Lecture 10 Notes

Question 1

reference monitor

Answer 1

part of the TCB that validates access to every resource prior to granting access requests

stands between each subject and object

may be a conceptual part of the TCB

Question 2

security kernel

Answer 2

The collection of components in the TCB that work together to implement reference monitor functions

Question 3

security perimeter

Answer 3

imaginary boundary that separates the TCB from the rest of the system

Question 4

trusted paths

Answer 4

For the TCB to communicate with the rest of the system, it must create secure channels called, also called

Question 5

TCSEC guidelines on trusted paths

Answer 5

B2 and higher systems

Question 6

State Machine Model

Answer 6

The state machine model describes a system that is secure in every of its possible states, and it is based on the notion of Finite State Machine (FSM)
A state is a snapshot of a system at a specific moment in time
Next state and output are a function of current state and input

Question 7

Information Flow Model

Answer 7

The information flow model focuses on the flow of information
Based on a state machine model
Designed to prevent unauthorized, insecure, or restricted information flow

Question 8

Bell-LaPadula and Biba Model Type

Answer 8

Information Flow Model

Question 9

Bell-LaPadula

Answer 9

preventing information from flowing from a high security level to a low security level

This is accomplished by blocking lower-classified subjects from accessing higher-classified objects

With these restrictions, the model is focused on maintaining the confidentiality of objects, but it does not address integrity and availability

Question 10

Biba

Answer 10

preventing information from flowing from a low security level to a high security level

Question 11

Noninterference Model

Answer 11

The noninterference model is loosely based on the information flow model

However, it is concerned with how the actions of a subject at a higher security level affect the system state or actions of a subject at a lower security level

The actions of a higher level subject A should not affect the actions of lower level subject B or even be noticed by B

Question 12

composition theories

Answer 12

explain how outputs from one system relate to inputs to another system

Cascading
Input for one system comes from the output of another system

Feedback
One system provides input to another system, and vice versa

Hookup
One system sends input to another system and also to external entities

Question 13

Take-Grant Model

Answer 13

The Take-Grant model employs a directed graph to dictate how rights can be passed
from one subject to another
from a subject to an object

Question 14

Access Control Matrix

Answer 14

An access control matrix is a table of subjects and objects indicating the actions or functions that each subject can perform on each object

Question 15

access control list (ACL)

Answer 15

An ACL is tied to the object: it lists valid actions each subject can perform

Each column of the matrix is an access control list (ACL)

Question 16

capabilities list

Answer 16

A capability list is tied to the subject: it lists valid actions that can be taken on each object

From an administration perspective, using only capability lists for access control is a management nightmare
To remove access to a particular object, every user (subject) that has access to it must be individually manipulated

Each row of the matrix is a capabilities list

Question 17

Properties of Bell-LaPadula State Machine

Answer 17

Focused on Confidentiality

The Simple Security Property states that a subject may not read information at a higher sensitivity level (no read up)

The * (star) Security Property states that a subject may not write information to an object at a lower sensitivity level (no write down)
This is also known as the confinement property

The Discretionary Security Property states that the system uses an access matrix to enforce discretionary access control (need-to-know)

Question 18

Properties of Biba State machine

Answer 18

Focused on integrity

The Simple Integrity Property states that a subject cannot read an object at a lower integrity level (no read down)

The * (star) Integrity Property states that a subject cannot modify an object at a higher integrity level (no write up)

As with Bell-LaPadula, Biba requires that all subjects and objects have a classification label

Question 19

Brewer and Nash Model

Answer 19

AKA Chinese Wall

Creates security domains that are sensitive to conflict of interest

Question 20

Closed System

Answer 20

Designed to work with a narrow range of other systems, generally all from the same manufacturer

Standards for closed systems are often proprietary and not normally disclosed

In closed-source (or commercial) solutions source code and internal logic are hidden from the public

Question 21

Open System

Answer 21

Designed using agreed-upon industry standards

Much easier to integrate with systems from different manufacturers

In open-source solutions source code and internal logic are exposed to the public

Question 22

Confinement

Answer 22

Process confinement allows a process to read from and write to only certain memory locations and resources

Question 23

Bounds

Answer 23

Each process that runs on a system is assigned an authority level (e.g., user and kernel)

Question 24

Isolation

Answer 24

When a process is confined through enforcing access bounds, that process runs in isolation

Question 25

Controls

Answer 25

Controls use access rules to limit the access by a subject to an object

Question 26

Trust

Answer 26

A trusted system is one in which all protection mechanisms and security components work together to process sensitive data for many types of users while maintaining a stable and secure computing environment

Question 27

Assurance

Answer 27

Assurance is simply defined as the degree of confidence in the satisfaction of security needs

Question 28

TCSEC

Answer 28

AKA “Orange Book”

The TCSEC established guidelines to evaluate a stand-alone computer from the security perspective

Category A: Verified protection
Category B: Mandatory protection
Category C: Discretionary protection
Category D: Minimal protection

Question 29

ITSEC

Answer 29

The ITSEC represents an initial attempt to create security evaluation criteria in Europe

The ITSEC guidelines evaluate the functionality and assurance of a system using separate ratings for each category

The functionality rating of a system states how well the system performs all necessary functions based on its design and intended purpose
Rating scale: F-D (F1) – F-B3 (F6)

The assurance rating represents the degree of confidence that the system will work properly in a consistent manner
Rating scale: E0 – E6

ITSEC addresses concerns about loss of integrity and availability in addition to confidentiality

Question 30

Common Criterion

Answer 30

The Common Criteria represent a global effort that involves everybody who worked on TCSEC and ITSEC as well as other players

This document was converted by ISO into an official standard
ISO 15408, Evaluation Criteria for Information Technology Security

Protection Profiles (PPs) specify the security requirements and protections of a product that is to be evaluated (Target of Evaluation, TOE)

Security Targets (STs) specify the claims of security from the vendor that are built into a TOE

Question 31

Common Criterion Assurance Levels

Answer 31

Assurance levels
EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodically tested and checked
EAL4: Methodically designed, tested, and reviewed
EAL5: Semi-formally designed and tested
EAL6: Semi-formally verified, designed, and tested
EAL7: Formally verified, designed, and tested

Question 32

Covert Channel

Answer 32

A covert channel is a method to pass information over a path that is not normally used for communication

All levels at or above B2 must contain controls to detect and prohibit covert channels (TCSEC)

Question 33

Covert storage channels

Answer 33

Conveys information by writing data to a common storage area where another process can read it

Question 34

Covert timing channels

Answer 34

Conveys information by altering the performance of a system component or modifying a resource’s timing in a predictable manner

Question 35

Payment Card Industry – Data Security Standard (PCI-DSS)

Answer 35

PCI-DSS is a collection of requirements for improving the security of electronic payment transactions

Question 36

International Organization for Standardization (ISO)

Answer 36

ISO is a worldwide standards-setting group of representatives from various national standards organizations

ISO defines standards for industrial and commercial equipment, software, protocols, and management, among others

Question 37

Certification

Answer 37

Internal comprehensive evaluation of the technical and nontechnical security features of an IT system

Question 38

Accreditation

Answer 38

A formal declaration by a Designated Approving Authority (DAA) that an IT system is approved to operate in a particular security mode using prescribed safeguards at an acceptable level of risk (external evaluation)