Bell-LaPadula model and Biba model

这两个安全模型在看cissp osg教材的时候不懂，报的培训班老师也没讲解原理及为什么，直观上，这两个模型就是对立的。看了11 hours cissp书后恍然大悟，这是本好书。摘抄如下：

Bell-LaPadula includes the following rules and properties:

• Simple Security Property: “No read up”; a subject at a specific clearance level cannot read an object at a higher classification level. Subjects with a Secret clearance cannot access Top Secret objects, for example.

• Security Property: “No write down”; a subject at a higher clearance level cannot write to a lower classification level. For example: subjects who are logged into a Top Secret system cannot send emails to a Secret system.

• Strong Tranquility Property: Security labels will not change while the system is operating.

• Weak Tranquility Property: Security labels will not change in a way that conflicts with defined

security properties.

 

引出Biba模型：

Models such as Bell-LaPadula focus on confidentiality, sometimes at the expense of integrity. The Bell-LaPadula “no write down” rule means subjects can write up; that is, a Secret subject can write to a Top Secret object. What if the Secret subject writes erroneous information to a Top Secret object? Integrity models such as Biba address this issue.

The Biba model has two primary rules: the Simple Integrity Axiom and the * Integrity Axiom.

• Simple Integrity Axiom: “No read down”; a subject at a specific clearance level cannot read data at a lower classification. This prevents subjects from accessing information at a lower integrity level. This protects integrity by preventing bad information from moving up from lower integrity levels.

• * Integrity Axiom: “No write up”; a subject at a specific clearance level cannot write data to a higher classification. This prevents subjects from passing information up to a higher integrity level than they have clearance to change. This protects integrity by preventing bad information from moving up to higher integrity levels.

 

 

 

Did you know？

Biba takes the Bell-LaPadula rules and reverses them, showing how confidentiality and integrity are often at odds. If you understand Bell-LaPadula (no read up; no write down), you can extrapolate Biba by reversing the rules: “no read down”; “no write up.”

 

读完后解释了我的疑惑：
为什么Bell-LaPadula不能向下写？--我想是为了防止机密信息在不经意间被泄漏。For example: subjects who are logged into a Top Secret system cannot send emails to a Secret system. 但可以向上写，开始觉得有点奇怪，但是confidentical是第一目标的，但这样可能造成不完整性或不可信信息。

最后一段解释了他两为什么是相反的。