Chapter 8 - Principles Of Security Models, Design, and Capabilities Flashcards

1
Q

Confinement

A

Process confinement allows a process to read from and write to only certain memory locations and resources. This is also called sandboxing.

2
Q

Definition of state machine model and examples of security models?

A

The state machine model describes a system that is always secure no matter what state it is in. Bell-LaPadula and Biba are security models built on a state machine model.

3
Q

Declassification Process

A

Declassification is the process of moving an object into a lower level of classification once it is determined that it no longer justifies being placed at a higher level. Only a trusted subject can perform declassification because this action is a violation of the verbiage of the star property of Bell-LaPadula, but not the spirit or intent, which is to prevent unauthorized disclosure.

4
Q

Concept of the virtual storage

A

Virtual storage is a service provided by the operating system in which it uses a combination of RAM and disk storage to simulate a much larger address space than is actually present. Infrequently used portions of memory are paged out by being written to secondary storage and paged back in when required by a running program.

Most OS’s have the ability to simulate having more main memory than is physically available in the system. This is done by storing part of the data on secondary storage, such as a disk. This can be considered a virtual page. If the data requested by the system is not currently in main memory, a page fault is taken. This condition triggers the OS handler. If the virtual address is a valid one, the OS will locate the physical page, put the right information in that page, update the translation table, and then try the request again. Some other page might be swapped out to make room. Each process may have its own separate virtual address space along with its own mappings and protections.

5
Q

Which Orange book security rating introduces the object reuse protection?

A

C2

6
Q

What does the Clark-Wilson security model focus on?

A

The Clark-Wilson model addresses integrity. It incorporates mechanisms to enforce internal and external consistency, a separation of duty, and a mandatory integrity policy.

7
Q

In access control terms, the word “dominate” refers to which of the following?

A

Higher or equal to access class. The term "dominates" refers to a subject being authorized to perform an operation if the access class of the subject is higher than, or dominates, the access class of the object requested. This is the best answer for the term "dominates" in access control.

If a subject wishes to access an object, his security clearance must be equal or higher than the object he’s accessing.

8
Q

The full list of assurance requirements for the Evaluation Assurance Levels

A

EAL 1: The product is functionally tested; this is sought when some assurance in accurate operation is necessary, but the threats to security are not seen as serious.
EAL 2: Structurally tested; this is sought when developers or users need a low to moderate level of independently guaranteed security.
EAL 3: Methodically tested and checked; this is sought when there is a need for a moderate level of independently ensured security.
EAL 4: Methodically designed, tested, and reviewed; this is sought when developers or users require a moderate to high level of independently ensured security.
EAL 5: Semiformally designed and tested; this is sought when the requirement is for a high level of independently ensured security.
EAL 6: Semiformally verified, designed, and tested; this is sought when developing specialized TOEs for high-risk situations.
EAL 7: Formally verified, designed, and tested; this is sought when developing a security TOE for application in extremely high-risk situations.

9
Q

Trust level of Orange Book from low to high

A

The trust levels run from D (lowest) to A (highest). Within each level, a number can indicate differing requirements with higher numbers indicating a higher level of trust. The order from the least secure to the most secure is: D, C1, C2, B1, B2, B3, A1. See the one page resume at the link provided below.

11
Q

Which Orange book security rating introduces security labels?

A

B1 is also called "Labeled Security": each data object must have a classification label and each subject a clearance label. On each access attempt, the classification and clearance are checked to verify that the access is permissible.

B2 is also called “Structured Protection” and imposes additional controls on security policy and a more thorough review of system design and implementation.

B3 is also called "Security Domains" and imposes more granularity in each protection mechanism.

12
Q

Which Orange book security rating is the FIRST to be concerned with covert channels?

A

B2

https://www.freepracticetests.org/images/tcsec.jpg

13
Q

Differences between TCB and security kernel

A

The Trusted Computing Base (TCB) is defined as the total combination of protection mechanisms within a computer system. The TCB includes hardware, software, and firmware. These are part of the TCB because the system is sure that these components will enforce the security policy and not violate it.
The security kernel implements and enforces the reference monitor concept.

14
Q

According to the Orange Book, which security level is the first to require a system to support separate operator and system administrator roles?

A

B2

15
Q

Wildcard Certificate

A

The correct answer is: Wildcard Certificate

Purchasing a separate certificate for each of your domains and subdomains can be an expensive proposition, but you can instead purchase a type of certificate called a Wildcard Certificate.

Examples of a wildcard certificate for a sample *.company.com:
legal.company.com
finance.company.com
personnel.company.com
Wildcard Certificates only cover one domain below the main domain so further subdomains like manager.personnel.company.com wouldn’t be valid.

You can use a wildcard certificate on each subdomain but if any one gets stolen or otherwise compromised you must replace ALL certificates on all subdomain systems. That’s the risk of using wildcard certificates.

16
Q

DRAM vs SRAM

A

Static Random Access Memory (SRAM) is fast, expensive memory that uses small latches called “flip-flops” to store bits. Dynamic Random Access Memory (DRAM) stores bits in small capacitors (like small batteries), and is slower and cheaper than SRAM. The capacitors used by DRAM leak charge, and must be continually refreshed to maintain integrity, typically every few to a few hundred milliseconds, depending on the type of DRAM. Refreshing reads and writes the bits back to memory. SRAM does not require refreshing, and maintains integrity as long as power is supplied.

17
Q

Key test points about Clark-Wilson model?

A

Clark-Wilson requires that users are authorized to access and modify data. It also requires that data is modified in only authorized ways.

Clark-Wilson enforces the concept of a separation of duties and transformation procedures within the system.

18
Q

Trusted Distribution

A

To ensure that the Trusted Computing Base is not tampered with during shipment or installation.

19
Q

Identity-Based Access Control

A

An identity-based access control is an example of discretionary access control that is based on an individual’s identity. Identity-based access control (IBAC) is access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.
Rule-Based Access Control (RuBAC) and Role-Based Access Control (RBAC) are examples of non-discretionary access controls.
Rule-based access control is a type of non-discretionary access control because access is determined by rules and the subject does not decide what those rules will be; the rules are uniformly applied to ALL of the users or subjects.
In general, all access control policies other than DAC are grouped in the category of non-discretionary access control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action.
Both Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC) fall within Non Discretionary Access Control (NDAC). If it is not DAC or MAC then it is most likely NDAC.

20
Q

monolithic kernel vs Microkernels

A

A monolithic kernel is compiled into one static executable and the entire kernel runs in supervisor mode. All functionality required by a monolithic kernel must be precompiled in. If you have a monolithic kernel that does not support FireWire interfaces, for example, and insert a FireWire device into the system, the device will not operate. The kernel would need to be recompiled to support FireWire devices.

Microkernels are modular kernels. A microkernel is usually smaller and has less native functionality than a typical monolithic kernel (hence the term "micro"), but can add functionality via loadable kernel modules. Microkernels may also run kernel modules in user mode (usually ring 3) instead of supervisor mode. Using our previous example, a native microkernel does not support FireWire. You insert a FireWire device, the kernel loads the FireWire kernel module, and the device operates.

21
Q

Type 1 vs type 2 hypervisor

A

The key to virtualization security is the hypervisor, which controls access between virtual guests and host hardware. A Type 1 hypervisor (also called bare metal) is part of an operating system that runs directly on host hardware. A Type 2 hypervisor runs as an application on a normal operating system, such as Windows 10. For example: VMware ESX is a Type 1 hypervisor and VMware Workstation is Type 2.

22
Q

Cache Memory

A

Cache memory is a type of RAM that holds specific information that is accessed often.

23
Q

Layering

A

Layering separates hardware and software functionality into modular tiers. The complexity of an issue such as reading a sector from a disk drive is contained to one layer (the hardware layer in this case). One layer (such as the application layer) is not directly affected by a change to another. Changing from an IDE (Integrated Drive Electronics) disk drive to a SCSI (Small Computer System Interface) drive has no effect on an application that saves a file. Those details are contained within one layer, and may affect the adjoining layer only.

24
Q

Example Cloud Service Levels

A

Type                                  Example
Infrastructure as a Service (IaaS)    Linux server hosting
Platform as a Service (PaaS)          Web service hosting
Software as a Service (SaaS)          Web mail

25
Q

Functions with using special registers

A

Special registers (dedicated registers) hold information such as the program counter, stack pointer, and program status word (PSW).

26
Q

Harrison-Ruzzo-Ullman model

A

It outlines how access rights can be changed and how subjects and objects should be created and deleted.

27
Q

At which of the Orange Book evaluation levels is configuration management required?

A

B2

28
Q

Which security model uses division of operations into different parts and requires different users to perform each part?

A

The Clark-Wilson model uses separation of duties, which divides an operation into different parts and requires different users to perform each part. This prevents authorized users from making unauthorized modifications to data, thereby protecting its integrity.
The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system.
The model is primarily concerned with formalizing the notion of information integrity. Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules.

29
Q

TCSEC modes

A

The TCSEC defines four divisions: D, C, B and A where division A has the highest security.

Each division represents a significant difference in the trust an individual or organization can place in the evaluated system. Additionally, divisions C, B and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1.
Each division and class expands or modifies, as indicated, the requirements of the immediately prior division or class.
D — Minimal protection
Reserved for those systems that have been evaluated but that fail to meet the requirements for a higher division
C — Discretionary protection
C1 — Discretionary Security Protection
Identification and authentication
Separation of users and data
Discretionary Access Control (DAC) capable of enforcing access limitations on an individual basis
Required System Documentation and user manuals
C2 — Controlled Access Protection
More finely grained DAC
Individual accountability through login procedures
Audit trails
Object reuse
Resource isolation
B — Mandatory protection
B1 — Labeled Security Protection
Informal statement of the security policy model
Data sensitivity labels
Mandatory Access Control (MAC) over selected subjects and objects
Label exportation capabilities
All discovered flaws must be removed or otherwise mitigated
Design specifications and verification
B2 — Structured Protection
Security policy model clearly defined and formally documented
DAC and MAC enforcement extended to all subjects and objects
Covert storage channels are analyzed for occurrence and bandwidth
Carefully structured into protection-critical and non-protection-critical elements
Design and implementation enable more comprehensive testing and review
Authentication mechanisms are strengthened
Trusted facility management is provided with administrator and operator segregation
Strict configuration management controls are imposed
B3 — Security Domains
Satisfies reference monitor requirements
Structured to exclude code not essential to security policy enforcement
Significant system engineering directed toward minimizing complexity
Security administrator role defined
Audit security-relevant events
Automated imminent intrusion detection, notification, and response
Trusted system recovery procedures
Covert timing channels are analyzed for occurrence and bandwidth
An example of such a system is the XTS-300, a precursor to the XTS-400
A — Verified protection
A1 — Verified Design
Functionally identical to B3
Formal design and verification techniques including a formal top-level specification
Formal management and distribution procedures
An example of such a system is Honeywell’s Secure Communications Processor SCOMP, a precursor to the XTS-400

30
Q

Security Kernel

A

A security kernel is defined as the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept. A reference monitor is a system component that enforces access controls on an object. A protection domain consists of the execution and memory space assigned to each process. The use of protection rings is a scheme that supports multiple protection domains.

31
Q

The Brewer and Nash model

A

The Brewer and Nash model was constructed to provide information security access controls that can change dynamically. This security model, also known as the Chinese wall model, was designed to provide controls that mitigate conflict of interest in commercial organizations, and is built upon an information flow model.

32
Q

Multistate

A

A system is operating as a multistate system when it permits two or more classification levels of information to be processed at the same time. This does not mean that all the users have clearance or formal approval to access all the information being processed by the system.

33
Q

Strong tranquility property

A

Bell-LaPadula models have rigid security policies that are built to ensure confidentiality. The strong tranquility property is an inflexible mechanism that enforces the consistent security classification of an object.

34
Q

Firmware

A

Firmware is a type of software that is held in a ROM or EROM chip. It is usually used to allow the computer to communicate with some type of peripheral device. The system's BIOS instructions are also held in firmware on the motherboard. In most situations, firmware cannot be modified unless someone has physical access to the system.

35
Q

TPEP

A

In TCSEC, products are submitted to the National Security Centre (NCSC) and ultimately published in the Evaluated Products List (EPL). The act of rating a product's security capabilities is called the Trusted Products Evaluation Program (TPEP).

36
Q

DEP (Data Execution Prevention)

A

DEP is a security feature included in modern operating systems. It is intended to prevent a process from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow.

37
Q

Garbage Collector

A

A garbage collector is software that runs an algorithm to identify unused committed memory and then tells the operating system to mark the memory as "available".

38
Q

Control Unit

A

The control unit is the component that fetches the code, interprets the code, and oversees the execution of the different instruction sets. It manages and synchronizes the system while different applications’ code and operating system instructions are being executed.

39
Q

General register vs special register

A

General registers are used to hold variables and temporary results as the ALU works through its execution steps. General registers are like the ALU’s scratch pad, which it uses while working. Special registers hold information such as program counter, stack pointer, and program status word (PSW).

40
Q

Interrupted processes security issue

A

Interrupted processes can create security breaches when the current process is given a clearance level of the previous process.

41
Q

Trusted computing system

A

Anti-virus and spyware utilities are generally not considered an integral part of a trusted computer but rather add-on features.

42
Q

Cooperative mode

A

In cooperative mode, the application manages the resources of the computer system, for example the CPUs.

43
Q

The program counter

A

The program counter register contains the memory address of the next instruction to be fetched. After the instruction is executed, the program counter is updated with the memory address of the next instruction set to be processed.

44
Q

Pre-emptive multitasking mode

A

A system that is operating in pre-emptive multitasking mode uses the operating system to manage the resources.

45
Q

Multitasking

A

Multitasking is a term that describes an activity where a user performs two or more tasks (or processes) at once. An example of this is a system that allows two different programs to be open and working at once.

Multitasking is a characteristic of an operating system, not of a CPU.

46
Q

Dedicated register vs status register

A

Dedicated registers are program counters that point to memory locations which hold the next instruction.

Status registers hold state information.

47
Q

A process is suspended and waiting for an available time slot on the CPU or waiting for an event to occur. What is this?

A

Sleep state

48
Q

EEPROM vs EPROM vs PROM

A

PROM is a memory type that can be altered only once. EPROM and EEPROM can both be altered over and over again.

49
Q

Virtual memory simulates what?

A

Virtual memory, also known as paging or swapping, uses disk storage space to simulate RAM.

50
Q

Primary vs Secondary vs Virtual vs Real storage

A

Primary storage is the computer's main memory and can be accessed the fastest.

Secondary storage retains information even when power is turned down. It is used typically for storing applications/program instructions.

Virtual memory extends or simulates RAM.

Real storage is the process of giving a program a definite storage allocation in memory.

51
Q

Ensuring that a process does what it is intended to do every time is what kind of concept?

A

One idea of the Clark-Wilson model is the internal consistency concept. This says that computing processes always do what they are intended to do, which ensures data integrity.

52
Q

Execution Domain Switching Function

A

The TCB allows processes to switch between domains in a secure manner in order to access different levels of information. This function is known as the execution domain switch function.

53
Q

When a system is to be operated in problem state, what does this mean?

A

Problem state means that application code is executing, and the system is in the process of solving the problems or challenges presented by that application.

54
Q

Trusted recovery is first introduced in what classification in the Orange Book?

A

B3

55
Q

Trusted facility management

A

Trusted Facility Management centralizes privileged processing to a supervisory role.

56
Q

Which Orange Book classification requires the evaluation of the reference monitor?

A

B3 deals with security domains, and requires that the integrity of the reference monitor be checked to prove that it is small enough to be tested thoroughly and tamper-proof.

57
Q

Concept of encapsulation of objects

A

When a process is encapsulated, no other process understands or interacts with its internal programming code. When process A needs to communicate with process B, process A just needs to know how to communicate with process B's interface.

58
Q

ISO/IEC 42010 is an international standard that outlines specifications for system architecture frameworks and architecture languages. It allows for systems to be developed in a manner that addresses all of the stakeholder’s concerns.

A

N/A