
Page 1: Architecture Security and Design

SECURITY ARCHITECTURE & MODELS

Question 1

1. Which TCSEC (Orange Book) level requires the system to clearly identify functions of security administrator to perform security-related functions?

a) C2

b) B1

c) B2

d) B3

Question 1: Answer

d) B3

TCSEC level B2 requires the system to support separate operator and administrator roles, but only levels B3 (and A1) require the system to clearly identify the functions of the security administrator for performing security-related functions.

Question 2

2. Which of the following statements pertaining to the trusted computing base (TCB) is false?

a) It addresses the level of security a system provides.

b) It originates from the Orange Book.

c) It includes hardware, firmware and software.

d) A higher TCB rating will require that details of their testing procedures and documentation be reviewed with more granularity.

Question 2: Answer

a) It addresses the level of security a system provides.

The TCB addresses the level of trust, not the level of security.

Question 3

3. The Orange Book is founded upon which security policy model?

a) The Biba Model

b) The Bell LaPadula Model

c) Clark-Wilson Model

d) TEMPEST

Question 3: Answer

b) The Bell LaPadula Model

The Bell-LaPadula model is the security policy model on which the Orange Book requirements are based. From the Orange Book definition, "A formal state transition model of computer security policy that describes a set of access control rules."

Question 4

4. Which security model introduces access to objects only through programs?

a) The Biba model

b) The Bell-LaPadula model

c) The Clark-Wilson model

d) The information flow model

Question 4: Answer

c) The Clark-Wilson model

The Clark-Wilson model prevents authorized users from making unauthorized modifications by requiring them to go through programs to modify objects.

Question 5

5. What does it mean if a system uses "Trusted Recovery"?

a) A single account on the system has the administrative rights to recover or reboot the system after a crash.

b) A failure or crash of the system cannot be used to breach security.

c) The recovery process is done from media that have been locked in a safe.

d) There is no such principle as "Trusted Recovery" in security.

Question 5: Answer

b) A failure or crash of the system cannot be used to breach security.

Systems with Trusted Recovery must fail gracefully and not leave the information in an unprotected state when they do so (i.e. a box that functions as a firewall, and which routes packets after the firewall process has crashed is not using Trusted Recovery.)

Question 6

6. What is necessary for a subject to have read access to an object in a Multi-Level Security Policy?

a) The subject's sensitivity label must dominate the object's sensitivity label

b) The subject's sensitivity label subordinates the object's sensitivity label

c) The subject's sensitivity label is subordinated by the object's sensitivity label

d) The subject's sensitivity label is dominated by the object's sensitivity label

Question 6: Answer

a) The subject's sensitivity label must dominate the object's sensitivity label

The subject's sensitivity label must dominate the object's sensitivity label for a subject to have read access to an object in a Multi-Level Security Policy.

Question 7

7. Which criteria effort was the first to introduce the notions of integrity and availability?

a) The Information Technology Security Evaluation Criteria

b) The Canadian Trusted Computer Product Evaluation Criteria

c) The Trusted Computer System Evaluation Criteria

d) The Common Criteria

Question 7: Answer

b) The Canadian Trusted Computer Product Evaluation Criteria

The first (1987) version of the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) is an extension of the TCSEC, in which the notions of integrity and availability first surface in an evaluation standard.

Question 8

8. At what Orange Book evaluation levels is configuration management required?

a) C1 and above

b) C2 and above

c) B1 and above

d) B2 and above

Question 8: Answer

d) B2 and above

Systems passing evaluation at B2 and above must have mathematical and automated proof that the design specifications actually match the system policies.

Question 9

9. What does the * (star) property mean in the Bell-LaPadula model?

a) No write up

b) No read up

c) No write down

d) No read down

Question 9: Answer

c) No write down

The * (star) property of the Bell-LaPadula access control model states that a subject at a higher level of sensitivity is not permitted to write information to an object at a lower level of sensitivity (no write down).

Question 10

10. According to the Orange Book, which security level is the first to require a system to protect against covert timing channels?

a) A1

b) B3

c) B2

d) B1

Question 10: Answer

b) B3

B1 does not address covert channels.

B2 requires a system to protect against covert storage channels but does not address covert timing channels.

B3 and A1 both address covert storage channels and covert timing channels and must perform a covert channel analysis for both types.

Question 11

11. Which of the following security models does not concern itself with the flow of data?

a) The information flow model

b) The Biba model

c) The Bell-LaPadula model

d) The noninterference model

Question 11: Answer

d) The noninterference model

The concept of noninterference is implemented to ensure that any actions that take place at one security level are not seen by, and do not interfere with, subjects or objects at a lower level. This type of model does not concern itself with the flow of data, but with what a subject knows about the state of the system. The Bell-LaPadula and Biba models use an information flow model.

Question 12

12. Which of the following statements pertaining to the ITSEC is false?

a) The functionality is rated from F1 to F10.

b) It is only used in Europe, not internationally.

c) The assurance is rated from E1 to E10.

d) Most ITSEC ratings can be mapped to the Orange Book ratings, but ITSEC took a step farther and added more levels to address specific needs not covered by the TCSEC.

Question 12: Answer

c) The assurance is rated from E1 to E10.

Information Technology Security Evaluation Criteria (ITSEC) is used only in Europe. Whereas TCSEC combines functionality and assurance, ITSEC separates these two attributes and rates them separately. Functionality is rated from F1 to F10 and assurance is rated from E0 (D) to E6 (A1), not E1 to E10.

Question 13

13. Which TCSEC level introduces formal covert channel analysis?

a) B1

b) B2

c) B3

d) A1

Question 13: Answer

d) A1

Although B2 and B3 are concerned with covert channels, only level A1 involves a formal covert channel analysis.

Question 14

14. Which of the following addresses a portion of the primary memory by specifying the actual address of the memory location?

a) direct addressing

b) absolute addressing

c) implied addressing

d) indexed addressing

Question 14: Answer

a) direct addressing

Direct addressing addresses a portion of the primary memory by specifying the actual address of the memory location.

Question 15

15. What mechanism does a system use to compare the security labels of a subject and an object?

a) Validation Module

b) Reference Monitor

c) Clearance Check

d) Security Module

Question 15: Answer

b) Reference Monitor

A reference monitor compares the sensitivity labels of subjects and objects to determine if the subject has rights to access the object.

Question 16

16. Which of the following Orange Book ratings represents the highest security level?

a) B1

b) B2

c) F6

d) C2

Question 16: Answer

b) B2

The classification goes from A (highest) to D (lowest) and can have numbered divisions, where a higher number represents a new set of requirements, thus a higher security level.

Question 17

17. Device labels are required for which of the following Orange Book ratings?

a) C2

b) B1

c) B2

d) D6

Question 17: Answer

c) B2

B2: Structured Protection: the security policy is clearly defined; subjects and devices require labels and the system must not allow covert (storage) channels; Trusted Facility Management, which means a separation of the SysAdmin and SysOperator roles.

B1: Labeled Security: each data object has a classification label and each subject has a clearance label; the system checks one against the other.

Question 18

18. What can be defined as an abstract machine that mediates all access to objects by subjects to ensure that subjects have the necessary access rights and to protect objects from unauthorized access?

a) The reference monitor

b) The security kernel

c) The trusted computing base

d) The security domain

Question 18: Answer

a) The reference monitor

The reference monitor is an abstract machine that mediates all access to objects by subjects to ensure that subjects have the necessary access rights.

It also protects objects from unauthorized access and destructive modifications.

The security kernel is made up of mechanisms that fall under the TCB and enforces the reference monitor concept.

A security domain defines which objects are available to a subject.

Question 19

19. What does the * (star) integrity axiom mean in the Biba model?

a) No read up

b) No write down

c) No read down

d) No write up

Question 19: Answer

d) No write up

The * (star) integrity axiom of the Biba access control model states that a subject at one level of integrity is not permitted to modify an object at a higher level of integrity (no write up).

Question 20

20. CC stands for:

a) enCrypted Communication

b) Common Criteria for Information Security Evaluation

c) Certificate Creation

d) Circular Certificate rollover

Question 20: Answer

b) Common Criteria for Information Security Evaluation

The other options are invalid.

Question 21

21. What can best be described as a domain of trust that shares a single security policy and single management?

a) The reference monitor

b) A security domain

c) The security kernel

d) The security perimeter

Question 21: Answer

b) A security domain

A security domain is a domain of trust that shares a single security policy and single management. The reference monitor is an abstract machine which must mediate all access by subjects to objects, be protected from modification, be verifiable as correct, and be always invoked. The security kernel is the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept. The security perimeter includes the security kernel as well as other security-related system functions that are within the boundary of the trusted computing base. System elements that are outside of the security perimeter need not be trusted.

Question 22

22. What is another name for the Orange Book?

a) The Trusted Computer System Evaluation Criteria (TCSEC)

b) The Trusted Computing Base (TCB)

c) The Information Technology Security Evaluation Criteria (ITSEC)

d) The Common Criteria (CC)

Question 22: Answer

a) The Trusted Computer System Evaluation Criteria (TCSEC)

The Trusted Computer System Evaluation Criteria (TCSEC) was developed by the U.S. Department of Defense and published in a book with an orange cover, thus the name Orange Book.

Question 23

23. Which of the following describes a logical form of separation used by secure computing systems?

a) Processes use different levels of security for input and output devices.

b) Processes are constrained so that each cannot access objects outside its permitted domain.

c) Processes conceal data and computations to inhibit access by outside processes.

d) Processes are granted access based on granularity of controlled objects.

Question 23: Answer

b) Processes are constrained so that each cannot access objects outside its permitted domain.

Constraining processes so that each cannot access objects outside its permitted domain is a logical form of separation used by secure computing systems.

Question 24

24. Mandatory Access Control (MAC) requires that sensitivity labels be attached to all objects. Which of the following would be designated as objects on a MAC system?

a) Files, directories, processes, and sockets

b) Devices, processes and sockets

c) Users, windows, and programs

d) Files, directories and devices

Question 24: Answer

d) Files, directories and devices

MAC designates things that can take an action (users, programs and processes) as subjects, and the things that they can act upon (files, directories, devices, windows, and sockets) as objects. Both subjects and objects in MAC systems must have an associated sensitivity label.
