Unit 2 - Introduction to Computer Security

Question 1

What is computer security?

Answer 1

Computer security is the protection of the items that a subject values, called the assets ofa computer or computer systems.

Assets: hardware, software,data,people,processes,reputation,…: their value is subjective:based on the asset owner’s or user’s perspective.

Another definition: Computer security deals with the prevention and detection of unauthorizedaccess by users of a computer system.

Question 2

What are the three different types of security violations?

Answer 2

In 1972 James Anderson identified three different types of security violation in computer systems:

• unauthorised information release;
• unauthorised information modification;
• unauthorised denial of use

Question 3

What is a security policy?

Answer 3

A statement that defines the security objectives of an organization; it has to state what needs to be protected; it may also indicate how this is to be done.

Question 4

Why might security violations occur?

Answer 4

Security violations mightoccur because of:

• inadequate physical controls (enabling an attacker to gain physical access to the target system);
• inadequate controls within the computer system (enabling an attacker to make unauthorised access to information stored and processed within the system, as well as to the system itself).

Question 5

What is a bug?

Answer 5

A software bug is an error, flaw, failure or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways.

Examples: mistakes and errors in a program’s source code, its design, in components,and operating systems

The term “bug” was used in an account by Grace Hopper, who publicized the cause of a malfunction in an early electromechanical computer.

“In 1946, when Hopper was released from active duty, she joined the Harvard Faculty at the Computation Laboratory where she continued her work on the Mark II and Mark III. Operators traced an error in the Mark II to a moth trapped in a relay, coining the term bug. This bug was carefully removed and taped to the log book. Stemming from the first bug,today we call errors or glitches in a program a bug.”

Question 6

What is a vulnerability?

Answer 6

Avulnerability is a flaw in the design or implementation of a computer system that could lead to a security violation.

Examples of vulnerabilities include:

• program bugs, i.e. errors in programs (including both design errors and implementation errors);
• misuse of program features, i.e. features designed for a valid purpose but which can be misused;
• configuration errors;
• poor choices for passwords;
• flawed management of passwords.

A vulnerability represents a threat to the security of a system.

Question 7

What is the lifecycle of a vulnerability?

Answer 7

A vulnerability life goes through several phases:

• Discovery-time: the time of the discovery of the vulnerability, and recognized to pose a security threat.
• Exploit-time: the earliest date an exploit for a vulnerability is available.
• Disclosure-time: first date a vulnerability is disclosed on a channel, which is freely available,trusted,and it has undergone a deep analysis.
• Patch-time: the earliest date the vendor/developer releases a fix, a patch or a workaround that provides protection for the vulnerability.

Question 8

What is a zero-day vulnerability?

Answer 8

A zero-day vulnerability (0-day vulnerability) is an undisclosed computer-software vulnerability that attackers can exploit to adversely affect computer programs, data, additional computers or a network. It is known as a “zero-day” because it is not publicly reported or announced before becoming active, leaving the software’s author with zero days in which to create patches or advise workarounds to mitigate against its actions. Zero-day attacks can occur because a vulnerability window exists between the time a threat is released and the time security vendors release patches.Zero-day attacks are a severe threat.

Question 10

Where can you find a list of known vulnerabilities?

Answer 10

Common Vulnerabilities and Exposures (CVE) - Database of known security vulnerabilities and exposures

Question 11

What is CVSS?

Answer 11

Common Vulnerability Scoring System (CVSS) - Standard measurement system to score vulnerability impact

Question 12

What is exposure?

Answer 12

An information security “exposure” is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network. CVE considers a configuration issue or a mistake an exposure if it does not directly allow compromise but could be an important component of a successful attack, and is a violation of a reasonable security policy. An “exposure” describes a state in a computing system (or set of systems) that is not a vulnerability, but either:

• allows an attacker to conduct information gathering activities
• allows an attacker to hide activities
• includes a capability that behaves as expected, but can be easily compromised
• is a primary point of entry that an attacker may attempt to use to gain access to the system or data
• is considered a problem according to some reasonable security policy

Question 13

What are some examples of exposures?

Answer 13

Examples of exposures include:

• running services such as finger (useful for information gathering, though it works as advertised)
• inappropriate settings for Windows NT auditing policies (where “inappropriate” is enterprise-specific)
• running services that are common attack points (e.g., HTTP, FTP, or SMTP)
• use of applications or services that can be successfully attacked by brute force methods (e.g., use of trivially broken encryption,or a small key space).

Question 14

What are the three metrics CVSS is composed of?

Answer 14

• Base: represents the intrinsic and fundamental characteristics of a vulnerability that are constantover time and user environments.
• Temporal: represents the characteristics of a vulnerability that change over time but not among user environments.
• Environmental: represents the characteristics of a vulnerability that are relevant and unique to a particular user’s environment.

Question 15

What are some other vulnerability scoring systems?

Answer 15

ERT/CC produces a numeric score ranging from 0 to 180 but considers such factors as whether the Internet infrastructure is at risk and what sort of preconditions are required to exploitthe vulnerability.

The SANS vulnerability analysis scale considers whether the weakness is found in default configurations or clientor server systems.

Microsoft’s proprietary scoring system tries to reflect the difficulty of exploitation and the overall impactofthe vulnerability

Question 16

What is the CVSS vector?

Answer 16

When the base metrics are assigned values, the base equation calculates a score ranging from 0 to 10,and a vector is created.

The vector facilitates the “open” nature of the framework. It is a text string that contains the values assigned to each metric, and it is used to communicate exactly how the score for each vulnerability is derived.

Question 17

What is the latest version of CVSS and what did it include?

Answer 17

The new version is CVSS v3.0.

New metrics such as Scope (S) and User Interaction (UI) were added including old metrics such as Authentication (Au) being changed to newer ones such as Privileges Required(PR).

The Environmental Metrics group also saw an new addition with the Modified Base Metrics, allowing analysts to customize CVSS scores based on the host that has been affected in the analyst’s organisation,making it contextual when required to be

Question 18

What is a threat?

Answer 18

A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.

In computer security a threat is a possible danger that might exploit a vulnerability to breach security and therefore cause possible harm.

A threat can be either “intentional” (e.g., an individual cracker or a criminal organization) or “accidental” (e.g., the possibility of a computer malfunctioning, or natural disasters, such as an earthquake,a fire, or a tornado).

Question 19

What must an attacker know in order to exploit a vulnerability?

Answer 19

A vulnerability might be exploited by an attacker to create a security violation. In order to exploitthe vulnerability:

• the attacker must know about the vulnerability:
  
  • for example, if an attacker doesn’t know of the existence of a potential buffer over-run in a program, then the attacker cannot exploit this vulnerability;
• the attacker must be able to exploitthe vulnerability:
  
  • if the computer system can detect buffer over-runs at run-time, then a buffer over-run vulnerability cannotbe exploited.

Question 20

Where can attacks come from and which pose the biggest threat?

Answer 20

When we discuss security, we will often refer to attackers, i.e. active opponents of system security.

There are, of course, many types of attacker, each of which poses different threats. It is important to be aware of possible attacks from both insiders (individuals with legitimate access to parts of system) and outsiders (other parties).

Insider attacks are a huge threat in practice,and are difficultto defend against

Question 21

What are the phases of an attack?

Answer 21

• Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
• Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
• Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USBdrives)
• Exploitation: Malware weapon’s program code triggers, which takes action on target network to exploit vulnerability.
• Installation: Malware weapon installs access point (e.g., “backdoor”) usable by intruder.
• Command and Control: Malware enables intruder to have “hands on the keyboard” persistent access to target network.
• Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration,data destruction,or encryption for ransom.

Question 22

What is STRIDE?

Answer 22

STRIDE is a system developed by Microsoft for thinking about computer security threats. It provides a mnemonic for security threats in six categories.

Spoofing: an agent pretends to be somebody else (e.g., to avoid responsibility or misuse authority).

Tampering: violates the integrity of an asset (e.g., security settings are changed).

Repudiation: an agent denies having performedan action to escape responsibility.

Information disclosure: violates the confidentiality of an asset.

Denial of service: violates the availability ofan asset.

Elevation of privileges: an agent gains more privileges beyond its entitlement

Question 23

What is DREAD?

Answer 23

DREAD is part of a system for risk-assessing threats that provides a mnemonic for risk rating using five categories:

Damage - how bad would an attack be?

Reproducibility - how easy is it to reproduce the attack?

Exploitability - how much work is it to launch the attack?

Affected users - how many people will be impacted?

Discoverability - how easy is it to discover the threat?

E.g. (damage): If a threat exploitoccurs,how much damage will be caused? 0 = Nothing 5 = Individual user data is compromised or affected. 10 = Complete system or data destruction

Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS+ DISCOVERABILITY)/ 5

Question 24

What does an attacker need to ensure access?

Answer 24

An attacker must have three things to ensure access: method, opportunity and motive.

Method (how): skills, knowledge,tools,…

Opportunity (when): time and access to execute an attack

Motive (why) :a reason to want to attack, Money, Fame, Self-esteem, Politics, Terror

Question 25

What is a countermeasure?

Answer 25

A countermeasure (control) is an action, device, process, procedure, technique, or mechanism thatremoves (or partially address/reduce) a vulnerability. E.g.: a patch to a software vulnerability A threat is blocked by control of a vulnerability. If the defender removes (controls/patches) a vulnerability, the attacker cannot attack.

Question 26

What is risk analysis?

Answer 26

The notion of assessing the importance of each threat to a system, thereby leading to an assessment of whether it should be combated, is the essence of Risk Analysis. Risk Analysis involves not just listing possible threats, but also assessing the likelihood oftheir being realised,and also the potential costto the system user. The product of the probability of occurrence and the cost of the threat’s realisation gives an indication of the ‘cost’ of the threat. If combating the threat will cost significantly more than the cost of the threat, then it will probably not be worth taking countermeasures. I.e. the cost of living with some threats (e.g., low level theft which can be quantified) may be less then the cost of combating them. There exist risk analysis tools, e.g. CRAMM, which mechanise the risk analysis process by leading the user through a series of questions, the answers to which are processed by the tool.

Question 27

What is the standard risk model?

Answer 27

Standard risk model: Risk = Likelihood \* Impact Impact: the potential harm (the amountof damage) an attack can cause. Factors for estimating likelihood * Threat: skills,motive,opportunity,… * Vulnerability: easy of discovery, easy of exploit, awareness, detection, stealthiness Factors for estimating impact: * Technical impact: loss of integrity, confidentiality,availability * Business impact: financial damage, reputation damage, non-compliance, privacy violation

Question 28

What is CIA?

Answer 28

There are three well-established goals for computer security: * Confidentiality – i.e. prevention of unauthorised information release; * Integrity – i.e. prevention of unauthorised information modification; * Availability – i.e. prevention ofunauthoriseddenial of use. These security goals map one-to-one to the three types of security violation identified by James Anderson. Each security goal is met if the corresponding security violation does notoccur. Unfortunately, it is difficult to anticipate all possible ways in which an attacker might (try to) cause a security violation. Achieving these goals is therefore difficult in practice.

Question 29

What is confidentiality?

Answer 29

Confidentiality is about preventing users reading information to which they are not entitled. Traditionally, the notions of security and confidentiality were often confused. For example, in a military environment, security was traditionally associated with keeping information secret, e.g. by using ciphers to protect communicated information. The general notion of security as being something broader than just confidentiality is something that has evolved with the broader use of computing from the 1960s onwards.

Question 30

What is integrity?

Answer 30

There are various definitions for Integrity. However, most of them come down to some formal version of requiring that things are as they should be. In the context of computing, integrity is about preventing users writing information when they do not have the necessary authorisation. In this sense it is the formal dual of confidentiality (which is about preventing unauthorised reading of information). In the context of a computer system, integrity can be defined as ensuring that the system state has not been modified by those notauthorised to do so. In the context of data communication, data integrity has acquired a subtly distinct meaning. Typically, in this context integrity refers to the detection (and subsequent correction) of modifications to transmitted data, since if data is sent through a public channel,preventing modifications (deliberate or accidental) is normally impossible. Integrity is often a prerequisite for other security properties. For example, if the integrity of an Operating System’s access control system could be violated, then file confidentiality mightbe breached.

Question 31

What is availability?

Answer 31

Availability can be defined as ensuring that the services provided by a system are accessible on demand by an authorised entity. Availability covers areas beyond the normal scope of security. For example, much of the technology required to ensure availability comes from areas such as fault tolerant computing. For the purposes of security we are primarily concerned with preventing attackers preventing legitimate users gaining access to their systems. Such attacks are known as denial of service (DoS) attacks. I.e. we are mainly concerned with defeating deliberate rather than accidental loss of availability. This gives a useful analogy with data integrity where security is normally concerned with protecting systems against deliberate loss of integrity (caused by malicious parties) rather then accidental loss of integrity, which is typically combated using a combination of non security technologies such as error-control coding and back-up procedures. Examples of denial of service attacks include Internet ‘flooding’ attacks, where the attacker(s) overwhelm a server by sending it large numbers of connection requests (an example of a Distributed DoS (DDoS) attack). Availability may often be the most important security property, but there are relatively few effective mechanisms available to help provide it.

Question 32

What are some other security goals?

Answer 32

There are a number of other important goals and issues relating to security, arguably not covered by CIA. These include: * Authentication; * accountability (non-repudation); * reliability (including fault tolerance) * security event management(relating to auditability).

Question 33

What is accountability?

Answer 33

The traditional trio of security services (or goals), i.e. Confidentiality, Integrity and Availability, are all primarily concerned with preventing undesired events. However, in practice not all improper actions can be prevented, since authorised actions may cause security violations, and new security flaws are very often found in current systems. Thus, in order to deal with security breaches as and when they occur, users must be held accountable for their actions,including system misuse. This is typically done by securely identifying users, and keeping an audit trail of security-relevant events, i.e. a sequence of ‘records’ containing event information. In the event of a security violation, the audit trail can be inspected for evidence to help identify the perpetrator of fraud. Also, in the event of disputes, the audit trail may help resolve ‘who did what’.

Question 34

What is reliability?

Answer 34

Security is related to reliability and safety. These are notions used in connection with systems which must perform properly even in adverse conditions, e.g. nuclear power station and aircraft control systems. Because of possible confusion in the scope of terms such as reliability and security, dependability is sometimes used to encompass both security and reliability. Not only are the goals of security and reliability related, but similar methods are often used for evaluation of systems with respect to their security and reliability properties. For example, the issue of assurance is vital in both secure and reliable systems, and, at the highest level, in both cases this is dealt with using formal methods

Question 35

What are some other aspects of security?

Answer 35

* security event reporting (i.e. putting in place a defined procedure for reporting and managing security breaches or other suspicious events); * security awareness training (i.e. training staff to be aware of security and privacy issues,including their legal obligations);and * business continuity planning (BCP), which includes disaster recovery planning (i.e. putting in place measures to allow rapid resumption of IT functions after a major event, such as a natural disaster

Question 36

What is privacy?

Answer 36

In the past, the word privacy was often used as a synonym for confidentiality. However, today the word is usually used to refer to the protection of personal data, or Personally Identifiable Information (PII) as it is known. Privacy covers a range of topics, including giving users control over their own PII, and requirements on data holders to look after PII properly. Privacy in this sense is not really part of security, although enforcing privacy relies on the provision of security. That is, protecting user privacy requires the correct implementation of security measures, but security does not necessarily require user’s privacy rights to be enforced.

Question 37

What do the terms confidentiality, privacy and secrecy mean?

Answer 37

“**Confidentiality** involves an obligation to protect some other person’s or organization’s secrets if you know them.” “**Privacy** is the ability and/or right to protect your personal information and extends to the ability and/or right to prevent invasions of your personal space (the exact definition of which varies quite sharply from one country to another). Privacy can extend to families butnot to legal persons such as corporations.” “**Secrecy** is a technical term which refers to the effect of the mechanisms used to limit the number of principals who can access information, such as cryptography or computer access controls.”

Question 38

What is unlinkability, anonymity and pseudonymity?

Answer 38

**Unlinkability**: two or more items of interest (e.g., messages, actions, events, users) are unlinkable if an attacker cannot sufficiently distinguish whether they are related or not. **Anonymity**: a subject (user) is anonymous if it cannot be identified within a given anonymity setof subject. When transactions or communications provide with linkable anonymity, then we are dealing essentially with pseudonyms: if the link between true names and identifiers (pseudonyms) is persistent and unforgeable, that is only a particular user (group of users) can use a pseudonym,we call such a property **pseudonymity**.

Question 39

What is PII?

Answer 39

PII is any information aboutan individual maintained by an agency,including: 1. any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth,mother’s maiden name,or biometric records 2. any other information that is linked or linkable to an individual, such as medical,educational,financial,and employmentinformation.

Question 40

What is sensitive PII?

Answer 40

Sensitive PII is PII, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Not all PII is sensitive. For example, information on a business card or in a public phone directory is PII, but in most cases not Sensitive PII, because it is usually widely available public information.

Question 41

What is network security?

Answer 41

Network security is primarily concerned with the protection of data in transit. A number of measures can be used to provide such protection (typically based on the use of cryptography): * messages can be encrypted to preventunauthorised users from readingdata; * messages can include integrity checks so that modification to the data can be detected; * protocols can be designed so that an exchange of messages leads to mutual authentication and/or key exchange,thereby ‘bootstrapping’ other security services

Question 42

What is computer security concerned with?

Answer 42

Computer security is primarily concerned with the protection of data stored (and processed) in main memory or in secondary memory. A variety of measures can be used to provide such protection (typically rule-based): * traditionally, cryptographic techniques (e.g. encryption and MACing) are rarely used as the main method of protection, although techniques from network security are used in distributed systems to secure the messages that are exchanged between system components (and encryption is sometimes used to protect entire storage media); * authorisation policies are used to determine whether an attempt to read or modify data is authorised; * access control mechanisms are used to enforce the intent of authorisation policies

Question 43

What are the two categories of security techniques?

Answer 43

There are two fundamental categories of security techniques: * **preventative measures**: which aim to enforce (maintain) security, i.e. to prevent bad things from happening; * **reactive measures**: which aim to detect and react to security breaches after they have occurred. In practice, it is necessary to deploy both types of technique, since, while prevention of security breaches is clearly the goal, it can never be guaranteed. Detection is perhaps the most challenging aspect since only once issues have been detected can appropriate countermeasures be taken.

Question 44

How do computer security services protect a resource?

Answer 44

Most computer security services build a logical or ‘virtual’ wall around a protected resource. The system designers: * define particular entry points to the resource; * place a guard (typically a program) at each entry point – these guards (which are examples of security controls) need to be trusted.

Question 45

Why is memory protection important?

Answer 45

Authentication and authorisation services are implemented by the operating system. The programs that provide these services, and the data these services maintain, reside in main memory. Hence: * if the contents of main memory cannot be protected, then these services can be compromised; * if these services can be compromised then security violations can occur. As a result, memory protection is arguably the fundamental protection mechanism in computer security.

Question 46

Whay is authentication important?

Answer 46

The correctidentification ofusers is a prerequisite for authorisation and audit: * if the authentication service can be bypassed or tricked, then unauthorised users can masquerade as authorised users; * if you don’t know the identity of a user you cannot tell whether or not the user should be allowed to access a protected resource, and you cannot determine with confidence who accessed a resource in the past(i.e. auditing is notreliable); * without auditfacilities itis impossible to provide accountability (User) authentication provides a vital link between a user’s identity and the programs executed by the user. This link is crucial for access control, audit and other operating system functions. However, in practice, authentication mechanisms are often quite weak. For example, passwords remain the dominant technique for user authentication, despite the fact that the technology is often easily broken.

Question 47

What is the authorisation service responsible for and what else can it be referred to as?

Answer 47

The security policy in force (i.e. the current set of rules governing how security should be managed in a system) may specify that users have certain access rights to particular files or other resources. For example,the policy might specify that: * bob can read data.txt; * sally can read and write data.txt The authorisation service is responsible for encoding and enforcing the access policy (whatever itis). The correctoperation ofthe service relies on: * memory protection, since the encoded policy mustbe protected from modification; * authentication, since it must be able to reliably identify the authorised users who are the subjects of the security policy. In practice,this service is often referred to as the access control system.

Question 48

What is the relationship between the user, the operating system (and the authentication and authorisation services), the file system, and the underlying hardware (including the memory protection service)?

Answer 48

Question 49

Why do you need to detect a security violation?

Answer 49

So far we have only considered preventativemeasures. In particular: * memory protection prevents unauthorised access to memory locations; * authentication prevents unauthorised use ofa computer system; * authorisation prevents unauthorised use of computer resources. We also need to detect if a security violation has occurred, so that we can: * respond to the violation; * patch the vulnerability that led to the violation; * restore the system to a secure state.

Question 50

What are some detection services?

Answer 50

Detection services include audit,intrusion detection and tamper detection: * audit services typically record events generated by the authentication and authorisation services; * pattern matching can be used to detect anomalous or unusual system behaviour (this is what intrusion detection systems do); * cryptographic techniques can be used to detect changes to stored data or programs (in much the same way as changes to data during transmission can be detected).

Question 51

What do event detection services involve?

Answer 51

Event detection services involve three main activities: * logging events; * analysing events; and * notifying administrators when possible suspicious behaviour is detected. These activities are determined by the system configuration process, that determines: * which user accounts do you monitor and which events do you record? * what should your analysis achieve? * who do you alert when the analysis reveals a security problem? These activities need to be governed by an enterprise audit policy.

Question 52

What is the security policy in regards to the OS?

Answer 52

The security functionality in an OS is typically configurable, e.g. to allow users to specify access control settings to files and other resources managed by the system. The term security policy refers to a particular set of configuration options for a computer system. The security policy should reflect the security objectives of the owner of the system and of the data it processes. Indeed, the term security policy is sometimes also used to refer to the underlying rules (objectives) that the system owner wishes to enforce. Of course, if the system does not have the configuration options to enforce the objectives of the system owner then there is a problem! This underlines the need for the purchaser of a system to have in mind any particular security objectives when makingthe purchasing decision.

Question 53

What is a reference monitor, subject and object?

Answer 53

The concept of a reference monitor was introduced in the early 1970s. It is defined to be: * *the computer subsystem that enforces the authorised relationships between the subjects and objects of a system;* The authorised relationships are defined in the security policy, i.e. the implicit or explicit set of rules defining who is allowed to do what. The reference monitor enforces the security policy. In this context the subjects are parties which want to access a resource (e.g. to read a file or execute a program),and the objects are the resources (e.g.files).

Question 54

What is the reference validation mechanism?

Answer 54

A reference monitor is an abstract concept. An implementation of a reference monitor is called a reference validation mechanism in the Orange Book. The reference validation mechanism is also more commonly known as the security kernel or access control mechanism. The Orange Book identifies the following ‘ideal’ list of design requirements for a reference validation mechanism: * it should be tamper-proof; * it should notbe possible to circumvent; * it should be possible to prove its correctness.

Question 55

What is the trusted computing base?

Answer 55

A computing platform (i.e. the computer hardware and the operating system) provides security functions on behalf ofits owners/authorised users. * It allows authorised users to access shared resources on request; * It can support many different types of resources and many different types of userresource interaction; * It can provide confidentiality and integrity services for stored data; The part of a computer system that is responsible for controlling access to computing resources is called the trustedcomputing base (TCB). The TCB clearly includes the reference validation mechanism. The term TCB is widely used in the context of building secure computer systems. We take our definition from the Orange Book. The Orange Book states that: * *The heart of a trusted computer system is the Trusted Computing Base (TCB) which contains all of the elements of the system responsible for supporting the security policy and supporting the isolation of objects (code and data) on which the protection is based.*

Question 56

What does the TCB include?

Answer 56

The TCB includes: * the data that is used to encode the security policy; * that part of the operating system (or other software) that implements the reference monitor; * the hardware and those parts of the operating system that protect the reference monitor and the security policy.

Question 57

Why is isolation of objects necessary?

Answer 57

Isolation of objects is necessary to protect one object from another, and to prevent a subject with access to one object gaining access to another object. The isolation of objects which reside in main memory relies on memory protection. Memory protection relies on: * correct translation of virtual addresses to physical addresses; * data structures maintained by the operating system. Therefore,the TCB includes: * the memory management unitofthe processor; * that part of the operating system responsible for maintaining page tables. In addition,the TCB will typically include: * the authentication system; * the file system (or that part of the operating system responsible for mediating access to files).

Question 58

What is the trusting computing base (external sources)?

Answer 58

The TCB is the total combination of protection mechanisms with a computer system. Elements of the TCB enforce the security policy of the system and do not violate it -------------------------------------------------------------------------- The trusted computing base (TCB) of a computer system is the set of all hardware, firmware, and/or software components that are critical to its security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system. By contrast, parts of a computer system outside the TCB must not be able to misbehave in a way that would leak any more privileges than are granted to them in accordance to the security policy. The careful design and implementation of a system's trusted computing base is paramount to its overall security. Modern operating systems strive to reduce the size of the TCB so that an exhaustive examination of its code base (by means of manual or computer-assisted software audit or program verification) becomes feasible. The term trusted computing base goes back to Rushby,[1] who defined it as the combination of kernel and trusted processes. The latter refers to processes which are allowed to violate the system's access-control rules. -------------------------------------------------------------------------- In other words, a given piece of hardware or software is a part of the TCB if and only if it has been designed to be a part of the mechanism that provides its security to the computer system. In operating systems, this typically consists of the kernel (or microkernel) and a select set of system utilities (for example, setuid programs and daemons in UNIX systems). In programming languages that have security features designed in such as Java and E, the TCB is formed of the language runtime and standard library

Question 59

What is a trusted entity?

Answer 59

A trusted entity (in the context of computer security) is defined to be an entity that can break the security policy butis trusted not to do so; * the operating system is trusted; * some ‘superuser’ computer accounts, such as root in Unix systems, are trusted; * all trusted programs and trusted users must be thoroughly checked to establish trustworthiness. Roughly speaking,all trusted programs are contained in the TCB: * to reduce the threat posed by trusted programs (and to minimise the size of the TCB), the number oftrusted programs should be as small as possible.