Access control & memory

Question 1

What is access control?

Answer 1

a broad term that describes the administrative, physical, and technical controls that regulate the interaction between subjects and objects

Question 2

What is access control also known as?

Answer 2

Identity and access management (IAM)

Question 3

What is a subject?

Answer 3

any active entity that requests access to a resource (an object)

Question 4

Examples of subjects (2)

Answer 4

1. Users
2. Processes

Question 5

What is an object?

Answer 5

a resource, a passive entity that is or contains the information that is needed by a subject

Question 6

Examples of resources (3)

Answer 6

1. files
2. I/O
3. database entries

Question 7

What is access control used for?

Answer 7

granting, preventing, or revoking access to an object

Question 8

What are the four stages of the access control process?

Answer 8

1. Identification
2. Authentication
3. Authorisiation
4. Accounting

Question 9

What are the three authentication methods?

Answer 9

1. knowlegde
2. ownership
3. characteristic

Question 10

What is a type 1 error (false rejection)?

Answer 10

when a known legitimate authorised user is rejected as unknown/unauthorised user

Question 11

What is a type 2 error (false acceptance)?

Answer 11

when an unknown/unauthorised user is authenticated as a known/authorised user

Question 12

What is multi-factor authentication?

Answer 12

requiring multiple independent evidences to establish identity

Question 13

What are the three requirements for authentication?

Answer 13

1. Implicit deny
2. Neet to know
3. Separation of duties

Question 14

What is implicit deny?

Answer 14

if no rule is specified for the transaction of the subject/object, the authorization policy should deny the transaction (conforming with the more general “default-safe” principle)

Question 15

What is meant by “need to know”?

Answer 15

a subject should be granted access to an object only if the access is needed to carry out the job of the subject (conforming with the more general “least-privilege” principle)

Question 16

What is “separation of duties”?

Answer 16

a single individual should not
perform all the critical- or privileged-level duties.
Important duties must be separated/divided among
several individual

Question 17

Access control models (4)

Answer 17

1. Mandatory Access Control: MAC
2. Discretionary Access Control: DAC
3. Role-Based Access Control: RBAC
4. Attribute-Based Access Control: ABAC

Question 18

Alternative name for mandatory access control (MAC)?

Answer 18

Rule-based access control

Question 19

Alternative name for discretionary access control (DAC)?

Answer 19

Identity-based access control

Question 20

What is an access control policy?

Answer 20

a specification for an access decision function

Question 21

Examples of access control policies (2)

Answer 21

Bell-LaPadula & Biba

Question 22

What does the Bell-LaPadula access control policy model guarantee?

Answer 22

Confidentiality

Question 23

What does the Biba access control policy model guarantee?

Answer 23

Data integrity

Question 24

How is access control often expressed?

Answer 24

Using an access control matrix?

Question 25

In what two ways are access control matrices implemented?

Answer 25

Access control lists & capability lists

Question 26

Why are access control matrices not the most efficient?

Question 27

Advantages of access controls lists over capability lists (3)

Answer 27

1. Easier for human interpretation
2. Easy to remove rights on a particular resource (only need to modify one list)
3. particularly suitable when new resources may be added/removed but the users are pretty stable
4. scale up well and work in distributed settings

Question 28

Advantages of capability lists over access controls lists (2)

Answer 28

1.

Question 29

What is Address Space Layout Randomisation (ASLR)?

Answer 29

randomizing the addresses of functions and data, specifically, the positions of the initial stack, the heap, and the libraries, between every run of the program

Question 30

What is the benefit of Address Space Layout Randomisation?

Answer 30

it becomes much harder for the attacker to exploit the system through memory corruption vulnerabilities, as it will be more difficult to predict addresses of interest for the attacker (e.g. where certain secrets are loaded, where certain libraries/shellcodes will be loaded to.)

Question 31

What is the purpose of an operating system?

Answer 31

To provide an interface between the computer users and the computer’s hardware