Biba is a state machine model similar
to BLP for integrity policies that
regulate the modification of objects
Concerned with integrity
Models integrity policy
modifications of objects
can only flow downwards
Integrity levels (such as 'clean' and 'dirty' or 'high'
and 'low') are assigned to subjects and objects
The basic idea of Biba is that a 'dirty' subject should
not be allowed to contaminate (modify) a clean object.
Biba also has policies for an 'invoke' operation whereby
one subject can access (invoke) another subject.
Different modes
Static Mode - Similar to BLP
2 Security policies
Simple integrity property - No write up
Integrity *-property
If subject s can read (observe) object o, then s can
have write access to some other object o’
You are not permitted to 'contaminate' a
high-level object with low-level data
Notes:
The Marketing Director of a company reads unsubstantiated information about market share from a public document obtained from the Internet. He then writes this information into the company’s strategic marketing plan for next year. The effect is that the company’s marketing strategy is based on low-grade (and possibly incorrect) data. The Biba integrity *-property prevents this situation from occurring.
Dynamic Mode
Integrity levels change
a 'clean' subject may read a 'dirty' object, but the result
is that the subject is then re-classified as 'dirty'
a low-level subject is permitted to write to a high-level
object, but the object is then re-classified as low-level
Policy enforces automatic
adjustment of security levels
Biba is the dual of BLP. If you
combine them, see note
Notes:
In other words, the combination of BLP and Biba, with the same security labels, means that a subject may only access objects at exactly the same security level. If this is the intention of the policy, then that’s fine, but as we have seen there are some obvious situations where this can lead to problems (remember the manager sending a memo to his staff!).
Can be extended to include an
access operation 'invoke'.
Subject may invoke another subject (such
as a software tool) to access an object
Subjects are only allowed to invoke tools at a lower
level. Otherwise, indirect contamination may occur.
Ring property (opposite of invoke)
A 'dirty' subject s1 may only invoke a
'clean' tool s2 to touch a 'clean' object.
The crucial lesson to learn is that you must
decide the policy before attempting to model
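
The Marketing Director note replayed against a small reference monitor, in static mode and then in dynamic mode, as an added example that is not part of the original notes. The names BibaMonitor, Entity and marketing_scenario are hypothetical, and the code assumes the integrity *-property's condition is that o' is no higher than the object o that was read.

```python
from dataclasses import dataclass

RANK = {"dirty": 0, "clean": 1}   # constructed two-level ordering, names from the notes

@dataclass
class Entity:
    name: str
    level: str                    # current integrity level
    floor: str = "clean"          # subjects only: lowest level observed so far

class BibaMonitor:
    """Hypothetical reference monitor; dynamic=False is static mode."""
    def __init__(self, dynamic=False):
        self.dynamic = dynamic

    def read(self, s, o):
        # Remember the lowest-integrity data this subject has observed.
        if RANK[o.level] < RANK[s.floor]:
            s.floor = o.level
        # Dynamic mode: reading dirty data re-classifies the subject as dirty.
        if self.dynamic and RANK[o.level] < RANK[s.level]:
            s.level = o.level
        return True

    def write(self, s, o):
        # Integrity of what s can write: its own level or what it read, whichever is lower.
        source = min(s.level, s.floor, key=RANK.get)
        if RANK[o.level] <= RANK[source]:
            return True           # modification stays level or flows downwards
        if self.dynamic:
            o.level = source      # object is re-classified as low-level
            return True
        return False              # static mode: no write up / integrity *-property

    def invoke(self, s1, s2):
        # Invoke property: a subject may only invoke tools at the same or a lower level.
        return RANK[s2.level] <= RANK[s1.level]

def marketing_scenario(dynamic):
    """Constructed replay of the Marketing Director note."""
    mon = BibaMonitor(dynamic)
    director = Entity("director", "clean")
    web_doc = Entity("public_web_doc", "dirty")
    plan = Entity("strategic_plan", "clean")
    mon.read(director, web_doc)
    allowed = mon.write(director, plan)
    return allowed, director.level, plan.level
```

In static mode the write to the plan is refused and no label changes; in dynamic mode the write goes through, but both the director and the plan end up labelled 'dirty', so the contamination is visible to anything that later checks the plan's level.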