Security Models
                   •  Bell-Lapadula: confidentiality model (read
                       down and write up).
                          •  “state” machine model.
                          •  Simple security property: subject
                              cannot read an object of higher
                              sensitivity.
                          •  Star property (*): subject cannot
                              write lower
                          •  Strong Star: cannot read/write to the
                              object of higher/lower .
                          •  Does NOT address the "need to
                              know" of the user.
                   •  Biba Integrity: integrity model (read up and
                       write down)
                          •  Simple integrity: cannot read down.
                          •  Integrity star * property: cannot write
                              higher.
                          •  Invocation property: cannot invoke
                              execution up.
                          •  1st Goal of Integrity - Unauthorized
                              users make no changes.
                          •  Access tuple: Subject and Object
                   •  Clark & Wilson: integrity model
                          •  Reaffirmed Biba's first goal of
                              integrity.
                          •  Postulated the second goal of
                              integrity - "Authorized users make no
                              unauthorized changes."