Bell-LaPadula model and Biba model

I didn't understand these two security models when reading the CISSP OSG textbook, and the instructor of the training course I signed up for didn't explain the principles or the reasoning either; intuitively, the two models are simply opposites of each other. After reading the 11 Hours CISSP book it suddenly clicked; that is a good book. Excerpt as follows:

Bell-LaPadula includes the following rules and properties:

Simple Security Property: “No read up”; a subject at a specific clearance level cannot read an object at a higher classification level. Subjects with a Secret clearance cannot access Top Secret objects, for example.

Security Property: “No write down”; a subject at a higher clearance level cannot write to a lower classification level. For example: subjects who are logged into a Top Secret system cannot send emails to a Secret system.

Strong Tranquility Property: Security labels will not change while the system is operating.

Weak Tranquility Property: Security labels will not change in a way that conflicts with defined security properties.

This leads to the Biba model:

Models such as Bell-LaPadula focus on confidentiality, sometimes at the expense of integrity. The Bell-LaPadula “no write down” rule means subjects can write up; that is, a Secret subject can write to a Top Secret object. What if the Secret subject writes erroneous information to a Top Secret object? Integrity models such as Biba address this issue.

The Biba model has two primary rules: the Simple Integrity Axiom and the * Integrity Axiom.

Simple Integrity Axiom: “No read down”; a subject at a specific clearance level cannot read data at a lower classification. This prevents subjects from accessing information at a lower integrity level. This protects integrity by preventing bad information from moving up from lower integrity levels.

* Integrity Axiom: “No write up”; a subject at a specific clearance level cannot write data to a higher classification. This prevents subjects from passing information up to a higher integrity level than they have clearance to change. This protects integrity by preventing bad information from moving up to higher integrity levels.

Did you know?

Biba takes the Bell-LaPadula rules and reverses them, showing how confidentiality and integrity are often at odds. If you understand Bell-LaPadula (no read up; no write down), you can extrapolate Biba by reversing the rules: “no read down”; “no write up.”

Reading this resolved my confusion:
Why can't Bell-LaPadula write down? -- I think it is to prevent confidential information from being leaked inadvertently. For example: subjects who are logged into a Top Secret system cannot send emails to a Secret system. But writing up is allowed, which felt a bit odd at first; still, confidentiality is the primary goal, even though this may result in incomplete or untrustworthy information.

The last paragraph explains why the two are the reverse of each other.
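To make the "reversed rules" concrete, here is a small reference-monitor check written for this post (it is an added example, not code from the blog or from the quoted book). The four-level scale and the use of one scale for both confidentiality and integrity are assumptions for the demonstration; it also shows what happens when both rule sets are enforced on the same label.

```python
# Added example, not from the post or the quoted book; the level scale is assumed.
from enum import IntEnum


class Level(IntEnum):
    """Assumed ordering; real systems carry separate confidentiality and integrity labels."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject >= obj  # simple security property
    if op == "write":
        return subject <= obj  # * (star) security property
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity): no read down, no write up, i.e. Bell-LaPadula reversed."""
    if op == "read":
        return subject <= obj  # simple integrity axiom
    if op == "write":
        return subject >= obj  # * (star) integrity axiom
    raise ValueError(f"unknown operation {op!r}")


def both_allow(subject: Level, obj: Level, op: str) -> bool:
    """Enforce both models on a single label: only same-level access survives."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def decision_table(op: str) -> list:
    """(subject, object, BLP verdict, Biba verdict) for every pair of levels."""
    return [(s.name, o.name, blp_allows(s, o, op), biba_allows(s, o, op))
            for s in Level for o in Level]


if __name__ == "__main__":
    ts, s = Level.TOP_SECRET, Level.SECRET
    # The post's own example: a Top Secret subject e-mailing a Secret system
    print("BLP  TS->S write:", blp_allows(ts, s, "write"))   # False (no write down)
    print("Biba TS->S write:", biba_allows(ts, s, "write"))  # True
    # A Secret subject writing into a Top Secret object: BLP allows, Biba forbids
    print("BLP  S->TS write:", blp_allows(s, ts, "write"))   # True (write up permitted)
    print("Biba S->TS write:", biba_allows(s, ts, "write"))  # False (no write up)
```

Swapping subject and object in one model gives exactly the other model's verdict, and requiring both at once collapses to "same level only", which is why the two are rarely enforced on one label in practice.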

posted @ 2023-08-14 10:53 saaspeter