Secure Engineering Flashcards
Open/Closed System
Proprietary software, harder to integrate with.
Confinement
Allows process to w/r to only certain memory locations and resources. Sandboxing
Bounds
The area in memory/resources process can operate
Isolation
When process is confined when enforcing bounds
Mandatory Access Control
Static attributes of the subject/object are considered to determine access. RBAC
Discretionary Access Control
Subject has some ability to define objects to access. Access control list - dynamic access rule set that hte subject can modify. Often relates to subject’s identity
Trusted System
all protection mechanisms work together
Assurance
Degree of confidence in satisfaction of security needs
Trusted computing base
Hardware + software + controls to enforce security policy
Subset of system. Small as possible. Doesn’t require all other systems be trutsted.
Security perimeter -> trusted paths.
Reference monitor validates access to every resources prior to granting. Stands between every subj/obj
Security kernel: collection of components in TCB that implement RefMon functins
Orange Book
DoD 5200.28 / TCB
State Machine Model
Always secure no matter what state it’s in. Finite state machine, each state evaluate
Information Flow Model
Based on SMM. Bell-LaPdaula and Biba models.
Designed to prevent unauthorized/insecure/restricted info flow, often between ddiff levels of security.
Noninterference model
Concerned w/ how actions of subject at higher securit level affect system state of actions of a subject at a lower security level.
Composition Theories
Cascading / Feedback / Hookup
Cascading: input for sy1 comes from output of sys2
Feedback: sys2 provides feedback input to sys1
Hookup: sys1 sends info to sys2, another external system
Take-Grant model
Directed graph how rights can be passed from one subject to another from a subject to an object.
Take rule, Grant Rule, Create Rule, Remove rule
Access Control Matrix
Table of subjects and objects indicating which actions the subject can perform.
Each column is an ACL. Each row is a capabilities list
Bell-LaPaluda Model
Focused on maintaining confidentiality. State machine model security
Simple Security Property: no read up
* security property: no write down (confinement property)
Discretionary security property: Access matrix to enforce DAC
Biba model
Addresses integrity. State machine model concept. Commercial orgs
Simple Integrity Prop: no read-down
* Integrity Property: no write-up
Drawbacks: only integrity (no CA). No internal threat handling. No access control mgmt. Doesn’t prevent covert channels
Clark-Wilson model
Commercial application. Subject/program/object (triple). Subjects access objects through programs. Integrity.
- Constrained Data Item
- Unconstraited data item.
- Integrity verification procedure
- Transformation procedures. only procedures allowed to modify a CDI.
Security labels. Restricted interface model.
Brewer and Nash (Chinese Wall) model
Puts a ‘wall’ around data from domains in the same conflict class.
At moment of action, access to any conflicting data is temporarily blocked.
Goguen-Meseguer Model
Integrity model. Noninterference theories/model. Users can only perform predetermined actions on predetermined objects
Sutherland Model
Integiry model. SMM + info flow model. Defines a set of system states, initial states, and state transitions…
Graham-Denning Model
Secure creation/deletion of subjects and objects.
Rules for: create and object/subj, delete and obj/subj, provide read/grant/delete/transfer access.
Usually defined in an Access Control matrix
TCSEC
repealed and replaced by Common Criteria. Orange book. Focused on confidentiality
Trusted Computer System Evaluation Criteria. Part of Rainbow Series
Categories:
- A: verified protection. Highest level of security
- B: mandatory protection
- C: discretionary protection
- D: minimal protection. Reserved for systems that have been evaluated but do not meet other category requirements
Levels
- D: Minimal Protection
- C1: Discretionary Protection
- C2: Controlled Access Protection
- B1: Labeled Security
- B2: Structured protection
- B3: Security domains
- A1: Verified protection
ITSEC
European model. Replaced with Common Criteria. Address CIA. Doesn’t required TBC. Coverage for maintaining targets of evaluation after changes without re-evaluating.
Functionality of system rated F-D to F-B3.
Assurance from E0 to E6.
Common Criteria
ISO 15408. Protection Profiles + Security Targets
PPs: security reqs and protections for a TOE. “I want”
STs: claims of security from the vendor. “I will”
3 parts:
- Intro and General Model
- Security Functional Requirements
- Security Assurance
EALs (eval assurance levels), EAL1-7.
Rainbow Series
Orange book: TCSEC
Red book: TCSEC for network connected systems.
Green book: password management guidelines.
Yellow: Guidance for applying TCSEC to spec environments
Tan Book: Audit in trusted systems
Discretionary protection
Categories C1-C2 of TCSEC.
Systems provide basic access control. Lacking more sophisticated/stringent controls.
C1: Discretionary security protection: controls access by User IDs/groups. Weaker
C2: Stronger than C1. users must be identified individually to gain access to objects. Enforces media cleaning.
Mandatory Protection
Categories B1,B2,B3
Provide more security controls than C or D systems. Based on Bell-LaPadula.
Labeled Security B1: each subj/obj has a label. Sufficient for classified data
Structured protection B2: B1 + no covert channels. Process isolated maintained, operators/admin functions are separated.
Security Domains B3: Further separate and isolate unrelated processes. Secret data.
Verified Protection
Category A1
Similar to B3, difference in dev cycle. Each phase of design is documented, evaluated, and verified before next step.
Certification
First phase in total evaluation process. Comprehensive evaluation of the technical and nontechnical security features of an IT system, other safeguards made in support of accrediation process.
Select criteria > apply to system components > eval results.
Accreditation
Degree to which system/cert meets the needs of an org Formal declaration.
Often done by 3rd party
Risk Management Framework (RMF)
DoD standard for cert/accredit
Committee on NS Systems Policy (CNSSP)
Standard for all other USG depts, consultants.
Cert/Accred systems phases
- Definition. Assigning personnel, documentation of mission need, created of a System Security Authorization Agreement (SSAA)
- Verification. Refine for SSAA, cert analysis
- Validation. Certification, development of a recommendation to the DAA, accreditation decision
- Post Accreditation. Maintenance of SSAA, change man, etc.
Memory Protection
A security capability of Info Systems.
Used to prevent an active process from interacting with an area of memory that was not specifically assigned/allocated to it.
Virtualization
Host multiple OSs within memory of a single host.
Trusted Platform Module
TPM: both specification for cryptoprocessor chip and name of impl of the specification.
TPM chip used to store and process crypto keys for purposes of a hardware supported/implemented hard drive encryption system.
Interfaces
constrained/restricted interface. Restricts what users can do or see based on privileges.
Fault Tolerance
Suffer a fault but continue to operate.
Add Redundant Array of Inexpensive Disks (RAID), or additional servers.
