Term
| What is important about the program status word (PSW)? |
|
Definition
| The PSW sets a bit that indicates to the CPU whether an instruction should run in user mode (also called problem state) or privileged mode (also called kernel or supervisor mode). |
|
|
Term
|
Definition
| The computer has more than one CPU |
|
|
Term
| What is multiprogramming? |
|
Definition
| An operating system can load more than one program in memory at a time. |
|
|
Term
|
Definition
| An application has the ability to run multiple threads simultaneously. |
|
|
Term
| What are the two modes of multiprocessing? |
|
Definition
Symmetric mode - the processors are handed work as needed. Think load balancing.
Asymmetric mode - at least one processor is dedicated solely to a specific task or application.
|
|
|
Term
|
Definition
| A set of instructions that is actually running. It is the collection of instructions and assigned resources. |
|
|
Term
|
Definition
| An operating system can handle requests from several different processes loaded into memory at the same time. |
|
|
Term
| What are the two types of multitasking? |
|
Definition
Cooperative multitasking - required processes to voluntarily release the resources they were using.
Preemptive multitasking - the operating system controls how long a process can use a resource (time sharing).
|
|
|
Term
| What does it mean when a process is in the "running state"? |
|
Definition
| The CPU is executing its instructions and data. |
|
|
Term
| What does it mean when a process is in the "ready state"? |
|
Definition
| It is waiting to send instructions to the CPU. |
|
|
Term
| What state is a process in when waiting for input data? |
|
Definition
| A process waiting for input data is in the "blocked state". |
|
|
Term
| How does a process know when it can communicate with the CPU? |
|
Definition
| Though the use of interrupts. |
|
|
Term
| What are absolute addresses? |
|
Definition
| The physical memory addresses used by the CPU. |
|
|
Term
| What are logical addresses? |
|
Definition
| The indexed memory addresses used by software. |
|
|
Term
| What are relative addresses? |
|
Definition
| Relative addresses are based on a known address with an offset value applied. |
|
|
Term
| What is a memory manager? |
|
Definition
| Maps logical addresses (software) to physical addresses (CPU). |
|
|
Term
| What is a memory leak and why is it a concern? |
|
Definition
| A memory leak occurs when an application fails to indicate to the system its memory segment is no longer in use. It is a concern because it could lead to a Denial of Service. |
|
|
Term
| What are two countermeasures that protect against memory leaks? |
|
Definition
Develop better code that releases memory properly.
Use a garbage collector program that identifies unused memory and forces its release.
|
|
|
Term
|
Definition
A combination of RAM and the use of secondary (nonvolatile) storage like the computer's hard drive, external drives or CD-ROMs.
|
|
|
Term
| What is the danger with virtual memory? |
|
Definition
| If the secondary storage is not properly wiped after use, it could reveal sensitive information. |
|
|
Term
| What are protection rings? |
|
Definition
| Protection rings provide strict boundaries and definitions for what the processes that work within each ring can access and what operations they can successfully execute. Think kernel mode (privileged or supervisor) vs. user mode. |
|
|
Term
| What are the different Execution Domains? |
|
Definition
- Ring 0 - Operating system kernel
- Ring 1 - Remainder of OS
- Ring 2 - Drivers/utilities
- Ring 3 - Apps/software and user activity
|
|
|
Term
| What is the difference between an execution domain and a protection ring? |
|
Definition
| They are both essentially the same. The execution domain is directly correlated to the protection ring. The lower the protection ring number, the higher privilege and the larger the domain (The OS kernel has more available resources than applications). |
|
|
Term
| How are layering and data hiding related? |
|
Definition
They are terms used when talking about protection mechanisms for OSs. Processes can only exchange data through well-defined APIs). No API interface = no communication between layers/programs.
|
|
|
Term
|
Definition
| Trusted Computing Base is defined as the total of all protection mechanisms within a computer system. It includes hardware, software and firmware. |
|
|
Term
| Where does TCB originate? |
|
Definition
|
|
Term
| What does the TCB address? |
|
Definition
| The level of trust a system provides, in a security sense. |
|
|
Term
|
Definition
A communication channel between a program or a user and the kernel. |
|
|
Term
|
Definition
The code in it cannot bust out of it and no other process can bust in |
|
|
Term
| What is the security perimeter? |
|
Definition
| An imaginary boundary that divides the trusted from the untrusted. |
|
|
Term
| What is the security kernel? |
|
Definition
| It is made up of all the components that fall within the TCB (hardware, software and firmware). It implements and enforces the reference monitor's concepts - access mediation of all subjects to objects in the system (avoid unauthorized and destructive access as well as allow authorized access) |
|
|
Term
| What is the reference monitor? |
|
Definition
| An abstract machine that ensures all subjects have the necessary access rights before accessing objects. |
|
|
Term
| What are the main requirements of the security kernel? |
|
Definition
1. It must provide isolation for the tamperproof processes.
2. It must be invoked for every access attempt and be impossible to circumvent.
3. It must be small enough to be completely and comprehensively tested and verified. |
|
|
Term
| In terms of security architecture, what is a security policy? |
|
Definition
| A set of rules and practices that dictates how sensitive information and resources are managed, protected and distributed. It expresses exactly what the security level should be by setting the goals of what the security mechanisms are supposed to accomplish. |
|
|
Term
| What is a multilevel security policy? |
|
Definition
One that prevents information from flowing from a higher security level to a lower one.
|
|
|
Term
| What is the concept of least privilege as it pertains to security architecture? |
|
Definition
| A process will have no more privileges than necessary to be able to fulfill its functions. |
|
|
Term
| What is the relationship between a security policy and a security model? |
|
Definition
| A security policy provides abstract goals while a security model provides the do's and don'ts necessary to fulfill those goals. |
|
|
Term
Of the following security models, which one is informal and used more as a framework?
Bell-LaPadula
Biba
Clark-Wilson |
|
Definition
|
|
Term
| What is the state machine model? |
|
Definition
|
It is used to describe the behavior of a system to different inputs. It will ensure the system that uses this model will be in a secure state at all times – boot up, command execution, shut down and even failing! Such a system will only allow a change of state after (a) authorization is checked and (b) consequence of this change (still secure state after change?) is checked - think conditional statements "if condition then update".
|
|
|
Term
| What is it called when activities can alter the state of a system? |
|
Definition
|
|
Term
| What is the name of the first mathmatical security model? |
|
Definition
|
|
Term
| What part(s) of the CIA triad does the Bell-LaPadula model enforce? |
|
Definition
|
|
Term
| On what type of access control is Bell-LaPadula based? |
|
Definition
| MAC (Mandatory Access Control) |
|
|
Term
| In access control terms, what does the word dominate mean? |
|
Definition
|
|
Term
| What rule states that a subject cannot read data at a higher security level? |
|
Definition
|
|
Term
| What rule states that a subject cannot write information to a lower security level? |
|
Definition
| *-property rule (star property) |
|
|
Term
| What rule states that a subject with read/write capabilities can only do so at the same security level? |
|
Definition
| strong star property rule |
|
|
Term
| What is the *-integrity (star integrity) axiom? |
|
Definition
A subject cannot write data to an object with a higher integrity level.
|
|
|
Term
| What is the simple integrity axiom? |
|
Definition
| A subject cannot read data from a lower integrity level. |
|
|
Term
| What is the invocation property? |
|
Definition
| A subject cannot request service (invoke) to subjects of higher integrity. |
|
|
Term
| Which goal of integrity models does Biba address? |
|
Definition
| The first goal - prevent unauthorized users from making modifications |
|
|
Term
| What are the main goals of integrity models? |
|
Definition
1. Prevent unauthorized users from making modifications.
2. Prevent authorized users from making improper modifications.
3. Maintain internal and external consistency. |
|
|
Term
| What elements make up the Clark-Wilson Model? |
|
Definition
Users (subjects)
Transformation procedures (TPs)
Constrained data items (CDIs)
Unconstrained data item s (UDIs)
Integrity verification procedures (IVPs) |
|
|
Term
|
Definition
| Transformation procedures are programmed abstract operations, such as read, write, and modify. It can also be refered to as the software that authenticates a user and then carries out the operation on behalf of the user. |
|
|
Term
|
Definition
| Constrained data items can be manipulated only by TPs. Users are not allowed to modify CDIs directly. |
|
|
Term
|
Definition
| A user (subject) cannot modify an object (CDI) without using a program (TP). |
|
|
Term
|
Definition
| Unconstrained data items do not require as high a level of protection as CDIs and thus can be directly manipulated by the user or subject. |
|
|
Term
|
Definition
| Integrity verification procedures ensure that all critical data follow the application's defined integrity rules. IVPs check that the data remains consistent after a change is applied. |
|
|
Term
| Using TPs to modify CDIs is called what? |
|
Definition
| A well-formed transaction. |
|
|
Term
| What is a requirement within software running under the Clark-Wilson model? |
|
Definition
|
|
Term
| What is the Access Control Matrix Model? |
|
Definition
| A security model in which access decisions are based on object's ACLs and subjects' capability tables. |
|
|
Term
| What is the Information Flow Model? |
|
Definition
| A model in which information is not restricted in its flow to only go to and from entities in a way which does not negate the security policy. |
|
|
Term
| What is the Noninterference Model? |
|
Definition
| A model that states that commands and activities performed at one security level should be be seen by, or affect, subjects or objects at a different security level. |
|
|
Term
| What is the Brewer and Nash Model? |
|
Definition
| This model is also called the Chinese Wall model. It was created to protect against conflicts of interest by users' access attempts. The model was created by Microsoft to fix the conflict of interest between the Office Suite and Operating System development teams. |
|
|
Term
| What is the Graham-Denning Model? |
|
Definition
| A model that shows how subjects and objects should be created and deleted. It also addresses how to assign specific access rights. |
|
|
Term
| What is the Lattice model? |
|
Definition
A model that protects confidentiality by defining upper and lower bounds of access (need to know) in a MAC based, clearance based approach.
For example based on your clearance your least upper bound may allow you to read a file, your greatest lower bound may NOT allow you to write to it. |
|
|
Term
| What is the Take-Grant model? |
|
Definition
| A model that implements a directed graph of how a subject can grant and take ownership of objects. |
|
|
Term
| Security modes are used in which type of system? |
|
Definition
| Mandatory access control (MAC) |
|
|
Term
| What should be considered when determining the mode of an operating system? |
|
Definition
The types of users directly or indirectly connection to the system.
The type of data (classification levels, compartments, and categories) processed on the system.
The clearance levels, need to know, and formal access approvals the users will have. |
|
|
Term
| What is dedicated security mode? |
|
Definition
| All users have a clearance for, and a formal need to know about, all data process within the system. This mode deals with only one level of data classification and ALL users must have this level of clearance to access the system. |
|
|
Term
| What is system high-security mode? |
|
Definition
| When all users have a security clearance to access the information but may not have a need to know for all the information processed on the system. |
|
|
Term
| What is compartmented security mode? |
|
Definition
| All users have the clearance to access all information processed by the system but may be restricted from accessing some information because they do not need to know it to perform the functions of their jobs. Compartments are categories of data with a limited number of subjects cleared to access data at each level. |
|
|
Term
| What is a Compartmented Mode Workstation (CPW) |
|
Definition
| It enable users to process multiple compartments of data at the same time if they have the necessary clearance. |
|
|
Term
| What is multilevel security mode? |
|
Definition
This mode permits two or more classification levels of information to be processed at the same time when not all of the users have the clearance or formal approval to access all the information being processed by the system.
The user cannot access all the data on the system, only what they are cleared to access.
|
|
|
Term
| What is the difference between compartmented security and multilevel security? |
|
Definition
Compartmented security requires the user to have a clearance level that dominates all data on the system.
Multilevel security only requires the user to have clearance to access the data with which they will be working. |
|
|
Term
| Which security model is an example of multilevel security? |
|
Definition
|
|
Term
| What does TCSEC stand for? |
|
Definition
| Trusted Computer System Evaluation Criteria |
|
|
Term
| Which document contains the published criteria of the TCSEC? |
|
Definition
|
|
Term
| What are the divisions of assurance levels provided for in the TCSEC? |
|
Definition
A. Verified protection - the highest level of assurance
B. Mandatory protection
C. Discretionary protection
D. Minimal security - lowest level of assurance. Systems that are rated at this level have failed to meet the criteria for the higher divisions |
|
|
Term
| What topics are included in the criteria for an Orange Book evaluation? |
|
Definition
Security policy - must be explicit, well defined and enforced
Identification - Subjects must be uniquely identified
Labels - Access control labels must be associated properly with objects
Documentation - Must be provided (test, design and spec docs, user guides and manuals)
Accountability - Audit data must be captured
Life-cycle assurance - software, hardware and firmware must be able to be tested individually
Continuous protection - security mechanisms and the whole system must perform predictably, acceptably and continuously.
|
|
|
Term
| What are the two assurance ratings that fall under Division C of the Orange Book? |
|
Definition
C1 - Discretionary Security Protection - access control is based on individuals and/or groups.
C2 - Controlled Access Protection (higher rating than C1) - Logical access control mechanisms. Object reuse must also be invoked. |
|
|
Term
| What are the assurance ratings that fall under Division B of the Orange Book? |
|
Definition
B1 - Labeled Security - data objects must contain a classification label and each subject must have a clearance level.
B2 - Structured Protection - system must not allow covert channels. A trusted path must exist for logon and authentication processes. Operator and administration functions are separated within the system for more trusted and protected operational functionality.
B3 - Security Domains - more grainular protection mechanisms and unecessary code is removed. The reference monitor plays a key role in this raiting. |
|
|
Term
| What is the main difference between a rating of A1 and B3? |
|
Definition
| A1 rated systems have gone through a formal review process and more stringent change configuration is put in place. |
|
|
Term
| What replaced the TCSEC as a evaluation methodology/standard? |
|
Definition
|
|
Term
| What is the Information Technology Security Evaluation Criteria (ITSEC)? |
|
Definition
| It was the first attempt at establishing a single standard for evaluating security atributes of systems and products by many European countries. |
|
|
Term
| What is the difference between the rating systems of TCSEC and ITSEC? |
|
Definition
| ITSEC evaluates and system's functionality and assurance mechanisms individually, providing a different rating for each. TCSEC puts functionality and assurance together under one rating. |
|
|
Term
| How is functionality viewed under ITSEC? |
|
Definition
| In terms of the system's security objectives, functions and mechanisms. |
|
|
Term
| How is assurance viewed under ITSEC? |
|
Definition
| The correctness and effectiveness of the security mechanisms and functionality. |
|
|
Term
| Which evaluation standard is mostly used today? |
|
Definition
| ISO 15408 - "Common Criteria" |
|
|
Term
| What is the Common Criteria? |
|
Definition
| An international standard for evaluation comprised of pieces of TCSEC, ITSEC, Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) and the Federal Criteria). |
|
|
Term
| What rating levels make up the Common Criteria? |
|
Definition
EAL1 - Functionally tested
EAL2 - Structurally tested
EAL3 - Methodically tested and checked
EAL4 - Methodically designed, tested and reviewed
EAL5 - Semiformally designed and tested
EAL6 - Semiformally verified design and tested
EAL7 - Formally verified design and tested |
|
|
Term
| What does the Common Criteria use in its evaluation process? |
|
Definition
| Protection profiles and security targets. |
|
|
Term
| What are protection profiles? |
|
Definition
| mechanisms used to describe real-world needs of a product not currently available on the market. |
|
|
Term
| What are security targets? |
|
Definition
| Vendor's written explaination of the security functionality and assurance mechanisms that meet a needed security solution. "This is what our product does and how it does it." |
|
|
Term
|
Definition
| The comprehensive technical evaluation of the security components and their compliance for the purpose of accreditation. |
|
|
Term
| What is the goal of certification? |
|
Definition
| Ensure a system, product or network is right for the customer's purposes. |
|
|
Term
|
Definition
| The formal acceptance of the adequacy of a system's overall security and functionalty by management. |
|
|
Term
| What are covert channels? |
|
Definition
| Ways for a subject to access information in an unauthorized manner. They are used to bypass the information flow of the security model. |
|
|
Term
| What are some types of covert channels? |
|
Definition
Storage - processes are able to communicate through some type of storage space on the system.
Timing - processes are able to relay information by modulating its use of system resources. |
|
|
Term
| What can a user do to counter covert channels? |
|
Definition
| Not much. Covert channels must be addressed when the system is constructed and developed. |
|
|
Term
| What are maintenance hooks? |
|
Definition
| A type of backdoor that the programmer left for easy access to the code. |
|
|
Term
| What can be done to counter maintenance hooks? |
|
Definition
| The developer/programmer needs to remove these prior to the software/program goes into production. Because this does not always happen, quality assurance testing should be mindful of the existance of backdoors. Users can further help protect themselves against backdoors by using HIDS, file system encryption and implementing auditing. |
|
|
Term
| What are Time-of-Check/Time-of-Use (TOC/TOU) attacks? |
|
Definition
These deal with the sequence steps systems use to complete tasks. It takes advantage of the dependency on the timing of events in multitasking operating systems.
Example: If an attacker can get in between the authentication and the open of a file and exchange the non-critical file that is opened with a sensitive one, he is able to view the protected content. |
|
|
Term
| What is another name for TOC/TOU? |
|
Definition
|
|
Term
| What is a race condition? |
|
Definition
When multiple processes compete for the same resource.
Example: If an attacker disturbs the order successfully, he/she could be authorized before authenticated. |
|
|
Term
| What can be done to avoid asynchronous attacks? |
|
Definition
The operating system should apply software locks to the items it will use while carrying out its "checking" tasks.
|
|
|
Term
| What is a buffer overflow? |
|
Definition
| When too much data are accepted as input to an application/operating system. |
|
|
Term
| When attempting to execute a buffer overflow, what are some common commands an attacker would use to craft the attack? |
|
Definition
| x90, NOP, NOOP. All of these indicate a "no operation" command and are used to help fill the memory stack and cause the overflow. |
|
|
Term
| What is the best countermeasure for protecting against buffer overflows? |
|
Definition
Proper programming that includes bounds checking (input validation).
|
|
|
