1 James Arnold/ Terrie Diaz 25 September 2007 Common Criteria: Optional Security Requirements and Functions?

Slides:



Advertisements
Similar presentations
Jeremy S. Bradbury, James R. Cordy, Juergen Dingel, Michel Wermelinger
Advertisements

Yokogawa Network Solutions Presents:
Service Manager for MSPs
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Auditing Concepts.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 5: Planning, Configuring, And Troubleshooting DHCP.
6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
1 Terrie Diaz/ James Arnold 27 September 2007 Threats, Policies, and Assumptions in the Common Criteria What is the target of evaluation anyhow?
Creating Architectural Descriptions. Outline Standardizing architectural descriptions: The IEEE has published, “Recommended Practice for Architectural.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
4/25/ Application Server Issues for the Project CSEP 545 Transaction Processing for E-Commerce Philip A. Bernstein Copyright ©2003 Philip A. Bernstein.
1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.
Understanding Active Directory
VMware vCenter Server Module 4.
Managing DHCP. 2 DHCP Overview Is a protocol that allows client computers to automatically receive an IP address and TCP/IP settings from a Server Reduces.
Working with Drivers and Printers Lesson 6. Skills Matrix Technology SkillObjective DomainObjective # Understanding Drivers and Devices Install and configure.
Chapter 11: Creating and Managing Shared Folders BAI617.
9.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
This presentation will guide you though the initial stages of installation, through to producing your first report Click your mouse to advance the presentation.

1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.
DAY 15: ACCESS CHAPTER 2 Larry Reaves October 7,
CSE 303 – Software Design and Architecture
10/4/2015Tables1 Spring, 2008 Modified by Linda Kenney 4/2/08.
11 MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY Chapter 5.
Lecture 2 Process Concepts, Performance Measures and Evaluation Techniques.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 5: Active Directory Logical Design.
1 IBM Software Group ® Mastering Requirements Management with Use Cases Module 10: Structure the Use-Case Model.
Module 4: Systems Development Chapter 12: (IS) Project Management.
Unit – I CLIENT / SERVER ARCHITECTURE. Unit Structure  Evolution of Client/Server Architecture  Client/Server Model  Characteristics of Client/Server.
Mark Aslett Microsoft Introduction to Application Compatibility.
Session objectives Discuss whether or not virtualization makes sense for Exchange 2013 Describe supportability of virtualization features Explain sizing.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
Module 7 Active Directory and Account Management.
COMP106 Assignment 2 Proposal 1. Interface Tasks My new interface design for the University library catalogue will incorporate all of the existing features,
Introduction to Microsoft Management Console (MMC) MMC is a common console framework for management applications. MMC provides a common environment for.
Next-generation databases Active databases: when a particular event occurs and given conditions are satisfied then some actions are executed. An active.
Chapter 9: SHARING FILE SYSTEM RESOURCES1 CHAPTER OVERVIEW  Create and manage file system shares and work with share permissions.  Use NTFS file system.
FlexElink Winter presentation 26 February 2002 Flexible linking (and formatting) management software Hector Sanchez Universitat Jaume I Ing. Informatica.
1 Relational Databases and SQL. Learning Objectives Understand techniques to model complex accounting phenomena in an E-R diagram Develop E-R diagrams.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
Programme Objectives Analyze the main components of a competency-based qualification system (e.g., Singapore Workforce Skills) Analyze the process and.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced Chapter 5: Managing and Monitoring DHCP.
Section 11: Implementing Software Restriction Policies and AppLocker What Is a Software Restriction Policy? Creating a Software Restriction Policy Using.
Module 3 Configuring File Access and Printers on Windows 7 Clients.
NT SECURITY Introduction Security features of an operating system revolve around the principles of “Availability,” “Integrity,” and Confidentiality. For.
© 2003 The MITRE Corporation. All rights reserved For Internal MITRE Use Addressing ISO-RTO e-MARC Concerns: Clarifications and Ramifications Response.
Proposal for RBAC Features for SDD James Falkner Sun Microsystems October 11, 2006.
IIS and.Net security -Vasudha Bhat. What is IIS? Why do we need IIS? Internet Information Services (IIS) is a Web server, its primary job is to accept.
1 Using Common Criteria Protection Profiles. 2 o A statement of user need –What the user wants to accomplish –A primary audience: mission/business owner.
Liang, Introduction to Java Programming, Sixth Edition, (c) 2007 Pearson Education, Inc. All rights reserved Chapter 11 Object-Oriented.
Best Practices for Implementing Unicenter NSM r11.1 in an HA MSCS Environment Part I -Last Revision April 24, 2006.
Web Browsing *TAKE NOTES*. Millions of people browse the Web every day for research, shopping, job duties and entertainment. Installing a web browser.
Introduction to Active Directory
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
Boris Ulík Technology Solutions Professional Microsoft Slovakia Microsoft ® System Center 2012: System Center Endpoint Protection 2012.
Access Controls Mandatory Access Control by Sean Dalton December 5 th 2008.
IBM Systems Group © 2004 IBM Corporationv 3.04 This presentation is intended for the education of IBM and Business Partner sales personnel. It should not.
1 The XMSF Profile Overlay to the FEDEP Dr. Katherine L. Morse, SAIC Mr. Robert Lutz, JHU APL
Auditing Concepts.
Chapter 9: Transport Layer
Chapter 11 Object-Oriented Design
Click to edit Master subtitle style
8ICCC Update for IEEE P2600 Brian Smithson Ricoh Americas Corporation
James Arnold/ Jean Petty 27 September 2007
Presentation transcript:

1 James Arnold/ Terrie Diaz 25 September 2007 Common Criteria: Optional Security Requirements and Functions?

2 Topics  Introduction  Overview of Options –Options in Products –Options in Requirements  Summary  Recommendations  Conclusions Note that the presentation applies both to Common Criteria version 2.3 as well as version 3.1. The examples were drawn from version 3.1.

3 Introduction  The Common Criteria (CC) is about evaluating products, known as targets of evaluation (TOEs), in the context of specific requirements. –The TOE is limited to an “evaluated configuration.” –Many requirements apply to the entire TOE at all times.  However, a TOE might support many configurations or modes of operation where, in effect, its security functions are variable.  This presentation explores the potentially variable nature of TOEs and how that might be addressed in the context of CC evaluations.

4 Overview of Options  Options in Products –Most products have options to some degree, some of which have been historically accommodated in Common Criteria evaluations and others of which are commonly avoided.  Options in Requirements –While many requirements in the Common Criteria do not accommodate options, there are some that directly support TOE options and others that less obviously support the possibility of options.  Each of these topics is explored in more detail.

5 Options in Products  Product options are generally considered to complicate the notion of “evaluated configuration.” –This is particularly true when the options serve to change the security functions, or behavior thereof.  Product options often result in (sometimes difficult) choices about what is going to be included within the evaluated configuration for the sake of cost and time. –This is particularly true when the options result in combinatorial analysis or testing situations.

6 Options in Products – Components  Optional product components –Present or absent in their entirety –Might or might not include security functionality –Choices made At the time of purchase At the time of installation At the time of use  Examples –Labeling services (e.g., Solaris® Trusted Extensions) –Product-specific agents (e.g., for an intrusion detection system) IBM and DB2 are registered trademarks of International Business Machines Corporation in the United States and/or other countries.

7 Options in Products – Functions  Optional product functions –Enabled, disabled, or alternate behavior –Might or might not include security functionality –Choices made At the time of purchase At the time of installation At the time of use  Examples –Network services (NAT, DHCP, remote access, etc.) –Licensed feature (e.g., IBM® DB2® LBAC) –Audit function Solaris is a registered trademark of Sun Microsystems, Inc. in the United States and/or other countries.

8 Options in Products – Environment  Optional supporting components (in the environment) –Might or might not include supporting security functionality –Choices made At the time of purchase At the time of installation At the time of use  Examples –Execution platforms (e.g., host for applications) –IT services (DBMS, LDAP, cryptographic library, etc.) –Clients (e.g., choice of Web browser)

9 Options in Products – Effects  Effects of optional components and functions –Can add or remove entire security functions –Can augment or impair (i.e., change) existing security functions –Best case: no bearing on security functions  Effects of optional environment components –Can serve to change TOE security functions –Can serve to change the TOE implementation –Best case: the TOE implementation and security functions remain unchanged  In general, the range of options in the TOE and its environment can yield a wide range of possibilities.

10 Options in Products – Results of Security Function Changes  Add, remove, or change security functions –This type of variability represents a problem when determining and constructing appropriate requirements for the TOE. Need to address any necessary security management control of potential changes in security functions within the requirements Need to address the possibility of changes in security function behavior within the requirements –This type of variability can also yield a combinatorial problem where functions are interdependent, and their functions might potentially change relative to other changes.

11 Options in Products – Results of TOE Implementation Changes  Change the TOE implementation –This type of variability will most likely yield a situation where each TOE implementation would need to be individually tested and, perhaps, analyzed, since the TOE behavior may have changed due to changes in its implementation to accommodate a different environment element.

12 Options in Requirements  Regardless of any options that might be available for a given TOE, the Common Criteria requires the specification of specific requirements for each TOE to be evaluated.  In many cases, the CC requirements do not accommodate TOE options. –In general, the CC requirements dictate that the TOE Security Functions (TSF) shall do something specific without any allowance for options or conditions that might be available in the TOE. –But, there are some CC requirements that can accommodate variability in TOE security functions.

13 Options in Requirements – No Options  Requirements offering no TOE options –Requirements with no operations (i.e., assignment or selection) without a “be able to” caveat Example: “FPT_PHP.1.1 The TSF shall provide unambiguous detection of physical tampering that might compromise the TSF.” This example requirement leaves no room for any options that might serve to remove or impair the corresponding function. If an optional component, for example, were to implement the indicated function, it would have to always be present and working in the evaluated configuration in order to fulfill this requirement. In practice, while this feature may be useful to some users, it may be unnecessary for others.

14 Options in Requirements – No Options  Requirements offering no TOE options (cont) –Requirements with limited operations (some assignments or most selections) without a “be able to” caveat Example: “FAU_SAR.3.1 The TSF shall provide the ability to perform [selection: searches, sorting, ordering] of audit data based on [assignment: criteria with logical relations].” Even though the requirement author can make a selection and complete an assignment, this example requirement leaves no room for options regarding the provision of the applicable review function. If, for example, the TOE could support either searching or sorting, but not at the same time (i.e., they are mutually exclusive configuration options), this requirement could not be satisfied.

15 Options in Requirements – Limited Options  Requirements offering limited TOE options –Requirements with less limited operations (many assignments) without a “be able to” caveat may offer limited or indirect TOE options Example: “FPR_PSE.1.1 The TSF shall ensure that [assignment: set of users and/or subjects] are unable to determine the real user name bound to [assignment: list of subjects and/or operations and/or objects].” In this case, the requirement author could potentially caveat the users/subjects and/or the list of subjects/operations/objects in the applicable operations such that they are limited to when the option is enabled. For example, users could be unable to determine the real user name bound to operations implemented within an optional component or by an optional feature so that the requirement remains satisfied.

16 Options in Requirements – General Options  Requirements offering general TOE options –Requirements with a “be able to” caveat tend to offer flexibility Example: “FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.” In this case, the requirement is that the TSF has to be capable of providing reliable time stamps, but it doesn’t necessarily have to be able to do so all the time. This might seem a poor example by itself, but FAU_GEN.1, which depends on FPT_STM.1, also has the caveat “be able to.” –The implication being that the TSF must be able to generate reliable time stamps when it is also configured to generate audit events. –As such, both audit and reliable time stamp generation might be configurable components or functions that need not necessarily always be present in order to fulfill their corresponding requirements.

17 Options in Requirements – User-defined Options  Requirements offering user-definable TOE options –Requirements with assignments where rules are to be defined offer flexibility to the requirement author to support TOE options Example: “FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [assignment for each operation, the security attribute-based relationship that must hold between subject and information security attributes].” In this case, the rules can be defined such that variations in TOE components and TOE functions are accommodated. Even when the rule must apply to “all” subjects and/or objects, the notion of “all” isn’t necessarily static and would automatically adjust to any applicable changes in the TOE or its configuration.

18 Options in Requirements – Combinations  The previous examples are for requirement elements, while the Common Criteria presents requirements in terms of components which include one or more elements. –While a given element might allow flexibility, another element in the same requirement component might not. Example: FAU_GEN.1.1 indicates “The TSF shall be able to…” FAU_GEN.1.2 indicates “The TSF shall record…” In this case, the second element applies to audit records generated in the first element, and if the first element doesn’t generate records, it doesn’t apply even though it is not present as a “shall be able” type of requirement. –For the most part, the requirement authors seem to have taken this into account.

19 Summary  It is common for options to be offered for products when purchased, installed, and used. –As such, a given product could have many possible configurations, involving potentially different TOE implementations and security functions.  The Common Criteria requirements have been designed either to offer no, limited, general, or user- defined flexibility in terms of supporting the potential for options available within a given TOE. –As such, the Common Criteria supports some flexibility with regard to TOE options when defining the “evaluated configuration.”

20 Summary (cont)  While the Common Criteria (CC) requirements offer some measure of flexibility, there are certainly cases where the CC requirements do not facilitate options that TOEs can, and often do, offer.  As a result –Product “evaluated configurations” are limited to a relatively small number of specific options –Products are being evaluated multiple times with different options (i.e., different “evaluated configurations”) –The CC requirements are being extended with alternate requirements that facilitate actual TOE options

21 Recommendations  Products should be evaluated as close as possible to the manner in which they are expected to be used. –All TOE implementations should be addressed. –All TOE options should be addressed.  Optional components and functions should be generally accommodated in evaluations. –There likely is a commercial reason those options exist.

22 Recommendations - Combinations  Unfortunately, combinatorial problems have always been a difficult issue in evaluations. –When the TOE itself is different (e.g., Windows® vs. UNIX® application), it is likely that each different implementation would need to be tested separately. However, if the behavior is the same, the analysis would likely be the reusable, depending on the assurance level of the evaluation. –When the TOE implementation is the same and the supporting environment components differ, analysis and testing can be limited in cases where any potential differences can be rationalized as not being security-relevant. –When TOE component or function combinations are involved, if they are not security-relevant, there should be no particular issue. However, if security functions are affected, it is best when those functions are modular and it can be determined they don’t affect other functions; otherwise, much more analysis (and perhaps testing) would be required to address the combinations. Windows is a registered trademark of Microsoft Corporation in the United States and/or other countries. UNIX is a registered trademark of The Open Group in the United States and/or other countries.

23 Recommendations – Variable Security Functions  When the options available for a given TOE allow changes in its security functions that cannot be accommodated by the requirements available in the Common Criteria: –The approach taken in the Certificate Issuing and Management Components Family of Protection Profiles (CIMCPP) could be used to, in effect, define multiple TOEs (or “evaluated configurations”), develop a superset of requirements, and then selectively assign each requirement to the applicable TOEs. In effect, a single evaluation would then be performed that simultaneously addresses multiple TOEs with overlapping requirements. –The evaluated configuration could be defined inclusive of available TOE options, and any requirements that are not adequately flexible could be explicitly modified to accommodate the necessary flexibility.

24 Recommendations – Common Criteria  In the future, the Common Criteria should take into account that it is important to evaluate security functions regardless of whether they will be used by all TOE users.  In general, the Common Criteria requirements should be more carefully crafted to accommodate flexibility that is necessary to fully support the way products can be and are actually used.

25 Conclusions  Historically, the “evaluated configurations” of many products have been too limited, largely to simplify the evaluation.  As a result, products are often not being evaluated in the manner in which they are most often used.  There are ways to broaden the scope of “evaluated configurations” using the existing Common Criteria requirements, though they are not necessarily simple.  The Common Criteria should be revised to better accommodate optional capabilities in order to encourage the evaluation of products as closely as possible to their intended environments.  Unfortunately, just as it must require substantive effort to implement a product in multiple environments, it will require more evaluation effort to evaluate the product in those environments.

26 Contact James Arnold SAIC Accredited Testing & Evaluation Labs AVP/Technical Director Terrie Diaz SAIC Accredited Testing & Evaluation Labs Quality Assurance Director