Term
What is important about the program status word (PSW)? |
|
Definition
The PSW sets a bit that indicates to the CPU whether an instruction should run in user mode (also called problem state) or privileged mode (also called kernel or supervisor mode). |
|
|
Term
|
Definition
The computer has more than one CPU |
|
|
Term
What is multiprogramming? |
|
Definition
An operating system can load more than one program in memory at a time. |
|
|
Term
|
Definition
An application has the ability to run multiple threads simultaneously. |
|
|
Term
What are the two modes of multiprocessing? |
|
Definition
Symmetric mode - the processors are handed work as needed. Think load balancing.
Asymmetric mode - at least one processor is dedicated solely to a specific task or application.
|
|
|
Term
|
Definition
A set of instructions that is actually running. It is the collection of instructions and assigned resources. |
|
|
Term
|
Definition
An operating system can handle requests from several different processes loaded into memory at the same time. |
|
|
Term
What are the two types of multitasking? |
|
Definition
Cooperative multitasking - required processes to voluntarily release the resources they were using.
Preemptive multitasking - the operating system controls how long a process can use a resource (time sharing).
|
|
|
Term
What does it mean when a process is in the "running state"? |
|
Definition
The CPU is executing its instructions and data. |
|
|
Term
What does it mean when a process is in the "ready state"? |
|
Definition
It is waiting to send instructions to the CPU. |
|
|
Term
What state is a process in when waiting for input data? |
|
Definition
A process waiting for input data is in the "blocked state". |
|
|
Term
How does a process know when it can communicate with the CPU? |
|
Definition
Though the use of interrupts. |
|
|
Term
What are absolute addresses? |
|
Definition
The physical memory addresses used by the CPU. |
|
|
Term
What are logical addresses? |
|
Definition
The indexed memory addresses used by software. |
|
|
Term
What are relative addresses? |
|
Definition
Relative addresses are based on a known address with an offset value applied. |
|
|
Term
What is a memory manager? |
|
Definition
Maps logical addresses (software) to physical addresses (CPU). |
|
|
Term
What is a memory leak and why is it a concern? |
|
Definition
A memory leak occurs when an application fails to indicate to the system its memory segment is no longer in use. It is a concern because it could lead to a Denial of Service. |
|
|
Term
What are two countermeasures that protect against memory leaks? |
|
Definition
Develop better code that releases memory properly.
Use a garbage collector program that identifies unused memory and forces its release.
|
|
|
Term
|
Definition
A combination of RAM and the use of secondary (nonvolatile) storage like the computer's hard drive, external drives or CD-ROMs.
|
|
|
Term
What is the danger with virtual memory? |
|
Definition
If the secondary storage is not properly wiped after use, it could reveal sensitive information. |
|
|
Term
What are protection rings? |
|
Definition
Protection rings provide strict boundaries and definitions for what the processes that work within each ring can access and what operations they can successfully execute. Think kernel mode (privileged or supervisor) vs. user mode. |
|
|
Term
What are the different Execution Domains? |
|
Definition
- Ring 0 - Operating system kernel
- Ring 1 - Remainder of OS
- Ring 2 - Drivers/utilities
- Ring 3 - Apps/software and user activity
|
|
|
Term
What is the difference between an execution domain and a protection ring? |
|
Definition
They are both essentially the same. The execution domain is directly correlated to the protection ring. The lower the protection ring number, the higher privilege and the larger the domain (The OS kernel has more available resources than applications). |
|
|
Term
How are layering and data hiding related? |
|
Definition
They are terms used when talking about protection mechanisms for OSs. Processes can only exchange data through well-defined APIs). No API interface = no communication between layers/programs.
|
|
|
Term
|
Definition
Trusted Computing Base is defined as the total of all protection mechanisms within a computer system. It includes hardware, software and firmware. |
|
|
Term
Where does TCB originate? |
|
Definition
|
|
Term
What does the TCB address? |
|
Definition
The level of trust a system provides, in a security sense. |
|
|
Term
|
Definition
A communication channel between a program or a user and the kernel. |
|
|
Term
|
Definition
The code in it cannot bust out of it and no other process can bust in |
|
|
Term
What is the security perimeter? |
|
Definition
An imaginary boundary that divides the trusted from the untrusted. |
|
|
Term
What is the security kernel? |
|
Definition
It is made up of all the components that fall within the TCB (hardware, software and firmware). It implements and enforces the reference monitor's concepts - access mediation of all subjects to objects in the system (avoid unauthorized and destructive access as well as allow authorized access) |
|
|
Term
What is the reference monitor? |
|
Definition
An abstract machine that ensures all subjects have the necessary access rights before accessing objects. |
|
|
Term
What are the main requirements of the security kernel? |
|
Definition
1. It must provide isolation for the tamperproof processes.
2. It must be invoked for every access attempt and be impossible to circumvent.
3. It must be small enough to be completely and comprehensively tested and verified. |
|
|
Term
In terms of security architecture, what is a security policy? |
|
Definition
A set of rules and practices that dictates how sensitive information and resources are managed, protected and distributed. It expresses exactly what the security level should be by setting the goals of what the security mechanisms are supposed to accomplish. |
|
|
Term
What is a multilevel security policy? |
|
Definition
One that prevents information from flowing from a higher security level to a lower one.
|
|
|
Term
What is the concept of least privilege as it pertains to security architecture? |
|
Definition
A process will have no more privileges than necessary to be able to fulfill its functions. |
|
|
Term
What is the relationship between a security policy and a security model? |
|
Definition
A security policy provides abstract goals while a security model provides the do's and don'ts necessary to fulfill those goals. |
|
|
Term
Of the following security models, which one is informal and used more as a framework?
Bell-LaPadula
Biba
Clark-Wilson |
|
Definition
|
|
Term
What is the state machine model? |
|
Definition
It is used to describe the behavior of a system to different inputs. It will ensure the system that uses this model will be in a secure state at all times – boot up, command execution, shut down and even failing! Such a system will only allow a change of state after (a) authorization is checked and (b) consequence of this change (still secure state after change?) is checked - think conditional statements "if condition then update".
|
|
|
Term
What is it called when activities can alter the state of a system? |
|
Definition
|
|
Term
What is the name of the first mathmatical security model? |
|
Definition
|
|
Term
What part(s) of the CIA triad does the Bell-LaPadula model enforce? |
|
Definition
|
|
Term
On what type of access control is Bell-LaPadula based? |
|
Definition
MAC (Mandatory Access Control) |
|
|
Term
In access control terms, what does the word dominate mean? |
|
Definition
|
|
Term
What rule states that a subject cannot read data at a higher security level? |
|
Definition
|
|
Term
What rule states that a subject cannot write information to a lower security level? |
|
Definition
*-property rule (star property) |
|
|
Term
What rule states that a subject with read/write capabilities can only do so at the same security level? |
|
Definition
strong star property rule |
|
|
Term
What is the *-integrity (star integrity) axiom? |
|
Definition
A subject cannot write data to an object with a higher integrity level.
|
|
|
Term
What is the simple integrity axiom? |
|
Definition
A subject cannot read data from a lower integrity level. |
|
|
Term
What is the invocation property? |
|
Definition
A subject cannot request service (invoke) to subjects of higher integrity. |
|
|
Term
Which goal of integrity models does Biba address? |
|
Definition
The first goal - prevent unauthorized users from making modifications |
|
|
Term
What are the main goals of integrity models? |
|
Definition
1. Prevent unauthorized users from making modifications.
2. Prevent authorized users from making improper modifications.
3. Maintain internal and external consistency. |
|
|
Term
What elements make up the Clark-Wilson Model? |
|
Definition
Users (subjects)
Transformation procedures (TPs)
Constrained data items (CDIs)
Unconstrained data item s (UDIs)
Integrity verification procedures (IVPs) |
|
|
Term
|
Definition
Transformation procedures are programmed abstract operations, such as read, write, and modify. It can also be refered to as the software that authenticates a user and then carries out the operation on behalf of the user. |
|
|
Term
|
Definition
Constrained data items can be manipulated only by TPs. Users are not allowed to modify CDIs directly. |
|
|
Term
|
Definition
A user (subject) cannot modify an object (CDI) without using a program (TP). |
|
|
Term
|
Definition
Unconstrained data items do not require as high a level of protection as CDIs and thus can be directly manipulated by the user or subject. |
|
|
Term
|
Definition
Integrity verification procedures ensure that all critical data follow the application's defined integrity rules. IVPs check that the data remains consistent after a change is applied. |
|
|
Term
Using TPs to modify CDIs is called what? |
|
Definition
A well-formed transaction. |
|
|
Term
What is a requirement within software running under the Clark-Wilson model? |
|
Definition
|
|
Term
What is the Access Control Matrix Model? |
|
Definition
A security model in which access decisions are based on object's ACLs and subjects' capability tables. |
|
|
Term
What is the Information Flow Model? |
|
Definition
A model in which information is not restricted in its flow to only go to and from entities in a way which does not negate the security policy. |
|
|
Term
What is the Noninterference Model? |
|
Definition
A model that states that commands and activities performed at one security level should be be seen by, or affect, subjects or objects at a different security level. |
|
|
Term
What is the Brewer and Nash Model? |
|
Definition
This model is also called the Chinese Wall model. It was created to protect against conflicts of interest by users' access attempts. The model was created by Microsoft to fix the conflict of interest between the Office Suite and Operating System development teams. |
|
|
Term
What is the Graham-Denning Model? |
|
Definition
A model that shows how subjects and objects should be created and deleted. It also addresses how to assign specific access rights. |
|
|
Term
What is the Lattice model? |
|
Definition
A model that protects confidentiality by defining upper and lower bounds of access (need to know) in a MAC based, clearance based approach.
For example based on your clearance your least upper bound may allow you to read a file, your greatest lower bound may NOT allow you to write to it. |
|
|
Term
What is the Take-Grant model? |
|
Definition
A model that implements a directed graph of how a subject can grant and take ownership of objects. |
|
|
Term
Security modes are used in which type of system? |
|
Definition
Mandatory access control (MAC) |
|
|
Term
What should be considered when determining the mode of an operating system? |
|
Definition
The types of users directly or indirectly connection to the system.
The type of data (classification levels, compartments, and categories) processed on the system.
The clearance levels, need to know, and formal access approvals the users will have. |
|
|
Term
What is dedicated security mode? |
|
Definition
All users have a clearance for, and a formal need to know about, all data process within the system. This mode deals with only one level of data classification and ALL users must have this level of clearance to access the system. |
|
|
Term
What is system high-security mode? |
|
Definition
When all users have a security clearance to access the information but may not have a need to know for all the information processed on the system. |
|
|
Term
What is compartmented security mode? |
|
Definition
All users have the clearance to access all information processed by the system but may be restricted from accessing some information because they do not need to know it to perform the functions of their jobs. Compartments are categories of data with a limited number of subjects cleared to access data at each level. |
|
|
Term
What is a Compartmented Mode Workstation (CPW) |
|
Definition
It enable users to process multiple compartments of data at the same time if they have the necessary clearance. |
|
|
Term
What is multilevel security mode? |
|
Definition
This mode permits two or more classification levels of information to be processed at the same time when not all of the users have the clearance or formal approval to access all the information being processed by the system.
The user cannot access all the data on the system, only what they are cleared to access.
|
|
|
Term
What is the difference between compartmented security and multilevel security? |
|
Definition
Compartmented security requires the user to have a clearance level that dominates all data on the system.
Multilevel security only requires the user to have clearance to access the data with which they will be working. |
|
|
Term
Which security model is an example of multilevel security? |
|
Definition
|
|
Term
What does TCSEC stand for? |
|
Definition
Trusted Computer System Evaluation Criteria |
|
|
Term
Which document contains the published criteria of the TCSEC? |
|
Definition
|
|
Term
What are the divisions of assurance levels provided for in the TCSEC? |
|
Definition
A. Verified protection - the highest level of assurance
B. Mandatory protection
C. Discretionary protection
D. Minimal security - lowest level of assurance. Systems that are rated at this level have failed to meet the criteria for the higher divisions |
|
|
Term
What topics are included in the criteria for an Orange Book evaluation? |
|
Definition
Security policy - must be explicit, well defined and enforced
Identification - Subjects must be uniquely identified
Labels - Access control labels must be associated properly with objects
Documentation - Must be provided (test, design and spec docs, user guides and manuals)
Accountability - Audit data must be captured
Life-cycle assurance - software, hardware and firmware must be able to be tested individually
Continuous protection - security mechanisms and the whole system must perform predictably, acceptably and continuously.
|
|
|
Term
What are the two assurance ratings that fall under Division C of the Orange Book? |
|
Definition
C1 - Discretionary Security Protection - access control is based on individuals and/or groups.
C2 - Controlled Access Protection (higher rating than C1) - Logical access control mechanisms. Object reuse must also be invoked. |
|
|
Term
What are the assurance ratings that fall under Division B of the Orange Book? |
|
Definition
B1 - Labeled Security - data objects must contain a classification label and each subject must have a clearance level.
B2 - Structured Protection - system must not allow covert channels. A trusted path must exist for logon and authentication processes. Operator and administration functions are separated within the system for more trusted and protected operational functionality.
B3 - Security Domains - more grainular protection mechanisms and unecessary code is removed. The reference monitor plays a key role in this raiting. |
|
|
Term
What is the main difference between a rating of A1 and B3? |
|
Definition
A1 rated systems have gone through a formal review process and more stringent change configuration is put in place. |
|
|
Term
What replaced the TCSEC as a evaluation methodology/standard? |
|
Definition
|
|
Term
What is the Information Technology Security Evaluation Criteria (ITSEC)? |
|
Definition
It was the first attempt at establishing a single standard for evaluating security atributes of systems and products by many European countries. |
|
|
Term
What is the difference between the rating systems of TCSEC and ITSEC? |
|
Definition
ITSEC evaluates and system's functionality and assurance mechanisms individually, providing a different rating for each. TCSEC puts functionality and assurance together under one rating. |
|
|
Term
How is functionality viewed under ITSEC? |
|
Definition
In terms of the system's security objectives, functions and mechanisms. |
|
|
Term
How is assurance viewed under ITSEC? |
|
Definition
The correctness and effectiveness of the security mechanisms and functionality. |
|
|
Term
Which evaluation standard is mostly used today? |
|
Definition
ISO 15408 - "Common Criteria" |
|
|
Term
What is the Common Criteria? |
|
Definition
An international standard for evaluation comprised of pieces of TCSEC, ITSEC, Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) and the Federal Criteria). |
|
|
Term
What rating levels make up the Common Criteria? |
|
Definition
EAL1 - Functionally tested
EAL2 - Structurally tested
EAL3 - Methodically tested and checked
EAL4 - Methodically designed, tested and reviewed
EAL5 - Semiformally designed and tested
EAL6 - Semiformally verified design and tested
EAL7 - Formally verified design and tested |
|
|
Term
What does the Common Criteria use in its evaluation process? |
|
Definition
Protection profiles and security targets. |
|
|
Term
What are protection profiles? |
|
Definition
mechanisms used to describe real-world needs of a product not currently available on the market. |
|
|
Term
What are security targets? |
|
Definition
Vendor's written explaination of the security functionality and assurance mechanisms that meet a needed security solution. "This is what our product does and how it does it." |
|
|
Term
|
Definition
The comprehensive technical evaluation of the security components and their compliance for the purpose of accreditation. |
|
|
Term
What is the goal of certification? |
|
Definition
Ensure a system, product or network is right for the customer's purposes. |
|
|
Term
|
Definition
The formal acceptance of the adequacy of a system's overall security and functionalty by management. |
|
|
Term
What are covert channels? |
|
Definition
Ways for a subject to access information in an unauthorized manner. They are used to bypass the information flow of the security model. |
|
|
Term
What are some types of covert channels? |
|
Definition
Storage - processes are able to communicate through some type of storage space on the system.
Timing - processes are able to relay information by modulating its use of system resources. |
|
|
Term
What can a user do to counter covert channels? |
|
Definition
Not much. Covert channels must be addressed when the system is constructed and developed. |
|
|
Term
What are maintenance hooks? |
|
Definition
A type of backdoor that the programmer left for easy access to the code. |
|
|
Term
What can be done to counter maintenance hooks? |
|
Definition
The developer/programmer needs to remove these prior to the software/program goes into production. Because this does not always happen, quality assurance testing should be mindful of the existance of backdoors. Users can further help protect themselves against backdoors by using HIDS, file system encryption and implementing auditing. |
|
|
Term
What are Time-of-Check/Time-of-Use (TOC/TOU) attacks? |
|
Definition
These deal with the sequence steps systems use to complete tasks. It takes advantage of the dependency on the timing of events in multitasking operating systems.
Example: If an attacker can get in between the authentication and the open of a file and exchange the non-critical file that is opened with a sensitive one, he is able to view the protected content. |
|
|
Term
What is another name for TOC/TOU? |
|
Definition
|
|
Term
What is a race condition? |
|
Definition
When multiple processes compete for the same resource.
Example: If an attacker disturbs the order successfully, he/she could be authorized before authenticated. |
|
|
Term
What can be done to avoid asynchronous attacks? |
|
Definition
The operating system should apply software locks to the items it will use while carrying out its "checking" tasks.
|
|
|
Term
What is a buffer overflow? |
|
Definition
When too much data are accepted as input to an application/operating system. |
|
|
Term
When attempting to execute a buffer overflow, what are some common commands an attacker would use to craft the attack? |
|
Definition
x90, NOP, NOOP. All of these indicate a "no operation" command and are used to help fill the memory stack and cause the overflow. |
|
|
Term
What is the best countermeasure for protecting against buffer overflows? |
|
Definition
Proper programming that includes bounds checking (input validation).
|
|
|