Skip to content

Page092

Integrity Models

Models such as Bell-LaPadula focus on confidentiality, sometimes at the expense of integrity. The Bell-LaPadula “No Write Down” rule means subjects can write up: a Secret subject can write to a Top Secret object. What if the Secret subject writes erroneous information to a Top Secret object? Integrity models such as Biba address this issue.

Biba Model

While many governments are primarily concerned with confidentiality, most businesses desire to ensure that the integrity of the information is protected at the highest level. Biba is the model of choice when integrity protection is vital. The Biba model, named after Kenneth J. Biba, has two primary rules: the Simple Integrity Axiom and the * Integrity Axiom.

Simple Integrity Axiom

The Simple Integrity Axiom is “no read down”: a subject at a specific classification level cannot read data at a lower classification. This prevents subjects from accessing information at a lower integrity level. This protects integrity by preventing bad information from moving up from lower integrity levels.

* Integrity Axiom

The * Integrity Axiom is “no write up”: a subject at a specific classification level cannot write to data at a higher classification. This prevents subjects from passing information up to a higher integrity level than they have clearance to change. This protects integrity by preventing bad information from moving up to higher integrity levels.

Note
Biba takes the Bell-LaPadula rules and reverses them, showing how confidentiality and integrity are often at odds. If you understand Bell-LaPadula (no read up; no write down), you can extrapolate Biba by reversing the rules: no read down; no write up.

Clark-Wilson

Clark-Wilson is a real-world integrity model that protects integrity by requiring subjects to access objects via programs. Because the programs have specific limitations to what they can and cannot do to objects, Clark-Wilson effectively limits the capabilities of the subject. Clark-Wilson uses two primary concepts to ensure that security policy is enforced: well-formed transactions and Separation of Duties.

Well-Formed Transactions

Well-Formed Transactions describe the Clark-Wilson ability to enforce control over applications. This process is comprised of the “access control triple”: user, transformation procedure, and constrained data item.

A transformation procedure (TP) is a well-formed transaction, and a constrained data item (CDI) is data that requires integrity. Unconstrained data items (UDIs) are data that do not require integrity. Assurance is based upon integrity verification procedures (IVPs) that ensure that data are kept in a valid state.

For each TP, an audit record is made and entered into the access control system. This provides both detective and recovery controls in case integrity is lost.

Certification, Enforcement, and Separation of Duties

Within Clark-Wilson, certification monitors integrity, and enforcement preserves integrity. All relations must meet the requirements imposed by the separation of duty. All TPs must record enough information to reconstruct the data transaction to ensure integrity.

Exam Warning
Clark-Wilson requires that users are authorized to access and modify data. It also requires that data is modified in only authorized ways.

The purpose of separation of duties within the Clark-Wilson model is to ensure that authorized users do not change data in an inappropriate way. One example is a school’s bursar office. One department collects money and another department issues payments. Both the money collection and payment departments are not authorized to initiate purchase orders. By keeping all three roles separate, the school is assured that no one person can fraudulently collect, order, or spend the money. The school depends on the honesty and competency of each person in the chain to report any improper modification of an order, payment, or collection. It would take a conspiracy among all parties to conduct a fraudulent act.

Exam Warning
Clark-Wilson enforces the concept of a separation of duties and transformation procedures within the system.