Domain 3: Security Engineering; Security Models Flashcards

1
Q

Is Bell-LaPadula mandatory or discretionary?

A

Mandatory.

2
Q

What is reading down?

A

When a subject reads an object at a lower security level.

3
Q

What is writing up?

A

When a subject passes information to an object which has higher sensitivity than the subject has permission to access.

4
Q

What is the State Machine Model?

A

A state machine model is a mathematical model that groups all possible system occurrences, called states. Every possible state of a system is evaluated, showing all possible interactions between subjects and objects. If every state is proven to be secure, the system is proven to be secure.

5
Q

What is the focus of the Bell-LaPadula Model?

A

Maintaining the confidentiality of objects. This means not allowing users at a lower security level to access objects at a higher level.

6
Q

What are the two rules Bell-LaPadula observes?

A

The Simple Security Property and the * Security Property.

7
Q

What is the Simple Security Property?

A

“no read up”. A subject at a specific classification level cannot read an object at a higher level.

8
Q

What is the * Security Property? (Star Security Property)

A

“no write down”. A subject at a higher classification level cannot write down to an object at a lower level.

9
Q

Within the Bell-LaPadula access control model, what are the two properties that dictate how the system will issue security labels for objects?

A

The Strong Tranquility Property states that security labels will not change while the system is operating. The Weak Tranquility Property states that security labels will not change in a way that conflicts with defined security properties.

10
Q

What is Lattice-based access control?

A

Lattice-based access control allows security controls for complex environments. For every relationship between a subject and object, there are defined upper and lower access limits implemented by the system. The subject can be allowed access to higher or lower classification depending on their needs. Subjects have a Least Upper Bound (LUB) and Greatest Lower Bound (GLB) depending on their position in the lattice.

11
Q

What is the Biba-Model?

A

Focuses on integrity of data. “no write up; no read down”. This prevents bad data from being written to higher classification levels, and bad data being read from lower classification levels.

12
Q

Within the Biba-Model, the rule for “no read down” is called?

A

The Simple Integrity Axiom.

13
Q

Within the Biba-Model, the rule for “no write up” is called?

A

The * Integrity Axiom.

14
Q

What is the Clark-Wilson model?

A

Clark-Wilson is a real-world integrity model that protects integrity by requiring subjects to access objects via programs. Because the programs have specific limitations to what they can and cannot do, this model effectively limits the capabilities of the subject.

15
Q

What are the two primary concepts Clark-Wilson uses to ensure the security policy is enforced?

A

Well-formed transactions and Separation of Duties.

16
Q

Within Clark-Wilson, what does Well-formed transactions describe?

A

It describes Clark-Wilson’s ability to enforce control over applications. This process is comprised of the “access control triple:” user, transformation procedure, and constrained data item.

17
Q

Within Clark-Wilson, describe the “access control triple”.

A

A transformation procedure (TP) is a well-formed transaction.
A constrained data item (CDI) is data that requires integrity.
An unconstrained data item (UDI) is data that does not require integrity.

18
Q

Within Clark-Wilson, what is IVP?

A

Integrity Verification Procedures, which ensure that the data are kept in a valid state.

19
Q

Within Clark-Wilson, for each TP…

A

… an audit record is made and entered into the access control system. This provides both detective and recovery controls in case integrity is lost.

20
Q

Within Clark-Wilson, what is the purpose of separation of duties?

A

To ensure authorized users do not change data in an inappropriate way.

21
Q

What is the Chinese Wall Model?

A

It’s designed to avoid conflicts of interest by prohibiting one person, such as a consultant, from accessing multiple conflict of interest (CoI) categories. The Chinese Wall model requires that CoIs be identified so that once a consultant gains access to one CoI, they cannot read or write to an opposing CoI.

22
Q

What is the Noninterference model?

A

It prevents covert channel communication from occurring by ensuring data in different security domains remains separate from one another. This separation prevents information from crossing security boundaries.

23
Q

What is a covert channel?

A

A covert channel is policy-violating communication that is hidden from the owner or users of a data system.

24
Q

What is the Take-Grant Protection Model?

A

The Take-Grant Protection Model contains rules that govern the interactions between subjects and objects, and permissions subjects can grant to other subjects. Rules include: take, grant, create, and remove.

25
Q

What is the Access Control Matrix?

A

An access control matrix is a table that defines access permissions between specific subjects and objects. A matrix is a data structure that acts as a table lookup for the operating system.

26
Q

Within the Access Control Matrix, what are the functions of the rows and columns?

A

The rows show the capabilities of each subject. Each row is called a capability list. The columns show the ACL for each object or application.

27
Q

What are the six frameworks and rules of the Zachman Framework for Enterprise Architecture?

A

The frameworks are what, how, where, who, when, and why. The rules are planner, owner, designer, builder, programmer, and user.

28
Q

What are the three parts of the Graham-Denning model and what are the eight rules?

A
The three parts are: subject, object, and rules. The rules are:
R1: Transfer Access
R2: Grant Access
R3: Delete Access
R4: Read Object
R5: Create Object
R6: Destroy Object
R7: Create Subject
R8: Destroy Subject.
29
Q

How is the Harrison-Ruzzo-Ullman model different from the Graham-Denning model?

A
It treats subjects as objects as well. There are only six primitive rules:
Create object
Create subject
Destroy object
Destroy subject
Enter right into access matrix
Destroy right from access matrix
30
Q

What are the four Modes of Operation?

A

Dedicated, System High, Compartmented, Multilevel.

31
Q

What is the Dedicated mode of operation?

A

The system contains objects of one classification label. All subjects must possess a clearance level equal to or greater than the label of the object.

32
Q

What is System High mode of operation?

A

The system contains objects of mixed labels. All subjects must have a clearance level equal to the system’s highest object.

33
Q

What is Compartmented mode of operation?

A

Objects on the system are placed into compartments that require additional approval before a subject has access to it, even if the subject has the appropriate clearance to access the system.

34
Q

What is Multilevel mode of operation?

A

The system stores objects of differing clearance labels, and the subjects have differing clearance levels. A top secret subject can access top secret objects, but a secret subject cannot. A reference monitor mediates the access between subjects and objects.