Term
|
Definition
| International standard that provides guidelines on how to create and maintain system architectures. |
|
|
Term
| central processing unit (CPU) |
|
Definition
| A silicon component made up of integrated chips with millions of transistors that carry out the execution of instructions within a computer. |
|
|
Term
| arithmetic logic unit (ALU) |
|
Definition
| Component of the CPU that carries out logic and mathematical functions as they are laid out in the programming code being processed by the CPU. |
|
|
Term
|
Definition
| Part of the CPU that oversees the collection of instructions and data from memory and how they are passed to the processing components of the CPU. |
|
|
Term
|
Definition
| Small, temporary memory storage units integrated and used by the CPU during its processing functions. |
|
|
Term
|
Definition
| Temporary memory location the CPU uses during its processes of executing instructions. It is the ALU’s “scratch pad,” used while carrying out logic and math functions. |
|
|
Term
|
Definition
| Temporary memory locations that hold critical processing parameters. They hold values such as the program counter, stack pointer, and program status word. |
|
|
Term
|
Definition
| Holds the memory address for the following instructions the CPU needs to act upon. |
|
|
Term
|
Definition
| Memory segment used by processes to communicate instructions and data to each other. |
|
|
Term
|
Definition
| Condition variable that indicates to the CPU what mode (kernel or user) instructions need to be carried out in. |
|
|
Term
| User mode (problem state) |
|
Definition
| Protection mode that a CPU works within when carrying out less trusted process instructions. |
|
|
Term
| Kernel mode (supervisory state, privilege mode) |
|
Definition
| Mode that a CPU works within when carrying out more trusted process instructions. The process has access to more computer resources when working in kernel versus user mode. |
|
|
Term
|
Definition
| Physical connections between processing components and memory segments used to communicate the physical memory addresses being used during processing procedures. |
|
|
Term
|
Definition
| Physical connections between processing components and memory segments used to transmit data being used during processing procedures. |
|
|
Term
| Symmetric mode multiprocessing |
|
Definition
| When a computer has two or more CPUs and each CPU is being used in a load-balancing method. |
|
|
Term
| Asymmetric mode multiprocessing |
|
Definition
| When a computer has two or more CPUs and one CPU is dedicated to a specific program while the other CPUs carry out general processing procedures. |
|
|
Term
|
Definition
| Program loaded in memory within an operating system. |
|
|
Term
|
Definition
| Interleaved execution of more than one program (process) or task by a single operating system. |
|
|
Term
|
Definition
| Simultaneous execution of more than one program (process) or task by a single operating system. |
|
|
Term
|
Definition
| Multitasking scheduling scheme used by older operating systems to allow for computer resource time slicing. Processes had too much control over resources, which would allow for the programs or systems to “hang.” |
|
|
Term
|
Definition
| Multitasking scheduling scheme used by operating systems to allow for computer resource time slicing. Used in newer, more stable operating systems. |
|
|
Term
| Process states (ready, running, blocked) |
|
Definition
| Processes can be in various activity levels. Ready = waiting for input. Running = instructions being executed by CPU. Blocked = process is “suspended.” |
|
|
Term
|
Definition
| Values assigned to computer components (hardware and software) to allow for efficient computer resource time slicing. |
|
|
Term
|
Definition
| Interrupt value assigned to a noncritical operating system activity. |
|
|
Term
|
Definition
| Interrupt value assigned to a critical operating system activity. |
|
|
Term
|
Definition
| Instruction set generated by a process when it has a specific activity that needs to be carried out by an operating system. When the activity is finished, the thread is destroyed. |
|
|
Term
|
Definition
| Applications that can carry out multiple activities simultaneously by generating different instruction sets (threads). |
|
|
Term
|
Definition
| Two processes cannot complete their activities because they are both waiting for system resources to be released. |
|
|
Term
|
Definition
| Protection mechanism provided by operating systems that can be implemented as encapsulation, time multiplexing of shared resources, naming distinctions, and virtual memory mapping. |
|
|
Term
| Dynamic link libraries (DLLs) |
|
Definition
| A set of subroutines that are shared by different applications and operating system processes. |
|
|
Term
|
Definition
| Beginning of address space assigned to a process. Used to ensure a process does not make a request outside its assigned memory boundaries. |
|
|
Term
|
Definition
| Ending of address space assigned to a process. Used to ensure a process does not make a request outside its assigned memory boundaries. |
|
|
Term
|
Definition
| Memory sticks that are plugged into a computer’s motherboard and work as volatile memory space for an operating system. |
|
|
Term
|
Definition
| Nonvolatile memory that is used on motherboards for BIOS functionality and various device controllers to allow for operating system-to-device communication. Sometimes used for off-loading graphic rendering or cryptographic functionality. |
|
|
Term
|
Definition
| Physically mapping software to individual memory segments. |
|
|
Term
|
Definition
| Fast and expensive memory type that is used by a CPU to speed up read and write operations. |
|
|
Term
|
Definition
| Hardware addresses used by the CPU. |
|
|
Term
|
Definition
| Indirect addressing used by processes within an operating system. The memory manager carries out logical-to-absolute address mapping. |
|
|
Term
|
Definition
| Memory construct that is made up of individually addressable buffers. Process-to-process communication takes place through the use of stacks. |
|
|
Term
|
Definition
| Too much data is put into the buffers that make up a stack. Common attack vector used by hackers to run malicious code on a target system. |
|
|
Term
| Address space layout randomization (ASLR) |
|
Definition
| Memory protection mechanism used by some operating systems. The addresses used by components of a process are randomized so that it is harder for an attacker to exploit specific memory vulnerabilities. |
|
|
Term
| Data execution prevention (DEP) |
|
Definition
| Memory protection mechanism used by some operating systems. Memory segments may be marked as nonexecutable so that they cannot be misused by malicious software. |
|
|
Term
|
Definition
| Tool that marks unused memory segments as usable to ensure that an operating system does not run out of memory. |
|
|
Term
|
Definition
| Combination of main memory (RAM) and secondary memory within an operating system. |
|
|
Term
|
Definition
| Software or hardware signal that indicates that system resources (i.e., CPU) are needed for instruction processing. |
|
|
Term
|
Definition
| Set of operations and commands that can be implemented by a particular processor (CPU). |
|
|
Term
|
Definition
| Specific design of a microprocessor, which includes physical components (registers, logic gates, ALU, cache, etc.) that support a specific instruction set. |
|
|
Term
| Application programming interface |
|
Definition
| Software interface that enables process-to-process interaction. Common way to provide access to standard routines to a set of software programs. |
|
|
Term
| Monolithic operating system architecture |
|
Definition
| All of the code of the operating system working in kernel mode in an ad hoc and nonmodularized manner. |
|
|
Term
| Layered operating system architecture |
|
Definition
| Architecture that separates system functionality into hierarchical layers. |
|
|
Term
|
Definition
| Use of segregation in design decisions to protect software components from negatively interacting with each other. Commonly enforced through strict interfaces. |
|
|
Term
|
Definition
| Reduced amount of code running in kernel mode carrying out critical operating system functionality. Only the absolutely necessary code runs in kernel mode, and the remaining operating system code runs in user mode. |
|
|
Term
| Hybrid microkernel architecture |
|
Definition
| Combination of monolithic and microkernel architectures. The microkernel carries out critical operating system functionality, and the remaining functionality is carried out in a client/server model within kernel mode. |
|
|
Term
|
Definition
| When the CPU has to change from processing code in user mode to kernel mode. This is a protection measure, but it causes a performance hit. |
|
|
Term
|
Definition
| Creation of a simulated environment (hardware platform, operating system, storage, etc.) that allows for central control and scalability. |
|
|
Term
|
Definition
| Central program used to manage virtual machines (guests) within a simulated environment (host). |
|
|
Term
|
Definition
| Strategic tool used to dictate how sensitive information and resources are to be managed and protected. |
|
|
Term
|
Definition
| A collection of all the hardware, software, and firmware components within a system that provide security and enforce the system’s security policy. |
|
|
Term
|
Definition
| Trustworthy software channel that is used for communication between two processes that cannot be circumvented. |
|
|
Term
|
Definition
| Mechanism used to delineate between the components within and outside of the trusted computing base. |
|
|
Term
|
Definition
| Concept that defines a set of design requirements of a reference validation mechanism (security kernel), which enforces an access control policy over subjects’ (processes, users) ability to perform operations (read, write, execute) on objects (files, resources) on a system. |
|
|
Term
|
Definition
| Hardware, software, and firmware components that fall within the TCB and implement and enforce the reference monitor concept. |
|
|
Term
| Multilevel security policies |
|
Definition
| Outlines how a system can simultaneously process information at different classifications for users with different clearance levels. |
|
|
Term
|
Definition
| This is the first mathematical model of a multilevel security policy that defines the concept of a secure state and necessary modes of access. It ensures that information only flows in a manner that does not violate the system policy and is confidentiality focused. |
|
|
Term
| Bell-LaPadula model - simple security rule |
|
Definition
| A subject cannot read data at a higher security level (no read up). |
|
|
Term
| Bell-LaPadula model - *-property rule |
|
Definition
| A subject cannot write to an object at a lower security level (no write down). |
|
|
Term
| Bell-LaPadula model - strong star property rule |
|
Definition
| A subject can perform read and write functions only to the objects at its same security level. |
|
|
Term
|
Definition
| A formal state transition model that describes a set of access control rules designed to ensure data integrity. |
|
|
Term
| Biba model - simple integrity axiom |
|
Definition
| A subject cannot read data at a lower integrity level (no read down). |
|
|
Term
| Biba model - *-integrity axiom |
|
Definition
| A subject cannot modify an object in a higher integrity level (no write up). |
|
|
Term
|
Definition
| This integrity model is implemented to protect the integrity of data and to ensure that properly formatted transactions take place. It addresses all three goals of integrity: |
|
|
Term
|
Definition
| This is a model in which information is restricted in its flow to only go to and from entities in a way that does not negate or violate the security policy. |
|
|
Term
|
Definition
| This formal multilevel security model states that commands and activities performed at one security level should not be seen by, or affect, subjects or objects at a different security level. |
|
|
Term
|
Definition
| This model allows for dynamically changing access controls that protect against conflicts of interest. Also known as the Chinese Wall model. |
|
|
Term
|
Definition
| This model shows how subjects and objects should be created and deleted. It also addresses how to assign specific access rights. |
|
|
Term
| Harrison-Ruzzo-Ullman model |
|
Definition
| This model shows how a finite set of procedures can be available to edit the access rights of a subject. |
|
|
Term
| Assurance evaluation criteria |
|
Definition
| “Checklist” and process of examining the security-relevant parts of a system (TCB, reference monitor, security kernel) and assigning the system an assurance rating. |
|
|
Term
| Trusted Computer System Evaluation Criteria (TCSEC) |
|
Definition
| (aka Orange Book) U.S. DoD standard used to assess the effectiveness of the security controls built into a system. Replaced by the Common Criteria. |
|
|
Term
| Information Technology Security Evaluation Criteria (ITSEC) |
|
Definition
| European standard used to assess the effectiveness of the security controls built into a system. |
|
|
Term
|
Definition
| International standard used to assess the effectiveness of the security controls built into a system from functional and assurance perspectives. |
|
|
Term
|
Definition
| Technical evaluation of the security components and their compliance to a predefined security policy for the purpose of accreditation. |
|
|
Term
|
Definition
| Formal acceptance of the adequacy of a system’s overall security by management. |
|
|
Term
|
Definition
| Designs are built upon accepted standards to allow for interoperability. |
|
|
Term
|
Definition
| Designs are built upon proprietary procedures, which inhibit interoperability capabilities. |
|
|
Term
|
Definition
| Code within software that provides a back door entry capability. |
|
|
Term
| Time-of-check/time-of-use (TOC/TOU) attack |
|
Definition
| Attacker manipulates the “condition check” step and the “use” step within software to allow for unauthorized activity. |
|
|
Term
|
Definition
| Two or more processes attempt to carry out their activity on one resource at the same time. Unexpected behavior can result if the sequence of execution does not take place in the proper order. |
|
|