Chapter 3 Security Engineering Flashcards
ISO/IEC/IEEE 42010
systems and software engineering – architecture description (outlines specifications for system architecture frameworks and architecture languages)
What is an architecture view?
Architecture views expresses architects decision regarding each stakeholders concerns
Each view confirms to a particular viewpoint (eg Logical, physical, structural)
Baking in vs Bolting on security
Baking in : At architecture phase
Bolting on: At development phase
What do general registers hold
variables and temporary data
What do special registers hold
program counter
stack pointer
program status word
What does program counter register hold?
memory address of next instruction to be fetched
what is the significance of program status word
PSW holds different bits, one of the bits indicates if CPU should be in user mode or privileged mode
What are the 6 different types of RAM
- Static
- Dynamic
- Synchronous
- EDO DRAM
- Burst EDO DRAM
- Double data rate DRAM
What are the characteristics of Static RAM
- Fast
- takes lot of space
- more costly
- uses transistors
What are the characteristics of Dynamic RAM
- slow
- less space
- less costly
- uses capacitors
What are the characteristics of Synchronous RAM
Synchronises clock of RAM with that of CPU for faster access
What are the characteristics of EDO DRAM
Has a look ahead feature to access data while first one is being sent to CPU
In Burst EDO DRAM, data can be sent in bursts of 4 blocks
What are the characteristics of Double Data Rate DRAM
Reads on both clock pulses, effectively doubling speed
What are the two common memory protection techniques
Address Space Layout Randomisation (ASLR)
Data Execution Prevention (DEP)
What is multi-tasking
multiple programs loaded in memory at same time
AND
multiple programs executed simultaneously by CPU
What is difference between multi-tasking and multi-programming
To be checked
Asymmetric multi-processisng
Multiple CPUs can be used for processing at same time
Specific applications dedicated to one CPU
Good for time sensitive applications
What is Thrashing
when a computer spends more time moving data from one small portion of memory to other rather than processing the data
What are the different types of memory addresses
Physical memory addresses used by CPU: Absolute addresses
Addresses used by software : Logical
Known address with offset : Relative addresses
Co-operative vs pre-emptive multi-tasking
processes voluntarily release resources vs forcefully (CPU decides amount of time)
What is process spawning
creating new child processes is referred to as spawning processes
eg in linux/unix - command interpreter is a process itself and within it when commnads are executed like grep etc, they spawn new processes with characteristics similar to the parent process but with its own memory space
In what states can a process be in?
- Blocked state – waiting for inputs
- Ready state – waiting to send instructions to CPU
- Running state – being executed by CPU
What are the responsibilities of Operating System
- Creating new processes
- Assigning them resources
- Synchronizing communication
- Making sure nothing insecure is taking place
What does the OS Process table contain
- One entry per process in the table
- State of the process
- Stack pointer
- Memory allocation
- Program counter
- Status of open files
How does CPU switch between processes
CPU requires all of the information in process table loaded into registers for process execution. When process 1’s time is up and process 2 is to be executed, the process 1 information is moved back to the process table and maintained there till required again for process 1 to execute.
Break between two processes happens using interrupt
what are the types of interrupts
Software Interrupts
Hardware Interrupts (used by devices)
How do interrupts work
The s/w or h/w raises interrupts to the cpu.
The cpu then acknowledges or entertains the interrupt as per its decision
If one process needs to interrupt another process, OS decices on the priority to determine if the interruption should be allowed
Maskable vs non-maskable interrupt
maskable interrupt can be ignored
What are the functions of Memory stacks
- Each process has its own stack
- It is in LIFO mode
- Stack pointer is used to indicate to CPU where it is within the stack
- Last instrcutuion in stack is the return pointer where the results or control are transferred
What is a thread
A thread is made up of the individual instruction set and the data that must be worked on by the CPU
Who creates a thread
A thread is created by a process
Each thread shares same resources of the process that created it eg memory space, file access
What is multi-threading
Application running multiple tasks via threads at the same time
Give an example of how process can become malicious
An attacker can inject malicious instructions in a process. Since process is already verified by OS and running, such injections can end up executing the attackers code. To prevent this, processes should only accept instructions from a approved entity and that the instructions are validated before execution
What is a software deadlock
process A commits resource 1 and needs resource 2 to do the job while process B has committed resource 2 and needs resource 1 to do the job
Why is process isolation required
To ensure different processes do not step on one another
What are the 4 ways process isolation can be achieved
- Object encapsulation
- Time multiplexing of resources
- Virtual memory mapping
- Naming distinctions
What are the goals of memory management
- Provide an abstraction layer for programmers
- Maximise performance using limited memory pool
- Protect OS and Apps in memory
What are the memory manager roles
- Physical Organisation
- Logical Organisation (Abstraction)
- Protection (limit as per privilege)
- Sharing
- Relocation (swap different types)
How are base and limit registers used
CPU assigns base and limit memory address to process
CPU compares the base and limit address in the thread that is sent to it for execution
How is data held in RAM
Encyrpted data is generally unencrypted while it resides in RAM. However if the RAM uses HDD as virtual memory, this unencrypted data or the keys can become available in the HDD To attackers in unencrypted form
What are the ways CPU and Memory interacts with IO devices
- Programmable IO (CPU sends information and waits for IO, wastes time)
- Interrupt driven IO ( CPU moves on to other tasks till IO is ready. Overheads of managing multiple interrupts)
- Direct Memory Access/ DMA – IO is fed by the DMA controller. This is also known as unmapped IO
- Pre-mapped IO – CPU trusts IO device and lets it access physical memory directly
- Pre-mapped IO – CPU trusts IO device and lets it access physical memory directly
What do protection mechanisms of the OS ensure
- processes do not negatively affect each other or critical components of the system itself
1. Memory Protection
2. Ringed architecture
What is a process domain
A collection of resourcese available to the process such as
- memory segments,
- files,
- system services,
- peripheral devices etc
What are the different types of OS Architectures?
- Monolithic
- Layered OS
- Microkernel
- Hybrid Microkernel
5.
What are the featuers of monolithic architecture
all OS processes work in kernel mode.
Applications avail services through system calls.
Too many components interact directly with hardware which increases complexity
Explain Layered OS architecture
separates system functionality into hierarchical layers (however a lot of code still ran in kernel mode)
Explain Microkernel architecture
Only certain areas such as memory management and interprocoess communication run in kernel mode. Other OS compoentns such as protocols, device drivers etc run in User mode. However this too affected performance since mode transitions (ie from user mode to kernel mode) had to be done
How does a hybrid microkernel work
- All OS processes run in kernel mode
- Core processes run within a microkernetl
- Others run in a client server model
(Windows uses hyrid microkernel)
What is a trusted computing base
a collection of hardware, software and firmware that provides and enforces security
Some of them are directly responsible for security e.g memory manager, others need to behave eg. Not attempting direct access to hardware etc
in a way , the OS kernel is the TCB
Basically any part of a system that can be used to compromise the system or put it in an unstable condition is considered part of the TCB
What is a trusted path?
a communication channel between user/application and TCB
What is the role of OS in relation to TCB
TCB Executes in its own execution domain
OS ensures that TCB and nonTCB processes interact in a secure manner
What is the security perimeter in relation to TCB
It is the imaginary boundary between the trusted and non trusted
Communication across perimeter is controlled by interfaces ie APIs
What is a reference monitor
A mechanism that ensures subject’s (program/user/processes) access to objects (file/program/resource) within the OS are as per necessary permission
What does a reference monitor implement
- Mediates all access between subjects and objects
- Ensures subjects have necessary access rights
- Protect objects from unauthorise access and destructive modification
- Defines the design requirement that a reference validation mechanism must meet
- Access control decisions made in a central concerted manner
Define key features of security kernel
- It is the core of the TCB
- Mediates all access and functions between subjects and objects
- Implements and enforces the reference monitor concept
What are the three main requirements that a security kernel should fullfill
- o Process carrying out reference monitor should be isolated and tamperproff
- o Must be invoked for every access attempt
- o Must be small enough to be tested and verified in a complete comprehensive manner
Distinguish between Reference monitor, Security Kernel, and Trusted computing base
Reference Monitor
Security Kernel
Trusted Computing Base
Abstract model of controlling access of subject to object
Implementation of reference monitor through hardware , software and firmware
Sumtotal of all components in a system that enforce a security policy (includes security kernel)
What is a security model
- Maps the abstract goals of the security policy to information system terms
- Specifies explicit data structures and techniques necessary to enforce security policy
- Usually represented as mathematical and analytical ideas
a security policy provides certain goals and the security model provides the necessary mathematical formulas, relationships and logic structure to be followed to accomplish this goal
-Key points of Bell Lapadula
Uses Security Levels
- Simple security rule (No read up )
- * Property (no write down)
- Strong star property (read/write only on same level)
Key points of Biba model
Uses Integrity levels
- *-integrity axiom (no write up)
- Simple integrity axiom (no read down)
- Invocation property (lower integrity subject cannot invoke higher integrity subject)
What does “Simple”and * mean in security models
(If the word simple is used, it is about reading. If the word * is used it is about writing)
What is the Clark-wilson model
it is an integrity model
users data access only through program
separation of duties is enforced
what are the 4 elements used in clark wilson
- Transformation procedure (TP)
- Constrained Data items (CDI)
- Unconstrained data items (UDI)
- Integrity verification procedures (IVP)
How does Clark-wilson model work
- Users cannot directly access CDI
- TP will carry out operations on behalf of user (user cannot modify without using TP)
- “Access triple” of subject (user)/ program (TP) / Object (CDI)
- UDI does not require high level of protection and can be manipulated directly by user
- IVP ensures data manipulation follows defined integrity rules
What is non-interference model
- concerned with what a subject knows or can come to know about the state of the system
- Higher level process should not be able to affect a change to a lower level process
What is the real intent of noninterference model
to address covert channel communications
what is the Brewer and Nash model (Chinese wall)
ubject can read / write to object if and only if subject cannot read another object that is in a different data set
Protects from conflict of interest
What are the eight primitive protection rules from Graham Denning model
How to securely create & delete a subject and object (4)
How to securely provide read / grant / Delete/ Transfer access right (4)
What is the Harrison-Ruzzo-Ullman model
Maintains the integrity of the access rights
(in situations where command X requires execution of A,B,C,D processes in order to succeed, it is essential to ensure that X has the right levels of access rights for all 4)
What is ISO/IEC 15408
It is “common criteria”for systems evaluation.
A framework in which
- Users specify security requirements from a product
- Vendor makes claim of how product meets the requirement
- Independent labs test the product
What are the two questions that common criteria help to answer?
- What does the product’s security mechanism do (functionality)
- How sure are you of that (assurance)
What are the 7 evaluation assurance levels (EAL) of common criteria
EAL 1 – Functionally tested
EAL 2- Structurally tested
EAL 3 –Methodically tested and check
EAL 4 – Methodically designed, tested and reviewed
EAL 5 – Semiformally designed and tested
EAL 6 – semiformally verified design and tested
EAL 7 – formally verified design and tested
What is the meaning of formal verification in common criteria
Formal verification means it is based on a system that can be mathematically proven
What are the protection profiles used by common criteria in its evaluation process
Provides a means to identify specific security needs
Provides goals and security mechanisms to achieve the security level
Generally contains three sections
- Security problem description (problem statement)
- Security problem objectives (functionality required in order to address problem statemet)
- Security requirements (specific requirements that can be used by developers and evaluators alike)
what is the relevance of protection profiles in common criteira
protection profiles describe the functionality, assurance, description and rationale of product requirements
Is it enough to have certification on a specific assurance level?
Having a specific assurance level means the product has the potential to provide required security. It needs to be properly configured by customer by using vendor documentation and maintained throughout its life-cycle to obtain the rated level of security
What are the Different components of common criteria
Protection profile – Defines problem statement ie description of a needed security solution
Target of evaluation (TOE) – proposed product
Security Target – vendor statement of “This is what our product does and how it does it”
Security functional requirements – Individual security functions details
Security assurance requirements – measures to ensure compliance with functionality
Packages –EAL – describes what must be met to achieve specific EAL ratings (functional and assurance requirements bundled for reuse)
What are the different levels of parallel computing
Bit level paraleelism (most CPUs use this today. Hence 64 bit is faster than 32 bit architectures)
Instruction level parallelism ( works on multi-core CPU concept)
Task level parallelism ( each task/thread runs in parallel)
Data parallelism – distribution of data on big data platforms
What are some of the security issues related to database?
Aggregation ( using a subset of information to derive the whole story)
Inference (using individual pieces to infer data e.g a clerk accessing food movements to track troop movement)
How can inference based attacks be prevented
- Content dependent checks (security levels)
- Context dependent checks (sequence of access, abnormal pattern of access etc)
- Cell Suppression (hide specific cells that contain information)
- Partitioning
- Noise and perturbation (adding dummy or nonsense data)
What are the three different type of Industrial Control Systems
- Programmable Logic Controllers (PLC) – these were used to control individual conveyor belts or other manufacturing machinery
- Distributed control systems (DCS) – PLC is localized to a machine, but DCS can be used for supervised, coordinated control across machines
- Supervisory control and data acquisition (SCADA) – across longer distances, eg DCS could be used for a single power plant while SCADA used across a power distribution network
Few common threats
What are maintenance hooks
use of backdoors by deverlopers to gain access to code for troubleshooting or updates. Can be misused by attackers if found out
What is TOC/TOU attack
time of check and time of use. Attacker jumps in between two tasks and modifies something to control the result
What is a race condition
an attack in which attacker makes processes execute out of seqeuence to control the result ( e.g performing authorization before authentication)
