Security models Flashcards

1
Q

Trusted Computing Base (TCB)

A

hardware, software and controls that work together to enforce security policies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Reference Montitor

A

Part of TCP verifies all access between subjects and objects.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

State Machine Model

A

System that is always secure regardless of what state it’s in

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

information flow model

A

based on controlling flow of information between different levels of security

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Noninterference model

A

Concerned with preventing subjects at higher security level interfering with a subject at a lower level.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Take-grant model

A

Controls how rights can be passed from one subject to another or to an object. Uses a directed graph visualize this.

Includes following rights:
Take
Grant
Create
Delete

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Access control matrix

A

Table of subjects and objects showing what each subject can do to each object. Each column is an access control list showing for a given object. Each row is a subject.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Bell-LaPadula Model

A

Designed to support DoD multi-level security policies. Focused only on confidentiality. Also lattice based. Also based on the state machine model. Also a type of mandatory access control.

Simple Security Property: No read up.
Star Property: No write down

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Biba model

A

Focused on integrity and not confidentiality. Multilevel model built on information flow model. Opposite of the Bell-LaPadula Model.

Simple Security Property: No read down
Star Property: No write up

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Clark-Wilson Model

A

Uses a security triplet: Subject/Program/object. It enforces segregation of duties and is commonly used in commercial applications. Mostly focused on data integrity but can also cover confidentiality. Uses following items:

Constrained data items
Unconstrained data item
Integrity Verification Procedure
Transformation Procedure

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Brewer Nash Model

A

Used with databases. Dynamically changes access based on previous actions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Goguen–Meseguer Model

A

An integrity model. The basis for noninterference models. Based on creating domain or set of objects a subject can access. Subjects are grouped by domain. Similar subjects are grouped into domains. Domains can’t interfere with each other.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Sutherland Model

A

Integrity model. Uses noninterference to enforce integrity. I defines sets of secure systems states.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Graham–Denning Model

A

Focuses on the secure creation of subjects and objects using 8 protection rules. Securely create/delete subjects and objects. Securely provide read, grant, delete and transfer rights.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Harrison–Ruzzo–Ullman Model

A

focuses on the assignment of object access rights to subjects as well as the resilience of those assigned rights. It is an extension of the Graham–Denning model.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Common Criteria

A

Defines 7 levels of test/verification of a systems security.

17
Q

Common Criterial Protection Profile

A

Security Requirements

18
Q

Common Criterial Security Targets

A

What a vendor says are the security capabilities of a product/service.

19
Q

Common Criteria Evaluation Assurance Levels

A

7 levels of verification of product or service security capabilities. Testing that verifies the security targets.

EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodically tested
EAL4: Methodically designed, tested and reviewed
EAL5: Semi formally designed and tested
EAL6: Semi formally verified, designed and tested
EAL7: Formally verified, designed and tested

20
Q

Common Criteria TOE

A

Target of Evaluation