The [[Bell and LaPadula model|BLP model]] only lets us write up and read down. This is great for confidentiality but does not guarantee integrity.
In contrast, the Biba model focuses on [[CIA triad#Integrity|integrity]]: preventing unauthorized modification of data and protecting the quality of information in objects. It allows *read up* and *write down*.
User levels can be low, medium, or high integrity. Low-integrity users cannot produce high-integrity data. High-integrity users do not want to read low-quality data.
The purpose is to stop low-quality information from flowing to high-level users.
### Information flow
Sensitive data is the source from which information flow starts.
- Reads and writes are allowed but tracked (statically or dynamically) to see where such information ends up
- Prevent information flow at certain exit points (e.g., an SSN being sent to an untrusted server)
- Policy must define sensitive data sources and allowed/disallowed exits
- System utilizes techniques like taint tracking to enforce policy
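
A minimal sketch of dynamic taint tracking enforcing such a policy, added here as an illustration and not part of the original note. The names `Tainted`, `read_source`, `send`, `POLICY` and the host names are hypothetical, and the SSN value is constructed.

```python
# Added illustration: dynamic taint tracking with a source/exit policy.
# Tainted, read_source, send, POLICY and the host names are hypothetical.
POLICY = {
    "sources": {"ssn"},                             # sensitive data sources
    "allowed_exits": {"payroll.internal.example"},  # exits sensitive data may use
}

class FlowViolation(Exception):
    """Raised when tainted data reaches a disallowed exit point."""

class Tainted(str):
    """A string that remembers which sensitive sources it derives from."""
    def __new__(cls, value, labels=()):
        obj = super().__new__(cls, value)
        obj.labels = frozenset(labels)
        return obj

    def _merged(self, other):
        return self.labels | getattr(other, "labels", frozenset())

    # Propagation: anything concatenated with tainted data is tainted too.
    # (Other str operations such as slicing or formatting are not covered.)
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self._merged(other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self._merged(other))

def read_source(label, value):
    """Attach a taint label where data enters from a sensitive source."""
    return Tainted(value, {label}) if label in POLICY["sources"] else value

def send(host, payload):
    """Exit point: refuse sensitive labels unless the exit is allowed."""
    leaked = getattr(payload, "labels", frozenset()) & POLICY["sources"]
    if leaked and host not in POLICY["allowed_exits"]:
        raise FlowViolation(f"{sorted(leaked)} may not flow to {host}")
    return f"sent {len(payload)} bytes to {host}"

if __name__ == "__main__":
    ssn = read_source("ssn", "000-00-0000")            # constructed sample value
    record = "name=alice;ssn=" + ssn + ";dept=ops"     # taint propagates
    print(send("payroll.internal.example", record))    # allowed exit
    try:
        send("untrusted.example", record)              # disallowed exit
    except FlowViolation as err:
        print("blocked:", err)
```

The read and the concatenation both succeed; only the exit point consults the policy, which matches the "allowed but tracked" behaviour in the list above.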