Chapter 8 - Principles Of Security Models, Design, and Capabilities Flashcards
Confinement
Process confinement allows a process to read from and write to only certain memory locations and resources. This is also called sandboxing.
Definition of state machine model and examples of security models?
The state machine model describes a system that is always secure no matter what state it is in. Bell-LaPadula and Biba are security models built on a state machine model.
Declassification Process
Declassification is the process of moving an object into a lower level of classification once it is determined that it no longer justifies being placed at a higher level. Only a trusted subject can perform declassification because this action is a violation of the verbiage of the star property of Bell-LaPadula, but not the spirit or intent, which is to prevent unauthorized disclosure.
Concept of the virtual storage
Virtual storage a service provided by the operating system where it uses a combination of RAM and disk storage to simulate a much larger address space than is actually present. Infrequently used portions of memory are paged out by being written to secondary storage and paged back in when required by a running program.
Most OS’s have the ability to simulate having more main memory than is physically available in the system. This is done by storing part of the data on secondary storage, such as a disk. This can be considered a virtual page. If the data requested by the system is not currently in main memory, a page fault is taken. This condition triggers the OS handler. If the virtual address is a valid one, the OS will locate the physical page, put the right information in that page, update the translation table, and then try the request again. Some other page might be swapped out to make room. Each process may have its own separate virtual address space along with its own mappings and protections.
Which Orange book security rating introduces the object reuse protection?
C2
What does the Clark-Wilson security model focus on?
The Clark-Wilson model addresses integrity. It incorporates mechanisms to enforce internal and external consistency, a separation of duty, and a mandatory integrity policy.
In access control terms, the word “dominate” refers to which of the following?
Higher or equal to access class. The reason is the term dominates refers to a subject being authorized to perform an operation if the access class of the subject is higher or dominates the access class of the object requested. This is the best answer for the term “dominates” in access control.
If a subject wishes to access an object, his security clearance must be equal or higher than the object he’s accessing.
The full list of assurance requirements for the Evaluation Assurance Levels
EAL 1: The product is functionally tested; this is sought when some assurance in accurate operation is necessary, but the threats to security are not seen as serious.
EAL 2: Structurally tested; this is sought when developers or users need a low to moderate level of independently guaranteed security.
EAL 3: Methodically tested and checked; this is sought when there is a need for a moderate level of independently ensured security.
EAL 4: Methodically designed, tested, and reviewed; this is sought when developers or users require a moderate to high level of independently ensured security.
EAL 5: Semiformally designed and tested; this is sought when the requirement is for a high level of independently ensured security.
EAL 6: Semiformally verified, designed, and tested; this is sought when developing specialized TOEs for high-risk situations.
EAL 7: Formally verified, designed, and tested; this is sought when developing a security TOE for application in extremely high-risk situations.
Trust level of Orange Book from low to high
The trust levels run from D (lowest) to A (highest). Within each level, a number can indicate differing requirements with higher numbers indicating a higher level of trust. The order from the least secure to the most secure is: D, C1, C2, B1, B2, B3, A1. See the one page resume at the link provided below.
Which Orange book security rating introduces the object reuse protection?
C2
Which Orange book security rating introduces security labels?
B1 is also called “Labeled Security” and each data object must have a classification label and each subject a clearence label. On each access attempt, the classification and clearence are checked to verify that the access is permissable.
B2 is also called “Structured Protection” and imposes additional controls on security policy and a more thorough review of system design and implementation.
B3 is also called “Security Domains” and and imposes more granularity in each protection mechanism
Which Orange book security rating is the FIRST to be concerned with covert channels?
B2
https://www.freepracticetests.org/images/tcsec.jpg
Differences between TCB and security kernel
The Trusted Computing Base (TCB) is defined as the total combination of protection mechanisms within a computer system. The TCB includes hardware, software, and firmware. These are part of the TCB because the system is sure that these components will enforce the security policy and not violate it.
The security kernel implements and enforces the reference monitor concept.
According to the Orange Book, which security level is the first to require a system to support separate operator and system administrator roles?
B2
Wildcard Certificate
The correct answer is: Wildcard Certificate
Purchasing a single certificate for each of your domains and subdomains can be an expensive proposal but you can purchase a type of certificate called a Wildcard Certificate.
Examples of a wildcard certificate for a sample *.company.com:
legal.company.com
finance.company.com
personnel.company.com
Wildcard Certificates only cover one domain below the main domain so further subdomains like manager.personnel.company.com wouldn’t be valid.
You can use a wildcard certificate on each subdomain but if any one gets stolen or otherwise compromised you must replace ALL certificates on all subdomain systems. That’s the risk of using wildcard certificates.
DRAM vs SRAM
Static Random Access Memory (SRAM) is fast, expensive memory that uses small latches called “flip-flops” to store bits. Dynamic Random Access Memory (DRAM) stores bits in small capacitors (like small batteries), and is slower and cheaper than SRAM. The capacitors used by DRAM leak charge, and must be continually refreshed to maintain integrity, typically every few to a few hundred milliseconds, depending on the type of DRAM. Refreshing reads and writes the bits back to memory. SRAM does not require refreshing, and maintains integrity as long as power is supplied.
Key test points about Clark-Wilson model?
Clark-Wilson requires that users are authorized to access and modify data. It also requires that data is modified in only authorized ways.
Clark-Wilson enforces the concept of a separation of duties and transformation procedures within the system.
Trusted Distribution
To ensure that the Trusted Computing Base is not tampered with during shipment or installation.
Identify-Based Access Control
An identity-based access control is an example of discretionary access control that is based on an individual’s identity. Identity-based access control (IBAC) is access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.
Rule Based Access Control (RuBAC) and Role Based Access Control (RBAC) are examples of non-discretionary access controls.
Rule-based access control is a type of non-discretionary access control because this access is determined by rules and the subject does not decide what those rules will be, the rules are uniformly applied to ALL of the users or subjects.
In general, all access control policies other than DAC are grouped in the category of non-discretionary access control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action.
Both Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC) fall within Non Discretionary Access Control (NDAC). If it is not DAC or MAC then it is most likely NDAC.
monolithic kernel vs Microkernels
monolithic kernel is compiled into one static executable and the entire kernel runs in supervisor mode. All functionality required by a monolithic kernel must be precompiled in. If you have a monolithic kernel that does not support FireWire interfaces, for example, and insert a FireWire device into the system, the device will not operate. The kernel would need to be recompiled to support FireWire devices.
Microkernels are modular kernels. A microkernel is usually smaller and has less native functionality than a typical monolithic kernel (hence the term “micro”), but can add functionality via loadable kernel modules. Microkernels may also run kernel modules in user mode (usually ring 3), instead of supervisor mode. Using our previous example, a native microkernel does not support FireWire. You insert a FireWire device, the kernel loads the FireWire kernel module, and the device operates
Type 1 vs type 2 hypervisor
The key to virtualization security is the hypervisor, which controls access between virtual guests and host hardware. A Type 1 hypervisor (also called bare metal) is part of an operating system that runs directly on host hardware. A Type 2 hypervisor runs as an application on a normal operating system, such as Windows 10. For example: VMware ESX is a Type 1 hypervisor and VMware Workstation is Type 2.
Cache Memory
Cache memory is a type RAM that holds specific information that is accessed often.
Layering
Layering separates hardware and software functionality into modular tiers. The complexity of an issue such as reading a sector from a disk drive is contained to one layer (the hardware layer in this case). One layer (such as the application layer) is not directly affected by a change to another. Changing from an IDE (Integrated Drive Electronics) disk drive to a SCSI (Small Computer System Interface) drive has no effect on an application that saves a file. Those details are contained within one layer, and may affect the adjoining layer only