Chapter 8 - Principles Of Security Models, Design, and Capabilities

Question 1

Confinement

Answer 1

Process confinement allows a process to read from and write to only certain memory locations and resources. This is also called sandboxing.

Question 2

Definition of state machine model and examples of security models?

Answer 2

The state machine model describes a system that is always secure no matter what state it is in. Bell-LaPadula and Biba are security models built on a state machine model.

Question 3

Declassification Process

Answer 3

Declassification is the process of moving an object into a lower level of classification once it is determined that it no longer justifies being placed at a higher level. Only a trusted subject can perform declassification because this action is a violation of the verbiage of the star property of Bell-LaPadula, but not the spirit or intent, which is to prevent unauthorized disclosure.

Question 4

Concept of the virtual storage

Answer 4

Virtual storage a service provided by the operating system where it uses a combination of RAM and disk storage to simulate a much larger address space than is actually present. Infrequently used portions of memory are paged out by being written to secondary storage and paged back in when required by a running program.

Most OS’s have the ability to simulate having more main memory than is physically available in the system. This is done by storing part of the data on secondary storage, such as a disk. This can be considered a virtual page. If the data requested by the system is not currently in main memory, a page fault is taken. This condition triggers the OS handler. If the virtual address is a valid one, the OS will locate the physical page, put the right information in that page, update the translation table, and then try the request again. Some other page might be swapped out to make room. Each process may have its own separate virtual address space along with its own mappings and protections.

Question 5

Which Orange book security rating introduces the object reuse protection?

Answer 5

C2

Question 6

What does the Clark-Wilson security model focus on?

Answer 6

The Clark-Wilson model addresses integrity. It incorporates mechanisms to enforce internal and external consistency, a separation of duty, and a mandatory integrity policy.

Question 7

In access control terms, the word “dominate” refers to which of the following?

Answer 7

Higher or equal to access class. The reason is the term dominates refers to a subject being authorized to perform an operation if the access class of the subject is higher or dominates the access class of the object requested. This is the best answer for the term “dominates” in access control.

If a subject wishes to access an object, his security clearance must be equal or higher than the object he’s accessing.

Question 8

The full list of assurance requirements for the Evaluation Assurance Levels

Answer 8

EAL 1: The product is functionally tested; this is sought when some assurance in accurate operation is necessary, but the threats to security are not seen as serious.
EAL 2: Structurally tested; this is sought when developers or users need a low to moderate level of independently guaranteed security.
EAL 3: Methodically tested and checked; this is sought when there is a need for a moderate level of independently ensured security.
EAL 4: Methodically designed, tested, and reviewed; this is sought when developers or users require a moderate to high level of independently ensured security.
EAL 5: Semiformally designed and tested; this is sought when the requirement is for a high level of independently ensured security.
EAL 6: Semiformally verified, designed, and tested; this is sought when developing specialized TOEs for high-risk situations.
EAL 7: Formally verified, designed, and tested; this is sought when developing a security TOE for application in extremely high-risk situations.

Question 9

Trust level of Orange Book from low to high

Answer 9

The trust levels run from D (lowest) to A (highest). Within each level, a number can indicate differing requirements with higher numbers indicating a higher level of trust. The order from the least secure to the most secure is: D, C1, C2, B1, B2, B3, A1. See the one page resume at the link provided below.

Question 10

Which Orange book security rating introduces the object reuse protection?

Answer 10

C2

Question 11

Which Orange book security rating introduces security labels?

Answer 11

B1 is also called “Labeled Security” and each data object must have a classification label and each subject a clearence label. On each access attempt, the classification and clearence are checked to verify that the access is permissable.

B2 is also called “Structured Protection” and imposes additional controls on security policy and a more thorough review of system design and implementation.

B3 is also called “Security Domains” and and imposes more granularity in each protection mechanism

Question 12

Which Orange book security rating is the FIRST to be concerned with covert channels?

Answer 12

B2

https://www.freepracticetests.org/images/tcsec.jpg

Question 13

Differences between TCB and security kernel

Answer 13

The Trusted Computing Base (TCB) is defined as the total combination of protection mechanisms within a computer system. The TCB includes hardware, software, and firmware. These are part of the TCB because the system is sure that these components will enforce the security policy and not violate it.
The security kernel implements and enforces the reference monitor concept.

Question 14

According to the Orange Book, which security level is the first to require a system to support separate operator and system administrator roles?

Answer 14

B2

Question 15

Wildcard Certificate

Answer 15

The correct answer is: Wildcard Certificate

Purchasing a single certificate for each of your domains and subdomains can be an expensive proposal but you can purchase a type of certificate called a Wildcard Certificate.

Examples of a wildcard certificate for a sample *.company.com:
legal.company.com
finance.company.com
personnel.company.com
Wildcard Certificates only cover one domain below the main domain so further subdomains like manager.personnel.company.com wouldn’t be valid.

You can use a wildcard certificate on each subdomain but if any one gets stolen or otherwise compromised you must replace ALL certificates on all subdomain systems. That’s the risk of using wildcard certificates.

Question 16

DRAM vs SRAM

Answer 16

Static Random Access Memory (SRAM) is fast, expensive memory that uses small latches called “flip-flops” to store bits. Dynamic Random Access Memory (DRAM) stores bits in small capacitors (like small batteries), and is slower and cheaper than SRAM. The capacitors used by DRAM leak charge, and must be continually refreshed to maintain integrity, typically every few to a few hundred milliseconds, depending on the type of DRAM. Refreshing reads and writes the bits back to memory. SRAM does not require refreshing, and maintains integrity as long as power is supplied.

Question 17

Key test points about Clark-Wilson model?

Answer 17

Clark-Wilson requires that users are authorized to access and modify data. It also requires that data is modified in only authorized ways.

Clark-Wilson enforces the concept of a separation of duties and transformation procedures within the system.

Question 18

Trusted Distribution

Answer 18

To ensure that the Trusted Computing Base is not tampered with during shipment or installation.

Question 19

Identify-Based Access Control

Answer 19

An identity-based access control is an example of discretionary access control that is based on an individual’s identity. Identity-based access control (IBAC) is access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.
Rule Based Access Control (RuBAC) and Role Based Access Control (RBAC) are examples of non-discretionary access controls.
Rule-based access control is a type of non-discretionary access control because this access is determined by rules and the subject does not decide what those rules will be, the rules are uniformly applied to ALL of the users or subjects.
In general, all access control policies other than DAC are grouped in the category of non-discretionary access control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action.
Both Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC) fall within Non Discretionary Access Control (NDAC). If it is not DAC or MAC then it is most likely NDAC.

Question 20

monolithic kernel vs Microkernels

Answer 20

monolithic kernel is compiled into one static executable and the entire kernel runs in supervisor mode. All functionality required by a monolithic kernel must be precompiled in. If you have a monolithic kernel that does not support FireWire interfaces, for example, and insert a FireWire device into the system, the device will not operate. The kernel would need to be recompiled to support FireWire devices.

Microkernels are modular kernels. A microkernel is usually smaller and has less native functionality than a typical monolithic kernel (hence the term “micro”), but can add functionality via loadable kernel modules. Microkernels may also run kernel modules in user mode (usually ring 3), instead of supervisor mode. Using our previous example, a native microkernel does not support FireWire. You insert a FireWire device, the kernel loads the FireWire kernel module, and the device operates

Question 21

Type 1 vs type 2 hypervisor

Answer 21

The key to virtualization security is the hypervisor, which controls access between virtual guests and host hardware.

A Type 1 hypervisor (also called bare metal) is part of an operating system that runs directly on host hardware.

A Type 2 hypervisor runs as an application on a normal operating system, such as Windows 10. For example: VMware ESX is a Type 1 hypervisor and VMware Workstation is Type 2.

Question 22

Cache Memory

Answer 22

Cache memory is a type RAM that holds specific information that is accessed often.

Question 23

Layering

Answer 23

Layering separates hardware and software functionality into modular tiers. The complexity of an issue such as reading a sector from a disk drive is contained to one layer (the hardware layer in this case). One layer (such as the application layer) is not directly affected by a change to another. Changing from an IDE (Integrated Drive Electronics) disk drive to a SCSI (Small Computer System Interface) drive has no effect on an application that saves a file. Those details are contained within one layer, and may affect the adjoining layer only

Question 24

Example Cloud Service Levels

Answer 24

Type Example
Infrastructure as a Service (IaaS) Linux server hosting
Platform as a Service (PaaS) Web service hosting
Software as a Service (SaaS) Web mail

Question 25

Functions with using special registers

Answer 25

Special registers (dedicated registers) hold information such as the program counter, stack pointer, and program status word (PSW)

Question 26

Harrison-Ruzzo-Ullman model

Answer 26

It outlines how access rights can be changed and how subjects and objects should be created and deleted.

Question 27

At which of the Orange Book evaluation levels is configuration management required?

Answer 27

B2

Question 28

Which security model uses division of operations into different parts and requires different users to perform each part?

Answer 28

The Clark-Wilson model uses separation of duties, which divides an operation into different parts and requires different users to perform each part. This prevents authorized users from making unauthorized modifications to data, thereby protecting its integrity.
The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system.
The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules.

Question 29

TCSEC modes

Answer 29

The TCSEC defines four divisions: D, C, B and A where division A has the highest security.

Each division represents a significant difference in the trust an individual or organization can place on the evaluated system. Additionally divisions C, B and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1.
Each division and class expands or modifies as indicated the requirements of the immediately prior division or class.
D — Minimal protection
Reserved for those systems that have been evaluated but that fail to meet the requirements for a higher division
C — Discretionary protection
C1 — Discretionary Security Protection
Identification and authentication
Separation of users and data
Discretionary Access Control (DAC) capable of enforcing access limitations on an individual basis
Required System Documentation and user manuals
C2 — Controlled Access Protection
More finely grained DAC
Individual accountability through login procedures
Audit trails
Object reuse
Resource isolation
B — Mandatory protection
B1 — Labeled Security Protection
Informal statement of the security policy model
Data sensitivity labels
Mandatory Access Control (MAC) over selected subjects and objects
Label exportation capabilities
All discovered flaws must be removed or otherwise mitigated
Design specifications and verification
B2 — Structured Protection
Security policy model clearly defined and formally documented
DAC and MAC enforcement extended to all subjects and objects
Covert storage channels are analyzed for occurrence and bandwidth
Carefully structured into protection-critical and non-protection-critical elements
Design and implementation enable more comprehensive testing and review
Authentication mechanisms are strengthened
Trusted facility management is provided with administrator and operator segregation
Strict configuration management controls are imposed
B3 — Security Domains
Satisfies reference monitor requirements
Structured to exclude code not essential to security policy enforcement
Significant system engineering directed toward minimizing complexity
Security administrator role defined
Audit security-relevant events
Automated imminent intrusion detection, notification, and response
Trusted system recovery procedures
Covert timing channels are analyzed for occurrence and bandwidth
An example of such a system is the XTS-300, a precursor to the XTS-400
A — Verified protection
A1 — Verified Design
Functionally identical to B3
Formal design and verification techniques including a formal top-level specification
Formal management and distribution procedures
An example of such a system is Honeywell’s Secure Communications Processor SCOMP, a precursor to the XTS-400

Question 30

Security Kernel

Answer 30

A security kernel is defined as the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept. A reference monitor is a system component that enforces access controls on an object. A protection domain consists of the execution and memory space assigned to each process. The use of protection rings is a scheme that supports multiple protection domains.

Question 31

The Brewer and Nash model

Answer 31

The Brewer and Nash model was constructed to provide information security access controls that can change dynamically. This security model, also known as the Chinese wall model, was designed to provide controls that mitigate conflict of interest in commercial organizations, and is built upon an information flow model.

Question 32

Multistate

Answer 32

A system is operating as a Multistate system when it permits two or more classification levels of information to be processed at the same time. This does not mean, all the users have clearance or formal approval to access all the information being processed by the system.

Question 33

Strong tranquility property

Answer 33

Bell-LaPadula models have rigid security policies that are built to ensure confidentiality. The strong tranquility property is an inflexible mechanism that enforces the consistent security classification of an object.

Question 34

Firmware

Answer 34

Firmware is a type of software that is held in a ROM or EROM chip. It is usually used to allow the computer to communicate with some type of peripheral devices. The systems BIOS instructions are also held in firmware on the motherboard. In most situations, firmware cannot be modified unless someone has physical access to the system.

Question 35

TPEP

Answer 35

In TCSEC, products are submitted to the National Security Centre (NCSC) and ultimately published in the Evaluation Product List (EPL). The act of rating a product’s security capabilities is called the Trusted Products Evaluation Program. (TPEP)

Question 36

DEP (Data Execution Prevention)

Answer 36

Is a security feature included in modern operating systems. It is intended to prevent a process from executing code from a no executable memory region. This helps prevent certain exploits that store code via buffer overflow.

Question 37

Garbage Collector

Answer 37

Is a software that runs an algorithm to identify unused committed memory and then tells the operating system to mark the memory as “available”

Question 38

Control Unit

Answer 38

The control unit is the component that fetches the code, interprets the code, and oversees the execution of the different instruction sets. It manages and synchronizes the system while different applications’ code and operating system instructions are being executed.

Question 39

General register vs special register

Answer 39

General registers are used to hold variables and temporary results as the ALU works through its execution steps. General registers are like the ALU’s scratch pad, which it uses while working. Special registers hold information such as program counter, stack pointer, and program status word (PSW).

Question 40

Interrupted processes security issue

Answer 40

Interrupted processes can create security breaches when the current process is given a clearance level of the previous process.

Question 41

Trusted computing system

Answer 41

Anti-virus and spyware utilities are generally not considered an integral part of a trusted computer but rather add-on features.

Question 42

Cooperative mode

Answer 42

In cooperative mode, the application manages the resources of the computer system, for example CPU’s.

Question 43

The program counter

Answer 43

The program counter register contains the memory address of the next instruction to be fetched. After the instruction is executed, the program counter is updated with the memory address of the next instruction set to be processed.

Question 44

Pre-emptive multitasking mode

Answer 44

A system that is operating in pre-emptive multitasking mode uses the operating system to manage the resources.

Question 45

Multitasking

Answer 45

Multitasking is a term that describes an activity where a user performs two or more tasks (or processes) at once. An example of this is a system that allows two different programs to be open and working at once.

Multitasking is a characteristics of an operating system, not a CPU.

Question 46

Dedicated register vs status register

Answer 46

Dedicated registers are program counters that point to memory locations which hold the next instruction.

Status registers hold state information.

Question 47

A process is suspended and waiting for an available time slot on the CPU or waiting for an event to occur. What is this?

Answer 47

Sleep state

Question 48

EEPROM vs EPROM vs PROM

Answer 48

PROM is a memory type can be altered only once. EPROM and EEPROM can both be altered over and over again.

Question 49

Virtual memory simulates what?

Answer 49

Virtual memory is also known as paging or swapping, uses storage disk space to simulate RAM.

Question 50

Primary vs Secondary vs Virtual vs Real storage

Answer 50

Primary storage is the computers main memory and can be accessed the fastest.

Secondary storage retains information even when power is turned down. It is used typically for storing applications/program instructions.

Virtual memory extends or simulates RAM.

Real storage is the process of giving a program a definite storage allocation in memory.

Question 51

Ensuring that a process does what it is intended to do every time is what kind of concept?

Answer 51

The Clark Wilson model’s one idea is the internal consistency concept. This says that computing processes always do what they are intended to do, which ensures data integrity.

Question 52

Execution Domain Switching Function

Answer 52

The TCB allows processes to switch between domains in a secure manner in order to access different levels of information. This function is known as the execution domain switch function.

Question 53

When a system to be operated in problem state, what does this mean?

Answer 53

Problem state means that an application code is executing, and the system is in the process of solving the problems or challenges presented by that application.

Question 54

Trusted recovery is first introduced in what classification in the Orange Book?

Answer 54

B3

Question 55

Trusted facility management

Answer 55

Trusted Facility Management centralizes privileged processing to a supervisory role.

Question 56

Which Orange Book classification requires the evaluation of the reference monitor?

Answer 56

B3 deals with security domains, and requires that the integrity of the reference monitor to be checked to prove that it is small enough to be tested thoroughly and tamper proof.

Question 57

Concept of encapsulation of objects

Answer 57

When a process is encapsulated, no other processes understands or interacts with its internal programming code. When process A needs to communicate with with process B, process A just needs to know how to communicate with process B’s interface.

Question 58

ISO/IEC 42010 is an international standard that outlines specifications for system architecture frameworks and architecture languages. It allows for systems to be developed in a manner that addresses all of the stakeholder’s concerns.

Answer 58

N/A