If an operating system permits shared resources such as memory to be used sequentially by multiple users/application or subjects without a refresh of the objects/ memory area, what security problem is MOST likely to exist?
Click on the arrows to vote for the correct answer
A. B. C. D.A.
Allowing objects to be used sequentially by multiple users without a refresh of the objects can lead to disclosure of residual data.
It is important that steps be taken to eliminate the chance for the disclosure of residual data.
Object reuse refers to the allocation or reallocation of system resources to a user or, more appropriately, to an application or process.
Applications and services on a computer system may create or use objects in memory and in storage to perform programmatic functions.
In some cases, it is necessary to share these resources between various system applications.
However, some objects may be employed by an application to perform privileged tasks on behalf of an authorized user or upstream application.
If object usage is not controlled or the data in those objects is not erased after use, they may become available to unauthorized users or processes.
Disclosure of residual data and Unauthorized obtaining of a privileged execution state are both a problem with shared memory and resources.
Not clearing the heap/stack can result in residual data and may also allow the user to step on somebody's session if the security token/identify was maintained in that space.
This is generally more malicious and intentional than accidental though.The MOST common issue would be Disclosure of residual data.
The following answers are incorrect: Unauthorized obtaining of a privileged execution state.
Is incorrect because this is not a problem with Object Reuse.
Data leakage through covert channels.
Is incorrect because it is not the best answer.
A covert channel is a communication path.
Data leakage would not be a problem created by Object Reuse.In computer security, a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.
The term, originated in 1973 by Lampson is defined as "(channels) not intended for information transfer at all, such as the service program's effect on system load." to distinguish it from Legitimate channels that are subjected to access controls by COMPUSEC.
Denial of service through a deadly embrace.
Is incorrect because it is only a detractor.
References: Hernandez CISSP, Steven (2012-12-21)
Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4174-4179)
Auerbach Publications.
Kindle Edition.
and https://www.fas.org/irp/nsa/rainbow/tg018.htm and http://en.wikipedia.org/wiki/Covert_channel.
If an operating system allows shared resources such as memory to be used sequentially by multiple users or applications without refreshing the memory area, the security problem that is MOST likely to exist is A. Disclosure of residual data.
Memory that has been used by one user or application may contain sensitive information that could be disclosed to another user or application that shares the same memory area. This is known as residual data, and it can pose a significant security risk if it falls into the wrong hands.
For example, if a user logs into a system and enters sensitive information such as a password, that information may be stored in memory temporarily. If another user or application then accesses that same memory area, they may be able to access the password information that was previously stored there, allowing them to gain unauthorized access to the system.
To prevent disclosure of residual data, it is important for operating systems to implement proper memory management techniques, such as refreshing memory areas after they have been used. Additionally, access controls should be in place to restrict access to memory areas to only those users or applications that require it. Failure to implement these security measures can lead to significant security vulnerabilities and potential data breaches.