DAN CISSP NOTES - 2018
Domain 3 Security Engineering bounds; that process runs in isolation.
Do you know these already? If no, please refer back to your
resources, if yes, march on:
Secure system design principles, system capabilities and
architecture, security models (BLP, Biba, Clark-Wilson, etc...),
TCB, Evaluation models (TCSEC, ITSEC and CC), Certification
and Accreditation Systems, Vulnerabilities, Threats, and
Countermeasures, Cryptography (Symmetric, Asymmetric and
Hashing), Physical security requirements.
System Engineering is interdisciplinary approach to translating
DOMAIN 3 | SECURITY ENGINEERING
users’ needs into the definition of a system, its architecture and
design through an iterative process that result in an effective
operational system. Systems engineering applies over the
entire life cycle, from concept development to final disposal
ISO/IEC 15288:2008 An international system engineering
standard covering processes and lifecycle stages. It defines a
set of processes divided into four categories: technical, project,
agreement, and enterprise.
System Capabilities
Confinement (Sandboxing) allows a process to read from and
write to only certain memory locations and resources.
Can be implemented through:
-The OS itself (process isolation, memory protection)
-Confinement applications and services.
-Virtualization (VMware)
Bounds (Kernel or User?) the bound of a process consist of
limits set on the memory addresses and resources it can
access.
Logical segmentation of memory area for each process to use,
more secure ð physical bounds (...and more expensive)
Isolation when a process is confined through enforcing access
ii. It must be invoked for every access attempt (impossible to
Any behaviour will affect ONLY the memory and resources
associated with the isolated process.
Fundamental Concepts of Security Models
WHAT | Explicit set of rules that a computer can follow to
implement the fundamental security concepts that makes up the
security policy.
HOW | provides a way for designers to map abstract
statements into a security policy.
WHY | Developers can be sure their security implementation
supports the security policy.
T C B ð Orange Book (a combination of hardware, software,
and controls that work together to form a trusted base to
enforce your security policy)
It should be as small as possible so that it can be easily
verified.
TCB’s Security Perimeter is an imaginary boundary that
separates the TCB from the rest of the system.
Trusted Paths are secure channel that communicates the TCB
with the rest of the system.
According to the TCSEC, trusted paths are required for high
trust level systems such as those at level B2 or higher of
TCSEC.
Reference Monitor (The Law) is part of the TCB that validates
access to every resource prior to granting access requests.
Security Kernel (The enforcer) is collection of components in
the TCB that work together to implement reference monitor
functions (H/W and S/W)
The Security Kernel requirements:
i. It must provide isolation and the processes must be
tamperproof.
circumvent, foolproof)
iii. It must be small enough to be easily verified
16
State Machine Model
State of a machine is captured in order to verify the security of a
system.
State consists of all current permissions and instances of
subjects accessing the objects.
Always secure no matter what state it is in!
Finite state machine (FSM) (external input + internal machine
state) = all kinds of complex systems.
State transition (accepting input or producing output) = new
state.
This model is the basis for most other security models.
Bell-LaPadula Model
remember these keywords regarding BLP
(Confidentiality, DoD, Information flow, Lattice, 1st mathematical
model, Multilevel, Secure state)
The BLP model prevents the leaking transfer of classified info.
It does not address covert channels.
Two Access Rules:
Simple Security Property – no read up
Security Property (“Star*” Security Property) – no write down
Two Object Label Rules:
-Strong and Weak Tranquillity Property - security labels will
not change while the system is operating.
-Weak Tranquillity Property - security labels will not change in
a way that conflict with defined security properties.
Exception to BLP: A trusted subject is allowed to violate the *
Security Property and perform a write-down, which is necessary
when performing valid object declassification or reclassification.
Advance and Protect The Profession