CHAPTER 4: Security Architecture and Design Flashcards

1
Q

Bullets: Stack

A

Memory segment used by processes to communicate instructions and data to each other.

2
Q

Bullets: Packages—EALs

A

Functional and assurance requirements are bundled into packages for reuse. This component describes what must be met to achieve specific EAL ratings.

3
Q

Bullets: The *-property rule

A

A subject cannot write to an object at a lower security level (no write down).

4
Q

Bullets: Rationale

A

Justifies the profile and gives a more detailed description of the real-world problem to be solved. The environment, usage assumptions, and threats are illustrated along with guidance on the security policies that can be supported by products and systems that conform to this profile.

5
Q

Bullets: Noninterference model

A

This formal multilevel security model states that commands and activities performed at one security level should not be seen by, or affect, subjects or objects at a different security level.

6
Q

Bullets: Unconstrained data items (UDIs)

A

Can be manipulated by users via primitive read and write operations.

7
Q

Bullets: Transformation procedures (TPs)

A

Programmed abstract operations, such as read, write, and modify.

8
Q

Emphasis: Isn’t the Orange Book Dead?

A

We have moved from the Orange Book to the Common Criteria in the industry, so a common question is, “Why do I have to study this Orange Book stuff?” The Orange Book was the first evaluation criteria and was used for 20 years. Many of the basic terms and concepts that have carried through originated in the Orange Book. And we still have several products with these ratings that eventually will go through the Common Criteria evaluation process.

9
Q

Explanations: Clark-Wilson Model

A

The Clark-Wilson model was developed after Biba and takes some different approaches to protecting the integrity of information. This model uses the following elements:

10
Q

Emphasis: Bell-LaPadula vs. Biba

A

The Bell-LaPadula model is used to provide confidentiality. The Biba model is used to provide integrity. The Bell-LaPadula and Biba models are information flow models because they are most concerned about data flowing from one level to another. Bell-LaPadula uses security levels, and Biba uses integrity levels. It is important for CISSP test takers to know the rules of Biba and Bell-LaPadula. Their rules sound similar: simple and * rules, one writing one way and one reading another way. A tip for how to remember them is that if the word “simple” is used, the rule is talking about reading. If the rule uses * or “star,” it is talking about writing. So now you just need to remember the reading and writing directions per model.

11
Q

Bullets: Monolithic

A

All operating system processes run in kernel mode.

12
Q

Explanation Bullets: The following list shows the different types of functionalities and assurance items tested during an evaluation:

A
  • Security functional requirements
    • Identification and authentication
    • Audit
    • Resource utilization
    • Trusted paths/channels
    • User data protection
    • Security management
    • Product access
    • Communications
    • Privacy
    • Protection of the product’s security functions
    • Cryptographic support
  • Security assurance requirements
    • Guidance documents and manuals
    • Configuration management
    • Vulnerability assessment
    • Delivery and operation
    • Life-cycle support
    • Assurance maintenance
    • Development
    • Testing
13
Q

Explanations: Programmable I/O

A

If an operating system is using programmable I/O, this means the CPU sends data to an I/O device and polls the device to see if it is ready to accept more data. If the device is not ready to accept more data, the CPU wastes time by waiting for the device to become ready. For example, the CPU would send a byte of data (a character) to the printer and then ask the printer if it is ready for another byte. The CPU sends the text to be printed one byte at a time. This is a very slow way of working and wastes precious CPU time. So the smart people figured out a better way: interrupt-driven I/O.

14
Q

Emphasis: Programmable read-only memory (PROM)

A

Programmable read-only memory (PROM) is a form of ROM that can be modified after it has been manufactured. PROM can be programmed only one time because the voltage that is used to write bits into the memory cells actually burns out the fuses that connect the individual memory cells. The instructions are “burned into” PROM using a specialized PROM programmer device.

15
Q

Bullets: Stakeholder

A

Individual, team, or organization (or classes thereof) with interests in, or concerns relative to, a system.

16
Q

Explanations: Compartmented Security Mode

A

Our system has various classifications of data, and each individual has the clearance to access all of the data, but not necessarily the need to know.

17
Q

Emphasis: Memory Protection Techniques

A

Since your whole operating system and all your applications are loaded and run in memory, this is where the attackers can really do their damage. Vendors of different operating systems (Windows, Unix, Linux, Macintosh, etc.) have implemented various types of protection methods integrated into their memory manager processes. For example, Windows Vista was the first version of Windows to implement address space layout randomization (ASLR), which was first implemented in OpenBSD.

18
Q

Explanation Bullets: The goals of memory management are to

A
  • Provide an abstraction level for programmers
  • Maximize performance with the limited amount of memory available
  • Protect the operating system and applications loaded into memory
19
Q

Bullets: Symmetric mode multiprocessing

A

When a computer has two or more CPUs and each CPU is being used in a load-balancing method.

20
Q

Explanations: Random Access Memory

A

Random access memory (RAM) is a type of temporary storage facility where data and program instructions can temporarily be held and altered. It is used for read/write activities by the operating system and applications. It is described as volatile because if the computer’s power supply is terminated, then all information within this type of memory is lost.

21
Q

Bullets: Labels

A

Access control labels must be associated properly with objects.

22
Q

Emphasis: ISO/IEC 15408-2

A

ISO/IEC 15408-2 defines the security functional requirements that will be assessed during the evaluation. It contains a catalog of predefined security functional components that maps to most security needs. These requirements are organized in a hierarchical structure of classes, families, and components. It also provides guidance on the specification of customized security requirements if no predefined security functional component exists.

23
Q

Emphasis: integrity

A

The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Bell-LaPadula model uses a lattice of security levels (top secret, secret, sensitive, and so on). These security levels were developed mainly to ensure that sensitive data were only available to authorized individuals. The Biba model is not concerned with security levels and confidentiality, so it does not base access decisions upon this type of lattice. Instead, the Biba model uses a lattice of integrity levels.

24
Q

Bullets: Trusted computing base

A

A collection of all the hardware, software, and firmware components within a system that provide security and enforce the system’s security policy.

25
Q

Emphasis: CPU Operation Modes

A

As stated earlier, the CPU provides the ring structure architecture and the operating system assigns its processes to the different rings. When a process is placed in ring 0, its activities are carried out in kernel mode, which means it can access the most critical resources in a nonrestrictive manner. The process is assigned a status level by the operating system (stored as PSW) and when it needs to interact with the CPU, the CPU checks its status to know what it can and cannot allow the process to do. If the process has the status of user mode, the CPU will limit the process’s access to system resources and restrict the functions it can carry out on these resources.

26
Q

Emphasis: Harrison-Ruzzo-Ullman (HRU)

A

The Harrison-Ruzzo-Ullman (HRU) model deals with access rights of subjects and the integrity of those rights. A subject can carry out only a finite set of operations on an object. Since security loves simplicity, it is easier for a system to allow or disallow authorization of operations if one command is restricted to a single operation. For example, if a subject sent command X, which only required the operation of Y, this is pretty straightforward and allows the system to allow or disallow this operation to take place. But, if a subject sent a command M and to fulfill that command, operations N, B, W, and P had to be carried out, then there is much more complexity for the system to decide if this command should be authorized. Also the integrity of the access rights needs to be ensured, so in this example if one operation cannot be processed properly, the whole command fails. So while it is easy to dictate that subject A can only read object B, it is not always so easy to ensure each and every function supports this high-level statement. The HRU model is used by software designers to ensure that no unforeseen vulnerability is introduced and the stated access control goals are achieved.

27
Q

Bullets: Arithmetic logic unit (ALU)

A

Component of the CPU that carries out logic and mathematical functions as they are laid out in the programming code being processed by the CPU.

28
Q

Explanations: Trust and Assurance

A

I trust that you will act properly; thus, I have a high level of assurance in you. Response: You are such a fool.

29
Q

Explanations: Security Modes of Operation

A

A multilevel security system can operate in different modes depending on the sensitivity of the data being processed, the clearance level of the users, and what those users are authorized to do. The mode of operation describes the security conditions under which the system actually functions.

30
Q

Emphasis: multilevel security mode

A

A system is operating in multilevel security mode when it permits two or more classification levels of information to be processed at the same time when not all of the users have the clearance or formal approval to access all the information being processed by the system. So all users must have formal approval, NDA, need-to-know, and the necessary clearance to access the data that they need to carry out their jobs. In this mode, the user cannot access all of the data on the system, only what she is cleared to access.

31
Q

Emphasis: separation of duties

A

A well-formed transaction is a series of operations that are carried out to transfer the data from one consistent state to the other. If Kathy transfers money from her checking account to her savings account, this transaction is made up of two operations: subtract money from one account and add it to a different account. By making sure the new values in her checking and savings accounts are accurate and their integrity is intact, the IVP maintains internal and external consistency. The Clark-Wilson model also outlines how to incorporate separation of duties into the architecture of an application. If we follow our same example of banking software, if a customer needs to withdraw over $10,000, the application may require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model provides the rules that the developers must follow to properly implement and enforce separation of duties through software procedures.

32
Q

Bullets: Preemptive multitasking

A

Multitasking scheduling scheme used by operating systems to allow for computer resource time slicing. Used in newer, more stable operating systems.

33
Q

Bullets: Identification

A

Individual subjects must be uniquely identified.

34
Q

Bullets: Interrupt

A

Software or hardware signal that indicates that system resources (i.e., CPU) are needed for instruction processing.

35
Q

Emphasis: Computer security

A

Computer security can be a slippery term because it means different things to different people. Many aspects of a system can be secured, and security can happen at various levels and to varying degrees. As stated in previous chapters, information security consists of the following main attributes:

36
Q

Bullets: Brewer and Nash model

A

This model allows for dynamically changing access controls that protect against conflicts of interest. Also known as the Chinese Wall model.

37
Q

Emphasis: Division A: Verified Protection

A

Formal methods are used to ensure that all subjects and objects are controlled with the necessary discretionary and mandatory access controls. The design, development, implementation, and documentation are looked at in a formal and detailed way. The security mechanisms between B3 and A1 are not very different, but the way the system was designed and developed is evaluated in a much more structured and stringent procedure.

38
Q

Bullets: Traffic flow confidentiality

A

Ensures that unauthorized entities are not aware of routing information or frequency of communication via traffic analysis. Mechanisms include padding messages, sending noise, or sending false messages.

39
Q

Bullets: Evaluation assurance requirements

A

Establishes the type and intensity of the evaluation.

40
Q

Emphasis: Abstraction

A

Abstraction means that the details of something are hidden. Developers of applications do not know the amount or type of memory that will be available in each and every system their code will be loaded on. If a developer had to be concerned with this type of detail, then her application would be able to work only on the one system that maps to all of her specifications. To allow for portability, the memory manager hides all of the memory issues and just provides the application with a memory segment. The application is able to run without having to know all the hairy details of the operating system and hardware it is running on.

41
Q

Bullets: Authentication

A

Protects against masquerading and playback attacks. Mechanisms include digital signatures, encryption, timestamp, and passwords.

42
Q

Bullets: Security functional requirements

A

Individual security functions which must be provided by a product.

43
Q

Emphasis: Read-Only Memory

A

Read-only memory (ROM) is a nonvolatile memory type, meaning that when a computer’s power is turned off, the data are still held within the memory chips. When data are written into ROM memory chips, the data cannot be altered. Individual ROM chips are manufactured with the stored program or routines designed into them. The software that is stored within ROM is called firmware.

44
Q

Bullets: Clark-Wilson model

A

This integrity model is implemented to protect the integrity of data and to ensure that properly formatted transactions take place. It addresses all three goals of integrity:

45
Q

Bullets: Virtual memory

A

Combination of main memory (RAM) and secondary memory within an operating system.

46
Q

Explanations: Lattice Model

A

A lattice is a mathematical construct that is built upon the notion of a group. The most common definition of the lattice model is “a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set.”

47
Q

Bullets: ISO/IEC 42010:2007

A

International standard that provides guidelines on how to create and maintain system architectures.

48
Q

Explanation Bullets: Goals of Integrity Models. The following are the three main goals of integrity models:

A
  • Prevent unauthorized users from making modifications
  • Prevent authorized users from making improper modifications (separation of duties)
  • Maintain internal and external consistency (well-formed transaction)
49
Q

Emphasis: Operating System Architectures

A

We started this chapter by looking at system architecture approaches. Remember that a system is made up of all the necessary pieces for computation: hardware, firmware, and software components. The chapter moved into the architecture of a CPU, which just looked at the processor. Now we will look at operating system architectures, which deal specifically with the software components of a system.

50
Q

Bullets: Cache memory

A

Fast and expensive memory type that is used by a CPU to increase read and write operations.

51
Q

Emphasis: Why Put a Product Through Evaluation?

A

Submitting a product to be evaluated against the Orange Book, Information Technology Security Evaluation Criteria, or Common Criteria is no walk in the park for a vendor. In fact, it is a really painful and long process, and no one wakes up in the morning thinking, “Yippee! I have to complete all of the paperwork that the National Computer Security Center requires so my product can be evaluated!” So, before we go through these different criteria, let’s look at why anyone would even put themselves through this process.

53
Q

Emphasis: strong star property rule

A

The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the “no read up” rule, and the *-property rule is referred to as the “no write down” rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classification must be equal.

54
Q

Emphasis: Security Kernel

A

The security kernel is made up of hardware, software, and firmware components that fall within the TCB, and it implements and enforces the reference monitor concept. The security kernel mediates all access and functions between subjects and objects. The security kernel is the core of the TCB and is the most commonly used approach to building trusted computing systems. The security kernel has three main requirements:

55
Q

Bullets: Time-of-check/time-of-use (TOC/TOU) attack

A

Attacker manipulates the “condition check” step and the “use” step within software to allow for unauthorized activity.

56
Q

Emphasis: buffer overflow

A

A buffer overflow takes place when too much data are accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up by commands the attacker wants executed. So, the purpose of a buffer overflow may be either to make a mess, by shoving arbitrary data into various memory segments, or to accomplish a specific task, by pushing into the memory segment a carefully crafted set of data that will accomplish a specific task. This task could be to open a command shell with administrative privilege or execute malicious code.

57
Q

Emphasis: Other Types of Covert Channels

A

Although we are looking at covert channels within programming code, covert channels can be used in the outside world as well. Let’s say you are going to attend one of my lectures. Before the lecture begins, you and I agree on a way of communicating that no one else in the audience will understand. I tell you that if I twiddle a pen between my fingers in my right hand, that means there will be a quiz at the end of class. If I twiddle a pen between my fingers in my left hand, there will be no quiz. It is a covert channel, because this is not a normal way of communicating and it is secretive. (In this scenario, I would twiddle the pen in both hands to confuse you and make you stay after class to take the quiz all by yourself. Shame on you for wanting to be forewarned about a quiz!)

58
Q

Bullets: *-integrity axiom

A

A subject cannot write data to an object at a higher integrity level (referred to as “no write up”).

59
Q

Emphasis: Certification vs. Accreditation

A

We have gone through the different types of evaluation criteria that a system can be appraised against to receive a specific rating. This is a very formalized process, following which the evaluated system or product will be placed on an EPL indicating what rating it achieved. Consumers can check this listing and compare the different products and systems to see how they rank against each other in the property of protection. However, once a consumer buys this product and sets it up in their environment, security is not guaranteed. Security is made up of system administration, physical security, installation, configuration mechanisms within the environment, and continuous monitoring. To fairly say a system is secure, all of these items must be taken into account. The rating is just one piece in the puzzle of security.

60
Q

Explanations: Security Models

A

An important concept in the design and analysis of secure systems is the security model, because it incorporates the security policy that should be enforced in the system. A model is a symbolic representation of a policy. It maps the desires of the policymakers into a set of rules that a computer system must follow.

61
Q

Explanations: A Few Threats to Review

A

Now that we have talked about how everything is supposed to work, let’s take a quick look at some of the things that can go wrong when designing a system.

62
Q

Explanations: Time-of-Check/Time-of-Use Attacks

A

Specific attacks can take advantage of the way a system processes requests and performs tasks. A time-of-check/time-of-use (TOC/TOU) attack deals with the sequence of steps a system uses to complete a task. This type of attack takes advantage of the dependency on the timing of events that take place in a multitasking operating system.

63
Q

Bullets: Central processing unit (CPU)

A

A silicon component made up of integrated chips with millions of transistors that carry out the execution of instructions within a computer.

64
Q

Bullets: The simple integrity axiom

A

A subject cannot read data at a lower integrity level (no read down).

65
Q

Emphasis: Reference Monitor

A

Up to this point we have a CPU that provides a ringed structure and an operating system that places its components in the different rings based upon the trust level of each component. We have a defined security policy, which outlines the level of security we want our system to provide. We have chosen the mechanisms that will enforce the security policy (TCB) and implemented security perimeters (interfaces) to make sure these mechanisms communicate securely. Now we need to develop and implement a mechanism that ensures that the subjects that access objects within the operating system have been given the necessary permissions to do so. This means we need to develop and implement a reference monitor.

66
Q

Bullets: Extended data out DRAM (EDO DRAM)

A

This is faster than DRAM because DRAM can access only one block of data at a time, whereas EDO DRAM can capture the next block of data while the first block is being sent to the CPU for processing. It has a type of “look ahead” feature that speeds up memory access.

67
Q

Bullets: Burst EDO DRAM (BEDO DRAM)

A

Works like (and builds upon) EDO DRAM in that it can transmit data to the CPU as it carries out a read operation, but it can send more data at once (burst). It reads and sends up to four memory addresses in a small number of clock cycles.

68
Q

Emphasis: ISO/IEC 15408-3

A

ISO/IEC 15408-3 defines the assurance requirements, which are also organized in a hierarchy of classes, families, and components. This part outlines the evaluation assurance levels, which is a scale for measuring assurance of TOEs, and it provides the criteria for evaluation of protection profiles and security targets.

69
Q

Bullets: Hypervisor

A

Central program used to manage virtual machines (guests) within a simulated environment (host).

70
Q

Bullets: *-property rule

A

A subject cannot write to an object at a lower security level (the “no write down” rule).

71
Q

Bullets: Harrison-Ruzzo-Ullman model

A

This model shows how a finite set of procedures can be available to edit the access rights of a subject.

72
Q

Bullets: Bell-LaPadula model

A

This is the first mathematical model of a multilevel security policy that defines the concept of a secure state and necessary modes of access. It ensures that information only flows in a manner that does not violate the system policy and is confidentiality focused.

73
Q

Explanations: Memory Mapping

A

Okay, here is your memory, here is my memory, and here is Bob’s memory. No one use each other’s memory!

74
Q

Explanations: The Central Processing Unit

A

Response: Black magic. It uses eye of bat, tongue of goat, and some transistors.

75
Q

Emphasis: microarchitecture

A

The microarchitecture contains the things that make up the physical CPU (registers, logic gates, ALU, cache, etc.). The CPU knows mechanically how to use all of these parts; it just needs to know what the operating system wants it to do. A chef knows how to use all of his pots, pans, spices, and ingredients, but he needs an order from the menu so he knows how to use all of these properly to achieve the requested outcome. Similarly, the CPU has a “menu” of operations the operating system can “order” from, which is the instruction set. The operating system puts in its order (render graphics on screen, print to printer, encrypt data, etc.), and the CPU carries out the request and provides the result.

76
Q

Explanation Bullets: Logical organization

A
  • Segment all memory types and provide an addressing scheme for each at an abstraction level
  • Allow for the sharing of specific software modules, such as dynamic link library (DLL) procedures
77
Q

Explanations: Premapped I/O

A

Premapped I/O and fully mapped I/O (described next) do not pertain to performance, as do the earlier methods, but provide two approaches that can directly affect security. In a premapped I/O system, the CPU sends the physical memory address of the requesting process to the I/O device, and the I/O device is trusted enough to interact with the contents of memory directly, so the CPU does not control the interactions between the I/O device and memory. The operating system trusts the device to behave properly. Scary.

78
Q

Bullets: Trusted Computer System Evaluation Criteria (TCSEC)

A

(aka Orange Book) U.S. DoD standard used to assess the effectiveness of the security controls built into a system. Replaced by the Common Criteria.

79
Q

Bullets: Mode transition

A

When the CPU has to change from processing code in user mode to kernel mode. This is a protection measure, but it causes a performance hit.

80
Q

Emphasis: state transitions

A

In state machine models, to verify the security of a system, the state is used, which means that all current permissions and all current instances of subjects accessing objects must be captured. Maintaining the state of a system deals with each subject’s association with objects. If the subjects can access objects only by means that are consistent with the security policy, the system is secure. A state of a system is a snapshot of a system at one moment of time. Many activities can alter this state, which are referred to as state transitions. The developers of an operating system that will implement the state machine model need to look at all the different state transitions that are possible and assess whether a system that starts up in a secure state can be put into an insecure state by any of these events. If all of the activities that are allowed to happen in the system do not compromise the system and put it into an insecure state, then the system executes a secure state machine model.

81
Q

Emphasis: System Architecture

A

In Chapter 2 we covered enterprise architecture frameworks and introduced their direct relationship to system architecture. As explained in that chapter, an architecture is a tool used to conceptually understand the structure and behavior of a complex entity through different views. An architecture description is a formal description and representation of a system, the components that make it up, the interactions and interdependencies between those components, and the relationship to the environment. An architecture provides different views of the system, based upon the needs of the stakeholders of that system.

82
Q

Bullets: Maskable interrupt

A

Interrupt value assigned to a noncritical operating system activity.

83
Q

Bullets: RAM

A

Memory sticks that are plugged into a computer’s motherboard and work as volatile memory space for an operating system.

84
Q

Bullets: Strong star property rule

A

For a subject to be able to read and write to an object, the subject’s clearance and the object’s classification must be equal.

85
Q

Emphasis: protection profiles

A

The Common Criteria uses protection profiles in its evaluation process. This is a mechanism used to describe a real-world need for a product that is not currently on the market. The protection profile contains the set of security requirements, their meaning and reasoning, and the corresponding EAL rating that the intended product will require. The protection profile describes the environmental assumptions, the objectives, and the functional and assurance level expectations. Each relevant threat is listed along with how it is to be controlled by specific objectives. The protection profile also justifies the assurance level and requirements for the strength of each protection mechanism.

86
Q

Bullets: Interrupts

A

Values assigned to computer components (hardware and software) to allow for efficient computer resource time slicing.

87
Q

Emphasis: open

A

Systems described as open are built upon standards, protocols, and interfaces that have published specifications. This type of architecture provides interoperability between products created by different vendors. This interoperability is provided by all the vendors involved who follow specific standards and provide interfaces that enable each system to easily communicate with other systems and allow add-ons to hook into the system easily.

88
Q

Bullets: Certification

A

Technical evaluation of the security components and their compliance to a predefined security policy for the purpose of accreditation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
89
Q

Bullets: Data hiding

A

Use of segregation in design decisions to protect software components from negatively interacting with each other. Commonly enforced through strict interfaces.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
90
Q

Bullets: Limit registers

A

Ending of address space assigned to a process. Used to ensure a process does not make a request outside its assigned memory boundaries.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
91
Q

Bullets: Closed system

A

Designs are built upon proprietary procedures, which inhibit interoperability capabilities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
92
Q

Bullets: Development assurance requirements

A

Identifies the specific requirements the product or system must meet during the development phases, from design to implementation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
93
Q

Bullets: Garbage collector

A

Tool that marks unused memory segments as usable to ensure that an operating system does not run out of memory.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
94
Q

Bullets: Common Criteria

A

International standard used to assess the effectiveness of the security controls built into a system from functional and assurance perspectives.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
95
Q

Bullets: Architectural description (AD)

A

Collection of document types to convey an architecture in a formal manner.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
96
Q

Bullets: Address space layout randomization (ASLR)

A

Memory protection mechanism used by some operating systems. The addresses used by components of a process are randomized so that it is harder for an attacker to exploit specific memory vulnerabilities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
97
Q

Explanations: Covert Channels

A

I have my decoder ring, cape, and pirate’s hat on. I will communicate to my spy buddies with this tribal drum and a whistle.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
98
Q

Explanations: Relocation

A

• Swap contents from RAM to the hard drive as needed (explained later in the “Virtual Memory” section of this chapter)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
99
Q

Emphasis: Graham-Denning Model

A

Remember that these are all models, so they are not very specific in nature. Each individual vendor must decide how it is going to actually meet the rules outlined in the chosen model. Bell-LaPadula and Biba do not define how the security and integrity levels are defined and modified, nor do they provide a way to delegate or transfer access rights. The Graham-Denning model addresses some of these issues and defines a set of basic rights in terms of commands that a specific subject can execute on an object. This model has eight primitive protection rights, or rules of how these types of functionalities should take place securely, which are outlined next:

100
Q

Emphasis: compartmented security mode

A

A system is operating in compartmented security mode when all users have the clearance to access all the information processed by the system in a system high-security configuration, but might not have the need-to-know and formal access approval. This means that if the system is holding secret and top-secret data, all users must have at least a top-secret clearance to gain access to this system. This is how compartmented and multilevel security modes are different. Both modes require the user to have a valid need-to-know, NDA, and formal approval, but compartmented security mode requires the user to have a clearance that dominates (above or equal to) any and all data on the system, whereas multilevel security mode just requires the user to have clearance to access the data she will be working with.

101
Q

Explanations: Process Activity

A

Process 1, go into your room and play with your toys. Process 2, go into your room and play with your toys. No intermingling and no fighting!

102
Q

Bullets: Register

A

Small, temporary memory storage units integrated and used by the CPU during its processing functions.

103
Q

Bullets: Data bus

A

Physical connections between processing components and memory segments used to transmit data being used during processing procedures.

104
Q

Bullets: Layered operating system architecture

A

Architecture that separates system functionality into hierarchical layers.

105
Q

Explanations: Computer Security

A

Computer security can be a slippery term because it means different things to different people. Many aspects of a system can be secured, and security can happen at various levels and to varying degrees. As stated in previous chapters, information security consists of the following main attributes:

106
Q

Bullets: Graham-Denning model

A

This model shows how subjects and objects should be created and deleted. It also addresses how to assign specific access rights.

107
Q

Bullets: Invocation property

A

A subject cannot request service from (invoke) a subject at a higher integrity level.

108
Q

Bullets: Security policy

A

Strategic tool used to dictate how sensitive information and resources are to be managed and protected.

109
Q

Bullets: Program status word

A

Condition variable that indicates to the CPU what mode (kernel or user) instructions need to be carried out in.

110
Q

Explanation Bullets: Operating systems can carry out software I/O procedures in various ways. We will look at the following methods:

A
  • Programmed I/O
  • Interrupt-driven I/O
  • I/O using DMA
  • Premapped I/O
  • Fully mapped I/O
111
Q

Explanations: Division D: Minimal Protection

A

There is only one class in Division D. It is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions.

112
Q

Emphasis: ISO/IEC 15408-1

A

ISO/IEC 15408-1 lays out the general concepts and principles of the CC evaluation model. This part defines terms, establishes the core concept of the TOE, and describes the evaluation context and the intended audience. It provides the key concepts for PPs, security requirements, and guidelines for the security target.

113
Q

Explanation Bullets: The Orange Book mainly addresses government and military requirements and expectations for their computer systems. Many people within the security field have pointed out several deficiencies in the Orange Book, particularly when it is being applied to systems that are to be used in commercial areas instead of government organizations. The following list summarizes a majority of the troubling issues that security practitioners have expressed about the Orange Book:

A
  • It looks specifically at the operating system and not at other issues like networking, databases, and so on.
  • It focuses mainly on one attribute of security—confidentiality—and not on integrity and availability.
  • It works with government classifications and not the protection classifications commercial industries use.
  • It has a relatively small number of ratings, which means many different aspects of security are not evaluated and rated independently.
114
Q

Emphasis: Naming distinctions

A

Naming distinctions just means that the different processes have their own name or identification value. Processes are usually assigned process identification (PID) values, which the operating system and other processes use to call upon them. If each process is isolated, that means each process has its own unique PID value. This is just another way to enforce process isolation.

115
Q

Emphasis: reference monitor

A

The reference monitor is an abstract machine that mediates all access subjects have to objects, both to ensure that the subjects have the necessary access rights and to protect the objects from unauthorized access and destructive modification. For a system to achieve a higher level of trust, it must require subjects (programs, users, processes) to be fully authorized prior to accessing an object (file, program, resource). A subject must not be allowed to use a requested resource until the subject has proven it has been granted access privileges to use the requested object. The reference monitor is an access control concept, not an actual physical component, which is why it is normally referred to as the “reference monitor concept” or an “abstract machine.”

116
Q

Bullets: Integrity verification procedures (IVPs)

A

Check the consistency of CDIs with external reality

117
Q

Bullets: Layered

A

All operating system processes run in a hierarchical model in kernel mode.

118
Q

Emphasis: Operating System Components

A

An operating system provides an environment for applications and users to work within. Every operating system is a complex beast, made up of various layers and modules of functionality. It has the responsibility of managing the hardware components, memory management, I/O operations, file system, process management, and providing system services. We next look at each of these responsibilities that every operating system type carries out. However, you must realize that whole books are written on just these individual topics, so the discussion here will only scratch the surface.

119
Q

Bullets: Nonmaskable interrupt

A

Interrupt value assigned to a critical operating system activity.

120
Q

Bullets: Biba model

A

A formal state transition model that describes a set of access control rules designed to ensure data integrity.

121
Q

Bullets: Accreditation

A

Formal acceptance of the adequacy of a system’s overall security by management.

122
Q

Explanation Bullets: The channel to transfer this unauthorized data is the result of one of the following conditions:

A
  • Improper oversight in the development of the product
  • Improper implementation of access controls within the software
  • Existence of a shared resource between the two entities that is not properly controlled
123
Q

Emphasis: No More Pencil Whipping

A

Many organizations are taking the accreditation process more seriously than they did in the past. Unfortunately, sometimes when a certification process is completed and the documentation is sent to management for review and approval, management members just blindly sign the necessary documentation without really understanding what they are signing. Accreditation means management is accepting the risk that is associated with allowing this new product to be introduced into the organization’s environment. When large security compromises take place, the buck stops at the individual who signed off on the offending item. So as these management members are being held more accountable for what they sign off on, and as more regulations make executives personally responsible for security, the pencil whipping of accreditation papers is decreasing.

124
Q

Bullets: Security kernel

A

Hardware, software, and firmware components that fall within the TCB and implement and enforce the reference monitor concept.

125
Q

Emphasis: Erasable programmable read-only memory (EPROM)

A

Erasable programmable read-only memory (EPROM) can be erased, modified, and upgraded. EPROM holds data that can be electrically erased or written to. To erase the data on the memory chip, you need your handy-dandy ultraviolet (UV) light device that provides just the right level of energy. The EPROM chip has a quartz window, which is where you point the UV light. Although playing with UV light devices can be fun for the whole family, we have moved on to another type of ROM technology that does not require this type of activity.

126
Q

Bullets: Continuity of operations

A

Ensures that the network is available even if attacked. Mechanisms include fault-tolerant and redundant systems and the capability to reconfigure network parameters in case of an emergency.

127
Q

Explanation Bullets: Sharing

A
  • Use complex controls to ensure integrity and confidentiality when processes need to use the same shared memory segments
  • Allow many users with different levels of access to interact with the same application running in one memory segment
128
Q

Bullets: Process isolation

A

Protection mechanism provided by operating systems that can be implemented as encapsulation, time multiplexing of shared resources, naming distinctions, and virtual memory mapping.

129
Q

Explanations: Computer Architecture

A

Put the processor over there by the plant, the memory by the window, and the secondary storage upstairs.

130
Q

Bullets: Logical addresses

A

Indirect addressing used by processes within an operating system. The memory manager carries out logical-to-absolute address mapping.

131
Q

Bullets: Life-cycle assurance

A

Software, hardware, and firmware must be able to be tested individually to ensure that each enforces the security policy in an effective manner throughout their lifetimes.

132
Q

Explanation Bullets: These modes are used in MAC systems, which hold one or more classifications of data. Several things come into play when determining the mode the operating system should be working in:

A
  • The types of users who will be directly or indirectly connecting to the system
  • The type of data (classification levels, compartments, and categories) processed on the system
  • The clearance levels, need-to-know, and formal access approvals the users will have
133
Q

Emphasis: some

A

A system is operating in system high-security mode when all users have a security clearance to access the information but not necessarily a need-to-know for all the information processed on the system. So, unlike in the dedicated security mode, in which all users have a need-to-know pertaining to all data on the system, in system high-security mode, all users have a need-to-know pertaining to some of the data.

134
Q

Countermeasures: Because maintenance hooks are usually inserted by programmers, they are the ones who usually have to take them out before the programs go into production. Code reviews and unit and quality assurance testing should always be on the lookout for back doors in case the programmer overlooked extracting them. Because maintenance hooks are within the code of an application or system, there is not much a user can do to prevent their presence, but when a vendor finds out a back door exists in its product, it usually develops and releases a patch to reduce this vulnerability. Because most vendors sell their software without including the associated source code, it may be very difficult for companies that have purchased software to identify back doors. The following lists some preventive measures against back doors:

A
  • Use a host intrusion detection system to watch for any attackers using back doors into the system.
  • Use file system encryption to protect sensitive information.
  • Implement auditing to detect any type of back door use.
135
Q

Bullets: Buffer overflow

A

Too much data is put into the buffers that make up a stack. Common attack vector used by hackers to run malicious code on a target system.

136
Q

Bullets: Security perimeter

A

Mechanism used to delineate between the components within and outside of the trusted computing base.

137
Q

Bullets: Simple security rule

A

A subject cannot read data within an object that resides at a higher security level (the “no read up” rule).

138
Q

Bullets: Viewpoint

A

A specification of the conventions for constructing and using a view. A template from which to develop individual views by establishing the purposes and audience for a view and the techniques for its creation and analysis.

139
Q

Bullets: Kernel mode (supervisory state, privilege mode)

A

Mode that a CPU works within when carrying out more trusted process instructions. The process has access to more computer resources when working in kernel versus user mode.

140
Q

Explanations: Division C: Discretionary Protection

A

The C rating category has two individual assurance ratings within it, which are described next. The higher the number of the assurance rating, the greater the protection.

141
Q

Emphasis: watchdog timer

A

The watchdog timer is an example of a critical process that must always do its thing. This process will reset the system with a warm boot if the operating system hangs and cannot recover itself. For example, if there is a memory management problem and the operating system hangs, the watchdog timer will reset the system. This is one mechanism that ensures the software provides more of a stable environment.

142
Q

Emphasis: read

A

As mentioned earlier, the invocation property in the Biba model states that a subject cannot invoke (call upon) a subject at a higher integrity level. Well, how is this different from the other two Biba rules? The *-integrity axiom (no write up) dictates how subjects can modify objects. The simple integrity axiom (no read down) dictates how subjects can read objects. The invocation property dictates how one subject can communicate with and initialize other subjects at run time. An example of a subject invoking another subject is when a process sends a request to a procedure to carry out some type of task. Subjects are only allowed to invoke tools at a lower integrity level. With the invocation property, the system is making sure a dirty subject cannot invoke a clean tool to contaminate a clean object.

143
Q

Bullets: Monolithic operating system architecture

A

All of the code of the operating system working in kernel mode in an ad hoc and nonmodularized manner.

144
Q

Emphasis: Flash memory

A

Flash memory is a special type of memory that is used in digital cameras, BIOS chips, memory cards, and video game consoles. It is a solid-state technology, meaning it does not have moving parts and is used more as a type of hard drive than memory.

145
Q

Bullets: Microarchitecture

A

Specific design of a microprocessor, which includes physical components (registers, logic gates, ALU, cache, etc.) that support a specific instruction set.

146
Q

Bullets: Information flow model

A

This is a model in which information is restricted in its flow to only go to and from entities in a way that does not negate or violate the security policy.

147
Q

Explanations: Fully Mapped I/O

A

Under fully mapped I/O, the operating system does not trust the I/O device. The physical address is not given to the I/O device. Instead, the device works purely with logical addresses and works on behalf (under the security context) of the requesting process, so the operating system does not trust the device to interact with memory directly. The operating system does not trust the process or device and it acts as the broker to control how they communicate with each other.

148
Q

Bullets: Double data rate SDRAM (DDR SDRAM)

A

Carries out read operations on the rising and falling cycles of a clock pulse. So instead of carrying out one operation per clock cycle, it carries out two and thus can deliver twice the throughput of SDRAM. Basically, it doubles the speed of memory activities, when compared to SDRAM, with a smaller number of clock cycles. Pretty groovy.

149
Q

Explanations: Memory Management

A

To provide a safe and stable environment, an operating system must exercise proper memory management—one of its most important tasks. After all, everything happens in memory.

150
Q

Emphasis: security kernel

A

The security kernel is made up of hardware, software, and firmware components that fall within the TCB, and it implements and enforces the reference monitor concept. The security kernel mediates all access and functions between subjects and objects. The security kernel is the core of the TCB and is the most commonly used approach to building trusted computing systems. The security kernel has three main requirements:

151
Q

Explanation Bullets: Memory Protection Issues

A
  • Every address reference is validated for protection.
  • Two or more processes can share access to the same segment with potentially different access rights.
  • Different instruction and data types can be assigned different levels of protection.
  • Processes cannot generate an unpermitted address or gain access to an unpermitted segment.
152
Q

Bullets: Maintenance hooks

A

Code within software that provides a back door entry capability.

153
Q

Bullets: Multilevel security policies

A

Outlines how a system can simultaneously process information at different classifications for users with different clearance levels.

154
Q

Bullets: Simple integrity axiom

A

A subject cannot read data from a lower integrity level (referred to as “no read down”).

155
Q

Bullets: Base registers

A

Beginning of address space assigned to a process. Used to ensure a process does not make a request outside its assigned memory boundaries.

156
Q

Bullets: Process

A

Program loaded in memory within an operating system.

157
Q

Explanations: Multilevel Security Mode

A

Our system has various classifications of data, and each individual has the clearance and need-to-know to access only individual pieces of data.

158
Q

Bullets: Instruction set

A

Set of operations and commands that can be implemented by a particular processor (CPU).

159
Q

Bullets: Functional requirements

A

Establishes a protection boundary, meaning the threats or compromises within this boundary that are to be countered. The product or system must enforce the boundary established in this section.

160
Q

Bullets: General registers

A

Temporary memory location the CPU uses during its processes of executing instructions. The ALU’s “scratch pad” it uses while carrying out logic and math functions.

161
Q

Bullets: Security assurance requirements

A

Measures taken during development and evaluation of the product to assure compliance with the claimed security functionality.

162
Q

Explanations: Division B: Mandatory Protection

A

Mandatory access control is enforced by the use of security labels. The architecture is based on the Bell-LaPadula security model, and evidence of reference monitor enforcement must be available.

163
Q

Bullets: Data confidentiality

A

Protects data from being accessed in an unauthorized method during transmission. Mechanisms include access controls, encryption, and physical protection of cables.

164
Q

Emphasis: Systems Evaluation Methods

A

An assurance evaluation examines the security-relevant parts of a system, meaning the TCB, access control mechanisms, reference monitor, kernel, and protection mechanisms. The relationship and interaction between these components are also evaluated. There are different methods of evaluating and assigning assurance levels to systems. Two reasons explain why more than one type of assurance evaluation process exists: methods and ideologies have evolved over time, and various parts of the world look at computer security differently and rate some aspects of security differently. Each method will be explained and compared.

165
Q

Emphasis: The Orange Book

A

The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book with an orange cover, which is called, appropriately, the Orange Book. (We like to keep things simple in security.) Customers used the assurance rating that the criteria present as a metric when comparing different products. It also provided direction for manufacturers so they knew what specifications to build to, and provided a one-stop evaluation process so customers did not need to have individual components within the systems evaluated.

166
Q

Emphasis: Closed systems

A

Systems referred to as closed use an architecture that does not follow industry standards. Interoperability and standard interfaces are not employed to enable easy communication between different types of systems and add-on features. Closed systems are proprietary, meaning the system can only communicate with like systems.

167
Q

Emphasis: does

A

Static RAM (SRAM) does not require this continuous-refreshing nonsense; it uses a different technology, by holding bits in its memory cells without the use of capacitors, but it does require more transistors than DRAM. Since SRAM does not need to be refreshed, it is faster than DRAM, but because SRAM requires more transistors, it takes up more space on the RAM chip. Manufacturers cannot fit as many SRAM memory cells on a memory chip as they can DRAM memory cells, which is why SRAM is more expensive. So, DRAM is cheaper and slower, and SRAM is more expensive and faster. It always seems to go that way. SRAM has been used in cache, and DRAM is commonly used in RAM chips.

168
Q

Bullets: Synchronous DRAM (SDRAM)

A

Synchronizes itself with the system’s CPU and synchronizes signal input and output on the RAM chip. It coordinates its activities with the CPU clock so the timing of the CPU and the timing of the memory activities are synchronized. This increases the speed of transmitting and executing data.

169
Q

Bullets: Multithreading

A

Applications that can carry out multiple activities simultaneously by generating different instruction sets (threads).

170
Q

Emphasis: data hiding

A

Layered operating systems provide data hiding, which means that instructions and data (packaged up as procedures) at the various layers do not have direct access to the instructions and data at any other layers. Each procedure at each layer has access only to its own data and a set of functions that it requires to carry out its own tasks. If a procedure can access more procedures than it really needs, this opens the door for more successful compromises. For example, if an attacker is able to compromise and gain control of one procedure and this procedure has direct access to all other procedures, the attacker could compromise a more privileged procedure and carry out more devastating activities.

171
Q

Explanations: Hardware Segmentation

A

Systems of a higher trust level may need to implement hardware segmentation of the memory used by different processes. This means memory is separated physically instead of just logically. This adds another layer of protection to ensure that a lower-privileged process does not access and modify a higher-level process’s memory space.

172
Q

Emphasis: covert timing channel

A

In a covert timing channel, one process relays information to another by modulating its use of system resources. The two processes that are communicating to each other are using the same shared resource. So in our example, Process A is a piece of nefarious software that was installed via a Trojan horse. In a multitasked system, each process is offered access to interact with the CPU. When this function is offered to Process A, it rejects it—which indicates a 1 to the attacker. The next time Process A is offered access to the CPU, it uses it, which indicates a 0 to the attacker. Think of this as a type of Morse code, but using some type of system resource.

173
Q

Bullets: Asymmetric mode multiprocessing

A

When a computer has two or more CPUs and one CPU is dedicated to a specific program while the other CPUs carry out general processing procedures.

174
Q

Explanations: Memory Types

A

Memory management is critical, but what types of memory actually have to be managed?

175
Q

Emphasis: Process Domain

A

The term domain just means a collection of resources. A process has a collection of resources assigned to it when it is loaded into memory (run time), as in memory addresses, files it can interact with, system services available to it, peripheral devices, etc. The higher the ring level that the process executes within, the larger the domain of resources that is available to it.

176
Q

Emphasis: guards

A

Software and hardware guards allow the exchange of data between trusted (high assurance) and less trusted (low assurance) systems and environments. Let’s say you are working on a MAC system (working in dedicated security mode of secret) and you need the system to communicate with a MAC database (working in multilevel security mode, which goes up to top secret). These two systems provide different levels of protection. If a system with lower assurance could directly communicate with a system of higher assurance, then security vulnerabilities and compromises could be introduced. So, a software guard can be implemented, which is really just a front-end product that allows interconnectivity between systems working at different security levels. (The various types of guards available can carry out filtering, processing requests, data blocking, and data sanitization.) Or a hardware guard can be implemented, which is a system with two NICs connecting the two systems that need to communicate. The guard provides a level of strict access control between different systems.

177
Q

Bullets: Hybrid microkernel architecture

A

Combination of monolithic and microkernel architectures. The microkernel carries out critical operating system functionality, and the remaining functionality is carried out in a client/server model within kernel mode.

178
Q

Bullets: Descriptive elements

A

Provides the name of the profile and a description of the security problem to be solved.

179
Q

Bullets: Nonrepudiation

A

Ensures that a sender cannot deny sending a message. Mechanisms include encryption, digital signatures, and notarization.

180
Q

Bullets: ROM

A

Nonvolatile memory that is used on motherboards for BIOS functionality and various device controllers to allow for operating system-to-device communication. Sometimes used for off-loading graphic rendering or cryptographic functionality.

181
Q

Emphasis: Memory segments

A

Most applications have several different functions. Word processing applications can open files, save files, open other programs (such as an e-mail client), and print documents. Each one of these functions requires a thread (instruction set) to be dynamically generated. So, for example, if Tom chooses to print his document, the word processing process generates a thread that contains the instructions of how this document should be printed (font, colors, text, margins, and so on). If he chooses to send a document via e-mail through this program, another thread is created that tells the e-mail client to open and what file needs to be sent. Threads are dynamically created and destroyed as needed. Once Tom is done printing his document, the thread that was generated for this functionality is broken down.

182
Q

Bullets: Thread

A

Instruction set generated by a process when it has a specific activity that needs to be carried out by an operating system. When the activity is finished, the thread is destroyed.

183
Q

Bullets: Control unit

A

Part of the CPU that oversees the collection of instructions and data from memory and how they are passed to the processing components of the CPU.

184
Q

Bullets: Continuous protection

A

The security mechanisms and the system as a whole must perform predictably and acceptably in different situations continuously.

185
Q

Bullets: Security target

A

Vendor’s written explanation of the security functionality and assurance mechanisms that meet the needed security solution—in other words, “This is what our product does and how it does it.”

186
Q

Emphasis: The Red Book

A

The Orange Book addresses single-system security, but networks are a combination of systems, and each network needs to be secure without having to fully trust each and every system connected to it. The Trusted Network Interpretation (TNI), also called the Red Book because of the color of its cover, addresses security evaluation topics for networks and network components. It addresses isolated local area networks and wide area internetwork systems.

187
Q

Bullets: The *-integrity axiom

A

A subject cannot modify an object in a higher integrity level (no write up).

188
Q

Bullets: Selective routing

A

Routes messages in a way to avoid specific threats. Mechanisms include network configuration and routing tables.

189
Q

Bullets: Special registers

A

Temporary memory location that holds critical processing parameters. They hold values as in the program counter, stack pointer, and program status word.

190
Q

Bullets: Dynamic link libraries (DLLs)

A

A set of subroutines that are shared by different applications and operating system processes.

191
Q

Emphasis: covert channel

A

A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the system’s security policy.

192
Q

Bullets: The simple security rule

A

A subject cannot read data at a higher security level (no read up).

193
Q

Bullets: User mode (problem state)

A

Protection mode that a CPU works within when carrying out less trusted process instructions.

194
Q

Emphasis: Security Architecture Requirements

A

In the 1970s computer systems were moving from single user, stand-alone, centralized and closed systems to multiuser systems that had multiprogramming functionality and networking capabilities. The U.S. government needed to ensure that all of the systems that it was purchasing and implementing were properly protecting its most secret secrets. The government had various levels of classified data (secret, top secret) and users with different clearance levels (Secret, Top Secret). It needed to come up with a way to instruct vendors on how to build computer systems to meet their security needs and in turn a way to test the products these vendors developed based upon those same security needs.

195
Q

Bullets: Multiprogramming

A

Interleaved execution of more than one program (process) or task by a single operating system.

196
Q

Explanation Bullets: Protection

A
  • Limit processes to interact only with the memory segments assigned to them
  • Provide access control to memory segments

197
Q

Bullets: Cooperative multitasking

A

Multitasking scheduling scheme used by older operating systems to allow for computer resource time slicing. Processes had too much control over resources, which would allow for the programs or systems to “hang.”

198
Q

Emphasis: domain

A

The term domain just means a collection of resources. A process has a collection of resources assigned to it when it is loaded into memory (run time), as in memory addresses, files it can interact with, system services available to it, peripheral devices, etc. The higher the ring level that the process executes within, the larger the domain of resources that is available to it.

199
Q

Bullets: Address bus

A

Physical connections between processing components and memory segments used to communicate the physical memory addresses being used during processing procedures.

200
Q

Bullets: Network management

A

Monitors network performance and identifies attacks and failures. Mechanisms include components that enable network administrators to monitor and restrict resource access.

201
Q

Bullets: Trusted path

A

Trustworthy software channel that is used for communication between two processes that cannot be circumvented.

202
Q

Bullets: Data execution prevention (DEP)

A

Memory protection mechanism used by some operating systems. Memory segments may be marked as nonexecutable so that they cannot be misused by malicious software.

203
Q

Bullets: Hardware segmentation

A

Physically mapping software to individual memory segments.

204
Q

Bullets: Information Technology Security Evaluation Criteria (ITSEC)

A

European standard used to assess the effectiveness of the security controls built into a system.

205
Q

Emphasis: central processing unit (CPU)

A

The central processing unit (CPU) is the brain of a computer. In the most general description possible, it fetches instructions from memory and executes them. Although a CPU is a piece of hardware, it has its own instruction set that is necessary to carry out its tasks. Each CPU type has a specific architecture and set of instructions that it can carry out. The operating system must be designed to work within this CPU architecture. This is why one operating system may work on a Pentium Pro processor but not on an AMD processor. The operating system needs to know how to “speak the language” of the processor, which is the processor’s instruction set.

206
Q

Bullets: Open system

A

Designs are built upon accepted standards to allow for interoperability.

207
Q

Bullets: Message integrity

A

Protects the protocol header, routing information, and packet payload from being modified. Mechanisms include message authentication and encryption.

208
Q

Bullets: Assurance evaluation criteria

A

“Checklist” and process of examining the security-relevant parts of a system (TCB, reference monitor, security kernel) and assigning the system an assurance rating.

209
Q

Emphasis: Computer architecture

A

Computer architecture encompasses all of the parts of a computer system that are necessary for it to function, including the operating system, memory chips, logic circuits, storage devices, input and output devices, security components, buses, and networking interfaces. The interrelationships and internal working of all of these parts can be quite complex, and making them work together in a secure fashion consists of complicated methods and mechanisms. Thank goodness for the smart people who figured this stuff out! Now it is up to us to learn how they did it and why.

210
Q

Emphasis: assurance evaluation

A

An assurance evaluation examines the security-relevant parts of a system, meaning the TCB, access control mechanisms, reference monitor, kernel, and protection mechanisms. The relationship and interaction between these components are also evaluated. There are different methods of evaluating and assigning assurance levels to systems. Two reasons explain why more than one type of assurance evaluation process exists: methods and ideologies have evolved over time, and various parts of the world look at computer security differently and rate some aspects of security differently. Each method will be explained and compared.

211
Q

Explanations: A1: Verified Design

A

The architecture and protection features are not much different from systems that achieve a B3 rating, but the assurance of an A1 system is higher than a B3 system because of the formality in the way the A1 system was designed, the way the specifications were developed, and the level of detail in the verification techniques. Formal techniques are used to prove the equivalence between the TCB specifications and the security policy model. A more stringent change configuration is put in place with the development of an A1 system, and the overall design can be verified. In many cases, even the way in which the system is delivered to the customer is under scrutiny to ensure there is no way of compromising the system before it reaches its destination.

212
Q

Explanation Bullets: When you get back from lunch, your boss hands you the same paper with the following:

A
  • Discretionary access control-based operating system
  • Provides role-based access control functionality
  • Capability of protecting data classified at “public” and “confidential” levels
  • Does not allow unauthorized access to sensitive data or critical system functions
  • Enforces least privilege and separation of duties
  • Provides auditing capabilities
  • Implements trusted paths and trusted shells for sensitive processing activities
  • Enforces identification, authentication, and authorization of trusted subjects
  • Implements a capability-based authentication methodology
  • Does not contain covert channels
  • Enforces integrity rules on critical files

213
Q

Emphasis: Application Programming Interface (API)

A

An API is the doorway to a protocol, operating service, process, or DLL. When one piece of software needs to send information to another piece of software, it must format its communication request in a way that the receiving software understands. An application may send a request to an operating system’s cryptographic DLL, which will in turn carry out the requested cryptographic functionality for the application.

214
Q

Emphasis: Formal Models

A

Using models in software development has not become as popular as once imagined, primarily because vendors are under pressure to get products to market as soon as possible. Using formal models takes more time during the architectural phase of development, extra time that many vendors feel they cannot afford. Formal models are definitely used in the development of systems that cannot allow errors or security breaches, such as air traffic control systems, spacecraft software, railway signaling systems, military classified systems, and medical control systems. This does not mean that these models, or portions of them, are not used in industry products, but rather that industry vendors do not always follow these models in the purely formal and mathematical way all the time.

215
Q

Bullets: Program counter

A

Holds the memory address for the following instructions the CPU needs to act upon.

216
Q

Bullets: The strong star property rule

A

A subject can perform read and write functions only to the objects at its same security level.

217
Q

Bullets: Application programming interface

A

Software interface that enables process-to-process interaction. Common way to provide access to standard routines to a set of software programs.

218
Q

Emphasis: System Security Architecture

A

Up to this point we have looked at system architectures, CPU architectures, and operating system architectures. Remember that a system architecture has several views to it, depending upon the stakeholder’s individual concerns. Since our main concern is security, we are going to approach system architecture from a security point of view and drill down into the core components that are part of most computing systems today. But first we need to understand how the goals for the individual system security architectures are defined.

219
Q

Explanations: Security Models Recap

A

All of these different models can get your head spinning. Most people are not familiar with all of them, which can make it all even harder to absorb. The following are the core concepts of the different models:

220
Q

Explanations: Interrupt-Driven I/O

A

If an operating system is using interrupt-driven I/O, this means the CPU sends a character over to the printer and then goes and works on another process’s request. When the printer is done printing the first character, it sends an interrupt to the CPU. The CPU stops what it is doing, sends another character to the printer, and moves to another job. This process (send character—go do something else—interrupt—send another character) continues until the whole text is printed. Although the CPU is not waiting for each byte to be printed, this method does waste a lot of time dealing with all the interrupts. So we excused those smart people and brought in some new smarter people, who came up with I/O using DMA.

221
Q

Explanations: Cause for Confusion

A

If you continue your studies in operating system architecture, you will undoubtedly run into some of the confusion and controversy surrounding these families of architectures. The intricacies and complexities of these arguments are out of scope for the CISSP exam, but a little insight is worth noting.

222
Q

Bullets: Software deadlock

A

Two processes cannot complete their activities because they are both waiting for system resources to be released.

223
Q

Emphasis: Maintenance Hooks

A

In the programming world, maintenance hooks are a type of back door. They are instructions within software that only the developer knows about and can invoke, and which give the developer easy access to the code. They allow the developer to view and edit the code without having to go through regular access controls. During the development phase of the software, these can be very useful, but if they are not removed before the software goes into production, they can cause major security issues.

224
Q

Bullets: Target of evaluation

A

Product proposed to provide a needed security solution.

225
Q

Bullets: Reference monitor

A

Concept that defines a set of design requirements of a reference validation mechanism (security kernel), which enforces an access control policy over subjects’ (processes, users) ability to perform operations (read, write, execute) on objects (files, resources) on a system.

226
Q

Bullets: Documentation

A

Documentation must be provided, including test, design, and specification documents, user guides, and manuals.

227
Q

Bullets: Microkernel

A

Core operating system processes run in kernel mode and the remaining ones run in user mode.

228
Q

Emphasis: unmapped I/O

A

I/O Using DMA

Direct memory access (DMA) is a way of transferring data between I/O devices and the system’s memory without using the CPU. This speeds up data transfer rates significantly. When used in I/O activities, the DMA controller feeds the characters to the printer without bothering the CPU. This method is sometimes referred to as unmapped I/O.

229
Q

Bullets: Architecture

A

Fundamental organization of a system embodied in its components, their relationships to each other and to the environment, and the principles guiding its design and evolution.

230
Q

Bullets: Race condition

A

Two or more processes attempt to carry out their activity on one resource at the same time. Unexpected behavior can result if the sequence of execution does not take place in the proper order.

231
Q

Bullets: Multitasking

A

Simultaneous execution of more than one program (process) or task by a single operating system.

232
Q

Bullets: Process states (ready, running, blocked)

A

Processes can be in various activity levels. Ready = waiting for input. Running = instructions being executed by CPU. Blocked = process is “suspended.”

233
Q

Emphasis: maintenance hooks

A

In the programming world, maintenance hooks are a type of back door. They are instructions within software that only the developer knows about and can invoke, and which give the developer easy access to the code. They allow the developer to view and edit the code without having to go through regular access controls. During the development phase of the software, these can be very useful, but if they are not removed before the software goes into production, they can cause major security issues.

234
Q

Bullets: Accountability

A

Audit data must be captured and protected to enforce accountability.

235
Q

Bullets: EAL4

A

Methodically designed, tested, and reviewed

236
Q

Emphasis: ISO/IEC 15408

A

ISO/IEC 15408 is the international standard that is used as the basis for the evaluation of security properties of products under the CC framework. It actually has three main parts:

237
Q

Explanations: Process Management

A

Well, just look at all of these processes squirming around like little worms. We need some real organization here!

238
Q

Explanations: Open vs. Closed Systems

A

Computer systems can be developed to integrate easily with other systems and products (open systems) or can be developed to be more proprietary in nature and work with only a subset of other systems and products (closed systems). The following sections describe the difference between these approaches.

239
Q

Emphasis: firmware

A

Read-only memory (ROM) is a nonvolatile memory type, meaning that when a computer’s power is turned off, the data are still held within the memory chips. When data are written into ROM memory chips, the data cannot be altered. Individual ROM chips are manufactured with the stored program or routines designed into it. The software that is stored within ROM is called firmware.

240
Q

Bullets: Hybrid microkernel

A

All operating system processes run in kernel mode. Core processes run within a microkernel and others run in a client/server model.

241
Q

Bullets: Virtualization

A

Creation of a simulated environment (hardware platform, operating system, storage, etc.) that allows for central control and scalability.

242
Q

Explanation Bullets:

The memory manager has five basic responsibilities:

Relocation

A
  • Swap contents from RAM to the hard drive as needed (explained later in the “Virtual Memory” section of this chapter)
  • Provide pointers for applications if their instructions and memory segment have been moved to a different location in main memory

243
Q

Bullets: Microkernel architecture

A

Reduced amount of code running in kernel mode carrying out critical operating system functionality. Only the absolutely necessary code runs in kernel mode, and the remaining operating system code runs in user mode.

244
Q

Emphasis: Process Scheduling

A

Scheduling and synchronizing various processes and their activities is part of process management, which is a responsibility of the operating system. Several components need to be considered during the development of an operating system, which will dictate how process scheduling will take place. A scheduling policy is created to govern how threads will interact with other threads. Different operating systems can use different schedulers, which are basically algorithms that control the timesharing of the CPU. As stated earlier, the different processes are assigned different priority levels (interrupts) that dictate which processes overrule other processes when CPU time allocation is required. The operating system creates and deletes processes as needed, and oversees them changing state (ready, blocked, running). The operating system is also responsible for controlling deadlocks between processes attempting to use the same resources.

245
Q

Emphasis: Random access memory (RAM)

A

Random access memory (RAM) is a type of temporary storage facility where data and program instructions can temporarily be held and altered. It is used for read/write activities by the operating system and applications. It is described as volatile because if the computer’s power supply is terminated, then all information within this type of memory is lost.

246
Q

Bullets: View

A

Representation of a whole system from the perspective of a related set of concerns.