Should reference monitor provide process isolation, or NOT? Trick question for CISSP exam?
-
Hello,
I came across this question on a CISSP practice exam and think that the answer is wrong. Any comments?
Which statements do NOT define the requirements of a security kernel?
a. The reference monitor should be verified as correct.
b. The reference monitor should provide process isolation.
c. The security kernel should be verified in a comprehensive manner.
d. A method to circumvent the security should be implemented by the reference monitor.
CyberVista says the correct answer is "b and d". But shouldn't it be "d" only? The reference monitor should provide process isolation, shouldn't it?
Here is what Google's AI thinks about the subject:
Both reference monitor and base and limit registers provide process isolation.
• Reference monitor is a security mechanism that mediates all accesses to objects by subjects. It is a central part of a computer system's security architecture and is responsible for enforcing the system's security policy. Process isolation is one of the security features that the reference monitor provides.
• Base and limit registers are hardware registers that are used to implement memory protection. They are used to define the boundaries of a process's address space. This prevents processes from accessing each other's memory.
Both reference monitor and base and limit registers provide process isolation, but they do so in different ways. The reference monitor is a software mechanism that is responsible for enforcing the system's security policy. The base and limit registers are hardware registers that are used to define the boundaries of a process's address space.
In modern operating systems, both reference monitor and base and limit registers are used to provide process isolation. The reference monitor provides a high-level security policy, while the base and limit registers provide a low-level mechanism for enforcing that policy.
Here are some of the advantages of using both reference monitor and base and limit registers to provide process isolation:
• Increased security: Process isolation is a critical security feature that can help to protect computer systems from malicious attacks. By using both reference monitor and base and limit registers, systems can achieve a high level of process isolation.
• Reduced complexity: Using both reference monitor and base and limit registers can help to reduce the complexity of security mechanisms. This is because the reference monitor can focus on enforcing the system's security policy, while the base and limit registers can focus on providing a low-level mechanism for enforcing that policy.
• Improved performance: Using both reference monitor and base and limit registers can help to improve the performance of security mechanisms. This is because the reference monitor can be implemented in software, while the base and limit registers can be implemented in hardware.
Here are some of the disadvantages of using both reference monitor and base and limit registers to provide process isolation:
• Increased cost: Using both reference monitor and base and limit registers can increase the cost of computer systems. This is because both mechanisms require additional hardware and software.
• Increased complexity: Using both reference monitor and base and limit registers can increase the complexity of computer systems. This is because both mechanisms add additional complexity to the system's architecture.
• Reduced flexibility: Using both reference monitor and base and limit registers can reduce the flexibility of computer systems. This is because both mechanisms can limit the types of applications that can be run on the system.
Overall, using both reference monitor and base and limit registers to provide process isolation can help to improve the security of computer systems. However, it is important to weigh the costs and benefits of using both mechanisms before making a decision.
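The two mechanisms named in this post, side by side, as an added sketch that is not part of the original post or of any exam material. The subjects, object name, policy table and register values are constructed for illustration: `translate` models a base-and-limit bounds check, and `mediate` models a reference-monitor lookup of a (subject, object, access) request with default deny.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: names, policy rows and addresses are illustrative. */
enum { ACC_READ = 1, ACC_WRITE = 2 };

/* Per-process relocation registers, as loaded on a context switch. */
struct region { size_t base; size_t limit; };

/* Hardware-style check: a logical address must fall below the limit;
 * the physical address is base + logical. Returns false on a fault. */
bool translate(const struct region *r, size_t logical, size_t *physical)
{
    if (logical >= r->limit)
        return false;
    *physical = r->base + logical;
    return true;
}

/* One row of the access-control policy the monitor consults. */
struct rule { const char *subject; const char *object; int allowed; };
static const struct rule policy[] = {
    { "alice",  "payroll.db", ACC_READ },
    { "hr_app", "payroll.db", ACC_READ | ACC_WRITE },
};

/* Reference-monitor-style check: every (subject, object, access) request
 * is looked up in the policy; a request with no matching rule is denied. */
bool mediate(const char *subject, const char *object, int requested)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (strcmp(policy[i].subject, subject) == 0 &&
            strcmp(policy[i].object, object) == 0)
            return (policy[i].allowed & requested) == requested;
    }
    return false; /* default deny */
}

int main(void)
{
    struct region r = { 0x4000, 0x1000 };
    size_t phys = 0;
    printf("in-bounds:     %d\n", translate(&r, 0x0FFF, &phys));
    printf("out-of-bounds: %d\n", translate(&r, 0x1000, &phys));
    printf("alice write:   %d\n", mediate("alice", "payroll.db", ACC_WRITE));
    return 0;
}
```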
-
@Serkan-Bozkurt it does seem that, in the context of this question and the information provided, answer "b" is not correct. Maybe someone else can chime in on this as well.
-
So the conundrum here has to do with syntax and negatives. You must ask the question of what defines a security kernel.
A security kernel mediates all accesses to [the kernel], protects it from modification and verifies [the kernel] as correct. Both A and C do what is described for the security kernel.
Does B? Yes, process isolation is a result of implementing confinement via the reference monitor.
D would be the correct answer here. Having said that, read the explanation provided by CyberVista to see if there is another reason they have posted that B is the correct answer.
I would have chosen D only.
-
B is the correct answer because the question asked "not".