Term
|
Definition
| EX: Invisible ink, hidden messages in lower-order bits in image |
|
|
Term
|
Definition
Cryptology is a branch of mathematics; security is a system issue that uses cryptology. |
|
|
Term
| Cryptography always involves two things |
|
Definition
| Transformation and secret |
|
|
Term
| Security should depend only on the |
|
Definition
|
|
Term
| Message Authentication Codes (MACs) |
|
Definition
Create a hash that includes all of the data and a secret shared between sender and receiver. |
|
|
Term
|
Definition
| Additional block prepended and additional round of hashing |
|
|
Term
| What encryption algorithm makes brute force attacks harder? |
|
Definition
| DES; it limits the speed at which an attacker can compute hashed strings from candidate passwords |
|
|
Term
|
Definition
| Try a list of common passwords |
|
|
Term
|
Definition
| Use hash chains to reduce storage requirement |
|
|
Term
| Computers can only verify a “token”. What's a token? |
|
Definition
Password • Cardkey • Fingerprint • Other stuff |
|
|
Term
| What's the best technical way to get a "token"? |
|
Definition
|
|
Term
Encryption with a _____ is typically done to sign a message |
|
Definition
|
|
Term
Encryption with a _____ is done for secrecy |
|
Definition
|
|
Term
Trees (or webs) of trust • Public-key encryption • Message authentication codes • Passwords are tools for |
|
Definition
|
|
Term
| Real protocols for authentication? |
|
Definition
| Real protocols for authentication |
|
|
Term
| Real protocols for secure communications |
|
Definition
|
|
Term
|
Definition
• Provide authentication (without encryption) • Provide encryption (includes authentication) |
|
|
Term
| Digital signature is basically |
|
Definition
|
|
Term
| PGP encrypts message with |
|
Definition
|
|
Term
|
Definition
|
|
Term
| PGP uses compression for several reasons |
|
Definition
• Save message space • Reduce encryption time • Strengthen encryption: lower redundancy |
|
|
Term
| PGP uses four kinds of keys |
|
Definition
• Session keys (symmetric encryption) • Public keys (from many users) • Private keys (typically from one user) • Passphrase-based conventional keys |
|
|
Term
| Session key generation is run in which mode? |
|
Definition
|
|
Term
|
Definition
Data fragmented into blocks of 2^14 bytes or less ❖ Compression applied (optional) ❖ MAC calculated ❖ Payload & MAC encrypted ❖ Header prepended • Content type • Major & minor version • Compressed length |
|
|
Term
| Change Cipher Spec Protocol |
|
Definition
❖ Single message that contains a single byte ❖ Causes the pending state to be copied into the current state • Updates the cipher information used by this connection • State must have been set by the Handshake Protocol (more on this in a bit) |
|
|
Term
|
Definition
❖ Conveys protocol-related alerts to the peer ❖ Alert messages are compressed and encrypted (and thus secure) ❖ Message consists of exactly two bytes • Level: severity of the alert (warning or fatal) • Alert code: what kind of alert is this? • Unexpected message • Bad record MAC • Decompression failure • Handshake failure • Illegal parameter • Other possible alerts… |
|
|
Term
| SSL Handshake Protocol first phase is |
|
Definition
establish security capabilities • Exchange info • Find common ground for secure message exchange |
|
|
Term
| SSL Handshake Protocol's Second phase is |
|
Definition
authenticate server & exchange key |
|
|
Term
| SSL Handshake Protocol's third phase is |
|
Definition
authenticate client and exchange key |
|
|
Term
| SSL Handshake Protocol Fourth phase: |
|
Definition
finish up • Change_cipher_spec not really part of the handshake protocol |
|
|
Term
|
Definition
|
|
Term
| What is an intrusion, anyway? |
|
Definition
| An attempt to gain illicit access to a computer system (typically via a network) |
|
|
Term
|
Definition
❖ Masquerader • Not authorized to use the computer • Impersonates a legitimate user ❖ Misfeasor • Legitimate user who abuses his privileges • Legitimate user who accesses resources for which he’s not authorized ❖ Clandestine user • Intruder who controls system completely • Fixes up auditing and access controls to hide her accesses |
|
|
Term
|
Definition
❖ Illegal access • Intruder gains access to resources for which he’s not authorized • May not bother other users—only uses hardware and software, not data • Often used as a stepping stone to other types of intrusions ❖ Data compromise • Intruder gains access to data • Intruder may even be able to plant false data ❖ Denial of service • No access is actually gained, but… • Legitimate users can’t gain access to the resources or data either! |
|
|
Term
|
Definition
❖ Individual networks are unencrypted • No need for special software on computers • Untrusted services can run locally ❖ Connections to other networks are encrypted • Not all traffic need be encrypted • Traffic to untrusted sites runs as normal ❖ Incoming traffic is scanned for intrusions • Block traffic that might cause problems • Control the content of packets that go by |
|
|
Term
|
Definition
secure end-to-end user traffic using both authentication and encryption |
|
|
Term
|
Definition
• Strong security for traffic between firewalls • Internal network has no overhead • Resistant to bypass: if it’s in the firewall, no way to avoid using it • Transparent to applications • Transparent to users • May be implemented on a smaller scale for individuals |
|
|
Term
• Mandatory access control • Discretionary access control • Role-based access control are types of what? |
|
Definition
|
|
Term
| Discretionary access control (DAC) controls access based on |
|
Definition
• Identity of requestor • Access rules (authorizations) granted to requestor • Rules may allow requestor to pass on its access to a different entity |
|
|
Term
| Mandatory access control (MAC) controls access based on |
|
Definition
security labels (labels based on security levels (clearances)) • Requestor can’t pass on access to others |
|
|
Term
| Role-based access control (RBAC) controls access based on |
|
Definition
roles • Users assigned to roles • Assignment may be dynamic: user may have to explicitly “activate” a permitted role |
|
|
Term
| In access control terms a Unix user is a |
|
Definition
|
|
Term
| In access control terms a Unix file is a |
|
Definition
|
|
Term
| In access control terms a file access permission is a |
|
Definition
|
|
Term
|
Definition
Lists subjects, objects, and access rights. Columns are access control lists; rows are capabilities (tickets) |
|
|
Term
| An example of a protection domain is |
|
Definition
|
|
Term
| Rows of the table are called |
|
Definition
|
|
Term
|
Definition
| ❖ Database can only answer statistical queries |
|
|
Term
| Which database has the least amount of security? |
|
Definition
|
|
Term
| In database terms, policies may support |
|
Definition
• Centralized administration: all policies controlled centrally • Ownership-based administration: owner of a table controls access policies • Decentralized administration: owner of a table can allow further delegation |
|
|
Term
| In database terms, access rights |
|
Definition
• Rights include create, insert, update, delete, read, write • Granularity can vary: database, table, column, row • Rights may be data-dependent |
|
|
Term
| Three basic categories of database users |
|
Definition
• Application owner: owns DB objects • End user: operates on objects, but doesn’t own them • Administrator: makes access decisions, but might not have access to data (by default) |
|
|
Term
| Authentication can be done using any mechanism the DBMS supports |
|
Definition
• Login via password • Access from a particular machine • Access from a particular application • Authenticating via public-key methods |
|
|
Term
| Security holes can occur when assumptions about identity are violated |
|
Definition
• Application credentials are copied • DB administrator account is compromised • “Backup user” account does real queries • HVAC controls are allowed inside a “secure” network from which all accesses are allowed… |
|
|
Term
|
Definition
authorized queries can lead to deduction of unauthorized data • Combining non-sensitive items allows construction of sensitive information • Combining data items allows inference of sensitive data |
|
|
Term
| How does query size restriction prevent compromise? |
|
Definition
| limit the size of the result set |
|
|
Term
| How does query set overlap control prevent compromise? |
|
Definition
Keep a record of all previous queries • Deny queries that have too large of an overlap with prior queries |
|
|
Term
| How does partitioning prevent compromise? |
|
Definition
| Partitioning groups records into disjoint groups |
|
|
Term
| How does perturbation prevent compromise? |
|
Definition
| ❖ Instead of trying to prevent information leakage, make results fuzzy |
|
|
Term
| Securing cloud storage is possible with |
|
Definition
• Encryption to keep data safe from prying eyes • Auditing to ensure that the provider still has your data |
|
|
Term
| Malcode that requires host program |
|
Definition
-Trapdoors -Logic bombs -Trojan horses -Viruses |
|
|
Term
| Malcode that is independent |
|
Definition
|
|
Term
| ILoveYou, Melissa, Fizzer are examples of |
|
Definition
|
|
Term
|
Definition
| Program does something useful, but the designer leaves a back door through which she can get into the user's files |
|
|
Term
|
Definition
| preserve access even after someone has finished the job |
|
|
Term
| Logic bombs are like trap doors in that |
|
Definition
program usually does what it’s supposed to do |
|
|
Term
|
Definition
After a set of conditions are met, “bomb” goes off • Program refuses to run • Program runs, but gives incorrect output • Program runs, but gives subtly incorrect output |
|
|
Term
|
Definition
Payroll program refuses to run unless “N. Coder” is on the payroll • Payroll program stops, asks for password on a certain date • Payroll program rounds taxes down, gives extra fractional cents to single person |
|
|
Term
|
Definition
• Consists of relatively small amount of code • Code harmless on its own: needs a “host” program to replicate • Damage often in the form of resource usage / denial of service |
|
|
Term
|
Definition
• Compressing itself • Becoming polymorphic: changing the bytes that make up its code • Not acting until it’s ready to do damage |
|
|
Term
| For detecting viruses you should look out for |
|
Definition
-Modification times of code -MD5/SHA1 signature -Sequences of bytes that appear in the virus -Programs doing things they shouldn’t do |
|
|
Term
| How do worms differ from viruses? |
|
Definition
| typically use background processes (daemons) to run |
|
|
Term
| Buffer overflow attacks are basically |
|
Definition
| results from input that is longer than the implementor intended. |
|
|
Term
| Heap overflows can alter a program's behavior by |
|
Definition
write values to adjacent variables • Change permissions on an object • Change a program’s state (and thus behavior) • Change other “interesting” values |
|
|
Term
| Preventing buffer overflow attacks. Name three different ways |
|
Definition
Use run-time checks on all memory references • Safe languages (Python, Java, Perl, etc.) • Safe libraries for C (don’t use gets, strcpy, etc.) ❖ Separate code and data segments • Make code segment unwritable (once application is loaded) • Only allow jumps to code segment • Turn off execution bits for data segment • Check jumps as they happen (compiler-driven) ❖ Random placement of structures in memory • Makes it more difficult to write an attack that works on every invocation ❖ Static analysis • Check binary or source code ❖ “Canary words”: randomly-chosen values to detect when an overflow occurs |
|
|
Term
| Example of a format string attack |
|
Definition
char *val1 = "One thing"; char *val2 = "Another"; char *s = "%s -> %s"; /* format string held in a variable rather than a literal */ printf(s, val1, val2);
|
|
Term
| Stack smashing is a type of |
|
Definition
|
|
Term
| Code injection exploits a bug by |
|
Definition
processing invalid data which causes the program to execute instructions not originally intended by the designer |
|
|
Term
| What does Eval injection do? |
|
Definition
| pass valid code to be evaluated in a scripting language |
|
|
Term
| What does shell injection do? |
|
Definition
| pass a valid command to be run with exec (or similar) |
|
|
Term
| What does include file injection do? |
|
Definition
| pass the name of a file to be included (via HTML or otherwise) |
|
|
Term
| Best way to prevent SQL injection? |
|
Definition
| verify all inputs at the server side and use cryptographic techniques to verify veracity |
|
|
Term
| Cross-site scripting (XSS) is a type of |
|
Definition
|
|
Term
| Why is it important for server-side scripts to sanitize info from the user? |
|
Definition
the result can cause the client’s browser to do unpredictable things... • Navigate to a URL • Send data to a third site! |
|
|
Term
| Cross-site scripting injects code directing that information |
|
Definition
|
|
Term
|
Definition
| server-side or client-side |
|
|
Term
| An example of a non-persistent XSS attack |
|
Definition
| Send a link to someone that, when clicked, opens a script that runs an evil program. |
|
|
Term
| XSS example of a persistent attack |
|
Definition
| A URL containing the script that runs a bad program is already on a page, having been posted in a blog post or a comment |
|
|
Term
|
Definition
| set of software to maintain root access to a system |
|
|
Term
| Rootkits are typically installed via |
|
Definition
|
|
Term
| How do you typically recover from a rootkit attack |
|
Definition
| requires reinstalling the OS |
|
|
Term
|
Definition
❖ Intercept system calls ❖ Modify files on disk ❖ Actively counter attempts to “win back” the system |
|
|
Term
| So how can we classify malcode? |
|
Definition
• Understand techniques used by malcode • Understand how to defend against them |
|
|
Term
| How should one prevent malcode from running |
|
Definition
• Virus scanners: recognize known malcode • Firewalls: strip malcode from incoming packets • Education: make users smarter |
|
|
Term
| How can you limit damage malcode can do? |
|
Definition
• Sandbox (“playpen”, “jail”): run malcode in protected virtual machine • Reference monitors: enforce policy on execution • System maintenance |
|
|
Term
How can we ensure that software is run securely? |
|
Definition
❖ Constrain program behavior ❖ Make potentially harmful code less likely ❖ Ensure program integrity |
|
|
Term
| Reference monitors prevent against what kind of attack? |
|
Definition
|
|
Term
| How can you prevent against stack-smashing |
|
Definition
• Writes a “canary” word adjacent to the return address • If word is modified, don’t return to the address |
|
|
Term
| What's a problem of using MemGuard? |
|
Definition
| can be inefficient when many words share the same page as the return address and can be slower |
|
|
Term
| What is Software fault isolation (SFI)? |
|
Definition
| Get memory safety by inserting checking instructions around loads, stores, and jumps |
|
|
Term
| What provides reference monitors for most security-critical resources? |
|
Definition
|
|
Term
| OS systems as reference monitors use very ___ -grained monitoring |
|
Definition
|
|
Term
|
Definition
a software construct that only allows access to a limited set of resources |
|
|
Term
| What is the goal of sandboxing? |
|
Definition
| Limit the damage malcode can do |
|
|
Term
| If a vendor refuses to provide source code they may |
|
Definition
|
|
Term
| How can you tell a program was written in a safe language? |
|
Definition
• Get the source code and compile it • Special compilation service signs object files generated from the safe language • Verify that object files preserve safety properties of source language (Java) |
|
|
Term
| What does Bytecode verifier do? |
|
Definition
❖ Checks that JVML code satisfies Java™’s safety properties ❖ Type safe – stack and variable slots must store and load as same type ❖ Memory safe (guaranteed by instruction set) ❖ Control flow safe: jumps must be within function, or call/return |
|
|
Term
| Biggest problem in security with Python |
|
Definition
| eval-type calls could be evaluating anything |
|
|
Term
| In Python, everything is a |
|
Definition
|
|
Term
| Often better to have testing done by someone who |
|
Definition
|
|
Term
| Error handling is typically easier to |
|
Definition
| do with exception handling rather than extensive checking |
|
|
Term
| With code to update a password record elevate to root only in the code |
|
Definition
| that actually updates the password file |
|
|
Term
| Users can control their execution environment with |
|
Definition
• Loaded libraries • Default search paths for binaries • Environment variables |
|
|
Term
| You might think that ls is a harmless program, but it need not be… |
|
Definition
libc can easily be modified and then used in a program that runs as root! |
|
|
Term
| To ensure that code is from a “reputable” place you should |
|
Definition
| Get it only from the author and use cryptographic techniques: sign the code (actually a hash of the code) with the author’s private key and make the public key widely known |
|
|
Term
| What are the problems of signed code? |
|
Definition
How do we check the signature? What if someone steals the private key? What if the author knowingly (or unknowingly) signs malcode? Individual modules are signed, but the collective program has a security hole |
|
|
Term
| For content-derived names you should |
|
Definition
| Name code objects with cryptographic hashes |
|
|
Term
| Statistical anomaly detection |
|
Definition
• Produce a profile of the normal behavior of each user (or independent of user) • Notice statistical deviations from that behavior |
|
|
Term
|
Definition
• Think really hard and make up rules that describe intruder behavior • Hope intruders can’t read and figure out the rules also • Lay traps that normal users won’t trigger… |
|
|
Term
| How do you detect SYN floods |
|
Definition
| Firewall (or other gateway) notices large number of SYN packets but few ACK packets |
|
|
Term
|
Definition
Firewall temporarily suspends delivery of SYN packets. Unfortunately, nobody can connect to those hosts while they’re being protected |
|
|
Term
| For network intrusion detection you should |
|
Definition
❖ Monitor activity on many hosts ❖ Aggregate audit records to detect anomalous behavior • Innocuous behavior on several (individual) hosts may signal an intrusion • Example: limited (or slow) port scan across many computers in sequence ❖ Managed Security Monitoring (Counterpane, Inc.) |
|
|
Term
| Network intrusion detection you should |
|
Definition
| scan computers sequentially |
|
|
Term
| For network intrusion detection firewalls should |
|
Definition
| examine all packets, take action against the intruder; should see all port-scan packets destined for any computer |
|
|
Term
| If all of network attacks come from one IP address you should |
|
Definition
| check for network-type attacks coming from a small set of IP addresses |
|
|
Term
| Rule-based intrusion detection example is |
|
Definition
set up fake user accounts and passwords and make them more than one character different from “real” user names. If someone attempts to log into a fake account several times, it’s probably an intruder |
|
|
Term
| Rule-based intrusion detection example of a simple rule is |
|
Definition
| all data sent to the SMTP (mail) port must be textual, and must have line length < 80 |
|
|
Term
Rule-based intrusion detection example |
|
Definition
| Simple rule: incoming HTTP packets may not contain Java applets |
|
|
Term
| A problem with Rule-based intrusion detection is you can’t tell the difference between “good” and “bad” Java so what should you do? |
|
Definition
| Try to recognize incoming Java known as malicious. Also try to recognize attacks by keeping signatures of Java files that have come in recently, to prevent repeat offenders. |
|
|
Term
| A Rule-based intrusion detection for malware is |
|
Definition
| user-run programs should never change ownership of a file to root |
|
|
Term
| Intrusion detection & prevention is hard you should use |
|
Definition
|
|
Term
| Service control in firewalls |
|
Definition
• Determine which services can be accessed • Disallow those that might be risky |
|
|
Term
| Direction control in firewalls |
|
Definition
• Control the direction in which certain services are available • Network Address Translation may help with this… |
|
|
Term
| User control in firewalls |
|
Definition
Control access to services based on user • Requires that users authenticate themselves somehow |
|
|
Term
| Behavior control in firewalls |
|
Definition
• Disallow dangerous behaviors • Example: filter email for viruses • Example: allow only certain types of HTTP requests |
|
|
Term
| The rules of firewall packet filters are based on |
|
Definition
• IP addresses • Protocol • Port number • Packet content? |
|
|
Term
| What are the limits of firewall filtering |
|
Definition
❖ Firewall can only filter on individual packet contents ❖ May be vulnerable to address spoofing Better solution: allow firewall to filter on entire sessions, not just individual packets |
|
|
Term
| Stateful Packet Inspection (SPI) |
|
Definition
Keep track of history of packets • Allow filtering and actions based upon history! |
|
|
Term
| To protect your networks against intruders you should deploy |
|
Definition
• Application-level gateways (proxy servers) • Circuit-level gateways (SOCKS) • Bastion hosts • Honeypots |
|
|
Term
| You should run applications on proxy server that relay information between inside and outside like |
|
Definition
| HTTP Proxy and mail servers |
|
|
Term
| A single point to secure makes security easier, but what are the drawbacks? |
|
Definition
| Slower and you have to set up a proxy for every protocol |
|
|
Term
| Circuit-level gateway (SOCKS) |
|
Definition
❖ Proxy server requires one proxy per application ❖ Circuit gateway does its work at the TCP level |
|
|
Term
| What are the advantages for Circuit-level gateway (SOCKS) |
|
Definition
• Simpler than using a separate proxy for each service • Other advantages of proxy server (monitoring, etc.) |
|
|
Term
| Drawbacks of Circuit-level gateway (SOCKS) |
|
Definition
• May require changes on client side • Still somewhat slow: SOCKS server acts as relay |
|
|
Term
| This single server is often called a |
|
Definition
|
|
Term
| Bastion host can have simpler, more secure code |
|
Definition
• Proxies are often smaller than full servers • Proxies need not perform disk access • Proxies don’t permanently store any sensitive data • Proxies can run as normal users (not root) |
|
|
Term
| For good defense how many firewalls and bastion hosts should you have |
|
Definition
|
|
Term
|
Definition
❖ To keep the system safe, set up resources that an attacker can (relatively easily) get a hold of ❖ Make sure that these resources can’t lead to further break-ins ❖ Keep the intruder on the system as long as possible to trace where he’s coming from! |
|
|
Term
| Disadvantage of making a honeypot on VM is |
|
Definition
| A smart hacker knows if the system is running in a VM |
|
|
Term
| For honeypots in VM you should |
|
Definition
• Restrict calls that read or write the file system • Limit the ability to create new processes or allocate memory • Limit the programs that are available |
|
|
Term
| The issues of using VMs as sandboxes are |
|
Definition
• Performance is a bit slower • Intruders may be able to compromise the underlying hypervisor: very difficult to respond in this case! • Taking down a hypervisor kills many VMs! • Intruder may be able to override resource isolation |
|
|
Term
| What should you do if an intrusion is detected in sandbox? |
|
Definition
❖ Log intruder’s actions to a “safe” computer ❖ Contact system administrator (email and/or page) ❖ Shut down system ❖ Do several of the above |
|
|
Term
| How would you restore from an attack |
|
Definition
❖ Restore files from a backup ❖ Reinstall as much as you can ❖ Use a file system that doesn’t overwrite in place |
|
|
Term
| How would one perform a basic DoS attack? |
|
Definition
• Use buffer overflows to subvert local programs • More common: use remote systems to send a flood of requests at the server |
|
|
Term
| How do you deal with botnets? |
|
Definition
❖ Go after a botnet by attacking its control nodes ❖ Behavior-based tracking: figure out who’s sending messages to the zombie computers ❖ Code analysis: read the code and use that to find the address on the zombie computers |
|
|
Term
| What are the challenges in intrusion detection |
|
Definition
❖ The first thing a smart intruder will do is tamper with the intrusion detection system! ❖ Few activities are either obviously normal or obviously malicious ❖ False positives dilemma |
|
|
Term
|
Definition
|
|
Term
|
Definition
| that it meets the necessary security requirements |
|
|
Term
| The different types of security policies are |
|
Definition
|
|
Term
| General goal of security policies is |
|
Definition
|
|
Term
|
Definition
❖ Information ranked by sensitivity level ❖ Information access limited by “need-to-know” ❖ Access to information requires |
|
|
Term
|
Definition
No security clearances (usually) No dominance function (usually) |
|
|
Term
| Security model based on this approach is |
|
Definition
|
|
Term
| Bell-La Padula confidentiality model |
|
Definition
❖ Basis for Department of Defense evaluation criteria ❖ Information flows up! |
|
|
Term
|
Definition
Ordering is on integrity: I(s) or I(o) • Write: s can write o only if I(s) ≥ I(o) • Read: if s has read access to o, s can have write access to p iff I(o) ≥ I(p) |
|
|
Term
| Bell-La Padula and Biba only address |
|
Definition
|
|
Term
| Security considerations have to be central in designing a |
|
Definition
|
|
Term
| Security in normal operating systems |
|
Definition
❖ User authentication ❖ Memory protection ❖ Access controls for files & I/O devices ❖ Allocation controls for objects ❖ Sharing enforcement: require users to share resources ❖ Guarantee of fair service ❖ Interprocess communication ❖ Self-protection: OS must guard its own data ❖ All of these are necessary for minimal security |
|
|
Term
| Mandatory (non-discretionary) access control centralizes access control decisions: |
|
Definition
• Owner of an object can’t decide on access to it • Access rights granted by higher-level policy • Example: military security • Users can’t determine the access rights for their own objects |
|
|
Term
| For deleting data it is best to |
|
Definition
• Overwrite space with a fixed pattern (usually 0s or 1s) • Overwrite space several times with fixed or random pattern |
|
|
Term
| Intruder may spoof a login screen or other access mechanism, so what do you do to make it safe? |
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
| portion of the security kernel that actually controls accesses to objects |
|
|
Term
| TCB: all of the parts of the trusted OS that we have to trust |
|
Definition
• Security kernel / reference monitor (of course) • Processes • Memory management • Interprocess communication • Some files |
|
|
Term
|
Definition
Process activation • Execution domain (protection domain) switching • Memory protection • I/O operations & protection |
|
|
Term
| Structuring OS for secure design tips |
|
Definition
❖ Layering is a good idea • Put more security-critical functions (as in the TCB) in the innermost layer • Layers towards the outside are less trusted • Can’t modify structures in inner layers • Inner layers can (possibly) modify things in outer layers ❖ Trust the inner layers more • Security kernel fully (?) trusted • Outer layers not trusted as much ❖ Isolation improves security and trust |
|
|
Term
| A goal of securing your system is |
|
Definition
| make it more difficult to compromise |
|
|
Term
| For planning security you should set a plan with |
|
Definition
• Policy • Current state • Requirements • Recommended controls • Accountability • Timetable • Continuing attention |
|
|
Term
| What does the system need to do to ensure a “secure” environment? |
|
Definition
|
|
Term
|
Definition
|
|
Term
| Important to treat risk analytically |
|
Definition
• Risk impact: what if something bad happens? • Risk probability: how likely is the risk to occur? • Risk control: can we make the risk less likely to occur? • How much does it cost to do this? • Risk exposure: impact * probability |
|
|
Term
| Why is understanding risk difficult? |
|
Definition
❖ Risk is emotional ❖ Some risks are too infrequent to worry about ❖ People are bad at estimating risk ❖ People worry about things about which they can do nothing |
|
|
Term
| For risk analysis your assets are |
|
Definition
• Hardware & software • Data • People (time!) |
|
|
Term
| Policy must identify balance needs of groups like |
|
Definition
• Users: people who use the resources • Owners: people who own the resources • Beneficiaries: people who benefit from the resources |
|
|
Term
| What makes a good policy? |
|
Definition
❖ Coverage ❖ Realism ❖ Usefulness ❖ Durability CRUD |
|
|
Term
| Non-technical threats often are |
|
Definition
• Localized (weather, vandalism, etc.) • Somewhat random (though not always) |
|
|
Term
|
Definition
| See what’s on the screen using EM radiation |
|
|
Term
|
Definition
information that belongs to someone • Book • Movie • Program • Secret formula |
|
|
Term
| Intellectual property may be protected by |
|
Definition
• Copyright • Patent • Trade secret |
|
|
Term
|
Definition
❖ Designed to protect the expression of ideas ❖ Limited in time ❖ Public domain |
|
|
Term
| Copyrighted item is subject to |
|
Definition
|
|