Reference monitor. You know what it is, right?

What I hate about CISSP is a ton of crap that is marked as 'for the purpose of CISSP exam'. It relates to areas, mostly non-technical ones, that do not have established, well-known and widely accepted standards and procedures, like forensics investigation procedures, etc. However, sometimes it is so regarding even well established technical things, like, for the purpose of CISSP you should consider SSL/TLS to be a part of transport layer which is NUTS. In order to pass the exam you have to have top-notch knowledge of technical things because you'll certainly miss around 20% of this ambiguous crap if you attempt to pass it relying solely on your real world experience. But enough of ranting, let's test your knowledge of reference monitor concept.

Which characteristics do NOT identify a reference monitor?
A) analysis

isolation
C) verifiability
D) vulnerability

Possible answers are any combinations of one or two answers from the list provided, i.e. answer is A or answer is C and D, etc.

What's you answer? Explain if possible.

Find more posts tagged with

Comments

g33k3r

Defined from the Eric Conrad Study Guide:

"mediates all access between subjects and objects. It enforces the system's security policy, such as preventing a normal user from writing to a restricted file, such as the system password file."

Given this limited definition I'd choose D. The other three seem to offer some 'mediation' functionality between subjects and objects.

I had to look this one up and I still don't feel confident this is even correct.

gespenstern

g33k3r wrote: »

Given this limited definition I'd choose D.

Indeed, this definition is really limited. Wikipedia has one that's less limited, naming four characteristics that a reference monitor must have. Wording varies from source to source, but basically these are
- non-bypassable, meaning that no subject can access any object in a trusted system bypassing the reference monitor;
- evaluable (verifiable), meaning that it should be small and easy to analyze by system analysts for peer-review in order to avoid stupid mistakes in code;
- always on, always invoked, they insist that it is crucial while I don't see how it is not "non-bypassable", it means basically that is always on and non, crap, bypassable;
- tamperproof, this, again, sort of intersects with verifiable because the only method that human managed to invent to make code tamperproof is to ask another, preferably smarter human to peer review it, test it and verify that it doesn't contain stupid mistakes.

So your answer is D and it brings following question, in what sense vulnerability is a characteristic of a reference monitor? Maybe in a sense that it should not be vulnerable and be vulnerability free, in other words, tamperproof? It is kinda twisted logic here, but who knows, these practice questions surprise me all the time.

g33k3r

Seems like a test of semantics. Even with my limited definition and Wikipedia it still isn't clear which worries me if this is the type of questions to expect when sitting for the exam.

jt2929

D seems pretty clear to me. Is a reference monitor a vulnerability? No. You could also go about this question by picking out the answer that doesn't fit with the others. As g33k3r said, A, B, and C all offer a characteristic that enforces the security policy. Vulnerability has nothing to do with enforcing system's security policy, which a reference monitor does.

gespenstern

jt2929 wrote: »

D seems pretty clear to me.

Okay, I tend to agree, that D sticks out of four and is probably the answer, but could it be that there are more? C looks legit because reference monitor must be verifiable, but what about A and B? Do they relate to reference monitor itself, to what it in essence is, or to what it does? Probably to reference monitor itself, but that's a stretch, it's hard to tell from the question what "identify" really means, but C (verifiability) certainly relates to what reference monitor is, so let's guess for now that all possible answers are similar in this regard.

In what sense on earth "analysis" and "isolation" identify the reference monitor itself? Analysis is a process and not a property (like verifiability) so what could analysis mean here? Or, if they identify reference monitor by what it does, does reference monitor analyze something? Well, kind of, it certainly analyzes access requests and checks them for validity and checks if they correspond to access control lists of objects that those access requests try to access...

And isolation? Which is either a state or a process, is reference monitor in the state of isolation from something? Well, certainly, it is an entity that is clearly distinct from all other operating system modules and data and thus isolated but isn't it obvious?

I'm lost here, I would appreciate if techexams forum members open their AiO or CBK and look for something reference monitor definition that may have "for the purpose of CISSP exam" on it.

NetworkNewb

Not sure if this link will work but I'll try. Page 311 talks about it

https://books.google.com/books?id=vMgTAgAAQBAJ&pg=PA311&lpg=PA311&dq=cissp+reference+monitor+isolation&source=bl&ots=hYWH_IXKw6&sig=Bcsgqg4Sf2y1KxoKNJ93VIvx9Sg&hl=en&sa=X&ved=0CCwQ6AEwAmoVChMIm83K3LDsxgIVyVyICh28jAuD#v=onepage&q=reference%20monitor&f=false

jt2929

gespenstern wrote: »

Okay, I tend to agree, that D sticks out of four and is probably the answer, but could it be that there are more?

No, I don't think there could be more. I think you are driving yourself crazy here and looking too deep into the possible answers, but let's go through them using the definition from Conrad's book quoted above:

A) Analysis - The RM "mediates all access between subjects and objects". Surely this capability takes some kind of analysis to determine if a subject is allowed access to an object.

Isolation - The RM prevents "a normal user from writing to a restricted file". So the RM isolates the restricted file from the other user-accessible files. Also, the RM itself should be isolated from normal user access since it enforces the security policy.
C) Verifiability - Straight from the Conrad book: "Secure systems can evaluate (verify) the security of the reference monitor".
D) Vulnerability - Nothing related to the RM, therefore the 'best' answer.

I don't have my AIO book in front of me to look up what Shon Harris says on the subject. I hope this helps.

gespenstern

NetworkNewb wrote: »

Not sure if this link will work but I'll try. Page 311 talks about it

Thanks, that's exactly what I'm talking about. For reasons unknown, "for the purpose of CISSP exam" you need to consider a reference monitor concept the way CISSP sees it, just like this book suggests:

"The reference monitor function should exhibit isolation, completeness and verifiability".

It goes on to explain what these three properties mean:

"Isolation is required because of the following:
- It can't be of public access. The less access the better.
- It must provide a sense of completeness to provide the whole information and process cycles.
- It must be verifiable to provide security, audit, and accounting functions".

Right away, by just reading this without any in-depth understanding of what these properties really mean, we can easily choose the correct answer which would be "A and D" only because they do not identify a reference monitor according to this book. You can find word "isolation" and word "verifiability" there, but can't find "analysis" and "vulnerability" so everything is clear.

What's not clear (rant mode on) is why do (ISC)2 chooses this weird definition of a reference monitor. Let's break it down here.

1. Verifiability. I put it first because it's easy to rule it out. That's the only property that could be found in (ISC)2 definition and all other definitions of a reference monitor concept. And it's easy to understand: because of high importance a reference monitor should be reviewed thoroughly to contain no errors in algorithm to avoid flaws in logic that could lead to vulnerabilities, bypasses, etc.

2. Completeness. Whole passage about completeness in this book already looks weird because it seems that the author tried to explain isolation in a series of points, starting his phrase in such a way like he/she wants to break down why isolation is required, but strangely proceeds to break down other properties despite his manifested intention. Anyways. Explanation provided in this book doesn't make any sense to me from systems engineering point of view, so I'll stick with Wikipedia, which mentions "completeness" as part of "verifiability" which makes sense, because as I already mentioned in 1) a reference monitor should be verified because of its importance. Should it be complete? Hell, yes, it should, EVERY piece of software should be complete, but since we know that errare humanum est, we'd better verify if it really is, especially in important cases. So I'd argue that mentioning just "completeness" is pointless and misleading, it should be at least "verified completeness" but it's easy to see that word "completeness" is excessive, because we always verify software against its idea of proper functionality expressed in specifications and documentations. Why would (ISC)2 want to separate "completeness" from "verifiability" and point it out as a single, distinct property of a reference monitor? No idea. But as I already mentioned, mainstream definition of a reference monitor isn't flawless either, but at least it's mainstream and more logical.

3. Isolation. It can't be of public access, the less access, the better. What? They mean it should be isolated from other operating system modules comprising operating system? No ****, that's a valuable property, sounds like designers of operating systems tend to put everything into one single heap. Anyways, it makes sense, but doesn't it make sense regarding almost any other critical OS component? Are we talking properties that make a reference monitor distinct from other modules that are not a reference monitor? What's the point in stating obvious? Or maybe it's not that obvious? Anyways, on a more serious note, they probably talk about putting reference monitor into Ring 0 here, basically, saying that it shouldn't be accessed by less privileged subjects in any way, which, by the way, falls part into "non-bypassable" and "tamperproof" properties...

In the end I'd like to cite TCSEC and Wikipedia here, that both give a more standard, more accepted definition, and what's the most important, more logical definition of a reference monitor properties:

Wiki:

The properties of a reference monitor are captured by the acronym NEAT, which means:

- The reference validation mechanism must be Non-bypassable, so that an attacker cannot bypass the mechanism and violate the security policy.
- The reference validation mechanism must be Evaluable, i.e., amenable to analysis and tests, the completeness of which can be assured (verifiable). Without this property, the mechanism might be flawed in such a way that the security policy is not enforced.
- The reference validation mechanism must be Always invoked. Without this property, it is possible for the mechanism to not perform when intended, allowing an attacker to violate the security policy.
- The reference validation mechanism must be Tamper-proof. Without this property, an attacker can undermine the mechanism itself and thence violate the security policy.

TCSEC:

"The Anderson report went on to define the reference validation mechanism as
"an implementation of the reference monitor concept . . . that validates
each reference to data or programs by any user (program) against a list of
authorized types of reference for that user." It then listed the three design
requirements that must be met by a reference validation mechanism:
a.
The reference validation mechanism must be tamper proof.
b.
The reference validation mechanism must always be invoked.
c.
The reference validation mechanism must be small enough to be
subject to analysis and tests, the completeness of which can
be assured."

It can be seen that it lacks wiki's "non-bypassable", but it's clear that if it's always invoked and tamperproof then it's non-bypassable by definition.

Again, why would (ISC)2 choose to pursue its own definitions (this reference monitor situation is just a single example out of many) of pretty much well-known and established concepts? It certainly makes the exam harder to pass for people who do self-study and even do not self-study at all but rely on their real world experience. Thus, making bootcamps, books and similar stuff more in demand, forcing people to memorize useless crap "for the purpose of CISSP exam".

Yeah, I know why it happens and I hate it. Just wanted to point it out one more time.

gespenstern

jt2929 wrote: »

No, I don't think there could be more.

There's more. Right answer is A and D and it's based on (ISC)2 own definition of reference monitor.

nk_vn

To me this is a typical case of

“One of those obtuse CBK-own-definition questions”™

I met them several times during my study, and I just dismissed them as a waste of time. They are unlikely to make or brake the exam...