In general, preservation of data integrity has three goals:
- Prevent data modification by unauthorized parties
- Prevent unauthorized data modification by authorized parties
- Maintain internal and external consistency (i.e. data reflects the real world)
This security model is directed toward data integrity (rather than confidentiality) and is characterized by the phrase: "read up, write down". This is in contrast to the Bell-LaPadula model which is characterized by the phrase "read down, write up".
In the Biba model, users can only create content at or below their own integrity level (a monk may write a prayer book that can be read by commoners, but not one to be read by a high priest). Conversely, users can only view content at or above their own integrity level (a monk may read a book written by the high priest, but may not read a pamphlet written by a lowly commoner). Another analogy to consider is that of the military chain of command. A General may write orders to a Colonel, who can issue these orders to a Major. In this fashion, the General's original orders are kept intact and the mission of the military is protected (thus, "read up" integrity). Conversely, a Private can never issue orders to his Sergeant, who may never issue orders to a Lieutenant, also protecting the integrity of the mission ("write down").
The Biba model defines a set of security rules, the first two of which are similar to the Bell–LaPadula model. These first two rules are the reverse of the Bell–LaPadula rules:
- The Simple Integrity Property states that a subject at a given level of integrity must not read data at a lower integrity level (no read down).
- The * (star) Integrity Property states that a subject at a given level of integrity must not write to data at a higher level of integrity (no write up).[3]
- Invocation Property states that a process from below cannot request higher access; only with subjects at an equal or lower level.