Talk:Biba Integrity Model

According to Security in Computing, 3rd Edition (Pfleeger & Pfleeger), the Simple Integrity Property is defined as:

Subject s can modify (have write access to) object o only if I(s) >= I(o).

In other words (still according to Pfleeger), "an untrusted subject who has write access to an object reduces the integrity of that object."

This runs counter to the stated article. Introduction to Computer Security (Bishop) has a different statement of what the Biba Integrity rules are (and he provides three rules, not just two).

This gives me three interpretations.

I found (well, was pointed to) a DTIC Reference and was told I could order a copy from NTIS, so I did. It just arrived yesterday.

The Biba paper defines three different mandatory integrity models:
 * 1) Low-Water Mark Policy
 * 2) Ring Policy
 * 3) Strict Integrity Policy

(I could transcribe these statements in the paper's language if that would be more helpful.)

The Low-Water Mark Policy is a dynamic policy with three rules that basically amount to:
 * 1) the new integrity level of a subject is the minimum of the previous integrity level of the subject and the integrity level of the currently accessed object
 * 2) for all subjects s, and all objects o, a subject can modify an object iff the integrity level of the object is dominated by the integrity level of the subject.
 * 3) for all subjects s1 and s2, s1 may invoke s2 iff the integrity level of s2 is dominated by the integrity level of s1.

This policy has the disadvantage that the policy changes as the program runs, so what may have been accessible at the start of the program may no longer be accessible halfway through.

The Ring Policy is a more flexible policy that only provides two rules:
 * 1) for all objects o and all subjects s, s may modify o iff the integrity level of the object is dominated by the integrity level of the subject. (This is very close to Pfleeger's statement of the simple integrity property.)
 * 2) for all subjects s1 and s2, s1 may invoke s2 iff the integrity level of s2 is dominated by the integrity level of s1

The Strict Integrity Policy is 'considered a "complement" or "dual" of the security policy' (p32). This is the policy that states the two axioms which correspond to the Bell-LaPadula model. This gives three rules/axioms:
 * 1) for all subjects s and all objects o, s may observe o iff the integrity level of s is dominated by the integrity level of o
 * 2) for all subjects s and all objects o, s may modify o iff the integrity level of o is dominated by the integrity level of s
 * 3) for all subjects s1 and s2, s1 may invoke s2 iff the integrity level of s2 is dominated by the integrity level of s1

(I'm going to have to dig up Bishop's book to double check, but I think he's the closest so far.)

This is my first time contributing here... is this sort of thing worthwhile to clean up and put into the article proper? I only just got my copy of the paper and I've only read through it once, and I did skim quite a bit of it.

SJS 07:52, 28 October 2005 (UTC)
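
The three policies summarized in the comment above can be compared by running one access trace through each. This is an added example, not part of the original comment or of Biba's paper; the integer integrity levels (a total order, higher meaning more trusted), the function names and the trace are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Subject:
    level: int  # integrity level I(s); assumed integer, higher = more trusted

POLICIES = ("low_water", "ring", "strict")

def dominated(a: int, b: int) -> bool:
    """True when level a is dominated by level b (a <= b)."""
    return a <= b

def check(policy: str, subj: Subject, op: str, target: int) -> bool:
    """Decide one access. target is I(o) for observe/modify, I(s2) for invoke.
    Under low_water an observe also lowers the subject's level (rule 1)."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    if op in ("modify", "invoke"):
        # Identical in all three policies: the target must be dominated
        # by the subject's current integrity level.
        return dominated(target, subj.level)
    if op != "observe":
        raise ValueError(f"unknown operation: {op}")
    if policy == "strict":
        # Strict integrity: observe only objects that dominate the subject.
        return dominated(subj.level, target)
    if policy == "low_water":
        # Observe is always allowed, but the subject drops to the minimum
        # of its own level and the object's level.
        subj.level = min(subj.level, target)
    # Ring policy places no restriction on observe and levels stay fixed.
    return True

def run_trace(policy: str, start_level: int, trace) -> list:
    """Replay (op, target_level) pairs for a fresh subject; return decisions."""
    subj = Subject(start_level)
    return [check(policy, subj, op, lvl) for op, lvl in trace]

# Constructed trace: a level-2 subject modifies a level-2 object, observes a
# level-1 object, then tries to modify the level-2 object again.
TRACE = [("modify", 2), ("observe", 1), ("modify", 2)]

if __name__ == "__main__":
    for p in POLICIES:
        print(f"{p:10s}", run_trace(p, 2, TRACE))
```

Under the low-water mark policy the final modify is refused because the earlier observe lowered the subject to level 1, which is the "accessible at the start, not halfway through" effect noted above; strict integrity refuses the observe instead, and the ring policy allows all three.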

Merger
I'm recommending that Biba Integrity Model be merged to Biba Model since the other related models all follow the "Inventor-Name Model" title convention. Dthvt 21:16, 8 December 2006 (UTC)