Chapter 8: Principles of Security Models, Design, and Capabilities Flashcards
the active entity that makes a request to access a resource
subject
the passive entity that the subject wants to access.
object
the concept that if A trusts B and B trusts C, then A inherits trust of C through the transitive property
Transitive trust
Systems designed to work well with a narrow range of other systems, generally all from the same manufacturer.
closed system
Systems designed using agreed-upon industry standards
Open systems
a defined set of interactions allowed between computing elements, such as applications, services, networking, firmware, and hardware
application programming interfaces (APIs)
process where a programmer codes in mechanisms to anticipate and defend against errors in order to avoid the termination of execution
exception handling
to allow a system to continue to operate after a component fails
fail-soft
when a failure occurs, the system, device, or product will revert to a state that protects the health and safety of people.
fail-safe
If the priority is maintaining availability, then when the product fails, the connection or communication is allowed to continue.
fail-open
this concept is the encouragement to avoid overcomplicating the environment, organization, or product design
keep it simple, stupid (KISS principle)
Programmers should not add capabilities and functions until they are actually necessary: create a feature only when you actually need it, not when you first think of it.
“You Aren’t Gonna Need It” (YAGNI)
The quality of software does not necessarily increase with an increase in capabilities and functions; there is often a worse software state (i.e., fewer functions), which is the better (i.e., preferred, maybe more secure) option.
“Worse Is Better” (aka New Jersey Style)
Use the least powerful programming language that is suitable for the needed solution.
Rule of Least Power
Crafting code so that it uses the least necessary hardware and software resources possible
Computing Minimalism
The idea of eliminating redundancy in software by not repeating the same code in multiple places, since duplicated code makes later changes harder and easier to get wrong.
“Don’t Repeat Yourself” (DRY)
a security concept where nothing inside the organization is automatically trusted.
Zero trust
dividing up an internal network into numerous subzones. Each zone is separated from the others by internal segmentation firewalls (ISFWs), subnets, or VLANs
Microsegmentation
a network security measure employed to ensure that a secure system is physically isolated from other systems
air gap
a guideline to integrate privacy protections into products during the early design phase rather than attempting to tack it on at the end of development
Privacy by Design (PbD)
crafted to create a single set of universal and harmonized privacy principles
Global Privacy Standard (GPS)
A more traditional security approach of trusting subjects and devices within the company’s security perimeter (i.e., internal entities) automatically
“trust, but verify”
allows a process to read from and write to only certain memory locations and resources.
confinement
limits set on the memory addresses and resources a confined process can access
bounds
ensures that any behavior will affect only the memory and resources associated with the isolated process
Process isolation
allow subjects to access only authorized objects
Access controls
a system in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment
trusted system
the degree of confidence in satisfaction of security needs
Assurance
provides a way for designers to map abstract statements into a security policy that prescribes the algorithms and data structures necessary to build hardware and software
security model
the combination of hardware, software, and controls that work together to form a trusted base to enforce your security policy
trusted computing base (TCB) design principle
an imaginary boundary that separates the TCB from the rest of the system
security perimeter
a channel established with strict standards to allow necessary communication to occur without exposing the TCB to security exploitations
trusted path
The part of the TCB that validates access to every resource prior to granting access requests
reference monitor
The collection of components in the TCB that work together to implement reference monitor functions
security kernel
describes a system that is always secure no matter what state it is in; a state is a snapshot of the system at one moment, and every transition into a new state is checked against the security policy
state machine model
combines an external input with an internal machine state to model all kinds of complex systems, including parsers, decoders, and interpreters.
finite state machine (FSM)
If each possible state transition results in another secure state, the system can be called a _______
secure state machine
__________ model focuses on controlling the flow of information.
information flow
_____________ is concerned with how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower security level.
noninterference model
employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object.
take-grant model
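As an added example (not part of the flashcards), the four basic take-grant rules on a toy protection graph. Subjects and objects are nodes, each directed edge carries a set of rights, and the special rights t (take) and g (grant) are the only ones that let other rights move along the graph. The names alice, bob, carol and payroll.db are made up for illustration.

```python
# Added example: a toy take-grant protection graph (not from the original page).
# Rights 't' (take) and 'g' (grant) move rights through the graph; 'r'/'w' are
# ordinary rights. Node names are made up.

class TakeGrantGraph:
    def __init__(self):
        self.edges = {}  # (src, dst) -> set of rights src holds on dst

    def rights(self, src, dst):
        return self.edges.get((src, dst), set())

    def add(self, src, dst, *rights):
        self.edges.setdefault((src, dst), set()).update(rights)

    def take(self, x, y, z, right):
        """x takes 'right' on z from y: needs x --t--> y and y --right--> z."""
        if 't' not in self.rights(x, y) or right not in self.rights(y, z):
            return False
        self.add(x, z, right)
        return True

    def grant(self, x, y, z, right):
        """x grants its 'right' on z to y: needs x --g--> y and x --right--> z."""
        if 'g' not in self.rights(x, y) or right not in self.rights(x, z):
            return False
        self.add(y, z, right)
        return True

    def create(self, x, new, *rights):
        """x creates a fresh node and receives the chosen rights on it."""
        if any(new in edge for edge in self.edges):
            return False  # node already exists
        self.add(x, new, *rights)
        return True

    def remove(self, x, y, right):
        """x gives up one of its own rights on y (always allowed)."""
        self.edges.get((x, y), set()).discard(right)

    def holders(self, obj, right):
        """Every node that currently holds 'right' on obj."""
        return sorted(s for (s, d), r in self.edges.items() if d == obj and right in r)


def demo():
    g = TakeGrantGraph()
    g.add('alice', 'bob', 't')        # alice may take rights bob holds
    g.add('bob', 'payroll.db', 'r')   # bob can read the file
    g.add('bob', 'carol', 'g')        # bob may grant rights to carol
    took = g.take('alice', 'bob', 'payroll.db', 'r')       # True: t-edge plus bob's r
    granted = g.grant('bob', 'carol', 'payroll.db', 'r')   # True: g-edge plus bob's r
    blocked = g.grant('alice', 'carol', 'payroll.db', 'r') # False: alice has no g on carol
    return took, granted, blocked, g.holders('payroll.db', 'r')


if __name__ == "__main__":
    print(demo())
```

The point the graph makes visible is that rights leak along t and g edges even when no one explicitly shares them: alice never received r on payroll.db from an administrator, yet a single t edge to bob was enough.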
a table of subjects and objects that indicates the actions or functions that each subject can perform on each object
access control matrix
a confidentiality model in which a subject with any level of clearance can read resources at or below its clearance level (simple security property, "no read up") and can write only to resources at or above its clearance level (* property, "no write down")
Bell–LaPadula model
designed after the Bell–LaPadula model, but it focuses on integrity: a subject cannot read data at a lower integrity level (simple integrity axiom, "no read down") and cannot write to data at a higher integrity level (* integrity axiom, "no write up")
Biba model
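As an added example (not from the flashcards), a toy reference monitor that treats the set of currently open accesses as the system state, in the spirit of the secure state machine, and refuses any transition that would leave a state violating the rules. The same monitor enforces either Bell–LaPadula (no read up, no write down) or Biba (no read down, no write up), so the two models can be compared on identical subjects and objects. The labels, subject names and object names are made up.

```python
# Added example: Bell-LaPadula and Biba rules enforced by a reference monitor
# that only admits transitions into secure states (not from the original page).
# Levels, subjects and objects below are made up for illustration.

LEVELS = {"public": 0, "internal": 1, "secret": 2}


class ReferenceMonitor:
    def __init__(self, subject_labels, object_labels, policy):
        self.subjects = subject_labels   # name -> clearance (BLP) or integrity level (Biba)
        self.objects = object_labels     # name -> classification (BLP) or integrity level (Biba)
        self.policy = policy             # "blp" or "biba"
        self.state = set()               # current (subject, object, mode) accesses

    def _allowed(self, subject, obj, mode):
        s, o = LEVELS[self.subjects[subject]], LEVELS[self.objects[obj]]
        if self.policy == "blp":
            # Confidentiality: read only at or below clearance, write only at or above.
            return o <= s if mode == "read" else o >= s
        if self.policy == "biba":
            # Integrity: read only at or above own level, write only at or below.
            return o >= s if mode == "read" else o <= s
        raise ValueError("unknown policy")

    def secure(self, state):
        """A state is secure when every open access satisfies the policy."""
        return all(self._allowed(s, o, m) for (s, o, m) in state)

    def request(self, subject, obj, mode):
        """Transition: open one more access, but only if the new state is still secure."""
        candidate = self.state | {(subject, obj, mode)}
        if not self.secure(candidate):
            return False          # refused; state is unchanged
        self.state = candidate
        return True


def demo():
    subjects = {"analyst": "secret", "intern": "public"}
    objects = {"plan.doc": "secret", "memo.txt": "public"}
    blp = ReferenceMonitor(subjects, objects, "blp")
    biba = ReferenceMonitor(subjects, objects, "biba")
    return {
        "blp_read_down": blp.request("analyst", "memo.txt", "read"),    # allowed
        "blp_write_down": blp.request("analyst", "memo.txt", "write"),  # * property blocks
        "blp_read_up": blp.request("intern", "plan.doc", "read"),       # simple security blocks
        "blp_write_up": blp.request("intern", "plan.doc", "write"),     # blind write-up allowed
        "biba_read_down": biba.request("analyst", "memo.txt", "read"),  # simple integrity blocks
        "biba_write_up": biba.request("intern", "plan.doc", "write"),   # * integrity blocks
        "biba_read_up": biba.request("intern", "plan.doc", "read"),     # allowed
        "both_states_secure": blp.secure(blp.state) and biba.secure(biba.state),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The mirror-image results are the whole lesson: what Bell–LaPadula permits (a low-clearance intern writing into a secret document) is exactly what Biba forbids, which is why real systems that need both confidentiality and integrity cannot simply pick one lattice.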
the _____ model defines each data item and allows modifications through only a limited or controlled intermediary program or interface.
Clark–Wilson
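As an added example (not from the flashcards), a toy Clark–Wilson enforcement layer: constrained data items (CDIs) sit behind an interface with no direct write path, every change runs through a registered transformation procedure (TP) that is allowed only for a certified (subject, TP, CDI) triple, and an integrity verification procedure (IVP) is evaluated after each TP so a transition that would break the invariant is rolled back. The account names, balances and the invariant are made up.

```python
# Added example: Clark-Wilson access triples, TPs and an IVP (not from the original page).
# Account names, balances and the integrity rule are made up for illustration.

class IntegrityError(Exception):
    pass


class ClarkWilsonStore:
    def __init__(self, cdis, ivp):
        self._cdis = dict(cdis)   # CDI name -> value; modifiable only through a TP
        self._ivp = ivp           # function(cdis) -> bool; must hold before and after every TP
        self._tps = {}            # TP name -> function(cdis, **args)
        self._triples = set()     # certified (subject, tp, cdi) relations
        self.log = []             # audit trail of attempted TP runs
        if not ivp(self._cdis):
            raise IntegrityError("initial state fails the IVP")

    def read(self, name):
        return self._cdis[name]

    def register_tp(self, name, func):
        self._tps[name] = func

    def certify(self, subject, tp, cdi):
        self._triples.add((subject, tp, cdi))

    def run(self, subject, tp, cdis, **args):
        """Run TP 'tp' for 'subject' over the named CDIs; False if refused or rolled back."""
        if any((subject, tp, c) not in self._triples for c in cdis):
            self.log.append((subject, tp, "refused: uncertified triple"))
            return False
        snapshot = dict(self._cdis)
        self._tps[tp](self._cdis, **args)
        if not self._ivp(self._cdis):
            self._cdis = snapshot     # TP was not well-formed for this input
            self.log.append((subject, tp, "rolled back: IVP failed"))
            return False
        self.log.append((subject, tp, "ok"))
        return True


def transfer(cdis, src, dst, amount):
    """A TP: move 'amount' between two account CDIs."""
    cdis[src] -= amount
    cdis[dst] += amount


def demo():
    # Invariant: no negative balance and the total across accounts stays 300.
    store = ClarkWilsonStore(
        {"acct_a": 200, "acct_b": 100},
        ivp=lambda c: all(v >= 0 for v in c.values()) and sum(c.values()) == 300,
    )
    store.register_tp("transfer", transfer)
    store.certify("teller", "transfer", "acct_a")
    store.certify("teller", "transfer", "acct_b")
    accts = ["acct_a", "acct_b"]
    ok = store.run("teller", "transfer", accts, src="acct_a", dst="acct_b", amount=50)
    uncertified = store.run("intern", "transfer", accts, src="acct_a", dst="acct_b", amount=50)
    overdraw = store.run("teller", "transfer", accts, src="acct_b", dst="acct_a", amount=500)
    return ok, uncertified, overdraw, store.read("acct_a"), store.read("acct_b")


if __name__ == "__main__":
    print(demo())
```

Note that the store exposes read() but no write(): the only way a balance changes is through a TP, which is the "controlled intermediary" the flashcard describes, and the IVP is what turns a TP from "trusted because certified" into "checked on every run".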
created to permit access controls to change dynamically based on a user’s previous activity
Brewer and Nash model
predetermining the set or domain (i.e., a list) of objects that a subject can access.
Goguen–Meseguer model
focuses on preventing interference in support of integrity. It is formally based on the state machine model and the information flow model. However, it does not directly indicate specific mechanisms for protection of integrity. Instead, the model is based on the idea of defining a set of system states, initial states, and state transitions.
Sutherland model
focused on the secure creation and deletion of both subjects and objects.
Graham–Denning model
focuses on the assignment of object access rights to subjects as well as the resilience of those assigned rights.
Harrison–Ruzzo–Ullman (HRU) model
The ______ defines various levels of testing and confirmation of systems’ security capabilities (Evaluation Assurance Levels, EAL1 through EAL7), and the number of the level indicates what kind of testing and confirmation has been performed.
Common Criteria (CC)
a worldwide standards-setting group of representatives from various national standards organizations. ____ defines standards for industrial and commercial equipment, software, protocols, and management, among others.
International Organization for Standardization (ISO)
______ is used to prevent an active process from interacting with an area of memory that was not specifically assigned or allocated to it.
Memory protection
The _____ is both a specification for a cryptoprocessor chip on a mainboard and the general name for implementation of the specification.
Trusted Platform Module (TPM)
A _______ or _____ interface is implemented within an application to restrict what users can do or see based on their privileges. Users with full privileges have access to all the capabilities of the application. Users with restricted privileges have limited access.
constrained or restricted