Chapter 6 Flashcards

0
Q

Define Trusted Computing Base (TCB).

A

The totality of protection mechanisms within a computer system - including hardware, firmware, and software - the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of the TCB to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters related to the security policy.

1
Q

Define Security Kernel.

A

The hardware, firmware, and software elements of a trusted computing base that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct.

2
Q

Where could the Reference Monitor be placed?

A

1) hardware: access control mechanisms in microprocessors.
2) operating system kernel: (example, hypervisor; a virtual machine that emulates the host computer it is running on)
3) operating system: (example, access control in Unix and Windows 2000)
4) services layer: access control in database systems, Java Virtual Machine, .NET Common Language Runtime,…
5) application: security checks in the application code to address application-specific requirements.

3
Q

List the reference monitor design choices.

A

1) RM in kernel: program and RM are separated.
2) interpreter: program inside the RM.
3) In-line RM (modified application): RM inside program.

4
Q

What are the two requirements that have to be addressed when securing an operating system?

A

1) users should be able to use (invoke) the OS.

2) users should not be able to misuse the OS.

5
Q

What are the concepts used to achieve the requirements to secure the operating system? Where can they be used?

A

1) modes of operation.
2) controlled invocation, also called restricted privilege.

These concepts can be used in any layer of a computing system, be it application software, operating system, or hardware. However, these mechanisms can be disabled if the attacker gets access to a lower layer.

6
Q

Between what should the OS distinguish in order to protect itself in modes of operation?

A

To protect itself, an OS must be able to distinguish computations ‘on behalf’ of the OS from computations ‘on behalf’ of a user.

7
Q

Define mode of operation.

A

A mode of operation defines which actions (example, machine instructions) may be performed on a system.

8
Q

How does a system work in dual-mode operation?

A

In dual-mode operation a system can work in:

  • user mode (protected mode), here instructions that are not critical for security may be performed, or in
  • supervisor mode (kernel, monitor, root, system mode);
9
Q

Define privileged instructions.

A

Privileged instructions are instructions that can only be executed in supervisor mode.

11
Q

What does the status flag do?

A

A status flag allows the system to work in different modes:

  • Intel 80x86: two status bits and four modes.
  • Unix distinguishes between user and superuser.
12
Q

What are the reasons for placing security in the core?

A

1) it may be possible to evaluate security to a higher level of assurance.
2) putting security mechanisms into the core of the system reduces the performance overheads caused by security checks.

13
Q

What information is stored in the descriptors?

A

Information about system objects such as memory segments, access control tables, and gates.

14
Q

Where are descriptors stored? And how are they accessed?

A

Descriptors are stored in the descriptor table and accessed via selectors.

15
Q

What is a selector?

A

A selector is a 16-bit field containing an index pointing to the object’s entry in the descriptor table and also a requested privilege level (RPL) field. Only the OS has access to selectors.

16
Q

What is a gate?

A

A system object pointing to a procedure, where the gate has a privilege level different from that of the procedure it points to. Gates allow execute-only access to procedures in an inner ring.

17
Q

What creates a loophole (confused deputy problem)?

A

Allowing outer-ring procedures to invoke inner-ring procedures creates a potential security loophole. The outer-ring process may ask the inner-ring procedure to copy an inner-ring object to the outer ring; this will not be prevented by any of the mechanisms, nor does it violate the stated security policy. This is known as a luring attack.

18
Q

How can the loophole (confused deputy problem) be solved?

A

We should take into account the level of the calling process by using the adjust requested privilege level (ARPL) instruction. This instruction changes the RPL fields of all selectors to the CPL of the calling process. The system then compares the RPL (in the selector) and the DPL (in the descriptor) of an object and refuses to complete the requested operation if they differ.

19
Q

How is the integrity of the OS itself preserved?

A

The OS manages access to data and resources. A multitasking OS interleaves execution of processes belonging to different users. It has to:

  • separate user space from OS space,
  • logically separate users,
  • restrict the memory objects a process can access.
20
Q

What does the logical separation of users prevent?

A

Logical separation of users prevents accidental and intentional interference between users.

21
Q

Where does logical separation of users take place?

A

  • file management, dealing with logical memory objects.
  • memory management, dealing with physical memory objects.

22
Q

What are the two main ways of structuring memory?

A

1) segmentation, divides memory into logical units of variable lengths.
+ a division into logical units is a good basis for enforcing a security policy.
- units of variable length make memory management more difficult.

2) paging, divides memory into pages of equal length.
+ fixed-length units allow efficient memory management.
- paging is not a good basis for access control as pages are not logical units. One page may contain objects requiring different protection. Page faults can create a covert channel.

23
Q

When does a page fault occur?

A

When a process accesses a logical object stored on more than one page, a page fault occurs whenever a new page is requested.

24
Q

When does a covert channel exist?

A

A covert channel exists if page faults are observable.

25
Q

What are the options for controlling access to memory?

A

1) the operating system modifies the addresses it receives from user processes.
2) the operating system constructs the effective addresses from relative addresses it receives from user processes.
3) the operating system checks whether the addresses it receives from user processes are within given bounds.

26
Q

What are fence registers?

A

The fence register contains the address of the end of the memory area allocated to the operating system.

27
Q

What are bound registers?

A

Bound registers define the bottom of the user space. Base and bounds registers allow program space to be separated from data space.

28
Q

What are tagged architectures?

A

Tagged architectures indicate the type of each memory object.

29
Q

Define controlled invocation.

A

Invocation of a function that executes privileged instructions to provide a limited, well-defined functionality and then returns to user mode.