Conklin Sec+ Ch. 12 - 14
Mobile OSs come in two main types:
Apple's iOS and Google's Android OS.
PRC stands for
Platform Configurations Register (PRC).
Common Criteria stands for
Common Criteria for Information Technology Security Evaluation
SED stands for
self-encrypting disk (SED)
__ and __ are methods of implementing cryptographic protection on hard disk drives and other similar storage media with the express purpose of protecting the data even if the disk drive is removed from the machine.
Full disk encryption (FDE); self-encrypting disks (SEDs)
What is the primary purpose of the TPM?A. To store encryption keys and make them inaccessible via normal software channels B. To ensure platforms can run in a trusted environment C. To facilitate storage of keys in the machine's normal storage D. To safely use system-provided key generation and storage and random number generation capabilities
A
Describe Wi-Fi-Enabled MicroSD Cards
A class of Wi-Fi-enabled MicroSD cards was developed to eliminate the need to move the card from device to device to move the data. Primarily designed for digital cameras, these cards are very useful for creating Wi-Fi devices out of devices that had an SD slot. These devices work by having a tiny computer embedded in the card running a stripped-down version of Linux. One of the major vendors in this space uses a stripped-down version of BusyBox and has no security invoked at all, making the device completely open to hackers. Putting devices such as these into an enterprise network can introduce a wide variety of unpatched vulnerabilities.
For reasons of economics, portability, and functionality, the vast majority of appliances OSs are built using a __ OS.
Linux-based
Which of the following is true concerning verification? (Choose all that apply.) A. Ensuring the code does what the code is supposed to do, verification, is more complex than just running the program and looking for runtime errors. B. Verification also checks whether the program specification captures the requirements from the customer. C. Verification is simple on a case-by-case basis, but when a program has many interdependent calculations, verifying that the results match the desired design model can be a fairly complex task. D. Verification is the process of checking that the software developed meets the model specification.
A, C, and D. Ensuring the code does what the code is supposed to do,verification, is more complex than just running the program and looking for runtime errors. The program results for a given set of inputs need to match the expected results per the system model. For instance, if applying a simple mathematical operation, is the calculation correct? This is simple to verify on a case-by-case basis, but when a program has many interdependent calculations, verifying that the result matches the desired design model can be a fairly complex task. Verification is the process of checking that the software developed meets the model specification.Validation is the process of checking whether the program specification captures the requirements from the customer.
Code analysis can be performed at which of the following levels of development? (Choose all that apply.)A. Unit levelB. Subsystem levelC. System level D. Complete application
ABCD
Secure Boot performs all of the following except: A. It provides all approved drivers needed. B. It enables attestation that drivers haven't changed since they were approved. C. It only allows signed drivers and OS loaders to be invoked. D. It blocks malware that attempts to alter the boot process.
A. Secure Boot does not provide all drivers; rather, it ensures they are signed and unchanged.
Which of the following are elements of software development that will help to improve the security of code? (Choose all that apply.) A. Input validationB. Proper error and exception handlingC. Cross-site scripting mitigationsD. Patch management
ABC
Microsoft has two mechanisms that are part of the OS to control which users can use which applications: • User account level control: Enforced via
AppLocker, a service that allows granular control over which users can execute which programs. Through the use of rules, an enterprise can exert significant control over who can access and use installed software.
Describe Appliance OSs
Appliances are stand-alone devices, wired into the network and designed to run an application to perform a specific function on traffic. These systems operate as headless servers, preconfigured with applications that run and perform a wide range of security services on the network traffic that they see. For reasons of economics, portability, and functionality, the vast majority of appliances OSs are built using a Linux-based OS. As these are often customized distributions, keeping them patched becomes a vendor problem because most IT people aren't properly trained to manage that task. Enterprise class intrusion detection appliances, loss prevention appliances, backup appliances, and more, are all examples of systems that bring Linux OSs into the enterprise, but not under the enterprise patch process, for the maintenance is a vendor issue.
Which of the following is not true about HSMs? A. They are devices used to manage or store encryption keys. B. Their limiting factor is performance. C. They allow the use of keys without exposing them to host-based threats. D. They typically have tamper-protection mechanisms to prevent physical access.
B
Which of the following statements is not true?A. Embedded systems are designed with a single control purpose in mind and typically have no additional functionality. B. Embedded systems are free of risk or security concerns. C. Embedded is the name given to a computer that is included as an integral part of a larger system. D. Embedded systems can be as complex as the tens of interconnected embedded systems in a modern automobile.
B
Where should all errors/exceptions be trapped and handled?A. In the main program or routing that called the routine that generated the error/exceptionB. In the generating routine itselfC. In a special routine designed to handle all errors/exceptionsD. In a separate routine designed to handle each specific error/exception
B. All errors/exceptions should be trapped and handled in the generating routine.
What term is used to refer to testing a system under a controlled speed environment?
Load testing
Which of the following is a more formal, larger software update that addresses many software problems, often containing enhancements or additional capabilities as well as fixes for known bugs? A. HotfixB. Service packC. PatchD. Rollup
C
Which of the following is true about what is known as dead code?A. Dead code is code that is never executed and thus can be removed from the program without a negative impact. B. Dead code is code that is never executed but should remain in the program because removing it may have unintended consequences. C. Dead code is code that while it may be executed, the results that it produces are never used elsewhere in the program. There are compiler options that can remove dead code, which is called dead code elimination, but these must be used with care because dead code elimination may have unintended consequences. D. Dead code is code that while it may be executed, the results that it produces are never used elsewhere in the program. It should be removed through automated or manual means to improve the program.
C. Dead code is code that while it may be executed, the results that it obtains are never used elsewhere in the program. There are compiler options that can remove dead code, called dead code elimination, but these options must be used with care because dead code elimination may have unintended consequences.
Which of the following methodologies is a structured process that is built around user stories that are used to architect requirements in an iterative process that uses acceptance testing to create incremental advances? A. AgileB. ScrumC. Extreme Programming (XP)D. Waterfall
C. Extreme programming (XP) is a structured process that is built around user stories. These stories are used to architect requirements in an iterative process that uses acceptance testing to create incremental advances. Agile methods are not a single development methodology, but a whole group of related methods. Designed to increase innovation and efficiency of small programming teams, Agile methods rely on quick turns involving small increases in functionality. The waterfall model is a development model based on simple manufacturing design. The work process begins with the requirements analysis phase and progresses through a series of four more phases, with each phase being completed before progressing to the next phase. The Scrum programming methodology is built around a 30-day release cycle.
What distinguishes real-time operating systems (RTOSs) from general- purpose operating systems? A. Unlike RTOSs, most general-purpose operating systems handle interrupts within defined time constraints. B. Unlike general-purpose OSs, most RTOSs are capable of multitasking by design. C. Unlike RTOSs, most general-purpose operating systems are multitasking by design. D. Unlike general-purpose OSs, RTOSs are designed to handle multiple threads.
C. One thing that distinguishes real-time operating systems (RTOSs) from general-purpose operating systems is that most general-purpose operating systems are designed for multitasking.
Which of the following is true about printers and multifunction devices?A. They rely on the computer to manage the printing and scanning processes. B. Because of their long history and widespread use, security is designed into these products. C. These devices communicate in a bidirectional fashion, accepting print jobs and sending back job status, printer status, and so forth. D. So far, they have not been shown to be hackable or capable of passing malware from the printer to the computer.
C. Printers and multifunction devices communicate in a bidirectional fashion, accepting print jobs and sending back job status, printer status, and so forth.
Which of the following is not true about systems on a chip?A. They provide the full functionality of a computing platform on a single chip. B. They typically have low power consumption and efficient design. C. Programming of SoC systems can occur at several different levels and thus potential risks are easily mitigated. D. Because these devices represent computing platforms with billions of devices worldwide, they have become a significant force in the marketplace.
C. Programming of SoC systems can occur at several different levels and thus potential risks are difficult to mitigate.
__ encompasses the processes used to inspect code for weaknesses and vulnerabilities. __ can be divided into two forms: static and dynamic.
Code analysis
Describe Compiled vs. Runtime Code
Compiled code is code that is written in one language, then run through a compiler and transformed into executable code that can be run on a system. Compilers can do many things to optimize code and create smaller, faster- running programs on the actual hardware. But compilers have problems with dynamic code capable of changing at runtime. Interpreters create runtime codethat can be executed via an interpreter engine, like a Java virtual machine (JVM), on a computer system. Although slower than compilers in execution, there are times that interpreters excel. To run a program with a compiler, the compiler first has to compile the source program into the target program and then load and execute the target program. These steps must all occur, and can take time. With an interpreter, the interpreter manages the conversion of the high-level code into the machine code on the fly, removing the compile steps. So, while an interpreter may be slow at running the code, if a lot of changes are happening that force recompiles, it can be faster. In today's world, we have both compilers and interpreters for most languages, so that the correct tool can be used for the correct situation. We also have systems such as just-in-time compilers and bytecode interpreters that blur the traditional categorizations of compilers and interpreters.
Describe Continuous Integration
Continuous integration is the DevOps manner of continually updating and improving the production code base. By using high levels of automation, and safety nets of automated backout routines, continuous integration allows the DevOps team to test and update even very minor changes without a lot of overhead. Instead of running a few large updates, with many integrated and potentially cross-purpose update elements, all squeezed into a single big package, the DevOps team runs a series of smaller, single-purpose integrations throughout the process. This means that when testing, the team can isolate the changes to a small, manageable number, without the significance of multiple potential interactions. This can make DevOps more secure by reducing interaction errors and other errors that are difficult to detect and time consuming to track down.
Fuzz testing works best in which of the following testing environments?A. White box testingB. Gray box testingC. Black box testing D. Fuzz testing works equally well in all of the above.
D
Which of the following is an initial step in the input validation process that creates the canonical form, or simplest form, of a string before processing? A. Implementing stored proceduresB. Code signingC. Code reuseD. Normalization
D
Why is UEFI preferable to BIOS? A. UEFI resides on the hardware, making it faster than BIOS. B. UEFI is stored in volatile hardware storage. C. UEFI has limited ability to deal with high-capacity storage and high- bandwidth communications and thus is more optimized. D. UEFI has more security designed into it, including provisions for secure booting.
D
Which of the following is not true regarding hardware roots of trust? A. They are secure by design. B. They have very specific functionality. C. They are typically implemented in hardware that is isolated from the operating system. D. They provide security only at their level, not to higher layers of a system.
D. Hardware roots of trust are built on the principle that if one "trusts" one layer, that layer can be used to promote security to higher layers of a system.
Describe Data Exposure
Data exposure is the loss of control over data from a system during operations. Data must be protected during storage (data at rest), during communication (data in transit), and at times during use. It is up to the programming team to chart the flow of data through a system and ensure that it is protected from exposure throughout the process. Exposed data can be lost to unauthorized parties (a failure of confidentiality) or, equally dangerous, can be changed by an unauthorized party (a failure of integrity). Protection of the data will typically be done using various forms of cryptography, which is covered in Chapter 26.
Describe Model Verification
Ensuring the code does what the code is supposed to do, verification, is more complex than just running the program and looking for runtime errors. The program results for a given set of inputs need to match the expected results per the system model. For instance, if applying a simple mathematical operation, is the calculation correct? This is simple to verify on a case-by-case basis, but when a program has many interdependent calculations, verifying that the result matches the desired design model can be a fairly complex task. Validation and verification are the terms used to describe this testing. Validation is the process of checking whether the program specification captures the requirements from the customer. Verification is the process of checking that the software developed meets the model specification. Performing model verification testing is important, as this is the assurance that the code as developed meets the design requirements.
XP stands for
Extreme Programming
FDE stands for
Full disk encryption (FDE)
Fuzz testing also can be classified as generation-based or mutation-based. (describe)
Generation-based fuzz testing uses the specifications of input streams to determine the data streams that are to be used in testing. Mutation-based fuzz testing takes known good traffic and mutates it in specific ways to create new input streams for testing. Each of these has its advantages, and the typical fuzzing environment involves both used together.
Network components use a network operating system to provide the actual configuration and computation portion of networking. There are many vendors of networking equipment, and each has its own proprietary operating system. Cisco has the largest footprint with its __, the operating system that runs on all Cisco routers and switches.
IOS, internetworking operating system
Describe Integrity Measurement
Integrity measurement is the measuring and identification of changes to a specific system away from an expected value. From the simple changing of data as measured by a hash value to the TPM-based integrity measurement of the system boot process and attestation of trust, the concept is the same. Take a known value, perform a storage of a hash or other keyed value, and then, at time of concern, recalculate and compare. In the case of a TPM-mediated system, where the TPM chip provides a hardware-based root of trust anchor, the TPM system is specifically designed to calculate hashes of a system and store them in a Platform Configurations Register (PRC). This register can be read later and compared to a known, or expected, value, and if they differ, there is a trust violation. Certain BIOSs, UEFIs, and boot loaders can work with the TPM chip in this manner, providing a means of establishing a trust chain during system boot.
There are several ways to classify fuzz testing. (2)
It can be classified as smart testing or dumb testing, indicating the type of logic used in creating the input values. Smart testing uses knowledge of what could go wrong, and malforms the inputs using this knowledge. Dumb testing just uses random inputs.
Describe Kiosk OSs
Kiosks are stand-alone machines, typically operating a browser instance on top of a Windows OS. These machines are usually set up to autologin to a browser instance that is locked to a website that allows all of the functionality desired. These are commonly used for interactive customer service applications, such as interactive information sites, menus, and so on. The OS on a kiosk needs to be able to be locked down to minimal functionality so that users can't make any configuration changes. It also should have elements such as autologin and an easy way to construct the applications.
Describe Security Automation
One of the key elements of DevOps is automation. DevOps relies upon automation for much of its efficiencies. Security automation can do the same for security with respect to improving efficiencies that automation has in DevOps. Automating routine and extensive security processes allows fewer resources to cover more environment in a more effective and efficient manner. Automation removes the manual labor that costs money to employ, especially skilled cybersecurity personnel. And rather than replacing the personnel with scripts, the use of automation allows the personnel to spend their time doing value-added work such as analysis. Take the issues associated with patching systems. One has to identify which patches belong on which systems, apply the patches and then verify periodically that the system is working and systems are patched. All of these steps can be highly automated, making a small group capable of patching and monitoring patch levels on a large base of systems.
In the case of a TPM-mediated system, where the TPM chip provides a hardware-based root of trust anchor, the TPM system is specifically designed to calculate hashes of a system and store them in a
Platform Configurations Register (PRC).
Describe RTOS
Real-time operating systems (RTOSs) are designed for systems where the processing must occur in real time and data cannot be queued or buffered for any significant length of time. RTOSs are not general-purpose machines, but are programmed for a specific purpose. They still have to deal with contention, and they have scheduling algorithms to deal with timing collisions, but in general an RTOS processes each input as it is received, or within a specific time slice defined as the response time. Examples of RTOS are from something as common as an anti-lock braking computer in a car, to as complex as a robotic system used on an assembly line. Most general-purpose computer operating systems are capable of multitasking by design. This includes Windows and Linux. Multitasking systems make poor real-time processors, primarily because of the overhead associated with separating tasks and processes. Windows and Linux may have interrupts, but these are the exception, not the rule, for the processor. RTOS-based software is written in a completely different fashion, designed to emphasize the thread in processing rather than handling multiple threads. The security implications surrounding RTOS systems lie in their timing. Should an event do something that interferes with the system's ability to respond within its time allotment, then the system itself can fail in its task. RTOS systems also tend to be specific to the degree that updates and patches tend not to be common as the manufacturer of the system does not provide that level of support. As items such as cars become more networked, these weaknesses are becoming apparent and one can expect this situation to change over time.
There are many different methods and variations, but some of the major forms of Agile development are (2)
Scrum and Extreme Programming (XP). XP is built around the people side of the process, while Scrum is centered on the process perspective.
One of the challenges in securing an OS is that it has myriad drivers and other add-ons that hook into it and provide specific added functionality. If you do not properly vet these additional programs before installation, this pathway can provide a means by which malicious software can attack a machine. And since these attacks can occur at boot time, at a level below security applications such as antivirus software, they can be very difficult to detect and defeat. UEFI offers a solution to this problem, called
Secure Boot. Secure Boot is a mode that, when enabled, only allows signed drivers and OS loaders to be invoked. Secure Boot requires specific setup steps, but once enabled, it blocks malware that attempts to alter the boot process. Secure Boot enables the attestation that the drivers and OS loaders being used have not changed since they were approved for use. Secure Boot is supported by Microsoft Windows and all major versions of Linux.
SDLM stands for
Software Development Life Cycle Methodology (SDLM)
Describe Static Code Analyzers
Static code analysis is when the code is examined without being executed. This analysis can be performed on both source code and object code bases. The term "source code" is typically used to designate the high-level language code, although technically, source code is the original code base in any form, from high-level language to machine code. Static analysis can be performed by humans or tools, although humans are limited to the high-level language, while tools can be used against virtually any form of code base.Static code analysis is frequently performed using automated tools. These tools are given a variety of names, but are commonly called static code analyzers or source code analyzers. Sometimes, extra phrases, such as "binary scanners" or "byte code scanners," are used to differentiate the tools. Static tools use a variety of mechanisms to search for weaknesses and vulnerabilities. Automated tools can provide advantages when checking syntax, approved function/library calls, and examining rules and semantics associated with logic and calls. They can catch elements a human could overlook.
Describe Stored Procedures
Stored procedures are precompiled methods implemented within a database engine. Stored procedures act as a secure coding mechanism because they offer an isolation of user input from the actual SQL statements being executed. This is the primary defense mechanism against SQL injection attacks, separation of user input from the SQL statements. User-supplied input data is common in interactive applications that use databases. This input can allow the user to define the specificity of search, match, and so forth. But what cannot happen is to allow a user to write the actual SQL code that is executed. There are too many things that could go wrong, too much power to allow a user to directly wield it, and eliminating SQL injection attacks by "fixing" input has never worked. All major database engines support stored procedures. Stored procedures have a performance advantage over other forms of data access. The downside is that stored procedures are written in another language, SQL, and a database programmer typically is needed to implement the more complex ones.
Describe SoC
System on a chip (SoC) refers to a complete computer system miniaturized on a single integrated circuit, designed to provide the full functionality of a computing platform on a single chip. This includes networking and graphics display. Some SoC solutions come with memory, while others have the memory separate. SoCs are very common in the mobile computing market (both phones and tablets) because of their low power consumption and efficient design. Some SoC brands have become household names because mobile phone companies have advertised their inclusion in a system, such as the Snapdragon processor in Android devices. Quad-core and eight-core SoC systems are already in place, and they even have advanced designs such as quad plus one, where the fifth processor is slower and designed for simple processes and uses extremely small amounts of power. So when the quad cores are not needed, there is not significant energy usage. The programming of SoC systems can occur at several different levels. Dedicated OSs and applications can be written for them, such as the Android fork of Linux, which is specific to the mobile device marketplace. Because these devices represent computing platforms with billions of devices worldwide, they have become a significant force in the marketplace. The security implications of SoC-based systems is associated not with the specifics of SoC, but in the fact that they are ubiquitous in our technology-driven lives. Security issues are handled by the device, not the specific SoC aspect itself.
Examples of roots of trust include (2)
TPM chips in computers and Apple's Secure Enclave coprocessor in its iPhones and iPads. Apple also uses a signed Boot ROM mechanism for all software loading.
Describe The agile model
The agile model is not a single development methodology, but a whole group of related methods. Designed to increase innovation and efficiency of small programming teams, Agile methods rely on quick turns involving small increases in functionality. The use of repetitive, small development cycles can enable different developer behaviors, which in turn can result in more efficient development. There are many different methods and variations, but some of the major forms of Agile development are Scrum and Extreme Programming (XP). XP is built around the people side of the process, while Scrum is centered on the process perspective. More information on the foundations of the agile method, see the Agile Manifesto (http://agilemanifesto.org/).
Kiosks are stand-alone machines, typically operating a browser instance on top of a __ OS.
Windows
(Dion) what versions of Windows started being considered a trusted OS? what versions of Mac OS?
Windows.7 and higher. Mac OS X 10.6 and newer.
Wireless keyboards operate via a short-range wireless signal between the keyboard and the computer. The main method of connection is via either
a USB Bluetooth connector, in essence creating a small personal area network (PAN), or a 2.4-GHz dongle.
Fuzzing (or fuzz testing) is
a brute force method of addressing input validation issues and vulnerabilities. The basis for fuzzing a program is the application of large numbers of inputs to determine which ones cause faults and which ones might be vulnerable to exploitation. Fuzz testing can be applied to anywhere data is exchanged to verify that input validation is being performed properly. Network protocols can be fuzzed, file protocols can be fuzzed, and web protocols can be fuzzed. The vast majority of browser errors are found via fuzzing. Fuzz testing works well in white, black, or gray box testing, as it can be performed without knowledge of the specifics of the application under test. Fuzz testing works by sending a multitude of input signals and seeing how the program handles them. Specifically, malformed inputs can be used to vary parser operation and to check for memory leaks, buffer overflows, and a wide range of input validation issues. Since input validation errors are one of the top issues in software vulnerabilities, fuzzing is the best method of testing against these issues, such as cross-site scripting and injection vulnerabilities. There are several ways to classify fuzz testing. It can be classified as smart testing or dumb testing, indicating the type of logic used in creating the input values. Smart testing uses knowledge of what could go wrong, and malforms the inputs using this knowledge. Dumb testing just uses random inputs.
Code analysis can be performed at virtually any level of development, from unit level to subsystem to system to complete application. The higher the level, the greater the test space and more complex the analysis. When the analysis is done by teams of humans reading the code, typically at the smaller unit level, it is referred to as
a code review. Code analysis should be done at every level of development, because the sooner that weaknesses and vulnerabilities are discovered, the easier they are to fix. Issues found in design are cheaper to fix than those found in coding, which are cheaper to fix than those found in final testing, and all of these are cheaper to fix than errors discovered after the software has been deployed.
DevOps is a combination of development and operations, and a blending of tasks performed by a company's __ and __ teams.
application development ; systems operations
UEFI offers a solution to this problem, called Secure Boot. Secure Boot is a mode that, when enabled, only allows signed drivers and OS loaders to be invoked. Secure Boot requires specific setup steps, but once enabled, it blocks malware that attempts to alter the boot process. Secure Boot enables the __ that the drivers and OS loaders being used have not changed since they were approved for use.
attestation
Proper input validation is especially well suited for the following vulnerabilities: (6)
buffer overflow, reliance on untrusted inputs in a security decision, cross-site scripting (XSS), cross-site request forgery (XSRF), path traversal, and incorrect calculation of buffer size. Input validation may seem suitable for various injection attacks, but given the complexity of the input and the ramifications from legal but improper input streams, this method falls short for most injection attacks. What can work is a form of recognition and whitelisting approach, where the input is validated and then parsed into a standard structure that is then executed. This restricts the attack surface to not only legal inputs, but also expected inputs.
A modern vehicle has not a single computer in it, but actually hundreds of them, all interconnected on a
bus. The controller area network (CAN) bus is designed to allow multiple microcontrollers to communicate with each other without a central host computer. Before the CAN bus was invented, individual microcontrollers were used to control the engine, emissions, transmission, braking, heating, electrical, and other systems, and the wiring harnesses used to interconnect everything became unwieldy. Robert Bosch developed the CAN bus for cars, specifically to address the wiring harness issue, and when first deployed in 1986 at BMW, the weight reduction was over 100 pounds.As of 2008, all new U.S. and European cars must use a CAN bus, per SAE regulations, a mandate engineers have willingly embraced as they continue to add more and more subsystems. The CAN bus has a reference protocol specification, but recent auto hacking discoveries have shown several interesting things. First, in defending allegations that some of its vehicles could suddenly accelerate without driver action, Toyota's claim that the only way to make a vehicle accelerate quickly is to step on the gas pedal, that software alone won't do it, was proven to be false. Hackers have demonstrated almost complete control over all functions of their Prius using computers and CAN bus commands. Second, every automobile manufacturer has interpreted/ignored the reference protocol specification to varying degrees. Finally, as demonstrated by hackers at DEF CON, it is possible to disable cars in motion, over the Internet, as well as fool around with the entertainment console settings and other systems.
A modern vehicle has not a single computer in it, but actually hundreds of them, all interconnected on a bus. The __ bus is designed to allow multiple microcontrollers to communicate with each other without a central host computer.
controller area network (CAN)
CAN stands for
controller area network (CAN)
Compiled code is code that is written in one language, then run through a compiler and transformed into executable code that can be run on a system. Compilers can do many things to optimize code and create smaller, faster- running programs on the actual hardware. But compilers have problems with
dynamic code capable of changing at runtime.
Dynamic analysis is performed while the software is executed, either on a target system or an emulated system. The system is fed specific test inputs designed to produce specific forms of behaviors. Dynamic analysis can be particularly important on systems such as __, where a high degree of operational autonomy is expected.
embedded systems
Monitoring and managing firmware security is a time-intensive task because (2)
few tools exist for that purpose, and even fewer for automation of the task. This makes physical security of the system and its peripheral hardware important.
Memory management comprises the actions used to control and coordinate computer memory, assigning memory to variables and reclaiming it when it is no longer being used. Errors in memory management can result in a program that has a memory leak, and the leak can grow over time, consuming more and more resources. The routine to clean up memory that has been allocated in a program but is no longer needed is called
garbage collection.
Trusted OSs are most commonly used by
government agencies and contractors for sensitive systems that require this level of protection.
Whitelisting is easier to employ from the aspect of the identification of applications that are allowed to run—__ can be used to ensure the executables are not corrupted.
hash values
Medical devices, such as lab equipment and infusion pumps and other computer-controlled equipment, have been running on computer controls for years. The standard of choice has been an embedded Linux kernel that has been stripped of excess functionality and pressed into service in the embedded device. One of the problems with this approach is
how to patch this kernel when vulnerabilities are found. Another, related problem is that as the base system gets updated to a newer version, the embedded system stays trapped on the old version. This requires regression testing for problems, and most manufacturers will not undertake such labor-intensive chores.
The main sources of EMPs would be (3)
industrial equipment on the same circuit, solar flares, and nuclear bursts high in the atmosphere.
Enterprise class __(3) and more, are all examples of systems that bring Linux OSs into the enterprise, but not under the enterprise patch process, for the maintenance is a vendor issue.
intrusion detection appliances, loss prevention appliances, backup appliances,
One of the major weaknesses of the waterfall model is that
it is difficult to incorporate late in the cycle changes from a customer, making the development process inflexible.
During the design phase, the development team should make decisions as to the appropriate level of reuse. For some complex functions, such as cryptography, reuse is the preferred path. In other cases, where the lineage of a component cannot be established, then the risk of use may outweigh the benefit. Additionally, the inclusion of previously used code, sometimes referred to as __, can reduce development efforts and risk.
legacy code
The waterfall methodology is particularly poorly suited for complex processes and systems where
many of the requirements and design elements will be unclear until later stages of development. It is useful for small, bite-sized pieces, and in this manner is incorporated within other models such as the spiral, incremental, and Agile methods. One of the major weaknesses of the waterfall model is that it is difficult to incorporate late in the cycle changes from a customer, making the development process inflexible.
SoCs are very common in the __ market because of their low power consumption and efficient design.
mobile computing (both phones and tablets)
A lot of hardware has firmware that provides the necessary software instructions to facilitate the hardware functionality. Firmware is a source of program code for the system, and if an adversary changes the firmware, this can result in an open attack vector into the trusted core of the enterprise. This is because
most systems will trust the firmware of a trusted system. Monitoring and managing firmware security is a time-intensive task because few tools exist for that purpose, and even fewer for automation of the task. This makes physical security of the system and its peripheral hardware important.
One of the interesting security problems with wireless mice and keyboards has been the development of the
mousejacking attack. This is when an attacker performs a man-in-the-middle attack on the wireless interface and can control the mouse and or intercept the traffic. When this attack first hit the environment, manufacturers had to provide updates to their software interfaces to block this form of attack. Some of the major manufacturers, like Logitech, took this effort for their mainstream product line, but a lot of mice that are older were never patched. And smaller vendors have never addressed the vulnerability, so it still exists.
Network components use a __ to provide the actual configuration and computation portion of networking.
network operating system
HSMs have tamper protection mechanisms to prevent physical access to the secrets they protect. Because of their dedicated design, they can offer
significant performance advantages over general-purpose computers when it comes to cryptographic operations. When an enterprise has significant levels of cryptographic operations, HSMs can provide throughput efficiencies.
Every OS, from Linux to Windows, requires
software updates, and each OS has different methods of assisting users in keeping their systems up to date.
Code analysis encompasses the processes used to inspect code for weaknesses and vulnerabilities. Code analysis can be divided into two forms: (describe)
static and dynamic. Static analysis involves examination of the code without execution. Dynamic analysis involves the execution of the code as part of the testing. Both static and dynamic analyses are typically performed with tools, which are much better at the detailed analysis steps needed for any but the smallest code samples.
Static code analysis is frequently performed using automated tools. These tools are given a variety of names, but are commonly called
static code analyzers or source code analyzers.
Medical devices are manufactured under strict regulatory guidelines that are designed for
static systems that do not need patching, updating, or changes. Any change would force a requalification, a lengthy, time-consuming, and expensive process. As such, these devices tend to never be patched. With the advent of several high-profile vulnerabilities, including Heartbleed and Bash shell attacks, most manufacturers simply recommended that the devices be isolated and never connected to an outside network. In concept, this is fine, but in reality this can never happen, as all the networks in a hospital or medical center are connected. A recent recall of nearly a half million pacemakers in 2017 for a software vulnerability that would allow a hacker to access and change the performance characteristics of the device is proof of the problem. The good news is that the devices can be updated without removing them, but it will take a doctor's visit to have the new firmware installed.
The most common criteria used to define a trusted OS is
the Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria, or CC), a harmonized security criteria recognized by many nations, including the United States, Canada, Great Britain, and most of the EU countries, as well as others.
There are two main enumerations of common software errors:
the Top 25 list maintained by MITRE, and the OWASP Top Ten list for web applications. Depending on the type of application being evaluated, these lists provide a solid starting point for security analysis of known error types. MITRE is the repository of the industry-standard list for standard programs, and OWASP for web applications.
Validation is
the process of checking whether the program specification captures the requirements from the customer.
EXAM TIP: This chapter presented a cornucopia of different embedded systems. For the exam, remember three main elements:
the technology components, SoC and RTOS; the connectivity component—Internet of Things; and the different marketplaces, home automation, wearables, medical devices, vehicles, and aviation.
Code testing is
the verification that the code meets to functional requirements as laid out in the requirements process. While code analysis makes certain the code works properly doing what it is supposed to do and only what it is supposed to do, code testing makes certain it meets the business requirements.
Programming today is, to a great extent, an exercise in using __ and __
third-party libraries and software development kits (SDKs). (This is because once code has been debugged and proven to work, rewriting it is generally not a valuable use of time. Also, some fairly complex routines, such as encryption, have vetted, proven library sets that remove a lot of risk from programming these functions. Using these proven resources can reduce errors and vulnerabilities in code, making this a positive move for secure development. Using third-party elements brings baggage in that is code you have not developed and don't necessarily have all the dependency details. If the development team manages dependencies correctly, the benefits greatly outweigh the risks.)
The lure of doing validation on the client side is
to save the round-trip communication time, especially for input errors such as missing values. Applications commonly have client-side code to validate the input as correct in terms of it being complete and approximately correct. This validation on the client side does not mean that the data is safe to use, only that it appears that the data has been completely filled in. All input validation with respect to completeness, correctness, and security checks must be done on the server side, and must be done before the user input is used in any way.
All major database engines support stored procedures. Stored procedures have a performance advantage over other forms of data access. The downside is that stored procedures are
written in another language, SQL, and a database programmer typically is needed to implement the more complex ones.
Vendors typically follow a hierarchy for software updates: (3) (describe)
• Hotfix This term refers to a (usually) small software update designed to address a specific problem, such as a buffer overflow in an application that exposes the system to attacks. Hotfixes are typically developed in reaction to a discovered problem and are produced and released rather quickly. • Patch This term refers to a more formal, larger software update that can address several or many software problems. Patches often contain enhancements or additional capabilities as well as fixes for known bugs. Patches are usually developed over a longer period of time. • Service pack This refers to a large collection of patches and hotfixes rolled into a single, rather large package. Service packs are designed to bring a system up to the latest known good level all at once, rather than requiring the user or system administrator to download dozens or hundreds of updates separately.
Microsoft has two mechanisms that are part of the OS to control which users can use which applications:
• Software restrictive policies: Employed via group policies and allow significant control over applications, scripts, and executable files. The primary mode is by machine and not by user account. • User account level control: Enforced via AppLocker, a service that allows granular control over which users can execute which programs. Through the use of rules, an enterprise can exert significant control over who can access and use installed software.
You must meet several key requirements to ensure that the system hardening processes described in this section achieve their security goals. These are OS independent and should be a normal part of all system maintenance operations: (4)
• The base installation of all OS and application software comes from a trusted source, and is verified as correct by using hash values. • Machines are connected only to a completely trusted network during the installation, hardening, and update processes. • The base installation includes all current patches and updates for both the OS and applications. • Current backup images are taken after hardening and updates to facilitate system restoration to a known state.