Architecture and Design 3
Complete list of Terms and Definitions for Architecture and Design 3

Terms Definitions
Common Criteria ISO/IEC 15408.
C1 discretionary security protection: requires separation of users and information, and identification and authorization of individual entities; must supply a protected execution domain and have a way to validate the system's operational integrity
Ring 0 Operating System Kernel
Certification Certification is the technical evaluation of security components within a product. Normally performed by an independent reviewer. {371-372 - Slides 71-73}
b1 labeled security, mandatory access control is enforced by the use of security labels
Multitasking Multitasking involves sharing the processor among all ready processes
Ring 3 Applications and user activity
Accreditation Formal acceptance of a product's overall security by management. Authorizes operation of the system. Based on specific conditions. {pp 371-372 - Slides 71-73}
psw holds condition bits which indicate the mode the CPU should be working in
process isolation a requirement for preemptive multitasking; it makes sure that processes cannot communicate in an insecure manner. If one process hangs, it will not affect the others
The Bell-LaPadula model Subjects and Objects are assigned labels.
What does the Clark-Wilson security model focus on? Integrity
Orange Book Developed by DOD. Stand-alone mode. TCSEC. Based on Bell-LaPadula model (confidentiality but not integrity or availability)
E0-E6 Rating for assurance ITSEC. E0 is lowest, E6 is highest.
dominance a subject can only perform an operation if the access class of the subject ____ the access class of the object.
trusted path a communication channel between the user or program and the TCB kernel. The TCB ensures this channel cannot be compromised in any way - via a trusted shell
ds-property (Bell-LaPadula): specifies that specific permissions allow a subject to pass on permissions at its own discretion. These permissions are stored in an access matrix. (Its purpose is to allow an OS to be MAC or DAC)
address bus the hardwired connection between the CPU and RAM (data travels via the data bus)
invocation property (Biba model): a subject cannot request service from (invoke) subjects of higher integrity. Dictates how one subject can communicate with and initialize other subjects at run time
Protection Rings Support The Availability, Integrity and confidentiality requirements of multitasking operating systems
What is the Biba security model concerned with? Integrity
What is called the formal acceptance of the adequacy of a system's overall security by management? Accreditation
Which access control model was proposed for enforcing access control in government and military applications? Bell-LaPadula model
The Biba Model Developed after the Bell-LaPadula model. It's a state machine model and is very similar to the Bell-LaPadula Model.
Which is best defined as an administrative declaration by a designated authority that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards? Accreditation
Which evaluation class of the Trusted Network Interpretation (TNI) offers controlled access protection? C2
The Indexed memory addresses that software uses are referred to as Logical addresses
Which Orange Book evaluation level is described as "Discretionary Security Protection"? C1
Covert Channels Sending info in an unauthorized manner using a medium in an unintended way. Two types: Timing and Storage {pp 345-346 - Slide 77}
virtualization adds a layer between an OS and the underlying computer hardware. A guest is executed in the host environment; it does not directly access resources, but instead communicates with the host environment, which is responsible for managing system resources. Two kinds: transparent virtualization (runs a stock OS) and paravirtualization (a special OS with a modified kernel)
reference monitor an abstract machine that mediates all access subjects have to objects, both to ensure the necessary access rights and to protect the objects from unauthorized access (contains the rules for access to a system)
access matrix a table that defines what access permissions exist between specific subjects and objects. Acts as a table lookup for the operating system
goals of memory management provide abstraction (details are hidden), maximize performance, protect the operating system and the applications loaded in memory
A Limit Register (Memory Management) Contains the ending address
The hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept. The security kernel
Orange Book - B2 This class ("Structured Protection") requires more stringent authentication mechanisms and well-defined interfaces between layers. Subjects and devices require labels and the system must not allow covert channels.
The Physical memory addresses that the CPU uses are called Absolute addresses.
information flow model describes how information may flow in a secure system. Data are thought of as being held in individual and discrete compartments. In Bell-LaPadula these compartments are based on security levels; in Biba they are based on integrity levels. Compartmentalized based on two factors: classifications and categories. In order for access to occur, clearance must dominate classification and the subject's security profile must have one of the categories listed in the object's label (enforces need to know)
preemptive multitasking system can suspend a process that is using the CPU and allow another process access to it through the use of time sharing
interrupt vector a table of all I/O devices connected to the CPU (I/O devices can be block devices, such as a disk drive, or character devices, which handle streams of characters, such as a printer, NIC, mouse, etc.)
Graham-Denning Bell-LaPadula and Biba do not define how security and integrity ratings are defined or modified, nor do they provide a way to delegate or transfer access rights. This model defines a set of basic rights in terms of commands that a subject can execute on an object. Has 8 primitive protection rights (rules): how to securely create an object/subject, how to securely delete an object/subject, and how to securely provide the read/grant/delete/transfer of access rights
Swap Space The Reserved hard drive space used to extend RAM capabilities.
The Biba Model addresses The Integrity of data within applications.
The operational assurance requirements specified in the Orange Book are: System architecture, System integrity, Covert channel analysis, Trusted facility management and Trusted recovery.
If an operating system permits executable objects to be used sequentially by multiple users without a refresh of the objects, what security problem is most likely to exist? Disclosure of residual data
As per the FDA, data should be Attributable, original, accurate, contemporaneous and legible.
Define Trusted facility management The assignment of a specific individual to administer the security-related functions of a system.
Which is an ISO standard product evaluation criteria that supersedes several different criteria? The Common Criteria
Includes the security kernel as well as other security-related system functions that are within the boundary of the trusted computing base. System elements that are outside of the security perimeter need not be trusted. The security perimeter
Solution to Rainbow Series and ITSEC ISO/IEC 15408 - Common Criteria
state machine model dictates that a model should start up securely, carry out secure transactions, and fail securely. If something is deemed unsafe, it should change to a more secure state for self-preservation and protection (alterations to a state are referred to as state transitions)
difference between A and B3 the overall design can be verified, and this extends to the delivery of the system
components of Common Criteria protection profile (description of a needed security solution); target of evaluation (product proposed to provide a needed security solution); security target (vendor's written explanation of the security functionality and assurance mechanisms); packages (EALs)
return pointer part of the stack; indicates where to send the results of all the instructions
simple integrity axiom a subject cannot read data from a lower integrity level, (no read down)
The National Computer Security Center (NCSC), an organization within the National Security Agency (NSA), is responsible for Evaluating computer systems and products. The Trusted Product Evaluation Program (TPEP) oversees the testing by approved entities of commercial products against a specific set of criteria.
Orange Book - B1 B1 is also called "Labeled Security" and each data object must have a classification label and each subject a clearance label. On each access attempt, the classification and clearance are checked to verify that the access is permissible.
The Trusted Computing Base (TCB) is defined as The total (sum) combination of protection mechanisms within a computer system. The TCB includes hardware, software, and firmware.
B1 - Labeled Security Each data object must contain a classification label and each subject must have a clearance label.
Which integrity model defines a constrained data item, an integrity verification procedure and a transformation procedure? The Clark Wilson integrity model
The Security Kernel Mediates all access and Functions between subjects and objects.
A set of objects that a subject is able to access A Domain
The Orange book does NOT Cover Networks and Communications. And Database management systems
The Bell-LaPadula Model is a State machine model that enforces Confidentiality aspect of access control.
Programmable Read-Only Memory (PROM) is a form of ROM (Read-Only Memory) that can be modified after it has been manufactured. PROM can be programmed only one time.
Erasable and Programmable Read-Only Memory (EPROM) is a form of ROM that Can be erased, modified and upgraded.
Direct addressing is When a portion of primary memory is accessed by specifying the actual address of the memory location
Certification is a Technical review that assesses the security mechanisms and evaluates their effectiveness, whereas Accreditation is management's Official acceptance of the information in the Certification process findings.
dedicated security mode all users have a clearance for and a formal need to know about all data processed within the system. Ex: contains objects with one classification label only, and all subjects must possess a clearance equal to the system's highest object
The Tranquility principle (The Bell-LaPadula Model) Means that Subjects and Objects cannot change their security levels once they have been instantiated (created)
Primary storage refers to the combination of RAM, Cache and the Processor Registers
Configuration management is also defined in the Orange Book BUT As a Life Cycle Assurance Requirement and NOT an operational assurance requirement.
In the Bell-LaPadula Model the Subject's Label contains Its Clearance Label (Top Secret, Secret, or Confidential)
Division B - Mandatory Protection Mandatory access control is enforced by the use of security labels.
Components considered as part of the Trusted Computing Base (from the Orange Book) are? Trusted hardware, Software and Firmware
Bell-LaPadula - Discretionary Security Property (ds-property). This rule is based on named subjects and objects. It specifies that specific permissions allow a subject to pass on permissions at its own discretion. These permissions are stored in an access matrix
A domain of trust that shares a single security policy and single management A security domain
All Mandatory Access Control (MAC) systems are based on which Model? The Bell-LaPadula model, because it allows for multilevel security to be integrated into the code.
TP, CDI, UDI, IVP a TP is a well-formed transaction and a constrained data item is data that requires integrity. Unconstrained data items are data that do not require integrity. Assurance is based upon the integrity verification procedures that ensure that data are kept in a valid state (protects integrity)
Why do buffer overflows happen? Because input data is not checked for appropriate length at time of input
C2 - Controlled Access Protection The object reuse concept must also be invoked, meaning that any medium holding data must not contain any remnants of information after it is released for another subject to use. All data must be efficiently erased once the subject is done with the medium
Electrically Erasable and Programmable Read-Only Memory (EEPROM) Is similar to EPROM, but its data storage can be erased and modified electrically by onboard programming circuitry and signals.
In both the Bell-LaPadula and Biba Models, if the word "*" or "Star" is used, The Rule is talking about writing
The Bell-LaPadula Model's main goal was to Prevent secret information from being accessed in an unauthorized manner. (Developed by the US gov)
Trusted facility management is an assurance requirement only for Highly secure systems (B2, B3 and A1).
The following Models are concerned with integrity The Biba model (introduced in 1977), The Sutherland model (published in 1986), The Brewer-Nash model (published in 1989)
What is necessary for a subject to have write access to an object in a Multi-Level Security Policy? The subject's sensitivity label must be dominated by the object's sensitivity label
The Monolithic Operating system Architecture is commonly referred to as The Big Mess Because of its lack of structure. MS-DOS is an example of a monolithic operating system
In a C2 - Controlled Access Protection environment Users are trusted but a certain level of accountability is required. Overall, C2 is seen as the most reasonable class for commercial applications, but the level of protection is still relatively weak.
What is referred to as an "Execution Domain"? A process that resides in a privileged domain to be able to execute its instructions and process its data with the assurance that programs in a different domain can NOT negatively affect its environment.