CHAPTER 4_Security Architecture and Design Flashcards Preview

Flashcards in CHAPTER 4_Security Architecture and Design Deck (285):
1

covert channel

A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the system’s security policy.

2

Division D: Minimal Protection

There is only one class in Division D. It is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions.

3

dynamic RAM (DRAM)

One problem is that these capacitors cannot keep their charge for long. Therefore, a memory controller has to "recharge" the values in the capacitors, which just means it continually reads and writes the same values to the capacitors. If the memory controller does not "refresh" the value of 1, the capacitor will start losing its electrons and become a 0 or a corrupted value. This explains how dynamic RAM (DRAM) works. The data being held in the RAM memory cells must be continually and dynamically refreshed so your bits do not magically disappear. This activity of constantly refreshing takes time, which is why DRAM is slower than static RAM.

4

View

Representation of a whole system from the perspective of a related set of concerns.

5

Charlie is a new security manager at a textile company that develops its own proprietary software for internal business processes. Charlie has been told that the new application his team needs to develop must comply with the ISO/IEC 42010 standard. He has found out that many of the critical applications have been developed in the C programming language and has asked for these applications to be reviewed for a specific class of security vulnerabilities.

26. Which of the following best describes the standard Charlie’s team needs to comply with?

A. International standard on system design to allow for better quality, interoperability, extensibility, portability, and security

B. International standard on system security to allow for better threat modeling

C. International standard on system architecture to allow for better quality, interoperability, extensibility, portability, and security

D. International standard on system architecture to allow for better quality, extensibility, portability, and security

Extended Questions:

CORRECT C. ISO/IEC 42010 has the goal of internationally standardizing the use of system architecture instead of product developers coming up with their own individual approaches. A disciplined approach to system architecture allows for better quality, interoperability, extensibility, portability, and security.

WRONG A is incorrect because the answer specifically states "design" instead of "architecture." Some people mistakenly think that these are the same things, but architecture takes place before design. Architecture works at a higher, more strategic level compared to design. Software development is becoming a more disciplined industry and it is moving toward formal architecture requirements.

WRONG B is incorrect because the standard identified in the question does not deal with threat modeling. ISO/IEC 42010 addresses system architecture requirements and guidelines.

WRONG D is not the best answer since it is not as complete as answer C. This standard does address interoperability issues, which is not listed in this answer.

6

supervisor mode).

The program status word (PSW) holds different condition bits. One of the bits indicates whether the CPU should be working in user mode (also called problem state) or privileged mode (also called kernel or supervisor mode). The crux of this chapter is to teach you how operating systems protect themselves. They need to protect themselves from applications, software utilities, and user activities if they are going to provide a stable and safe environment. One of these protection mechanisms is implemented through the use of these different execution modes. When an application needs the CPU to carry out its instructions, the CPU works in user mode. This mode has a lower privilege level, and many of the CPU’s instructions and functions are not available to the requesting application. The reason for the extra caution is that the developers of the operating system and CPU do not know who developed the application or how it is going to react, so the CPU works in a lower privilege mode when executing these types of instructions. By analogy, if you are expecting visitors who are bringing their two-year-old boy, you move all of the breakables that someone under three feet tall can reach. No one is ever sure what a two-year-old toddler is going to do, but it usually has to do with breaking something. An operating system and CPU are not sure what applications are going to attempt, which is why this code is executed in a lower privilege and critical resources are out of reach of the application’s code.

7

The memory manager has five basic responsibilities:

Relocation

  • Swap contents from RAM to the hard drive as needed (explained later in the "Virtual Memory" section of this chapter)
  • Provide pointers for applications if their instructions and memory segment have been moved to a different location in main memory

8

Virtual Machines

I would like my own simulated environment so I can have my own world.

If you have been into computers for a while, you might remember computer games that did not have the complex, lifelike graphics of today’s games. Pong and Asteroids were what we had to play with when we were younger. In those simpler times, the games were 16-bit and were written to work in a 16-bit MS-DOS environment. When our Windows operating systems moved from 16-bit to 32-bit, the 32-bit operating systems were written to be backward compatible, so someone could still load and play a 16-bit game in an environment that the game did not understand. The continuation of this little life pleasure was available to users because the operating systems created virtual environments for the games to run in.

9

Security policy

Strategic tool used to dictate how sensitive information and resources are to be managed and protected.

10

Trusted Computing Base

The trusted computing base (TCB) is a collection of all the hardware, software, and firmware components within a system that provide some type of security and enforce the system’s security policy. The TCB does not address only operating system components, because a computer system is not made up of only an operating system. Hardware, software components, and firmware components can affect the system in a negative or positive manner, and each has a responsibility to support and enforce the security policy of that particular system. Some components and mechanisms have direct responsibilities in supporting the security policy, such as firmware that will not let a user boot a computer from a USB drive, or the memory manager that will not let processes overwrite other processes’ data. Then there are components that do not enforce the security policy but must behave properly and not violate the trust of a system. Examples of the ways in which a component could violate the system’s security policy include an application that is allowed to make a direct call to a piece of hardware instead of using the proper system calls through the operating system, a process that is allowed to read data outside of its approved memory space, or a piece of software that does not properly release resources after use.

11

Viewpoint

A specification of the conventions for constructing and using a view. A template from which to develop individual views by establishing the purposes and audience for a view and the techniques for its creation and analysis.

12

Evaluation assurance requirements

Establishes the type and intensity of the evaluation.

13

Multilevel security policies

Outlines how a system can simultaneously process information at different classifications for users with different clearance levels.

14

Simple security rule

A subject cannot read data within an object that resides at a higher security level (the "no read up" rule).

15

The goals of memory management are to

  • Provide an abstraction level for programmers
  • Maximize performance with the limited amount of memory available
  • Protect the operating system and applications loaded into memory

16

Countermeasures

Because all operating systems have some type of covert channel, it is not always feasible to get rid of them all. The number of acceptable covert channels usually depends on the assurance rating of a system. A system that has a Common Criteria rating of EAL 6 has fewer covert channels than a system with an EAL rating of 3, because an EAL 6 rating represents a higher assurance level of providing a particular degree of protection when compared to the EAL 3 rating. There is not much a user can do to counteract these channels; instead, the channels must be addressed when the system is constructed and developed.

17

does

Static RAM (SRAM) does not require this continuous-refreshing nonsense; it uses a different technology, by holding bits in its memory cells without the use of capacitors, but it does require more transistors than DRAM. Since SRAM does not need to be refreshed, it is faster than DRAM, but because SRAM requires more transistors, it takes up more space on the RAM chip. Manufacturers cannot fit as many SRAM memory cells on a memory chip as they can DRAM memory cells, which is why SRAM is more expensive. So, DRAM is cheaper and slower, and SRAM is more expensive and faster. It always seems to go that way. SRAM has been used in cache, and DRAM is commonly used in RAM chips.

18

Reference Monitor

Up to this point we have a CPU that provides a ringed structure and an operating system that places its components in the different rings based upon the trust level of each component. We have a defined security policy, which outlines the level of security we want our system to provide. We have chosen the mechanisms that will enforce the security policy (TCB) and implemented security perimeters (interfaces) to make sure these mechanisms communicate securely. Now we need to develop and implement a mechanism that ensures that the subjects that access objects within the operating system have been given the necessary permissions to do so. This means we need to develop and implement a reference monitor.

19

Target of evaluation

Product proposed to provide a needed security solution.

20

15. Operating systems can be programmed to carry out different methods for process isolation. Which of the following refers to a method in which an interface defines how communication can take place between two processes and no process can interact with the other’s internal programming code?

A. Virtual mapping

B. Encapsulation of objects

C. Time multiplexing

D. Naming distinctions

Extended Questions:

CORRECT B. When a process is properly encapsulated, no other process understands or interacts with its internal programming code. When process A needs to communicate with process B, process A just needs to know how to communicate with process B’s interface. An interface defines how communication must take place between two processes. As an analogy, think back to how you had to communicate with your third-grade teacher. You had to call her Mrs. SoandSo, say please and thank you, and speak respectfully to get whatever it was you needed. The same thing is true for software components that need to communicate with each other. They have to know how to communicate properly with each other’s interfaces. The interfaces dictate the type of requests that a process will accept and the type of output that will be provided. So, two processes can communicate with each other, even if they are written in different programming languages, as long as they know how to communicate with each other’s interface. Encapsulation provides data hiding, which means that outside software components will not know how a process works and will not be able to manipulate the process’s internal code. This is an integrity mechanism and enforces modularity in programming code.

WRONG A is incorrect because virtual mapping refers to how virtual to physical memory mapping takes place within an operating system. When an application needs memory to work with, it tells the operating system’s memory manager how much memory it needs. The operating system carves out that amount of memory and assigns it to the requesting application. The application uses its own address scheme, which usually starts at 0, but in reality, the application does not work in the physical address space that it thinks it is working in. Rather, it works in the address space that the memory manager assigns to it. The physical memory is the RAM chips in the system. The operating system chops up this memory and assigns portions of it to the requesting processes. Once the process is assigned its own memory space, then it can address this portion however it needs to, which is called virtual address mapping. Virtual address mapping allows the different processes to have their own memory space; the memory manager ensures that no processes improperly interact with another process’s memory. This provides integrity and confidentiality.

WRONG C is incorrect because time multiplexing is a technology that allows processes to use the same resources through an interleaved method. A CPU has to be shared among many processes. Although it seems as though all applications are executing their instructions simultaneously, the operating system is splitting up time shares between each process. Multiplexing means that there are several data sources and the individual data pieces are piped into one communication channel. In this instance, the operating system is coordinating the different requests from the different processes and piping them through the one shared CPU. An operating system has to provide proper time multiplexing (resource sharing) to ensure that a stable working environment exists for software and users.

WRONG D is incorrect because naming distinctions just means that the different processes have their own name or identification value. Processes are usually assigned process identification (PID) values, which the operating system and other processes use to call upon them. If each process is isolated, that means that each process has its own unique PID value.

21

Central processing unit (CPU)

A silicon component made up of integrated chips with millions of transistors that carry out the execution of instructions within a computer.

22

Random access memory (RAM)

Random access memory (RAM) is a type of temporary storage facility where data and program instructions can temporarily be held and altered. It is used for read/write activities by the operating system and applications. It is described as volatile because if the computer’s power supply is terminated, then all information within this type of memory is lost.

23

Other Types of Covert Channels

Although we are looking at covert channels within programming code, covert channels can be used in the outside world as well. Let’s say you are going to attend one of my lectures. Before the lecture begins, you and I agree on a way of communicating that no one else in the audience will understand. I tell you that if I twiddle a pen between my fingers in my right hand, that means there will be a quiz at the end of class. If I twiddle a pen between my fingers in my left hand, there will be no quiz. It is a covert channel, because this is not a normal way of communicating and it is secretive. (In this scenario, I would twiddle the pen in both hands to confuse you and make you stay after class to take the quiz all by yourself. Shame on you for wanting to be forewarned about a quiz!)

24

CPU Operation Modes

As stated earlier, the CPU provides the ring structure architecture and the operating system assigns its processes to the different rings. When a process is placed in ring 0, its activities are carried out in kernel mode, which means it can access the most critical resources in a nonrestrictive manner. The process is assigned a status level by the operating system (stored as PSW) and when it needs to interact with the CPU, the CPU checks its status to know what it can and cannot allow the process to do. If the process has the status of user mode, the CPU will limit the process’s access to system resources and restrict the functions it can carry out on these resources.

25

Operating systems can carry out software I/O procedures in various ways. We will look at the following methods:

  • Programmed I/O
  • Interrupt-driven I/O
  • I/O using DMA
  • Premapped I/O
  • Fully mapped I/O

26

Packages—EALs

Functional and assurance requirements are bundled into packages for reuse. This component describes what must be met to achieve specific EAL ratings.

27

Transformation procedures (TPs)

Programmed abstract operations, such as read, write, and modify

28

Multithreading

Applications that can carry out multiple activities simultaneously by generating different instruction sets (threads).

29

open

Systems described as open are built upon standards, protocols, and interfaces that have published specifications. This type of architecture provides interoperability between products created by different vendors. This interoperability is provided by all the vendors involved who follow specific standards and provide interfaces that enable each system to easily communicate with other systems and allow add-ons to hook into the system easily.

30

Memory Management

To provide a safe and stable environment, an operating system must exercise proper memory management—one of its most important tasks. After all, everything happens in memory.

31

Cache memory

Fast and expensive memory type that is used by a CPU to speed up read and write operations.

32

User mode (problem state)

Protection mode that a CPU works within when carrying out less trusted process instructions.

33

Static RAM (SRAM)

Static RAM (SRAM) does not require this continuous-refreshing nonsense; it uses a different technology, by holding bits in its memory cells without the use of capacitors, but it does require more transistors than DRAM. Since SRAM does not need to be refreshed, it is faster than DRAM, but because SRAM requires more transistors, it takes up more space on the RAM chip. Manufacturers cannot fit as many SRAM memory cells on a memory chip as they can DRAM memory cells, which is why SRAM is more expensive. So, DRAM is cheaper and slower, and SRAM is more expensive and faster. It always seems to go that way. SRAM has been used in cache, and DRAM is commonly used in RAM chips.

34

Operating System Components

An operating system provides an environment for applications and users to work within. Every operating system is a complex beast, made up of various layers and modules of functionality. It has the responsibility of managing the hardware components, memory management, I/O operations, file system, process management, and providing system services. We next look at each of these responsibilities that every operating system type carries out. However, you must realize that whole books are written on just these individual topics, so the discussion here will only scratch the surface.

35

Dedicated Security Mode

Our system only holds secret data and we can all access it.

A system is operating in a dedicated security mode if all users have a clearance for, and a formal need-to-know about, all data processed within the system. All users have been given formal access approval for all information on the system and have signed nondisclosure agreements (NDAs) pertaining to this information. The system can handle a single classification level of information.

36

8. The Zachman Architecture Framework is often used to set up an enterprise security architecture. Which of the following does not correctly describe the Zachman Framework?

A. A two-dimensional model that uses communication interrogatives intersecting with different levels

B. A security-oriented model that gives instructions in a modular fashion

C. Used to build a robust enterprise architecture versus a technical security architecture

D. Uses six perspectives to describe a holistic information infrastructure

Extended Questions:

CORRECT B. The Zachman Framework is not security oriented, but it is a good template to work with to build an enterprise security architecture because it gives direction on how to understand the enterprise in a modular fashion. This framework is structured and formal and is used as a tool to understand any type of enterprise from many different angles. The Zachman Framework was developed in the 1980s by John Zachman and is based on the principles of classical architecture that contains rules that govern an ordered set of relationships.

WRONG A is incorrect because the Zachman Framework is a two-dimensional model that addresses the what, how, where, who, when, and why from six different perspectives: the planner or visionary, the owner, the architect, the designer, the builder, and the working system. Together, this information gives a holistic view of the enterprise.

WRONG C is incorrect because the Zachman Framework is used to create a robust enterprise architecture, not a security architecture, technical or not. The framework is not security specific. Almost all robust enterprise security architectures work with the structure provided by the Zachman Framework in one way or another. When we talk about a robust security architecture, we are talking about one that deals with many components throughout the organization—not just a network and the systems within that network.

WRONG D is incorrect because the Zachman Framework uses six perspectives to build a holistic view of the enterprise. Those perspectives are the planner or visionary, owner, architect, designer, builder, and the working system. Those using the framework address what, how, where, who, when, and why as they relate to each of these perspectives. This is to ensure that regardless of the order in which they are put in place, components of the enterprise are organized and relationships are clearly defined so that they create a complete system. The framework does not just specify an information infrastructure.

37

16. Which of the following is not a responsibility of the memory manager?

A. Use complex controls to ensure integrity and confidentiality when processes need to use the same shared memory segments.

B. Limit processes to interact only with the memory segments assigned to them.

C. Swap contents from RAM to the hard drive as needed.

D. Run an algorithm to identify unused committed memory and inform the operating system that the memory is available.

Extended Questions:

CORRECT D. This answer describes the function of a garbage collector. A garbage collector is a countermeasure against memory leaks. It is software that runs an algorithm to identify unused committed memory and then tells the operating system to mark that memory as "available." Different types of garbage collectors work with different operating systems, programming languages, and algorithms. The portion of the operating system that keeps track of how different types of memory are used is called the memory manager. Its jobs are to allocate and deallocate different memory segments, enforce access control to ensure that processes are interacting only with their own memory segments, and swap memory contents from RAM to the hard drive. The memory manager has five basic responsibilities: relocation, protection, sharing, local organization, and physical organization.

WRONG A is incorrect because as part of its sharing responsibilities, the memory manager uses complex controls to ensure integrity and confidentiality when processes need to use the same shared memory segments. This is critical to protecting memory and the data in it, since two or more processes can share access to the same segment with potentially different access rights. The memory manager is also responsible for allowing many users with different levels of access to interact with the same application running in one memory segment.

WRONG B is incorrect because the memory manager is responsible for limiting process interactions to only those memory segments assigned to them. This responsibility falls under protection and helps prevent processes from gaining access to unpermitted segments. Another protection responsibility of the memory manager is to provide access control to memory segments.

WRONG C is incorrect because swapping contents from RAM to the hard drive as needed is a responsibility of the memory manager that falls under relocation. When RAM and secondary storage are combined, the result is virtual memory. The system uses hard drive space to extend its RAM memory space. Another relocation responsibility is to provide pointers for applications if their instructions and memory segment have been moved to a different location in main memory.

38

Functional requirements

Establishes a protection boundary, meaning the threats or compromises within this boundary to be countered. The product or system must enforce the boundary established in this section.

39

Programmable read-only memory (PROM)

Programmable read-only memory (PROM) is a form of ROM that can be modified after it has been manufactured. PROM can be programmed only one time because the voltage that is used to write bits into the memory cells actually burns out the fuses that connect the individual memory cells. The instructions are "burned into" PROM using a specialized PROM programmer device.

40

Process

Program loaded in memory within an operating system.

41

Why Put a Product Through Evaluation?

Submitting a product to be evaluated against the Orange Book, Information Technology Security Evaluation Criteria, or Common Criteria is no walk in the park for a vendor. In fact, it is a really painful and long process, and no one wakes up in the morning thinking, "Yippee! I have to complete all of the paperwork that the National Computer Security Center requires so my product can be evaluated!" So, before we go through these different criteria, let’s look at why anyone would even put themselves through this process.

42

Authentication

Protects against masquerading and playback attacks. Mechanisms include digital signatures, encryption, timestamp, and passwords.

43

Computer architecture

Computer architecture encompasses all of the parts of a computer system that are necessary for it to function, including the operating system, memory chips, logic circuits, storage devices, input and output devices, security components, buses, and networking interfaces. The interrelationships and internal working of all of these parts can be quite complex, and making them work together in a secure fashion consists of complicated methods and mechanisms. Thank goodness for the smart people who figured this stuff out! Now it is up to us to learn how they did it and why.

44

17. Several types of read-only memory devices can be modified after they are manufactured. Which of the following statements correctly describes the differences between two types of ROM?

A. PROM can only be programmed once, while EEPROM can be programmed multiple times.

B. A UV light is used to erase data on EEPROM, while onboard programming circuitry and signals erase data on EPROM.

C. The process used to delete data on PROM erases one byte at a time, while to erase data on an EPROM chip, you must remove it from the hardware.

D. The voltage used to write bits into the memory cells of EPROM burns out the fuses that connect individual memory cells, while UV light is used to write to the memory cells of PROM.

Extended Questions:

CORRECT A. Programmable read-only memory (PROM) is a form of ROM that can be modified after it has been manufactured. PROM can be programmed only one time because the voltage that is used to write bits into the memory cells actually burns out the fuses that connect the individual memory cells. The instructions are "burned into" PROM using a specialized PROM programmer device. Electrically erasable programmable read-only memory (EEPROM) can be rewritten. Its data storage can be erased and modified electrically by onboard programming circuitry and signals.

WRONG B is incorrect because a UV light is used to erase data on erasable and programmable read-only memory (EPROM). To erase an EPROM chip, you must remove the chip from the computer. The EPROM chip has a quartz window, which is where you point the UV light, which erases all of the data on the chip—not just portions of it. Electrically erasable programmable read-only memory (EEPROM) can be erased and modified electrically by onboard programming circuitry and signals.

WRONG C is incorrect because the process used to delete data from EEPROM—not PROM—involves erasing one byte at a time. This is a slow process, so a new form of memory was developed: flash memory. The second half of this answer is correct: To erase data on EPROM, you must remove it from the computer and wave a UV wand, which erases all of the data on the chip.

WRONG D is incorrect because the voltage that is used to write bits into the memory cells of PROM—not EPROM—burns out the fuses that connect the individual memory cells. The instructions are "burned into" PROM using a specialized PROM programmer device. Also UV light is used to erase data from EPROM—not write data to PROM. EPROM holds data that can be electrically erased or written to. To erase the data on the memory chip, you need your handy-dandy ultraviolet (UV) light device that provides just the right level of energy. The EPROM chip has a quartz window, which is where you point the UV light. Although playing with UV light devices can be fun for the whole family, we have moved on to another type of ROM technology that does not require this type of activity.

45

Thread

Instruction set generated by a process when it has a specific activity that needs to be carried out by an operating system. When the activity is finished, the thread is destroyed.

46

Open system

Designs are built upon accepted standards to allow for interoperability.

47

Invocation property

A subject cannot request service (invoke) of higher integrity.

48

Goals of Integrity Models: The following are the three main goals of integrity models:

  • Prevent unauthorized users from making modifications
  • Prevent authorized users from making improper modifications (separation of duties)
  • Maintain internal and external consistency (well-formed transaction)

49

Arithmetic logic unit (ALU)

Component of the CPU that carries out logic and mathematical functions as they are laid out in the programming code being processed by the CPU.

50

Harrison-Ruzzo-Ullman (HRU)

The Harrison-Ruzzo-Ullman (HRU) model deals with access rights of subjects and the integrity of those rights. A subject can carry out only a finite set of operations on an object. Since security loves simplicity, it is easier for a system to allow or disallow authorization of operations if one command is restricted to a single operation. For example, if a subject sent command X, which only required the operation of Y, this is pretty straightforward and allows the system to allow or disallow this operation to take place. But, if a subject sent a command M and to fulfill that command, operations N, B, W, and P had to be carried out, then there is much more complexity for the system to decide if this command should be authorized. Also the integrity of the access rights needs to be ensured, so in this example if one operation cannot be processed properly, the whole command fails. So while it is easy to dictate that subject A can only read object B, it is not always so easy to ensure each and every function supports this high-level statement. The HRU model is used by software designers to ensure that no unforeseen vulnerability is introduced and the stated access control goals are achieved.

51

2. Certain types of attacks have been made more potent by which of the following advances to microprocessor technology?

A. Increased circuits, cache memory, and multiprogramming

B. Dual-mode computation

C. Direct memory access I/O

D. Increases in processing power

Extended Questions:

CORRECT D. Due to the increase of personal computer and server processing power, it is now possible to be more successful in brute-force and cracking attacks against security mechanisms that would not have been possible a few years ago. Today’s processors can execute an amazing number of instructions per second. These instructions can be used to attempt to crack passwords or encryption keys or instructions to send nefarious packets to victim systems.

WRONG A is incorrect because increased circuits, cache memory, and multiprogramming do not make certain types of attacks more potent. Multiprogramming means that more than one program or process can be loaded into memory at the same time. This is what allows you to run your antivirus software, word processor, firewall, and e-mail client simultaneously. Cache memory is a type of memory used for high-speed writing and reading activities. When the system assumes (through its programmatic logic) that it will need to access specific information many times throughout its processing activities, it will store the information in cache memory so that it is easily and quickly accessible.

WRONG B is incorrect because the answer is a distracter. There is no real dual-mode computation when examining the advances in microprocessors.

WRONG C is incorrect because direct memory access (DMA) is a way of transferring instructions and data between I/O (input/output) devices and the system’s memory without using the CPU. This speeds up data transfer rates significantly. DMA basically offloads work from the CPU by ensuring that more simple instructions are interpreted and executed through other processing capabilities within the computer system. This is not an advancement to microprocessor technology.

52

EAL4

Methodically designed, tested, and reviewed

53

Bell-LaPadula model

This is the first mathematical model of a multilevel security policy that defines the concept of a secure state and necessary modes of access. It ensures that information only flows in a manner that does not violate the system policy and is confidentiality focused.

54

State Machine Models

No matter what state I am in, I am always safe.

In state machine models, to verify the security of a system, the state is used, which means that all current permissions and all current instances of subjects accessing objects must be captured. Maintaining the state of a system deals with each subject’s association with objects. If the subjects can access objects only by means that are concurrent with the security policy, the system is secure. A state of a system is a snapshot of a system at one moment of time. Many activities can alter this state, which are referred to as state transitions. The developers of an operating system that will implement the state machine model need to look at all the different state transitions that are possible and assess whether a system that starts up in a secure state can be put into an insecure state by any of these events. If all of the activities that are allowed to happen in the system do not compromise the system and put it into an insecure state, then the system executes a secure state machine model.

55

The Orange Book

The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book with an orange cover, which is called, appropriately, the Orange Book. (We like to keep things simple in security.) Customers used the assurance rating that the criteria present as a metric when comparing different products. It also provided direction for manufacturers so they knew what specifications to build to, and provides a one-stop evaluation process so customers do not need to have individual components within the systems evaluated.

56

The simple security rule

A subject cannot read data at a higher security level (no read up).

57

A Few Threats to Review

Now that we have talked about how everything is supposed to work, let’s take a quick look at some of the things that can go wrong when designing a system.

58

Compartmented Security Mode

Our system has various classifications of data, and each individual has the clearance to access all of the data, but not necessarily the need to know.

A system is operating in compartmented security mode when all users have the clearance to access all the information processed by the system in a system high-security configuration, but might not have the need-to-know and formal access approval. This means that if the system is holding secret and top-secret data, all users must have at least a top-secret clearance to gain access to this system. This is how compartmented and multilevel security modes are different. Both modes require the user to have a valid need-to-know, NDA, and formal approval, but compartmented security mode requires the user to have a clearance that dominates (above or equal to) any and all data on the system, whereas multilevel security mode just requires the user to have clearance to access the data she will be working with.

59

The following list shows the different types of functionalities and assurance items tested during an evaluation:

  • Security functional requirements
  • Identification and authentication
  • Audit
  • Resource utilization
  • Trusted paths/channels
  • User data protection
  • Security management
  • Product access
  • Communications
  • Privacy
  • Protection of the product’s security functions
  • Cryptographic support
  • Security assurance requirements
  • Guidance documents and manuals
  • Configuration management
  • Vulnerability assessment
  • Delivery and operation
  • Life-cycle support
  • Assurance maintenance
  • Development
  • Testing

60

Accreditation

Formal acceptance of the adequacy of a system’s overall security by management.

61

read

As mentioned earlier, the invocation property in the Biba model states that a subject cannot invoke (call upon) a subject at a higher integrity level. Well, how is this different from the other two Biba rules? The *-integrity axiom (no write up) dictates how subjects can modify objects. The simple integrity axiom (no read down) dictates how subjects can read objects. The invocation property dictates how one subject can communicate with and initialize other subjects at run time. An example of a subject invoking another subject is when a process sends a request to a procedure to carry out some type of task. Subjects are only allowed to invoke tools at a lower integrity level. With the invocation property, the system is making sure a dirty subject cannot invoke a clean tool to contaminate a clean object.

62

Common Criteria

International standard used to assess the effectiveness of the security controls built into a system from functional and assurance perspectives.

63

Premapped I/O

Premapped I/O and fully mapped I/O (described next) do not pertain to performance, as do the earlier methods, but provide two approaches that can directly affect security. In a premapped I/O system, the CPU sends the physical memory address of the requesting process to the I/O device, and the I/O device is trusted enough to interact with the contents of memory directly, so the CPU does not control the interactions between the I/O device and memory. The operating system trusts the device to behave properly. Scary.

64

Extended data out DRAM (EDO DRAM)

This is faster than DRAM because DRAM can access only one block of data at a time, whereas EDO DRAM can capture the next block of data while the first block is being sent to the CPU for processing. It has a type of "look ahead" feature that speeds up memory access.

65

31. Which of the following best describes why there was a performance issue in the context of the scenario?

A. Bloated programming code

B. I/O and memory location procedures

C. Mode transitions

D. Data and address bus architecture

Extended Questions:

CORRECT C. A mode transition is when the CPU has to change from processing code in user mode to kernel mode. This is a protection measure, but it causes a performance hit because all of the information on the new process has to be loaded into the registers for the CPU to work with. Transitions between modes are at the discretion of the executing thread when the transition is from a level of high privilege to one of low privilege (kernel to user mode), but transitions from lower to higher levels of privilege can take place only through secure, hardware-controlled "gates" that are carried out by executing special instructions or when external interrupts are received.

WRONG A is incorrect. While bloated (extra) programming code can cause performance issues in many situations, that is not what this question is focusing on. When comparing operating system architectures and associated performance issues, the focus comes down to how specific functions are carried out and how efficient those procedures are—not the amount of code needed to carry out the function.

WRONG B is incorrect because I/O and memory location do not have a direct correlation to operating system kernel architecture. The specific reason that many operating system vendors changed their products’ architecture had to do with the performance issues of mode transitions the CPU had to continually carry out.

WRONG D is incorrect because data and address bus architecture was not the specific reason that vendors moved to a microkernel architecture. This question is zeroing in on how much code ran in kernel versus user mode and how transitions took place, which has nothing to do with the bus architectures.

66

Unconstrained data items (UDIs)

Can be manipulated by users via primitive read and write operations

67

Register

Small, temporary memory storage units integrated and used by the CPU during its processing functions.

68

Cooperative multitasking

Multitasking scheduling scheme used by older operating systems to allow for computer resource time slicing. Processes had too much control over resources, which would allow for the programs or systems to "hang."

69

some

A system is operating in system high-security mode when all users have a security clearance to access the information but not necessarily a need-to-know for all the information processed on the system. So, unlike in the dedicated security mode, in which all users have a need-to-know pertaining to all data on the system, in system high-security mode, all users have a need-to-know pertaining to some of the data.

70

Time-of-Check/Time-of-Use Attacks

Specific attacks can take advantage of the way a system processes requests and performs tasks. A time-of-check/time-of-use (TOC/TOU) attack deals with the sequence of steps a system uses to complete a task. This type of attack takes advantage of the dependency on the timing of events that take place in a multitasking operating system.

71

System Architecture

In Chapter 2 we covered enterprise architecture frameworks and introduced their direct relationship to system architecture. As explained in that chapter, an architecture is a tool used to conceptually understand the structure and behavior of a complex entity through different views. An architecture description is a formal description and representation of a system, the components that make it up, the interactions and interdependencies between those components, and the relationship to the environment. An architecture provides different views of the system, based upon the needs of the stakeholders of that system.

72

Security Models

An important concept in the design and analysis of secure systems is the security model, because it incorporates the security policy that should be enforced in the system. A model is a symbolic representation of a policy. It maps the desires of the policymakers into a set of rules that a computer system must follow.

73

data hiding

Layered operating systems provide data hiding, which means that instructions and data (packaged up as procedures) at the various layers do not have direct access to the instructions and data at any other layers. Each procedure at each layer has access only to its own data and a set of functions that it requires to carry out its own tasks. If a procedure can access more procedures than it really needs, this opens the door for more successful compromises. For example, if an attacker is able to compromise and gain control of one procedure and this procedure has direct access to all other procedures, the attacker could compromise a more privileged procedure and carry out more devastating activities.

74

Security Architecture Requirements

In the 1970s computer systems were moving from single user, stand-alone, centralized and closed systems to multiuser systems that had multiprogramming functionality and networking capabilities. The U.S. government needed to ensure that all of the systems that it was purchasing and implementing were properly protecting its most secret secrets. The government had various levels of classified data (secret, top secret) and users with different clearance levels (Secret, Top Secret). It needed to come up with a way to instruct vendors on how to build computer systems to meet their security needs and in turn a way to test the products these vendors developed based upon those same security needs.

75

The strong star property rule

A subject can perform read and write functions only to the objects at its same security level.

76

Virtual memory

Combination of main memory (RAM) and secondary memory within an operating system.

77

Base registers

Beginning of address space assigned to a process. Used to ensure a process does not make a request outside its assigned memory boundaries.

78

When you get back from lunch, your boss hands you the same paper with the following:

  • Discretionary access control-based operating system
  • Provides role-based access control functionality
  • Capability of protecting data classified at "public" and "confidential" levels
  • Does not allow unauthorized access to sensitive data or critical system functions
  • Enforces least privilege and separation of duties
  • Provides auditing capabilities
  • Implements trusted paths and trusted shells for sensitive processing activities
  • Enforces identification, authentication, and authorization of trusted subjects
  • Implements a capability-based authentication methodology
  • Does not contain covert channels
  • Enforces integrity rules on critical files

79

trusted computing base (TCB)

The trusted computing base (TCB) is a collection of all the hardware, software, and firmware components within a system that provide some type of security and enforce the system’s security policy. The TCB does not address only operating system components, because a computer system is not made up of only an operating system. Hardware, software components, and firmware components can affect the system in a negative or positive manner, and each has a responsibility to support and enforce the security policy of that particular system. Some components and mechanisms have direct responsibilities in supporting the security policy, such as firmware that will not let a user boot a computer from a USB drive, or the memory manager that will not let processes overwrite other processes’ data. Then there are components that do not enforce the security policy but must behave properly and not violate the trust of a system. Examples of the ways in which a component could violate the system’s security policy include an application that is allowed to make a direct call to a piece of hardware instead of using the proper system calls through the operating system, a process that is allowed to read data outside of its approved memory space, or a piece of software that does not properly release resources after use.

80

Nonrepudiation

Ensures that a sender cannot deny sending a message. Mechanisms include encryption, digital signatures, and notarization.

81

Relocation

• Swap contents from RAM to the hard drive as needed (explained later in the "Virtual Memory" section of this chapter)

82

The security kernel is made up of hardware, software, and firmware components that fall within the TCB, and it implements and enforces the reference monitor concept. The security kernel mediates all access and functions between subjects and objects. The security kernel is the core of the TCB and is the most commonly used approach to building trusted computing systems. The security kernel has three main requirements:

  • It must provide isolation for the processes carrying out the reference monitor concept, and the processes must be tamperproof.
  • It must be invoked for every access attempt and must be impossible to circumvent. Thus, the security kernel must be implemented in a complete and foolproof way.
  • It must be small enough to be tested and verified in a complete and comprehensive manner.

83

Lattice Model

A lattice is a mathematical construct that is built upon the notion of a group. The most common definition of the lattice model is "a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set."

84

20. Widgets Inc.’s software development processes are documented and the organization is capable of producing its own standard of software processes. Which of the following Capability Maturity Model Integration levels best describes Widgets Inc.?

A. Initial

B. Repeatable

C. Defined

D. Managed

Extended Questions:

CORRECT C. Capability Maturity Model Integration (CMMI) is a process improvement concept that consists of a collection of techniques used in the process of software development of an organization to design and further enhance software. The CMMI provides a standard for software development process where the level of maturity of the development process can be measured. The CMMI is classified into five levels which are Initial, Repeatable, Defined, Managed, and Optimized. The categorization of these levels depends upon the maturity of the software development and its quality assurance. The basis of Defined level (CMMI Level 3) is that the organizations are capable of producing their own standard of software processes. These processes are improved with the passage of time.

WRONG A is incorrect because the processes in the Initial level (CMM Level 1) are not organized or documented and are hence chaotic. The organizations having CMMI Level 1 are expected to thrive only due to the extraordinary performance of individuals. This makes the environment of the processes more unstable. This level has a very limited scope and is used for unique projects. Success is not likely to be repeated at this level.

WRONG B is incorrect because at the Repeatable level (CMMI Level 2), the processes are documented in a better manner and so the success is repetitive; however, the organization is not yet capable of producing its own standard of software processes. This level ensures that the processes are maintained during the downtime, ensuring that the project is implemented according to the plan.

WRONG D is incorrect because at the Managed level (CMMI Level 4), organizations are able to monitor and control their own processes involved in the software development. It allows management to point out ways to adjust the processes of a particular project in such a way that there is no considerable loss on its quality or diversion from the main specifications. At the final level, Optimized (CMMI Level 5), processes are managed for improvement.

85

Memory Leaks

Many of the main operating systems use some form of data execution prevention (DEP), which can be implemented via hardware (CPU) or software (operating system). The actual implementations of DEP vary, but the main goal is to help ensure that executable code does not function within memory segments that could be dangerous. It is similar to not allowing someone suspicious in your house. You don’t know if this person is really going to do something malicious, but just to make sure you will not allow him to be in a position where he could bring harm to you or your household. DEP can mark certain memory locations as "off limits" with the goal of reducing the "playing field" for hackers and malware.

86

Noninterference model

This formal multilevel security model states that commands and activities performed at one security level should not be seen by, or affect, subjects or objects at a different security level.

87

System Security Architecture

Up to this point we have looked at system architectures, CPU architectures, and operating system architectures. Remember that a system architecture has several views to it, depending upon the stakeholder’s individual concerns. Since our main concern is security, we are going to approach system architecture from a security point of view and drill down into the core components that are part of most computing systems today. But first we need to understand how the goals for the individual system security architectures are defined.

88

System High-Security Mode

Our system only holds secret data, but only some of us can access all of it.

A system is operating in system high-security mode when all users have a security clearance to access the information but not necessarily a need-to-know for all the information processed on the system. So, unlike in the dedicated security mode, in which all users have a need-to-know pertaining to all data on the system, in system high-security mode, all users have a need-to-know pertaining to some of the data.

89

Process Scheduling

Scheduling and synchronizing various processes and their activities is part of process management, which is a responsibility of the operating system. Several components need to be considered during the development of an operating system, which will dictate how process scheduling will take place. A scheduling policy is created to govern how threads will interact with other threads. Different operating systems can use different schedulers, which are basically algorithms that control the timesharing of the CPU. As stated earlier, the different processes are assigned different priority levels (interrupts) that dictate which processes overrule other processes when CPU time allocation is required. The operating system creates and deletes processes as needed, and oversees them changing state (ready, blocked, running). The operating system is also responsible for controlling deadlocks between processes attempting to use the same resources.

90

*-integrity axiom

A subject cannot write data to an object at a higher integrity level (referred to as "no write up").

91

Microkernel architecture

Reduced amount of code running in kernel mode carrying out critical operating system functionality. Only the absolutely necessary code runs in kernel mode, and the remaining operating system code runs in user mode.

92

strong star property rule

The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the "no read up" rule, and the *-property rule is referred to as the "no write down" rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classification must be equal.

93

Special registers

Temporary memory locations that hold critical processing parameters. They hold values such as the program counter, stack pointer, and program status word.

94

Process Management

Well, just look at all of these processes squirming around like little worms. We need some real organization here!

Operating systems, software utilities, and applications, in reality, are just lines and lines of instructions. They are static lines of code that are brought to life when they are initialized and put into memory. Applications work as individual units, called processes, and the operating system also has several different processes carrying out various types of functionality. A process is the set of instructions that is actually running. A program is not considered a process until it is loaded into memory and activated by the operating system. When a process is created, the operating system assigns resources to it, such as a memory segment, CPU time slot (interrupt), access to system application programming interfaces (APIs), and files to interact with. The collection of the instructions and the assigned resources is referred to as a process. So the operating system gives a process all the tools it needs and then loads the process into memory and it is off and running.

95

Limit registers

Ending of address space assigned to a process. Used to ensure a process does not make a request outside its assigned memory boundaries.

96

Harrison-Ruzzo-Ullman model

This model shows how a finite set of procedures can be available to edit the access rights of a subject.

97

Mode transition

When the CPU has to change from processing code in user mode to kernel mode. This is a protection measure, but it causes a performance hit.

98

central processing unit (CPU)

The central processing unit (CPU) is the brain of a computer. In the most general description possible, it fetches instructions from memory and executes them. Although a CPU is a piece of hardware, it has its own instruction set that is necessary to carry out its tasks. Each CPU type has a specific architecture and set of instructions that it can carry out. The operating system must be designed to work within this CPU architecture. This is why one operating system may work on a Pentium Pro processor but not on an AMD processor. The operating system needs to know how to "speak the language" of the processor, which is the processor’s instruction set.

99

*-property rule

A subject cannot write to an object at a lower security level (the "no write down" rule).

100

compartmented security mode

A system is operating in compartmented security mode when all users have the clearance to access all the information processed by the system in a system high-security configuration, but might not have the need-to-know and formal access approval. This means that if the system is holding secret and top-secret data, all users must have at least a top-secret clearance to gain access to this system. This is how compartmented and multilevel security modes are different. Both modes require the user to have a valid need-to-know, NDA, and formal approval, but compartmented security mode requires the user to have a clearance that dominates (above or equal to) any and all data on the system, whereas multilevel security mode just requires the user to have clearance to access the data she will be working with.

101

Buffer Overflows

My cup runneth over and so does my buffer.

Today, many people know the term "buffer overflow" and the basic definition, but it is important for security professionals to understand what is going on beneath the covers.

102

Development assurance requirements

Identifies the specific requirements the product or system must meet during the development phases, from design to implementation.

103

11. Which of the following best defines a virtual machine?

A. A virtual instance of an operating system

B. A piece of hardware that runs multiple operating system environments simultaneously

C. A physical environment for multiple guests

D. An environment that can be fully utilized while running legacy applications

Extended Questions:

CORRECT A. A virtual machine is a virtual instance of an operating system. A virtual machine can also be called a guest, which runs in a host environment. The host environment—usually an operating system—can run multiple guests simultaneously. The virtual machines pool resources such as RAM, processors, and storage from the host environment. This offers many benefits, including enhanced processing power utilization. Other benefits include the ability to run legacy applications. For example, an organization may choose to run its legacy applications on an instance (virtual machine) of Windows XP long after it has rolled out Windows 7.

WRONG B is incorrect because a virtual machine is not a piece of hardware. A virtual machine is an instance of an operating system that runs on hardware. The host can run multiple virtual machines. So, basically, you can have one computer running different operating systems at the same time. One benefit of this is consolidation. Using virtual machines, you can consolidate the workloads of several under-utilized servers on to one host, thereby saving money on hardware and administrative management tasks.

WRONG C is incorrect because virtual machines provide and work within software emulation. The host provides the resources, such as memory, processor, buses, RAM, and storage for the virtual machines. The virtual machines share these resources but do not access them directly. The host environment, which is responsible for managing the system resources, acts as an intermediary between the resources and the virtual machines.

WRONG D is incorrect because many legacy applications are not compatible with specific hardware and newer operating systems. Because of this, the application commonly under-utilizes the server software and components. The virtual machines emulate an environment that allows legacy, and other, applications to fully use the resources available to them. This is a reason to use a virtual machine, but the answer does not provide its definition.

104

ISO/IEC 15408-1

ISO/IEC 15408-1 lays out the general concepts and principles of the CC evaluation model. This part defines terms, establishes the core concept of TOE, describes the evaluation context, and necessary audience. It provides the key concepts for PP, security requirements, and guidelines for the security target.

105

Biba model

A formal state transition model that describes a set of access control rules designed to ensure data integrity.

106

Memory Protection Issues

  • Every address reference is validated for protection.
  • Two or more processes can share access to the same segment with potentially different access rights.
  • Different instruction and data types can be assigned different levels of protection.
  • Processes cannot generate an unpermitted address or gain access to an unpermitted segment.

107

Memory segments

Most applications have several different functions. Word processing applications can open files, save files, open other programs (such as an e-mail client), and print documents. Each one of these functions requires a thread (instruction set) to be dynamically generated. So, for example, if Tom chooses to print his document, the word processing process generates a thread that contains the instructions of how this document should be printed (font, colors, text, margins, and so on). If he chooses to send a document via e-mail through this program, another thread is created that tells the e-mail client to open and what file needs to be sent. Threads are dynamically created and destroyed as needed. Once Tom is done printing his document, the thread that was generated for this functionality is broken down.

108

Logical organization

  • Segment all memory types and provide an addressing scheme for each at an abstraction level
  • Allow for the sharing of specific software modules, such as dynamic link library (DLL) procedures

109

Erasable programmable read-only memory (EPROM)

Erasable programmable read-only memory (EPROM) can be erased, modified, and upgraded. EPROM holds data that can be electrically erased or written to. To erase the data on the memory chip, you need your handy-dandy ultraviolet (UV) light device that provides just the right level of energy. The EPROM chip has a quartz window, which is where you point the UV light. Although playing with UV light devices can be fun for the whole family, we have moved on to another type of ROM technology that does not require this type of activity.

110

Continuity of operations

Ensures that the network is available even if attacked. Mechanisms include fault-tolerant and redundant systems and the capability to reconfigure network parameters in case of an emergency.

111

assurance evaluation

An assurance evaluation examines the security-relevant parts of a system, meaning the TCB, access control mechanisms, reference monitor, kernel, and protection mechanisms. The relationship and interaction between these components are also evaluated. There are different methods of evaluating and assigning assurance levels to systems. Two reasons explain why more than one type of assurance evaluation process exists: methods and ideologies have evolved over time, and various parts of the world look at computer security differently and rate some aspects of security differently. Each method will be explained and compared.

112

Cache Memory

I am going to need this later, so I will just stick it into cache for now.

Cache memory is a type of memory used for high-speed writing and reading activities. When the system assumes (through its programmatic logic) that it will need to access specific information many times throughout its processing activities, it will store the information in cache memory so it is easily and quickly accessible. Data in cache can be accessed much more quickly than data stored in other memory types. Therefore, any information needed by the CPU very quickly, and very often, is usually stored in cache memory, thereby improving the overall speed of the computer system.

113

10. Protection profiles used in the Common Criteria evaluation process contain five elements. Which of the following establishes the type and intensity of the evaluation?

A. Descriptive elements

B. Evaluation assurance requirements

C. Evaluation assurance level

D. Security target

Extended Questions:

CORRECT B. The Common Criteria use protection profiles in their evaluation process. This is a mechanism that is used to describe a real-world need of a product that is not currently on the market. The protection profile contains the set of security requirements, their meaning and reasoning, and the corresponding evaluation assurance level (EAL) rating that the intended product will require. The protection profile describes the environmental assumptions, the objectives, and the functional and assurance level expectations. Each relevant threat is listed along with how it is to be controlled by specific objectives. The protection profile also justifies the assurance level and requirements for the strength of each protection mechanism. Evaluation assurance requirements establish the type and intensity of the evaluation. The other four sections in a protection profile are descriptive elements, rationale, functional requirements, and development assurance requirements.

WRONG A is incorrect because the descriptive elements section of a protection profile provides the name of the profile and a description of the security problem that is to be solved. The protection profile provides a means for a consumer, or others, to identify specific security needs; this is the security problem that is to be conquered. If someone identifies a security need that is not currently being addressed by any current product, that person can write a protection profile describing the product that would be a solution for this real-world problem. The protection profile goes on to provide the necessary goals and protection mechanisms to achieve the necessary level of security and a list of the things that can go wrong during this type of system development. This list is used by the engineers who develop the system, and then by the evaluators to make sure the engineers dotted every i and crossed every t.

WRONG C is incorrect because the evaluation assurance level (EAL) is not one of the five parts of a protection profile. An EAL is assigned to a product after it has been evaluated under the Common Criteria. The thorough and stringent testing increases in detail-oriented tasks as the assurance levels increase. The Common Criteria have seven assurance levels: EAL 1, functionally tested; EAL 2, structurally tested; EAL 3, methodically tested and checked; EAL 4, methodically designed, tested, and reviewed; EAL 5, semiformally designed and tested; EAL 6, semiformally verified design and tested; and EAL 7, formally verified design and tested.

WRONG D is incorrect because the security target is the vendor’s written explanation of the security functionality and assurance mechanisms that meet the needed security solution; in other words, "This is what our product does and how it does it." Like other evaluation criteria before it, the Common Criteria work to answer two basic questions about products being evaluated: what do its security mechanisms do (functionality), and how sure are you of that (assurance)? This system sets up a framework that enables consumers to clearly specify their security issues and problems; developers to specify their security solution to those problems; and evaluators to unequivocally determine what the product actually accomplishes.

114

9. John has been told to report to the board of directors with a vendor-neutral enterprise architecture framework that will help the company reduce fragmentation that results from the misalignment of IT and business processes. Which of the following frameworks should he suggest?

A. DoDAF

B. CMMI

C. ISO/IEC 42010

D. TOGAF

Extended Questions:

CORRECT D. The Open Group Architecture Framework (TOGAF) is a vendor-neutral platform for developing and implementing enterprise architectures. It focuses on effectively managing corporate data through the use of metamodels and service-oriented architecture (SOA). A proficient implementation of TOGAF is meant to reduce fragmentation that occurs due to misalignment of traditional IT systems and actual business processes. It also adjusts to new innovations and capabilities to ensure new changes can easily be integrated into the enterprise platform.

WRONG A is incorrect because the Department of Defense Architecture Framework (DoDAF) provides guidelines for the organization of enterprise architecture for the U.S. Department of Defense systems. All DoD weapons and IT systems are required to design and document enterprise architecture according to these guidelines. They are also suitable for large and complex integrated systems in military, private, or public sectors.

WRONG B is incorrect because Capability Maturity Model Integration (CMMI) is used during software development to design and further enhance software. The CMMI provides a standard for the software development process by which the level of maturity of the development process can be measured. It was developed by the Carnegie Mellon Software Engineering Institute and is an upgraded version of the Capability Maturity Model (CMM).

WRONG C is incorrect because the ISO/IEC 42010 consists of a set of recommended practices intended to simplify the design and conception of software-intensive system architectures. This standard provides a type of language (terminology) to describe the different components of a software architecture and how to integrate it into the life cycle of development. Many times the overall vision of the architecture of a piece of software is lost as the developers get caught up in the actual development procedures. This standard provides a conceptual framework to follow for architecture development and implementation.

115

General registers

Temporary memory location the CPU uses during its processes of executing instructions. The ALU’s "scratch pad" it uses while carrying out logic and math functions.

116

Brewer and Nash model

This model allows for dynamically changing access controls that protect against conflicts of interest. Also known as the Chinese Wall model.

117

Life-cycle assurance

Software, hardware, and firmware must be able to be tested individually to ensure that each enforces the security policy in an effective manner throughout their lifetimes.

118

Continuous protection

The security mechanisms and the system as a whole must perform predictably and acceptably in different situations continuously.

119

Process Domain

The term domain just means a collection of resources. A process has a collection of resources assigned to it when it is loaded into memory (run time), as in memory addresses, files it can interact with, system services available to it, peripheral devices, etc. The higher the ring level that the process executes within, the larger the domain of resources that is available to it.

120

Architecture

Fundamental organization of a system embodied in its components, their relationships to each other and to the environment, and the principles guiding its design and evolution.

121

Buffer overflow

Too much data is put into the buffers that make up a stack. Common attack vector used by hackers to run malicious code on a target system.

122

Application Programming Interface (API)

An API is the doorway to a protocol, operating service, process, or DLL. When one piece of software needs to send information to another piece of software, it must format its communication request in a way that the receiving software understands. An application may send a request to an operating system’s cryptographic DLL, which will in turn carry out the requested cryptographic functionality for the application.

123

Address space layout randomization (ASLR)

Memory protection mechanism used by some operating systems. The addresses used by components of a process are randomized so that it is harder for an attacker to exploit specific memory vulnerabilities.

124

Closed systems

Systems referred to as closed use an architecture that does not follow industry standards. Interoperability and standard interfaces are not employed to enable easy communication between different types of systems and add-on features. Closed systems are proprietary, meaning the system can only communicate with like systems.

125

Microarchitecture

Specific design of a microprocessor, which includes physical components (registers, logic gates, ALU, cache, etc.) that support a specific instruction set.

126

Flash memory

Flash memory is a special type of memory that is used in digital cameras, BIOS chips, memory cards, and video game consoles. It is a solid-state technology, meaning it does not have moving parts and is used more as a type of hard drive than memory.

127

Nonmaskable interrupt

Interrupt value assigned to a critical operating system activity.

128

Message integrity

Protects the protocol header, routing information, and packet payload from being modified. Mechanisms include message authentication and encryption.

129

Hybrid microkernel architecture

Combination of monolithic and microkernel architectures. The microkernel carries out critical operating system functionality, and the remaining functionality is carried out in a client/server model within kernel mode.

130

state transitions

In state machine models, to verify the security of a system, the state is used, which means that all current permissions and all current instances of subjects accessing objects must be captured. Maintaining the state of a system deals with each subject’s association with objects. If the subjects can access objects only by means that are concurrent with the security policy, the system is secure. A state of a system is a snapshot of a system at one moment of time. Many activities can alter this state, which are referred to as state transitions. The developers of an operating system that will implement the state machine model need to look at all the different state transitions that are possible and assess whether a system that starts up in a secure state can be put into an insecure state by any of these events. If all of the activities that are allowed to happen in the system do not compromise the system and put it into an insecure state, then the system executes a secure state machine model.

131

The *-integrity axiom

A subject cannot modify an object in a higher integrity level (no write up).

132

19. The Information Technology Infrastructure Library (ITIL) consists of five sets of instructional books. Which of the following is considered the core set and focuses on the overall planning of the intended IT services?

A. Service Operation

B. Service Design

C. Service Transition

D. Service Strategy

Extended Questions:

CORRECT D. The fundamental approach of ITIL lies in the creation of Service Strategy, which focuses on the overall planning of the intended IT services. Once the initial planning has been concluded, the Service Design provides guidelines on designing valid IT services and overall implementation policies. The Service Transition stage is then initiated, where guidelines regarding evaluation, testing, and validation of the IT services are provided. This allows the transition from business environments into technology services. The Service Operation makes sure that all the decided services have met their objectives. Finally, the Continual Service Improvement points out the areas of improvements in the entire service life cycle. The Service Strategy is considered to be the core of ITIL. It consists of a set of guidelines that include best practices regarding strategy and value planning, design, and alignment between the IT and business approaches, market analysis, service assets, setting targets toward providing quality service to the clients, and implementation of service strategies.

WRONG A is incorrect because Service Operation refers to an important component of the life cycle in which the services are actually delivered. This part of the life cycle defines a set of guidelines that makes sure that the agreed levels of services are delivered to the customers. The various genres incorporated by Service Operation include Event Management, Problem Management, Access Management, Incident Management, Application Management, Technical Management, and Operations Management. Service Operation also balances between the conflicting goals, such as technology vs. business requirements, stability vs. response, cost vs. quality of service, and reactive vs. proactive activities.

WRONG B is incorrect because the Service Design comprises a set of optimal practices for the designing of IT services, including their processes, architectures, policies, and documentation in order to fulfill the current and future business requirements. The target of the Service Design is to design services according to their agreed business objectives, design such processes that can support life cycle, identification and management of risks, and involvement in the improvement of IT service quality as a whole.

WRONG C is incorrect because Service Transition focuses on delivering services proposed by business strategy into operational use. It also contains guidelines that enable the smooth transition of the business model into technology services. If the requirements of a service have changed after its design, the Service Transition ensures that those requirements are delivered according to its modified design. The areas focused on by these guidelines include Transition Planning and Support, Change Management, Knowledge Management, Release and Deployment Management, Service Validation and Testing, Evaluation, along with the responsibilities of personnel involved with the Service Transition.

133

The Red Book

The Orange Book addresses single-system security, but networks are a combination of systems, and each network needs to be secure without having to fully trust each and every system connected to it. The Trusted Network Interpretation (TNI), also called the Red Book because of the color of its cover, addresses security evaluation topics for networks and network components. It addresses isolated local area networks and wide area internetwork systems.

134

Security Modes of Operation

A multilevel security system can operate in different modes depending on the sensitivity of the data being processed, the clearance level of the users, and what those users are authorized to do. The mode of operation describes the security conditions under which the system actually functions.

135

Programmable read-only memory (PROM)

Programmable read-only memory (PROM) is a form of ROM that can be modified after it has been manufactured. PROM can be programmed only one time because the voltage that is used to write bits into the memory cells actually burns out the fuses that connect the individual memory cells. The instructions are "burned into" PROM using a specialized PROM programmer device.

136

Interrupt-Driven I/O

If an operating system is using interrupt-driven I/O, this means the CPU sends a character over to the printer and then goes and works on another process’s request. When the printer is done printing the first character, it sends an interrupt to the CPU. The CPU stops what it is doing, sends another character to the printer, and moves to another job. This process (send character, go do something else, interrupt, send another character) continues until the whole text is printed. Although the CPU is not waiting for each byte to be printed, this method does waste a lot of time dealing with all the interrupts. So we excused those smart people and brought in some new smarter people, who came up with I/O using DMA.

137

Asymmetric mode multiprocessing

When a computer has two or more CPUs and one CPU is dedicated to a specific program while the other CPUs carry out general processing procedures.

138

Multilevel Security Mode

Our system has various classifications of data, and each individual has the clearance and need-to-know to access only individual pieces of data.

A system is operating in multilevel security mode when it permits two or more classification levels of information to be processed at the same time when not all of the users have the clearance or formal approval to access all the information being processed by the system. So all users must have formal approval, NDA, need-to-know, and the necessary clearance to access the data that they need to carry out their jobs. In this mode, the user cannot access all of the data on the system, only what she is cleared to access.

139

Preemptive multitasking

Multitasking scheduling scheme used by operating systems to allow for computer resource time slicing. Used in newer, more stable operating systems.

140

Program status word

Condition variable that indicates to the CPU what mode (kernel or user) instructions need to be carried out in.

141

Process states (ready, running, blocked)

Processes can be in various activity levels. Ready = waiting for input. Running = instructions being executed by CPU. Blocked = process is "suspended."

142

Information flow model

This is a model in which information is restricted in its flow to only go to and from entities in a way that does not negate or violate the security policy.

143

Sharing

  • Use complex controls to ensure integrity and confidentiality when processes need to use the same shared memory segments
  • Allow many users with different levels of access to interact with the same application running in one memory segment

144

Cause for Confusion

If you continue your studies in operating system architecture, you will undoubtedly run into some of the confusion and controversy surrounding these families of architectures. The intricacies and complexities of these arguments are out of scope for the CISSP exam, but a little insight is worth noting.

145

Memory Stacks

Each process has its own stack, which is a data structure in memory that the process can read from and write to in a last in, first out (LIFO) fashion. Let’s say you and I need to communicate through a stack. What I do is put all of the things I need to say to you in a stack of papers. The first paper tells you how you can respond to me when you need to, which is called a return pointer. The next paper has some instructions I need you to carry out. The next piece of paper has the data you must use when carrying out these instructions. So, I write down on individual pieces of paper all that I need you to do for me and stack them up. When I am done, I tell you to read my stack of papers. You take the first page off the stack and carry out the request. Then you take the second page and carry out that request. You continue to do this until you are at the bottom of the stack, which contains my return pointer. You look at this return pointer (which is my memory address) to know where to send the results of all the instructions I asked you to carry out. This is how processes communicate to other processes and to the CPU. One process stacks up its information that it needs to communicate to the CPU. The CPU has to keep track of where it is in the stack, which is the purpose of the stack pointer. Once the first item on the stack is executed, then the stack pointer moves down to tell the CPU where the next piece of data is located.

146

Division A: Verified Protection

Formal methods are used to ensure that all subjects and objects are controlled with the necessary discretionary and mandatory access controls. The design, development, implementation, and documentation are looked at in a formal and detailed way. The security mechanisms between B3 and A1 are not very different, but the way the system was designed and developed is evaluated in a much more structured and stringent procedure.

147

Division B: Mandatory Protection

Mandatory access control is enforced by the use of security labels. The architecture is based on the Bell-LaPadula security model, and evidence of reference monitor enforcement must be available.

148

Multitasking

Simultaneous execution of more than one program (process) or task by a single operating system.

149

The channel to transfer this unauthorized data is the result of one of the following conditions:

  • Improper oversight in the development of the product
  • Improper implementation of access controls within the software
  • Existence of a shared resource between the two entities which is not properly controlled

150

Bell-LaPadula vs. Biba

The Bell-LaPadula model is used to provide confidentiality. The Biba model is used to provide integrity. The Bell-LaPadula and Biba models are informational flow models because they are most concerned about data flowing from one level to another. Bell-LaPadula uses security levels, and Biba uses integrity levels. It is important for CISSP test takers to know the rules of Biba and Bell-LaPadula. Their rules sound similar: simple and * rules—one writing one way and one reading another way. A tip for how to remember them is that if the word "simple" is used, the rule is talking about reading. If the rule uses * or "star," it is talking about writing. So now you just need to remember the reading and writing directions per model.

151

Security functional requirements

Individual security functions which must be provided by a product.

152

5. Which of the following is a common association of the Clark-Wilson access model?

A. Chinese Wall

B. Access tuple

C. Read up and write down rule

D. Subject and application binding

Extended Questions:

CORRECT D. In the Clark-Wilson model, a subject cannot access an object without going through some type of application or program that controls how this access can take place. The subject (usually a user) is bound to the application and then is allowed access to the necessary objects based on the access rules within the application software. For example, when Kathy needs to update information held within her company’s database, she will not be allowed to do so without a piece of software controlling these activities. First, Kathy must authenticate to the software, which is acting as a front end for the database, and then the program will control what Kathy can and cannot do to the information in the database. This is referred to as access triple: subject (user), program, and object. This is triple, not tuple. Tuple is a row within a database.

WRONG A is incorrect because the Chinese Wall model is another name for the Brewer and Nash model, which was created to provide access controls that can change dynamically, depending upon a user’s previous actions, in an effort to protect against conflicts of interest by users’ access attempts. No information can flow between subjects and objects in a way that would result in a conflict of interest. The model states that a subject can write to an object if, and only if, the subject cannot read another object that is in a different dataset.

WRONG B is incorrect because the Clark-Wilson model uses access triple, not access tuple. The access triple is subject-program-object. It ensures that subjects can only access objects through authorized programs.

WRONG C is incorrect because the Clark-Wilson model does not have read up and write down rules. These rules are associated with the Bell-LaPadula and Biba models. The Bell-LaPadula model includes the simple security rule, which is no read up, and the star property rule, which is no write down. The Biba model includes the simple integrity axiom, which is no read down, and the star-integrity axiom, which is no write up.

153

Covert Channels

I have my decoder ring, cape, and pirate’s hat on. I will communicate to my spy buddies with this tribal drum and a whistle.

A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the system’s security policy.

154

Simple integrity axiom

A subject cannot read data from a lower integrity level (referred to as "no read down").

155

protection profiles

The Common Criteria uses protection profiles in its evaluation process. This is a mechanism used to describe a real-world need for a product that is not currently on the market. The protection profile contains the set of security requirements, their meaning and reasoning, and the corresponding EAL rating that the intended product will require. The protection profile describes the environmental assumptions, the objectives, and the functional and assurance level expectations. Each relevant threat is listed along with how it is to be controlled by specific objectives. The protection profile also justifies the assurance level and requirements for the strength of each protection mechanism.

156

Software deadlock

Two processes cannot complete their activities because they are both waiting for system resources to be released.

157

Countermeasures: Because maintenance hooks are usually inserted by programmers, they are the ones who usually have to take them out before the programs go into production. Code reviews and unit and quality assurance testing should always be on the lookout for back doors in case the programmer overlooked extracting them. Because maintenance hooks are within the code of an application or system, there is not much a user can do to prevent their presence, but when a vendor finds out a back door exists in its product, it usually develops and releases a patch to reduce this vulnerability. Because most vendors sell their software without including the associated source code, it may be very difficult for companies who have purchased software to identify back doors. The following lists some preventive measures against back doors:

  • Use a host intrusion detection system to watch for any attackers using back doors into the system.
  • Use file system encryption to protect sensitive information.
  • Implement auditing to detect any type of back door use.

158

Information Technology Security Evaluation Criteria (ITSEC)

European standard used to assess the effectiveness of the security controls built into a system.

159

A1: Verified Design

The architecture and protection features are not much different from systems that achieve a B3 rating, but the assurance of an A1 system is higher than a B3 system because of the formality in the way the A1 system was designed, the way the specifications were developed, and the level of detail in the verification techniques. Formal techniques are used to prove the equivalence between the TCB specifications and the security policy model. A more stringent change configuration is put in place with the development of an A1 system, and the overall design can be verified. In many cases, even the way in which the system is delivered to the customer is under scrutiny to ensure there is no way of compromising the system before it reaches its destination.

160

Architectural description (AD)

Collection of document types to convey an architecture in a formal manner.

161

Microkernel

Core operating system processes run in kernel mode and the remaining ones run in user mode.

162

ISO/IEC 42010:2007

International standard that provides guidelines on how to create and maintain system architectures.

163

Instruction set

Set of operations and commands that can be implemented by a particular processor (CPU).

164

Data hiding

Use of segregation in design decisions to protect software components from negatively interacting with each other. Commonly enforced through strict interfaces.

165

Application programming interface

Software interface that enables process-to-process interaction. Common way to provide access to standard routines to a set of software programs.

166

7. The trusted computing base (TCB) ensures security within a system when a process in one domain must access another domain in order to retrieve sensitive information. What function does the TCB initiate to ensure that this is done in a secure manner?

A. I/O operational execution

B. Process deactivation

C. Execution domain switching

D. Virtual memory to real memory mapping

Extended Questions:

CORRECT C. Execution domain switching takes place when a CPU needs to move between executing instructions for a highly trusted process to a less trusted process or vice versa. The trusted computing base (TCB) allows processes to switch domains in a secure manner in order to access different levels of information based on their sensitivity. Execution domain switching takes place when a process needs to call upon a process in a higher protection ring. The CPU goes from executing instructions in user mode to privileged mode and back.

WRONG A is incorrect because input/output (I/O) operations are not initiated to ensure security when a process in one domain must access another domain in order to retrieve sensitive information. I/O operations include control of all input/output devices. I/O operations are functions within an operating system that allow input devices (such as a mouse or keyboard) and output devices (such as a monitor or printer) to interact with applications and with itself.

WRONG B is incorrect because process deactivation takes place when a process’s instructions are completely executed by the CPU or when another process with a higher priority calls upon the CPU. When a process is deactivated, the CPU’s registers must be filled with new information about the new requesting process. The data that is getting switched in and out of the registers may be sensitive, so the TCB components must make sure this takes place securely.

WRONG D is incorrect because memory mapping takes place when a process needs its instructions and data processed by the CPU. The memory manager maps the logical address to the physical address so that the CPU knows where the data is located. This is the responsibility of the operating system’s memory manager.

167

Hardware segmentation

Physically mapping software to individual memory segments.

168

Trusted Computer System Evaluation Criteria (TCSEC)

(aka Orange Book) U.S. DoD standard used to assess the effectiveness of the security controls built into a system. Replaced by the Common Criteria.

169

Systems Evaluation Methods

An assurance evaluation examines the security-relevant parts of a system, meaning the TCB, access control mechanisms, reference monitor, kernel, and protection mechanisms. The relationship and interaction between these components are also evaluated. There are different methods of evaluating and assigning assurance levels to systems. Two reasons explain why more than one type of assurance evaluation process exists: methods and ideologies have evolved over time, and various parts of the world look at computer security differently and rate some aspects of security differently. Each method will be explained and compared.

170

The Orange Book mainly addresses government and military requirements and expectations for their computer systems. Many people within the security field have pointed out several deficiencies in the Orange Book, particularly when it is being applied to systems that are to be used in commercial areas instead of government organizations. The following list summarizes a majority of the troubling issues that security practitioners have expressed about the Orange Book:

  • It looks specifically at the operating system and not at other issues like networking, databases, and so on.
  • It focuses mainly on one attribute of security—confidentiality—and not on integrity and availability.
  • It works with government classifications and not the protection classifications commercial industries use.
  • It has a relatively small number of ratings, which means many different aspects of security are not evaluated and rated independently.

171

Memory Protection Techniques

Since your whole operating system and all your applications are loaded and run in memory, this is where the attackers can really do their damage. Vendors of different operating systems (Windows, Unix, Linux, Macintosh, etc.) have implemented various types of protection methods integrated into their memory manager processes. For example, Windows Vista was the first version of Windows to implement address space layout randomization (ASLR), which was first implemented in OpenBSD.

172

Data bus

Physical connections between processing components and memory segments used to transmit data being used during processing procedures.

173

RAM

Memory sticks that are plugged into a computer’s motherboard and work as volatile memory space for an operating system.

174

Security target

Vendor’s written explanation of the security functionality and assurance mechanisms that meet the needed security solution—in other words, "This is what our product does and how it does it."

175

Memory Mapping

Okay, here is your memory, here is my memory, and here is Bob’s memory. No one use each other’s memory!

Because there are different types of memory holding different types of data, a computer system does not want to let every user, process, and application access all types of memory anytime they want to. Access to memory needs to be controlled to ensure data do not get corrupted and that sensitive information is not available to unauthorized processes. This type of control takes place through memory mapping and addressing.

176

separation of duties

A well-formed transaction is a series of operations that are carried out to transfer the data from one consistent state to the other. If Kathy transfers money from her checking account to her savings account, this transaction is made up of two operations: subtract money from one account and add it to a different account. By making sure the new values in her checking and savings accounts are accurate and their integrity is intact, the IVP maintains internal and external consistency. The Clark-Wilson model also outlines how to incorporate separation of duties into the architecture of an application. If we follow our same example of banking software, if a customer needs to withdraw over $10,000, the application may require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model provides the rules that the developers must follow to properly implement and enforce separation of duties through software procedures.

177

reference monitor

The reference monitor is an abstract machine that mediates all access subjects have to objects, both to ensure that the subjects have the necessary access rights and to protect the objects from unauthorized access and destructive modification. For a system to achieve a higher level of trust, it must require subjects (programs, users, processes) to be fully authorized prior to accessing an object (file, program, resource). A subject must not be allowed to use a requested resource until the subject has proven it has been granted access privileges to use the requested object. The reference monitor is an access control concept, not an actual physical component, which is why it is normally referred to as the "reference monitor concept" or an "abstract machine."

178

Naming distinctions

Naming distinctions just means that the different processes have their own name or identification value. Processes are usually assigned process identification (PID) values, which the operating system and other processes use to call upon them. If each process is isolated, that means each process has its own unique PID value. This is just another way to enforce process isolation.

179

Documentation

Documentation must be provided, including test, design, and specification documents, user guides, and manuals.

180

Security perimeter

Mechanism used to delineate between the components within and outside of the trusted computing base.

181

Read-only memory (ROM)

Read-only memory (ROM) is a nonvolatile memory type, meaning that when a computer’s power is turned off, the data are still held within the memory chips. When data are written into ROM memory chips, the data cannot be altered. Individual ROM chips are manufactured with the stored program or routines designed into it. The software that is stored within ROM is called firmware.

182

Read-Only Memory

Read-only memory (ROM) is a nonvolatile memory type, meaning that when a computer’s power is turned off, the data are still held within the memory chips. When data are written into ROM memory chips, the data cannot be altered. Individual ROM chips are manufactured with the stored program or routines designed into it. The software that is stored within ROM is called firmware.

183

Random access memory (RAM)

Random access memory (RAM) is a type of temporary storage facility where data and program instructions can temporarily be held and altered. It is used for read/write activities by the operating system and applications. It is described as volatile because if the computer’s power supply is terminated, then all information within this type of memory is lost.

184

29. Which of the following best describes the type of technology the team should implement to increase the work effort of buffer overflow attacks?

A. Address space layout randomization

B. Memory induction application

C. Input memory isolation

D. Read-only memory integrity checks

Extended Questions:

CORRECT A. Address space layout randomization (ASLR) is a control that involves randomly arranging the positions of a process’s address space and other memory segments. It randomly arranges the positions of key data areas, usually including the base of the executable and position of system libraries, memory heap, and memory stacks, in a process’s address space. ASLR makes it more difficult for an attacker to predict target addresses for specific memory attacks.

WRONG B is incorrect because this is a distracter answer. This is not an official term or security item.

WRONG C is incorrect because while memory isolation may help in protecting against buffer overflows, that is not the specific reason for its existence. Memory isolation is carried out to protect against many different memory attacks. Address space layout randomization (ASLR) has been specifically designed to try and outwit attackers and to make it more difficult for them to know a system’s memory address scheme for exploitation purposes.

WRONG D is incorrect because this is a distracter answer. This is not an official term or security item.


185

covert timing channel

In a covert timing channel, one process relays information to another by modulating its use of system resources. The two processes that are communicating to each other are using the same shared resource. So in our example, Process A is a piece of nefarious software that was installed via a Trojan horse. In a multitasked system, each process is offered access to interact with the CPU. When this function is offered to Process A, it rejects it—which indicates a 1 to the attacker. The next time Process A is offered access to the CPU, it uses it, which indicates a 0 to the attacker. Think of this as a type of Morse code, but using some type of system resource.

186

Open vs. Closed Systems

Computer systems can be developed to integrate easily with other systems and products (open systems) or can be developed to be more proprietary in nature and work with only a subset of other systems and products (closed systems). The following sections describe the difference between these approaches.

187

Rationale

Justifies the profile and gives a more detailed description of the real-world problem to be solved. The environment, usage assumptions, and threats are illustrated along with guidance on the security policies that can be supported by products and systems that conform to this profile.

188

No More Pencil Whipping

Many organizations are taking the accreditation process more seriously than they did in the past. Unfortunately, sometimes when a certification process is completed and the documentation is sent to management for review and approval, management members just blindly sign the necessary documentation without really understanding what they are signing. Accreditation means management is accepting the risk that is associated with allowing this new product to be introduced into the organization’s environment. When large security compromises take place, the buck stops at the individual who signed off on the offending item. So as these management members are being held more accountable for what they sign off on, and as more regulations make executives personally responsible for security, the pencil whipping of accreditation papers is decreasing.

189

microarchitecture

The microarchitecture contains the things that make up the physical CPU (registers, logic gates, ALU, cache, etc.). The CPU knows mechanically how to use all of these parts; it just needs to know what the operating system wants it to do. A chef knows how to use all of his pots, pans, spices, and ingredients, but he needs an order from the menu so he knows how to use all of these properly to achieve the requested outcome. Similarly, the CPU has a "menu" of operations the operating system can "order" from, which is the instruction set. The operating system puts in its order (render graphics on screen, print to printer, encrypt data, etc.), and the CPU carries out the request and provides the result.

190

unmapped I/O

I/O using DMA: Direct memory access (DMA) is a way of transferring data between I/O devices and the system’s memory without using the CPU. This speeds up data transfer rates significantly. When used in I/O activities, the DMA controller feeds the characters to the printer without bothering the CPU. This method is sometimes referred to as unmapped I/O.

191

Synchronous DRAM (SDRAM)

Synchronizes itself with the system’s CPU and synchronizes signal input and output on the RAM chip. It coordinates its activities with the CPU clock so the timing of the CPU and the timing of the memory activities are synchronized. This increases the speed of transmitting and executing data.

192

ISO/IEC 15408-3

ISO/IEC 15408-3 defines the assurance requirements, which are also organized in a hierarchy of classes, families, and components. This part outlines the evaluation assurance levels, which is a scale for measuring assurance of TOEs, and it provides the criteria for evaluation of protection profiles and security targets.

193

14. Which security architecture model defines how to securely develop access rights between subjects and objects?

A. Brewer-Nash

B. Clark-Wilson

C. Graham-Denning

D. Bell-LaPadula

Extended Questions:

CORRECT C. The Graham-Denning model addresses how access rights between subjects and objects are defined, developed, and integrated. It defines a set of basic rights in terms of commands that a specific subject can execute on an object. This model has eight primitive protection rights, or rules, on how these types of functionalities should take place securely. They are: how to securely create an object; how to securely create a subject; how to securely delete an object; how to securely delete a subject; how to securely provide the read access right; how to securely provide the grant access right; how to securely provide the delete access right; and how to securely provide transfer access rights. These things may sound insignificant, but when we are talking about building a secure system, they are very critical.

WRONG A is incorrect because the Brewer-Nash model is intended to provide access controls that can change dynamically depending upon a user’s previous actions. The main goal is to protect against conflicts of interest by users’ access attempts. For example, if a large marketing company provides marketing promotions and materials for two banks, an employee working on a project for Bank A should not be able to look at the information the marketing company has on its other bank customer, Bank B. Such action could create a conflict of interest because the banks are competitors. If the marketing company’s project manager for the Bank A project could view information on Bank B’s new marketing campaign, he may try to trump its promotion to please his more direct customer. The marketing company would get a bad reputation if it allowed its internal employees to behave so irresponsibly.

WRONG B is incorrect because the Clark-Wilson model is implemented to protect the integrity of data and to ensure that properly formatted transactions take place within applications. It works on the following premises: subjects can access objects only through authorized programs; separation of duties is enforced; auditing is required. The Clark-Wilson model addresses all three integrity goals: prevent unauthorized users from making modifications, prevent authorized users from making improper modifications, and maintain internal and external consistency.

WRONG D is incorrect because the Bell-LaPadula model was developed to address the U.S. military’s concern with the security of its systems and the leakage of classified information. The model’s main goal is to prevent sensitive information from being accessed in an unauthorized manner. It is a state machine model that enforces the confidentiality aspects of access control. A matrix and security levels are used to determine if subjects can access different objects. The subject’s clearance is compared to the object’s classification and then specific rules are applied to control how subject-to-object interactions take place.

194

Garbage collector

Tool that marks unused memory segments as usable to ensure that an operating system does not run out of memory.

195

Certification

Technical evaluation of the security components and their compliance to a predefined security policy for the purpose of accreditation.

196

ISO/IEC 15408-2

ISO/IEC 15408-2 defines the security functional requirements that will be assessed during the evaluation. It contains a catalog of predefined security functional components that maps to most security needs. These requirements are organized in a hierarchical structure of classes, families, and components. It also provides guidance on the specification of customized security requirements if no predefined security functional component exists.

197

Monolithic operating system architecture

All of the code of the operating system working in kernel mode in an ad hoc and nonmodularized manner.

198

Integrity verification procedures (IVPs)

Check the consistency of CDIs with external reality

199

Closed system

Designs are built upon proprietary procedures, which inhibit interoperability capabilities.

200

watchdog timer

The watchdog timer is an example of a critical process that must always do its thing. This process will reset the system with a warm boot if the operating system hangs and cannot recover itself. For example, if there is a memory management problem and the operating system hangs, the watchdog timer will reset the system. This is one mechanism that ensures the software provides more of a stable environment.


201

Assurance evaluation criteria

"Checklist" and process of examining the security-relevant parts of a system (TCB, reference monitor, security kernel) and assigning the system an assurance rating.

202

27. Which of the following is Charlie most likely concerned with in this situation?

A. Injection attacks

B. Memory block

C. Buffer overflows

D. Browsing attacks

Extended Questions:

CORRECT C. The C programming language is susceptible to buffer overflow attacks because some of its commands allow for direct pointer manipulations to take place. Specific commands can provide access to low-level memory addresses without carrying out bounds checking.

WRONG A is incorrect because the C programming language does not have any more vulnerabilities pertaining to injection attacks than any other languages. Injection attacks usually do not take place at the code level, but happen because an interface accepts data that are not properly filtered and validated.

WRONG B is incorrect because this is a distracter answer. There is no official programming language vulnerability referred to as "memory block."

WRONG D is incorrect because a browsing attack is when someone is reviewing various assets for sensitive data. This does not relate to a programming language, but how access control is implemented.


203

Graham-Denning model

This model shows how subjects and objects should be created and deleted. It also addresses how to assign specific access rights.

204

Security assurance requirements

Measures taken during development and evaluation of the product to assure compliance with the claimed security functionality.

205

Double data rate SDRAM (DDR SDRAM)

Carries out read operations on the rising and falling cycles of a clock pulse. So instead of carrying out one operation per clock cycle, it carries out two and thus can deliver twice the throughput of SDRAM. Basically, it doubles the speed of memory activities, when compared to SDRAM, with a smaller number of clock cycles. Pretty groovy.

206

Virtualization

Creation of a simulated environment (hardware platform, operating system, storage, etc.) that allows for central control and scalability.

207

Tim’s development team is designing a new operating system. One of the requirements of the new product is that critical memory segments need to be categorized as nonexecutable, with the goal of limiting the ability of malicious code to execute instructions in privileged mode. The team also wants to make sure that attackers will have a difficult time predicting execution target addresses.

28. Which of the following best describes the type of protection that needs to be provided by this product?

A. Hardware isolation

B. Memory induction application

C. Data execution prevention

D. Domain isolation protection

Extended Questions:

CORRECT C. Data execution prevention (DEP) is a security feature included in modern operating systems. It is intended to prevent a process from executing code from a nonexecutable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example. DEP can mark certain memory locations as "off limits," with the goal of reducing the "playing field" for hackers and malware.

WRONG A is incorrect because memory hardware isolation has to be done at the hardware level, not just in an operating system. Some systems that require a high level of security can be designed to ensure that memory is not shared in any fashion. This requires hardware design, and the operating system (or other software) has to then be designed to use that specific hardware environment.

WRONG B is incorrect because this is a distracter answer. This is not an official term or security issue.

WRONG D is incorrect because domain isolation does not deal specifically with memory protection as does data execution prevention (DEP). Domain isolation is not a specific technology, but a goal that operating systems attempt to accomplish. A domain is a set of resources that is available to an entity. Most people think of network domains in the Microsoft world, but a domain is just a set of resources. It is a general and old term. Domain isolation just means isolating one set of resources from another set of resources. This is commonly done so that one process cannot compromise another process’s resources.

208

Stakeholder

Individual, team, or organization (or classes thereof) with interests in, or concerns relative to, a system.

209

4. Virtual storage combines RAM and secondary storage for system memory. Which of the following is a security concern pertaining to virtual storage?

A. More than one process uses the same resource.

B. It allows cookies to remain persistent in memory.

C. It allows for side-channel attacks to take place.

D. Two processes can carry out a denial-of-service.

Extended Questions:

CORRECT A. When RAM and secondary storage are combined, the result is virtual memory. The system uses hard drive space—called swap space—that is reserved for the purpose of extending its RAM memory space. When a system fills up its volatile memory space, it writes data from memory onto the hard drive. When a program requests access to this data, it is brought from the hard drive back into memory in specific units, called page frames. Accessing data that is kept in pages on the hard drive takes more time than accessing data kept in memory because physical disk read/write access has to take place. There are internal control blocks, maintained by the operating system, to keep track of what page frames are residing in RAM, and what is available "offline," ready to be called into RAM for execution or processing, if needed. The payoff is that it seems as though the system can hold an incredible amount of information and program instructions in memory. A security issue with using virtual swap space is that two or more processes use the same resource and the data could be corrupted or compromised.

WRONG B is incorrect because virtual storage is not related to cookies. Virtual storage uses hard drive space to extend its RAM memory space. Cookies are small text files used mainly by Web browsers. The cookies can contain credentials for Web sites, site preference settings, or shopping histories. Cookies are also commonly used to maintain Web server-based sessions.

WRONG C is incorrect because a side-channel attack is a nonintrusive attack. In this type of attack, the attacker gathers information about how a mechanism (such as a smart card or encryption processor) works from the radiation that is given off, time taken to carry out processing, power consumed to carry out tasks, etc. This information is used to reverse-engineer the mechanism to uncover how it carries out its security tasks. This is not related to virtual storage.

WRONG D is incorrect because the biggest threat within a system that has shared resources between processes, as operating systems have to share memory between all resources, is that one process will negatively interfere with the other process’s resource. This is especially true with memory, since all data and instructions are stored there, whether they are sensitive or not. While it is possible for two processes to work together to carry out a denial-of-service attack, this is only one type of attack that can be carried out with or without the use of virtual storage.

210

The *-property rule

A subject cannot write to an object at a lower security level (no write down).

211

Protection

  • Limit processes to interact only with the memory segments assigned to them
  • Provide access control to memory segments

212

buffer overflow

A buffer overflow takes place when too much data are accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up by commands the attacker wants executed. So, the purpose of a buffer overflow may be either to make a mess, by shoving arbitrary data into various memory segments, or to accomplish a specific task, by pushing into the memory segment a carefully crafted set of data that will accomplish a specific task. This task could be to open a command shell with administrative privilege or execute malicious code.

213

Selective routing

Routes messages in a way to avoid specific threats. Mechanisms include network configuration and routing tables.

214

Layered operating system architecture

Architecture that separates system functionality into hierarchical layers.

215

Burst EDO DRAM (BEDO DRAM)

Works like (and builds upon) EDO DRAM in that it can transmit data to the CPU as it carries out a read option, but it can send more data at once (burst). It reads and sends up to four memory addresses in a small number of clock cycles.

216

The simple integrity axiom

A subject cannot read data at a lower integrity level (no read down).

217

Computer Architecture

Put the processor over there by the plant, the memory by the window, and the secondary storage upstairs.

Computer architecture encompasses all of the parts of a computer system that are necessary for it to function, including the operating system, memory chips, logic circuits, storage devices, input and output devices, security components, buses, and networking interfaces. The interrelationships and internal working of all of these parts can be quite complex, and making them work together in a secure fashion consists of complicated methods and mechanisms. Thank goodness for the smart people who figured this stuff out! Now it is up to us to learn how they did it and why.

218

Division C: Discretionary Protection

The C rating category has two individual assurance ratings within it, which are described next. The higher the number of the assurance rating, the greater the protection.

219

Trusted path

Trustworthy software channel that is used for communication between two processes that cannot be circumvented.

220

Abstraction

Abstraction means that the details of something are hidden. Developers of applications do not know the amount or type of memory that will be available in each and every system their code will be loaded on. If a developer had to be concerned with this type of detail, then her application would be able to work only on the one system that maps to all of her specifications. To allow for portability, the memory manager hides all of the memory issues and just provides the application with a memory segment. The application is able to run without having to know all the hairy details of the operating system and hardware it is running on.

221

Data confidentiality

Protects data from being accessed in an unauthorized method during transmission. Mechanisms include access controls, encryption, and physical protection of cables.

222

Interrupt

Software or hardware signal that indicates that system resources (i.e., CPU) are needed for instruction processing.

223

firmware

Read-only memory (ROM) is a nonvolatile memory type, meaning that when a computer’s power is turned off, the data are still held within the memory chips. When data are written into ROM memory chips, the data cannot be altered. Individual ROM chips are manufactured with the stored program or routines designed into it. The software that is stored within ROM is called firmware.

224

Multiprogramming

Interleaved execution of more than one program (process) or task by a single operating system.

225

Monolithic

All operating system processes run in kernel mode.

226

Memory Types

Memory management is critical, but what types of memory actually have to be managed?

As stated previously, the operating system instructions, applications, and data are held in memory, but so are the basic input/output system (BIOS), device controller instructions, and firmware. They do not all reside in the same memory location or even the same type of memory. The different types of memory, what they are used for, and how each is accessed can get a bit confusing because the CPU deals with several different types for different reasons.

227

Programmable I/O

If an operating system is using programmable I/O, this means the CPU sends data to an I/O device and polls the device to see if it is ready to accept more data. If the device is not ready to accept more data, the CPU wastes time by waiting for the device to become ready. For example, the CPU would send a byte of data (a character) to the printer and then ask the printer if it is ready for another byte. The CPU sends the text to be printed one byte at a time. This is a very slow way of working and wastes precious CPU time. So the smart people figured out a better way: interrupt-driven I/O.

228

Process Activity

Process 1, go into your room and play with your toys. Process 2, go into your room and play with your toys. No intermingling and no fighting!

Computers can run different applications and processes at the same time. The processes have to share resources and play nice with each other to ensure a stable and safe computing environment that maintains its integrity. Some memory, data files, and variables are actually shared between different processes. It is critical that more than one process does not attempt to read and write to these items at the same time. The operating system is the master program that prevents this type of action from taking place and ensures that programs do not corrupt each other’s data held in memory. The operating system works with the CPU to provide time slicing through the use of interrupts to ensure that processes are provided with adequate access to the CPU. This also makes certain that critical system functions are not negatively affected by rogue applications.

229

Symmetric mode multiprocessing

When a computer has two or more CPUs and each CPU is being used in a load-balancing method.

230

Fully Mapped I/O

Under fully mapped I/O, the operating system does not trust the I/O device. The physical address is not given to the I/O device. Instead, the device works purely with logical addresses and works on behalf (under the security context) of the requesting process, so the operating system does not trust the device to interact with memory directly. The operating system does not trust the process or device and it acts as the broker to control how they communicate with each other.

231

These modes are used in MAC systems, which hold one or more classifications of data. Several things come into play when determining the mode the operating system should be working in:

  • The types of users who will be directly or indirectly connecting to the system
  • The type of data (classification levels, compartments, and categories) processed on the system
  • The clearance levels, need-to-know, and formal access approvals the users will have

232

Security kernel

Hardware, software, and firmware components that fall within the TCB and implement and enforce the reference monitor concept.

233

18. There are different ways that operating systems can carry out software I/O procedures. Which of the following is used when the CPU sends data to an I/O device and then works on another process’s request until the I/O device is ready for more data?

A. I/O using DMA

B. Interrupt-driven I/O

C. Programmable I/O

D. Premapped I/O

Extended Questions:

CORRECT B. If an operating system is using interrupt-driven I/O (input/output), this means that the CPU sends data to an I/O device and then goes and works on another process’s request. When the I/O device is ready for more data, it sends an interrupt to the CPU. The CPU stops what it is doing, sends more data, and moves to another job. This process (send data—go, do something else—interrupt—send data) continues until the process is complete.

WRONG A is incorrect because direct memory access (DMA) is a way of transferring data between I/O devices and the system’s memory without using the CPU. This speeds up data transfer rates significantly. When used in I/O activities, the DMA controller feeds data to the I/O device without bothering the CPU. This method is sometimes referred to as unmapped I/O.

WRONG C is incorrect because if an operating system is using programmable I/O, this means that the CPU sends data to an I/O device and polls the device to see if it is ready to accept more data. If the device is not ready to accept more data, the CPU wastes time by waiting for the device to become ready. For example, the CPU would send a byte of data (a character) to the printer and then ask the printer if it is ready for another byte. The CPU sends the text to be printed one byte at a time. This is a very slow way of working and wastes precious CPU time.

WRONG D is incorrect because in a premapped I/O system, the CPU sends the physical memory address of the requesting process to the I/O device, and the I/O device is trusted enough to interact with the contents of memory directly. So the CPU does not control the interactions between the I/O device and memory. The operating system trusts the device to behave properly. Thus, premapped I/O does not pertain to performance, as do other methods, but provides an approach that can directly affect security. Fully mapped I/O also affects security. However, in this case, the operating system does not fully trust the I/O device. The physical address is not given to the I/O device. Instead, the device works purely with logical addresses and works on behalf (under the security context) of the requesting process. So the operating system does not trust the device to interact with memory directly. The operating system does not trust the process or device and acts as the broker to control how they communicate with each other.

234

Labels

Access control labels must be associated properly with objects.

235

Clark-Wilson model

This integrity model is implemented to protect the integrity of data and to ensure that properly formatted transactions take place. It addresses all three goals of integrity:

236

32. Which of the following best describes the last architecture described in this scenario?

A. Hybrid microkernel

B. Layered

C. Monolithic

D. Hardened and embedded

Extended Questions:

CORRECT A. The hybrid microkernel architecture is a combination of monolithic and microkernel architectures. The critical operating system functionality is carried out in a microkernel construct, and the remaining functionality is carried out in a client/server model running within kernel mode. This architecture allows for the critical operating system functions to run in kernel mode and not experience the performance issues with previous architectures.

WRONG B is incorrect because a layered operating system architecture focuses on constructing the functions of the operating system into hierarchical layers. This architecture does not focus on what is or is not running in kernel mode.

WRONG C is incorrect because the industry started with monolithic operating systems and evolved from them. A monolithic operating system does not segregate privileged and nonprivileged processes and does not use a kernel. MS-DOS is an example of a monolithic operating system.

WRONG D is incorrect because an operating system that is hardened and embedded is not a major architecture. The term "hardened" just means secured, and "embedded" means that the operating system’s functionalities are stripped down to only provide the basic and necessary functions required of the hardware the software is installed upon. Mobile phones and specialized hardware commonly have embedded operating systems.

237

Interrupts

Values assigned to computer components (hardware and software) to allow for efficient computer resource time slicing.

238

Maintenance Hooks

In the programming world, maintenance hooks are a type of back door. They are instructions within software that only the developer knows about and can invoke, and which give the developer easy access to the code. They allow the developer to view and edit the code without having to go through regular access controls. During the development phase of the software, these can be very useful, but if they are not removed before the software goes into production, they can cause major security issues.

239

Program counter

Holds the memory address for the following instructions the CPU needs to act upon.

240

Trusted computing base

A collection of all the hardware, software, and firmware components within a system that provide security and enforce the system’s security policy.

241

Isn’t the Orange Book Dead?

We have moved from the Orange Book to the Common Criteria in the industry, so a common question is, "Why do I have to study this Orange Book stuff?" The Orange Book was the first evaluation criteria and was used for 20 years. Many of the basic terms and concepts that have carried through originated in the Orange Book. And we still have several products with these ratings that eventually will go through the Common Criteria evaluation process.

242

ROM

Nonvolatile memory that is used on motherboards for BIOS functionality and various device controllers to allow for operating system-to-device communication. Sometimes used for off-loading graphic rendering or cryptographic functionality.

243

Harrison-Ruzzo-Ullman Model

The Harrison-Ruzzo-Ullman (HRU) model deals with access rights of subjects and the integrity of those rights. A subject can carry out only a finite set of operations on an object. Since security loves simplicity, it is easier for a system to allow or disallow authorization of operations if one command is restricted to a single operation. For example, if a subject sent command X, which only required the operation of Y, this is pretty straightforward and allows the system to allow or disallow this operation to take place. But if a subject sent command M and, to fulfill that command, operations N, B, W, and P had to be carried out, then there is much more complexity for the system to decide if this command should be authorized. Also, the integrity of the access rights needs to be ensured, so in this example if one operation cannot be processed properly, the whole command fails. So while it is easy to dictate that subject A can only read object B, it is not always so easy to ensure each and every function supports this high-level statement. The HRU model is used by software designers to ensure that no unforeseen vulnerability is introduced and the stated access control goals are achieved.

244

Race condition

Two or more processes attempt to carry out their activity on one resource at the same time. Unexpected behavior can result if the sequence of execution does not take place in the proper order.

245

Operating systems have evolved and changed over the years. The earlier operating systems were monolithic and did not segregate critical processes from noncritical processes. As time went on operating system vendors started to reduce the amount of programming code that ran in kernel mode. Only the absolutely necessary code ran in kernel mode, and the remaining operating system code ran in user mode. This architecture introduced performance issues, which required the operating system vendors to reduce the critical operating system functionality to microkernels and allow the remaining operating system functionality to run in client/server models within kernel mode.

30. Which of the following best describes the second operating system architecture described in the scenario?

A. Layered

B. Microkernel

C. Monolithic

D. Kernel based

Extended Questions:

CORRECT B. In the microkernel architecture, a reduced amount of code is running in kernel mode carrying out critical operating system functionality. Only the absolutely necessary code runs in kernel mode, and the remaining operating system code runs in user mode. Traditional operating system functions, such as device drivers, protocol stacks, and file systems, are removed from the microkernel to run in user space.

WRONG A is incorrect because a layered operating system architecture focuses on constructing the functions of the operating system into hierarchical layers. This architecture does not focus on what is or is not running in kernel mode.

WRONG C is incorrect because the industry started with monolithic operating systems and evolved from them. A monolithic operating system does not segregate privileged and nonprivileged processes and does not use a kernel. MS-DOS is an example of a monolithic operating system.

WRONG D is incorrect because there is no official architecture called "kernel-based," and this answer does not properly address the concept of reducing the amount of code that runs in kernel mode. The microkernel architecture specifically addressed this issue. A microkernel is the near-minimum amount of software that can provide the mechanisms needed to implement an operating system.

246

Random Access Memory

Random access memory (RAM) is a type of temporary storage facility where data and program instructions can temporarily be held and altered. It is used for read/write activities by the operating system and applications. It is described as volatile because if the computer’s power supply is terminated, then all information within this type of memory is lost.

247

Harrison-Ruzzo-Ullman (HRU)

The Harrison-Ruzzo-Ullman (HRU) model deals with access rights of subjects and the integrity of those rights. A subject can carry out only a finite set of operations on an object. Since security loves simplicity, it is easier for a system to allow or disallow authorization of operations if one command is restricted to a single operation. For example, if a subject sent command X, which only required the operation of Y, this is pretty straightforward and allows the system to allow or disallow this operation to take place. But if a subject sent command M and, to fulfill that command, operations N, B, W, and P had to be carried out, then there is much more complexity for the system to decide if this command should be authorized. Also, the integrity of the access rights needs to be ensured, so in this example if one operation cannot be processed properly, the whole command fails. So while it is easy to dictate that subject A can only read object B, it is not always so easy to ensure each and every function supports this high-level statement. The HRU model is used by software designers to ensure that no unforeseen vulnerability is introduced and the stated access control goals are achieved.

248

Network management

Monitors network performance and identifies attacks and failures. Mechanisms include components that enable network administrators to monitor and restrict resource access.

249

13. Virtualization offers many benefits. Which of the following incorrectly describes virtualization?

A. Virtualization simplifies operating system patching.

B. Virtualization can be used to build a secure computing platform.

C. Virtualization can provide fault and error containment.

D. Virtual machines offer powerful debugging capabilities.

Extended Questions:

CORRECT A. Virtualization does not simplify operating system patching. In fact, it makes it more complex because it adds at least one operating system. Each operating system commonly varies in version and configurations—increasing the complexity of patching. The operating systems for the servers themselves run as guests within the host environment. Not only do you have to patch and maintain the traditional server operating systems, but now you also have to patch and maintain the virtualization software itself.

WRONG B is incorrect because virtualization can be used to build a secure computing platform. Untrusted applications can be run in secure, isolated sandboxes within a virtual machine. The virtualization software "compartmentalizes" the individual guest operating systems and ensures that the processes for each guest do not interact with the other guest processes in an unauthorized manner.

WRONG C is incorrect because virtual machines can provide fault and error containment by isolating what is run within the specific guest operating systems. Developers and security researchers can proactively inject faults into software to study its behavior without impacting other virtual machines. For this reason, virtual machines are useful tools for research and academic experiments.

WRONG D is incorrect because virtual machines enable powerful debugging, as well as performance monitoring, by allowing you to put debugging and performance monitoring tools in the virtual machine monitor. There’s no need to set up complex debugging scenarios and the operating systems can be debugged without impacting productivity.

250

Layered

All operating system processes run in a hierarchical model in kernel mode.

251

central processing unit (CPU)

The central processing unit (CPU) is the brain of a computer. In the most general description possible, it fetches instructions from memory and executes them. Although a CPU is a piece of hardware, it has its own instruction set that is necessary to carry out its tasks. Each CPU type has a specific architecture and set of instructions that it can carry out. The operating system must be designed to work within this CPU architecture. This is why one operating system may work on a Pentium Pro processor but not on an AMD processor. The operating system needs to know how to "speak the language" of the processor, which is the processor’s instruction set.

252

Operating System Architectures

We started this chapter by looking at system architecture approaches. Remember that a system is made up of all the necessary pieces for computation: hardware, firmware, and software components. The chapter moved into the architecture of a CPU, which just looked at the processor. Now we will look at operating system architectures, which deal specifically with the software components of a system.

253

Dynamic link libraries (DLLs)

A set of subroutines that are shared by different applications and operating system processes.

254

Time-of-check/time-of-use (TOC/TOU) attack

Attacker manipulates the "condition check" step and the "use" step within software to allow for unauthorized activity.

255

Erasable programmable read-only memory (EPROM)

Erasable programmable read-only memory (EPROM) can be erased, modified, and upgraded. EPROM holds data that can be electrically erased or written to. To erase the data on the memory chip, you need your handy-dandy ultraviolet (UV) light device that provides just the right level of energy. The EPROM chip has a quartz window, which is where you point the UV light. Although playing with UV light devices can be fun for the whole family, we have moved on to another type of ROM technology that does not require this type of activity.

256

Address bus

Physical connections between processing components and memory segments used to communicate the physical memory addresses being used during processing procedures.

257

Process isolation

Protection mechanism provided by operating systems that can be implemented as encapsulation, time multiplexing of shared resources, naming distinctions, and virtual memory mapping.

258

6. Which of the following correctly describes the relationship between the reference monitor and the security kernel?

A. The security kernel implements and enforces the reference monitor.

B. The reference monitor is the core of the trusted computing base, which is made up of the security kernel.

C. The reference monitor implements and enforces the security kernel.

D. The security kernel, aka abstract machine, implements the reference monitor concept.

Extended Questions:

CORRECT A. The trusted computing base (TCB) is the total combination of a system’s protection mechanisms. These are in the form of hardware, software, and firmware. These same components also comprise the security kernel. The reference monitor is an access control concept that is implemented and enforced by the security kernel via the hardware, software, and firmware. In doing so, the security kernel ensures that subjects have the appropriate authorization to access the objects they are requesting. The subject, be it a program, user, or process, should not be able to access a file, program, or resource it is requesting until it has proven that it has the appropriate access rights.

WRONG B is incorrect because the reference monitor is not the core of the trusted computing base (TCB). The core of the TCB is the security kernel, and the security kernel carries out the reference monitor concept. The reference monitor is a concept pertaining to access control. Since it is not a physical component, it is often referred to as an "abstract machine." The reference monitor mediates access between subjects and objects in an effort to ensure that subjects have the necessary rights to access objects and to protect objects from unauthorized access and destructive changes.

WRONG C is incorrect because the reference monitor does not implement and enforce the security kernel. Rather, the security kernel implements and enforces the reference monitor. The reference monitor is an abstract concept, while the security kernel is a combination of hardware, software, and firmware within the trusted computing base. The security kernel has three requirements, which are also the requirements of the reference monitor. The security kernel must tamperproof and isolate the processes executing the reference monitor concept. Likewise, the security kernel must be implemented so that it is invoked for every access attempt and cannot be circumvented. Finally, the security kernel must be small enough to enable its comprehensive testing and verification.

WRONG D is incorrect because abstract machine is not another name for the security kernel. Abstract machine is another name for the reference monitor, which can also be referred to as the reference monitor concept. The concept states that an abstract machine serves as the mediator between subjects and objects to ensure that the subjects have the necessary rights to access the objects they are requesting and to protect the objects from unauthorized access and modification. The security kernel is responsible for carrying out these activities.

259

Logical addresses

Indirect addressing used by processes within an operating system. The memory manager carries out logical-to-absolute address mapping.

260

Hybrid microkernel

All operating system processes run in kernel mode. Core processes run within a microkernel and others run in a client/server model.

261

Noninterference Model

Stop touching me. Stop touching me. You are interfering with me!

Multilevel security properties can be expressed in many ways, one being noninterference. This concept is implemented to ensure any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. This type of model does not concern itself with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it cannot change the state for the entity at the lower level.

262

12. Bethany is working on a mandatory access control (MAC) system. She has been working on a file that was classified as Secret. She can no longer access this file because it has been reclassified as Top Secret. She deduces that the project she was working on has just increased in confidentiality and she now knows more about this project than her clearance and need-to-know allows. Which of the following refers to a concept that attempts to prevent this type of scenario from occurring?

A. Covert storage channel

B. Inference attack

C. Noninterference

D. Aggregation

Extended Questions:

CORRECT C. Multilevel security properties can be expressed in many ways, one being noninterference. This concept is implemented to ensure that any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. So if an entity at a higher security level performs an action, it cannot change the state for the entity at the lower level. If a lower-level entity were aware of a certain activity carried out by an entity at a higher level and the state of the system changed for this lower-level entity, the entity might be able to deduce too much information about the activities of the higher state, which in turn is a way of leaking information.

WRONG A is incorrect because a covert channel allows for the ability to share information between processes that weren’t intended to communicate. Noninterference is a model intended to prevent covert channels, along with other malicious ways of communication, from taking place. The model looks at the shared resources that the different users of a system will use and tries to identify how information can be passed from a process working at a higher security clearance to a process working at a lower security clearance. If two users are working on the same system at the same time, they will most likely have to share some type of resources. So the model is made up of rules to ensure that User A cannot carry out any activities that can allow User B to infer information she does not have the clearance to know.

WRONG B is incorrect because an inference attack refers to Bethany’s ability to infer that the project that she was working on was now Top Secret and has now increased in importance and secrecy. The question is asking for the concept that helps to prevent an inference attack. An inference attack occurs when someone has access to some type of information and can infer (or guess) something that she does not have the clearance level or authority to know. For example, let’s say that Tom is working on a file that contains information about supplies that are being sent to Russia. He closes out of that file and one hour later attempts to open the same file. During this time, the file’s classification has been elevated to Top Secret, so when Tom attempts to access it, he is denied. Tom can infer that some type of Top Secret mission is getting ready to take place with Russia. He does not have clearance to know this; thus, it would be an inference attack or "leaking information."

WRONG D is incorrect because aggregation is the act of combining information from separate sources. The combination of the data forms new information, which the subject does not have the necessary rights to access. The combined information can have a sensitivity that is greater than that of the individual parts. Aggregation happens when a user does not have the clearance or permission to access specific information but does have the permission to access components of this information. She can then figure out the rest and obtain restricted information.

263

Maskable interrupt

Interrupt value assigned to a noncritical operating system activity.

264

Traffic flow confidentiality

Ensures that unauthorized entities are not aware of routing information or frequency of communication via traffic analysis. Mechanisms include padding messages, sending noise, or sending false messages.

265

Descriptive elements

Provides the name of the profile and a description of the security problem to be solved.

266

maintenance hooks

In the programming world, maintenance hooks are a type of back door. They are instructions within software that only the developer knows about and can invoke, and which give the developer easy access to the code. They allow the developer to view and edit the code without having to go through regular access controls. During the development phase of the software, these can be very useful, but if they are not removed before the software goes into production, they can cause major security issues.

267

integrity

The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Bell-LaPadula model uses a lattice of security levels (top secret, secret, sensitive, and so on). These security levels were developed mainly to ensure that sensitive data were only available to authorized individuals. The Biba model is not concerned with security levels and confidentiality, so it does not base access decisions upon this type of lattice. Instead, the Biba model uses a lattice of integrity levels.

268

multilevel security mode

A system is operating in multilevel security mode when it permits two or more classification levels of information to be processed at the same time when not all of the users have the clearance or formal approval to access all the information being processed by the system. So all users must have formal approval, NDA, need-to-know, and the necessary clearance to access the data that they need to carry out their jobs. In this mode, the user cannot access all of the data on the system, only what she is cleared to access.

269

Formal Models

Using models in software development has not become as popular as once imagined, primarily because vendors are under pressure to get products to market as soon as possible. Using formal models takes more time during the architectural phase of development, extra time that many vendors feel they cannot afford. Formal models are definitely used in the development of systems that cannot allow errors or security breaches, such as air traffic control systems, spacecraft software, railway signaling systems, military classified systems, and medical control systems. This does not mean that these models, or portions of them, are not used in industry products, but rather that industry vendors do not always follow these models in the purely formal and mathematical way all the time.

270

domain

The term domain just means a collection of resources. A process has a collection of resources assigned to it when it is loaded into memory (run time), as in memory addresses, files it can interact with, system services available to it, peripheral devices, etc. The higher the ring level that the process executes within, the larger the domain of resources that is available to it.

271

Hardware Segmentation

Systems of a higher trust level may need to implement hardware segmentation of the memory used by different processes. This means memory is separated physically instead of just logically. This adds another layer of protection to ensure that a lower-privileged process does not access and modify a higher-level process’s memory space.

272

Reference monitor

Concept that defines a set of design requirements of a reference validation mechanism (security kernel), which enforces an access control policy over subjects’ (processes, users) ability to perform operations (read, write, execute) on objects (files, resources) on a system.

273

Maintenance hooks

Code within software that provides a back door entry capability.

274

Certification vs. Accreditation

We have gone through the different types of evaluation criteria that a system can be appraised against to receive a specific rating. This is a very formalized process, following which the evaluated system or product will be placed on an EPL indicating what rating it achieved. Consumers can check this listing and compare the different products and systems to see how they rank against each other in the property of protection. However, once a consumer buys this product and sets it up in their environment, security is not guaranteed. Security is made up of system administration, physical security, installation, configuration mechanisms within the environment, and continuous monitoring. To fairly say a system is secure, all of these items must be taken into account. The rating is just one piece in the puzzle of security.

275

Stack

Memory segment used by processes to communicate instructions and data to each other.

276

Kernel mode (supervisory state, privilege mode)

Mode that a CPU works within when carrying out more trusted process instructions. The process has access to more computer resources when working in kernel versus user mode.

277

guards

Software and hardware guards allow the exchange of data between trusted (high assurance) and less trusted (low assurance) systems and environments. Let’s say you are working on a MAC system (working in dedicated security mode of secret) and you need the system to communicate with a MAC database (working in multilevel security mode, which goes up to top secret). These two systems provide different levels of protection. If a system with lower assurance could directly communicate with a system of higher assurance, then security vulnerabilities and compromises could be introduced. So, a software guard can be implemented, which is really just a front-end product that allows interconnectivity between systems working at different security levels. (The various types of guards available can carry out filtering, processing requests, data blocking, and data sanitization.) Or a hardware guard can be implemented, which is a system with two NICs connecting the two systems that need to communicate. The guard provides a level of strict access control between different systems.

278

Data execution prevention (DEP)

Memory protection mechanism used by some operating systems. Memory segments may be marked as nonexecutable so that they cannot be misused by malicious software.

279

Identification

Individual subjects must be uniquely identified.

280

Control unit

Part of the CPU that oversees the collection of instructions and data from memory and how they are passed to the processing components of the CPU.

281

3. CPUs and operating systems can work in two main types of multitasking modes. What controls access and the use of system resources in preemptive multitasking mode?

A. The user and application

B. The program that is loaded into memory

C. The operating system

D. The CPU and user

Extended Questions:

CORRECT C. Operating systems started out as cooperative and then evolved into preemptive multitasking. With preemptive multitasking, used in Windows 9x, NT, 2000, and XP, as well as in Unix systems, the operating system controls how long a process can use a resource. The system can suspend a process that is using the CPU (or other system resources) and allow another process access to it through the use of time sharing. Thus, operating systems that use preemptive multitasking run the show, and one application does not negatively affect another application if it behaves badly. In operating systems that used cooperative multitasking, the processes had too much control over resource release, and when an application hung, it usually affected all the other applications and sometimes the operating system itself. Operating systems that use preemptive multitasking run the show, and one application does not negatively affect another application as easily.

WRONG A is incorrect because the user and application do not control access and the use of system resources in preemptive multitasking mode. The application, however, has more control over the use of system resources in cooperative multitasking mode. The operating system itself works in either preemptive or cooperative multitasking modes, not the applications or users.

WRONG B is incorrect because as described in answer A, a program does not run in a specific multitasking mode—the operating system does. Cooperative multitasking, used in Windows 3.1 and early Macintosh systems, required the processes to voluntarily release resources that they were using. This was not necessarily a stable environment because if a programmer did not write his code properly to release a resource when his application was done using it, the resource would be committed indefinitely to his application and thus unavailable to other processes.

WRONG D is incorrect because the user and CPU do not control access and the use of system resources. Instead, the operating system controls the processor time slices that different processes can be allocated. Multitasking is the way that the operating system uses access to the CPU, which can be either cooperative or preemptive.

282

1. Lacy’s manager has tasked her with researching an intrusion detection system for a new dispatching center. Lacy identifies the top five products and compares their ratings. Which of the following are the evaluation criteria most in use today for these types of purposes?

A. ITSEC

B. Common Criteria

C. Red Book

D. Orange Book

Extended Questions:

CORRECT B. The Common Criteria were created in the early 1990s as a way of combining the strengths of both the Trusted Computer System Evaluation Criteria (TCSEC) and Information Technology Security Evaluation Criteria (ITSEC) while eliminating their weaknesses. These evaluation criteria are more flexible than TCSEC and more straightforward than ITSEC. Because they are recognized globally, the Common Criteria help consumers by reducing the complexity of the ratings and eliminating the need to understand the definition and meaning of different ratings within various evaluation schemes. This also helps manufacturers because now they can build to one specific set of requirements if they want to sell their products internationally, instead of having to meet several different ratings with varying rules and requirements.

WRONG A is incorrect because ITSEC, or the Information Technology Security Evaluation Criteria, is not the most widely used. ITSEC was the first attempt at establishing a single standard for evaluating security attributes of computer systems and products by many European countries. Furthermore, ITSEC separates functionality and assurance in its evaluation, giving each a separate rating. It was developed to provide more flexibility than TCSEC, and addresses integrity, availability, and confidentiality in networked systems. While the goal of the ITSEC was to become the worldwide criteria for product evaluation, it did not meet that goal and has been replaced with the Common Criteria.

WRONG C is incorrect because the Red Book is a U.S. government publication that addresses security evaluation topics for networks and network components. Officially titled the Trusted Network Interpretation, the book provides a framework for securing different types of networks. Subjects accessing objects on the network need to be controlled, monitored, and audited.

WRONG D is incorrect because the Orange Book is a U.S. government publication that primarily addresses government and military requirements and expectations for operating systems. The Orange Book is used to evaluate whether a product contains the security properties the vendor claims it does and whether the product is appropriate for a specific application or function. The Orange Book is used to review the functionality, effectiveness, and assurance of a product during its evaluation, and it uses classes that were devised to address typical patterns of security requirements. It provides a broad framework for building and evaluating trusted systems with great emphasis on controlling which users can access a system. The other name for the Orange Book is the Trusted Computer System Evaluation Criteria (TCSEC).

283

Information Technology Security Evaluation Criteria (ITSEC)

The Information Technology Security Evaluation Criteria (ITSEC) was the first attempt at establishing a single standard for evaluating security attributes of computer systems and products by many European countries. The United States looked to the Orange Book and Rainbow Series, and Europe employed ITSEC to evaluate and rate computer systems. (Today, everyone is migrating to the Common Criteria, explained in the next section.)

284

Hypervisor

Central program used to manage virtual machines (guests) within a simulated environment (host).

285

Strong star property rule

For a subject to be able to read and write to an object, the subject’s clearance and the object’s classification must be equal.