Security Architecture Flashcards
The rings are (theoretically) used as follows:
- Ring 0—Kernel
- Ring 1—Other OS components that do not fit into ring 0
- Ring 2—Device drivers
- Ring 3—User applications
Complex Instruction Set Computer (CISC)
Uses a large set of complex machine language instructions, each of which does a lot of work, so programs are smaller; x86 CPUs are CISC.
Because each instruction does more, a CISC program needs fewer instruction fetches from main memory than the equivalent RISC program.
Trade-off: the complex instructions take more cycles to decode and execute.
Reduced Instruction Set Computer (RISC)
RISC uses a reduced set of simpler instructions.
The instructions are shorter and simpler, so a complex task requires more individual instructions, but each one executes quickly (typically in a single cycle).
Time multiplexing
shares (multiplexes) system resources between
multiple processes, each with a dedicated slice of time.
security kernel has three main requirements
- Isolation: It must provide isolation for the processes carrying out the reference monitor concept, and the processes must be tamperproof.
- Completeness: it must be invoked for every access attempt, impossible to circumvent, and must be implemented in a complete and foolproof way.
- Verifiability: It must be small enough to be tested and verified in a complete and comprehensive manner.
Type 1 hypervisor (bare metal)
runs directly on the host hardware, with no host OS underneath it.
Example: VMware ESX.
Type 2 hypervisor
runs as an application on a normal host OS, such as Windows. Example: VMware Workstation is Type 2.
Service-Oriented Architecture (SOA)
environments “allow for a suite of interoperable services” to be used within multiple, separate systems from several business domains.
“Services are expected to be platform independent”: a service is not tied to a particular programming language, and callers invoke it using standard means available within their programming language of choice.
Polyinstantiation
means the database can hold two rows with the same primary key at different classification levels: one labeled secret and one labeled top secret. A lower-cleared user who inserts a key that already exists at a higher level gets a new low-labeled row instead of a key-conflict error, so the existence of the higher row is not revealed.
Inference
is the ability to deduce (infer) sensitive or restricted information from observing available information.
An example of a “database inference control is polyinstantiation”.
Aggregation
is a process in which a user combines information from separate resources to derive restricted information.
Aggregation is similar to inference, but there is a key difference: no deduction is required. The user asks every question, receives every answer, and assembles the restricted information from pieces that are individually unrestricted.
Note: to prevent aggregation and inference, we use cell suppression to hide specific cells that contain sensitive information.
Data mining
searches large amounts of data to determine patterns that would otherwise get lost in the noise.
Disadvantage: risk of privacy violations, and integrity risk if the mined data is inaccurate or misused.
Zachman Framework for Enterprise Architecture
asks six questions (what, how, where, who, when, and why) and maps them across six roles: planner, owner, designer, builder, programmer, and user.
These questions and roles are mapped to a matrix; each cell is one view of the enterprise that must be covered, including its security aspects.
SABSA
a holistic life cycle for developing security architecture that begins with assessing business requirements and subsequently creating a “chain of traceability” through the phases of strategy, concept, design, implementation, and metrics.
Weaknesses of Bell–LaPadula
No mention of integrity and availability; it addresses confidentiality only.
It doesn’t address need-to-know and has no mechanism for a one-to-one mapping of subjects and objects.
No policies for changing access control data.
Contains covert channels and is static in nature.
Clark–Wilson uses two primary concepts to ensure that security policy is enforced:
Well-formed transactions and
Certification, enforcement, and separation of duties.
access control triple is
Subject (user); Transformation procedure (program), i.e., the well-formed transaction; Constrained data item (object), i.e., data that requires integrity.
In Clark–Wilson, the assurance is based
upon integrity verification procedures (IVPs) that check that data is in a valid state, and transformation procedures (TPs) that move data only from one valid state to another.
In Clark–Wilson, an audit record is made and entered into the access control system to provide
both detective and recovery controls in case integrity is lost.
Within Clark–Wilson, certification and enforcement
certification rules monitor integrity (TPs and IVPs are certified as correct);
enforcement rules preserve integrity (only certified TPs may touch CDIs, and only by authorized users).
Clark–Wilson requires that users
are authorized to access and modify data.
It also requires that data is modified in only authorized ways.
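As an added example (not from the flashcards and not Clark–Wilson's own formalism), the following Python models the access triple, certification and enforcement, IVPs, well-formed transactions, separation of duties between certifier and executor, and the audit and recovery behaviour described above. The ledger, account names, and user names are hypothetical.

```python
import copy
from dataclasses import dataclass


class IntegrityViolation(Exception):
    """Raised when a TP or an IVP finds a CDI outside its valid states."""


@dataclass
class Ledger:
    """Constrained data item (CDI). Hypothetical sample data: account balances
    that must always add up to the recorded total and never go negative."""
    balances: dict
    total: int


def ivp_ledger(cdi: Ledger) -> bool:
    """Integrity verification procedure: is this CDI in a valid state?"""
    return sum(cdi.balances.values()) == cdi.total and min(cdi.balances.values()) >= 0


def tp_transfer(cdi: Ledger, src: str, dst: str, amount: int) -> None:
    """Transformation procedure (well-formed transaction): moves value between
    accounts without changing the total, so a valid state maps to a valid state."""
    if amount <= 0 or cdi.balances.get(src, 0) < amount:
        raise IntegrityViolation(f"cannot move {amount} out of {src}")
    cdi.balances[src] -= amount
    cdi.balances[dst] = cdi.balances.get(dst, 0) + amount


class ClarkWilsonMonitor:
    """Enforces the access triple (user, TP, CDI), separation of duties between
    certifier and executor, post-TP verification with the IVP, and an audit log."""

    def __init__(self):
        self.tps = {}         # TP name -> (callable, who certified it)
        self.ivps = {}        # CDI name -> IVP callable
        self.triples = set()  # authorized (user, TP name, CDI name) triples
        self.audit = []       # append-only log of (user, TP, CDI, outcome)

    def certify(self, certifier, tp_name, tp, cdi_name, ivp):
        """Certification: declare a TP well-formed and register the CDI's IVP."""
        self.tps[tp_name] = (tp, certifier)
        self.ivps[cdi_name] = ivp

    def grant(self, user, tp_name, cdi_name):
        """Enforcement: add an access triple; the certifier may not also execute."""
        _, certifier = self.tps[tp_name]
        if user == certifier:
            raise PermissionError("separation of duties: certifier cannot execute the TP")
        self.triples.add((user, tp_name, cdi_name))

    def execute(self, user, tp_name, cdi_name, cdi, *args):
        """Users touch CDIs only through a certified TP they hold a triple for."""
        if (user, tp_name, cdi_name) not in self.triples:
            self.audit.append((user, tp_name, cdi_name, "denied"))
            raise PermissionError(f"no access triple for {user}/{tp_name}/{cdi_name}")
        before = copy.deepcopy(cdi)
        try:
            self.tps[tp_name][0](cdi, *args)
            if not self.ivps[cdi_name](cdi):
                raise IntegrityViolation("IVP failed after TP")
        except IntegrityViolation:
            cdi.__dict__.update(before.__dict__)  # recovery: restore the last valid state
            self.audit.append((user, tp_name, cdi_name, "rolled back"))
            raise
        self.audit.append((user, tp_name, cdi_name, "ok"))


def demo():
    """Constructed scenario; returns the observable results for checking."""
    ledger = Ledger(balances={"ops": 100, "payroll": 50}, total=150)
    cw = ClarkWilsonMonitor()
    cw.certify("security-officer", "transfer", tp_transfer, "ledger", ivp_ledger)
    cw.grant("clerk", "transfer", "ledger")
    cw.execute("clerk", "transfer", "ledger", ledger, "ops", "payroll", 30)
    out = {"after_ok": dict(ledger.balances)}
    try:  # overdraft: the TP refuses, the monitor rolls back and logs it
        cw.execute("clerk", "transfer", "ledger", ledger, "ops", "payroll", 500)
    except IntegrityViolation:
        pass
    out["after_rollback"] = dict(ledger.balances)
    try:  # no access triple for this user
        cw.execute("intern", "transfer", "ledger", ledger, "ops", "payroll", 1)
    except PermissionError:
        pass
    try:  # the certifier may not be granted execution of the TP it certified
        cw.grant("security-officer", "transfer", "ledger")
        out["sod_enforced"] = False
    except PermissionError:
        out["sod_enforced"] = True
    out["audit"] = [entry[3] for entry in cw.audit]
    return out


if __name__ == "__main__":
    print(demo())
```

The monitor re-runs the IVP after every TP; that is the detective control, and restoring the snapshot is the recovery control the card above refers to.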
Lipner
combines elements of Bell–LaPadula and Biba together with the idea of job functions or roles to protect both confidentiality and integrity.
Two ways of implementing integrity:
Lipner’s first method uses only the Bell–LaPadula model.
Lipner’s second method combines Biba’s integrity model with Bell–LaPadula.
take–grant protection model
uses a directed graph (the protection graph) and its state transitions to design and analyze the protection system.
Created to show that it is possible to decide whether a system is secure even when the number of subjects and objects is large.
The four rules (take, grant, create, and remove) operate on the protection graph, which governs the allowable actions.
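Added example, not part of the original flashcards: a small take–grant simulator in Python. The node names (alice, bob, mallory, secret.txt) are hypothetical. It applies the take and grant rules one step at a time and computes their fixpoint to answer the safety question the model was built for: can a given subject ever acquire a given right?

```python
import copy
from collections import defaultdict


class ProtectionGraph:
    """Directed protection graph: edge (src, dst) carries a set of rights.
    The take right 't' and the grant right 'g' are rights like any other."""

    def __init__(self, subjects):
        self.subjects = set(subjects)   # only subjects can exercise the rules
        self.edges = defaultdict(set)   # (src, dst) -> set of rights

    def add(self, src, dst, rights):
        self.edges[(src, dst)] |= set(rights)

    def create(self, creator, new_node, rights, as_subject=False):
        """Create rule: the creator gets whatever rights it wants on the new node."""
        if as_subject:
            self.subjects.add(new_node)
        self.add(creator, new_node, rights)

    def remove(self, src, dst, rights):
        """Remove rule: a node drops rights from one of its own outgoing edges."""
        self.edges[(src, dst)] -= set(rights)

    def take(self, s, x, y, r):
        """Take rule: s --t--> x and x --r--> y  gives  s --r--> y."""
        if s in self.subjects and "t" in self.edges[(s, x)] and r in self.edges[(x, y)]:
            self.add(s, y, {r})
            return True
        return False

    def grant(self, s, x, y, r):
        """Grant rule: s --g--> x and s --r--> y  gives  x --r--> y."""
        if s in self.subjects and "g" in self.edges[(s, x)] and r in self.edges[(s, y)]:
            self.add(x, y, {r})
            return True
        return False

    def reachable_rights(self):
        """Fixpoint of take and grant over the current graph (no create): every
        edge that could exist after any sequence of those two rules."""
        g = copy.deepcopy(self)
        changed = True
        while changed:
            changed = False
            for s in list(g.subjects):
                for (a, x), rs in list(g.edges.items()):
                    if a != s:
                        continue
                    for (b, y), rs2 in list(g.edges.items()):
                        if "t" in rs and b == x:          # s takes x's rights on y
                            new = rs2 - g.edges[(s, y)]
                            if new:
                                g.edges[(s, y)] |= new
                                changed = True
                        if "g" in rs and b == s:          # s grants x its rights on y
                            new = rs2 - g.edges[(x, y)]
                            if new:
                                g.edges[(x, y)] |= new
                                changed = True
        return {k: frozenset(v) for k, v in g.edges.items() if v}

    def can_acquire(self, s, y, r):
        """Safety question: can subject s ever obtain right r on y?"""
        return r in self.reachable_rights().get((s, y), frozenset())


def demo():
    """Constructed scenario: alice owns secret.txt and may grant rights to bob;
    mallory may take rights from bob. Mallory cannot take anything from bob
    today, but can reach the file once alice grants, so the safety analysis
    says yes until alice's grant edge is removed."""
    g = ProtectionGraph(subjects={"alice", "bob", "mallory"})
    g.create("alice", "secret.txt", {"r", "w"})
    g.add("alice", "bob", {"g"})
    g.add("mallory", "bob", {"t"})
    out = {"take_now": g.take("mallory", "bob", "secret.txt", "r")}        # bob holds nothing yet
    out["mallory_can_read"] = g.can_acquire("mallory", "secret.txt", "r")  # reachable via alice's grant
    g.remove("alice", "bob", {"g"})
    out["mallory_can_read_after_revoke"] = g.can_acquire("mallory", "secret.txt", "r")
    return out


if __name__ == "__main__":
    print(demo())
```

The difference between `take` returning False and `can_acquire` returning True is the whole point of the model: a single snapshot of the graph does not tell you whether a right is safe; the closure under the rules does.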
Graham-Denning Model
concerned with how subjects and objects are created, how subjects are assigned rights or privileges, and how ownership of objects is managed.
It has three parts: objects, subjects, and rules.
Harrison–Ruzzo–Ullman (HRU) model
maps subjects, objects, and access rights to an access matrix. It is considered a variation of the Graham–Denning model.
It differs from Graham–Denning in that subjects can also be treated as objects.
Dedicated mode
One classification label only.
All users can access all data.
Clearance for all information.
Need to know for ALL data.
system high mode
The system contains objects of mixed labels (e.g., confidential, top secret,…).
All subjects must possess a clearance equal to the system’s highest object.
All users can access some data, based on need to know for SOME data.
compartmented mode
All subjects accessing the system have the necessary clearance.
All users can access some data, based on their need to know and approval.
Need to know for SOME data.
Use of information labels.
Objects are placed into “compartments” and require a formal (system-enforced) need to know to access. It uses technical controls to enforce need to know.
Multilevel mode
stores objects of differing sensitivity labels and allows system access by subjects with differing clearances.
The reference monitor mediates access between subjects and objects
The highest risk of all modes.
C1
Discretionary Security Protection
C2
Controlled Access Protection
B1
Labeled Security Protection
B2
Structured Protection
B3
Security domains
A1
Verified design
The equivalent ITSEC/TCSEC ratings are
Lowest E0
Highest E6
- E0: D
- F-C1,E1: C1
- F-C2,E2: C2
- F-B1,E3: B1
- F-B2,E4: B2
- F-B3,E5: B3
- F-B3,E6: A1
Target of evaluation (TOE)
the system or product that is being evaluated.
Security target (ST)
the documentation describing the TOE, including the security requirements and the operational environment.
Protection profile (PP)
An implementation-independent specification of security requirements for a category of products or systems, such as firewalls or intrusion detection systems: a set of functional and assurance requirements that a future product in that category must meet.
Levels of evaluation
- EAL1. Functionally tested
- EAL2. Structurally tested
- EAL3. Methodically tested and checked
- EAL4. Methodically designed, tested, and reviewed
- EAL5. Semi-formally designed and tested
- EAL6. Semi-formally verified, designed, and tested
- EAL7. Formally verified, designed, and tested
What is used to control the flow of information in the Clark-Wilson model?
the access triple rule
user, transformation procedure, and constrained data item.
Which component manages the authorized access associations between users and resources?
security kernel
Which entities control the flow of information in the lattice-based access control (LBAC) model?
An upper bound and a lower bound of authorized access for subjects.
Which two factors ensure that information is compartmentalized in the information flow model?
classification and need to know
What determines the security level that is needed to view an object?
classification
Which system evaluation methods analyze the functionality and assurance of products?
Common Criteria (CC) and Information Technology Security Evaluation Criteria (ITSEC)
Which security model ensures that the activities performed at a higher security level do not affect the activities at a lower security level?
the noninterference model
By implementing this model, the organization can be assured that covert channel communication does not occur
Which Rainbow Series book covers security issues for networks and network components?
the Red Book
Which access control model uses states and state transitions in designing the protection system?
the Take-Grant model
What are the four phases of NIACAP?
National Information Assurance Certification and Accreditation Process
definition, verification, validation, and post accreditation
Simple Object Access Protocol (SOAP)
is a protocol specification for exchanging structured information in the implementation of web services and networked environments.
Threat modeling vs. Vulnerability analysis
Threat modeling identifies potential threats and attack vectors.
Vulnerability analysis identifies weaknesses and lack of countermeasures.
What techniques can be used to enforce process isolation?
virtual memory (each process gets its own address space);
object encapsulation, which treats a process as a “black box”;
time multiplexing, which shares (multiplexes) system resources between multiple processes, each with a dedicated slice of time.
EPROM
can be erased by ultraviolet light
EEPROM
may be “flashed,” or erased and written to multiple times electronically. EEPROM is a modern type of ROM.
To prevent aggregation and inference, we use
cell suppression to hide specific cell that contain information.
Database inference control is
polyinstantiation.
Database aggregation controls may include
restricting normal users to a limited amount of queries.
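Added example (Python with the standard-library sqlite3 module; not from the flashcards) covering the polyinstantiation, cell suppression, and query-limit controls described in the polyinstantiation, inference, and aggregation cards earlier on this page and in the three cards just above. The flights and staff tables and their rows are constructed sample data.

```python
import sqlite3

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def open_db():
    """In-memory database with constructed sample rows (assumed for illustration)."""
    db = sqlite3.connect(":memory:")
    # Polyinstantiated table: the classification label is part of the primary key,
    # so the same flight_id may exist once per level.
    db.execute("CREATE TABLE flights (flight_id TEXT, label TEXT, destination TEXT, "
               "PRIMARY KEY (flight_id, label))")
    db.executemany("INSERT INTO flights VALUES (?,?,?)", [
        ("F100", "secret", "Baghdad"),        # the real row, visible to secret and above
        ("F101", "unclassified", "Lisbon")])
    # Ordinary table behind a statistical (aggregation) interface.
    db.execute("CREATE TABLE staff (name TEXT PRIMARY KEY, dept TEXT, salary INTEGER)")
    db.executemany("INSERT INTO staff VALUES (?,?,?)", [
        ("ana", "ops", 70000), ("ben", "ops", 72000), ("cy", "ops", 65000),
        ("dee", "ops", 80000), ("eve", "legal", 120000)])
    return db


def insert_flight(db, label, flight_id, destination):
    """A low user inserting F100 succeeds instead of hitting a PRIMARY KEY
    conflict; a conflict would let them infer that a higher row exists."""
    db.execute("INSERT INTO flights VALUES (?,?,?)", (flight_id, label, destination))


def plain_insert_conflicts(db):
    """The same insert against a table keyed on flight_id alone: the low user
    gets a PRIMARY KEY error, which tells them a row for F100 already exists."""
    db.execute("CREATE TABLE flights_plain (flight_id TEXT PRIMARY KEY, destination TEXT)")
    db.execute("INSERT INTO flights_plain VALUES ('F100', 'Baghdad')")   # the secret row
    try:
        db.execute("INSERT INTO flights_plain VALUES ('F100', 'Frankfurt')")
        return False
    except sqlite3.IntegrityError:
        return True


def visible_flights(db, clearance):
    """Each flight as seen at `clearance`: among the rows whose label the subject
    dominates, the highest-labeled row wins, so the cover story only shows at low."""
    best = {}
    for fid, label, dest in db.execute("SELECT flight_id, label, destination FROM flights"):
        if LEVELS[label] > LEVELS[clearance]:
            continue
        if fid not in best or LEVELS[label] > LEVELS[best[fid][0]]:
            best[fid] = (label, dest)
    return {fid: dest for fid, (_, dest) in best.items()}


class StatsInterface:
    """Aggregation and inference controls: cell suppression for result sets
    smaller than `min_cell`, and a per-user query quota."""

    def __init__(self, db, min_cell=3, quota=5):
        self.db, self.min_cell, self.quota = db, min_cell, quota
        self.used = {}

    def avg_salary(self, user, dept):
        self.used[user] = self.used.get(user, 0) + 1
        if self.used[user] > self.quota:
            return "quota exceeded"
        n, avg = self.db.execute(
            "SELECT COUNT(*), AVG(salary) FROM staff WHERE dept = ?", (dept,)).fetchone()
        if n < self.min_cell:
            return "suppressed"   # too few rows: the aggregate would identify one person
        return avg


def demo():
    db = open_db()
    insert_flight(db, "unclassified", "F100", "Frankfurt")   # cover story entered by a low user
    out = {"low_view": visible_flights(db, "unclassified"),
           "high_view": visible_flights(db, "secret"),
           "plain_table_leaks": plain_insert_conflicts(db)}
    stats = StatsInterface(db, quota=2)
    out["ops_avg"] = stats.avg_salary("analyst", "ops")       # four rows: answered
    out["legal_avg"] = stats.avg_salary("analyst", "legal")   # one row: suppressed
    out["third_query"] = stats.avg_salary("analyst", "ops")   # over quota
    return out


if __name__ == "__main__":
    print(demo())
```

The legal department has one member, so answering the average would hand over her salary exactly; that is the inference the suppression threshold blocks, and the quota limits how many such probes a single user can string together.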
hotfix
repairs to a computer during its normal operation so that the computer can continue to operate until a permanent repair can be made.
Patches
temporary fixes to a program.
Once more data is known about an issue, a service pack or hotfix may be issued to fix the problem on a larger scale.
A multilevel lattice model
A multilevel lattice model describes strict layers of subjects and objects and defines clear rules that allow or disallow interactions between them based on the layers they are in.
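Added example, not from the flashcards: a reference monitor in Python that evaluates access against a lattice of (level, compartment set) labels. It combines the Bell–LaPadula confidentiality rules with the Biba integrity rules the way the Lipner card above describes for his second method (reduced here to the two lattice checks), computes the least upper and greatest lower bounds of two labels for the lattice-based access control cards, and logs every decision as a security kernel would. Levels, compartments, and subject and object names are hypothetical.

```python
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A point in the lattice: a hierarchical level plus a set of compartments."""
    level: str
    compartments: frozenset

    def dominates(self, other):
        """Partial order: higher-or-equal level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def lub(a, b):
    """Least upper bound (join): the smallest label dominating both."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def glb(a, b):
    """Greatest lower bound (meet): the largest label both dominate."""
    level = a.level if LEVELS[a.level] <= LEVELS[b.level] else b.level
    return Label(level, a.compartments & b.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label   # confidentiality label (Bell–LaPadula)
    integrity: int     # integrity level (Biba); higher means more trusted


@dataclass
class ProtectedObject:
    name: str
    label: Label
    integrity: int


class ReferenceMonitor:
    """Mediates every access and records the decision."""

    def __init__(self):
        self.log = []

    def decide(self, subj, obj, op):
        if op == "read":
            ok = subj.clearance.dominates(obj.label)      # BLP simple security: no read up
            ok = ok and subj.integrity <= obj.integrity   # Biba simple integrity: no read down
        elif op == "write":
            ok = obj.label.dominates(subj.clearance)      # BLP *-property: no write down
            ok = ok and subj.integrity >= obj.integrity   # Biba *-integrity: no write up
        else:
            ok = False
        self.log.append((subj.name, op, obj.name, ok))
        return ok


def demo():
    """Constructed scenario with hypothetical labels; returns the decisions."""
    rm = ReferenceMonitor()
    nuclear = frozenset({"nuclear"})
    analyst = Subject("analyst", Label("secret", nuclear), integrity=1)
    plan = ProtectedObject("war-plan", Label("top secret", nuclear), integrity=1)
    memo = ProtectedObject("memo", Label("confidential", frozenset()), integrity=1)
    notes = ProtectedObject("notes", Label("secret", nuclear), integrity=1)
    syslog = ProtectedObject("syslog", Label("secret", nuclear), integrity=3)  # system-owned
    return {
        "read_up": rm.decide(analyst, plan, "read"),         # denied by BLP
        "read_down": rm.decide(analyst, memo, "read"),       # allowed
        "write_down": rm.decide(analyst, memo, "write"),     # denied by BLP *-property
        "write_same": rm.decide(analyst, notes, "write"),    # allowed
        "write_trusted": rm.decide(analyst, syslog, "write"),  # BLP allows, Biba denies
        "lub": lub(Label("secret", nuclear), Label("confidential", frozenset({"crypto"}))),
        "glb": glb(Label("secret", nuclear), Label("confidential", frozenset({"crypto"}))),
        "decisions_logged": len(rm.log),
    }


if __name__ == "__main__":
    print(demo())
```

The syslog case is the one BLP alone gets wrong: the analyst is cleared to read and write at secret/nuclear, yet must not be able to alter a system-integrity log, which is exactly the gap the Bell–LaPadula weakness card and the Lipner card point at.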
What is the purpose of ring protection?
used to control interactions between different execution domains that have different levels of privilege; a less privileged ring can only enter a more privileged one through a defined interface (an API such as a system call).
What is pipelining?
combines multiple steps into one combined process, allowing simultaneous fetch, decode, execute, and write steps for different instructions.
What is a pipeline stage?
each step in the pipeline (fetch, decode, execute, write) is called a pipeline stage
What is pipeline depth?
is the number of simultaneous pipeline stages that may be completed at once.
A CPU without pipelining would have to wait an entire cycle before performing another computation.
To ensure that integrity is attained, the following three integrity goals must be met:
1) Data is protected from modification by unauthorized users;
2) Data is protected from unauthorized modification by authorized users by implementing separation of duties, which divides an operation into different parts and requires different users to perform each part.
3) Data is internally and externally consistent.