Chapter 8- Security Models, Design and Capabilities

Question 1

Controlling access to a resource in a secure system involves 2 entities name and explain them

Answer 1

1. Subject: is a user or process that makes a request to access a resource.
2. Object: this is the resource a user or process wants to access.

Question 2

Systems are built and designed according to 2 philosophies, explain them

Answer 2

1. Open system: this are designed using agreed industry standards. They are easier to integrate with systems that adopt the same standards.
2. Closed systems are designed to work with a narrow range of systems and are harder to integrate unlike other systems. It is harder to attack closed systems

Question 3

Open Source vs Closed Source

Answer 3

In open source, the source code and other internal logic is available to the public.

Closed source: the internal logic and source code is hidden from the public. This depends on the programmer to revise the product over time.

Question 4

Define Confinement

Answer 4

Confinement allows a process to read from and write to certain memory locations and resources. This is also known as sandboxing.

Question 5

Explain Bounds

Answer 5

Each process that runs on a system is assigned an authority level.

Simple Systems:
In simple systems there are 2 authority levels (i.e. user and kernel.

Bounds of a process sets a limit on the memory addresses and resources it can access. It states the area in which a process is confined or contained.

There are 2 types of bounds:
Physical bounds: require each bounds to run in an area of memory that is physically separated from other bounded processes.
Logical bounds: it is the job of the o/s to enforce logical bounds and disallow access to other processes.

Question 6

Define Isolation

Answer 6

Isolation occurs when a process is confined through enforcing access bounds, that process runs in isolation.

it is used to protect the operating environment, the kernel of the operating systems and other independent applications.

Question 7

List the 3 concepts that make it possible to implement secure systems

Answer 7

Confinement, Isolation and bounds

Question 8

Explain MAC

Answer 8

Mandatory Access Control: static attributes of the subject and object are considered to determine the permissibility of the access.

Question 9

Explain DAC

Answer 9

Discretionary Access Control: subject have ability to define access to objects. Access Control List serves as dynamic access rulesets that the subject can modify.

Question 10

what is the primary goal of controls

Answer 10

Controls are used to ensure the confidentiality and integrity of data.

Question 11

Define Trusted Systems

Answer 11

Trusted Systems is one in which protection mechanisms work together to process sensitive data for many types of users while maintaining a stable secure computing environment.

Question 12

Define Assurance

Answer 12

Assurance is the degree of confidence and satisfaction of the security needs.

Question 13

Define Security Model

Answer 13

Security Model provides a way for designers to map abstract statements into a security policy that prescribes the algorithm and data structures necessary to build hardware and software.

Question 14

Define Capability list

Answer 14

Capability List maintains a row of security attributes for each controlled object

Question 15

Define Trusted Computing Base

Answer 15

Trusted Computing Base (TCB) is a combination of hardware, software and controls that work together to form a trusted base to enforce your security policy.

TCB is the only portion of that system that can be trusted to enforce your security policy.

Question 16

Describe Security Perimeter

Answer 16

Security Perimeter is the imaginary boundary that separates the the TCB from the rest of the system.

Question 17

Explain Reference Monitor

Answer 17

Part of the TCB that validates access to every resource prior to granting access is called the reference monitor. It stands between the every subject and object.

It is the access control monitor for TCB. It enforces access control or authorization based on the security model.

Question 18

Define State machine model

Answer 18

State machine model is always secure regardless of the state it is in.

Question 19

Define Finite State Machine

Answer 19

Finite State Machine (FSM) combines an external input with an internal machine state to model all kinds of complex systems including parsers, decoders and interpreters.

Question 20

Define a state

Answer 20

State is the snapshot of machine at any specific moment in time.

Question 21

Define secure state machine

Answer 21

Secure state machine always boots to a secure state and maintains a secure state across all transitions. It allows subjects to access resources in a secure manner compliant with security policy.

Question 22

Explain Information flow models

Answer 22

This focuses on the flow of information. They are based on state machine models. e.g. Bell-LaPadula model and and Biba.

They are used to prevent the unauthorized, insecure and restricted information flow often between different levels of security.

Question 23

Explain noninterference model

Answer 23

Noninterference model is based on information flow model. It is concerned on how the actions of a subject on a higher security level may affect the system state or actions of a lower security level.

Question 24

There are 3 recognized composition theories

Answer 24

Cascading, Feedback and Hookup.

1. Cascading: input for one comes from the output from another system.
2. Feedback: one system provides input to another system.
3. Hookup: one system sends input to another system but also sends input to other systems.

Question 25

Explain Take-Grant Model

Answer 25

Take rule: allows a subject to take rights over an object.
Grant rule: allows a subject to grant rights to an object.
Create rule: allows a subject to create new rights
Remove rule: allows a subject to remove rights it has

Question 26

Describe Bell-LaPadula

Answer 26

Bell-LaPadula are in place to protect data confidentiality.

No read up no write down. A subject cannot read an object classified higher than the subject is cleared for.

But a trusted subject is not

Question 27

Describe Biba Model

Answer 27

Biba ensure data integrity.
Biba was designed to address 3 integrity issues and they are:
Prevent modification of objects by unauthorized subjects
Prevent unauthorized modification of objects by authorized subjects.
Protect internal and external object consistency.

Question 28

Biba model focuses on

Answer 28

Integrity

Question 29

Bell-LaPadula model focuses on

Answer 29

Confidentiality

Question 30

Explain Clark Wilson Model

Answer 30

Clark Wilson Model focuses on integrity of data. It uses the Subject/Program/Object known as the control triple.

It uses 2 principles: well formed transactions and separation of duties. It defines the following:

Constrained Data Item (CDI): any item whose integrity is protected by the security model.
Unconstrained Data Item(UDI): any data item that is not controlled by the security model.
Integrity Verification Procedure (IVP): scans items and confirms their integrity.
Transformation Procedures: the only procedures that are allowed to modify CDI.

Question 31

How does Clark Wilson grant access to objects

Answer 31

Clark Wilson grants access to objects through transformation procedures and a restricted model interface.

Question 32

Define restricted model interface

Answer 32

Restricted Model Interface:

This uses classification based restrictions to offer only subject specific authorized information and functions

Question 33

Explain Brewer and Nash Model

Answer 33

Brewer and Nash Model was created to permit access controls to change dynamically based on user’s previous activity.

The model applies to a single integrated database.

Question 34

Explain Goguen-Meseguer Model

Answer 34

Goguen-Meseguer: This is an integrity model. It forms the basis on noninterference conceptual theories. It determines the set or domain i.e. the list of objects that a subject can access.

Question 35

Describe TCSEC

Answer 35

Trusted Computer System Evaluation Criteria was designed to be used when evaluating vendor products and vendors to ensure that they all build the necessary functionality and secure assurance into products.

TCSEC defines the following categories:

A Verified Protection
B Mandatory Protection
C Discretionary Protection
D Minimal Protection

Question 36

Discuss Discretionary Protection

Answer 36

Discretionary Protection Systems provide basic access control.
Discretionary Security Protection (C1): it controls access by user IDs or groups.
Controlled Access Protection (C2): users must be identified individually to gain access to objects. It must also enforce media cleansing.

Question 37

Discuss Mandatory Protection

Answer 37

Mandatory Protection (B1,B2,B3)

This is based of Bell-LaPadula model (confidentiality). Mandatory Access is based on security labels.

Labeled Security (B1): each subject and object have a security label. This helps permission compatibility.
Structured Protection (B2):In addition to B1, B2 must ensure that no covert channels exists. Operator and Administrator functions are separated and process isolation is maintained

Security Domain (B3): it provides more functionality by further increasing isolation of unrelated processes. it shifts to simplicity to reduce vulnerabilities.

Question 38

Describe Verified Protection (A1)

Answer 38

This is the highest level of protection. It is similar to B3 but the difference is in the development cycle. Each phase in the design is documented, evaluated and verified before the next steps are taken.

Question 39

Explain Common Criteria

Answer 39

Common Criteria defines the various levels of testing and confirmation of systems security capabilities.

Protection Profiles: specify the product to be evaluated.

Security Targets: claims of security from the targets that are built into the Target of Evaluation (TOE).

Question 40

Explain Common Criteria Assurance Levels

Answer 40

EAL 1: Functionally tested- this is sought when some assurance in accurate operations is necessary but threat to security are not seen as serious
EAL 2: Structurally Tested: this is sought when users or developers need low to moderate level of independently guaranteed security.
EAL 3: Methodically Tested and checked: this is sought when there is need for a moderate level of independently ensured security.
EAL 4: Methodically Designed tested and verified: this is sought when developers or users require moderate to high level of independently ensured security.
EAL 5: Semiformally designed and tested: this is sought when the requirement is for high level independently ensured security.
EAL 6: Semiformally verified, designed and tested: this is sought when developing specialized TOEs for high risk situations.
EAL 7: Formally Verified designed and tested: this is sought when developing a security TOE for applications in extremely high risk situations.

Question 41

Define Subject

Answer 41

Subject is a person or process that makes a request to access a resource. Access can mean reading from or writing to a resource.

Question 42

Define Object

Answer 42

Object: this is the resource that a user or process wants to access.

Question 43

Confinement can be implemented through

Answer 43

1. operating system itself
2. Confinement application or service
3. Virtualization
4. Hypervisor solution.

Question 44

What do you understand by bounds

Answer 44

1. Set limit on memory addresses and resources it can access
2. Segments logical areas of memory for process to use

Physical bounds Logical Bounds
Physically separated Logically bounded in memory space
Expensive Cheaper
More secure Less secure

Question 45

PCI DSS Acronym means

Answer 45

Payment Card Industry Data Security Standard.

Question 46

Explain the 2 evaluation phases

Answer 46

The 2 phases of evaluation are: certification and evaluation.

Evaluation is used to assess how well a system measures up to the desired level of security.

Certification: is the first phase in the total evaluation process. This is the comprehensive evaluation of the technical and nontechnical security features of an IT systems. This includes testing the system’s hardware, software and configuration.
Management review the certification information and decides whether the system satisfies the security needs of the organization.

Certification is internal.

Accreditation: this is the formal declaration by the designated approving authority (DAA) that an IT system is approved to operate in a particular mode using prescribed set of safeguards at an acceptable level of risk. This is conducted by third parties or external bodies.
They are divided into 4 phases: Definition, Verification, validation and Post Accreditation

Question 47

Describe Virtualization

Answer 47

Virtualization is used to host one or more operating systems within the memory of a single host computer.

Question 48

Advantages of virtualization

Answer 48

1. real time scalability

2. ability to launch several individual instances of server or services.

Question 49

Define TPM

Answer 49

Trusted Platform Module is both the specification for the crypto-processor chip on a mainboard and the general name for implementation of the specification

Question 50

Define HSM

Answer 50

Hardware Security Module is the crypto-processor used to manage or store digital encryption keys, accelerate crypto operations, support faster digital signatures and improve authentication.

2. It is often an add on adapter or peripheral or can be a Transmission Control Protocol / Internet Protocol (TCP/IP)
3. It includes Tamper Protection to prevent the use of physical access.

Question 51

Explain Constrained or restricted interface

Answer 51

This is implemented within the interface to restrict what the user can see or do based on their privileges i.e. disabled or dimmed command.

Question 52

Describe Fault tolerance

Answer 52

Fault tolerance is the ability of a system to suffer fault but continue to operate. This is achieved by the addition of redundant components e.g. Redundant Array of Inexpensive Disks (RAID)

Question 53

a

Answer 53

a

Question 54

b

Answer 54

b

Question 55

c

Answer 55

c

Question 56

d

Answer 56

d

Question 57

e

Answer 57

e