and reliability are critical

Implementation Notes

  • Enforces mandatory access control (MAC) focused on integrity
  • System administrators assign integrity levels based on data trustworthiness
  • Access decisions depend on integrity levels rather than user identity
  • Prevents data corruption through controlled read/write operations
  • Unlike Bell-LaPadula, most Biba implementations use few integrity levels

Comparison with Bell-LaPadula

AspectBell-LaPadulaBiba
Primary FocusConfidentialityIntegrity
Read RuleNo Read UpNo Read Down
Write RuleNo Write DownNo Write Up
Phrase"Read down, write up""Read up, write down"