Biba
No read down, no write up.
Kenneth Biba · 1977 · Commercial data integrity
The problem it solves
Bell-LaPadula guards secrecy but ignores whether data is trustworthy. Biba flips the goal. It stops low-integrity data from contaminating high-integrity data, so a clean record never gets corrupted by a dirty source.
The big idea
Biba is the mirror image of Bell-LaPadula: integrity flows down, so dirty data can never flow up into clean data.
Where Bell-LaPadula stops secrets from leaking down to lower clearances, Biba stops corruption from creeping up to higher integrity. Every subject and object gets an integrity level, and the rules guarantee that high-integrity data is only ever built from sources that are at least as trustworthy. The slogan is the inverse of confidentiality: no read down, no write up.
The rules
Simple Integrity Axiom (no read down)
A subject may not read data that sits at a lower integrity level than its own.
Why: Reading lower data would let untrusted, possibly corrupt information contaminate a higher-integrity process.
Star Integrity Axiom (no write up)
A subject may not write to data that sits at a higher integrity level than its own.
Why: Writing upward would let a less trusted subject inject bad data into more trusted, cleaner objects.
Invocation Property
A subject may not invoke, call, or send a request to a subject that has a higher integrity level.
Why: Calling up could let a low-integrity subject indirectly drive a high-integrity one and corrupt data through it.
You read up and write down, so trusted data can only flow down.
Worked example
A process running at Medium integrity.
- 01 Allowed: Read a Medium config file. Reading at your own level is fine.
- 02 Blocked: Read a Low integrity download. No read down. Untrusted data could corrupt you.
- 03 Allowed: Write to a Low integrity log. Writing down is allowed. You are more trusted than the target.
- 04 Blocked: Write into a High integrity system file. No write up. You could corrupt data more trusted than you.
Limits and gotchas
It guards integrity only, not confidentiality
Biba says nothing about who may see secret data. It only controls the direction of integrity flow, so it cannot stop a low-integrity subject from reading sensitive material. For that reason Biba and Bell-LaPadula are often paired to cover both goals.
It can be impractically strict
Forbidding all reads from lower levels and all writes to higher levels blocks many normal workflows. Real systems often need relaxations like the low water mark or ring policy to stay usable.
It does not ensure correct or consistent transactions
Biba controls the direction of data flow but never checks whether an operation is internally valid or leaves data in a sensible state. Guaranteeing well-formed transactions is the job of the Clark-Wilson model.
It assumes the labels are already correct
The model trusts that every integrity level was assigned accurately. If a corrupt object is mislabeled as high integrity, Biba will happily treat it as clean and protect the wrong data.
Key terms
- Integrity level: A label assigned to every subject and object that ranks how trustworthy or reliable it is. Biba compares these labels to decide who may read or write what.
- Contamination: The spread of unreliable or corrupt data into a cleaner, higher-integrity place. Biba's whole purpose is to block contamination from flowing upward.
- Trusted: A subject or object held at a high integrity level, meaning its data is considered reliable and safe to depend on. Trusted subjects must be protected from lower-quality input.
- Low water mark: A dynamic variant where a subject's integrity level drops to match the lowest-integrity object it has read. Instead of forbidding a read down, it lets the read happen but downgrades the subject so contamination cannot spread further.
- Ring policy: A relaxed Biba variant that allows a subject to read objects at any level while still enforcing no write up. It trusts subjects not to be corrupted by simply reading lower data.
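The three rules and the two relaxed variants defined above, written as a small reference monitor that replays the worked example for a Medium-integrity process. This is an added example, not code from the original page; BibaMonitor, Subject, Level and the two helper functions are hypothetical names chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):                 # higher value = more trusted
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass
class Subject:
    name: str
    level: Level

class BibaMonitor:
    """Hypothetical reference monitor: 'strict', 'low_water_mark' or 'ring'."""
    def __init__(self, policy="strict"):
        if policy not in ("strict", "low_water_mark", "ring"):
            raise ValueError(f"unknown policy: {policy}")
        self.policy = policy

    def read(self, subject, obj_level):
        if obj_level >= subject.level or self.policy == "ring":
            return True               # reading up or level; ring never restricts reads
        if self.policy == "low_water_mark":
            subject.level = obj_level # read happens, subject drops to the object's level
            return True
        return False                  # strict: no read down

    def write(self, subject, obj_level):
        return obj_level <= subject.level     # no write up, under every policy

    def invoke(self, caller, callee):
        return callee.level <= caller.level   # no invoking a higher-integrity subject

def worked_example(policy="strict"):
    """Replay the page's four cases for a Medium-integrity process."""
    mon, proc = BibaMonitor(policy), Subject("medium_proc", Level.MEDIUM)
    return [mon.read(proc, Level.MEDIUM),     # 01 read a Medium config file
            mon.read(proc, Level.LOW),        # 02 read a Low download
            mon.write(proc, Level.LOW),       # 03 write to a Low log
            mon.write(proc, Level.HIGH)]      # 04 write a High system file

def low_water_mark_taint():
    """Write to Medium before and after the subject reads Low data."""
    mon, proc = BibaMonitor("low_water_mark"), Subject("medium_proc", Level.MEDIUM)
    before = mon.write(proc, Level.MEDIUM)
    mon.read(proc, Level.LOW)                 # downgrades proc to LOW
    after = mon.write(proc, Level.MEDIUM)     # now a write up, so denied
    return before, after, proc.level
```

Under low water mark the Low read in case 02 succeeds, but the subject then fails a write to Medium that it could perform a moment earlier, which is how the downgrade stops the contamination from spreading.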
Check yourself
01 What is the core slogan that summarizes the Biba model?
02 A subject at a medium integrity level wants to write to an object at a high integrity level. What does Biba do?
03 Which concern is explicitly outside the scope of the Biba model?
04 Under the low water mark variant, what happens when a subject reads a lower-integrity object?
Key takeaway
The one line
Biba = Integrity = no read down, no write up. The mirror of BLP.