8 - Security Models, Design, and Capabilities

Question 1

What is an Object and a Subject?

Answer 1

• An object is the resource a user or process wants to access.
• A subject is the user or process that makes a request to access a resource.

Question 2

What is Transitive Trust?

Answer 2

The concept that if A trusts B and B trusts C, then A inherits the trust of C through the transitive property.

Question 3

What is the difference between Open and Closed systems?

Answer 3

• Closed Systems are designed to work well with a narrow range of other systems, generally all from the same manufacturer. The standards are generally proprietary and not normally disclosed. Can be more secure since vulnerabilities are not often known but these systems require specific knowledge to operate.
• Open Systems are designed using agreed-upon industry standards and are much easier to integrate with systems from different manufacturers that support the same standards. More vulnerable to attacks but more people know how to maintain and work on these systems.
• Can also be applied to source code:
  
  • Open Source: where the source code and internal logic are exposed to the logic. Depends on public inspection for errors.
  • Closed Source: Where the source code and internal logic are not open to the public. Depends on vendors/programmers for errors.

Question 4

What are some methods for ensuring CIA for memory/data?

Answer 4

• Confinement: This allows a process to read from and write to only certain memory locations and resources (aka Sandboxing).
  
  • Can be applied via OS, a service, or through a VM
• Bounds: The limits on where a process can access memory addresses and resources. The bounds state the area within which a process is contained
  
  • Processes are bounded by the authority level it is given in an OS. There may be only two authority levels: kernel and user.
  • Bounds can logical or physical in nature.
• Isolation: Prevents an application from accessing the memory or resources of another application, whether good or bad.
  *

Question 5

What is a Control?

Answer 5

A control uses access rules to limit the access of a subject to an object. Access rules state which objects are valid for each subject. Also, an object might be valid for one type of access and be invalid for another type of access.

Question 6

What is a Trusted System?

Answer 6

A Trusted System is where all the protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment.

Question 7

What is Assurance?

Answer 7

The degree of confidence in satisfaction of security needs. Assurance must be continually maintained, updated, and reverified. This is true if a system experiences a known change or if a significant amount of time has passed.

Question 8

What is a Security Model?

Answer 8

A Security Model provides a way for designers to map abstract statements into a security policy that prescribes the algorithms and data structures necessary to build hardware and software.

A security model gives software designers something against which to measure their design and implementation.

Question 9

What are Tokens, Capabilities Lists, and Labels?

Answer 9

• A token is a separate object that is associated with a resource and describes its security attributes.
• A capabilities list maintains a row of security attributes for each controlled object.
• A security label is a label that is generally a permanent part of the object.

Question 10

What is a Trusted Computing Base?

Answer 10

A Trusted Computing Base is a combination of hardware, software, and controls that work together to form a trusted base to enforce your security policy.

A subset of a complete system that is ideally as small as possible so it can be easily analyzed to meet specs and requirements. TCB components in a system are responsible for controlling access to the system and also must provide methods to access resources both inside and outside the TCB itself.

Question 11

What is a Security Perimeter?

Answer 11

A Security Perimeter is an imaginary boundary that separates the TCB from the rest of the system. It ensures that no insecure communications or interactions occur between the TCB and the remaining elements of the computer system.

For the TCB to communicate with the rest of the system, it must create secure channels, also called Trusted Paths which is a channel established with strict standards to allow necessary communications to occur without exposing the TCB to security vulnerabilities.

Question 12

What is a Reference Monitor and a Kernel?

Answer 12

• The Reference Monitor validates access to every resource prior to granting access requests.
• The Security Kernel is a collection of components in the TCB that work together to implement reference monitor functions. It launches appropriate components to enforce reference functionality and resist all known attacks.

Question 13

What is a State Machine Model?

Answer 13

A State Machine Model describes a system that is always secure no matter what state it is in. Based on the CS model of Finite State Machine (FSM) which combines an external input with an internal machine state to model all kinds of complex systems.

The next state is a function of the current state and an input:

Next State = F(input, current state)

Question 14

What is the Information Flow Model?

Answer 14

The Information Flow Model focuses on the flow of information which is based on the State Machine Model.

These are designed to prevent unauthorized, insecure, or restricted information flow, often between different levels of security (multilevel models).

Question 15

What is a Noninterference Model?

Answer 15

A Noninterference Model is concerned with how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower security level.

Question 16

What are Composition Theories?

Answer 16

Composition Theories are built on the notion of how inputs and outputs between multiple systems relate to one another.

• Cascading: Input from one system comes from the output of another system.
• Feedback: One system provides input to another system, which reciprocates by reversing those roles (A –> B; B –> A)
• Hookup: One system sends input to another system but also sends input external entities.

Question 17

What is the Take-Grant Model?

Answer 17

It is a directed graph that simulates how rights can be passed from one subject to another or from a subject to an object. Likewise, a subject with a take right can take a right from another subject.

These graphs can help you determine where leakage can occur (unintentional distribution of permissions)

Question 18

What is an Access Control Matrix?

Answer 18

An Access Control Matrix is a table of subjects and objects that indicates actions or functions that each subject can perform on each object.

Each column of the matrix is an Access Control List (ACL).

Each row of the matrix is a Capabilities List.

Question 19

What is the Bella-LaPadula Model?

Answer 19

A multilevel policy security policy that states that a subject with any level of clearance can access resources at or below its clearance level. Within the higher levels, access is granted only on a need-to-know basis.

There are 3 basic properties:

• Simple Security Property: A subject may not read info at a higher sensitivity level (no read up)
• The * (Star) Property: A subject may not write info to an object at a lower sensitivity level (no write down)
• The Discretionary Security Property: A system uses an access matrix to enforce discretionary access control.

Question 20

What is the Biba Model?

Answer 20

The Biba Model was created to address integrity. There are 2 properties:

1. The Simple Integrity Property: States that subject cannot read an object at a lower integrity level (no read-down)
2. The * (Star) Integrity Property: A subject cannot modify an object at a higher integrity level (no write-up).

Question 21

What is the Clark-Wilson Model?

Answer 21

The Clark-Wilson Model defines each data item and allows modifications through only a small set of programs. It uses a three-part relationship of subject/program/object known as the access control triple (or triple) where subjects do not have direct access to objects. Objects can be accessed only through programs. Uses a restricted interface model which uses classification-based restrictions to offer only subject-specific authorized information and functions.

A subject is able to access objects only by using a program, interface, or access portal. Each program has specific limitations on what it can and cannot do to an object, this is known as a constrained interface.

1. Constrained Data Item (CDI): Any data item whose integrity is protected by the security model.
2. Unconstrained Data Item (UDI): Any data item that is not controlled by the security model. (unvalidated input or any output)
3. Integrity Verification Procedure (IVP): A procedure that scans data items and confirms their integrity.
4. Transformation Procedures (TPs): The only procedures that are allowed to modify a CDI. This forms the backbone of Clark-Wilson Model

Question 22

What is the Brewer and Nash Model?

Answer 22

The Brewer and Nash Model (aka Chinese Wall) permits access controls to change dynamically based on a user’s previous activity. It does this to prevent any conflicts of interest that could cause issues (user who has access to company A data should not have access to their competitor’s data at company B). Creates conflict classes in an integrated database to monitor for conflicts of interest.

Question 23

What is the Goguen-Meseguer Model?

Answer 23

The Goguen-Meseguer Model is a noninterference model that only allows subjects to perform predetermined actions against predetermined objects.

Members of one domain may not interfere with the activities of members from another domain.

Question 24

What is the Graham-Denning Model?

Answer 24

The Graham-Denning Model is based on 8 secure rules:

1. Securely create an object.
2. Securely create a subject.
3. Securely delete an object.
4. Securely delete a subject.
5. Securely provide the read access right.
6. Securely provide the grant access right.
7. Securely provide the delete access right.
8. Securely provide the transfer access right.

Question 25

What is the Rainbow Series assessment?

Answer 25

A set of publications by the Department of Defense (DoD) that laid out security standards known by its colorful colors of books. * **Orange Book**: DoD Trusted Computer System Evaluation Criteria * **Green Book**: DoD Password Management Guidelines * **Yellow Book**: Guidance for Applying TCSEC in Specific Environments * **Tan Book**: A Guide to Understanding Audit in Trusted System * **Bright Blue Book**: Trusted Product Evaluation: A Guide for Vendors * **Light Blue Book**: PC Security Considerations * **Neon Orange Book**: A Guide to Understanding Discretionary Access Controls in Trusted Systems * **Aqua Book**: Glossary of Computer Security Terms * **Red Book**: Trusted Network Interpretation * **Amber Book**: A Guide to Understanding Configuration Management in Trusted Systems * **Burgundy Book**: A Guide to Understanding Design Documentation in Trusted Systems * **Lavender Book**: A Guide to Understanding Trusted Distribution in Trusted Systems * **Venice Blue Book**: Computer Security Subsystem Interpretation of the TCSEC

Question 26

What is TCSEC? What are the categories of enhanced protection?

Answer 26

TCSEC combines the functionality and assurance rating of the confidentiality protection offered by a system into four major categories: 1. **Category A**: Verified protection. Highest level of security 1. **A1**: Each phase in the development cycle is very controlled and documented to guarantee security. 2. **Category B**: Mandatory Protection: More granularity of control. 1. **B1**: Labeled Security: Uses labels to apply for access 2. **B2**: Structured Protection: Admin and operator functions are separated, and process isolation is maintained. 3. **B3**: Security Domains: Admin functions are separated from user functions, minimal code is used to reduce vulnerabilities. 3. **Category C**: Discretionary Protection 1. **C1**: Discretionary Protection: Controls access by user IDs and/or groups. 2. **C2**: Controlled Access Protection: Users must be identified individually to gain access, systems must enforce media cleansing, and strict logon procedures must be enforced. 4. **Category D**: Minimal protection (reserved for systems that have been evaluated but do not meet requirements to belong to any other category)

Question 27

What is ITSEC?

Answer 27

**ITSEC** (*Information Technology Security Evaluation Criteria*) is a European system of evaluating systems based on their functionality (F-D through F-B3) and assurance (E0 through E6). A system being evaluated is a *Target of Evaluation* (TOE). ITSEC addresses concerns about CIA and does not require a system's security components to be isolated within a TCB.

Question 28

What is the Common Criteria (CC)?

Answer 28

The **Common Criteria** defines various levels of testing and confirmation of the system's security capabilities, and the number of the level indicates what kind of testing and confirmation has been performed. Considered to be an international standard: * Eliminates duplicate evaluations by different countries * Makes evals more cost-effective * Keeps standards high * Increase availability

Question 29

What are the key elements of Common Criteria?

Answer 29

* **Protection Profiles (PP)**: The security requirements and protections ("I Want" from a customer) * **Security Targets (ST)**: Claims of security from the vendor ("I will provide" from the vendor)

Question 30

What are the different areas of Common Criteria?

Answer 30

1. **Part 1**: Introduction and General Model describes general concepts and the underlying model. 2. **Part 2**: Security Functional Requirements describes various functional requirements 3. **Part 3**: Security Assurance covers assurance requirements

Question 31

What are the Common Criteria Assurance Levels?

Answer 31

* **EAL1**: Functionally Tested * **EAL2**: Structurally Tested * **EAL3**: Methodically Tested and Checked * **EAL4**: Methodically Designed, Tested and Reviewed * **EAL5**: Semi-Formally Designed and Tested * **EAL6**: Semi-Formally Verified, Designed, and Tested * **EAL7**: Formally Verified, Designed, and Tested

Question 32

What are PCI and ISO standards?

Answer 32

* **PCI-DSS (Payment Card Industry Data Security Standard)**: * Collection of requirements for improving the security of electronic payment transactions. * **ISO (International Organization for Standardization)**: * A worldwide standards-setting group of representatives from various national standards organizations who define standards for industrial and commercial equipment, software, protocols, management, etc. * Issues 6 main products: * International Standards * Technical Reports * Technical Specs * Publicly Available Specs * Technical Corrigenda * Guides

Question 33

What are Certification and Accreditation?

Answer 33

* **Certification**: The comprehensive evaluation of the technical and non-technical security features of an IT system and other safeguards. * Choose criteria * Analyze each component (test hardware, software, and configuration) * Evaluate the environment system is in * Certification is only valid for a system in a particular environment and configuration. Any changes invalidate the certification. * **Accreditation**: * The formal declaration by the *designated approving authority* (**DAA**) that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. * Internal Approval Authority: Authorization Offical (AO) * External Approval Authority: Security Control Assessor (SCA)

Question 34

What are the 2 major government Certification/Accreditation Standards in place?

Answer 34

* **Risk Management Framework (***RMF***)**: Mainly used by the DoD * **Committee on National Security Systems Policy (***CNSSP***)**: Used by other government branches, agencies, consultants, and contractors * These processes are divided into 4 phases: * **Phase 1 - Definition**: Assignment of personnel, documenting the mission, registration, negotiation, and creation of a *System Security Authorization Agreement* (**SSAA**) that guides the entire certification and accreditation process. * **Phase 2 - Verification**: Includes refinement of the SSAA, systems development activities, and certification analysis. * **Phase 3 - Validation**: Certification evaluation of the system, development of recommendation to the DAA, and the DAA's accreditation decision. * **Phase 4 - Post Accredidation**: Maintenance of SSAA, system operation, change management, and compliance validation.

Question 35

What are some Security Capabilities that information systems have?

Answer 35

* **_Memory Protection_**: Used to prevent an active process from interacting with an area of memory that was not specifically assigned or allocated to it. * **_Virtualization_**: Used to host one or more OS within the memory of a single host computer. The benefits include scalability, using exact versions of OS, quick recovery from a crash, and launching individual instances of servers or services when needed. * **_Trusted Platform Module_**: Used to store and process cryptographic keys for the purposes of a hardware-supported/implemented hard drive encryption system. If the hard drive is removed from the system, it cannot be decrypted without the original chip. * A TPM is an example of a **Hardware Security Module** (*HSM*) which is a cryptoprocessor used to manage store/manage digital encryption keys, accelerate crypto operations, support faster digital signatures, and improve authentication. * **_Interfaces_**: A *constrained or restricted interface* is implemented within an application to restrict what users can do or see based on their privileges. This is an implementation of the Clark-Wilson model of security. * **_Fault Tolerance_**: The ability of a system to suffer a fault but continue to operate. This is achieved by adding redundant components. This is an essential element of security design.