Chapter 8- Security Models, Design and Capabilities Flashcards
Controlling access to a resource in a secure system involves 2 entities name and explain them
- Subject: is a user or process that makes a request to access a resource.
- Object: this is the resource a user or process wants to access.
Systems are built and designed according to 2 philosophies, explain them
- Open system: this are designed using agreed industry standards. They are easier to integrate with systems that adopt the same standards.
- Closed systems are designed to work with a narrow range of systems and are harder to integrate unlike other systems. It is harder to attack closed systems
Open Source vs Closed Source
In open source, the source code and other internal logic is available to the public.
Closed source: the internal logic and source code is hidden from the public. This depends on the programmer to revise the product over time.
Define Confinement
Confinement allows a process to read from and write to certain memory locations and resources. This is also known as sandboxing.
Explain Bounds
Each process that runs on a system is assigned an authority level.
Simple Systems:
In simple systems there are 2 authority levels (i.e. user and kernel.
Bounds of a process sets a limit on the memory addresses and resources it can access. It states the area in which a process is confined or contained.
There are 2 types of bounds:
Physical bounds: require each bounds to run in an area of memory that is physically separated from other bounded processes.
Logical bounds: it is the job of the o/s to enforce logical bounds and disallow access to other processes.
Define Isolation
Isolation occurs when a process is confined through enforcing access bounds, that process runs in isolation.
it is used to protect the operating environment, the kernel of the operating systems and other independent applications.
List the 3 concepts that make it possible to implement secure systems
Confinement, Isolation and bounds
Explain MAC
Mandatory Access Control: static attributes of the subject and object are considered to determine the permissibility of the access.
Explain DAC
Discretionary Access Control: subject have ability to define access to objects. Access Control List serves as dynamic access rulesets that the subject can modify.
what is the primary goal of controls
Controls are used to ensure the confidentiality and integrity of data.
Define Trusted Systems
Trusted Systems is one in which protection mechanisms work together to process sensitive data for many types of users while maintaining a stable secure computing environment.
Define Assurance
Assurance is the degree of confidence and satisfaction of the security needs.
Define Security Model
Security Model provides a way for designers to map abstract statements into a security policy that prescribes the algorithm and data structures necessary to build hardware and software.
Define Capability list
Capability List maintains a row of security attributes for each controlled object
Define Trusted Computing Base
Trusted Computing Base (TCB) is a combination of hardware, software and controls that work together to form a trusted base to enforce your security policy.
TCB is the only portion of that system that can be trusted to enforce your security policy.
Describe Security Perimeter
Security Perimeter is the imaginary boundary that separates the the TCB from the rest of the system.
Explain Reference Monitor
Part of the TCB that validates access to every resource prior to granting access is called the reference monitor. It stands between the every subject and object.
It is the access control monitor for TCB. It enforces access control or authorization based on the security model.
Define State machine model
State machine model is always secure regardless of the state it is in.
Define Finite State Machine
Finite State Machine (FSM) combines an external input with an internal machine state to model all kinds of complex systems including parsers, decoders and interpreters.
Define a state
State is the snapshot of machine at any specific moment in time.
Define secure state machine
Secure state machine always boots to a secure state and maintains a secure state across all transitions. It allows subjects to access resources in a secure manner compliant with security policy.
Explain Information flow models
This focuses on the flow of information. They are based on state machine models. e.g. Bell-LaPadula model and and Biba.
They are used to prevent the unauthorized, insecure and restricted information flow often between different levels of security.
Explain noninterference model
Noninterference model is based on information flow model. It is concerned on how the actions of a subject on a higher security level may affect the system state or actions of a lower security level.
There are 3 recognized composition theories
Cascading, Feedback and Hookup.
- Cascading: input for one comes from the output from another system.
- Feedback: one system provides input to another system.
- Hookup: one system sends input to another system but also sends input to other systems.
Explain Take-Grant Model
Take rule: allows a subject to take rights over an object.
Grant rule: allows a subject to grant rights to an object.
Create rule: allows a subject to create new rights
Remove rule: allows a subject to remove rights it has
Describe Bell-LaPadula
Bell-LaPadula are in place to protect data confidentiality.
No read up no write down. A subject cannot read an object classified higher than the subject is cleared for.
But a trusted subject is not
Describe Biba Model
Biba ensure data integrity.
Biba was designed to address 3 integrity issues and they are:
Prevent modification of objects by unauthorized subjects
Prevent unauthorized modification of objects by authorized subjects.
Protect internal and external object consistency.
Biba model focuses on
Integrity
Bell-LaPadula model focuses on
Confidentiality
Explain Clark Wilson Model
Clark Wilson Model focuses on integrity of data. It uses the Subject/Program/Object known as the control triple.
It uses 2 principles: well formed transactions and separation of duties. It defines the following:
Constrained Data Item (CDI): any item whose integrity is protected by the security model.
Unconstrained Data Item(UDI): any data item that is not controlled by the security model.
Integrity Verification Procedure (IVP): scans items and confirms their integrity.
Transformation Procedures: the only procedures that are allowed to modify CDI.
How does Clark Wilson grant access to objects
Clark Wilson grants access to objects through transformation procedures and a restricted model interface.
Define restricted model interface
Restricted Model Interface:
This uses classification based restrictions to offer only subject specific authorized information and functions
Explain Brewer and Nash Model
Brewer and Nash Model was created to permit access controls to change dynamically based on user’s previous activity.
The model applies to a single integrated database.
Explain Goguen-Meseguer Model
Goguen-Meseguer: This is an integrity model. It forms the basis on noninterference conceptual theories. It determines the set or domain i.e. the list of objects that a subject can access.
Describe TCSEC
Trusted Computer System Evaluation Criteria was designed to be used when evaluating vendor products and vendors to ensure that they all build the necessary functionality and secure assurance into products.
TCSEC defines the following categories:
A Verified Protection
B Mandatory Protection
C Discretionary Protection
D Minimal Protection
Discuss Discretionary Protection
Discretionary Protection Systems provide basic access control.
Discretionary Security Protection (C1): it controls access by user IDs or groups.
Controlled Access Protection (C2): users must be identified individually to gain access to objects. It must also enforce media cleansing.
Discuss Mandatory Protection
Mandatory Protection (B1,B2,B3)
This is based of Bell-LaPadula model (confidentiality). Mandatory Access is based on security labels.
Labeled Security (B1): each subject and object have a security label. This helps permission compatibility. Structured Protection (B2):In addition to B1, B2 must ensure that no covert channels exists. Operator and Administrator functions are separated and process isolation is maintained
Security Domain (B3): it provides more functionality by further increasing isolation of unrelated processes. it shifts to simplicity to reduce vulnerabilities.
Describe Verified Protection (A1)
This is the highest level of protection. It is similar to B3 but the difference is in the development cycle. Each phase in the design is documented, evaluated and verified before the next steps are taken.
Explain Common Criteria
Common Criteria defines the various levels of testing and confirmation of systems security capabilities.
Protection Profiles: specify the product to be evaluated.
Security Targets: claims of security from the targets that are built into the Target of Evaluation (TOE).
Explain Common Criteria Assurance Levels
EAL 1: Functionally tested- this is sought when some assurance in accurate operations is necessary but threat to security are not seen as serious
EAL 2: Structurally Tested: this is sought when users or developers need low to moderate level of independently guaranteed security.
EAL 3: Methodically Tested and checked: this is sought when there is need for a moderate level of independently ensured security.
EAL 4: Methodically Designed tested and verified: this is sought when developers or users require moderate to high level of independently ensured security.
EAL 5: Semiformally designed and tested: this is sought when the requirement is for high level independently ensured security.
EAL 6: Semiformally verified, designed and tested: this is sought when developing specialized TOEs for high risk situations.
EAL 7: Formally Verified designed and tested: this is sought when developing a security TOE for applications in extremely high risk situations.
Define Subject
Subject is a person or process that makes a request to access a resource. Access can mean reading from or writing to a resource.
Define Object
Object: this is the resource that a user or process wants to access.
Confinement can be implemented through
- operating system itself
- Confinement application or service
- Virtualization
- Hypervisor solution.
What do you understand by bounds
- Set limit on memory addresses and resources it can access
- Segments logical areas of memory for process to use
Physical bounds Logical Bounds
Physically separated Logically bounded in memory space
Expensive Cheaper
More secure Less secure
PCI DSS Acronym means
Payment Card Industry Data Security Standard.
Explain the 2 evaluation phases
The 2 phases of evaluation are: certification and evaluation.
Evaluation is used to assess how well a system measures up to the desired level of security.
Certification: is the first phase in the total evaluation process. This is the comprehensive evaluation of the technical and nontechnical security features of an IT systems. This includes testing the system’s hardware, software and configuration.
Management review the certification information and decides whether the system satisfies the security needs of the organization.
Certification is internal.
Accreditation: this is the formal declaration by the designated approving authority (DAA) that an IT system is approved to operate in a particular mode using prescribed set of safeguards at an acceptable level of risk. This is conducted by third parties or external bodies.
They are divided into 4 phases: Definition, Verification, validation and Post Accreditation
Describe Virtualization
Virtualization is used to host one or more operating systems within the memory of a single host computer.
Advantages of virtualization
- real time scalability
2. ability to launch several individual instances of server or services.
Define TPM
Trusted Platform Module is both the specification for the crypto-processor chip on a mainboard and the general name for implementation of the specification
Define HSM
Hardware Security Module is the crypto-processor used to manage or store digital encryption keys, accelerate crypto operations, support faster digital signatures and improve authentication.
- It is often an add on adapter or peripheral or can be a Transmission Control Protocol / Internet Protocol (TCP/IP)
- It includes Tamper Protection to prevent the use of physical access.
Explain Constrained or restricted interface
This is implemented within the interface to restrict what the user can see or do based on their privileges i.e. disabled or dimmed command.
Describe Fault tolerance
Fault tolerance is the ability of a system to suffer fault but continue to operate. This is achieved by the addition of redundant components e.g. Redundant Array of Inexpensive Disks (RAID)
a
a
b
b
c
c
d
d
e
e