Page 504 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
reclassification.
The Bell-LaPadula model addresses only the confidentiality of data. It
does not address its integrity or availability. Because it was designed in
the 1970s, it does not support many operations that are common
today, such as file sharing and networking. It also assumes secure
transitions between security layers and does not address covert
channels (covered in Chapter 9, “Security Vulnerabilities, Threats, and
Countermeasures”). Bell-LaPadula does handle confidentiality well, so
it is often used in combination with other models that provide
mechanisms to handle integrity and availability.
Biba Model
For some nonmilitary organizations, integrity is more important than
confidentiality. Out of this need, several integrity-focused security
models were developed, such as those developed by Biba and by Clark-
Wilson. The Biba model was designed after the Bell-LaPadula model.
Where the Bell-LaPadula model addresses confidentiality, the Biba
model addresses integrity. The Biba model is also built on a state
machine concept, is based on information flow, and is a multilevel
model. In fact, Biba appears to be pretty similar to the Bell-LaPadula
model, except inverted. Both use states and transitions. Both have
basic properties. The biggest difference is their primary focus: Biba
primarily protects data integrity. Here are the basic properties or
axioms of the Biba model state machine:
- The Simple Integrity Property states that a subject cannot read an
  object at a lower integrity level (no read-down).
- The * (star) Integrity Property states that a subject cannot modify
  an object at a higher integrity level (no write-up).
In both the Biba and Bell-LaPadula models, there are two
properties that are inverses of each other: simple and * (star).
However, they may also be labeled as axioms, principles, or rules.
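The two Biba properties above, written as an access check next to the standard Bell-LaPadula rules (no read-up, no write-down) so the inversion is visible. This is an added example, not code from the study guide; the three level names and the function names are assumptions made for illustration.

```python
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """Constructed three-step lattice; higher value = higher level."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba: levels are integrity levels."""
    if op == "read":
        return obj >= subject   # Simple Integrity Property: no read-down
    if op == "write":
        return obj <= subject   # * Integrity Property: no write-up
    raise ValueError(f"unknown operation: {op}")


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula: levels are confidentiality levels."""
    if op == "read":
        return obj <= subject   # Simple Security Property: no read-up
    if op == "write":
        return obj >= subject   # * Security Property: no write-down
    raise ValueError(f"unknown operation: {op}")


def possible_flows(model) -> set:
    """Return (source, destination) object levels between which some
    subject can move data by reading the source and writing the destination."""
    flows = set()
    for subj, src, dst in product(Level, repeat=3):
        if model(subj, src, "read") and model(subj, dst, "write"):
            flows.add((src, dst))
    return flows


if __name__ == "__main__":
    for name, model in (("Biba", biba_allows), ("Bell-LaPadula", blp_allows)):
        print(name)
        for src, dst in sorted(possible_flows(model)):
            print(f"  data can move {src.name} -> {dst.name}")
```

Under Biba every permitted flow runs to an equal or lower integrity level, so low-integrity data can never contaminate a higher-integrity object; under Bell-LaPadula every flow runs to an equal or higher level, so classified data never leaks downward.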

