CHAPTER 4_Security Architecture and Design Flashcards

Question 1

Q

Bullets: Stack

Answer

A

Memory segment used by processes to communicate instructions and data to each other.

Question 2

Q

Bullets: Packages—EALs

Answer

A

Functional and assurance requirements are bundled into packages for reuse. This component describes what must be met to achieve specific EAL ratings.

Question 3

Q

Bullets: The *-property rule

Answer

A

A subject cannot write to an object at a lower security level (no write down).

Question 4

Q

Bullets: Rationale

Answer

A

Justifies the profile and gives a more detailed description of the real-world problem to be solved. The environment, usage assumptions, and threats are illustrated along with guidance on the security policies that can be supported by products and systems that conform to this profile.

Question 5

Q

Bullets: Noninterference model

Answer

A

This formal multilevel security model states that commands and activities performed at one security level should not be seen by, or affect, subjects or objects at a different security level.

Question 6

Q

Bullets: Unconstrained data items (UDIs)

Answer

A

Can be manipulated by users via primitive read and write operations

Question 7

Q

Bullets: Transformation procedures (TPs)

Answer

A

Programmed abstract operations, such as read, write, and modify

Question 8

Q

Emphasis: Isn’t the Orange Book Dead?

Answer

A

Isn’t the Orange Book Dead?We have moved from the Orange Book to the Common Criteria in the industry, so a common question is, “Why do I have to study this Orange Book stuff?” The Orange Book was the first evaluation criteria and was used for 20 years. Many of the basic terms and concepts that have carried through originated in the Orange Book. And we still have several products with these ratings that eventually will go through the Common Criteria evaluation process.

Question 9

Q

Explanations: Clark-Wilson Model

Answer

A

The Clark-Wilson model was developed after Biba and takes some different approaches to protecting the integrity of information. This model uses the following elements:

Question 10

Q

Emphasis: Bell-LaPadula vs. Biba

Answer

A

Bell-LaPadula vs. BibaThe Bell-LaPadula model is used to provide confidentiality. The Biba model is used to provide integrity. The Bell-LaPadula and Biba models are informational flow models because they are most concerned about data flowing from one level to another. Bell-LaPadula uses security levels, and Biba uses integrity levels. It is important for CISSP test takers to know the rules of Biba and Bell-LaPadula. Their rules sound similar: simple and * rules—one writing one way and one reading another way. A tip for how to remember them is that if the word “simple” is used, the rule is talking about reading. If the rule uses * or “star,” it is talking about writing. So now you just need to remember the reading and writing directions per model.

Question 11

Q

Bullets: Monolithic

Answer

A

All operating system processes run in kernel mode.

Question 12

Q

Explanation Bullets: The following list shows the different types of functionalities and assurance items tested during an evaluation:

Answer

A

Security functional requirements
Identification and authentication
Audit
Resource utilization
Trusted paths/channels
User data protection
Security management
Product access
Communications
Privacy
Protection of the product’s security functions
Cryptographic support
Security assurance requirements
Guidance documents and manuals
Configuration management
Vulnerability assessment
Delivery and operation
Life-cycle support
Assurance maintenance
Development
Testing

Question 13

Q

Explanations: Programmable I/O

Answer

A

If an operating system is using programmable I/O, this means the CPU sends data to an I/O device and polls the device to see if it is ready to accept more data. If the device is not ready to accept more data, the CPU wastes time by waiting for the device to become ready. For example, the CPU would send a byte of data (a character) to the printer and then ask the printer if it is ready for another byte. The CPU sends the text to be printed one byte at a time. This is a very slow way of working and wastes precious CPU time. So the smart people figured out a better way: interrupt-driven I/O.

Question 14

Q

Emphasis: Programmable read-only memory (PROM)

Answer

A

Programmable read-only memory (PROM) is a form of ROM that can be modified after it has been manufactured. PROM can be programmed only one time because the voltage that is used to write bits into the memory cells actually burns out the fuses that connect the individual memory cells. The instructions are “burned into” PROM using a specialized PROM programmer device.

Question 15

Q

Bullets: Stakeholder

Answer

A

Individual, team, or organization (or classes thereof) with interests in, or concerns relative to, a system.

Question 16

Q

Explanations: Compartmented Security Mode

Answer

A

Our system has various classifications of data, and each individual has the clearance to access all of the data, but not necessarily the need to know.

Question 17

Q

Emphasis: Memory Protection Techniques

Answer

A

Memory Protection TechniquesSince your whole operating system and all your applications are loaded and run in memory, this is where the attackers can really do their damage. Vendors of different operating systems (Windows, Unix, Linux, Macintosh, etc.) have implemented various types of protection methods integrated into their memory manager processes. For example, Windows Vista was the first version of Windows to implement address space layout randomization (ASLR), which was first implemented in OpenBSD.

Question 18

Q

Explanation Bullets: The goals of memory management are to

Answer

A

Provide an abstraction level for programmers
Maximize performance with the limited amount of memory available
Protect the operating system and applications loaded into memory

Question 19

Q

Bullets: Symmetric mode multiprocessing

Answer

A

When a computer has two or more CPUs and each CPU is being used in a load-balancing method.

Question 20

Q

Explanations: Random Access Memory

Answer

A

Random access memory (RAM) is a type of temporary storage facility where data and program instructions can temporarily be held and altered. It is used for read/write activities by the operating system and applications. It is described as volatile because if the computer’s power supply is terminated, then all information within this type of memory is lost.

Question 21

Q

Bullets: Labels

Answer

A

Access control labels must be associated properly with objects.

Question 22

Q

Emphasis: ISO/IEC 15408-2

Answer

A

ISO/IEC 15408-2 defines the security functional requirements that will be assessed during the evaluation. It contains a catalog of predefined security functional components that maps to most security needs. These requirements are organized in a hierarchical structure of classes, families, and components. It also provides guidance on the specification of customized security requirements if no predefined security functional component exists.

Question 23

Q

Emphasis: integrity

Answer

A

The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Bell-LaPadula model uses a lattice of security levels (top secret, secret, sensitive, and so on). These security levels were developed mainly to ensure that sensitive data were only available to authorized individuals. The Biba model is not concerned with security levels and confidentiality, so it does not base access decisions upon this type of lattice. Instead, the Biba model uses a lattice of integrity levels.

Question 24

Q

Bullets: Trusted computing base

Answer

A

A collection of all the hardware, software, and firmware components within a system that provide security and enforce the system’s security policy.

Question 25

Q

Emphasis: CPU Operation Modes

Answer

A

CPU Operation ModesAs stated earlier, the CPU provides the ring structure architecture and the operating system assigns its processes to the different rings. When a process is placed in ring 0, its activities are carried out in kernel mode, which means it can access the most critical resources in a nonrestrictive manner. The process is assigned a status level by the operating system (stored as PSW) and when it needs to interact with the CPU, the CPU checks its status to know what it can and cannot allow the process to do. If the process has the status of user mode, the CPU will limit the process’s access to system resources and restrict the functions it can carry out on these resources.

Question 26

Q

Emphasis: Harrison-Ruzzo-Ullman (HRU)

Answer

A

The Harrison-Ruzzo-Ullman (HRU) model deals with access rights of subjects and the integrity of those rights. A subject can carry out only a finite set of operations on an object. Since security loves simplicity, it is easier for a system to allow or disallow authorization of operations if one command is restricted to a single operation. For example, if a subject sent command X, which only required the operation of Y, this is pretty straightforward and allows the system to allow or disallow this operation to take place. But, if a subject sent a command M and to fulfill that command, operations N, B, W, and P had to be carried out, then there is much more complexity for the system to decide if this command should be authorized. Also the integrity of the access rights needs to be ensured, so in this example if one operation cannot be processed properly, the whole command fails. So while it is easy to dictate that subject A can only read object B, it is not always so easy to ensure each and every function supports this high-level statement. The HRU model is used by software designers to ensure that no unforeseen vulnerability is introduced and the stated access control goals are achieved.

Question 27

Q

Bullets: Arithmetic logic unit (ALU)

Answer

A

Component of the CPU that carries out logic and mathematical functions as they are laid out in the programming code being processed by the CPU.

Question 28

Q

Explanations: Trust and Assurance

Answer

A

I trust that you will act properly; thus, I have a high level of assurance in you.Response: You are such a fool.

Question 29

Q

Explanations: Security Modes of Operation

Answer

A

A multilevel security system can operate in different modes depending on the sensitivity of the data being processed, the clearance level of the users, and what those users are authorized to do. The mode of operation describes the security conditions under which the system actually functions.

Question 30

Q

Emphasis: multilevel security mode

Answer

A

A system is operating in multilevel security mode when it permits two or more classification levels of information to be processed at the same time when not all of the users have the clearance or formal approval to access all the information being processed by the system. So all users must have formal approval, NDA, need-to-know, and the necessary clearance to access the data that they need to carry out their jobs. In this mode, the user cannot access all of the data on the system, only what she is cleared to access.

Question 31

Q

Emphasis: separation of duties

Answer

A

A well-formed transaction is a series of operations that are carried out to transfer the data from one consistent state to the other. If Kathy transfers money from her checking account to her savings account, this transaction is made up of two operations: subtract money from one account and add it to a different account. By making sure the new values in her checking and savings accounts are accurate and their integrity is intact, the IVP maintains internal and external consistency. The Clark-Wilson model also outlines how to incorporate separation of duties into the architecture of an application. If we follow our same example of banking software, if a customer needs to withdraw over $10,000, the application may require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model provides the rules that the developers must follow to properly implement and enforce separation of duties through software procedures.

Question 32

Q

Bullets: Preemptive multitasking

Answer

A

Multitasking scheduling scheme used by operating systems to allow for computer resource time slicing. Used in newer, more stable operating systems.

Question 33

Q

Bullets: Identification

Answer

A

Individual subjects must be uniquely identified.

Question 34

Q

Bullets: Interrupt

Answer

A

Software or hardware signal that indicates that system resources (i.e., CPU) are needed for instruction processing.

Question 35

Q

Emphasis: Computer security

Answer

A

Computer security can be a slippery term because it means different things to different people. Many aspects of a system can be secured, and security can happen at various levels and to varying degrees. As stated in previous chapters, information security consists of the following main attributes:

Question 36

Q

Bullets: Brewer and Nash model

Answer

A

This model allows for dynamically changing access controls that protect against conflicts of interest. Also known as the Chinese Wall model.

Question 37

Q

Emphasis: Division A: Verified Protection

Answer

A

Division A: Verified ProtectionFormal methods are used to ensure that all subjects and objects are controlled with the necessary discretionary and mandatory access controls. The design, development, implementation, and documentation are looked at in a formal and detailed way. The security mechanisms between B3 and A1 are not very different, but the way the system was designed and developed is evaluated in a much more structured and stringent procedure.

Question 38

Q

Bullets: Traffic flow confidentiality

Answer

A

Ensures that unauthorized entities are not aware of routing information or frequency of communication via traffic analysis. Mechanisms include padding messages, sending noise, or sending false messages.

Question 39

Q

Bullets: Evaluation assurance requirements

Answer

A

Establishes the type and intensity of the evaluation.

Question 40

Q

Emphasis: Abstraction

Answer

A

Abstraction means that the details of something are hidden. Developers of applications do not know the amount or type of memory that will be available in each and every system their code will be loaded on. If a developer had to be concerned with this type of detail, then her application would be able to work only on the one system that maps to all of her specifications. To allow for portability, the memory manager hides all of the memory issues and just provides the application with a memory segment. The application is able to run without having to know all the hairy details of the operating system and hardware it is running on.

Question 41

Q

Bullets: Authentication

Answer

A

Protects against masquerading and playback attacks. Mechanisms include digital signatures, encryption, timestamp, and passwords.

Question 42

Q

Bullets: Security functional requirements

Answer

A

Individual security functions which must be provided by a product.

Question 43

Q

Emphasis: Read-Only Memory

Answer

A

Read-Only MemoryRead-only memory (ROM) is a nonvolatile memory type, meaning that when a computer’s power is turned off, the data are still held within the memory chips. When data are written into ROM memory chips, the data cannot be altered. Individual ROM chips are manufactured with the stored program or routines designed into it. The software that is stored within ROM is called firmware.

Question 44

Q

Bullets: Clark-Wilson model

Answer

A

This integrity model is implemented to protect the integrity of data and to ensure that properly formatted transactions take place. It addresses all three goals of integrity:

Question 45

Q

Bullets: Virtual memory

Answer

A

Combination of main memory (RAM) and secondary memory within an operating system.

Question 46

Q

Explanations: Lattice Model

Answer

A

A lattice is a mathematical construct that is built upon the notion of a group. The most common definition of the lattice model is “a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set.”

Question 47

Q

Bullets: ISO/IEC 42010:2007

Answer

A

International standard that provides guidelines on how to create and maintain system architectures.

Question 48

Q

Goals of Integrity Models : The following are the three main goals of integrity models:

Answer

A

Prevent unauthorized users from making modifications
Prevent authorized users from making improper modifications (separation of duties)
Maintain internal and external consistency (well-formed transaction)

Question 49

Q

Emphasis: Operating System Architectures

Answer

A

Operating System ArchitecturesWe started this chapter by looking at system architecture approaches. Remember that a system is made up of all the necessary pieces for computation: hardware, firmware, and software components. The chapter moved into the architecture of a CPU, which just looked at the processor. Now we will look at operating system architectures, which deal specifically with the software components of a system.

Question 50

Q

Bullets: Cache memory

Answer

A

Fast and expensive memory type that is used by a CPU to increase read and write operations.

Question 51

Q

Emphasis: Why Put a Product Through Evaluation?

Answer

A

Why Put a Product Through Evaluation?Submitting a product to be evaluated against the Orange Book, Information Technology Security Evaluation Criteria, or Common Criteria is no walk in the park for a vendor. In fact, it is a really painful and long process, and no one wakes up in the morning thinking, “Yippee! I have to complete all of the paperwork that the National Computer Security Center requires so my product can be evaluated!” So, before we go through these different criteria, let’s look at why anyone would even put themselves through this process.

Question 52

Q

Explanation Bullets: Goals of Integrity Models

The following are the three main goals of integrity models:

Answer

A

Prevent unauthorized users from making modifications
Prevent authorized users from making improper modifications (separation of duties)
Maintain internal and external consistency (well-formed transaction)

Question 53

Q

Emphasis: strong star property rule

Answer

A

The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the “no read up” rule, and the *-property rule is referred to as the “no write down” rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classification must be equal.

Question 54

Q

Emphasis: Security Kernel

Answer

A

Security KernelThe security kernel is made up of hardware, software, and firmware components that fall within the TCB, and it implements and enforces the reference monitor concept. The security kernel mediates all access and functions between subjects and objects. The security kernel is the core of the TCB and is the most commonly used approach to building trusted computing systems. The security kernel has three main requirements:

Question 55

Q

Bullets: Time-of-check/time-of-use (TOC/TOU) attack

Answer

A

Attacker manipulates the “condition check” step and the “use” step within software to allow for unauthorized activity.

Question 56

Q

Emphasis: buffer overflow

Answer

A

A buffer overflow takes place when too much data are accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up by commands the attacker wants executed. So, the purpose of a buffer overflow may be either to make a mess, by shoving arbitrary data into various memory segments, or to accomplish a specific task, by pushing into the memory segment a carefully crafted set of data that will accomplish a specific task. This task could be to open a command shell with administrative privilege or execute malicious code.

Question 57

Q

Emphasis: Other Types of Covert Channels

Answer

A

Other Types of Covert ChannelsAlthough we are looking at covert channels within programming code, covert channels can be used in the outside world as well. Let’s say you are going to attend one of my lectures. Before the lecture begins, you and I agree on a way of communicating that no one else in the audience will understand. I tell you that if I twiddle a pen between my fingers in my right hand, that means there will be a quiz at the end of class. If I twiddle a pen between my fingers in my left hand, there will be no quiz. It is a covert channel, because this is not a normal way of communicating and it is secretive. (In this scenario, I would twiddle the pen in both hands to confuse you and make you stay after class to take the quiz all by yourself. Shame on you for wanting to be forewarned about a quiz!)

Question 58

Q

Bullets: *-integrity axiom

Answer

A

A subject cannot write data to an object at a higher integrity level (referred to as “no write up”).

Question 59

Q

Emphasis: Certification vs. Accreditation

Answer

A

Certification vs. AccreditationWe have gone through the different types of evaluation criteria that a system can be appraised against to receive a specific rating. This is a very formalized process, following which the evaluated system or product will be placed on an EPL indicating what rating it achieved. Consumers can check this listing and compare the different products and systems to see how they rank against each other in the property of protection. However, once a consumer buys this product and sets it up in their environment, security is not guaranteed. Security is made up of system administration, physical security, installation, configuration mechanisms within the environment, and continuous monitoring. To fairly say a system is secure, all of these items must be taken into account. The rating is just one piece in the puzzle of security.

Question 60

Q

Explanations: Security Models

Answer

A

An important concept in the design and analysis of secure systems is the security model, because it incorporates the security policy that should be enforced in the system. A model is a symbolic representation of a policy. It maps the desires of the policymakers into a set of rules that a computer system must follow.

Question 61

Q

Explanations: A Few Threats to Review

Answer

A

Now that we have talked about how everything is supposed to work, let’s take a quick look at some of the things that can go wrong when designing a system.

Question 62

Q

Explanations: Time-of-Check/Time-of-Use Attacks

Answer

A

Specific attacks can take advantage of the way a system processes requests and performs tasks. A time-of-check/time-of-use (TOC/TOU) attack deals with the sequence of steps a system uses to complete a task. This type of attack takes advantage of the dependency on the timing of events that take place in a multitasking operating system.

Question 63

Q

Bullets: Central processing unit (CPU)

Answer

A

A silicon component made up of integrated chips with millions of transistors that carry out the execution of instructions within a computer.

Question 64

Q

Bullets: The simple integrity axiom

Answer

A

A subject cannot read data at a lower integrity level (no read down).

Answer 65

A

Reference MonitorUp to this point we have a CPU that provides a ringed structure and an operating system that places its components in the different rings based upon the trust level of each component. We have a defined security policy, which outlines the level of security we want our system to provide. We have chosen the mechanisms that will enforce the security policy (TCB) and implemented security perimeters (interfaces) to make sure these mechanisms communicate securely. Now we need to develop and implement a mechanism that ensures that the subjects that access objects within the operating system have been given the necessary permissions to do so. This means we need to develop and implement a reference monitor.

Answer 66

A

This is faster than DRAM because DRAM can access only one block of data at a time, whereas EDO DRAM can capture the next block of data while the first block is being sent to the CPU for processing. It has a type of “look ahead” feature that speeds up memory access.

Answer 67

A

Works like (and builds upon) EDO DRAM in that it can transmit data to the CPU as it carries out a read option, but it can send more data at once (burst). It reads and sends up to four memory addresses in a small number of clock cycles.

Answer 68

A

ISO/IEC 15408-3 defines the assurance requirements, which are also organized in a hierarchy of classes, families, and components. This part outlines the evaluation assurance levels, which is a scale for measuring assurance of TOEs, and it provides the criteria for evaluation of protection profiles and security targets.

Answer 69

A

Central program used to manage virtual machines (guests) within a simulated environment (host).

Answer 70

A

A subject cannot write to an object at a lower security level (the “no write down” rule).

Answer 71

A

This model shows how a finite set of procedures can be available to edit the access rights of a subject.

Answer 72

A

This is the first mathematical model of a multilevel security policy that defines the concept of a secure state and necessary modes of access. It ensures that information only flows in a manner that does not violate the system policy and is confidentiality focused.

Answer 73

A

Okay, here is your memory, here is my memory, and here is Bob’s memory. No one use each other’s memory!

Answer 74

A

Response: Black magic. It uses eye of bat, tongue of goat, and some transistors.

Answer 75

A

The microarchitecture contains the things that make up the physical CPU (registers, logic gates, ALU, cache, etc.). The CPU knows mechanically how to use all of these parts; it just needs to know what the operating system wants it to do. A chef knows how to use all of his pots, pans, spices, and ingredients, but he needs an order from the menu so he knows how to use all of these properly to achieve the requested outcome. Similarly, the CPU has a “menu” of operations the operating system can “order” from, which is the instruction set. The operating system puts in its order (render graphics on screen, print to printer, encrypt data, etc.), and the CPU carries out the request and provides the result.

Answer 76

A

Segment all memory types and provide an addressing scheme for each at an abstraction level
Allow for the sharing of specific software modules, such as dynamic link library (DLL) procedures

Answer 77

A

Premapped I/O and fully mapped I/O (described next) do not pertain to performance, as do the earlier methods, but provide two approaches that can directly affect security. In a premapped I/O system, the CPU sends the physical memory address of the requesting process to the I/O device, and the I/O device is trusted enough to interact with the contents of memory directly, so the CPU does not control the interactions between the I/O device and memory. The operating system trusts the device to behave properly. Scary.

Answer 78

A

(aka Orange Book) U.S. DoD standard used to assess the effectiveness of the security controls built into a system. Replaced by the Common Criteria.

Answer 79

A

When the CPU has to change from processing code in user mode to kernel mode. This is a protection measure, but it causes a performance hit.

Answer 80

A

In state machine models, to verify the security of a system, the state is used, which means that all current permissions and all current instances of subjects accessing objects must be captured. Maintaining the state of a system deals with each subject’s association with objects. If the subjects can access objects only by means that are concurrent with the security policy, the system is secure. A state of a system is a snapshot of a system at one moment of time. Many activities can alter this state, which are referred to as state transitions. The developers of an operating system that will implement the state machine model need to look at all the different state transitions that are possible and assess whether a system that starts up in a secure state can be put into an insecure state by any of these events. If all of the activities that are allowed to happen in the system do not compromise the system and put it into an insecure state, then the system executes a secure state machine model.

Answer 81

A

System ArchitectureIn Chapter 2 we covered enterprise architecture frameworks and introduced their direct relationship to system architecture. As explained in that chapter, an architecture is a tool used to conceptually understand the structure and behavior of a complex entity through different views. An architecture description is a formal description and representation of a system, the components that make it up, the interactions and interdependencies between those components, and the relationship to the environment. An architecture provides different views of the system, based upon the needs of the stakeholders of that system.

Answer 82

A

Interrupt value assigned to a noncritical operating system activity.

Answer 83

A

Memory sticks that are plugged into a computer’s motherboard and work as volatile memory space for an operating system.

Answer 84

A

For a subject to be able to read and write to an object, the subject’s clearance and the object’s classification must be equal.

Answer 85

A

The Common Criteria uses protection profiles in its evaluation process. This is a mechanism used to describe a real-world need for a product that is not currently on the market. The protection profile contains the set of security requirements, their meaning and reasoning, and the corresponding EAL rating that the intended product will require. The protection profile describes the environmental assumptions, the objectives, and the functional and assurance level expectations. Each relevant threat is listed along with how it is to be controlled by specific objectives. The protection profile also justifies the assurance level and requirements for the strength of each protection mechanism.

Answer 86

A

Values assigned to computer components (hardware and software) to allow for efficient computer resource time slicing.

Answer 87

A

Systems described as open are built upon standards, protocols, and interfaces that have published specifications. This type of architecture provides interoperability between products created by different vendors. This interoperability is provided by all the vendors involved who follow specific standards and provide interfaces that enable each system to easily communicate with other systems and allow add-ons to hook into the system easily.

Answer 88

A

Technical evaluation of the security components and their compliance to a predefined security policy for the purpose of accreditation.

Answer 89

A

Use of segregation in design decisions to protect software components from negatively interacting with each other. Commonly enforced through strict interfaces.

Answer 90

A

Ending of address space assigned to a process. Used to ensure a process does not make a request outside its assigned memory boundaries.

Answer 91

A

Designs are built upon proprietary procedures, which inhibit interoperability capabilities.

Answer 92

A

Identifies the specific requirements the product or system must meet during the development phases, from design to implementation.

Answer 93

A

Tool that marks unused memory segments as usable to ensure that an operating system does not run out of memory.

Answer 94

A

International standard used to assess the effectiveness of the security controls built into a system from functional and assurance perspectives.

Answer 95

A

Collection of document types to convey an architecture in a formal manner.

Answer 96

A

Memory protection mechanism used by some operating systems. The addresses used by components of a process are randomized so that it is harder for an attacker to exploit specific memory vulnerabilities.

Answer 97

A

I have my decoder ring, cape, and pirate’s hat on. I will communicate to my spy buddies with this tribal drum and a whistle.

Answer 98

A

• Swap contents from RAM to the hard drive as needed (explained later in the “Virtual Memory” section of this chapter)

Answer 99

A

Graham-Denning ModelRemember that these are all models, so they are not very specific in nature. Each individual vendor must decide how it is going to actually meet the rules outlined in the chosen model. Bell-LaPadula and Biba do not define how the security and integrity levels are defined and modified, nor do they provide a way to delegate or transfer access rights. The Graham-Denning model addresses some of these issues and defines a set of basic rights in terms of commands that a specific subject can execute on an object. This model has eight primitive protection rights, or rules of how these types of functionalities should take place securely, which are outlined next:

Answer 100

A

A system is operating in compartmented security mode when all users have the clearance to access all the information processed by the system in a system high-security configuration, but might not have the need-to-know and formal access approval. This means that if the system is holding secret and top-secret data, all users must have at least a top-secret clearance to gain access to this system. This is how compartmented and multilevel security modes are different. Both modes require the user to have a valid need-to-know, NDA, and formal approval, but compartmented security mode requires the user to have a clearance that dominates (above or equal to) any and all data on the system, whereas multilevel security mode just requires the user to have clearance to access the data she will be working with.

Answer 101

A

Process 1, go into your room and play with your toys. Process 2, go into your room and play with your toys. No intermingling and no fighting!

Answer 102

A

Small, temporary memory storage units integrated and used by the CPU during its processing functions.

Answer 103

A

Physical connections between processing components and memory segments used to transmit data being used during processing procedures.

Answer 104

A

Architecture that separates system functionality into hierarchical layers.

Answer 105

A

Computer security can be a slippery term because it means different things to different people. Many aspects of a system can be secured, and security can happen at various levels and to varying degrees. As stated in previous chapters, information security consists of the following main attributes:

Answer 106

A

This model shows how subjects and objects should be created and deleted. It also addresses how to assign specific access rights.

Answer 107

A

A subject cannot request service (invoke) of higher integrity.

Answer 108

A

Strategic tool used to dictate how sensitive information and resources are to be managed and protected.

Answer 109

A

Condition variable that indicates to the CPU what mode (kernel or user) instructions need to be carried out in.

Answer 110

A

Programmed I/O
Interrupt-driven I/O
I/O using DMA
Premapped I/O
Fully mapped I/O

Answer 111

A

There is only one class in Division D. It is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions.

Answer 112

A

ISO/IEC 15408-1 lays out the general concepts and principles of the CC evaluation model. This part defines terms, establishes the core concept of TOE, describes the evaluation context, and necessary audience. It provides the key concepts for PP, security requirements, and guidelines for the security target.

Answer 113

A

It looks specifically at the operating system and not at other issues like networking, databases, and so on.
It focuses mainly on one attribute of security—confidentiality—and not on integrity and availability.
It works with government classifications and not the protection classifications commercial industries use.
It has a relatively small number of ratings, which means many different aspects of security are not evaluated and rated independently.

Answer 114

A

Naming distinctions just means that the different processes have their own name or identification value. Processes are usually assigned process identification (PID) values, which the operating system and other processes use to call upon them. If each process is isolated, that means each process has its own unique PID value. This is just another way to enforce process isolation.

Answer 115

A

The reference monitor is an abstract machine that mediates all access subjects have to objects, both to ensure that the subjects have the necessary access rights and to protect the objects from unauthorized access and destructive modification. For a system to achieve a higher level of trust, it must require subjects (programs, users, processes) to be fully authorized prior to accessing an object (file, program, resource). A subject must not be allowed to use a requested resource until the subject has proven it has been granted access privileges to use the requested object. The reference monitor is an access control concept, not an actual physical component, which is why it is normally referred to as the “reference monitor concept” or an “abstract machine.”

Answer 116

A

Check the consistency of CDIs with external reality

Answer 117

A

All operating system processes run in a hierarchical model in kernel mode.

Answer 118

A

Operating System ComponentsAn operating system provides an environment for applications and users to work within. Every operating system is a complex beast, made up of various layers and modules of functionality. It has the responsibility of managing the hardware components, memory management, I/O operations, file system, process management, and providing system services. We next look at each of these responsibilities that every operating system type carries out. However, you must realize that whole books are written on just these individual topics, so the discussion here will only scratch the surface.

Answer 119

A

Interrupt value assigned to a critical operating system activity.

Answer 120

A

A formal state transition model that describes a set of access control rules designed to ensure data integrity.

Answer 121

A

Formal acceptance of the adequacy of a system’s overall security by management.

Answer 122

A

Improper oversight in the development of the product
Improper implementation of access controls within the software
Existence of a shared resource between the two entities which are not properly controlled

Answer 123

A

No More Pencil WhippingMany organizations are taking the accreditation process more seriously than they did in the past. Unfortunately, sometimes when a certification process is completed and the documentation is sent to management for review and approval, management members just blindly sign the necessary documentation without really understanding what they are signing. Accreditation means management is accepting the risk that is associated with allowing this new product to be introduced into the organization’s environment. When large security compromises take place, the buck stops at the individual who signed off on the offending item. So as these management members are being held more accountable for what they sign off on, and as more regulations make executives personally responsible for security, the pencil whipping of accreditation papers is decreasing.

Answer 124

A

Hardware, software, and firmware components that fall within the TCB and implement and enforce the reference monitor concept.

Answer 125

A

Erasable programmable read-only memory (EPROM) can be erased, modified, and upgraded. EPROM holds data that can be electrically erased or written to. To erase the data on the memory chip, you need your handy-dandy ultraviolet (UV) light device that provides just the right level of energy. The EPROM chip has a quartz window, which is where you point the UV light. Although playing with UV light devices can be fun for the whole family, we have moved on to another type of ROM technology that does not require this type of activity.

Answer 126

A

Ensures that the network is available even if attacked. Mechanisms include fault-tolerant and redundant systems and the capability to reconfigure network parameters in case of an emergency.

Answer 127

A

Use complex controls to ensure integrity and confidentiality when processes need to use the same shared memory segments
Allow many users with different levels of access to interact with the same application running in one memory segment

Answer 128

A

Protection mechanism provided by operating systems that can be implemented as encapsulation, time multiplexing of shared resources, naming distinctions, and virtual memory mapping.

Answer 129

A

Put the processor over there by the plant, the memory by the window, and the secondary storage upstairs.

Answer 130

A

Indirect addressing used by processes within an operating system. The memory manager carries out logical-to-absolute address mapping.

Answer 131

A

Software, hardware, and firmware must be able to be tested individually to ensure that each enforces the security policy in an effective manner throughout their lifetimes.

Answer 132

A

The types of users who will be directly or indirectly connecting to the system
The type of data (classification levels, compartments, and categories) processed on the system
The clearance levels, need-to-know, and formal access approvals the users will have

Answer 133

A

A system is operating in system high-security mode when all users have a security clearance to access the information but not necessarily a need-to-know for all the information processed on the system. So, unlike in the dedicated security mode, in which all users have a need-to-know pertaining to all data on the system, in system high-security mode, all users have a need-to-know pertaining to some of the data.

Answer 134

A

Use a host intrusion detection system to watch for any attackers using back doors into the system.
Use file system encryption to protect sensitive information.
Implement auditing to detect any type of back door use.

Answer 135

A

Too much data is put into the buffers that make up a stack. Common attack vector used by hackers to run malicious code on a target system.

Answer 136

A

Mechanism used to delineate between the components within and outside of the trusted computing base.

Answer 137

A

A subject cannot read data within an object that resides at a higher security level (the “no read up” rule).

Answer 138

A

A specification of the conventions for constructing and using a view. A template from which to develop individual views by establishing the purposes and audience for a view and the techniques for its creation and analysis.

Answer 139

A

Mode that a CPU works within when carrying out more trusted process instructions. The process has access to more computer resources when working in kernel versus user mode.

Answer 140

A

The C rating category has two individual assurance ratings within it, which are described next. The higher the number of the assurance rating, the greater the protection.

Answer 141

A

The watchdog timer is an example of a critical process that must always do its thing. This process will reset the system with a warm boot if the operating system hangs and cannot recover itself. For example, if there is a memory management problem and the operating system hangs, the watchdog timer will reset the system. This is one mechanism that ensures the software provides more of a stable environment.Thread Management

Answer 142

A

As mentioned earlier, the invocation property in the Biba model states that a subject cannot invoke (call upon) a subject at a higher integrity level. Well, how is this different from the other two Biba rules? The “*-integrity axiom (no write up) dictates how subjects can modify objects. The simple integrity axiom (no read down) dictates how subjects can read objects. The invocation property dictates how one subject can communicate with and initialize other subjects at run time. An example of a subject invoking another subject is when a process sends a request to a procedure to carry out some type of task. Subjects are only allowed to invoke tools at a lower integrity level. With the invocation property, the system is making sure a dirty subject cannot invoke a clean tool to contaminate a clean object.

Answer 143

A

All of the code of the operating system working in kernel mode in an ad hoc and nonmodularized manner.

Answer 144

A

Flash memory is a special type of memory that is used in digital cameras, BIOS chips, memory cards, and video game consoles. It is a solid-state technology, meaning it does not have moving parts and is used more as a type of hard drive than memory.

Answer 145

A

Specific design of a microprocessor, which includes physical components (registers, logic gates, ALU, cache, etc.) that support a specific instruction set.

Answer 146

A

This is a model in which information is restricted in its flow to only go to and from entities in a way that does not negate or violate the security policy.

Answer 147

A

Under fully mapped I/O, the operating system does not trust the I/O device. The physical address is not given to the I/O device. Instead, the device works purely with logical addresses and works on behalf (under the security context) of the requesting process, so the operating system does not trust the device to interact with memory directly. The operating system does not trust the process or device and it acts as the broker to control how they communicate with each other.

Answer 148

A

Carries out read operations on the rising and falling cycles of a clock pulse. So instead of carrying out one operation per clock cycle, it carries out two and thus can deliver twice the throughput of SDRAM. Basically, it doubles the speed of memory activities, when compared to SDRAM, with a smaller number of clock cycles. Pretty groovy.

Answer 149

A

To provide a safe and stable environment, an operating system must exercise proper memory management—one of its most important tasks. After all, everything happens in memory.

Answer 150

A

The security kernel is made up of hardware, software, and firmware components that fall within the TCB, and it implements and enforces the reference monitor concept. The security kernel mediates all access and functions between subjects and objects. The security kernel is the core of the TCB and is the most commonly used approach to building trusted computing systems. The security kernel has three main requirements:

Answer 151

A

Every address reference is validated for protection.
Two or more processes can share access to the same segment with potentially different access rights.
Different instruction and data types can be assigned different levels of protection.
Processes cannot generate an unpermitted address or gain access to an unpermitted segment.

Answer 152

A

Code within software that provides a back door entry capability.

Answer 153

A

Outlines how a system can simultaneously process information at different classifications for users with different clearance levels.

Answer 154

A

A subject cannot read data from a lower integrity level (referred to as “no read down”).

Answer 155

A

Beginning of address space assigned to a process. Used to ensure a process does not make a request outside its assigned memory boundaries.

Answer 156

A

Program loaded in memory within an operating system.

Answer 157

A

Our system has various classifications of data, and each individual has the clearance and need-to-know to access only individual pieces of data.

Answer 158

A

Set of operations and commands that can be implemented by a particular processor (CPU).

Answer 159

A

Establishes a protection boundary, meaning the threats or compromises within this boundary to be countered. The product or system must enforce the boundary established in this section.

Answer 160

A

Temporary memory location the CPU uses during its processes of executing instructions. The ALU’s “scratch pad” it uses while carrying out logic and math functions.

Answer 161

A

Measures taken during development and evaluation of the product to assure compliance with the claimed security functionality.

Answer 162

A

Mandatory access control is enforced by the use of security labels. The architecture is based on the Bell-LaPadula security model, and evidence of reference monitor enforcement must be available.

Answer 163

A

Protects data from being accessed in an unauthorized method during transmission. Mechanisms include access controls, encryption, and physical protection of cables.

Answer 164

A

Systems Evaluation MethodsAn assurance evaluation examines the security-relevant parts of a system, meaning the TCB, access control mechanisms, reference monitor, kernel, and protection mechanisms. The relationship and interaction between these components are also evaluated. There are different methods of evaluating and assigning assurance levels to systems. Two reasons explain why more than one type of assurance evaluation process exists: methods and ideologies have evolved over time, and various parts of the world look at computer security differently and rate some aspects of security differently. Each method will be explained and compared.

Answer 165

A

The Orange BookThe U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book with an orange cover, which is called, appropriately, the Orange Book. (We like to keep things simple in security.) Customers used the assurance rating that the criteria present as a metric when comparing different products. It also provided direction for manufacturers so they knew what specifications to build to, and provides a one-stop evaluation process so customers do not need to have individual components within the systems evaluated.

Answer 166

A

Systems referred to as closed use an architecture that does not follow industry standards. Interoperability and standard interfaces are not employed to enable easy communication between different types of systems and add-on features. Closed systems are proprietary, meaning the system can only communicate with like systems.

Answer 167

A

Static RAM (SRAM) does not require this continuous-refreshing nonsense; it uses a different technology, by holding bits in its memory cells without the use of capacitors, but it does require more transistors than DRAM. Since SRAM does not need to be refreshed, it is faster than DRAM, but because SRAM requires more transistors, it takes up more space on the RAM chip. Manufacturers cannot fit as many SRAM memory cells on a memory chip as they can DRAM memory cells, which is why SRAM is more expensive. So, DRAM is cheaper and slower, and SRAM is more expensive and faster. It always seems to go that way. SRAM has been used in cache, and DRAM is commonly used in RAM chips.

Answer 168

A

Synchronizes itself with the system’s CPU and synchronizes signal input and output on the RAM chip. It coordinates its activities with the CPU clock so the timing of the CPU and the timing of the memory activities are synchronized. This increases the speed of transmitting and executing data.

Answer 169

A

Applications that can carry out multiple activities simultaneously by generating different instruction sets (threads).

Answer 170

A

Layered operating systems provide data hiding, which means that instructions and data (packaged up as procedures) at the various layers do not have direct access to the instructions and data at any other layers. Each procedure at each layer has access only to its own data and a set of functions that it requires to carry out its own tasks. If a procedure can access more procedures than it really needs, this opens the door for more successful compromises. For example, if an attacker is able to compromise and gain control of one procedure and this procedure has direct access to all other procedures, the attacker could compromise a more privileged procedure and carry out more devastating activities.

Answer 171

A

Systems of a higher trust level may need to implement hardware segmentation of the memory used by different processes. This means memory is separated physically instead of just logically. This adds another layer of protection to ensure that a lower-privileged process does not access and modify a higher-level process’s memory space.

Answer 172

A

In a covert timing channel, one process relays information to another by modulating its use of system resources. The two processes that are communicating to each other are using the same shared resource. So in our example, Process A is a piece of nefarious software that was installed via a Trojan horse. In a multitasked system, each process is offered access to interact with the CPU. When this function is offered to Process A, it rejects it—which indicates a 1 to the attacker. The next time Process A is offered access to the CPU, it uses it, which indicates a 0 to the attacker. Think of this as a type of Morse code, but using some type of system resource.

Answer 173

A

When a computer has two or more CPUs and one CPU is dedicated to a specific program while the other CPUs carry out general processing procedures.

Answer 174

A

Memory management is critical, but what types of memory actually have to be managed?

Answer 175

A

Process DomainThe term domain just means a collection of resources. A process has a collection of resources assigned to it when it is loaded into memory (run time), as in memory addresses, files it can interact with, system services available to it, peripheral devices, etc. The higher the ring level that the process executes within, the larger the domain of resources that is available to it.

Answer 176

A

Software and hardware guards allow the exchange of data between trusted (high assurance) and less trusted (low assurance) systems and environments. Let’s say you are working on a MAC system (working in dedicated security mode of secret) and you need the system to communicate with a MAC database (working in multilevel security mode, which goes up to top secret). These two systems provide different levels of protection. If a system with lower assurance could directly communicate with a system of higher assurance, then security vulnerabilities and compromises could be introduced. So, a software guard can be implemented, which is really just a front-end product that allows interconnectivity between systems working at different security levels. (The various types of guards available can carry out filtering, processing requests, data blocking, and data sanitization.) Or a hardware guard can be implemented, which is a system with two NICs connecting the two systems that need to communicate. The guard provides a level of strict access control between different systems.

Answer 177

A

Combination of monolithic and microkernel architectures. The microkernel carries out critical operating system functionality, and the remaining functionality is carried out in a client\server model within kernel mode.

Answer 178

A

Provides the name of the profile and a description of the security problem to be solved.

Answer 179

A

Ensures that a sender cannot deny sending a message. Mechanisms include encryption, digital signatures, and notarization.

Answer 180

A

Nonvolatile memory that is used on motherboards for BIOS functionality and various device controllers to allow for operating system-to-device communication. Sometimes used for off-loading graphic rendering or cryptographic functionality.

Answer 181

A

Memory segmentsMost applications have several different functions. Word processing applications can open files, save files, open other programs (such as an e-mail client), and print documents. Each one of these functions requires a thread (instruction set) to be dynamically generated. So, for example, if Tom chooses to print his document, the word processing process generates a thread that contains the instructions of how this document should be printed (font, colors, text, margins, and so on). If he chooses to send a document via e-mail through this program, another thread is created that tells the e-mail client to open and what file needs to be sent. Threads are dynamically created and destroyed as needed. Once Tom is done printing his document, the thread that was generated for this functionality is broken down.

Answer 182

A

Instruction set generated by a process when it has a specific activity that needs to be carried out by an operating system. When the activity is finished, the thread is destroyed.

Answer 183

A

Part of the CPU that oversees the collection of instructions and data from memory and how they are passed to the processing components of the CPU.

Answer 184

A

The security mechanisms and the system as a whole must perform predictably and acceptably in different situations continuously.

Answer 185

A

Vendor’s written explanation of the security functionality and assurance mechanisms that meet the needed security solution—in other words, “This is what our product does and how it does it.”

Answer 186

A

The Red BookThe Orange Book addresses single-system security, but networks are a combination of systems, and each network needs to be secure without having to fully trust each and every system connected to it. The Trusted Network Interpretation (TNI), also called the Red Book because of the color of its cover, addresses security evaluation topics for networks and network components. It addresses isolated local area networks and wide area internetwork systems.

Answer 187

A

A subject cannot modify an object in a higher integrity level (no write up).

Answer 188

A

Routes messages in a way to avoid specific threats. Mechanisms include network configuration and routing tables.

Answer 189

A

Temporary memory location that holds critical processing parameters. They hold values as in the program counter, stack pointer, and program status word.

Answer 190

A

A set of subroutines that are shared by different applications and operating system processes.

Answer 191

A

A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the system’s security policy.

Answer 192

A

A subject cannot read data at a higher security level (no read up).

Answer 193

A

Protection mode that a CPU works within when carrying out less trusted process instructions.

Answer 194

A

Security Architecture RequirementsIn the 1970s computer systems were moving from single user, stand-alone, centralized and closed systems to multiuser systems that had multiprogramming functionality and networking capabilities. The U.S. government needed to ensure that all of the systems that it was purchasing and implementing were properly protecting its most secret secrets. The government had various levels of classified data (secret, top secret) and users with different clearance levels (Secret, Top Secret). It needed to come up with a way to instruct vendors on how to build computer systems to meet their security needs and in turn a way to test the products these vendors developed based upon those same security needs.

Answer 195

A

Interleaved execution of more than one program (process) or task by a single operating system.

Answer 196

A

Limit processes to interact only with the memory segments assigned to them
Provide access control to memory segments

Answer 197

A

Multitasking scheduling scheme used by older operating systems to allow for computer resource time slicing. Processes had too much control over resources, which would allow for the programs or systems to “hang.”

Answer 198

A

The term domain just means a collection of resources. A process has a collection of resources assigned to it when it is loaded into memory (run time), as in memory addresses, files it can interact with, system services available to it, peripheral devices, etc. The higher the ring level that the process executes within, the larger the domain of resources that is available to it.

Answer 199

A

Physical connections between processing components and memory segments used to communicate the physical memory addresses being used during processing procedures.

Answer 200

A

Monitors network performance and identifies attacks and failures. Mechanisms include components that enable network administrators to monitor and restrict resource access.

Answer 201

A

Trustworthy software channel that is used for communication between two processes that cannot be circumvented.

Answer 202

A

Memory protection mechanism used by some operating systems. Memory segments may be marked as nonexecutable so that they cannot be misused by malicious software.

Answer 203

A

Physically mapping software to individual memory segments.

Answer 204

A

European standard used to assess the effectiveness of the security controls built into a system.

Answer 205

A

The central processing unit (CPU) is the brain of a computer. In the most general description possible, it fetches instructions from memory and executes them. Although a CPU is a piece of hardware, it has its own instruction set that is necessary to carry out its tasks. Each CPU type has a specific architecture and set of instructions that it can carry out. The operating system must be designed to work within this CPU architecture. This is why one operating system may work on a Pentium Pro processor but not on an AMD processor. The operating system needs to know how to “speak the language” of the processor, which is the processor’s instruction set.

Answer 206

A

Designs are built upon accepted standards to allow for interoperability.

Answer 207

A

Protects the protocol header, routing information, and packet payload from being modified. Mechanisms include message authentication and encryption.

Answer 208

A

“Checklist” and process of examining the security-relevant parts of a system (TCB, reference monitor, security kernel) and assigning the system an assurance rating.

Answer 209

A

Computer architecture encompasses all of the parts of a computer system that are necessary for it to function, including the operating system, memory chips, logic circuits, storage devices, input and output devices, security components, buses, and networking interfaces. The interrelationships and internal working of all of these parts can be quite complex, and making them work together in a secure fashion consists of complicated methods and mechanisms. Thank goodness for the smart people who figured this stuff out! Now it is up to us to learn how they did it and why.

Answer 210

A

An assurance evaluation examines the security-relevant parts of a system, meaning the TCB, access control mechanisms, reference monitor, kernel, and protection mechanisms. The relationship and interaction between these components are also evaluated. There are different methods of evaluating and assigning assurance levels to systems. Two reasons explain why more than one type of assurance evaluation process exists: methods and ideologies have evolved over time, and various parts of the world look at computer security differently and rate some aspects of security differently. Each method will be explained and compared.

Answer 211

A

The architecture and protection features are not much different from systems that achieve a B3 rating, but the assurance of an A1 system is higher than a B3 system because of the formality in the way the A1 system was designed, the way the specifications were developed, and the level of detail in the verification techniques. Formal techniques are used to prove the equivalence between the TCB specifications and the security policy model. A more stringent change configuration is put in place with the development of an A1 system, and the overall design can be verified. In many cases, even the way in which the system is delivered to the customer is under scrutiny to ensure there is no way of compromising the system before it reaches its destination.

Answer 212

A

Discretionary access control-based operating system
Provides role-based access control functionality
Capability of protecting data classified at “public” and “confidential” levels
Does not allow unauthorized access to sensitive data or critical system functions
Enforces least privilege and separation of duties
Provides auditing capabilities
Implements trusted paths and trusted shells for sensitive processing activities
Enforces identification, authentication, and authorization of trusted subjects
Implements a capability-based authentication methodology
Does not contain covert channels
Enforces integrity rules on critical files

Answer 213

A

Application Programming Interface (API)An API is the doorway to a protocol, operating service, process, or DLL. When one piece of software needs to send information to another piece of software, it must format its communication request in a way that the receiving software understands. An application may send a request to an operating system’s cryptographic DLL, which will in turn carry out the requested cryptographic functionality for the application.

Answer 214

A

Formal ModelsUsing models in software development has not become as popular as once imagined, primarily because vendors are under pressure to get products to market as soon as possible. Using formal models takes more time during the architectural phase of development, extra time that many vendors feel they cannot afford. Formal models are definitely used in the development of systems that cannot allow errors or security breaches, such as air traffic control systems, spacecraft software, railway signaling systems, military classified systems, and medical control systems. This does not mean that these models, or portions of them, are not used in industry products, but rather that industry vendors do not always follow these models in the purely formal and mathematical way all the time.

Answer 215

A

Holds the memory address for the following instructions the CPU needs to act upon.

Answer 216

A

A subject can perform read and write functions only to the objects at its same security level.

Answer 217

A

Software interface that enables process-to-process interaction. Common way to provide access to standard routines to a set of software programs.

Answer 218

A

System Security ArchitectureUp to this point we have looked at system architectures, CPU architectures, and operating system architectures. Remember that a system architecture has several views to it, depending upon the stakeholder’s individual concerns. Since our main concern is security, we are going to approach system architecture from a security point of view and drill down into the core components that are part of most computing systems today. But first we need to understand how the goals for the individual system security architectures are defined.

Answer 219

A

All of these different models can get your head spinning. Most people are not familiar with all of them, which can make it all even harder to absorb. The following are the core concepts of the different models:

Answer 220

A

If an operating system is using interrupt-driven I/O, this means the CPU sends a character over to the printer and then goes and works on another process’s request. When the printer is done printing the first character, it sends an interrupt to the CPU. The CPU stops what it is doing, sends another character to the printer, and moves to another job. This process (send character—go do something else—interrupt—send another character) continues until the whole text is printed. Although the CPU is not waiting for each byte to be printed, this method does waste a lot of time dealing with all the interrupts. So we excused those smart people and brought in some new smarter people, who came up with I/O using DMA.

Answer 221

A

If you continue your studies in operating system architecture, you will undoubtedly run into some of the confusion and controversy surrounding these families of architectures. The intricacies and complexities of these arguments are out of scope for the CISSP exam, but a little insight is worth noting.

Answer 222

A

Two processes cannot complete their activities because they are both waiting for system resources to be released.

Answer 223

A

Maintenance HooksIn the programming world, maintenance hooks are a type of back door. They are instructions within software that only the developer knows about and can invoke, and which give the developer easy access to the code. They allow the developer to view and edit the code without having to go through regular access controls. During the development phase of the software, these can be very useful, but if they are not removed before the software goes into production, they can cause major security issues.

Answer 224

A

Product proposed to provide a needed security solution.

Answer 225

A

Concept that defines a set of design requirements of a reference validation mechanism (security kernel), which enforces an access control policy over subjects’ (processes, users) ability to perform operations (read, write, execute) on objects (files, resources) on a system.

Answer 226

A

Documentation must be provided, including test, design, and specification documents, user guides, and manuals.

Answer 227

A

Core operating system processes run in kernel mode and the remaining ones run in user mode.

Answer 228

A

I/O Using DMA Direct memory access (DMA) is a way of transferring data between I/O devices and the system’s memory without using the CPU. This speeds up data transfer rates significantly. When used in I/O activities, the DMA controller feeds the characters to the printer without bothering the CPU. This method is sometimes referred to as unmapped I/O.

Answer 229

A

Fundamental organization of a system embodied in its components, their relationships to each other and to the environment, and the principles guiding its design and evolution.

Answer 230

A

Two or more processes attempt to carry out their activity on one resource at the same time. Unexpected behavior can result if the sequence of execution does not take place in the proper order.

Answer 231

A

Simultaneous execution of more than one program (process) or task by a single operating system.

Answer 232

A

Processes can be in various activity levels. Ready = waiting for input. Running = instructions being executed by CPU. Blocked = process is “suspended.”

Answer 233

A

In the programming world, maintenance hooks are a type of back door. They are instructions within software that only the developer knows about and can invoke, and which give the developer easy access to the code. They allow the developer to view and edit the code without having to go through regular access controls. During the development phase of the software, these can be very useful, but if they are not removed before the software goes into production, they can cause major security issues.

Answer 234

A

Audit data must be captured and protected to enforce accountability.

Answer 235

A

Methodically designed, tested, and reviewed

Answer 236

A

ISO/IEC15408 is the international standard that is used as the basis for the evaluation of security properties of products under the CC framework. It actually has three main parts:

Answer 237

A

Well, just look at all of these processes squirming around like little worms. We need some real organization here!

Answer 238

A

Computer systems can be developed to integrate easily with other systems and products (open systems) or can be developed to be more proprietary in nature and work with only a subset of other systems and products (closed systems). The following sections describe the difference between these approaches.

Answer 239

A

Read-only memory (ROM) is a nonvolatile memory type, meaning that when a computer’s power is turned off, the data are still held within the memory chips. When data are written into ROM memory chips, the data cannot be altered. Individual ROM chips are manufactured with the stored program or routines designed into it. The software that is stored within ROM is called firmware.

Answer 240

A

All operating system processes run in kernel mode. Core processes run within a microkernel and others run in a client\server model.

Answer 241

A

Creation of a simulated environment (hardware platform, operating system, storage, etc.) that allows for central control and scalability.

Answer 242

A

Swap contents from RAM to the hard drive as needed (explained later in the “Virtual Memory” section of this chapter)
Provide pointers for applications if their instructions and memory segment have been moved to a different location in main memory

Answer 243

A

Reduced amount of code running in kernel mode carrying out critical operating system functionality. Only the absolutely necessary code runs in kernel mode, and the remaining operating system code runs in user mode.

Answer 244

A

Process SchedulingScheduling and synchronizing various processes and their activities is part of process management, which is a responsibility of the operating system. Several components need to be considered during the development of an operating system, which will dictate how process scheduling will take place. A scheduling policy is created to govern how threads will interact with other threads. Different operating systems can use different schedulers, which are basically algorithms that control the timesharing of the CPU. As stated earlier, the different processes are assigned different priority levels (interrupts) that dictate which processes overrule other processes when CPU time allocation is required. The operating system creates and deletes processes as needed, and oversees them changing state (ready, blocked, running). The operating system is also responsible for controlling deadlocks between processes attempting to use the same resources.

Answer 245

A

Random access memory (RAM) is a type of temporary storage facility where data and program instructions can temporarily be held and altered. It is used for read/write activities by the operating system and applications. It is described as volatile because if the computer’s power supply is terminated, then all information within this type of memory is lost.

Answer 246

A

Representation of a whole system from the perspective of a related set of concerns.

Brainscape's Knowledge GenomeTM

CHAPTER 4_Security Architecture and Design Flashcards

Brainscape's Knowledge Genome^TM