Question 1

A capability list for a domain is ____________________

Accepted Answer

A) a list of operations together with the list of processes allowed to run the operations on those objects. B) a list of objects together with the list of processes allowed to access those objects. C) a list of objects together with the operations allowed on those objects. D) a list of triplet . A) a list of operations together with the list of processes allowed to run the operations on those objects. B) a list of objects together with the list of processes allowed to access those objects. C) a list of objects together with the operations allowed on those objects. D) a list of triplet . C

Question 2

Explain the need-to-known principle.

Accepted Answer

The need-to-know principle means that at any time, a process should be able to access only those objects that it currently requires to complete its task. This rule is useful in limiting the amount of damage a faulty process or an attacker can cause in the system.

Question 3

How does Linux use system-call filtering?

Accepted Answer

A code can be added to the kernel to perform an inspection at the system-call gate, restricting a caller to a subset of system calls deemed safe or required for that caller's function. Specific system-call profiles can be constructed for individual processes. The Linux mechanism SECCOMP-BPF uses the Berkeley Packet Filter language to load a custom profile through Linux's proprietary prctl system call. This filtering can be effectively enforced if called from within a run-time library when it initializes or from within the loader itself before it transfers control to the program's entry point.

Question 4

Rings of protection separate functions into domains and order them hierarchically.

Accepted Answer

A) True 
 B)False

Question 5

________________ is not a protection mechanism.

Accepted Answer

A)  System Integrity Protection 
B)  Intrusion Prevention 
C)  System-Call Filtering 
D)  Sandboxing 
A)  System Integrity Protection 
B)  Intrusion Prevention 
C)  System-Call Filtering 
D)  Sandboxing

Question 6

The ability to copy an access right from one domain to another may be realized as follows

Accepted Answer

A)  A right R is copied from domain A to domain B and R is removed from domain A. The right R could be copied from domain B to another domain. 
B)  A right R is copied from domain A to domain B, but the right R could not be copied from domain A to another domain. 
C)  A right R is copied from domain A to domain B, but the right R could not be copied from domain B to another domain. 
D)  none of the above 
A)  A right R is copied from domain A to domain B and R is removed from domain A. The right R could be copied from domain B to another domain. 
B)  A right R is copied from domain A to domain B, but the right R could not be copied from domain A to another domain. 
C)  A right R is copied from domain A to domain B, but the right R could not be copied from domain B to another domain. 
D)  none of the above

Question 7

root user can modify mandatory access control (MAC)

Accepted Answer

A) True 
 B)False

Question 8

What capability is not used by Linux?

Accepted Answer

A)  permitted 
B)  mapped 
C)  effective 
D)  inherited 
A)  permitted 
B)  mapped 
C)  effective 
D)  inherited

Question 9

Explain a confinement problem.

Accepted Answer

The confinement problem is a problem of

Question 10

Describe domain switching.

Accepted Answer

The association between proces

Question 11

What does compartmentalization mean?

Accepted Answer

Compartmentalization is the pr

Question 12

Describe the idea of the sandboxing.

Accepted Answer

Sandboxing involves running processes in

Question 13

Describe the idea of SIP (System Integrity Protection).

Accepted Answer

SIP restricts access to system files and

Question 14

What protection mechanism is used to ensure that operating-system distributions and patches have not be changed?

Accepted Answer

It is code signing, which is the digital

Question 15

Which of the following is an advantage of compiler-based enforcement of access control?

Accepted Answer

A)  Protection schemes are programmed as opposed to simply declared. 
B)  Protection requirements are dependent of the facilities provided by a particular operating system. 
C)  The means for enforcement needs to be provided by the designer of the subsystem. 
D)  Access privileges are closely related to the linguistic concept of a data type. 
A)  Protection schemes are programmed as opposed to simply declared. 
B)  Protection requirements are dependent of the facilities provided by a particular operating system. 
C)  The means for enforcement needs to be provided by the designer of the subsystem. 
D)  Access privileges are closely related to the linguistic concept of a data type.

Question 16

A protection domain is a collection of access rights, each of which is ___________________

Accepted Answer

A) a pair B) a pair C) a triplet D) a triplet A) a pair B) a pair C) a triplet D) a triplet

Question 17

The default set of access rights are used if no entry in the access list is found.

Accepted Answer

A) True 
 B)False

Question 18

What is the difference between mechanisms and policies?

Accepted Answer

A)  Mechanisms determine what will be done, while policies decide when it will be done 
B)  Mechanisms determine how something will be done, while policies decide what will be done 
C)  Mechanisms determine how something will be done, while policies decide why something will be done 
D)  Mechanisms determine what will be done, while policies decide how it will be done 
A)  Mechanisms determine what will be done, while policies decide when it will be done 
B)  Mechanisms determine how something will be done, while policies decide what will be done 
C)  Mechanisms determine how something will be done, while policies decide why something will be done 
D)  Mechanisms determine what will be done, while policies decide how it will be done

Question 19

Which of the following is true of the Java programming language in relation to protection?

Accepted Answer

A)  When a class is loaded, the JVM assigns the class to a protection domain that gives the permissions of that class. 
B)  It does not support the dynamic loading of untrusted classes over a network. 
C)  It does not support the execution of mutually distrusting classes within the same JVM. 
D)  Methods in the calling sequence are not responsible for requests to access a protected resource. 
A)  When a class is loaded, the JVM assigns the class to a protection domain that gives the permissions of that class. 
B)  It does not support the dynamic loading of untrusted classes over a network. 
C)  It does not support the execution of mutually distrusting classes within the same JVM. 
D)  Methods in the calling sequence are not responsible for requests to access a protected resource.

Question 20

Object means __________

Accepted Answer

A)  hardware object or software object 
B)  process or threat 
C)  software object only 
D)  process only 
A)  hardware object or software object 
B)  process or threat 
C)  software object only 
D)  process only

A capability list for a domain is ____________________

Explain the need-to-known principle.

How does Linux use system-call filtering?

Rings of protection separate functions into domains and order them hierarchically.

________________ is not a protection mechanism.

The ability to copy an access right from one domain to another may be realized as follows

root user can modify mandatory access control (MAC)

What capability is not used by Linux?

Explain a confinement problem.

Describe domain switching.

What does compartmentalization mean?

Describe the idea of the sandboxing.

Describe the idea of SIP (System Integrity Protection).

What protection mechanism is used to ensure that operating-system distributions and patches have not be changed?

Which of the following is an advantage of compiler-based enforcement of access control?

A protection domain is a collection of access rights, each of which is ___________________

The default set of access rights are used if no entry in the access list is found.

What is the difference between mechanisms and policies?

Which of the following is true of the Java programming language in relation to protection?

Object means __________

Introduction

Operating-System Structures

Processes

Threads Concurrency

Cpu Scheduling

Synchronization Tools

Synchronization Examples

Deadlocks

Main Memory

Virtual Memory

Mass-Storage Structure

Io Systems

File-System Interface

File-System Implementation

File-System Internals

Security

Filters

Exam 17: Protection

A capability list for a domain is ____________________

Explain the need-to-known principle.

How does Linux use system-call filtering?

Rings of protection separate functions into domains and order them hierarchically.

________________ is not a protection mechanism.

The ability to copy an access right from one domain to another may be realized as follows

root user can modify mandatory access control (MAC)

What capability is not used by Linux?

Explain a confinement problem.

Describe domain switching.

What does compartmentalization mean?

Describe the idea of the sandboxing.

Describe the idea of SIP (System Integrity Protection).

What protection mechanism is used to ensure that operating-system distributions and patches have not be changed?

Which of the following is an advantage of compiler-based enforcement of access control?

A protection domain is a collection of access rights, each of which is ___________________

The default set of access rights are used if no entry in the access list is found.

What is the difference between mechanisms and policies?

Which of the following is true of the Java programming language in relation to protection?

Object means __________

Introduction

Operating-System Structures

Processes

Threads Concurrency

Cpu Scheduling

Synchronization Tools

Synchronization Examples

Deadlocks

Main Memory

Virtual Memory

Mass-Storage Structure

Io Systems

File-System Interface

File-System Implementation

File-System Internals

Security

Filters