CHAPTER 4_Security Architecture and Design Flashcards

Question

Emphasis: CPU Operation Modes

Answer 1

CPU Operation ModesAs stated earlier, the CPU provides the ring structure architecture and the operating system assigns its processes to the different rings. When a process is placed in ring 0, its activities are carried out in kernel mode, which means it can access the most critical resources in a nonrestrictive manner. The process is assigned a status level by the operating system (stored as PSW) and when it needs to interact with the CPU, the CPU checks its status to know what it can and cannot allow the process to do. If the process has the status of user mode, the CPU will limit the process’s access to system resources and restrict the functions it can carry out on these resources.

Answer 2

The Harrison-Ruzzo-Ullman (HRU) model deals with access rights of subjects and the integrity of those rights. A subject can carry out only a finite set of operations on an object. Since security loves simplicity, it is easier for a system to allow or disallow authorization of operations if one command is restricted to a single operation. For example, if a subject sent command X, which only required the operation of Y, this is pretty straightforward and allows the system to allow or disallow this operation to take place. But, if a subject sent a command M and to fulfill that command, operations N, B, W, and P had to be carried out, then there is much more complexity for the system to decide if this command should be authorized. Also the integrity of the access rights needs to be ensured, so in this example if one operation cannot be processed properly, the whole command fails. So while it is easy to dictate that subject A can only read object B, it is not always so easy to ensure each and every function supports this high-level statement. The HRU model is used by software designers to ensure that no unforeseen vulnerability is introduced and the stated access control goals are achieved.

Answer 3

Component of the CPU that carries out logic and mathematical functions as they are laid out in the programming code being processed by the CPU.

Answer 4

I trust that you will act properly; thus, I have a high level of assurance in you.Response: You are such a fool.

Answer 5

A multilevel security system can operate in different modes depending on the sensitivity of the data being processed, the clearance level of the users, and what those users are authorized to do. The mode of operation describes the security conditions under which the system actually functions.

Answer 6

A system is operating in multilevel security mode when it permits two or more classification levels of information to be processed at the same time when not all of the users have the clearance or formal approval to access all the information being processed by the system. So all users must have formal approval, NDA, need-to-know, and the necessary clearance to access the data that they need to carry out their jobs. In this mode, the user cannot access all of the data on the system, only what she is cleared to access.

Answer 7

A well-formed transaction is a series of operations that are carried out to transfer the data from one consistent state to the other. If Kathy transfers money from her checking account to her savings account, this transaction is made up of two operations: subtract money from one account and add it to a different account. By making sure the new values in her checking and savings accounts are accurate and their integrity is intact, the IVP maintains internal and external consistency. The Clark-Wilson model also outlines how to incorporate separation of duties into the architecture of an application. If we follow our same example of banking software, if a customer needs to withdraw over $10,000, the application may require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model provides the rules that the developers must follow to properly implement and enforce separation of duties through software procedures.

Answer 8

Multitasking scheduling scheme used by operating systems to allow for computer resource time slicing. Used in newer, more stable operating systems.

Answer 9

Individual subjects must be uniquely identified.

Answer 10

Software or hardware signal that indicates that system resources (i.e., CPU) are needed for instruction processing.

Answer 11

Computer security can be a slippery term because it means different things to different people. Many aspects of a system can be secured, and security can happen at various levels and to varying degrees. As stated in previous chapters, information security consists of the following main attributes:

Answer 12

This model allows for dynamically changing access controls that protect against conflicts of interest. Also known as the Chinese Wall model.

Answer 13

Division A: Verified ProtectionFormal methods are used to ensure that all subjects and objects are controlled with the necessary discretionary and mandatory access controls. The design, development, implementation, and documentation are looked at in a formal and detailed way. The security mechanisms between B3 and A1 are not very different, but the way the system was designed and developed is evaluated in a much more structured and stringent procedure.

Answer 14

Ensures that unauthorized entities are not aware of routing information or frequency of communication via traffic analysis. Mechanisms include padding messages, sending noise, or sending false messages.

Answer 15

Establishes the type and intensity of the evaluation.

Answer 16

Abstraction means that the details of something are hidden. Developers of applications do not know the amount or type of memory that will be available in each and every system their code will be loaded on. If a developer had to be concerned with this type of detail, then her application would be able to work only on the one system that maps to all of her specifications. To allow for portability, the memory manager hides all of the memory issues and just provides the application with a memory segment. The application is able to run without having to know all the hairy details of the operating system and hardware it is running on.

Answer 17

Protects against masquerading and playback attacks. Mechanisms include digital signatures, encryption, timestamp, and passwords.

Answer 18

Individual security functions which must be provided by a product.

Answer 19

Read-Only MemoryRead-only memory (ROM) is a nonvolatile memory type, meaning that when a computer’s power is turned off, the data are still held within the memory chips. When data are written into ROM memory chips, the data cannot be altered. Individual ROM chips are manufactured with the stored program or routines designed into it. The software that is stored within ROM is called firmware.

Answer 20

This integrity model is implemented to protect the integrity of data and to ensure that properly formatted transactions take place. It addresses all three goals of integrity:

Answer 21

Combination of main memory (RAM) and secondary memory within an operating system.

Answer 22

A lattice is a mathematical construct that is built upon the notion of a group. The most common definition of the lattice model is “a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set.”

Answer 23

International standard that provides guidelines on how to create and maintain system architectures.

Answer 24

* Prevent unauthorized users from making modifications * Prevent authorized users from making improper modifications (separation of duties) * Maintain internal and external consistency (well-formed transaction)

Answer 25

Operating System ArchitecturesWe started this chapter by looking at system architecture approaches. Remember that a system is made up of all the necessary pieces for computation: hardware, firmware, and software components. The chapter moved into the architecture of a CPU, which just looked at the processor. Now we will look at operating system architectures, which deal specifically with the software components of a system.

Answer 26

Fast and expensive memory type that is used by a CPU to increase read and write operations.

Answer 27

Why Put a Product Through Evaluation?Submitting a product to be evaluated against the Orange Book, Information Technology Security Evaluation Criteria, or Common Criteria is no walk in the park for a vendor. In fact, it is a really painful and long process, and no one wakes up in the morning thinking, “Yippee! I have to complete all of the paperwork that the National Computer Security Center requires so my product can be evaluated!” So, before we go through these different criteria, let’s look at why anyone would even put themselves through this process.

Answer 28

* Prevent unauthorized users from making modifications * Prevent authorized users from making improper modifications (separation of duties) * Maintain internal and external consistency (well-formed transaction)

Answer 29

The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the “no read up” rule, and the *-property rule is referred to as the “no write down” rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classification must be equal.

Answer 30

Security KernelThe security kernel is made up of hardware, software, and firmware components that fall within the TCB, and it implements and enforces the reference monitor concept. The security kernel mediates all access and functions between subjects and objects. The security kernel is the core of the TCB and is the most commonly used approach to building trusted computing systems. The security kernel has three main requirements:

Answer 31

Attacker manipulates the “condition check” step and the “use” step within software to allow for unauthorized activity.

Answer 32

A buffer overflow takes place when too much data are accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up by commands the attacker wants executed. So, the purpose of a buffer overflow may be either to make a mess, by shoving arbitrary data into various memory segments, or to accomplish a specific task, by pushing into the memory segment a carefully crafted set of data that will accomplish a specific task. This task could be to open a command shell with administrative privilege or execute malicious code.

Answer 33

Other Types of Covert ChannelsAlthough we are looking at covert channels within programming code, covert channels can be used in the outside world as well. Let’s say you are going to attend one of my lectures. Before the lecture begins, you and I agree on a way of communicating that no one else in the audience will understand. I tell you that if I twiddle a pen between my fingers in my right hand, that means there will be a quiz at the end of class. If I twiddle a pen between my fingers in my left hand, there will be no quiz. It is a covert channel, because this is not a normal way of communicating and it is secretive. (In this scenario, I would twiddle the pen in both hands to confuse you and make you stay after class to take the quiz all by yourself. Shame on you for wanting to be forewarned about a quiz!)

Answer 34

A subject cannot write data to an object at a higher integrity level (referred to as “no write up”).

Answer 35

Certification vs. AccreditationWe have gone through the different types of evaluation criteria that a system can be appraised against to receive a specific rating. This is a very formalized process, following which the evaluated system or product will be placed on an EPL indicating what rating it achieved. Consumers can check this listing and compare the different products and systems to see how they rank against each other in the property of protection. However, once a consumer buys this product and sets it up in their environment, security is not guaranteed. Security is made up of system administration, physical security, installation, configuration mechanisms within the environment, and continuous monitoring. To fairly say a system is secure, all of these items must be taken into account. The rating is just one piece in the puzzle of security.

Answer 36

An important concept in the design and analysis of secure systems is the security model, because it incorporates the security policy that should be enforced in the system. A model is a symbolic representation of a policy. It maps the desires of the policymakers into a set of rules that a computer system must follow.

Answer 37

Now that we have talked about how everything is supposed to work, let’s take a quick look at some of the things that can go wrong when designing a system.

Answer 38

Specific attacks can take advantage of the way a system processes requests and performs tasks. A time-of-check/time-of-use (TOC/TOU) attack deals with the sequence of steps a system uses to complete a task. This type of attack takes advantage of the dependency on the timing of events that take place in a multitasking operating system.

Answer 39

A silicon component made up of integrated chips with millions of transistors that carry out the execution of instructions within a computer.

Answer 40

A subject cannot read data at a lower integrity level (no read down).

Answer 41

Reference MonitorUp to this point we have a CPU that provides a ringed structure and an operating system that places its components in the different rings based upon the trust level of each component. We have a defined security policy, which outlines the level of security we want our system to provide. We have chosen the mechanisms that will enforce the security policy (TCB) and implemented security perimeters (interfaces) to make sure these mechanisms communicate securely. Now we need to develop and implement a mechanism that ensures that the subjects that access objects within the operating system have been given the necessary permissions to do so. This means we need to develop and implement a reference monitor.

Answer 42

This is faster than DRAM because DRAM can access only one block of data at a time, whereas EDO DRAM can capture the next block of data while the first block is being sent to the CPU for processing. It has a type of “look ahead” feature that speeds up memory access.

Answer 43

Works like (and builds upon) EDO DRAM in that it can transmit data to the CPU as it carries out a read option, but it can send more data at once (burst). It reads and sends up to four memory addresses in a small number of clock cycles.

Answer 44

ISO/IEC 15408-3 defines the assurance requirements, which are also organized in a hierarchy of classes, families, and components. This part outlines the evaluation assurance levels, which is a scale for measuring assurance of TOEs, and it provides the criteria for evaluation of protection profiles and security targets.

Answer 45

Central program used to manage virtual machines (guests) within a simulated environment (host).

Answer 46

A subject cannot write to an object at a lower security level (the “no write down” rule).

Answer 47

This model shows how a finite set of procedures can be available to edit the access rights of a subject.

Answer 48

This is the first mathematical model of a multilevel security policy that defines the concept of a secure state and necessary modes of access. It ensures that information only flows in a manner that does not violate the system policy and is confidentiality focused.

Answer 49

Okay, here is your memory, here is my memory, and here is Bob’s memory. No one use each other’s memory!

Answer 50

Response: Black magic. It uses eye of bat, tongue of goat, and some transistors.

Answer 51

The microarchitecture contains the things that make up the physical CPU (registers, logic gates, ALU, cache, etc.). The CPU knows mechanically how to use all of these parts; it just needs to know what the operating system wants it to do. A chef knows how to use all of his pots, pans, spices, and ingredients, but he needs an order from the menu so he knows how to use all of these properly to achieve the requested outcome. Similarly, the CPU has a “menu” of operations the operating system can “order” from, which is the instruction set. The operating system puts in its order (render graphics on screen, print to printer, encrypt data, etc.), and the CPU carries out the request and provides the result.

Answer 52

* Segment all memory types and provide an addressing scheme for each at an abstraction level * Allow for the sharing of specific software modules, such as dynamic link library (DLL) procedures

Answer 53

Premapped I/O and fully mapped I/O (described next) do not pertain to performance, as do the earlier methods, but provide two approaches that can directly affect security. In a premapped I/O system, the CPU sends the physical memory address of the requesting process to the I/O device, and the I/O device is trusted enough to interact with the contents of memory directly, so the CPU does not control the interactions between the I/O device and memory. The operating system trusts the device to behave properly. Scary.

Answer 54

(aka Orange Book) U.S. DoD standard used to assess the effectiveness of the security controls built into a system. Replaced by the Common Criteria.

Answer 55

When the CPU has to change from processing code in user mode to kernel mode. This is a protection measure, but it causes a performance hit.

Answer 56

In state machine models, to verify the security of a system, the state is used, which means that all current permissions and all current instances of subjects accessing objects must be captured. Maintaining the state of a system deals with each subject’s association with objects. If the subjects can access objects only by means that are concurrent with the security policy, the system is secure. A state of a system is a snapshot of a system at one moment of time. Many activities can alter this state, which are referred to as state transitions. The developers of an operating system that will implement the state machine model need to look at all the different state transitions that are possible and assess whether a system that starts up in a secure state can be put into an insecure state by any of these events. If all of the activities that are allowed to happen in the system do not compromise the system and put it into an insecure state, then the system executes a secure state machine model.

Answer 57

System ArchitectureIn Chapter 2 we covered enterprise architecture frameworks and introduced their direct relationship to system architecture. As explained in that chapter, an architecture is a tool used to conceptually understand the structure and behavior of a complex entity through different views. An architecture description is a formal description and representation of a system, the components that make it up, the interactions and interdependencies between those components, and the relationship to the environment. An architecture provides different views of the system, based upon the needs of the stakeholders of that system.

Answer 58

Interrupt value assigned to a noncritical operating system activity.

Answer 59

Memory sticks that are plugged into a computer’s motherboard and work as volatile memory space for an operating system.

Answer 60

For a subject to be able to read and write to an object, the subject’s clearance and the object’s classification must be equal.

Answer 61

The Common Criteria uses protection profiles in its evaluation process. This is a mechanism used to describe a real-world need for a product that is not currently on the market. The protection profile contains the set of security requirements, their meaning and reasoning, and the corresponding EAL rating that the intended product will require. The protection profile describes the environmental assumptions, the objectives, and the functional and assurance level expectations. Each relevant threat is listed along with how it is to be controlled by specific objectives. The protection profile also justifies the assurance level and requirements for the strength of each protection mechanism.

Answer 62

Values assigned to computer components (hardware and software) to allow for efficient computer resource time slicing.

Answer 63

Systems described as open are built upon standards, protocols, and interfaces that have published specifications. This type of architecture provides interoperability between products created by different vendors. This interoperability is provided by all the vendors involved who follow specific standards and provide interfaces that enable each system to easily communicate with other systems and allow add-ons to hook into the system easily.

Answer 64

Technical evaluation of the security components and their compliance to a predefined security policy for the purpose of accreditation.

Answer 65

Use of segregation in design decisions to protect software components from negatively interacting with each other. Commonly enforced through strict interfaces.

Answer 66

Ending of address space assigned to a process. Used to ensure a process does not make a request outside its assigned memory boundaries.

Answer 67

Designs are built upon proprietary procedures, which inhibit interoperability capabilities.

Answer 68

Identifies the specific requirements the product or system must meet during the development phases, from design to implementation.

Answer 69

Tool that marks unused memory segments as usable to ensure that an operating system does not run out of memory.

Answer 70

International standard used to assess the effectiveness of the security controls built into a system from functional and assurance perspectives.

Answer 71

Collection of document types to convey an architecture in a formal manner.

Answer 72

Memory protection mechanism used by some operating systems. The addresses used by components of a process are randomized so that it is harder for an attacker to exploit specific memory vulnerabilities.

Answer 73

I have my decoder ring, cape, and pirate’s hat on. I will communicate to my spy buddies with this tribal drum and a whistle.

Answer 74

• Swap contents from RAM to the hard drive as needed (explained later in the “Virtual Memory” section of this chapter)

Answer 75

Graham-Denning ModelRemember that these are all models, so they are not very specific in nature. Each individual vendor must decide how it is going to actually meet the rules outlined in the chosen model. Bell-LaPadula and Biba do not define how the security and integrity levels are defined and modified, nor do they provide a way to delegate or transfer access rights. The Graham-Denning model addresses some of these issues and defines a set of basic rights in terms of commands that a specific subject can execute on an object. This model has eight primitive protection rights, or rules of how these types of functionalities should take place securely, which are outlined next:

Answer 76

A system is operating in compartmented security mode when all users have the clearance to access all the information processed by the system in a system high-security configuration, but might not have the need-to-know and formal access approval. This means that if the system is holding secret and top-secret data, all users must have at least a top-secret clearance to gain access to this system. This is how compartmented and multilevel security modes are different. Both modes require the user to have a valid need-to-know, NDA, and formal approval, but compartmented security mode requires the user to have a clearance that dominates (above or equal to) any and all data on the system, whereas multilevel security mode just requires the user to have clearance to access the data she will be working with.

Answer 77

Process 1, go into your room and play with your toys. Process 2, go into your room and play with your toys. No intermingling and no fighting!

Answer 78

Small, temporary memory storage units integrated and used by the CPU during its processing functions.

Answer 79

Physical connections between processing components and memory segments used to transmit data being used during processing procedures.

Answer 80

Architecture that separates system functionality into hierarchical layers.

Answer 81

Computer security can be a slippery term because it means different things to different people. Many aspects of a system can be secured, and security can happen at various levels and to varying degrees. As stated in previous chapters, information security consists of the following main attributes:

Answer 82

This model shows how subjects and objects should be created and deleted. It also addresses how to assign specific access rights.

Answer 83

A subject cannot request service (invoke) of higher integrity.

Answer 84

Strategic tool used to dictate how sensitive information and resources are to be managed and protected.

Answer 85

Condition variable that indicates to the CPU what mode (kernel or user) instructions need to be carried out in.

Answer 86

* Programmed I/O * Interrupt-driven I/O * I/O using DMA * Premapped I/O * Fully mapped I/O

Answer 87

There is only one class in Division D. It is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions.

Answer 88

ISO/IEC 15408-1 lays out the general concepts and principles of the CC evaluation model. This part defines terms, establishes the core concept of TOE, describes the evaluation context, and necessary audience. It provides the key concepts for PP, security requirements, and guidelines for the security target.

Answer 89

* It looks specifically at the operating system and not at other issues like networking, databases, and so on. * It focuses mainly on one attribute of security—confidentiality—and not on integrity and availability. * It works with government classifications and not the protection classifications commercial industries use. * It has a relatively small number of ratings, which means many different aspects of security are not evaluated and rated independently.

Answer 90

Naming distinctions just means that the different processes have their own name or identification value. Processes are usually assigned process identification (PID) values, which the operating system and other processes use to call upon them. If each process is isolated, that means each process has its own unique PID value. This is just another way to enforce process isolation.

Answer 91

The reference monitor is an abstract machine that mediates all access subjects have to objects, both to ensure that the subjects have the necessary access rights and to protect the objects from unauthorized access and destructive modification. For a system to achieve a higher level of trust, it must require subjects (programs, users, processes) to be fully authorized prior to accessing an object (file, program, resource). A subject must not be allowed to use a requested resource until the subject has proven it has been granted access privileges to use the requested object. The reference monitor is an access control concept, not an actual physical component, which is why it is normally referred to as the “reference monitor concept” or an “abstract machine.”

Answer 92

Check the consistency of CDIs with external reality

Answer 93

All operating system processes run in a hierarchical model in kernel mode.

Answer 94

Operating System ComponentsAn operating system provides an environment for applications and users to work within. Every operating system is a complex beast, made up of various layers and modules of functionality. It has the responsibility of managing the hardware components, memory management, I/O operations, file system, process management, and providing system services. We next look at each of these responsibilities that every operating system type carries out. However, you must realize that whole books are written on just these individual topics, so the discussion here will only scratch the surface.

Answer 95

Interrupt value assigned to a critical operating system activity.

Answer 96

A formal state transition model that describes a set of access control rules designed to ensure data integrity.

Answer 97

Formal acceptance of the adequacy of a system’s overall security by management.

Answer 98

* Improper oversight in the development of the product * Improper implementation of access controls within the software * Existence of a shared resource between the two entities which are not properly controlled

Answer 99

No More Pencil WhippingMany organizations are taking the accreditation process more seriously than they did in the past. Unfortunately, sometimes when a certification process is completed and the documentation is sent to management for review and approval, management members just blindly sign the necessary documentation without really understanding what they are signing. Accreditation means management is accepting the risk that is associated with allowing this new product to be introduced into the organization’s environment. When large security compromises take place, the buck stops at the individual who signed off on the offending item. So as these management members are being held more accountable for what they sign off on, and as more regulations make executives personally responsible for security, the pencil whipping of accreditation papers is decreasing.

Answer 100

Hardware, software, and firmware components that fall within the TCB and implement and enforce the reference monitor concept.

Answer 101

Erasable programmable read-only memory (EPROM) can be erased, modified, and upgraded. EPROM holds data that can be electrically erased or written to. To erase the data on the memory chip, you need your handy-dandy ultraviolet (UV) light device that provides just the right level of energy. The EPROM chip has a quartz window, which is where you point the UV light. Although playing with UV light devices can be fun for the whole family, we have moved on to another type of ROM technology that does not require this type of activity.

Answer 102

Ensures that the network is available even if attacked. Mechanisms include fault-tolerant and redundant systems and the capability to reconfigure network parameters in case of an emergency.

Answer 103

* Use complex controls to ensure integrity and confidentiality when processes need to use the same shared memory segments * Allow many users with different levels of access to interact with the same application running in one memory segment

Answer 104

Protection mechanism provided by operating systems that can be implemented as encapsulation, time multiplexing of shared resources, naming distinctions, and virtual memory mapping.

Answer 105

Put the processor over there by the plant, the memory by the window, and the secondary storage upstairs.

Answer 106

Indirect addressing used by processes within an operating system. The memory manager carries out logical-to-absolute address mapping.

Answer 107

Software, hardware, and firmware must be able to be tested individually to ensure that each enforces the security policy in an effective manner throughout their lifetimes.

Answer 108

* The types of users who will be directly or indirectly connecting to the system * The type of data (classification levels, compartments, and categories) processed on the system * The clearance levels, need-to-know, and formal access approvals the users will have

Answer 109

A system is operating in system high-security mode when all users have a security clearance to access the information but not necessarily a need-to-know for all the information processed on the system. So, unlike in the dedicated security mode, in which all users have a need-to-know pertaining to all data on the system, in system high-security mode, all users have a need-to-know pertaining to some of the data.

Answer 110

* Use a host intrusion detection system to watch for any attackers using back doors into the system. * Use file system encryption to protect sensitive information. * Implement auditing to detect any type of back door use.

Answer 111

Too much data is put into the buffers that make up a stack. Common attack vector used by hackers to run malicious code on a target system.

Answer 112

Mechanism used to delineate between the components within and outside of the trusted computing base.

Answer 113

A subject cannot read data within an object that resides at a higher security level (the “no read up” rule).

Answer 114

A specification of the conventions for constructing and using a view. A template from which to develop individual views by establishing the purposes and audience for a view and the techniques for its creation and analysis.

Answer 115

Mode that a CPU works within when carrying out more trusted process instructions. The process has access to more computer resources when working in kernel versus user mode.

Answer 116

The C rating category has two individual assurance ratings within it, which are described next. The higher the number of the assurance rating, the greater the protection.

Answer 117

The watchdog timer is an example of a critical process that must always do its thing. This process will reset the system with a warm boot if the operating system hangs and cannot recover itself. For example, if there is a memory management problem and the operating system hangs, the watchdog timer will reset the system. This is one mechanism that ensures the software provides more of a stable environment.Thread Management

Answer 118

As mentioned earlier, the invocation property in the Biba model states that a subject cannot invoke (call upon) a subject at a higher integrity level. Well, how is this different from the other two Biba rules? The “*-integrity axiom (no write up) dictates how subjects can modify objects. The simple integrity axiom (no read down) dictates how subjects can read objects. The invocation property dictates how one subject can communicate with and initialize other subjects at run time. An example of a subject invoking another subject is when a process sends a request to a procedure to carry out some type of task. Subjects are only allowed to invoke tools at a lower integrity level. With the invocation property, the system is making sure a dirty subject cannot invoke a clean tool to contaminate a clean object.

Answer 119

All of the code of the operating system working in kernel mode in an ad hoc and nonmodularized manner.

Answer 120

Flash memory is a special type of memory that is used in digital cameras, BIOS chips, memory cards, and video game consoles. It is a solid-state technology, meaning it does not have moving parts and is used more as a type of hard drive than memory.

Answer 121

Specific design of a microprocessor, which includes physical components (registers, logic gates, ALU, cache, etc.) that support a specific instruction set.

Answer 122

This is a model in which information is restricted in its flow to only go to and from entities in a way that does not negate or violate the security policy.

Answer 123

Under fully mapped I/O, the operating system does not trust the I/O device. The physical address is not given to the I/O device. Instead, the device works purely with logical addresses and works on behalf (under the security context) of the requesting process, so the operating system does not trust the device to interact with memory directly. The operating system does not trust the process or device and it acts as the broker to control how they communicate with each other.

Answer 124

Carries out read operations on the rising and falling cycles of a clock pulse. So instead of carrying out one operation per clock cycle, it carries out two and thus can deliver twice the throughput of SDRAM. Basically, it doubles the speed of memory activities, when compared to SDRAM, with a smaller number of clock cycles. Pretty groovy.

Answer 125

To provide a safe and stable environment, an operating system must exercise proper memory management—one of its most important tasks. After all, everything happens in memory.

Answer 126

The security kernel is made up of hardware, software, and firmware components that fall within the TCB, and it implements and enforces the reference monitor concept. The security kernel mediates all access and functions between subjects and objects. The security kernel is the core of the TCB and is the most commonly used approach to building trusted computing systems. The security kernel has three main requirements:

Answer 127

* Every address reference is validated for protection. * Two or more processes can share access to the same segment with potentially different access rights. * Different instruction and data types can be assigned different levels of protection. * Processes cannot generate an unpermitted address or gain access to an unpermitted segment.

Answer 128

Code within software that provides a back door entry capability.

Answer 129

Outlines how a system can simultaneously process information at different classifications for users with different clearance levels.

Answer 130

A subject cannot read data from a lower integrity level (referred to as “no read down”).

Answer 131

Beginning of address space assigned to a process. Used to ensure a process does not make a request outside its assigned memory boundaries.

Answer 132

Program loaded in memory within an operating system.

Answer 133

Our system has various classifications of data, and each individual has the clearance and need-to-know to access only individual pieces of data.

Answer 134

Set of operations and commands that can be implemented by a particular processor (CPU).

Answer 135

Establishes a protection boundary, meaning the threats or compromises within this boundary to be countered. The product or system must enforce the boundary established in this section.

Answer 136

Temporary memory location the CPU uses during its processes of executing instructions. The ALU’s “scratch pad” it uses while carrying out logic and math functions.

Answer 137

Measures taken during development and evaluation of the product to assure compliance with the claimed security functionality.

Answer 138

Mandatory access control is enforced by the use of security labels. The architecture is based on the Bell-LaPadula security model, and evidence of reference monitor enforcement must be available.

Answer 139

Protects data from being accessed in an unauthorized method during transmission. Mechanisms include access controls, encryption, and physical protection of cables.

Answer 140

Systems Evaluation MethodsAn assurance evaluation examines the security-relevant parts of a system, meaning the TCB, access control mechanisms, reference monitor, kernel, and protection mechanisms. The relationship and interaction between these components are also evaluated. There are different methods of evaluating and assigning assurance levels to systems. Two reasons explain why more than one type of assurance evaluation process exists: methods and ideologies have evolved over time, and various parts of the world look at computer security differently and rate some aspects of security differently. Each method will be explained and compared.

Answer 141

The Orange BookThe U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book with an orange cover, which is called, appropriately, the Orange Book. (We like to keep things simple in security.) Customers used the assurance rating that the criteria present as a metric when comparing different products. It also provided direction for manufacturers so they knew what specifications to build to, and provides a one-stop evaluation process so customers do not need to have individual components within the systems evaluated.

Answer 142

Systems referred to as closed use an architecture that does not follow industry standards. Interoperability and standard interfaces are not employed to enable easy communication between different types of systems and add-on features. Closed systems are proprietary, meaning the system can only communicate with like systems.

Answer 143

Static RAM (SRAM) does not require this continuous-refreshing nonsense; it uses a different technology, by holding bits in its memory cells without the use of capacitors, but it does require more transistors than DRAM. Since SRAM does not need to be refreshed, it is faster than DRAM, but because SRAM requires more transistors, it takes up more space on the RAM chip. Manufacturers cannot fit as many SRAM memory cells on a memory chip as they can DRAM memory cells, which is why SRAM is more expensive. So, DRAM is cheaper and slower, and SRAM is more expensive and faster. It always seems to go that way. SRAM has been used in cache, and DRAM is commonly used in RAM chips.

Answer 144

Synchronizes itself with the system’s CPU and synchronizes signal input and output on the RAM chip. It coordinates its activities with the CPU clock so the timing of the CPU and the timing of the memory activities are synchronized. This increases the speed of transmitting and executing data.

Answer 145

Applications that can carry out multiple activities simultaneously by generating different instruction sets (threads).

Answer 146

Layered operating systems provide data hiding, which means that instructions and data (packaged up as procedures) at the various layers do not have direct access to the instructions and data at any other layers. Each procedure at each layer has access only to its own data and a set of functions that it requires to carry out its own tasks. If a procedure can access more procedures than it really needs, this opens the door for more successful compromises. For example, if an attacker is able to compromise and gain control of one procedure and this procedure has direct access to all other procedures, the attacker could compromise a more privileged procedure and carry out more devastating activities.

Answer 147

Systems of a higher trust level may need to implement hardware segmentation of the memory used by different processes. This means memory is separated physically instead of just logically. This adds another layer of protection to ensure that a lower-privileged process does not access and modify a higher-level process’s memory space.

Answer 148

In a covert timing channel, one process relays information to another by modulating its use of system resources. The two processes that are communicating to each other are using the same shared resource. So in our example, Process A is a piece of nefarious software that was installed via a Trojan horse. In a multitasked system, each process is offered access to interact with the CPU. When this function is offered to Process A, it rejects it—which indicates a 1 to the attacker. The next time Process A is offered access to the CPU, it uses it, which indicates a 0 to the attacker. Think of this as a type of Morse code, but using some type of system resource.

Answer 149

When a computer has two or more CPUs and one CPU is dedicated to a specific program while the other CPUs carry out general processing procedures.

Answer 150

Memory management is critical, but what types of memory actually have to be managed?

Answer 151

Process DomainThe term domain just means a collection of resources. A process has a collection of resources assigned to it when it is loaded into memory (run time), as in memory addresses, files it can interact with, system services available to it, peripheral devices, etc. The higher the ring level that the process executes within, the larger the domain of resources that is available to it.

Answer 152

Software and hardware guards allow the exchange of data between trusted (high assurance) and less trusted (low assurance) systems and environments. Let’s say you are working on a MAC system (working in dedicated security mode of secret) and you need the system to communicate with a MAC database (working in multilevel security mode, which goes up to top secret). These two systems provide different levels of protection. If a system with lower assurance could directly communicate with a system of higher assurance, then security vulnerabilities and compromises could be introduced. So, a software guard can be implemented, which is really just a front-end product that allows interconnectivity between systems working at different security levels. (The various types of guards available can carry out filtering, processing requests, data blocking, and data sanitization.) Or a hardware guard can be implemented, which is a system with two NICs connecting the two systems that need to communicate. The guard provides a level of strict access control between different systems.

Answer 153

Combination of monolithic and microkernel architectures. The microkernel carries out critical operating system functionality, and the remaining functionality is carried out in a client\server model within kernel mode.

Answer 154

Provides the name of the profile and a description of the security problem to be solved.

Answer 155

Ensures that a sender cannot deny sending a message. Mechanisms include encryption, digital signatures, and notarization.

Answer 156

Nonvolatile memory that is used on motherboards for BIOS functionality and various device controllers to allow for operating system-to-device communication. Sometimes used for off-loading graphic rendering or cryptographic functionality.

Answer 157

Memory segmentsMost applications have several different functions. Word processing applications can open files, save files, open other programs (such as an e-mail client), and print documents. Each one of these functions requires a thread (instruction set) to be dynamically generated. So, for example, if Tom chooses to print his document, the word processing process generates a thread that contains the instructions of how this document should be printed (font, colors, text, margins, and so on). If he chooses to send a document via e-mail through this program, another thread is created that tells the e-mail client to open and what file needs to be sent. Threads are dynamically created and destroyed as needed. Once Tom is done printing his document, the thread that was generated for this functionality is broken down.

Answer 158

Instruction set generated by a process when it has a specific activity that needs to be carried out by an operating system. When the activity is finished, the thread is destroyed.

Answer 159

Part of the CPU that oversees the collection of instructions and data from memory and how they are passed to the processing components of the CPU.

Answer 160

The security mechanisms and the system as a whole must perform predictably and acceptably in different situations continuously.

Answer 161

Vendor’s written explanation of the security functionality and assurance mechanisms that meet the needed security solution—in other words, “This is what our product does and how it does it.”

Answer 162

The Red BookThe Orange Book addresses single-system security, but networks are a combination of systems, and each network needs to be secure without having to fully trust each and every system connected to it. The Trusted Network Interpretation (TNI), also called the Red Book because of the color of its cover, addresses security evaluation topics for networks and network components. It addresses isolated local area networks and wide area internetwork systems.

Answer 163

A subject cannot modify an object in a higher integrity level (no write up).

Answer 164

Routes messages in a way to avoid specific threats. Mechanisms include network configuration and routing tables.

Answer 165

Temporary memory location that holds critical processing parameters. They hold values as in the program counter, stack pointer, and program status word.

Answer 166

A set of subroutines that are shared by different applications and operating system processes.

Answer 167

A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the system’s security policy.

Answer 168

A subject cannot read data at a higher security level (no read up).

Answer 169

Protection mode that a CPU works within when carrying out less trusted process instructions.

Answer 170

Security Architecture RequirementsIn the 1970s computer systems were moving from single user, stand-alone, centralized and closed systems to multiuser systems that had multiprogramming functionality and networking capabilities. The U.S. government needed to ensure that all of the systems that it was purchasing and implementing were properly protecting its most secret secrets. The government had various levels of classified data (secret, top secret) and users with different clearance levels (Secret, Top Secret). It needed to come up with a way to instruct vendors on how to build computer systems to meet their security needs and in turn a way to test the products these vendors developed based upon those same security needs.

Answer 171

Interleaved execution of more than one program (process) or task by a single operating system.

Answer 172

* Limit processes to interact only with the memory segments assigned to them * Provide access control to memory segments

Answer 173

Multitasking scheduling scheme used by older operating systems to allow for computer resource time slicing. Processes had too much control over resources, which would allow for the programs or systems to “hang.”

Answer 174

The term domain just means a collection of resources. A process has a collection of resources assigned to it when it is loaded into memory (run time), as in memory addresses, files it can interact with, system services available to it, peripheral devices, etc. The higher the ring level that the process executes within, the larger the domain of resources that is available to it.

Answer 175

Physical connections between processing components and memory segments used to communicate the physical memory addresses being used during processing procedures.

Answer 176

Monitors network performance and identifies attacks and failures. Mechanisms include components that enable network administrators to monitor and restrict resource access.

Answer 177

Trustworthy software channel that is used for communication between two processes that cannot be circumvented.

Answer 178

Memory protection mechanism used by some operating systems. Memory segments may be marked as nonexecutable so that they cannot be misused by malicious software.

Answer 179

Physically mapping software to individual memory segments.

Answer 180

European standard used to assess the effectiveness of the security controls built into a system.

Answer 181

The central processing unit (CPU) is the brain of a computer. In the most general description possible, it fetches instructions from memory and executes them. Although a CPU is a piece of hardware, it has its own instruction set that is necessary to carry out its tasks. Each CPU type has a specific architecture and set of instructions that it can carry out. The operating system must be designed to work within this CPU architecture. This is why one operating system may work on a Pentium Pro processor but not on an AMD processor. The operating system needs to know how to “speak the language” of the processor, which is the processor’s instruction set.

Answer 182

Designs are built upon accepted standards to allow for interoperability.

Answer 183

Protects the protocol header, routing information, and packet payload from being modified. Mechanisms include message authentication and encryption.

Answer 184

“Checklist” and process of examining the security-relevant parts of a system (TCB, reference monitor, security kernel) and assigning the system an assurance rating.

Answer 185

Computer architecture encompasses all of the parts of a computer system that are necessary for it to function, including the operating system, memory chips, logic circuits, storage devices, input and output devices, security components, buses, and networking interfaces. The interrelationships and internal working of all of these parts can be quite complex, and making them work together in a secure fashion consists of complicated methods and mechanisms. Thank goodness for the smart people who figured this stuff out! Now it is up to us to learn how they did it and why.

Answer 186

An assurance evaluation examines the security-relevant parts of a system, meaning the TCB, access control mechanisms, reference monitor, kernel, and protection mechanisms. The relationship and interaction between these components are also evaluated. There are different methods of evaluating and assigning assurance levels to systems. Two reasons explain why more than one type of assurance evaluation process exists: methods and ideologies have evolved over time, and various parts of the world look at computer security differently and rate some aspects of security differently. Each method will be explained and compared.

Answer 187

The architecture and protection features are not much different from systems that achieve a B3 rating, but the assurance of an A1 system is higher than a B3 system because of the formality in the way the A1 system was designed, the way the specifications were developed, and the level of detail in the verification techniques. Formal techniques are used to prove the equivalence between the TCB specifications and the security policy model. A more stringent change configuration is put in place with the development of an A1 system, and the overall design can be verified. In many cases, even the way in which the system is delivered to the customer is under scrutiny to ensure there is no way of compromising the system before it reaches its destination.

Answer 188

* Discretionary access control-based operating system * Provides role-based access control functionality * Capability of protecting data classified at “public” and “confidential” levels * Does not allow unauthorized access to sensitive data or critical system functions * Enforces least privilege and separation of duties * Provides auditing capabilities * Implements trusted paths and trusted shells for sensitive processing activities * Enforces identification, authentication, and authorization of trusted subjects * Implements a capability-based authentication methodology * Does not contain covert channels * Enforces integrity rules on critical files

Answer 189

Application Programming Interface (API)An API is the doorway to a protocol, operating service, process, or DLL. When one piece of software needs to send information to another piece of software, it must format its communication request in a way that the receiving software understands. An application may send a request to an operating system’s cryptographic DLL, which will in turn carry out the requested cryptographic functionality for the application.

Answer 190

Formal ModelsUsing models in software development has not become as popular as once imagined, primarily because vendors are under pressure to get products to market as soon as possible. Using formal models takes more time during the architectural phase of development, extra time that many vendors feel they cannot afford. Formal models are definitely used in the development of systems that cannot allow errors or security breaches, such as air traffic control systems, spacecraft software, railway signaling systems, military classified systems, and medical control systems. This does not mean that these models, or portions of them, are not used in industry products, but rather that industry vendors do not always follow these models in the purely formal and mathematical way all the time.

Answer 191

Holds the memory address for the following instructions the CPU needs to act upon.

Answer 192

A subject can perform read and write functions only to the objects at its same security level.

Answer 193

Software interface that enables process-to-process interaction. Common way to provide access to standard routines to a set of software programs.

Answer 194

System Security ArchitectureUp to this point we have looked at system architectures, CPU architectures, and operating system architectures. Remember that a system architecture has several views to it, depending upon the stakeholder’s individual concerns. Since our main concern is security, we are going to approach system architecture from a security point of view and drill down into the core components that are part of most computing systems today. But first we need to understand how the goals for the individual system security architectures are defined.

Answer 195

All of these different models can get your head spinning. Most people are not familiar with all of them, which can make it all even harder to absorb. The following are the core concepts of the different models:

Answer 196

If an operating system is using interrupt-driven I/O, this means the CPU sends a character over to the printer and then goes and works on another process’s request. When the printer is done printing the first character, it sends an interrupt to the CPU. The CPU stops what it is doing, sends another character to the printer, and moves to another job. This process (send character—go do something else—interrupt—send another character) continues until the whole text is printed. Although the CPU is not waiting for each byte to be printed, this method does waste a lot of time dealing with all the interrupts. So we excused those smart people and brought in some new smarter people, who came up with I/O using DMA.

Answer 197

If you continue your studies in operating system architecture, you will undoubtedly run into some of the confusion and controversy surrounding these families of architectures. The intricacies and complexities of these arguments are out of scope for the CISSP exam, but a little insight is worth noting.

Answer 198

Two processes cannot complete their activities because they are both waiting for system resources to be released.

Answer 199

Maintenance HooksIn the programming world, maintenance hooks are a type of back door. They are instructions within software that only the developer knows about and can invoke, and which give the developer easy access to the code. They allow the developer to view and edit the code without having to go through regular access controls. During the development phase of the software, these can be very useful, but if they are not removed before the software goes into production, they can cause major security issues.

Answer 200

Product proposed to provide a needed security solution.

Answer 201

Concept that defines a set of design requirements of a reference validation mechanism (security kernel), which enforces an access control policy over subjects’ (processes, users) ability to perform operations (read, write, execute) on objects (files, resources) on a system.

Answer 202

Documentation must be provided, including test, design, and specification documents, user guides, and manuals.

Answer 203

Core operating system processes run in kernel mode and the remaining ones run in user mode.

Answer 204

I/O Using DMA Direct memory access (DMA) is a way of transferring data between I/O devices and the system’s memory without using the CPU. This speeds up data transfer rates significantly. When used in I/O activities, the DMA controller feeds the characters to the printer without bothering the CPU. This method is sometimes referred to as unmapped I/O.

Answer 205

Fundamental organization of a system embodied in its components, their relationships to each other and to the environment, and the principles guiding its design and evolution.

Answer 206

Two or more processes attempt to carry out their activity on one resource at the same time. Unexpected behavior can result if the sequence of execution does not take place in the proper order.

Answer 207

Simultaneous execution of more than one program (process) or task by a single operating system.

Answer 208

Processes can be in various activity levels. Ready = waiting for input. Running = instructions being executed by CPU. Blocked = process is “suspended.”

Answer 209

In the programming world, maintenance hooks are a type of back door. They are instructions within software that only the developer knows about and can invoke, and which give the developer easy access to the code. They allow the developer to view and edit the code without having to go through regular access controls. During the development phase of the software, these can be very useful, but if they are not removed before the software goes into production, they can cause major security issues.

Answer 210

Audit data must be captured and protected to enforce accountability.

Answer 211

Methodically designed, tested, and reviewed

Answer 212

ISO/IEC15408 is the international standard that is used as the basis for the evaluation of security properties of products under the CC framework. It actually has three main parts:

Answer 213

Well, just look at all of these processes squirming around like little worms. We need some real organization here!

Answer 214

Computer systems can be developed to integrate easily with other systems and products (open systems) or can be developed to be more proprietary in nature and work with only a subset of other systems and products (closed systems). The following sections describe the difference between these approaches.

Answer 215

Read-only memory (ROM) is a nonvolatile memory type, meaning that when a computer’s power is turned off, the data are still held within the memory chips. When data are written into ROM memory chips, the data cannot be altered. Individual ROM chips are manufactured with the stored program or routines designed into it. The software that is stored within ROM is called firmware.

Answer 216

All operating system processes run in kernel mode. Core processes run within a microkernel and others run in a client\server model.

Answer 217

Creation of a simulated environment (hardware platform, operating system, storage, etc.) that allows for central control and scalability.

Answer 218

* Swap contents from RAM to the hard drive as needed (explained later in the “Virtual Memory” section of this chapter) * Provide pointers for applications if their instructions and memory segment have been moved to a different location in main memory

Answer 219

Reduced amount of code running in kernel mode carrying out critical operating system functionality. Only the absolutely necessary code runs in kernel mode, and the remaining operating system code runs in user mode.

Answer 220

Process SchedulingScheduling and synchronizing various processes and their activities is part of process management, which is a responsibility of the operating system. Several components need to be considered during the development of an operating system, which will dictate how process scheduling will take place. A scheduling policy is created to govern how threads will interact with other threads. Different operating systems can use different schedulers, which are basically algorithms that control the timesharing of the CPU. As stated earlier, the different processes are assigned different priority levels (interrupts) that dictate which processes overrule other processes when CPU time allocation is required. The operating system creates and deletes processes as needed, and oversees them changing state (ready, blocked, running). The operating system is also responsible for controlling deadlocks between processes attempting to use the same resources.

Answer 221

Random access memory (RAM) is a type of temporary storage facility where data and program instructions can temporarily be held and altered. It is used for read/write activities by the operating system and applications. It is described as volatile because if the computer’s power supply is terminated, then all information within this type of memory is lost.

Answer 222

Representation of a whole system from the perspective of a related set of concerns.

Brainscape's Knowledge GenomeTM

CHAPTER 4_Security Architecture and Design Flashcards

Brainscape's Knowledge Genome^TM