James Arnold/ Jean Petty 27 September 2007

Slides:



Advertisements
Similar presentations
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Advertisements

Submission Process. Overview Preparing for submission The submission process The review process.
CS 411W - Notes Product Development Documentation.
IT Security Evaluation By Sandeep Joshi
1 norshahnizakamalbashah CEM v3.1: Chapter 10 Security Target Evaluation.
The Common Criteria Cs5493(7493). CC: Background The need for independently evaluated IT security products and systems led to the TCSEC Rainbow series.
1 James Arnold/ Terrie Diaz 25 September 2007 Common Criteria: Optional Security Requirements and Functions?
OASIS Reference Model for Service Oriented Architecture 1.0
1 Module 5 How to identify essay Matakuliah: G1222, Writing IV Tahun: 2006 Versi: v 1.0 rev 1.
1 Terrie Diaz/ James Arnold 27 September 2007 Threats, Policies, and Assumptions in the Common Criteria What is the target of evaluation anyhow?
Purpose of the Standards
Internal Auditing and Outsourcing
1 Autumn 2008 TM8104 IT Security Evaluation Guide on the production of Protection Profiles Karin Sallhammar Q2S/NTNU 29/11/2003 Reference: ISO/IEC TR
S/W Project Management
Introduction to ISO New and modified requirements.
Authentication, Access Control, and Authorization (1 of 2) 0 NPRM Request (for 2017) ONC is requesting comment on two-factor authentication in reference.
Conformance Mark Skall Lynne S. Rosenthal National Institute of Standards and Technology
1 Common Criteria Ravi Sandhu Edited by Duminda Wijesekera.
ISO 9001:2008 to ISO 9001:2015 Summary of Changes
1 15 quality goals for requirements  Justified  Correct  Complete  Consistent  Unambiguous  Feasible  Abstract  Traceable  Delimited  Interfaced.
Evaluation Proposal Defense Observations and Suggestions Yibeltal Kiflie August 2009.
1 Interim Report of the IWGDD May Overview: Pursuing Goals to Harness the Power of Digital Data for Science and Society The IWGDD recommends that.
1 Using Common Criteria Protection Profiles. 2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner.
Copyright (C) 2007, Canon Inc. All rights reserved. P. 0 A Study on the Cryptographic Module Validation in the CC Evaluation from Vendors' point of view.
Writing Exercise Try to write a short humor piece. It can be fictional or non-fictional. Essay by David Sedaris.
Company LOGO. Company LOGO PE, PMP, PgMP, PME, MCT, PRINCE2 Practitioner.
Abstract  An abstract is a concise summary of a larger project (a thesis, research report, performance, service project, etc.) that concisely describes.
RTI, MUMBAI / CH 61 REPORTING PROCESS DAY 6 SESSION NO.1 (THEORY ) BASED ON CHAPTER 6 PERFORMANCE AUDITING GUIDELINES.
Stages of Research and Development
The Common Criteria for Information Technology Security Evaluation
Writing a Critical Summary of an Article or Paper
CHAPTER OVERVIEW The Case Study Ethnographic Research
Document Development Cycle
Scrutiny of RIAs Problem Definition and Objectives
Classroom Assessment A Practical Guide for Educators by Craig A
SYSTEM ANALYSIS AND DESIGN
Competence Pack Guide to Assessment.
Requirements Analysis and Specification
Software Documentation
Training Course on Integrated Management System for Regulatory Body
FEASIBILITY STUDY Feasibility study is a means to check whether the proposed system is correct or not. The results of this study arte used to make decision.
CASE STUDY BY: JESSICA PATRON.
ISO 9001:2015 Auditor / Registration Decision Lessons Learned
Editing & Polishing your Assignment
HIGHLIGHTING THE KEY CHANGES
Project Charter I want to design a project
Alignment of Part 4B with ISAE 3000
Writing the Persuasive/Argumentative Essay
Risk Management with Minimum Weight
Chapter 5 Designing the Architecture Shari L. Pfleeger Joanne M. Atlee
CHAPTER 4 PROPOSAL.
CHAPTER 4 PROPOSAL.
Updates about Work Track 5 Geographic Names at the Top-Level
Project Management Process Groups
WHAT TO EXPECT: A CROWN CORPORATION’S GUIDE TO A SPECIAL EXAMINATION
Competence Pack Guide to Assessment.
An Introduction to Software Architecture
Quality Risk Management ICH Q9 Frequently Asked Questions (FAQ)
EER Assurance December 2018
Alignment of Part 4B with ISAE 3000
Open Archival Information System
Writing an Engineering Report (Formal Reports)
Parts of an Essay Ms. Ruttgaizer.
Sustainable Development
Assessment Literacy: Test Purpose and Use
Parts of an Essay.
Applied Software Project Management
Lesson 4 Synthesis Overview & Peer Evaluation
IEEE- P2600 PP Guidelines Suggested Format and Content
CHAPTER OVERVIEW The Case Study Ethnographic Research
Presentation transcript:

James Arnold/ Jean Petty 27 September 2007 Common Criteria: Security Target Level of Detail James Arnold/ Jean Petty 27 September 2007

Purpose of a Security Target Parts of a Security Target Topics Introduction Purpose of a Security Target Parts of a Security Target Level of Detail Summary and Conclusions Recommendations Note that the presentation was developed in accordance with Common Criteria version 3.1, but it substantially applies to version 2.3 as well.

Introduction Common Criteria (CC) Security Targets (STs) are intended to describe security problems and the products, known as targets of evaluation (TOEs), that mitigate those problems. STs include several layers of description, including a top-level product/TOE overview, a security problem statement, security objectives, security requirements, and finally, a TOE summary specification (TSS) that describes the security functions that satisfy the requirements. The CC includes requirements designed to ensure that the various details are consistent and support each other adequately. However, beyond some specific points of reference found in the ST evaluation requirements and guidance found in CCv3.1 Part 1 Annex A, the CC does not specifically dictate the level of detail required throughout the ST.

Introduction Due to a lack of specific guidance about lack of detail, it is common for developers, evaluators, and validators to disagree whether the detail present in a given Security Target (ST) is adequate. This presentation explores the appropriate level of detail that should be present throughout an ST, with emphasis on the description of how the product meets the identified requirements.

Purpose of a Security Target (ST) Each ST fulfills two general roles: Before and during the evaluation, the ST specifies “what is to be evaluated” After the evaluation, the ST specifies “what was evaluated” The ST is not a detailed nor complete specification of the TOE. The ST audience changes over time, from evaluators and validators to potential users of the TOE.

Parts of a Security Target (ST) In CCv3.1, an ST has seven major parts: Introduction Conformance claims Security problem definition Security objectives Extended components definition Security requirements TOE summary specification While these parts are identified and defined in terms of guidance and requirements, an ST does not have to be organized in this manner. This presentation will address each of these parts in turn, without regard for how an ST might actually be organized with the corresponding information.

Level of Detail The CC has specific requirements that must be satisfied for each part of the Security Target (ST). This presentation does not represent those requirements, but rather, focuses on areas where the requirements are not specific about the required level of detail. The CCv3.1 Part 1 Annex A provides guidance for the specification of STs. This presentation references, but does not reproduce, that guidance, providing additional guidance where it seems necessary. While this presentation addresses every part of the ST for completeness, most of the recommendations relative to the parts of the ST that have historically had the most problems: Requirements TOE Summary Specification

Level of Detail - Introduction The Introduction in CCv3.1 includes much of the Introduction and TOE description of CCv2.3. As such, it requires an appropriate introduction to the Security Target (ST) as well as a TOE overview and TOE description. CCv3.1 Part 1 Annex A Section A.4 provides good guidance for all parts of this section and no additional guidance seems necessary. Note that the notions of logical and physical boundaries that created problems when evaluating STs with CCv2.3 have been replaced in CCv3.1 to make them more clear: Physical scope – what the TOE is Logical scope – the security features of the TOE

Level of Detail – Conformance Claims The conformance claims (of CCv3.1) were included in the Introduction in CCv2.3 and include: A summary of Common Criteria conformance Any Protection Profile (PP) claims Any package (e.g., assurance level) claims CCv3.1 Part 1 Annex A Section A.5 provides good guidance for conformance claims.

Level of Detail – Security Problem Definition The security problem definition of CCv3.1 is essentially the same as the TOE Security Environment of CCv2.3. CCv3.1 Part 1 Annex A Section A.6 provides good guidance for the security problem definition. Note that historically there have been disputes as to whether Organizational Security Policies (OSPs) had to be associated with an actual organization. CCv3.1 resolves that issue by allowing that OSPs can be presumed to be imposed by a hypothetical organization. While the guidance is good for defining security problem, the scope of the security problems to be defined isn’t especially clear. The definition of the security problems should be limited to security problems the TOE was created to mitigate. In other words, the definition of security problems should be developed without consideration of the specific TOE, as though the TOE did not exist and we don’t know what form it might take. Historically, there has been a tendency to identify security problems about the TOE, its IT environment, users of the TOE, etc. that have nothing to do with why the TOE was developed.

Level of Detail – Security Objectives The security objectives of CCv3.1 and CCv2.3 are essentially the same, except that there is no longer a distinction between the IT and non-IT environment of the TOE. CCv3.1 Part 1 Annex A Section A.7 provides good guidance for the security objectives.

Level of Detail – Extended Components Definition The extended components definition of CCv3.1 was essentially an aspect of the Security Requirements in CCv2.3. CCv3.1 Part 1 Annex A Section A.8 provides good guidance for defining extended components. Note that the guidance is fairly brief, indicating that this part of the Security Target (ST) must define any extended components (but not the actual requirements). Between this guidance and the requirements for this part of the ST, it seems clear what must be presented.

Level of Detail – Security Requirements The security requirements of CCv3.1 and CCv2.3 are essentially the same. CCv3.1 Part 1 Annex A Section A.9 provides useful guidance for the security requirements. The guidance suggests that requirements serve as a basis for comparing TOEs through their Security Targets. This is good, though a concept not generally accepted among the U.S. validation community – who seem to insist comparison is supported only via Protection Profiles. The guidance suggests that the requirements are an “exact” description of how the TOE is to be evaluated. This is not really true, since even though it is standardized, it is still informal and subject to interpretation. Examples include specification of the roles exactly as implemented, specification of the precise access control rules and operations, etc.

Level of Detail – Security Requirements (cont) A common problem today is that evaluators are often faced with validation issues (e.g., insistence that the requirements are not detailed enough) and this guidance doesn’t mitigate those issues. It should be more clear that the requirements need not necessarily be TOE specific and as such do not have to include any implementation details specific to the TOE being evaluated (e.g., specific role names, specific privilege names). Security functional requirements should represent observable behaviors of the TOE. The CC complicates this with some functional requirements, for example: FDP_RIP.1 – it may not be readily determinable, nor perhaps even important, whether the TOE actually made a resource unavailable upon allocation or deallocation. Cryptographic requirements (e.g., FCS_COP.1) represent additional examples where requirements may be appropriate only when a function is offered directly to the users of the TOE. Examples include specification of the roles exactly as implemented, specification of the precise access control rules and operations, etc.

Level of Detail – TOE Summary Specification The TOE Summary Specification (TSS) of CCv3.1 and CCv2.3 are essentially the same. Unfortunately, there is no guidance that might curtail the all-too-common level of detail problems related to this part of the Security Target (ST). The Common Criteria indicates that the level of detail of this specification should enable potential consumers to understand the general form and implementation of the TOE. The meaning of implementation in this context is ambiguous. This means that, for example, the ST might indicate that a password is used for authentication, but not that the ST should delve into how that password mechanism is actually implemented within the TOE.

Level of Detail – TOE Summary Specification A common criticism of the TOE Summary Specification (TSS) is that it describes what the TOE does and not how the TOE does it. However, the distinction between “what” and “how” isn’t particularly helpful, since the actual meaning depends on perspective. For example, The requirements define what must be met, and the TSS summarizes how that is done. The TSS summarizes what the TOE does, and the underlying design documents explain how that happens. In general, when this comment appears, it really means, quite simply, that the reviewer wants more detail. It is not always, or even usually, clear what additional detail is being requested, nor whether it is appropriate.

Level of Detail – TOE Summary Specification The following guidance is offered for specification of the TOE summary specification (TSS) at an appropriate level of detail. The TSS must have at least as much detail as the corresponding requirements. If the requirements are sufficiently detailed, repeating or paraphrasing the requirements should suffice. The TSS generally should be limited to details about the TOE that could be perceived or determined by a user of the TOE. For example: Users would know how they authenticate themselves. Users could figure out the rules for access decisions, though they may be unaware of how the applicable attributes are actually realized inside the TOE. Users should be aware of the cryptographic algorithm used by the TOE when they interact with the TOE using non-TOE applications, but they might be unaware of algorithms used exclusively between TOE components. In other words, the TSS should focus on user-visible details of how the TOE works to fulfill the requirements (which should also focus on observable behaviors).

Level of Detail – Rationale Note that rationale has not been identified as a part of the ST since in CCv3.1 rationale is included within each part that requires rationale, rather than leaving it to the end of the Security Target. In each case, CCv3.1 Part 1 Annex A provides useful guidance for the corresponding rationale.

Summary and Conclusions CCv3.1 Part 1 Annex A represents a good improvement in guidance from the corresponding CCv2.3 Part 1 Annex C. For the most part, CCv3.1 Part 1 Annex A serves as a useful guide when determining how to develop a suitable Security Target. However, most historical issues or problems with Security Targets have been related to the level of detail in the TOE summary specification, and CCv3.1 actually provides less guidance than CCv2.3 in this regard. Without additional and agreed guidance, those problems will continue to plague evaluations.

Recommendations CCv3.1 Part 1 Annex A should generally be used as a guide for appropriately developing the content of Security Targets (STs). This presentation offers guidance that should be applied consistently when developing STs: Security problem definitions should be limited to the problem the TOE is intended to solve, and the ST author, evaluators and validators should not be looking to the TOE in order to identify additional problems to specify. Functional requirements should be specified without TOE-specific implementation details and should focus on observable functional behaviors, in order to promote comparability and increase the potential for reusing requirements among STs. The TOE Summary Specification should be presented to address the requirements while being limited to user-visible functional behavior, where possible. Furthermore, the CCv3.1 Part 1 Annex A should be revised to extend the guidance to help mitigate historical problems.

Contact James Arnold Jean Petty SAIC Accredited Testing & Evaluation Labs AVP/Technical Director James.L.Arnold.Jr@saic.com Jean Petty SAIC Accredited Testing & Evaluation Labs Senior Product Evaluator Jean.E.Petty@saic.com http://www.saic.com/infosec/common-criteria/

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.