D3 - Security Architecture and Design Flashcards
A system’s architecture is made up of different _, which are representations of system _ and their _. Each view addresses a different aspect of the system (_, _, _, _)
views
components; relationships
functionality; performance; interoperability; security
ISO/IEC 42010:2007
International Standard
Outlines how system architecture frameworks and their description languages are to be used.
CPU contains a _ and _.
A control unit, which controls the timing of the execution of instructions and the movement of data
An ALU (arithmetic logic unit), which performs mathematical functions and logical operations
Memory managers use various memory protection mechanisms, such as:
base (beginning) and limit (ending) addressing
address space layout randomization
data execution prevention
Operating systems use what kind of memory schemes?
absolute (hardware addresses), logical (indexed addresses), and relative (indexed addresses, including offsets)
How are buffer overflow vulnerabilities best addressed?
implementing bounds checking
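Added example (not from the flashcards): the classic unchecked copy next to a bounds-checked copy. The function names, the 16-byte buffer size and the inputs are illustrative assumptions.

```c
#include <stddef.h>
#include <string.h>

/* VULNERABLE: strcpy copies until the NUL byte in src, regardless of the
 * size of dst. A src of 16 or more bytes overruns the stack buffer.
 * Shown for contrast only; it is never called below. */
void copy_unchecked(const char *src)
{
    char dst[16];
    strcpy(dst, src);          /* no bounds check: classic buffer overflow */
    (void)dst;
}

/* HARDENED: the caller passes the destination size and the function refuses
 * to copy more than fits, leaving room for the terminator. Never reads more
 * than dst_size bytes of src either. Returns 0 on success, -1 if src would
 * not fit; dst is always NUL-terminated on success. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    while (n < dst_size && src[n] != '\0')   /* bounded length scan */
        n++;
    if (n == dst_size)                        /* no room for the NUL: reject */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* How a caller uses the check: copy input into a fixed 16-byte buffer.
 * Returns the number of bytes accepted, or -1 if the input was rejected
 * as too long (at most 15 characters plus the terminator fit). */
int accept_input(const char *input)
{
    char buf[16];
    if (copy_checked(buf, sizeof buf, input) != 0)
        return -1;
    return (int)strlen(buf);
}
```

The point of the hardened version is that the size of the destination travels with the pointer and the check happens before any byte is written; an input that does not fit is rejected rather than truncated silently, so the caller can treat it as an error.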
What is a garbage collector?
A software tool that releases unused memory segments to help prevent “memory starvation”
Different processor families work within different _ to execute specific instruction sets.
microarchitectures
Why were early operating systems considered “monolithic”?
Because all of the code worked within one layer and ran in kernel mode; components communicated in an ad hoc manner
Operating systems can work within the following architectures:
monolithic kernel, microkernel, hybrid kernel
What is mode transition?
When a CPU has to switch from executing one process’s instructions running in user mode to another process’s instructions running in kernel mode.
CPUs provide a ringed architecture, which _ _ run within. The more trusted processes run in the _ rings and have access to all or most of the _ _. Nontrusted processes run in _ rings and have access to a smaller amount of resources.
operating systems
lower-numbered
system resources
higher-numbered
Operating system processes are executed in _ or _ mode.
Applications are executed in _ mode, also known as “_ _”.
privileged; supervisor
user; “problem state”
What does virtual storage combine to have a larger bank of memory?
RAM and secondary storage
The more complex a security mechanism is, the _ assurance it can usually provide
less
TCB - Trusted computing base
A collection of system components that enforce the security policy directly and protect the system. These components are within the security perimeter.
What components make up the TCB?
hardware, software, firmware
What is a security perimeter?
An imaginary boundary that has trusted components (those that make up the TCB) within it and untrusted components outside it.
Reference Monitor
An abstract machine that ensures all subjects have the necessary access rights before accessing objects. It mediates all access to objects by subjects.
Security kernel
The mechanism that actually enforces the rules of the reference monitor concept
What are necessary concepts for the security kernel?
It must isolate processes carrying out the reference monitor concept
must be tamperproof
Must be invoked for each access attempt
Must be small enough to be properly tested
How can processes be isolated?
Segmented memory addressing
Encapsulation of objects
Time multiplexing of shared resources
Naming distinctions
Virtual mapping
The level of security a system provides depends upon how well it enforces its _ _
security policy
Multilevel security system
Processes data at different classifications (security levels) and users with different clearances (security levels) can use the system
When does data hiding occur?
When processes work at different layers and have layers of access control between them. Processes need to know how to communicate only with each other’s interfaces.
Security model
Maps the abstract goals of a security policy to computer system terms and concepts. Gives the security policy structure and provides a framework for the system
A _ _ is often proprietary to the manufacturer or vendor.
closed system
An _ _ allows for more interoperability
Open system
The Bell-LaPadula model deals only with _, while the Biba and Clark-Wilson models deal only with _.
confidentiality
integrity
State machine model
Deals with the different states a system can enter. If a system starts in a secure state, all state transitions take place securely, and the system shuts down and fails securely, then the system will never end up in an insecure state.
Lattice Model
provides an upper bound and a lower bound of authorized access for subjects
The Bell-LaPadula model has a simple security rule, which means:
A subject cannot read data from a higher level (no read up).
Bell-LaPadula *-property rule means:
the subject cannot write to an object at a lower level (no write down).
Bell-LaPadula strong star property:
a subject can read and write only at its own security level
The Biba model does not let subjects _ to objects at a higher integrity level (no _ up) and does not let subjects read data at a _ integrity level (no read down). This is done to protect the integrity of the data.
write; write
lower
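Added example (not from the flashcards) tying together the reference monitor, the lattice bounds and the Bell-LaPadula and Biba rules above: a single mediation function through which every access request passes, applying either the BLP or the Biba rules. The three-level lattice, the enum names and the default-deny choice are assumptions made for illustration.

```c
#include <stdbool.h>

/* Hypothetical linear lattice of levels. Under BLP a higher number means
 * higher sensitivity (clearance/classification); under Biba it means higher
 * integrity. LOW is the lower bound and HIGH the upper bound. */
enum level { LOW = 0, MEDIUM = 1, HIGH = 2 };

enum access { OP_READ, OP_WRITE };

/* Bell-LaPadula (confidentiality):
 *   simple security rule: no read up   -> subject >= object for READ
 *   *-property:           no write down -> subject <= object for WRITE */
bool blp_allows(enum level subject, enum level object, enum access a)
{
    switch (a) {
    case OP_READ:  return subject >= object;
    case OP_WRITE: return subject <= object;
    }
    return false;
}

/* BLP strong *-property: read and write only at the subject's own level. */
bool blp_strong_star_allows(enum level subject, enum level object)
{
    return subject == object;
}

/* Biba (integrity), the dual of BLP:
 *   simple integrity axiom: no read down -> subject <= object for READ
 *   *-integrity axiom:      no write up  -> subject >= object for WRITE */
bool biba_allows(enum level subject, enum level object, enum access a)
{
    switch (a) {
    case OP_READ:  return subject <= object;
    case OP_WRITE: return subject >= object;
    }
    return false;
}

enum model { BELL_LAPADULA, BIBA };

/* Minimal reference monitor: the one function every access goes through
 * ("always invoked"). Anything it does not explicitly permit is denied, so a
 * bad model or access value fails securely. */
bool reference_monitor(enum model m, enum level subject, enum level object,
                       enum access a)
{
    switch (m) {
    case BELL_LAPADULA: return blp_allows(subject, object, a);
    case BIBA:          return biba_allows(subject, object, a);
    }
    return false;   /* default deny */
}
```

Reading the two rule tables side by side shows why the flashcards call Biba the integrity counterpart of BLP: each Biba comparison is the BLP comparison with the direction flipped. A real security kernel would also have to be tamperproof and small enough to verify, which a code fragment cannot show.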
The Bell-LaPadula model is used mainly in _ and _-oriented systems. The Biba and Clark-Wilson models are used in the _ sector.
military; government
commercial
Clark-Wilson Model
Subjects can access objects only through programs (well-formed transactions), never directly. Illustrates how to provide separation of duties and requires auditing of tasks within the software.
What does it mean when a system is working in a dedicated security mode?
It deals with only one level of data classification; all users must have clearance for that level to be able to use the system
Trust
A system uses all of its protection mechanisms properly to process sensitive data for many types of users.
Assurance
The level of confidence you have in this trust, and that the protection mechanisms behave properly and predictably in all circumstances
Orange Book aka TCSEC (Trusted Computer System Evaluation Criteria)
Developed to evaluate systems built mainly for government use; the expanded
The Orange Book deals mainly with:
stand-alone systems
ITSEC evaluates:
the assurance and functionality of a system’s protection mechanisms separately.
Common Criteria
Provides globally recognized evaluation criteria, combining TCSEC, ITSEC, CTCPEC and the Federal Criteria
What does the Common Criteria use to provide assurance for targets of evaluation (TOE)?
Protection profiles
Security Targets
Ratings (EAL1 to EAL7)
Covert channel
An unintended communication path that transfers data in a way that violates the security policy.
What are the two types of covert channels?
Timing & storage
Covert timing channel
Enables a process to relay information to another process by modulating its use of system resources
A covert storage channel
Enables a process to write data to a storage medium so another process can read it
Why is a maintenance hook developed?
To let a programmer into the application quickly for maintenance. Should be removed before the application goes into production or it can cause a serious security risk.
What does process isolation ensure?
That multiple processes can run concurrently and the processes will not interfere with each other or affect each other’s memory segments.
TOC/TOU
Time-of-check/time-of-use. A class of asynchronous (race condition) attacks in which the state that was checked is no longer the state that is used.
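Added example (not from the flashcards) of the race the card names, in C on a POSIX system: a check-then-use file open next to a version that checks the object it actually opened. The function names and the temporary-file self-test are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* RACY (check-then-use): access() and open() are two separate system calls
 * on a path name. Between the check and the use, an attacker who controls
 * the directory can replace the file with a symlink to something the
 * attacker may not read directly; open() then follows the link.
 * Returns a descriptor or -1. */
int open_racy(const char *path)
{
    if (access(path, R_OK) != 0)        /* time of check */
        return -1;
    return open(path, O_RDONLY);        /* time of use: path may now differ */
}

/* HARDENED: open first without following symlinks, then inspect the object
 * that was actually opened via its descriptor, so the check and the use
 * refer to the same file. Returns a descriptor or -1. */
int open_checked(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;   /* not a regular file (device, FIFO, directory, ...) */
    }
    return fd;
}

/* Returns 1 if path opens as a regular file through the hardened path,
 * 0 otherwise. */
int can_open_regular(const char *path)
{
    int fd = open_checked(path);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Self-test: create a temporary regular file (assumed writable /tmp),
 * verify the hardened opener accepts it, and remove it. Returns 1 on success. */
int selftest_temp_regular_file(void)
{
    char tmpl[] = "/tmp/tocttou_XXXXXX";
    int fd = mkstemp(tmpl);
    int ok;
    if (fd < 0)
        return 0;
    close(fd);
    ok = can_open_regular(tmpl);
    unlink(tmpl);
    return ok;
}
```

The fix is not "check faster"; it is removing the window by making the check and the use operate on the same kernel object (the open descriptor) instead of on a path name that someone else can rebind in between.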
Biba model addresses the first goal of:
integrity; to prevent unauthorized users from making modifications
Clark-Wilson model addresses all three integrity goals:
1 - prevent unauthorized users from making modifications
2 - prevent authorized users from making improper modifications
3 - maintain internal and external consistency
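Added example (not from the flashcards) of the Clark-Wilson mechanics described on this page and in the model's card above: access triples binding a user to a transformation procedure (TP) and a constrained data item (CDI), a separation-of-duties check between two TPs, and an audit record of every TP invocation. The policy table, user and TP names, and the fixed-size audit log are constructed for illustration; the third goal (internal/external consistency) is a property of the TPs themselves and is not shown.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* One access triple: this user may run this TP against this CDI. */
struct triple { const char *user; const char *tp; const char *cdi; };

/* Constructed policy. Note that nobody holds both the posting and the
 * approving TP for the ledger: that is the separation of duties. */
static const struct triple policy[] = {
    { "alice", "post_payment",    "ledger" },
    { "bob",   "approve_payment", "ledger" },
    { "alice", "read_balance",    "ledger" },
};

/* Rule: a subject touches a CDI only through a certified TP it is bound to.
 * No triple means no access; there is no way to reach the CDI directly. */
bool cw_access_allowed(const char *user, const char *tp, const char *cdi)
{
    size_t i;
    for (i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (strcmp(policy[i].user, user) == 0 &&
            strcmp(policy[i].tp, tp) == 0 &&
            strcmp(policy[i].cdi, cdi) == 0)
            return true;
    }
    return false;
}

/* Separation of duties: the user who posted a payment must not be the one
 * who approves it, and each must hold the triple for their own step. */
bool cw_separation_of_duties_ok(const char *poster, const char *approver)
{
    return strcmp(poster, approver) != 0 &&
           cw_access_allowed(poster, "post_payment", "ledger") &&
           cw_access_allowed(approver, "approve_payment", "ledger");
}

/* Audit log: every TP invocation is recorded, allowed or not. */
struct audit_entry { const char *user; const char *tp; const char *cdi; bool allowed; };
#define AUDIT_MAX 64
static struct audit_entry audit_log[AUDIT_MAX];
static size_t audit_count;

/* The only entry point for running a TP: mediate, record, then (if allowed)
 * the real TP would execute here. Returns whether the call was permitted. */
bool cw_invoke_tp(const char *user, const char *tp, const char *cdi)
{
    bool ok = cw_access_allowed(user, tp, cdi);
    if (audit_count < AUDIT_MAX) {
        struct audit_entry e = { user, tp, cdi, ok };
        audit_log[audit_count++] = e;
    }
    return ok;
}

size_t cw_audit_entries(void) { return audit_count; }

/* Returns whether the i-th audited invocation was permitted (false if out of range). */
bool cw_audit_entry_allowed(size_t i)
{
    return i < audit_count && audit_log[i].allowed;
}
```

Compare this with the Bell-LaPadula and Biba cards: those models compare a subject level with an object level; Clark-Wilson instead asks which program is doing the access and whether that program was certified for that user and that data, which is why it maps naturally onto commercial transaction systems.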
System architecture
Formal tool used to design computer systems in a manner that ensures each of the stakeholders’ concerns is addressed