The Biba model, another MAC-based model, enforces integrity (unlike the Bell-LaPadula model, which enforces confidentiality). Biba includes two rules that are reversed from the Bell-LaPadula model:
Simple Integrity Axiom—no read down: Subjects granted access to any security level may not read an object at a lower security level, at least not as the authoritative source. For example, a captain of a ship can read orders from an admiral and consider them authoritative and actionable. However, if a seaman recruit tries to issue orders to the captain, the captain will not read them as authoritative.
The * Integrity Axiom (read as “star Integrity Axiom”)—no write up: Subjects granted access to any security level may not write to any object at a higher security level. For example, a seaman recruit cannot write orders for the captain of the ship. Similarly, the captain cannot write orders for the admiral.
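The two axioms written as access checks, with the Bell-LaPadula rules beside them for contrast. This is an added example, not part of the original text: the `Level` values and function names are assumptions built from the naval example, and it goes one step beyond the text by computing every transitive data flow each rule set permits, showing that Biba never lets lower-integrity data reach a higher level.

```python
# Added illustration: names and level numbering are assumptions, not from the text.
from enum import IntEnum
from itertools import product

class Level(IntEnum):
    """Integrity levels taken from the naval example, lowest to highest."""
    SEAMAN_RECRUIT = 1
    CAPTAIN = 2
    ADMIRAL = 3

def biba_can_read(subject, obj):
    return obj >= subject      # Simple Integrity Axiom: no read down

def biba_can_write(subject, obj):
    return obj <= subject      # * Integrity Axiom: no write up

def blp_can_read(subject, obj):
    return obj <= subject      # Bell-LaPadula simple security: no read up

def blp_can_write(subject, obj):
    return obj >= subject      # Bell-LaPadula * property: no write down

def reachable_flows(can_read, can_write, levels=tuple(Level)):
    """Every (source, destination) level pair data can reach, transitively.
    One hop exists when a subject at some level may read source and write destination."""
    flows = {(src, dst) for src, subj, dst in product(levels, repeat=3)
             if can_read(subj, src) and can_write(subj, dst)}
    changed = True
    while changed:                      # transitive closure over chained hops
        changed = False
        for (a, b), (c, d) in product(list(flows), repeat=2):
            if b == c and (a, d) not in flows:
                flows.add((a, d))
                changed = True
    return flows

def integrity_violations(flows):
    """Flows in which lower-integrity data ends up in a higher-integrity object."""
    return sorted((src.name, dst.name) for src, dst in flows if src < dst)

if __name__ == "__main__":
    for name, rd, wr in (("Biba", biba_can_read, biba_can_write),
                         ("Bell-LaPadula", blp_can_read, blp_can_write)):
        print(name, "upward flows:", integrity_violations(reachable_flows(rd, wr)))
```

Under the Biba checks the list of upward flows is empty; under the Bell-LaPadula checks every lower level can reach every higher one, which is why a confidentiality policy alone does not protect integrity.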