Domain 3: System Design Flashcards
- Uses multiple security controls in a series
- i.e., after passing one security control you enter another
Layering
Generic list of security architecture layers
- Hardware
- Kernel and device drivers
- OS
- Applications
Hides unnecessary details from the user.
Abstraction
List of objects a subject is allowed to access.
Security Domain
- CPU hardware layering model that separates and protects domains from each other
- i.e. kernel mode and user mode
Ring Model
Allows processes to communicate with the kernel and provides a window between the rings
System Calls
List the rings in the Ring Model
Ring 0: Kernel
Ring 1: Other OS components that do not fit in Ring 0
Ring 2: Device drivers
Ring 3: User applications
Uses open hardware and standards, using standard components from a variety of vendors
Open System
Uses proprietary hardware or software
Closed System
Another name for a computer case
System Unit
Communication between the CPU, memory, and input/output devices (e.g., keyboard, mouse, etc.) occurs here
Computer Bus
The part of the CPU that performs mathematical calculations
Arithmetic Logic Unit (ALU)
Four steps of a CPU “fetch and execute (FDX)” process
- Fetch instruction
- Decode instruction
- Execute instruction
- Write (save) result
Combines multiple CPU steps into one process
Pipelining
Causes the CPU to stop processing its current task, save the state and begin processing a new request.
Interrupt
An executable program and its associated data loaded and running in memory
Process
Parent process that spawns additional child processes
Threads
Allows multiple tasks to run simultaneously on one CPU
Multitasking
Runs multiple processes on multiple CPUs
Multiprocessing
CPU design that uses a large set of complex machine language instructions
Complex Instruction Set Computer (CISC)
CPU design that uses a reduced set of simpler instructions
Reduced Instruction Set Computer (RISC)
Logical memory control that prevents one process from interfering with another
Process Isolation
Uses virtual memory to copy contents of RAM to and from disk
Swapping
Storage that can be written to once and read many times.
WORM Storage
Hardware chip that provides random number generation for cryptographic operations
Trusted Platform Module
Prevents code execution in memory locations that are not pre-defined to contain executable content
Data Execution Prevention (DEP)
Randomizes memory addresses to make exploitation more difficult
Address Space Layout Randomization (ASLR)
Provides the interface between the hardware and the rest of the OS
Kernel
- Enforces system’s security policy
- Logical part of the TCB
- i.e. preventing a normal user from writing to a restricted file like the system password file
Reference Monitor
Also called bare metal; the virtualization OS runs directly on the server hardware
Type 1 Hypervisor
Virtualization application runs on a normal OS, e.g., Windows 10
Type 2 Hypervisor
- Customer configures OS, apps, and performs all required maintenance
- Cloud service provider maintains the cloud infrastructure
- e.g., servers, storage, and in some cases network resources
Infrastructure As A Service (IaaS)
- Customer manages their apps
- Cloud service provider is responsible for the maintenance of host OS and the underlying infrastructure
- i.e. hardware, OS, applications
Platform As A Service (PaaS)
- Completely configured, from the OS to apps
- Customer does not manage or control any assets
- i.e. Gmail
Software as a Service (SaaS)
- Cloud that houses data for a single organization
- Can be operated by a third party or in-house
Private Clouds
Attempts to harness the computational resources of a large number of dissimilar devices
Grid Computing
Allows for increased performance through economies of scale
Large-Scale Parallel Systems
- Any system can act as client, server or both, depending on data needs
- No central servers in this model.
Peer-to-Peer (P2P)
Allows centralization of applications and their data, as well as the associated security costs of upgrades, patching, data storage, etc.
Thin Clients
Form of computer management device that controls industrial processes and machines
Industrial Control Systems (ICS)
Typically found in industrial process plants where the need to gather data and implement control over a large-scale environment from a single location is essential.
DCS Units
- Typically deployed for management and automation of various industrial operations
- e.g., controlling systems on an assembly line, or a large digital light display (giant display system in a stadium)
PLC Units
Can operate as a standalone device, be networked together with other like systems, or be networked with traditional IT systems.
SCADA System
Divides CPU time among child processes (aka threads)
Multithreading
Restricts a process to reading from and writing to certain memory locations
Confinement
The memory limits a process cannot exceed when reading or writing
Bounds
The mode a process runs in when it is confined through the use of memory bounds
Isolation
Collections of TCB components that implement the functionality of the reference monitor
Security Kernel