Domain 3: Security Engineering; Security Models

Question 1

Is Bell-LaPadula mandatory or discretionary?

Answer 1

Mandatory.

Question 2

What is reading down?

Answer 2

When a subject reads an object at a lower security level.

Question 3

What is writing up?

Answer 3

When a subject passes information to an object which has higher sensitivity than the subject has permission to access.

Question 4

What is the State Machine Model?

Answer 4

A state machine model is a mathematical model that groups all possible system occurences, called states. Every possible state of a system is evaluated, showing all possible interactions between subjects and objects. If every state is proven to be secure, the system is proven to be secure.

Question 5

What is the focus of the Bell-LaPadula Model?

Answer 5

Maintaining the confidentiality of objects. This means not allowing users at a lower security level to access objects at a higher level.

Question 6

What are the two rules Bell-LaPadula observes?

Answer 6

The Simple Security Property and the * Security Property.

Question 7

What is the Simple Security Property?

Answer 7

“no read up”. A subject at a specific classification level cannot read an object at a higher level.

Question 8

What is the * Security Property? (Star Security Property)

Answer 8

“no write down”. A subject at a higher classification level cannot write down to an object at a lower level.

Question 9

Within the Bell-Lapadula access control model, what are the two properties that dictate how the system will issue security labels for objects?

Answer 9

The Strong Tranquility Property states that security labels will not change while the system is operating. The Weak Tranquility Property states that security labels will not change in a way that conflicts with defined security properties.

Question 10

What is Lattice-based access control?

Answer 10

Lattice-based access control allows security controls for complex environments. For every relationship between a subject and object, there are defined upper and lower access limits implemented by the system. The subject can be allowed access to higher or lower classification depending on their needs. Subjects have a Least Upper Bound (LUB) and Greatest Lower Bound (GLB) depending on their position in the latice.

Question 11

What is the Biba-Model?

Answer 11

Focuses on Integrity of data. “no write up;no read down”. This prevents bad data from being written to higher classification levels, and bad data being read from lower classification levels.

Question 12

Within the Biba-Model, the rule for “no read down” is called?

Answer 12

The Simple Integrity Axiom.

Question 13

Within the Biba-Model, the rule for “no write up” is called?

Answer 13

The * Integrity Axiom.

Question 14

What is the Clark-Wilson model?

Answer 14

Clark-Wilson is a real-world integrity model that protects integrity by requiring subjects to access objects via programs. Because the programs have specific limitations to what they can and cannot do, this model effectively limits the capabilities of the subject.

Question 15

What are the two primary concepts Clark-Wilson uses to ensure the security policy is enforced?

Answer 15

Well-formed transactions and Separation of Duties.

Question 16

Within Clark-Wilson, what does Well-formed transactions describe?

Answer 16

It describes Clark-Wilson’s ability to enforce control over applications. This process is comprised of the “access control triple:” user, transformation procedure, and constrained data item.

Question 17

Within Clark-Wilson, describe the “access control triple”.

Answer 17

A transformation procedure (TP) is a well-formed transaction.
A constrained data item (CDI) is data that requires integrity.
An unconstrained data item (UDI) are data that do not require integrity.

Question 18

Within Clark-Wilson, what is IVP?

Answer 18

Integrity Verification Procedures, ensures that the data are kept in a valid state.

Question 19

Within Clark-Wilson, for each TP…

Answer 19

… an audit record is made and entered into the access control system. This provides both detective and recovery controls in case integrity is lost.

Question 20

Within Clark-Wilson, what is the purpose of separation of duties?

Answer 20

To ensure authorized users do not change data in an inappropriate way.

Question 21

What is the Chinese Wall Model?

Answer 21

It’s designed to avoid conflict of interest by prohibiting one person, such as a consultant, from accessing multiple conflict of interest (CoIs) categories. The Chinese Wall model requires that CoIs be identified so that once a consultant gains access to one CoI, they cannot read or write to an opposing CoI.

Question 22

What is the Noninterference model?

Answer 22

It prevents covert channel communication from occuring by ensuring data at different security domains remain separate from one another. This separation prevents information from crossing security boundaries.

Question 23

What is a covert channel?

Answer 23

A cover channel is policy-violating communication that is hidden from the owner or users of a data system.

Question 24

What is the Take-Grant Protection Model?

Answer 24

The Take-Grant Protection Model contains rules that govern the interactions between subjects and objects, and permissions subjects can grant to other subjects. Rules include: take, grant, create, and remove.

Question 25

What is the Access Control Matrix?

Answer 25

An access control matrix is a table that defines access permissions between specific subjects and objects. A matrix is a data structure that acts as a table lookup for the operating system.

Question 26

Within the Access Control Matrix, what are the functions of the rows and columns?

Answer 26

The rows show the capabilities of each subject. Each row is called a capability list. The columns show the ACL for each object or application.

Question 27

What are the six frameworks and rules of the Zachman Framework for Enterprise Architecture?

Answer 27

The frameworks are what, how, where, who, when, and why. The rules are planner, owner, designer, builder, programmer, and user.

Question 28

What are the three parts of the Graham-Denning model and what are the eight rules?

Answer 28

The three parts are: subject, object, and rules. The rules are:
R1: Transfer Access
R2: Grant Access
R3: Delete Access
R4: Read Object
R5: Create Object
R6: Destroy Object
R7: Create Subject
R8: Destroy Subject.

Question 29

How is the Harrison-Ruzzo-Ullman model different from the Graham-Denning model?

Answer 29

It treats the subjects to be also objects. There are only six primitive rules:
Create object
Create subject
Destroy object
Destroy subject
Enter right into access matrix
Destroy right from access matrix

Question 30

What are the four Modes of Operation?

Answer 30

Dedicated, System High, Compartmented, Multilevel.

Question 31

What is the Dedicated mode of operation?

Answer 31

The system contains objects of one classification label. All subjects must possess a clearance level equal or greater than the label of the object.

Question 32

What is System High mode of operation?

Answer 32

The system contains objects of mixed labels. All subjects must have a clearance level equal to the system’s highest object.

Question 33

What is Compartmented mode of operation?

Answer 33

Objects on the system are placed into compartments that require additional approval before a subject has access to it, even if the subject has the appropriate clearance to access the system.

Question 34

What is Multilevel mode of operation?

Answer 34

The systems stores objects of differing clearance labels, and the subjects have differing clearance levels. A top secret subject can access top secret objects, but a secret subject can not. A reference monitor mediates the access between subjects and objects.