Domain 3 - Security Engineering Flashcards
Common Criteria ISO 15408
Structured methodology for documenting security requirements,
documenting and validating
Evaluation Assurance Level 0
EAL0 – Inadequate assurance
Evaluation Assurance Level 1
EAL1 – Functionally tested
Evaluation Assurance Level 2
EAL2 – Structurally tested
Evaluation Assurance Level 3
EAL3 – Methodically tested and checked
Evaluation Assurance Level 4
EAL4 – Methodically designed, tested and reviewed
Evaluation Assurance Level 5
EAL5 – Semi formally designed and tested
Evaluation Assurance Level 6
EAL6 – Semi formally verified design and tested
Evaluation Assurance Level 7
EAL7 – Formally verified design and tested
Target of Evaluation (TOE):
The product
Protection Profile
Set of security requirements for a category of products that meet specific
consumer security needs
Security Target (ST):
Identifies the security properties of TOE
Security Functional Requirements (SFRs)
Specific individual security function
NIST SP 800-27
- Initiation; need expressed, purpose documented, impact assessment
- Development/Acquisition; system designed, purchased, programmed, developed or constructed.
- Implementation; system tested and installed, certification and accreditation
- Operation/Maintenance; performs function, security operations, audits
Primary Storage
Is a temporary storage area for data entering and leaving the CPU
Process states: Stopped
Process finishes or must be terminated
Process states: Waiting
The process is ready for continued execution but is waiting for a device or access
Process states: Running
Executes on the CPU and keeps going until it finishes, its time slice expires, or it is
blocked
Process states: Ready
Process is prepared to execute when the CPU is ready
Multitasking
Execute more than one task at the same time
Multiprocessing
More than one CPU is involved.
Multi-Threading:
Execute different parts of a program simultaneously
Single state machine
Operates in the security environment at the highest level of classification of the
information within the computer. In other words, all users on that system must have clearance to access
the info on that system.
Multi-state machine
Can offer several security levels without risk of compromising the system’s
integrity
CISC
Complex instructions. Many operations per instruction. Fewer fetches.
RISC
Reduced instructions. Simpler operations per instruction. More fetches.
Segmentation
Dividing a computer’s memory into segments.
Protection Keying
Numerical values. Divides physical memory up into particular sized blocks, each
of which has an associated numerical value called a protection key.
Paging
Divides memory address space into even-size blocks called pages. Used to emulate having
more RAM than we actually have.
DEP, Data Execution Prevention
A system-level memory protection feature that is built into the operating system. DEP prevents code from being run from data pages such as the default heap, stacks, and memory pools.
State Machine Model
Describes a system that is always secure no matter what state it is in. If all
aspects of a state meet the requirements of the security policy, that state is considered secure. A
transition occurs when accepting input or producing output. A transition always results in a new state
(also called a state transition). A secure state machine model system always boots into a secure state,
maintains a secure state across all transitions, and allows subjects to access resources only in a secure
manner compliant with the security policy.
Information Flow Model
Focuses on the flow of information. Information flow models are based on
a state machine model. The Bell-LaPadula and Biba models are both information flow models.
Information flow models don’t necessarily deal with only the direction of information flow; they can
also address the type of flow. Information flow models are designed to prevent unauthorized, insecure,
or restricted information flow, often between different levels of security (these are often referred to as
multilevel models). The information flow model also addresses covert channels by specifically
excluding all non-defined flow pathways.
Noninterference Model
Is loosely based on the information flow model. However, instead of being
concerned about the flow of information, the noninterference model is concerned with how the actions
of a subject at a higher security level affect the system state or the actions of a subject at a lower
security level. Basically, the actions of subject A (high) should not affect the actions of subject B (low)
or even be noticed by subject B. The noninterference model can be imposed to provide a form of
protection against damage caused by malicious programs such as Trojan horses
Confinement
To restrict the actions of a program. Simply put, process confinement allows a process
to read from and write to only certain memory locations and resources. This is also known as
sandboxing
Bounds
The bounds of a process consist of limits set on the memory addresses and resources it can access. The
bounds state the area within which a process is confined or contained.
Isolation
When a process is confined through enforcing access bounds that process runs in isolation.
Process isolation ensures that any behavior will affect only the memory and resources associated with
the isolated process
ACCESS CONTROL MATRIX
- Provides access rights to subjects for objects
- Access rights are read, write and execute
- Columns are ACLs
- Rows are capability lists
- Supports discretionary access control
BELL-LAPADULA = MAC SUBJECTS/OBJECTS/CLEARANCES/
• Confidentiality model
• Developed by DOD, thus classification
• Cannot read up (simple security rule; simple = read)
• Cannot write down (* property rule, AKA confinement property). Exception is a trusted
subject.
• Uses access matrix to specify discretionary access control
• Uses need-to-know principle
• Strong star rule: read and write capabilities at the same level
• First mathematical model defined
• Tranquility principle in Bell-LaPadula prevents security level of subjects from being changed
once they are created
• Bell-LaPadula is concerned with preventing information flow from a high security level to a
low security level.
BIBA – MAC “if I in it INTEGRITY MODEL”
• Integrity model
• Cannot read down (simple integrity rule; simple = read)
• Simple integrity property
• Cannot write up (* integrity)
• Lattice based (least upper bound, greatest lower bound, flow policy)
• Subject at one level of integrity can't invoke subject at a higher level of integrity
• Biba is concerned with preventing information flow from a low security level to a high security
level.
• Focus on protecting objects from external threat
CLARK WILSON
• Integrity model
• Cannot be tampered, logged, and consistency
• Enforces segregation of duty
• Requires auditing
• Commercial use
• Works with CDIs (constrained data items), data items whose integrity is to be preserved
• Access to objects only through programs
• An integrity verification procedure (IVP) is a procedure that scans data items and confirms their
integrity.
Brewer and Nash
The Chinese Wall model provides dynamic access control depending on a user's previous actions. This
model prevents conflicts of interest by stopping members of an organization from looking at information
that creates a conflict with another member of that organization.
Lipner Model
- Confidentiality and Integrity, BLP + Biba
- 1st Commercial Model
Graham-Denning
Focused on relationship between subjects and objects
TAKE-GRANT
Uses a directed graph to specify the rights that subjects can transfer to objects or that subjects can
take from other subjects
• Uses STATES and STATE TRANSITIONS
• Take rule: Allows a subject to take rights over an object
• Grant rule: Allows a subject to grant rights to an object
• Create rule: Allows a subject to create new rights
• Remove rule: Allows a subject to remove rights it has
ITSEC
• Refers to any system being evaluated as a target of evaluation (TOE).
• Does not rely on the notion of a TCB, and it doesn’t require that a system’s security components
be isolated within a TCB.
• Includes coverage for maintaining targets of evaluation after changes occur without requiring a
new formal evaluation.
Certification
Evaluation of security features and safeguards to determine whether they meet requirements. Certification
is the comprehensive evaluation of the technical and nontechnical security features of an IT system and
other safeguards made in support of the accreditation process to establish the extent to which a
particular design and implementation meets a set of specified security requirements.
Accreditation
The formal declaration by the designated approving authority (DAA) that an IT system
is approved to operate in a particular security mode using a prescribed set of safeguards at an
acceptable level of risk. Once accreditation is performed, management can formally accept the
adequacy of the overall security performance of an evaluated system.
System accreditation
A major application or general support system is evaluated.
Site accreditation
The applications and systems at a specific, self-contained location are evaluated
Type accreditation
An application or system that is distributed to a number of different locations is
evaluated
Information Technology Security Evaluation Criteria ITSEC:
It is used in Europe only, not USA.
Addresses CIA. Unlike TCSEC, it evaluates functionality and assurance separately.
Assurance from E0 to E6 (highest) and functionality from F1 to F10 (highest). Therefore a system can provide low
assurance and high functionality or vice versa.
ISO 27001
Focused on the standardization and certification of an organization’s information security management system (ISMS) and security governance; a standard.
ISO 27002
A guideline which lists security control objectives and
recommends a range of specific security controls; more granular than 27001. 14 areas. Both
inspired by BS 7799.
COBIT 5
- Principle 1: Meeting Stakeholder Needs
- Principle 2: Covering the Enterprise End-to-End
- Principle 3: Applying a Single, Integrated Framework
- Principle 4: Enabling a Holistic Approach
- Principle 5: Separating Governance from Management
COBIT is used not only to plan the IT security of an organization but also as a guideline for auditors
TOCTTOU attack
TOCTTOU attacks, race condition exploits, and communication disconnects are known as state
attacks because they attack timing, data flow control, and the transition from one system state to
another.
RACE
Two or more processes require access to the same resource and must complete their tasks in
the proper order for normal functions
Register
The CPU also includes a limited amount of onboard memory, known as registers, that provide it
with directly accessible memory locations that the brain of the CPU, the arithmetic-logical unit (ALU),
uses when performing calculations or processing instructions. Registers are small memory locations directly in the
CPU.
Stack Memory Segment
Used by processors to communicate instructions and data to each other
Memory Addressing
When using memory resources, the processor must have some means of
referring to various locations in memory. The solution to this problem is known as addressing
Register Addressing
When the CPU needs information from one of its registers to complete
an operation, it uses a register address (for example, “register 1”) to access its contents.
Immediate Addressing
Is not a memory addressing scheme per se but rather a way of
referring to data that is supplied to the CPU as part of an instruction. For example, the CPU
might process the command “Add 2 to the value in register 1.” This command uses two
addressing schemes. The first is immediate addressing—the CPU is being told to add the value
2 and does not need to retrieve that value from a memory location—it’s supplied as part of the
command. The second is register addressing; it’s instructed to retrieve the value from register 1
Direct Addressing
In direct addressing, the CPU is provided with an actual address of the
memory location to access. The address must be located on the same memory page as the
instruction being executed. Direct addressing is more flexible than immediate addressing since
the contents of the memory location can be changed more readily than reprogramming the
immediate addressing’s hard-coded data.
Indirect Addressing
Uses a scheme similar to direct addressing. However, the memory
address supplied to the CPU as part of the instruction doesn’t contain the actual value that the
CPU is to use as an operand. Instead, the memory address contains another memory address
(perhaps located on a different page). The CPU reads the indirect address to learn the address
where the desired data resides and then retrieves the actual operand from that address.
Base + Offset Addressing
Uses a value stored in one of the CPU’s registers as the base location from which to begin counting. The CPU then adds the offset supplied with the
instruction to that base address and retrieves the operand from that computed memory location
Aggregation
SQL provides a number of functions that combine records from one or more tables to
produce potentially useful information. Aggregation is not without its security vulnerabilities.
Aggregation attacks are used to collect numerous low-level security items and combine them to create
something of a higher security level or value.