In 1977, Biba [94] studied the nature of the integrity of systems. He proposed three policies, one of which was the mathematical dual of the Bell-LaPadula Model.
A system consists of a set S of subjects, a set O of objects, and a set I of integrity levels.[1] The levels are ordered. The relation < ⊆ I × I holds when the second integrity level dominates the first. The relation ≤ ⊆ I × I holds when the second integrity level either dominates or is the same as the first. The function min: I × I → I gives the lesser of the two integrity levels (with respect to ≤). The function i: S ∪ O → I returns the integrity level of an object or a subject. The relation r ⊆ S × O defines the ability of a subject to read an object; the relation w ⊆ S × O defines the ability of a subject to write to an object; and the relation x ⊆ S × S defines the ability of a subject to invoke (execute) another subject.
[1] The original model did not include categories and compartments. The changes required to add them are straightforward.
Some comments on the meaning of "integrity level" will provide intuition behind the constructions to follow. The higher the level, the more confidence one has that a program will execute correctly (or detect problems with its inputs and stop executing). Data at a higher level is more accurate and/or reliable (with respect to some metric) than data at a lower level. Again, this model implicitly incorporates the notion of "trust"; in fact, the term "trustworthiness" is used as a measure of integrity level. For example, a process at a level higher than that of an object is considered more "trustworthy" than that object.
Integrity labels, in general, are not also security labels. They are assigned and maintained separately, because the reasons behind the labels are different. Security labels primarily limit the flow of information; integrity labels primarily inhibit the modification of information. They may overlap, however, with surprising results (see Exercise 3).
Biba tests his policies against the notion of an information transfer path:
Definition 6–1. An information transfer path is a sequence of objects o₁, ..., oₙ₊₁ and a corresponding sequence of subjects s₁, ..., sₙ such that sᵢ r oᵢ and sᵢ w oᵢ₊₁ for all i, 1 ≤ i ≤ n.
Intuitively, data in the object o₁ can be transferred into the object oₙ₊₁ along an information flow path by a succession of reads and writes.
Whenever a subject reads an object, the low-water-mark policy changes the integrity level of the subject to the lower of the subject's and the object's levels. Specifically:
1. s ∈ S can write to o ∈ O if and only if i(o) ≤ i(s).
2. If s ∈ S reads o ∈ O, then i′(s) = min(i(s), i(o)), where i′(s) is the subject's integrity level after the read.
3. s₁ ∈ S can execute s₂ ∈ S if and only if i(s₂) ≤ i(s₁).
The first rule prevents writing from one level to a higher level. This prevents a subject from writing to a more highly trusted object. Intuitively, if a subject were to alter a more trusted object, it could implant incorrect or false data (because the subject is less trusted than the object). In some sense, the trustworthiness of the object would drop to that of the subject. Hence, such writing is disallowed.
The second rule causes a subject's integrity level to drop whenever it reads an object at a lower integrity level. The idea is that the subject is relying on data less trustworthy than itself. Hence, its trustworthiness drops to the lesser trustworthy level. This prevents the data from "contaminating" the subject or its actions.
The third rule allows a subject to execute another subject provided the second is not at a higher integrity level. Otherwise, the less trusted invoker could control the execution of the invoked subject, corrupting it even though it is more trustworthy.
This policy constrains any information transfer path:
Theorem 6–1. If there is an information transfer path from object o₁ ∈ O to object oₙ₊₁ ∈ O, then enforcement of the low-water-mark policy requires that i(oₙ₊₁) ≤ i(o₁) for all n > 1.
Proof. If an information transfer path exists between o₁ and oₙ₊₁, then Definition 6–1 gives a sequence of subjects and objects identifying the entities on the path. Without loss of generality, assume that each read and write was performed in the order of the indices of the vertices. By induction, for any 1 ≤ k ≤ n, i(sₖ) = min { i(oⱼ) | 1 ≤ j ≤ k } after k reads. As the nth write succeeds, by rule 1, i(oₙ₊₁) ≤ i(sₙ). Thus, by transitivity, i(oₙ₊₁) ≤ i(o₁).
This policy prevents direct modifications that would lower integrity labels. It also prevents indirect modification by lowering the integrity label of a subject that reads from an object with a lower integrity level.
The problem with this policy is that, in practice, the subjects change integrity levels. In particular, the level of a subject is nonincreasing, which means that it will soon be unable to access objects at a high integrity level. An alternative policy is to decrease object integrity levels rather than subject integrity levels, but this policy has the property of downgrading object integrity levels to the lowest level.
The ring policy ignores the issue of indirect modification and focuses on direct modification only. This solves the problems described above. The rules are as follows.
1. Any subject may read any object, regardless of integrity levels.
2. s ∈ S can write to o ∈ O if and only if i(o) ≤ i(s).
3. s₁ ∈ S can execute s₂ ∈ S if and only if i(s₂) ≤ i(s₁).
The difference between this policy and the low-water-mark policy is simply that any subject can read any object. Hence, Theorem 6–1 holds for this model, too.
The third policy, the strict integrity policy, is the dual of the Bell-LaPadula Model, and is most commonly called "Biba's model." Its rules are as follows.
1. s ∈ S can read o ∈ O if and only if i(s) ≤ i(o).
2. s ∈ S can write to o ∈ O if and only if i(o) ≤ i(s).
3. s₁ ∈ S can execute s₂ ∈ S if and only if i(s₂) ≤ i(s₁).
Given these rules, Theorem 6–1 still holds, but its proof changes (see Exercise 1). Note that rules 1 and 2 imply that if both read and write are allowed, i(s) = i(o).
Like the low-water-mark policy, this policy prevents indirect as well as direct modification of entities without authorization. By replacing the notion of "integrity level" with "integrity compartments," and adding the notion of discretionary controls, one obtains the full dual of Bell-LaPadula.
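As an added illustration (not code from the textbook), the three policies are coded below as a small reference monitor, together with a driver that walks an information transfer path in index order as the proof of Theorem 6–1 does. The policy names, the Entity class and the use of integers as integrity levels are assumptions of this example.

```python
# Added example (not from the textbook): the three Biba policies as an
# access-check monitor plus a driver for the path of Definition 6-1.
# Levels are integers; a higher value means more trustworthy.
from dataclasses import dataclass


@dataclass
class Entity:
    name: str
    level: int  # i(e), the entity's current integrity level


class BibaMonitor:
    """Reference monitor for 'lwm' (low-water-mark), 'ring' or 'strict'."""

    def __init__(self, policy: str):
        if policy not in ("lwm", "ring", "strict"):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy

    def can_write(self, s: Entity, o: Entity) -> bool:
        # Identical in all three policies: i(o) <= i(s), so no writing "up".
        return o.level <= s.level

    def can_execute(self, s1: Entity, s2: Entity) -> bool:
        # Identical in all three policies: i(s2) <= i(s1).
        return s2.level <= s1.level

    def read(self, s: Entity, o: Entity) -> bool:
        """Attempt a read and return whether it was permitted. Under the
        low-water-mark policy a permitted read lowers i(s) as a side effect."""
        if self.policy == "strict":
            return s.level <= o.level  # strict rule 1: no reading "down"
        if self.policy == "lwm":
            s.level = min(s.level, o.level)  # i'(s) = min(i(s), i(o))
        return True  # ring and low-water-mark permit every read


def run_transfer_path(policy, subject_levels, object_levels):
    """Drive Definition 6-1 in index order: s_k reads o_k, then writes o_{k+1}.
    Requires len(object_levels) == len(subject_levels) + 1. Returns
    (writes_completed, final_subject_levels); the whole path is traversable
    exactly when writes_completed == len(subject_levels)."""
    mon = BibaMonitor(policy)
    subjects = [Entity(f"s{k + 1}", lv) for k, lv in enumerate(subject_levels)]
    objects = [Entity(f"o{k + 1}", lv) for k, lv in enumerate(object_levels)]
    writes = 0
    for k, s in enumerate(subjects):
        if not mon.read(s, objects[k]) or not mon.can_write(s, objects[k + 1]):
            break  # the path is cut here; later objects are not reached from o1
        writes += 1
    return writes, [s.level for s in subjects]
```

Under 'lwm' a path that completes never ends at an object with a level above i(o₁), and the returned subject levels show the nonincreasing drift the text warns about; under 'strict' the same path attempted by high-level subjects is refused at the first read.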
EXAMPLE: Pozzo and Gray [817, 818] implemented Biba's strict integrity model on the distributed operating system LOCUS [811]. Their goal was to limit execution domains for each program to prevent untrusted software from altering data or other software. Their approach was to make the level of trust in software and data explicit. They have different classes of executable programs. Their credibility ratings (Biba's integrity levels) assign a measure of trustworthiness on a scale from 0 (untrusted) to n (highly trusted), depending on the source of the software. Trusted file systems contain only executable files with the same credibility level. Associated with each user (process) is a risk level that starts out set to the highest credibility level at which that user can execute. Users may execute programs with credibility levels at least as great as the user's risk level. To execute programs at a lower credibility level, a user must use the run-untrusted command. This acknowledges the risk that the user is taking.