Secure Engineering

Question 1

Open/Closed System

Answer 1

Proprietary software, harder to integrate with.

Question 2

Confinement

Answer 2

Allows process to w/r to only certain memory locations and resources. Sandboxing

Question 3

Bounds

Answer 3

The area in memory/resources process can operate

Question 4

Isolation

Answer 4

When process is confined when enforcing bounds

Question 5

Mandatory Access Control

Answer 5

Static attributes of the subject/object are considered to determine access. RBAC

Question 6

Discretionary Access Control

Answer 6

Subject has some ability to define objects to access. Access control list - dynamic access rule set that hte subject can modify. Often relates to subject’s identity

Question 7

Trusted System

Answer 7

all protection mechanisms work together

Question 8

Assurance

Answer 8

Degree of confidence in satisfaction of security needs

Question 9

Trusted computing base

Answer 9

Hardware + software + controls to enforce security policy

Subset of system. Small as possible. Doesn’t require all other systems be trutsted.

Security perimeter -> trusted paths.

Reference monitor validates access to every resources prior to granting. Stands between every subj/obj

Security kernel: collection of components in TCB that implement RefMon functins

Question 10

Orange Book

Answer 10

DoD 5200.28 / TCB

Question 11

State Machine Model

Answer 11

Always secure no matter what state it’s in. Finite state machine, each state evaluate

Question 12

Information Flow Model

Answer 12

Based on SMM. Bell-LaPdaula and Biba models.

Designed to prevent unauthorized/insecure/restricted info flow, often between ddiff levels of security.

Question 13

Noninterference model

Answer 13

Concerned w/ how actions of subject at higher securit level affect system state of actions of a subject at a lower security level.

Question 14

Composition Theories

Answer 14

Cascading / Feedback / Hookup

Cascading: input for sy1 comes from output of sys2
Feedback: sys2 provides feedback input to sys1
Hookup: sys1 sends info to sys2, another external system

Question 15

Take-Grant model

Answer 15

Directed graph how rights can be passed from one subject to another from a subject to an object.

Take rule, Grant Rule, Create Rule, Remove rule

Question 16

Access Control Matrix

Answer 16

Table of subjects and objects indicating which actions the subject can perform.

Each column is an ACL. Each row is a capabilities list

Question 17

Bell-LaPaluda Model

Answer 17

Focused on maintaining confidentiality. State machine model security

Simple Security Property: no read up
* security property: no write down (confinement property)
Discretionary security property: Access matrix to enforce DAC

Question 18

Biba model

Answer 18

Addresses integrity. State machine model concept. Commercial orgs

Simple Integrity Prop: no read-down
* Integrity Property: no write-up

Drawbacks: only integrity (no CA). No internal threat handling. No access control mgmt. Doesn’t prevent covert channels

Question 19

Clark-Wilson model

Answer 19

Commercial application. Subject/program/object (triple). Subjects access objects through programs. Integrity.

• Constrained Data Item
• Unconstraited data item.
• Integrity verification procedure
• Transformation procedures. only procedures allowed to modify a CDI.

Security labels. Restricted interface model.

Question 20

Brewer and Nash (Chinese Wall) model

Answer 20

Puts a ‘wall’ around data from domains in the same conflict class.
At moment of action, access to any conflicting data is temporarily blocked.

Question 21

Goguen-Meseguer Model

Answer 21

Integrity model. Noninterference theories/model. Users can only perform predetermined actions on predetermined objects

Question 22

Sutherland Model

Answer 22

Integiry model. SMM + info flow model. Defines a set of system states, initial states, and state transitions…

Question 23

Graham-Denning Model

Answer 23

Secure creation/deletion of subjects and objects.

Rules for: create and object/subj, delete and obj/subj, provide read/grant/delete/transfer access.

Usually defined in an Access Control matrix

Question 24

TCSEC

Answer 24

repealed and replaced by Common Criteria. Orange book. Focused on confidentiality

Trusted Computer System Evaluation Criteria. Part of Rainbow Series

Categories:

• A: verified protection. Highest level of security
• B: mandatory protection
• C: discretionary protection
• D: minimal protection. Reserved for systems that have been evaluated but do not meet other category requirements

Levels

• D: Minimal Protection
• C1: Discretionary Protection
• C2: Controlled Access Protection
• B1: Labeled Security
• B2: Structured protection
• B3: Security domains
• A1: Verified protection

Question 25

ITSEC

Answer 25

European model. Replaced with Common Criteria. Address CIA. Doesn’t required TBC. Coverage for maintaining targets of evaluation after changes without re-evaluating.

Functionality of system rated F-D to F-B3.
Assurance from E0 to E6.

Question 26

Common Criteria

Answer 26

ISO 15408. Protection Profiles + Security Targets

PPs: security reqs and protections for a TOE. “I want”
STs: claims of security from the vendor. “I will”

3 parts:

1. Intro and General Model
2. Security Functional Requirements
3. Security Assurance

EALs (eval assurance levels), EAL1-7.

Question 27

Rainbow Series

Answer 27

Orange book: TCSEC
Red book: TCSEC for network connected systems.
Green book: password management guidelines.

Yellow: Guidance for applying TCSEC to spec environments
Tan Book: Audit in trusted systems

Question 28

Discretionary protection

Answer 28

Categories C1-C2 of TCSEC.
Systems provide basic access control. Lacking more sophisticated/stringent controls.

C1: Discretionary security protection: controls access by User IDs/groups. Weaker

C2: Stronger than C1. users must be identified individually to gain access to objects. Enforces media cleaning.

Question 29

Mandatory Protection

Answer 29

Categories B1,B2,B3

Provide more security controls than C or D systems. Based on Bell-LaPadula.

Labeled Security B1: each subj/obj has a label. Sufficient for classified data

Structured protection B2: B1 + no covert channels. Process isolated maintained, operators/admin functions are separated.

Security Domains B3: Further separate and isolate unrelated processes. Secret data.

Question 30

Verified Protection

Answer 30

Category A1

Similar to B3, difference in dev cycle. Each phase of design is documented, evaluated, and verified before next step.

Question 31

Certification

Answer 31

First phase in total evaluation process. Comprehensive evaluation of the technical and nontechnical security features of an IT system, other safeguards made in support of accrediation process.

Select criteria > apply to system components > eval results.

Question 32

Accreditation

Answer 32

Degree to which system/cert meets the needs of an org Formal declaration.
Often done by 3rd party

Question 33

Risk Management Framework (RMF)

Answer 33

DoD standard for cert/accredit

Question 34

Committee on NS Systems Policy (CNSSP)

Answer 34

Standard for all other USG depts, consultants.

Question 35

Cert/Accred systems phases

Answer 35

1. Definition. Assigning personnel, documentation of mission need, created of a System Security Authorization Agreement (SSAA)
2. Verification. Refine for SSAA, cert analysis
3. Validation. Certification, development of a recommendation to the DAA, accreditation decision
4. Post Accreditation. Maintenance of SSAA, change man, etc.

Question 36

Memory Protection

Answer 36

A security capability of Info Systems.

Used to prevent an active process from interacting with an area of memory that was not specifically assigned/allocated to it.

Question 37

Virtualization

Answer 37

Host multiple OSs within memory of a single host.

Question 38

Trusted Platform Module

Answer 38

TPM: both specification for cryptoprocessor chip and name of impl of the specification.

TPM chip used to store and process crypto keys for purposes of a hardware supported/implemented hard drive encryption system.

Question 39

Interfaces

Answer 39

constrained/restricted interface. Restricts what users can do or see based on privileges.

Question 40

Fault Tolerance

Answer 40

Suffer a fault but continue to operate.

Add Redundant Array of Inexpensive Disks (RAID), or additional servers.