As an analog of confidentiality labels, integrity labels in the Biba model
are assigned according to which of the following rules?

A.
Objects are assigned integrity labels according to their trustworthiness; subjects are assigned
classes according to the harm that would be done if the data were modified improperly.

B.
Objects are assigned integrity labels identical to the corresponding confidentiality labels.

C.
Integrity labels are assigned according to the harm that would occur from unauthorized
disclosure of the information.

D.
Subjects are assigned classes according to their trustworthiness; objects are assigned integrity
labels according to the harm that would be done if the data were modified improperly.

Explanation:
As subjects in the world of confidentiality are assigned clearances
related to their trustworthiness, subjects in the Biba model are
assigned to integrity classes that are indicative of their trustworthiness.
Also, in the context of confidentiality, objects are
assigned classifications related to the amount of harm that would be
caused by unauthorized disclosure of the object. Similarly, in the
integrity model, objects are assigned to classes related to the amount
of harm that would be caused by the improper modification of the
object. Answer a is incorrect since integrity properties and
confidentiality properties are opposites. For example, in the BellLaPadula model, there is no prohibition against a subject at one
classification reading information from a lower level of
confidentiality. However, when maintenance of the integrity of data
is the objective, reading of information from a lower level of
integrity by a subject at a higher level of integrity risks
contaminating data at the higher level of integrity. Thus, the simple
and * -properties in the Biba model are complements of the
corresponding properties in the Bell-LaPadula model. Recall that the
Simple Integrity Property states that a subject at one level of integrity
is not permitted to observe (read) an object of a lower integrity (no
read down). Also, the *- Integrity Property states that an object at one

level of integrity is not permitted to modify (write to) an object of a
higher level of integrity (no write up).
* Answer “Objects are assigned integrity labels according to their trustworthiness; subjects are
assigned classes according to the harm that would be done if the data were modified improperly”
is incorrect since the words object and subject are interchanged.
* In answer “Integrity labels are assigned according to the harm that would occur from
unauthorized disclosure of the information”, unauthorized disclosure refers to confidentiality and
not to integrity.