PrepAway - Latest Free Exam Questions & Answers

Which of the following statements relating to the Biba security model is FALSE?

A. It is a state machine model.

B. A subject is not allowed to write up.

C. Integrity levels are assigned to subjects and objects.

D. Programs serve as an intermediate layer between subjects and objects.

Explanation:
The statement, “Programs serve as an intermediate layer between subjects and objects” in the Biba model is FALSE. The Clark–Wilson model uses programs as an intermediate layer between subjects and objects.
The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Bell-LaPadula model uses a lattice of security levels (top secret, secret, sensitive, and so on). These security levels were developed mainly to ensure that sensitive data were only available to authorized individuals. The Biba model is not concerned with security levels and confidentiality, so it does not base access decisions upon this type of lattice. Instead, the Biba model uses a lattice of integrity levels.
If implemented and enforced properly, the Biba model prevents data from any integrity level from flowing to a higher integrity level. Biba has three main rules to provide this type of protection:
*-integrity axiom: A subject cannot write data to an object at a higher integrity level (referred to as “no write up”).
Simple integrity axiom: A subject cannot read data from a lower integrity level (referred to as “no read down”).
Invocation property: A subject cannot request service (invoke) of higher integrity.
Incorrect Answers:
A: The Biba model is a state machine model.
B: It is true that a subject is not allowed to write up in the Biba model.
C: It is true that integrity levels are assigned to subjects and objects in the Biba model.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 372
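The three Biba rules from the explanation above can be expressed as a small access check. This is an added example, not part of the original page or the cited book; the level names, subject and object names, and the sample requests are all constructed for illustration.

```python
from enum import IntEnum

class Integrity(IntEnum):
    # Constructed example levels; a higher value means higher integrity.
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# Maps each action to the Biba rule that governs it.
RULES = {
    "read": "simple integrity axiom (no read down)",
    "write": "*-integrity axiom (no write up)",
    "invoke": "invocation property (no invoking higher integrity)",
}

def biba_allows(action, subject_level, target_level):
    """Return True if the three Biba rules permit the request."""
    if action == "read":      # subject may not read from a lower level
        return target_level >= subject_level
    if action in ("write", "invoke"):  # subject may not write to / invoke a higher level
        return target_level <= subject_level
    raise ValueError(f"unknown action: {action!r}")

def audit(requests):
    """Return (subject, action, target, rule) for every request Biba denies."""
    denied = []
    for subject, s_level, action, target, t_level in requests:
        if not biba_allows(action, s_level, t_level):
            denied.append((subject, action, target, RULES[action]))
    return denied

# Constructed sample requests: (subject, subject level, action, target, target level)
REQUESTS = [
    ("web_upload", Integrity.LOW, "write", "payroll_db", Integrity.HIGH),    # write up
    ("web_upload", Integrity.LOW, "read", "payroll_db", Integrity.HIGH),     # read up
    ("payroll_svc", Integrity.HIGH, "read", "upload_dir", Integrity.LOW),    # read down
    ("payroll_svc", Integrity.HIGH, "write", "upload_dir", Integrity.LOW),   # write down
    ("web_upload", Integrity.LOW, "invoke", "payroll_svc", Integrity.HIGH),  # invoke up
    ("report_job", Integrity.MEDIUM, "write", "report_log", Integrity.MEDIUM),  # same level
]

if __name__ == "__main__":
    for subject, action, target, rule in audit(REQUESTS):
        print(f"DENIED {subject} {action} {target}: {rule}")
```

Reading up and writing down are allowed, which is the mirror image of Bell-LaPadula's confidentiality rules.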

