Hi, guys, Ed Amoroso here. So I want to tell you about some work that was done at MITRE just around the time that the Bell-LaPadula model was being developed for disclosure. And it was actually work that was done by another MITRE employee named Ken Biba. Here's what he was interested in. He thought Bell-LaPadula were looking at how disclosure properties can be respected in systems that the military was building back in the 70s. And yeah, through the 80s and 90s, and so on. So his idea was, how would integrity properties be preserved and respected in a system along the lines of what Bell-LaPadula did?
So here's what he said. He said, instead of the classic military thing where you have top secret, secret, confidential, and classified for disclosure properties. And we said they would be labels with clearances for people, classifications for documents. We call them both labels, and again, top secret and so on, the way the military would do it. He said, the way integrity works, it's a different scale. Like up at the top, you'd have high integrity people or high integrity documents. Where a high integrity document is something that has no corruption in it, has no changes in it, has not been modified. It does what it says, it's something you can trust. Ditto a high integrity person, all the way down to a low integrity document, which has a lot of garbage in it. It has insertions and special things you don't notice, and it's trojan, then blah, blah, blah. And ditto people, low integrity people, people you can't trust.
So we said, we have that kind of scale, high and low and medium. What would that mean, from whether you can read or write? So we said, let's imagine a high integrity person reading a high integrity document. Is that okay? Yeah, it's perfectly fine. But he said, what about a really high integrity individual? Like thinking a beautiful little baby just born, a beautiful high integrity baby. And then, as it gets older, it reads low integrity stuff.
It goes to school, it reads some star. It goes to college, reads really low integrity stuff. What happens then is it could corrupt the high integrity individual. In fact, it could actually drop its integrity, like life could be this monotonically decreasing integrity function, I hope it's not that. But anyway, he said, you really ought not to allow high integrity processes reading low integrity things. And then, for writing, he said, it's kind of the opposite, where a high integrity person can write to a high integrity document. But should low integrity information be written up to a high integrity document, he said, no. So his two mottos became no read down, no write up, which is the opposite of Bell-LaPadula. [LAUGH] Bell-LaPadula, we said, no read up, no write down. Flip it for Biba.
What does that mean? I mean, do you do them both? Do you do one or the other? How would something like this be implemented? So very quickly, this concept of modeling became a question. And I'll tell you, the idea of building a model and using that model as the basis for trying to describe how the world operates and works. I think that it's a good thing to do, it's just the world has to actually reflect the model. I guess with a scientist, we develop theories. If the theory does not describe experimentation or your reality of the way the world is really operating, then the theory is wrong. And ditto these models, so you had Biba, Bell-LaPadula.
Now, Biba had some nice properties, if you think about it. For example, if the high integrity stuff is, say, your kernel, your operating system kernel, and the lower integrity stuff are all your apps, the idea of somehow not having applications to be able to write into those high integrity system, kernel functions or system objects. It's a pretty good idea, like it keeps viruses out of that sort of thing.
And then, like administrators running as root, high integrity processes, probably ought not to be reading apps that come in, downloaded from an app store, shouldn't be reading down. So the Biba model has some nice implications in cybersecurity.
But it turns out that both Bell-LaPadula and Biba had real problems. And in our next video, what we're going to do is we're going to take a couple minutes and look at how those problems kind of realize themselves and the implication it has for modeling.
Now, before we do that, we're going to just try to test our understanding here of Biba and Bell-LaPadula type models with a very simple quiz. Do these respect the Biba property? And it turns out, if you look at them, they're [LAUGH] all inconsistent, so the answer is D. None of them are considered acceptable in the context of Biba. So hopefully, that helps with your understanding of Biba and the Bell-LaPadula model. Think about these properties because for many years, they drove the way we did cybersecurity. But you're going to see in a subsequent video that they do have pretty significant problems. I'll see you in a little bit.