Chapter 8 Principles of Security Models, Design, and Capabilities Flashcards
What is the difference between subjects and objects?
The subject is the active entity that makes a request to access a resource. A subject can be a user, process, program, computer, or organization. The object is the passive entity that the subject wants to access. Access is the relationship between the subject and object, which could include reading, writing, changing, deleting, printing, moving, backing up, etc.
The actual entities being referenced are specific to an individual access request. The entity that is the object in one request could be the subject in another.
Leads into transitive trust. If A trusts B and B trusts C, A inherits trust of C. This can be a security issue: you may block certain sites, but if you allow access to a VPN, and the VPN allows access to those sites, people have access to those sites through transitive trust.
What is privacy by design?
PbD. A guideline to integrate privacy protections into products during the early design phase instead of doing it at the end. Seven key principles:
–proactive, not reactive
–privacy as the default
–privacy embedded into design
–full functionality, aka positive sum, not zero sum
–end-to-end security
–visibility and transparency
–respect for user privacy
What is confinement?
Process confinement allows a process to read from and write to only certain memory locations and resources. AKA sandboxing. Applies the principle of least privilege. Can be implemented in the OS, through an application or service, or through a hypervisor.
What are bounds?
Each process that runs on the system is assigned an authority level. In simple systems, it may only be user and kernel. The bounds of a process consist of limits set on the memory addresses and resources it can access. In most systems, the bounds segment logical areas of memory for each process. Physical bounds require each bounded process to run in an area of memory that is separate from other processes. This can be more expensive but is more secure.
What is isolation?
When a process is confined through enforcing access bounds, that process runs in isolation. Process isolation ensures any behavior will affect only the memory and resources associated with the isolated process. Isolation is used to protect the operating environment, the kernel of the operating system, and other independent applications.
Confinement is making sure that an active process can only access certain resources, bounds are the limits of authorization assigned to a process, and isolation is the means by which confinement is implemented through the use of bounds.
What is a security model?
Provides a way for designers to map abstract statements into a security policy that prescribes the algorithms and data structures necessary to build hardware and software.
What are tokens, capability lists, and labels?
Tokens are separate objects that are associated with resources and describe their security attributes. A token can communicate security information about an object prior to requesting access to the actual object. Various lists are used to store security information about multiple objects.
A capabilities list maintains a row of security attributes for each controlled object. Not as flexible as tokens, but offers quicker lookups when a subject requests access to an object.
A label is a permanent part of the object to which it is attached. Once it is set, it cannot be altered. This provides a safeguard against tampering that the other models do not.
What is the Trusted Computing Base?
The TCB principle is the combination of hardware, software, and controls that work together to form a trusted base to enforce your security policy. It is a subset of the overall computing system, and should be as small as possible so that a detailed analysis can reasonably ensure it meets requirements. It is the only portion of the system that can be trusted to adhere to and enforce security policy.
What is the security perimeter?
An imaginary boundary that separates the TCB from the rest of the system. It ensures that no insecure communications or interactions happen between the TCB and everything else. The TCB must create secure channels, aka trusted paths, to communicate out.
The perimeter may allow for the use of a trusted shell, which allows the subject to perform command line operations without risk to the TCB. The subject cannot break out of isolation to affect the TCB.
What is the reference monitor?
The part of the TCB that validates access to every resource before granting access. It stands between every subject and object, verifies the subject’s credentials meet the object’s requirements, and acts as the access control monitor.
What is the security kernel?
The collection of components in the TCB that implement the reference monitor functions is called the security kernel. The kernel launches appropriate components to enforce reference monitor functionality.
What is the state machine model?
A system that is always secure no matter what state it is in. It is based on the computer science definition of a “finite state machine.” An FSM combines an external input with an internal machine state to model all kinds of complex systems. Given an input and a state, an FSM transitions to another state and may create an output.
Next state = F(input, current state).
Output = F(input, current state).
A state is a snapshot of a system at a specific moment in time. If all aspects of a state meet the requirements of the security policy, it is considered secure. A transition occurs when accepting input or producing output, and always results in a new state. If each possible state transition results in another secure state, it is known as a secure state machine.
What is an information flow model?
Based on the state machine model. Doesn’t just address the direction of flow, but also the type of flow. Designed to prevent unauthorized, insecure, or restricted information flow, often between different levels of security. Can be between subjects and objects at the same or different classification levels. Used to establish a relationship between two versions or states of the same object when those two versions or states exist at different points of time. Excludes all undefined flow pathways.
What is the noninterference model?
Loosely based on the information flow model. It is more concerned about how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower level. You don’t want the lower system to be able to see what is going on at higher classifications.
What is the Take Grant Model?
Employs a directed graph to dictate how rights can be passed from one subject to another or from a subject to an object. A subject with the grant right can grant any other object or subject any right it possesses, and a subject with the take right can take a right from another subject. There are also a create rule and a remove rule. Basically, using these rules lets you figure out when rights in the system can change and where leakage can occur.