💾 Archived View for spam.works › mirrors › textfiles › hacking › fcscvol1.hac captured on 2023-11-04 at 13:19:31.
⬅️ Previous capture (2023-06-14)
-=-=-=-=-=-=-
FEDERAL CRITERIA
for
INFORMATION TECHNOLOGY SECURITY
VOLUME I
Protection Profile Development
Version 1.0
December 1992
This document is undergoing review and
is subject to modification or withdrawal.
The contents of this document should not
be referenced in other publications.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
&
NATIONAL SECURITY AGENCY
NOTES TO REVIEWERS
This is the first public draft of work in progress by the joint
National Institute of Standards and Technology (NIST) and
National Security Agency (NSA) Federal Criteria (FC) Project.
This draft Federal Criteria for Information Technology Security
is provided for preliminary review and comment by members of the
national and international computer security community. The
document will evolve into a new Federal Information Processing
Standard (FIPS) intended principally for use by the United States
Federal Government, and also by others as desired and
appropriate. The FIPS is intended to replace the Trusted Computer
System Evaluation Criteria (TCSEC) or "Orange Book."
Our objectives in presenting this draft material are threefold:
first, to give the community a clear view of the FC Project's
direction in moving beyond the TCSEC method of expressing
requirements in order to meet new IT security challenges; second,
to obtain feedback on the innovative approaches taken, the method
of presentation, and granularity; and third, to make a
substantial contribution to the dialogue among nations leading to
the harmonization of IT security requirements and evaluations.
It is important to note a few things about this preliminary FC
draft. First, it is a new and unpolished document and not intended
for any purpose except review and comment. Organizations should
not adopt any contents of this draft document for their use. It
is anticipated that the document will undergo extensive revision
as it works its way through the public FIPS approval process over
the next year or two. Second, the FC is being distributed in two
volumes. Volume I addresses the criteria development process and
is intended principally for use by developers of protection
profiles. The information in Volume I may also be of use to IT
product manufacturers and product evaluators. Volume II presents
completed IT product security criteria in the form of accepted
protection profiles.
The protection profiles associated with the final FIPS will help
consumers identify types of products that meet the protection
requirements within their particular organizations and
environments. However, the FIPS will be supplemented by a series
of implementing guidance documents, many of which will be
designed to help consumers make cost-effective decisions about
obtaining and appropriately using security-capable IT products.
As a preliminary draft of the new FC-FIPS, this document is not
intended for general distribution or compliance. The document
should not be considered a complete or finished product. Your
comments will be used by the Federal Criteria Working Group to
help raise the maturity level of this material prior to being
circulated for further public comment in the FIPS development
process.
ADDITIONAL NOTES TO REVIEWERS
Reviewers who provide substantive comments on the enclosed draft
FC by March 31, 1993 will be invited to attend an Invitational
Workshop on the Federal Criteria. This two-day workshop will be
held in the last week of April 1993 in the Washington-Baltimore
area at a location to be announced. All comments received by the
cut-off date will be correlated into major themes for discussion
by break-out groups at the workshop. The results will be used as
input into the process of re-drafting the FC for a second round of
comment prior to its being formalized as a FIPS.
Please send your comments (electronic format preferred) to
Nickilyn Lynch at the U.S. National Institute of Standards and
Technology (NIST), Computer Systems Laboratory (CSL).
Phone: (301) 975-4267
FAX: (301) 926-2733.
(Internet) Electronic Mail:
lynch@csmes.ncsl.nist.gov
Postal or Express Mail
(Hardcopy or 3.5", 1.44M diskette in MSDOS, Macintosh, or Sun
format):
Federal Criteria Comments
Attn: Nickilyn Lynch
NIST/CSL, Bldg 224/A241
Gaithersburg, MD 20899
Table of Contents
Chapter 1.
INTRODUCTION
1.1 Purpose
1.2 Scope
1.3 Audience
1.4 Organization of the Standard
Chapter 2.
IT SECURITY DEVELOPMENT
2.1 Overview
2.2 Functions and Assurance
2.3 Profile Development and Analysis
2.4 Product Development and Evaluation
2.5 System Development and Certification
Chapter 3.
PROTECTION PROFILES
3.1 Overview
3.2 Sources of Protection Profiles
3.3 Protection Profile Contents
3.4 Protection Profile Development
3.4.1 Environment Security Analysis
3.4.1.1 Expected Threats
3.4.1.2 Intended Method of Use and Environment
3.4.2 Component Requirement Synthesis
3.5 Protection Profile Analysis
3.5.1 Technical Soundness
3.5.2 Usefulness
3.5.3 Evaluation Capability
3.5.4 Distinctness
3.5.5 Consistency
3.6 Protection Profile Registration
Chapter 4.
FUNCTIONAL REQUIREMENTS
4.1 Overview
4.2 TCB Functional Components
4.2.1 Security Policy Support
4.2.1.1 Accountability Policy
4.2.1.1.1 Identification & Authentication (I&A)
4.2.1.1.2 System Entry
4.2.1.1.3 Trusted Path
4.2.1.1.4 Audit
4.2.1.2 Access Control Policy
4.2.1.2.1 Discretionary Access Control Policies
4.2.1.2.2 Non-Discretionary Access Control Policies
4.2.1.2.3 Covert Channel Handling
4.2.1.3 Availability Policy
4.2.1.3.1 Resource Allocation
4.2.1.3.2 Fault Tolerance
4.2.1.4 Security Management
4.2.2 Reference Mediation
4.2.3 TCB Logical Protection
4.2.4 TCB Physical Protection
4.2.5 TCB Self-Checking
4.2.6 TCB Start-Up and Recovery
4.2.7 TCB Privileged Operation
4.2.8 TCB Ease-of-Use
4.3 Rated Functional Components
4.3.1 Rated Identification & Authentication Components
4.3.2 Rated System Entry Components
4.3.3 Rated Trusted Path Components
4.3.4 Rated Audit Components
4.3.5 Rated Access Control Components
4.3.5.1 Rated Covert Channel Handling Components
4.3.6 Rated Resource Allocation Components
4.3.7 Rated Security Management Components
4.3.8 Rated Reference Mediation Components
4.3.9 Rated Logical TCB Protection Components
4.3.10 Rated Physical TCB Protection Components
4.3.11 Rated TCB Self Checking Components
4.3.12 Rated TCB Start-Up and Recovery Components
4.3.13 Rated TCB Privileged Operation Components
4.3.14 Rated TCB Ease-of-Use Components
4.4 Bibliographic Notes
Chapter 5.
DEVELOPMENT ASSURANCE REQUIREMENTS
5.1 Overview
5.2 Development Assurance Components
5.2.1 Development Process
5.2.1.1 TCB Property Identification
5.2.1.2 TCB Design
5.2.1.2.1 TCB Element Identification
5.2.1.2.2 TCB Interface Definition
5.2.1.2.3 TCB Modular Decomposition
5.2.1.2.4 TCB Structuring Support
5.2.1.2.5 TCB Design Disciplines
5.2.1.3 Implementation Support
5.2.1.4 TCB Testing and Analysis
5.2.1.4.1 Functional Testing
5.2.1.4.2 Penetration Analysis
5.2.1.4.3 Covert Channel Analysis
5.2.2 Operational Support
5.2.2.1 User Guidance
5.2.2.2 Administrative Guidance
5.2.2.3 Flaw Remediation
5.2.2.4 Trusted Generation
5.2.3 Development Environment
5.2.3.1 Life Cycle Definition
5.2.3.2 Configuration Management
5.2.3.3 Trusted Distribution
5.2.4 Development Evidence
5.2.4.1 TCB Protection Properties
5.2.4.2 Product Design and Implementation
5.2.4.3 Product Testing and Analysis
5.2.4.3.1 Functional Testing
5.2.4.3.2 Penetration Analysis
5.2.4.3.3 Covert Channel Analysis
5.2.4.4 Product Support
5.3 Rated Development Assurance Components
5.3.1 Development Process
5.3.1.1 Rated TCB Property Identification Components
5.3.1.2 Rated TCB Element Identification Components
5.3.1.3 Rated TCB Interface Definition Components
5.3.1.4 Rated Modular Decomposition Components
5.3.1.5 Rated TCB Structuring Support Components
5.3.1.6 Rated TCB Design Discipline Components
5.3.1.7 Rated Implementation Support Components
5.3.1.8 Rated Functional Testing Components
5.3.1.9 Rated Penetration Analysis Components
5.3.1.10 Rated Covert-Channel Analysis Components
5.3.2 Operational Support
5.3.2.1 Rated User Guidance Components
5.3.2.2 Rated Administrative Guidance Components
5.3.2.3 Rated Flaw Remediation Components
5.3.2.4 Rated Trusted Generation Components
5.3.3 Development Environment
5.3.3.1 Rated Life Cycle Definition Components
5.3.3.2 Rated Configuration Management Components
5.3.3.3 Rated Trusted Distribution Components
5.3.4 Development Evidence
5.3.4.1 Rated TCB Protection Property Evidence Components
5.3.4.2 Rated Product Design/Implementation Evidence Components
5.3.4.3 Rated Functional Testing Evidence Components
5.3.4.4 Rated Penetration Analysis Evidence Components
5.3.4.5 Rated Covert Channel Analysis Evidence Components
5.3.4.6 Rated Product Support Evidence Components
5.4 Bibliographic Notes
Chapter 6.
EVALUATION ASSURANCE REQUIREMENTS
6.1 Overview
6.2 Evaluation Assurance Components
6.2.1 Testing
6.2.1.1 Test Analysis Components
6.2.1.2 Independent Testing Components
6.2.2 Evaluation Review Requirements
6.2.2.1 Development Environment Review
6.2.2.2 Operational Support Review
6.2.3 Evaluation Analysis Requirements
6.2.3.1 Design Analysis
6.2.3.2 Implementation Analysis
6.3 Rated Evaluation Assurance Components
6.3.1 Rated Test Analysis Components
6.3.2 Rated Independent Testing Components
6.3.3 Rated Development Environment Review Components
6.3.4 Rated Operational Support Review Components
6.3.5 Rated Design Analysis Components
6.3.6 Rated Implementation Analysis Components
6.4 Bibliographic Notes
Chapter 7.
CONSTRUCTION OF PROTECTION PROFILES
7.1 Overview
7.2 Synthesis of Profile Components
7.2.1 Assignment
7.2.2 Refinement
7.2.3 Decomposition
7.2.4 Level-Selection
7.3 Dependency Analysis
7.3.1 Dependency Classification
7.3.2 Dependencies Among Functional Components
7.3.2.1 "Uses" Dependency among Functional Components
7.3.2.2 Policy-Property Dependency
7.3.2.3 Multiple Dependencies
7.3.3 Dependencies Among Assurance Components
7.3.3.1 "Uses" Dependency among Assurance Components
7.3.3.2 Assurance-Process Dependencies
7.3.4 Dependencies between Functions and Assurances
7.3.4.1 Relationship to other Function and Assurance Classifications
7.3.5 Examples of Using Dependency Analysis
7.4 Bibliographic Notes
GLOSSARY
ACRONYMS
Appendix A.
THREATS TO INFORMATION
Appendix B.
THE REFERENCE MONITOR CONCEPT
Appendix C.
DEFINING ACCESS CONTROL POLICIES
Appendix D.
MODULAR DECOMPOSITION
Appendix E.
PENETRATION ANALYSIS
Appendix F.
MOTIVATION FOR DEPENDENCY ANALYSIS
Appendix G.
EXAMPLE ASSURANCE PACKAGES
List of Figures
Figure 1. IT Security Development Activities
Figure 2. Protection Profile Development
Figure 3. Basis for Threat Analysis
Figure 4. Taxonomy of TCB Functions
Figure 5. Taxonomy of Development Assurances
Figure 6. Taxonomy of Evaluation Assurance Components
Figure 7. Examples of Uses Dependencies among Functional Components
Figure 8. Examples of Uses and Policy Properties Dependencies in Access
Control
Figure 9. Examples of Cyclic Dependencies and their Removal
Figure 10. Examples of Policy Property Dependencies
Figure 11. Examples of Uses Dependencies Among the TCSEC B2 Operational
Assurances
Figure 12. Examples of Uses Dependencies Among Components Corresponding
to B2 Operational Assurances
Figure 13. Example of Uses Dependencies among the Function and Assurance
Components Corresponding to the B3 Operational Assurances
Figure 14. Authorization of Subject References to Objects
List of Tables
Table 1. Protection Profile Structure
Table 2. Rated Functional Components
Table 3. Rating Summary for Development Assurance Components
Table 4. Common Threat Agents
Table 5. Inappropriate Disclosure Threats (Confidentiality Violations)
Table 6. Fault-and-Error Threats (Integrity Violations)
Table 7. Loss-of-Service Threats (Availability Violations)
Table 8. T1 Assurance Package
Table 9. T2 Assurance Package
Table 10. T3 Assurance Package
Table 11. T4 Assurance Package
Table 12. T5 Assurance Package
Table 13. T6 Assurance Package
Table 14. T7 Assurance Package
Table 15. Assurance Packages Summary
Chapter 1.
INTRODUCTION
1.1 Purpose
This Federal Information Processing Standard (FIPS) provides
a basis for developing, analyzing, and registering criteria
for information technology (IT) product security development
and evaluation. It explains how to use provided generic
requirements as building blocks to create unique sets of IT
product security criteria called protection profiles.
This standard builds on national and international IT product
security research and development by bringing together and
extending many concepts of this previous work. The FIPS has
four principal objectives.
a. Develop an extensible and flexible framework for defining
new requirements for IT product security. IT product
security criteria must respond to the challenges of
extensible computing environments. The standard must
provide a structured approach for specifying security
requirements for IT products employed in such environments.
b. Enhance existing IT product security development and
evaluation criteria. The fundamental principles of IT
product security must be reviewed and renewed for
application to new applications environments. The standard
must address selected IT product security requirements of
both Federal Government and private sector organizations.
c. Facilitate international harmonization of IT product
security development and evaluation criteria. Producers of
IT products competing in the international marketplace can
benefit from a harmonized set of IT security development
and evaluation criteria and an evaluation process that is
economical, efficient, and predictable. The standard must
meet U.S. Government and commercial security needs while
recognizing that many of those needs are also shared by the
government and commercial entities of other nations.
d. Preserve the fundamental principles of IT product security.
The fundamental principles of IT product security developed
during the past decades must be preserved. The standard
must be compatible with previous IT product security
requirements insofar as possible in order to protect
previous investments in the technology.
1.2 Scope
This standard addresses the full spectrum of IT product
security needs, to include confidentiality, integrity, and
availability. Confidentiality requirements protect against
inappropriate disclosure of information; integrity
requirements ensure the correctness and appropriateness of
information and/or its sources; and availability ensures that
information is present and usable within reasonable time
constraints.
This standard addresses the specification of internal
security controls (protection mechanisms) that are
implemented in the hardware, firmware, and software of an IT
product. For these internal controls to be effective, however,
adequate external security controls must be employed. IT
product security is complemented by these external controls
(which include physical, personnel, procedural, and
administrative security measures) and by a separate
certification and accreditation process. For an IT product,
the external security measures constitute assumptions and
boundary conditions that are part of the environment described
in a protection profile. These environmental assumptions and
boundary conditions are necessary to ensure IT products can
be used in such a way as to meet identified security needs.
This standard distinguishes IT product requirements from IT
system requirements. In general, an IT product is a hardware
and/or software package that can be purchased as an off-the-
shelf product and incorporated into a variety of systems. An
IT system is generally constructed from a number of hardware
and software components. For certain applications, it may be
possible to purchase a single IT product that satisfies all
customer requirements and, therefore, serve as a complete
system. In most cases, however, at least some IT product
customization and integration will be necessary to meet system
specific requirements.
>From a security perspective, the principal distinction
between products and systems lies in what is certain about
their operational environment. An IT product must be suitable
for incorporation into many potential IT systems. Thus, the
product developer can only make general assumptions about the
operational environment of a system in which the product may
be incorporated. These general assumptions include intended
method of use and generalized threats within the environment.
In contrast, an IT system must provide applications and meet
the requirements of a specific group of end-users within a
specific operational environment that has a specific set of
threat scenarios.
This standard addresses IT product requirements only. The
composition of multiple IT products into an IT system is
beyond the scope of this standard. Guidance for profile and
product composition will be addressed in future publications.
1.3 Audience
This document serves three primary customer groups with
respect to IT product security:
a. Consumers: Individuals or groups responsible for specifying
requirements for IT product security (e.g., policy makers
and regulatory officials, system architects, integrators,
acquisition managers, product purchasers, and end users).
b. Producers: Providers of IT product security (e.g., product
vendors, product developers, security analysts,
integrators, and value-added resellers).
c. Evaluators: Individuals or groups responsible for the
independent assessment of IT product security (e.g.,
product evaluators, system security officers, system
certifiers, and system accreditors).
Secondary audiences include technical educators, standards
bodies, and the research and development community.
1.4 Organization of the Standard
The remainder of this FIPS is organized as follows. Chapter 2
describes the activities of IT security development. Chapter
3 addresses the form and content of protection profiles.
Chapters 4, 5, and 6 provide detailed functional, development
assurance, and evaluation assurance component requirements
for use in constructing protection profiles. Chapter 7 is a
guide to constructing protection profiles using the component
requirements of Chapters 4 through 6. Several appendices
provide additional supporting guidance.
This standard is part of a series of FIPS publications.
Subsequent documents will be published as a Registry of
Profiles representing profiles that have been developed,
analyzed, and registered in accordance with this standard.
Additional profiles will be added to the registry as consumer
needs change and technology advances. Supporting guidelines
for the standard will be published as part of this FIPS series
or as other Federal agency publications.
Chapter 2.
IT SECURITY DEVELOPMENT
2.1 Overview
IT security development consists of three separate but related
activities that begin with consumer specification of
requirements for IT product security and end with installed
IT systems incorporating products that have been approved to
operate in a particular environment. The following list
describes these activities, shown in Figure 1:
a. Profile Development and Analysis. IT product security
requirements are specified in a structured format; analyzed
for completeness, consistency, and technical correctness;
and accepted into a registry of profiles.
b. Product Development and Evaluation. IT products are
developed (or may already exist) in response to a profile
and independently assessed to produce a rating regarding
the product's conformance to a profile's specific security
requirements.
c. System Development and Certification. One or more IT
products are combined into an IT system that has been
determined, from a security point of view, to be acceptable
for use in a specific environment and accredited for
operation.
This standard addresses the first of the three activities of
IT security development, (i.e., profile development and
analysis). Product development and evaluation as well as
system development and certification are beyond the scope of
this standard. Sections 2.4 and 2.5 briefly discuss these
activities to establish their relationship to profile
development.
In many cases, consumers will accept IT systems that contain
unevaluated IT products, thus bypassing two of the activities
of IT security development. This situation, however, places
more demands on the system development process and the final
certification and accreditation processes.
2.2 Functions and Assurance
This standard focuses on IT products that can potentially be
used in many diverse environments. These products are required
to support various organizational security policies and
address a diverse set of security requirements by providing
selected IT security features or services. Collectively,
these security features or services are known as protection
functions.
Specifying requirements for protection functions is a
necessary but insufficient way to ensure consumer confidence
that the resulting IT product will provide a viable solution
to a protection problem. It is also necessary to consider the
extent to which the protection functions can be relied upon.
Are the functions appropriate to counter the threats? Are the
functions sufficiently strong to counter the threats? Are the
functions implemented soundly? Are there any threats not
countered by the functions? The extent of this reliance is
known as assurance. Assurance is the basis for consumer
confidence or trust that an IT product is suitable, with
respect to security, for its intended use.
Three sources of IT product assurance have been identified:
protection functions built into the product, characteristics
of how the product was designed and developed, and results of
the independent examination of the product. These three
aspects of IT product assurance (i.e., what it contains, how
it was designed and developed, and how it was evaluated) are
related. The evaluation activity examines the results of the
IT product design, development, and implementation. Assurance
requirements vary in accordance with organizational security
policies, expected environment, and intended use of the IT
product. Producers, consumers, and evaluators of IT product
security perform different activities to obtain the requisite
assurance.
2.3 Profile Development and Analysis
During profile development and analysis, consumers and/or
producers define requirements for IT product security in a
unifying structure called a protection profile. A protection
profile contains IT product requirements for protection
functions, development assurance, and evaluation assurance.
These requirements can be framed in the context of a rationale
statement, which provides the overall justification for the
protection profile.
Acceptance of a newly developed protection profile requires
that the profile be carefully scrutinized for its usefulness,
both in content and form. It must also be analyzed for
completeness, consistency, and technical correctness.
Therefore, achieving profile acceptance will often require
iteration as the initial profile is refined. Profile revision
and analysis continues until an acceptable profile results.
The profile can then be entered into a registry as basis for
both product development and evaluation.
Some new profiles will have broad usefulness to the U.S.
Government. These profiles are candidates to become Federal
Information Processing Standards (FIPS). In these cases, the
public FIPS development and approval process will encompass
the profile analysis and registry mechanisms. For such
profiles, NIST and NSA, with security professionals from the
public and private sectors, will make use of invitational
workshops and public review to provide the quality control and
technical oversight that manages the proliferation of
protection profiles. Chapter 3 provides additional detail
that must be addressed during profile analysis, including
profiles that are in the process of becoming FIPS. However,
the specific details of that process are beyond the scope of
this standard.
Editor's Note: Although the process of profile
development and analysis is not fully mature, the
final version of the Federal Criteria will success-
fully answer questions such as the following: Will
all profiles be subjected to the same level of anal-
ysis? What methods of analysis and tools might be
employed? Will profiles be subject to modification?
How will new profiles be handled if they closely
resemble existing profiles in the registry? Who
will pay for profile analysis?
2.4 Product Development and Evaluation
During product development and evaluation, a producer will
incorporate protection functions into an IT product based on
the requirements of a protection profile selected from the
pool of registered profiles. Alternatively, a producer, who
has identified a market for an IT product unrelated to one of
the existing profiles, can undertake profile development and
analysis.
The requirements in a protection profile should be product
independent since many potential IT products may be able to
satisfy the requirements of a particular profile. The
comprehensive product description that explains how a
specific IT product meets the requirements of a given
protection profile is known as a security target. The security
target is a specification and elaboration of the more general
requirements in a protection profile and is, by definition,
product dependent. The security target is the primary means
of communicating specific product development information
(evidence) to independent evaluators or to consumers. The
development of product-specific security targets is beyond
the scope of this standard.
Subsequent to development, an independent evaluation of an IT
product may occur to produce a rating with respect to the
product's conformance to the specific security requirements
outlined in the protection profile. IT product evaluations may
be accomplished by one of several evaluation authorities, just
as profiles may be implemented by more than one producer.
Consequently, specific details regarding evaluation processes
are beyond the scope of this standard.
2.5 System Development and Certification
During system development and certification, IT products
typically will be combined with other IT products into system
configurations of varying degrees of complexity. The IT
products used during system development may or may not have
been formally evaluated. The completed IT systems will be
subsequently employed in specific operational environments.
An IT system must undergo an assessment and receive management
approval prior to becoming operational. The assessment and
management approval processes are known as system
certification and accreditation, respectively.
IT system certification is conducted in support of the
accreditation process. The extent to which a particular IT
system meets a set of security requirements for its mission
and operational environment is established by the
comprehensive assessment of its internal and external
security controls. In the Federal Government, a Designated
Approving Authority (DAA) receives the resulting
documentation to support the accreditation decision. In the
private sector, this information might be provided to an
equivalent designated management authority (e.g., corporate
executive officer, department head, or division manager).
IT system accreditation is the official management decision
to operate an IT system. The accreditation normally grants
approval for the IT system to operate (1) in a particular
security configuration, (2) with a prescribed set of
countermeasures (administrative, physical, personnel,
communications, emissions, and IT product internal security
controls), (3) against a defined threat with stated
vulnerabilities, (4) in a given operational context, (5) with
stated interconnections to other systems, (6) at an acceptable
level of risk for which the accrediting authority has formally
assumed responsibility, and (7) for a specified period of
time. The DAA formally accepts responsibility for the secure
operation of the system and officially declares that a
specified IT system will adequately protect against the
identified threats through the continuous use of
countermeasures. The accreditation decision affixes this
responsibility with the DAA and shows that due care has been
taken for security in accordance with applicable
organizational security policies.
Chapter 3.
PROTECTION PROFILES
3.1 Overview
A protection profile is an abstract specification of the
security aspects of a needed IT product. It is product
independent, describing a range of products that could meet
this same need. Required protection functions and assurances
must be bound together in a protection profile, with a
rationale describing the anticipated threats and intended
method of use. The protection profile specifies requirements
for the design, implementation, and use of IT products.
Protection profiles can be assembled from pre-specified or
unique functional and assurance components. A functional
component is a set of rated requirements for protection
functions to be implemented in an IT product (see Chapter 4).
An assurance component is a set of rated requirements for
development and evaluation activities conducted by producers
and evaluators during construction and independent assessment
of an IT product (see Chapters 5 and 6). For convenience,
groups of functional and assurance components can be assembled
into predefined packages (see Appendixes A and B). During
construction of the protection profile, additional
dependencies must be considered between functions and
assurances (see Chapter 7).
3.2 Sources of Protection Profiles
Consumers or producers within the Government or the private
sector develop protection profiles in response to a specific
need for information protection. Profile developers, or
sponsors, with a unique security need could propose a
protection profile for that need or, more typically, groups
of sponsors having similar needs could combine to propose one
profile that meets their common need. Multiple sponsors
supporting a single profile is an effective way to demonstrate
a larger market to potential IT product producers.
Unique protection profiles reflect the needs of diverse sets
of sponsors. For example, a banker's association might propose
a protection profile for secure electronic funds transfer, or
the Department of Defense might propose a protection profile
for military applications. A single protection may also apply
to many IT products, showing the diversity of potential
solutions for the requirements outlined in the profile.
A producer who identifies a market for IT product security can
also propose a profile to give consumers a means of referring
to a specific set of needs and to facilitate future evaluation
against those needs. The protection profile is intended to
respond to both the pull of consumer needs and to the push of
advancing technology. Ultimately, the protection profile is a
common reference among consumers, producers, and evaluators.
3.3 Protection Profile Contents
A protection profile contains five sections: descriptive
elements, rationale, functional requirements, development
assurance requirements, and evaluation assurance
requirements. The Descriptive Elements section provides
categorical and descriptive information necessary to
identify, categorize, register, and cross-reference a
protection profile in a registry of profiles. The narrative
description is a brief characterization of the profile,
including a description of the information protection problem
to be solved. This section applies to all potential users of
the profile to determine whether or not the profile is
applicable to a consumer's information protection needs.
The Rationale section provides the fundamental justification
for a protection profile, including threat, environment, and
usage assumptions. It also presents a more detailed
characterization of the protection problem to be solved by an
IT product meeting the requirements of the profile. This
section describes the protection problem in sufficient detail
for producers to understand the range of potential solutions
to the problem. It also provides information to consumers
regarding how IT products that successfully solve this problem
can be used to support an organization's security policy.
The Functional Requirements section establishes the
information protection boundary that must be provided by an
IT product. Expected threats to information within this
boundary must be countered by functions inside the protection
boundary. The more robust the expected threats, the greater
the required strength of the protection functions. The IT
product protection functions support an organization's
security policy when coupled with certain assumptions about
the product's intended use and anticipated operational
environment.
The Development Assurance Requirements section covers all
phases of an IT product's development, from the initial
product design through implementation. Specifically, the
development assurance requirements include the development
process, development environment, and operational support
requirements. In addition, since many assurance requirements
are not readily testable, it is necessary to study IT product
development evidence or documentation to verify that
requirements have been met. Development evidence requirements
are included in a protection profile to ensure that the producer
generates and retains appropriate documentation during product
development for subsequent analysis during evaluation and product
maintenance.
The Evaluation Assurance Requirements section specifies the type
and intensity of evaluation to be performed on an IT product
developed in response to a particular protection profile. In
general, for an IT product, the scope and intensity of evaluation
vary with the expected threat, intended method of use, and assumed
environment as defined by the profile developer in the rationale
section. Table 1 summarizes the contents of a protection profile.
Table 1. Protection Profile Structure
.-------------------------------------------------------------------------.
| Descriptive | Provides categorical and descriptive information |
| Elements | necessary to uniquely identify, register, and cross- |
| | reference a protection profile in a registery of |
| | profiles. Includes a description of the information |
| | protection problem to be solved. |
|--------------+----------------------------------------------------------|
| Rationale | Provides the fundamental justification for a protection |
| | profile, to include threat, environment, and usage |
| | assumptions. Addresses support for organization security |
| | policies. |
|--------------+----------------------------------------------------------|
| Functional | Establishes the boundary of responsibility for inform- |
| Requirements | ation protection that must be provided by an IT product, |
| | such that expected threats to information within this |
| | boundary are countered. |
|--------------+----------------------------------------------------------|
| Development | Specifies assurance requirements for all phases of an IT |
| Assurance | product's development from initial product design through|
| Requirements | implementation. Includes the development process, the |
| | development environment, operational support, and |
| | development evidence. |
|--------------+----------------------------------------------------------|
| Evaluation | Specifies assurance requirements for the kind and |
| Assurance | intensity of evaluation to be performed on an IT product |
| Requirements | developed in response to a protection profile in accord- |
| | ance with the expected threat, intended method of use, |
| | and assumed environment. |
`-------------------------------------------------------------------------'
3.4 Protection Profile Development
The requirements for protection functions, development assurance,
and evaluation assurance must be incorporated into a protection
profile. These requirements, specified by the rated functional and
assurance components, provide the basic building blocks for the
definition of a protection profile. The components must be
assembled into a consistent and coherent set that satisfies
specific security goals of the anticipated environments of product
use. The assembled components should counter expected threats,
eliminate vulnerabilities, support security policies, and satisfy
regulatory requirements defined in the anticipated environments of
use.
Figure 2 shows that protection profile development consists of two
stages: (1) an environment security analysis and (2) a component
requirement synthesis. The environment security analysis addresses
the identification of security requirements and provides
information necessary for the development of the profile rationale.
The component requirement synthesis addresses the selection of
appropriate functional and assurance components for the profile.
Developing a protection profile requires analysis of dependencies
among the functional components, among assurance components,
and between functional and assurance components (see Chapter
7).
3.4.1 Environment Security Analysis
During the environment security analysis stage, the sponsor
(i.e., profile developer) derives a set of environment-
specific security requirements based on expected threats and
vulnerabilities; intended method of IT product use;
environment assumptions; and policies, standards,
regulations, or directives (if any). Although these
requirements can be considered environment-specific, they
derive from several potential environments of product use, and
they capture the common security characteristics of those
environments. The result of the security analysis, the
environment-specific requirements, must characterize the
environments of use in a demonstrable way.
The selection of environment-specific security requirements
must be based on effectiveness of the security functions. The
sponsor must show that the requirements in the protection
profile satisfy the security objectives by countering the
expected threats and eliminating the anticipated
vulnerabilities. The effectiveness of the environment-
specific requirements is a primary justification that must be
provided in the profile rationale and an important
consideration in the acceptance of a profile. Other
considerations, such as the utility and relevance of the
anticipated environments of use, also apply to the profile
analysis.
3.4.1.1 Expected Threats
A threat is a classification of the capabilities, intentions,
and attack methods of adversaries to exploit (or any
circumstance or event with the potential to cause harm to)
information or an information system. Harm to information or
information systems due to threats may result because of
absence or failure of functional controls. The consequences
of threats may vary.
As suggested by Figure 3, the analysis of expected threats
starts at the boundary of the IT product's assumed
environment. The scope of the analysis continues inward
through the product's protection boundary to its protected
information resources. One result of the analysis is the
development of generic threat categories. These categories
can be ordered according to risk (probability of occurrence)
and level of severity. Appendix A provides a brief synopsis
of common threats to information technology.
3.4.1.2 Intended Method of Use and Environment
A protection profile must contain assumptions about the way
the product will be used and the environment in which it will
be placed. Assumptions should highlight significant
constraints. For example, in some environments, routine
product maintenance would be infeasible. These assumptions
will enable the profile's users to understand the significance
of the information being processed, the users and
administrators involved in the information processing, the
type of information processing, and the protection for the
processing environment and its relationship to the users.
Sample rationales might include the following:
Example 1: This IT product generally will be used to process
concurrent multiple levels of disclosure-sensitive and/or
manipulation-sensitive information (i.e., national security
information and/or information subject to organization
internal controls and external regulation). In the assumed
environment, sensitivity markings indicate the IT security
controls that must be applied to protect the information.
These sensitivity markings may be associated with objects that
range in size from data elements to files.
Example 2: The users and administrators have access to
multiple levels and types of information and processing
resources. Access authorization is based on attributes, such
as duties within roles, determination of need to know, trust
indicators (such as individual clearances or job
descriptions) and entry constraints (such as time, location,
terminal, and port).
Example 3: Information is processed on centralized general-
purpose shared computing resources allowing for both
interactive and batch processing. The operational mode is
concurrent multilevel processing. The user interface is
generally expected to be window-based. Use of a database
management system is anticipated. The database management
system need not be a part of the product offering, but a
description of how to integrate the database security
interface must be provided.
Example 4: The processing resources of the IT product,
including all terminations, will be located within user spaces
that have physical access controls. A restricted access
environment with unarmed guards should be assumed. The
possibility of the environment becoming hostile should be
considered (e.g., a U.S. Embassy in a foreign country).
Networking may be anticipated, but is not required as part of
the IT product offering.
3.4.2 Component Requirement Synthesis
During the second stage of protection profile development, the
environment-specific security requirements must be used in
conjunction with well-defined profile requirement
construction rules to select and tailor the generic functional
and assurance components provided in Chapters 4 through 6 of
this standard. The resulting profile specifies the protection
policy that must be supported within the IT product.
Not all environment-specific security requirements apply to
the selection of the functional and assurance components. The
environment-specific security requirements referred to in
this section are those requirements that may be used to select
functional and assurance components to be incorporated in a
protection profile.
The selection of components also involves dependencies among
components. Dependencies among functional components drive
the selection of the functional components. Dependencies
between functional and assurance components, and within the
assurance components affect assurance component selection.
Chapter 7 cites specific information on the techniques for
constructing protection profiles and the dependency
considerations between functional and assurance components.
3.5 Protection Profile Analysis
After a protection profile has been developed by a sponsor,
it must be analyzed. Protection profile analysis ensures that
the profile has the following characteristics: technical
soundness, usefulness, evaluation capability, distinctness,
and consistency.
The rationale section supports the profile analysis conducted
to assess whether the vulnerabilities constituting a
protection problem are adequately countered by the profile's
proposed protection functions and assurances. The profile
analysis determines that the risks identified in the
protection problem have been reduced to an acceptable level.
Profile analysis is important; many products may be created
in response to a protection profile.
As described in the following sections, the goals of
protection profile analysis are to ensure the following
characteristics:
a. Technical soundness. The elements of a protection profile
are technically sound and reasonably balanced, considering
the profile rationale (threat, usage, and environment
assumptions), and the functional and assurance
requirements.
b. Usefulness. IT products built to meet the requirements of
a protection profile will serve a useful purpose.
c. Evaluation capability. Implementation of a protection
profile's requirements can be evaluated. Consumers,
evaluators, and producers will understand how to determine
that the profile requirements have been met by a specific
IT product.
d. Distinctness. The protection profile is distinct, in that
it does not duplicate a need adequately described by
another profile.
e. Consistency. The protection profile is consistent with
other profiles in form and level of detail.
3.5.1 Technical Soundness
Determining technical soundness is a crucial part of the
analysis of a protection profile. The following three major
characteristics should be considered:
a. Strength or appropriateness of protection functions and
assurances. This characteristic is a judgment made by
comparing the profile rationale (threat, usage, environment
assumptions, and security policy) with the required
protection functions and assurances. It must be determined
that if the IT product is used as recommended, each stated
threat will be successfully addressed through the
prescribed combination of functional and assurance
requirements, taking into account assumptions about the
environment.
b. Internal consistency of profile requirements. This
characteristic is a judgment based on an overall analysis
of the protection profile to determine that the degree of
required protection functions is commensurate with the
degree of required assurance.
c. Requirement dependencies. This characteristic involves
dependencies that may exist among requirements and whether
any dependencies have not been considered in the
development of the protection profile. These dependencies
can be functional-functional, assurance-assurance, or
functional-assurance. Dependency analysis must be complete
and consistent.
Questions to be answered during the technical soundness
analysis might include the following: Are the functional
requirements sufficient to counter the expected threats? Are
any threats not countered adequately addressed in
environmental and/or other assumptions outside the domain of
the IT product? Is the degree of assurance compatible with the
threat expected and with the level of protection functions
required? Have all stated dependencies been addressed? Have
any dependencies been omitted? Are there inconsistencies in
protection functions resulting from an examination of
dependencies?
3.5.2 Usefulness
A management decision is necessary to commit the resources for
conducting a profile analysis. Consumers and producers may
determine the usefulness of a profile based on different
criteria. Determining the profitability of a market is clearly
a producer's responsibility. The protection profile analysis
is not intended to interfere with the producer's business
decisions. Usefulness analysis relies primarily on the
rationale section of the profile to express the need with
respect to threat, usage and environment assumptions.
The analysis also includes an assessment of development
feasibility. Protection profiles requiring research and
development efforts should be identified so that the profiles
will not raise expectations for near-term implementations.
Questions to be answered during the usefulness analysis might
include the following: Does this protection profile address a
real problem? Does this protection profile differ
significantly from existing profiles, or could the needs
described in this profile be met adequately by another
existing profile? If the demand is too small to support
commercial off-the-shelf products, what factors could induce
producers to develop products for a niche market?
Approximately how large is the demand for these products? Is
the protection profile readily implementable? Is the state of
technology sufficiently developed or is basic or applied
research and development necessary?
3.5.3 Evaluation Capability
The protection profile requirements must be reviewed to ensure
that IT products intended to satisfy the requirements in the
protection profile are capable of being evaluated. A
protection profile may be used as the basis for product
development. The evaluation capability analysis of the
profile can pay off by clearly defining what is expected
during the evaluation process. As far as possible,
requirements in the protection profile should be stated in
objective terms so the producer and the evaluator will be more
likely to agree on their interpretation of the requirements.
If certain requirements must be stated in subjective terms,
clear and explicit guidelines should be presented to explain
what factors should be considered to determine whether the
requirements have been met. Requirements should be simple,
declarative statements and for ease of reference,
requirements should be numbered or otherwise indexed. These
features will help to ensure that requirements will not be
overlooked, either during product design and development or
during evaluation.
Questions to be answered during the evaluation capability
analysis might include the following: Is the purpose or
objective of each requirement clear? What does each
requirement contribute to the overall IT product security? Is
the phrasing of each requirement clear and concise? Are the
criteria for success for each requirement self-evident or
explicitly provided? Is there a means by which it can be shown
that each protection requirement has been established in the
producer's IT product? Is each requirement objective? If a
requirement is subjective, is it accompanied by objective
factors to be considered when determining if the requirement
has been met?
3.5.4 Distinctness
A new protection profile is compared with existing profiles
to determine that it meets a unique need and that the
requirements of no other existing profile address that same
need. A protection profile, once registered, is not intended
to be changed (except for editorial changes that would not
affect any producers currently developing products to meet
that profile specification). This constraint is intended to
preserve a relatively stable and manageable set of
requirements. New needs must be met by new profiles. Similar
protection profiles are cross-referenced.
Questions to be answered during distinctness analysis might
include the following: Do the presumed threats described in
this profile very closely resemble those of any other existing
profile? If yes, is there a significant difference between the
two profiles? Do the required protection functions very
closely resemble those of any other existing profile? If yes,
does a significant difference exist between the two profiles?
Do the functional requirements and rationale sections of the
protection profile resemble another protection profile with
different assurance requirements? If yes, can assurance
requirements of the other profiles be changed?
3.5.5 Consistency
Protection profiles must be consistent with one another in
form and level of detail. This review analyzes the profile to
ensure that the properties associated with accepted
protection profiles are present. A clear and convincing case
must be made for allowing protection profiles whose form must
differ from the norm.
Questions to be answered during consistency analysis might
include the following: Is the protection profile complete? Are
the objectives and expected threats discussed reasonably
complete for the expected environments and intended method of
use? Can the threats be shown to be mitigated by attributes
of the IT product or its environment? Is the protection
profile internally consistent in its level of protection? Are
the form and degree of detail of the protection profile
consistent with the form and degree of detail of other
profiles?
3.6 Protection Profile Registration
To provide a relatively stable environment, a profile is
intended never to be changed once it is registered. However,
evaluation experience may identify errors and ambiguities
that need to be corrected. New information protection
requirements will be addressed by the development of new
profiles.
Protection profiles that have completed analysis will be
registered. Producers can select profiles for IT product
implementation. The profiles in the public registry can also
serve as templates for the development of new profiles.
Editor's Note: The specific details of profile reg-
istration are currently under development and have
not been completed. It is envisioned that the pro-
file registry could contain three independent reg-
istration types: (1) the complete protection
profiles, (2) functional packages, and (3) assur-
ance packages. Packages would identify any associ-
ated dependencies. The registration bodies that
approve the inclusion of new protection profiles
would also approve the registry of new packages for
protection functions and assurance.
Chapter 4.
FUNCTIONAL REQUIREMENTS
4.1 Overview
The functional requirements presented in this chapter enable the
definition of different protection profiles that can be used in
different environments of IT product use and address different
threats. These requirements allow protection profile extension and
refinement, which may become necessary as technology changes and as
experience is gained. They also enable the harmonization of this
standard with existing standards, such as the Canadian Trusted
Computer Product Evaluation Criteria (CTCPEC), the Information
Technology Security Evaluation Criteria (ITSEC), and the Trusted
Computer System Evaluation Criteria (TCSEC). Thus, these requirements
allow the definition of protection profiles that closely capture the
functional characteristics of IT products evaluated under the existing
standards.
The functional requirements defined in this chapter are grouped into
components of trusted computing bases (TCBs). The TCB is the totality
of an IT product's elements, comprising the hardware, firmware, and
software code and data structures responsible for enforcing the
product's protection functions. Thus, a functional component is a set
of requirements levied on either (1) one or more TCB functions that
can be invoked through the TCB interface (e.g., system call,
supervisor call) or (2) one or more internal modules or sections of
code and data structures of a TCB function.
The functional components defined in this standard are based on the
premise that the TCB is the only part of the product that needs to be
analyzed and evaluated to determine the protection characteristics of
a product. For this reason, this standard need not define more than
the desirable sets of functional components for TCBs. Since different
functions of a TCB help counter different threats, the analysis of the
TCB protection must identify the set of components that collectively
helps counter a specified set of threats. To make a protection profile
generally applicable to a wide set of products, the desirable
components included in a protection profile must be specified in a
product-independent manner, in terms of generic protection
requirements, rather than by specific mechanisms that may vary from
product to product. The threats countered by the TCB functional
components also must be defined in generic terms rather than by
specific threat instances that may vary from environment to
environment.
The functional components presented in this standard are derived from
existing security criteria and requirements of commercial and
non-commercial environments. To address a wide variety of protection
needs, each functional component is rated based on a set of
well-defined parameters. This rating is intended to capture the
desirable variations in the protection merits of component
requirements. This rating can also help clarify the relationships
between these requirements and those of existing standards.
This chapter is divided into four sections. The remainder of this
section groups the functional components of a TCB into eight classes
and describes the types of components in each class. The second
section presents a description of each type of functional component in
terms of the generic threats and vulnerabilities these components are
intended to counter or eliminate. The third section presents the rated
functional components. The last section includes a bibliography of
useful literature references. (Appendix B presents the reference
monitor concept and its role in product security, and Appendix C
presents the components required in defining an access control
policy.)
Classes of TCB Functions: Eight classes of TCB functions and
associated components with distinct protection requirements are
identified in the Taxonomy of TCB Functions (Figure 4). These classes
are: (1) security policy support, (2) reference mediation, (3) TCB
logical protection, (4) TCB physical protection, (5) TCB
self-checking, (6) TCB start-up and recovery, (7) TCB privileged
operation, and (8) TCB ease-of- use. It is important to note that all
but the first class of the components listed above are sometimes
considered to be operational assurances. However, a different point of
view is taken in this standard for two reasons. First, if a protection
relevant component requires that specific software, hardware, or
firmware elements (i.e., code, data structures) be part of the TCB,
then that component implements a necessary protection function, even
if it only indirectly contributes to the overall protection of the
product. Second, functional components actively help counter TCB
external threats or eliminate vulnerabilities, whereas assurance
components do not. Instead, the assurance components help identify and
eliminate potential vulnerabilities caused by errors of omission, or
commission, in TCB development, life cycle maintenance, and operation.
Therefore, the items in component classes two through eight are
categorized as functional components instead of operational
assurances.
Security Policy Support. This class of components defines four
functional components for basic security policy support at the
interfaces of typical TCBs: (1) accountability policy components,
which include the functional components of identification and
authentication (I&A), system entry control, trusted path, and audit,
(2) an access control policy component, (3) availability policy
components, which include resource allocation and fault tolerance
components, and (4) security management components. The degree to
which a product's TCB must implement the requirements of these
functional components depends upon the threat environment assumed and
the product's security objectives. Furthermore, the ability of a
product's TCB to correctly support a set of organizational security
policies depends jointly on (1) the product policies implemented by
the TCB functions (e.g., these policies must be consistent with those
of the organization), (2) the correct operation and input by system
administrative personnel (e.g., system start-up or recovery must be
performed properly; the user registration and the system entry
parameters must be set properly), and (3) the actions of the
unprivileged users themselves (e.g., choice of passwords, setting of
an object's default access rights, distribution of access rights).
Reference Mediation. The requirements of this component ensure that
all references issued by subjects external to the TCB (i.e.,
unprivileged subjects) to objects, resources, and services of a
product are validated by the TCB in accordance with the security
policies of the product. Satisfying the requirements of this component
establishes complete reference mediation (i.e., a reference of a
subject external to the TCB cannot circumvent the security policies of
the TCB).
TCB Logical Protection. The requirements of this component ensure that
at least one domain is available for the TCB's own execution, and that
the TCB is protected from external interference and tampering (e.g.,
by modification of TCB code or data structures) by unprivileged
subjects. Satisfying the requirements of this component makes the TCB
self-protecting. Therefore, an unprivileged subject cannot modify or
damage the TCB.
Note that the reference mediation and the TCB logical protection
components include the first two requirements of the reference
validation mechanism (see Appendix B). These two components, as well
as the security policy support, are necessary for all protection
profiles. The strong dependency of these two components on the
development assurance components is defined by the third requirement
of the reference validation mechanism (see Chapter 7; Appendix B).
TCB Physical Protection. The requirements of this component ensure
that the TCB is either protected from physical tampering and
interference or operates in a protected environment. Satisfying the
requirements of this component causes the TCB to be packaged and used
in such a manner that (1) physical tampering is detectable, or (2)
resistance to physical tampering is measurable based on defined work
factors. Without this component, the protection functions of a TCB
lose their effectiveness in environments where physical damage cannot
be prevented.
TCB Self-Checking. The requirements of this component ensure that
hardware, firmware, or software are available to validate the correct
operation of the TCB and the consistency of the TCB's protection data
structures. Satisfying the requirements of this component allows the
TCB to (1) detect corruption of protection-relevant code and data
structures resulting from various mechanism failures and (2) initiate
corrective action. This component is important because, unlike TCB
protection, corruption of protection-relevant code and data structures
resulting from mechanism failures can only be detected, not prevented.
TCB Start-Up and Recovery. The requirements of this component ensure
that the TCB can determine that the IT product is started without
protection compromise and can recover without protection compromise
after a detected failure or other discontinuity. Satisfying the
requirements of this component establishes that the initial and
recovered states of a TCB satisfy the security policy, reference
mediation, and TCB protection requirements. This component is
important because the start-up TCB state determines the protection of
subsequent states, and once the corruption of a protection-relevant
data structure by a failure is detected, TCB recovery action becomes
necessary.
TCB Privileged Operation. The requirements of this component ensure
that TCB functions operate with the fewest privileges necessary to
accomplish their purpose. Satisfying the requirements of this
component causes identification of system privileges required by each
TCB function and the addition of mechanisms that associate these
privileges with specific TCB functions, modules, or actions. This
component is important because it helps restrict the propagation of
errors and failures.
TCB Ease-of-Use. The requirements of this component enable the use of
the TCB by users, administrators, and their applications. Satisfying
the requirements of this component provides (1) fail-safe defaults
(i.e., defaults that deny access whenever a user or administrator
fails to specify access to subjects and objects), (2) user-defined
defaults, (3) well-defined interface conventions, (4) the users'
ability to reduce their own privileges, and (5) subject, object,
resource, and service protection in common configurations. Without
this component, the protection value of the TCB functions is
diminished since few users and applications would be able to employ
these functions effectively.
4.2 TCB Functional Components
The TCB functional components are presented in terms of the generic
threats and vulnerabilities they are intended to counter or eliminate.
Most protection profiles for IT products based on operating systems
will include most of the functional components presented in the
following subsections. Protection profiles for other types of IT
products may include only some of these components depending upon the
product's purpose.
4.2.1 Security Policy Support
The focus of information protection within an IT product is to support
an organization's security policies. This section describes TCB
functions and associated components (i.e., accountability, access
control, availability, and security management) that help support
organizational security policies. The generic functional components
have been written to be policy neutral (i.e., they are capable of
supporting a wide variety of protection policies). Specific product
policies or types of product policies (e.g., policies derived from the
DoD policy for confidentiality, a hospital's policy for privacy and
integrity of patient records, or a phone company's policy for
availability) can be defined by assigning a specific meaning to, or
refining the generic, policy neutral components. Details of profile
construction and synthesis of profile components from generic
components are provided in Chapter 7.
4.2.1.1 Accountability Policy
An IT product that supports accountability policies must include
functions capable of attributing responsibility for an action to an
accountable entity (i.e., the identified and authenticated individual
whose policy attributes may include name, role, group, and/or security
level). Accountability requirements may be satisfied in a product
through the use of the following functional components. Identification
and authentication components establish the authenticity of the
claimed identity by the user. System entry components provide the
appropriate time, location, and mode-of-entry context for the user's
interactions. Trusted path components ensure that nothing can
interfere with the interactions between the TCB and the authenticated
user. Audit components ensure that user interactions are recorded and
attributed to the accountable user identity. Each of these components
is discussed in more detail in the following subsections.
4.2.1.1.1 Identification & Authentication (I&A)
I&A components specify functional requirements for the TCB to verify
the claimed identity of individuals attempting system entry.
Identification and authentication is required to ensure that the
authenticated users are associated with the proper set of policy
attributes (e.g., identity, groups, roles, security or integrity
levels, time intervals, location). Thus, identification and
authentication enables the TCB to ensure that all individuals entering
a system and accessing its subjects, objects, and services are
authorized to do so by the system entry and TCB's protection policy,
and that the accountability policy can be enforced. In operating
systems, the I&A functions constitute the main part of the process
commonly known as "login," with the balance of the process consisting
of system entry and trusted path functions.
4.2.1.1.2 System Entry
The system entry components specify functional requirements for the
control of an identified and authenticated user's entry into the
system. The user's entry into the system typically consists of the
creation of one or more subjects that execute instructions in the
system on behalf of the user. At the end of the system entry
procedure, provided the system entry conditions are satisfied, the
created subjects bear the policy attributes determined by the I&A
functions. System entry conditions can be specified in terms of policy
attributes such as the user's identity, group or role membership,
confidentiality and integrity levels, time intervals, location, and
mode of access.
The system entry procedure may include warnings about unauthorized
attempts to gain access to the system. It may also display last login
data to the user, so that the user can determine whether the previous
successful login was performed by the user and not by an intruder who
successfully broke the user's password, for instance. The system entry
procedure may enable the control of (1) multiple simultaneous user
logins, (2) locking an interactive session during periods of user
inactivity, (3) time intervals during authorized user access, and (4)
location or port of user entry.
System entry control can help counter threats of inadvertent,
deliberate, or coerced access performed in an unauthorized manner by
an authenticated user. For example, the location and time of system
entry can be constrained in such a way that identified and
authenticated users located in areas of high exposure (e.g., public
areas) cannot display sensitive data, enter high-integrity commands,
or operate outside working hours. Similarly, controlling the mode of
system entry helps ensure that identified and authenticated users
cannot remotely start batch computations that would normally require
the user's attendance.
4.2.1.1.3 Trusted Path
Trusted path components specify functional requirements for ensuring
that users have direct, unencumbered communication with the TCB. A
trusted path may be required at login time and at other times during a
subject session. These trusted path exchanges may be initiated by a
user during a TCB interaction. However, a TCB or a trusted
application request for user input should also allow a user to
initiate and respond via the trusted path. A user's response via the
trusted path guarantees that untrusted applications cannot intercept
and/ or modify the user's response.
The threats countered by these components are unauthorized discovery
and/or modification of user-private information associated with
commands (e.g., login password, sensitivity of the user's actions),
and modification of commands and command parameters causing incorrect
user input to the TCB. Trusted path programs of the TCB may also be
invoked by trusted applications to ensure correct display of
information to the user. These programs may also allow the addition of
trusted application commands to the trusted path so that users could
communicate securely with these applications.
Absence of a trusted path may allow breaches of accountability in
environments where untrusted applications are used. These applications
can intercept user-private information, such as passwords, and use it
to impersonate other legitimate users. As a consequence,
responsibility for any system actions cannot be reliably assigned to
an accountable entity. Also, these applications could output erroneous
information on an unsuspecting user's display. Thus, subsequent user
actions may be erroneous and may lead to security breaches.
4.2.1.1.4 Audit
The audit components specify requirements for monitoring and, in some
cases, detecting real or potential violations of security policies in
organizations that use IT products containing audit functions. These
functions help monitor the use of access rights by authorized users,
and act as a deterrent against usage policy violations.
Auditing involves recognizing, recording, and analyzing user actions
that are considered, by audit administrators, to be critical to the
success of an organization's security policy. The resulting audit
records can be examined to determine which security-relevant user
actions took place and who was responsible for them. The audit
component requirements refer to the basic audit mechanisms, including
audit data protection, record format and event selection, as well as
to analysis tools, violation alarms, and real-time intrusion detection
systems, which use the basic mechanisms.
Recognition of auditable actions is based largely on administratively
supplied specifications of user actions and patterns of behavior whose
appropriateness is considered to be significant to the satisfaction of
an organization's security policy. The designers of an IT product must
either anticipate which actions and patterns are likely to be
considered important to organizations with respect to their security
policies, or provide an audit interface that allows trusted (and
possibly other) applications to recognize and pass audit data to the
TCB. Since the purpose of the audit mechanism is to audit user
actions, including administrative actions, designers of the audit
mechanism cannot uniformly assume that all authorized actions are
appropriate; consequently. some administrative actions must always be
audited.
The IT product must record each action that has been deemed auditable
along with accompanying information needed to un- derstand the
apparent purpose or effect of that action (e.g., user environment
variables, programs used to preprocess user input). Recorded audit
data must be protected by the TCB from inappropriate modification,
use, or destruction. To avoid re- pudiation, the mechanism by which
audit data is gathered must be known and reliable. Often this implies
the use of a trusted communications mechanism. At higher levels of
assurance, the auditing of key administrative actions should resist
all at- tacks by remote users and otherwise undetectable attacks by
users with access to the physical audit media (e.g., through the use
of write-once audit disks).
Finally, audit data must be available for analysis in a timely manner
and in a useful format, within policy constraints established for the
product. This requirement motivates the design of pre- and
post-processing software that organizes audit data into a presentable
format and/or delivers it to authorized users or processes acting on
their behalf.
4.2.1.2 Access Control Policy
The access control objectives of organizational security policies can
be divided into two classes, namely confidentiality and integrity.
These objectives determine whether the organization intends to prevent
unauthorized disclosure or unauthorized modification and destruction
of information. Often, organizational security policies include both
confidentiality and integrity objectives to varying degrees. These
policies reflect both security and system management goals that should
be satisfied by multiple IT products.
The extent to which an IT product's access control policy supports
high-level system and organizational security policy objectives varies
from product to product. Few commercial products are designed to
support a single specific organizational policy. Instead, commercial
products implement either low-level access control policies that can
be tailored to support high-level organizational policies or multiple
organizational policies that could be individually instantiated on a
system basis. For example, some products implement both the DoD
mandatory confidentiality policy (as modeled by Bell & LaPadula) and a
mandatory integrity policy (as modeled by Biba). When using such IT
products in environments where only the mandatory integrity policy
needs to be enforced, the DoD mandatory confidentiality policy could
be deconfigured (e.g., all authorization checks for DoD mandatory
confidentiality would pass and all options for displaying, or
requesting, confidentiality levels would be disabled). Similarly,
other organizational policies, such as the role-based access control
policies, could be configured in a product when the environment of
product use makes it necessary.
The access control policies in this section are IT product policies
implemented by TCB functional components and are distinguished from
the higher level system and organizational security policies, which
generally use product policies to help achieve the higher level
security objectives. Product access control policies are designed to
counter generic threats. These policies traditionally have been
classified as discretionary or non-discretionary, depending upon
whether the access control decisions regarding an object are primarily
based on actions of the unprivileged user and/or subject that created
the object or primarily based on administrative actions. Access
control policies of many products combine both discretionary and
non-discretionary policies to counter different types of threats and
eliminate various vulnerabilities.
4.2.1.2.1 Discretionary Access Control Policies
The generic threats addressed by discretionary access control policies
are those of unauthorized access, propagation or retention of access
rights to user's objects, and unauthorized creation or destruction of
subjects and objects. Discretionary access controls enable users and
applications to protect their objects from unauthorized access by
other users and applications. These controls are effective, provided
that malicious code is not introduced and used by a user or on behalf
of a user.
Discretionary access control policies cannot counter and are not
intended to address several generic threats and vulnerabilities such
as Trojan horse or virus propagation within a user application. This
is because these policies have traditionally imposed very few
restrictions on object sharing. Most commercially available IT
products that support only discretionary policies could not adequately
control or confine the actions of a Trojan horse or a virus within an
application. Furthermore, discretionary policies are not intended to
control the flow of information between a subject and/or object to
system variables that do not represent subjects and/or objects (e.g.,
internal variables of an operating system). Consequently, the use of
covert channels is a threat that cannot be countered by any
discretionary access control policy.
Discretionary access controls are also not intended to prevent
surrogate access to objects. As a typical example of surrogate access,
consider an object's owner who allows user A, but not user B, to read
the contents of one of the owner's objects. However, the object owner
cannot exercise any control over user A's discretion on how to use the
object contents. User A can transfer the contents of the owner's
object to user B in an authorized manner via the interprocess
communication facilities; or user A may simply copy the contents of
the owner's object into another object shared with user B. The object
owner cannot control user A's legitimate discretionary communications
with user B, and thus, the object owner cannot control the flow of
data to and from the object caused by user A on behalf of user B.
A range of discretionary policies have been used by various IT
products to satisfy different protection requirements. These policies
range from those where the owner (creator or controller) of an object
(and an application running on the owner's behalf) has complete
control over who can access that object to those where any possessor
of an access right to an object can freely distribute that access
right to, and subsequently revoke it from, other users and
applications.
Generic threats to access control not countered by discretionary
access controls are intended to be countered by non-discretionary
access controls. These non-discretionary access control policies are
discussed in the next section.
4.2.1.2.2 Non-Discretionary Access Control Policies
Non-discretionary access control policies are intended to counter
threats posed by malicious code (e.g., Trojan horses or virus codes)
within application programs, by surrogate subjects, and in general, to
counter both unauthorized access to objects and unauthorized flow of
information between subjects and objects, not just unauthorized
propagation of access rights. An IT product that provides
non-discretionary access control can confine the effects of malicious
code and the flow of information between subjects and objects as
specified by system administrators. In general, non- discretionary
controls are specified by security administrators and cannot be
changed over time by unprivileged subjects. Thus, the unprivileged
subject's discretion as to whether an object can be accessed is
limited by administrative controls. Also, an unprivileged user can
only exercise very limited access-control discretion. By selecting
certain policy attributes from the attribute sets defined by
administrators (e.g., role, session security level), the user selects
the access control attributes for subjects created for him/her to run
external to the TCB. Non-discretionary policies allow the basis for
determining whether a subject could have access to an object based
exclusively on the subject's and the object's non-discretionary policy
attributes. In this sense, non-discretionary access controls can
confine user and application program activity.
Unlike discretionary access controls, which typically do not offer
separate and explicit support for specific confidentiality and
integrity policies beyond distinguishing between attributes for
reading and writing objects, non- discretionary controls can
demonstrate support for high-level organizational policies. This is
due, in part, to the central (organizational) role played by system
administrators in the control of access authorization and object
sharing, as opposed to discretionary policies where individual object
creators, not system administrators, play this access authorization
and object-sharing-control role.
Various non-discretionary access control policies have been used in
different products. These policies range from the DoD mandatory
policies used to protect the confidentiality of classified documents
to separation of role and separation of duty policies intended to
protect the integrity of databases. Also, some products have a
capability to enforce both non- discretionary confidentiality and
integrity controls on the same or different sets of subjects and
objects.
Both non-discretionary confidentiality and integrity policies may, or
may not, adequately control the flow of information and the use of
covert channels. Not all non-discretionary policies are aimed at
controlling the use of covert channels. Should covert channels be
considered a threat, however, both non-discretionary confidentiality
and integrity policies require measures of covert channel handling.
These measures are discussed in the next section.
4.2.1.2.3 Covert Channel Handling
Covert-channel handling components include both technical requirements
(e.g., elimination, bandwidth reduction to acceptable levels,
deterrence of use by auditing covert storage channels), and
administrative or environmental requirements (e.g., exclusive use of
trusted software by trusted users in environments where all
unauthorized information flow must be prevented).
Covert-channel elimination requires that the design and/or
implementation of a system be changed so that covert channels are
removed from the product. These changes include (1) the elimination of
resource sharing between any subjects that could take part in covert
channel use by preallocating maximum resource demands to all such
subjects or by partitioning resources on a per-subject basis, and (2)
the elimination of interfaces, features, and mechanisms which can
cause covert leakage. Since covert-channel elimination may be
impractical for some channels, other handling functions may be useful
in a TCB (e.g., bandwidth limitation functions).
Covert-channel bandwidth limitation requires that the maximum, or
alternatively, the average bandwidth of any channel be reduced to a
limit deemed acceptable in the environment of product use. In
sensitive applications, bandwidth limitation may require that the
aggregated (i.e., combined) bandwidth of a product's covert channels
be reduced to an acceptable value. Bandwidths can be limited by (1)
deliberate introduction of noise in TCB functions used to exploit the
channels (e.g., use of random allocation algorithms for shared
resources such as indexes in shared tables, disk areas, and process
identifiers, or introduction of extraneous processes that modify
covert channel variables of a TCB in pseudo-random patterns), or (2)
deliberate introduction of delays in each TCB primitive of a real
channel.
Covert-channel auditing is a primary method used to discourage the use
of covert channels. This method assumes that the frequent use of a
channel can be unambiguously detected by audit mechanisms. Some covert
channels preclude the use of channel audit, elimination, and bandwidth
limitation methods. These channels typically include the timing
channels that arise from hardware-resource sharing (e.g., shared
busses, processor caches). Furthermore, in some environments, the
threat analysis may indicate that any use of covert channels cannot be
tolerated. However, in most commercial products it is impractical to
eliminate all covert channels. If such products are used in such
non-tolerant environments, the effect of covert-channel use must be
neutralized. This could be done by the exclusive use of trusted
product and application software. In such cases, evidence must be
provided to justify that the exclusive use of trusted application
software is sufficient to render the existing covert channels
ineffective.
4.2.1.3 Availability Policy
An IT product which supports availability policies must provide
protection functions capable of controlling the availability of the
product subjects, objects, resources, and services. Availability
components refer to policies for prevention, detection, and recovery
from unauthorized denial of service caused by unprivileged subjects.
These components also refer to the use of redundancy and recovery from
lack of availability caused by TCB failures. Because subjects and
objects are represented by, and consume, system resources such as
primary memory and disk space, CPU time, and shared TCB internal
tables and objects, the allocation of these resources must be
controlled to allow policy-ensured accesses to take place.
A product that controls the availability of subjects, objects, and
services may include TCB functions that prevent denial of service and
provide fault tolerance. The needed availability functions of a TCB
may include resource allocation containment and fault tolerant
services.
4.2.1.3.1 Resource Allocation
Resource allocation functions allow the TCB to control the use of
product resources by users and subjects such that denial of service
will not take place. Denial-of-service protection can be provided by
containing resource allocations in time and space, or by establishing
priority-based allocations.
Resource allocation rules may allow the creation of quotas or other
means of defining limits on the amount of resource space or time that
may be allocated on behalf of a specific user, process, or task. These
rules may provide for object quotas that constrain the number and/or
size of objects a specific user may allocate. Resource allocation
rules may control the allocation/deallocation of pre-assigned resource
blocks where these blocks are defined under the control of the TCB.
Under these rules, subjects and objects are assigned allocation
attributes so that the TCB can enforce appropriate quotas. Finally,
resource allocation rules may prioritize subject access to resources
so that subjects with the highest priorities are given preferential
access to these resources.
4.2.1.3.2 Fault Tolerance
TBD.
4.2.1.4 Security Management
The TCB of an IT product must support security management components
to enable administrative users to set up and control the secure
operation of the product. These components refer to TCB functions
associated with both administrator and operator roles, and have both
access control, audit, and availability relevance.
Security management components refer to the following types of
functions:
a. TCB generation, installation, configuration, and non- routine
maintenance (e.g., TCB manual recovery, installation of "patches"
correcting security flaws, repair of damaged TCB hardware and software
elements).
b. Definition and update of user security characteristics (e.g.,
unique identifiers associated with user names, user accounts, per-user
policy attributes, system entry parameters, availability parameters or
resource quotas).
c. Definition and update of security policy parameters (e.g.,
identification and authentication, system entry, access control, and
availability parameters).
d. Routine control and maintenance of product resources (e.g.,
enable and disable peripheral devices, mounting of removable storage
media, backup and recovery of user objects, and routine maintenance of
TCB hardware and software elements).
e. Auditing both privileged and unprivileged user actions, and
audit management (e.g., selection of audit events, management of audit
trails, audit trail analysis, and audit report generation).
The security management functions help counter the same threats as
those countered by the security policy functions (i.e.,
accountability, access control, and availability). This is the case
because the security management functions implement a significant part
of all the system security policies. In addition, when the security
management functions are partitioned into different administrative
roles, they help limit the potential damage caused by unskilled or
corrupt administrators.
4.2.2 Reference Mediation
Functions that implement a security policy provide effective
protection against unauthorized access only if all references (i.e.,
denoted by <action; object(s) > tuples) issued by subjects are
directed by the TCB code to the appropriate security policy modules
for validation. Should such references be incorrectly directed, or not
directed at all, to the required policy modules, policy enforcement
will be incorrect, incomplete, or absent, despite correct and complete
policy implementation. This would allow unprivileged subjects to
bypass security policy in a variety of unauthorized ways (e.g., bypass
certain access checks for a subset of the objects and subjects, bypass
all checks for a type of object whose protection was assumed by
applications, retain access rights beyond their intended expiration
time, and/or bypass audit).
Note that the requirements of the reference mediation component are
independent of the particular policies supported by a product.
4.2.3 TCB Logical Protection
The protection of the TCB from external interference and tampering is
a fundamental component of any secure product. Should unprivileged
subjects read or modify TCB elements (i.e., data structures and code),
the security policy might be circumvented or even modified in
potentially undetectable ways.
The reading of TCB internal variables, that is, variables that are not
part of any defined subject or object (e.g., internal TCB buffers,
table entries), would not be addressed by low- level product policies
defined solely in terms of subjects and objects. In this case, reading
by users or subjects outside the TCB would not be prohibited, even
though it could result in failure to support the organizational
policies. Similarly, modification of TCB internal variables may cause
(1) the introduction of miscreant code into the TCB, which can modify
product policies, (2) the modification of user and application-level
objects that depend on the consistency of the TCB internal variables,
(3) denial of service to users and applications, and/or (4) covert
transfer of information through the TCB in violation of
information-flow policy. Unauthorized acquisition of privileges might
allow the reading and modification of TCB internal variables and
objects (e.g., password files, group and/or role definition files,
files defining security and/or integrity levels) and might allow
unprivileged users to execute privileged functions.
To provide TCB isolation, all references to TCB internal entities and
all access rights passed by unprivileged subjects to the TCB must be
mediated in a non-circumventable manner. This particular form of
mediation is not specified as an access mediation requirement because
a cyclic dependency would be introduced between access mediation and
TCB protection. This is the case because the correct reference
mediation depends on TCB protection (see discussion in Chapter 7,
"Construction of Protection Profiles").
4.2.4 TCB Physical Protection
TCB physical protection components refer to restrictions of
unauthorized physical access to the TCB, and to deterrence of
unauthorized physical use, modification, or substitution of the TCB.
4.2.5 TCB Self-Checking
TCB self-checking functions are needed to detect the corruption of
protection-relevant code and data structures by various failures that
do not necessarily stop the product's operation (which would be
handled by TCB recoverability). These checks must be performed
because these failures may not necessarily be prevented. Such failures
can occur either because of unforeseen failure modes and associated
oversights in the design of hardware, firmware, or software, or
because of malicious corruption of the TCB due to inadequate physical
TCB protection.
4.2.6 TCB Start-Up and Recovery
TCB recovery components refer to the functions that respond to
anticipated failures or discontinuity of operations. These functional
components cannot handle "unanticipated" failures or discontinuity of
operation, and manual administrative procedures must be employed for
such events.
Recovery components reconstruct TCB secure states or prevent
transitions to insecure states as a direct response to occurrences of
expected failures, discontinuity of operation or start-up. Failures
that must be generally anticipated include (1) actions failures (e.g.,
actions that fail to complete because they detect exceptional
conditions during their operation); (2) unmaskable action failures
that always cause a system crash (e.g., persistent inconsistency of
critical system tables, uncontrolled transfers within TCB code caused
by transient failures of hardware or firmware, power failures,
processor failures); (3) non-volatile media failures causing part or
all of the media representing TCB objects to become inaccessible or
corrupt (e.g., disk head crash, persistent read/write failure caused
by misaligned disk heads, worn-out magnetic coating, dust on the disk
surface); and (4) discontinuity of operation caused by erroneous
administrative action or lack of timely administrative action (e.g.,
unexpected shutdowns by turning off power, ignoring the exhaustion of
critical resources, inadequate installed configuration).
4.2.7 TCB Privileged Operation
Functions that limit the privileges available to the TCB are primarily
intended to limit the damage that can be caused by errors and failures
of TCB mechanisms. To accomplish this, it is necessary to limit the
interactions among privileged TCB components to a minimum such that
improper use of privileges by a TCB function, module, or action as a
consequence of failures or accidents will have limited or no effect on
other components. For example, the association of privileges with
different administrative commands facilitates the separation of
administrative roles. Similarly, the association of different
privileges with TCB components that have no functional interaction,
such as audit trail and password management components, limits the
possibility of unwarranted interaction. As a consequence, if a
penetration of a component takes place, the likelihood that other
unrelated components are also penetrated may be diminished. The finer
the granularity of privileges and of privilege association with TCB
functional components, actions of components, and administrative
roles, the less chance of damage caused by errors, failures,
accidents, and penetrations.
4.2.8 TCB Ease-of-Use
The notion that an IT product must include functions which facilitate
and enhance the use of basic protection mechanisms is motivated by two
related observations. First, if a product's protection mechanisms are
complex, difficult to use, or have inadequate performance, they will
not be used by system administrators or by application programmers.
The mere presence of (potentially elaborate) security policies in a
product is insufficient to facilitate the development or use of secure
applications and the secure management of a product. An IT product
may still be vulnerable to inadvertent errors caused by difficulties
in using the product's protection functions. Second, functions that
facilitate and enhance the use of basic protection mechanisms may be
difficult to retrofit into a product because of their pervasiveness.
Instead, to be effective, these components must be included in the
initial product design.
4.3 Rated Functional Components
Functional components can be selected for inclusion in a profile based
on environment-specific requirements (see Chapter 3). To facilitate
this selection and compatibility with existing criteria, each of the
functional components of a TCB is rated. The rating of the TCB
functional components is based on the following four parameters: (1)
the scope of the requirement application, (2) the granularity of the
requirement, (3) the coverage of a requirement's features, and (4) the
strength of the requirement.
Scope. The scope of a requirement determines the entity subset to
which the requirement applies; i.e., (1) to all the users, subjects
and objects, (2) to all the TCB functions and application programming
interfaces, (3) to all TCB elements (i.e., hardware, firmware,
software, data structures and code), and (4) to all TCB
configurations, or only to a defined subset thereof. For example, the
access control, audit, availability, reference mediation, and
ease-of-use components may refer only to certain subsets of objects
and configurations; trusted path may include only certain subsets of
the TCB commands (only login commands but not change-of- password
commands or change-role commands); and the recovered secure state of
the TCB may include all the user objects or only a defined set.
Granularity. The granularity of a requirement determines the
entity-attribute subset to which the requirement applies (e.g.,
whether the requirement applies to all attributes of users, subjects
or objects, or only to a defined subset of attributes). Access
control, audit, and reference mediation may include only certain
attributes of subjects and objects, but not others. For example,
access control, audit, and reference mediation may refer to access
rights for objects and subjects, but not to object and subject status
variables; authentication may be based on group or role identities,
but not on individual user identity; privileges may be associated with
roles, but not with individual TCB functions or actions (e.g.,
function invocations).
Coverage. The coverage of a requirement determines the feature subset
included in that requirement. This is illustrated in the following
examples:
a. Access control may include only discretionary features of
authorization, administration of policy attributes (e.g., user
identities, groups, security and/or integrity levels, roles), and
object and/or subject creation and destruction, but not encapsulation.
b. Audit may include only post-processing analysis tools for
detecting accumulation of events (e.g., multiple failed logins) but
not real-time alarms.
c. Availability may include resource restrictions but not
prioritized resource allocation.
d. TCB protection may include only isolation features but not TCB
consistency features.
e. Physical TCB protection may include only attack detection and
deterrence features, but not attack countermeasures.
f. TCB self-checking may be periodical or continuous.
g. Recovery may be only manual, not automatic.
h. The ease-of-use mechanisms may include administrative and
application programming support features but may not minimize
performance penalties of using them.
Strength. The strength of a requirement supported by a function
defines the conditions under which that function withstands a defined
attack or tolerates failures. For example, the user authentication
function may withstand certain kinds of impersonation attacks but not
others (e.g., the password complexity rules may counter human guessing
attacks but not automated attacks using a dictionary). Other examples
include conditions in which conjunction of independent user
authentication mechanisms yields stronger authentication than the use
of either mechanism alone, or a certain encryption mechanism for
one-way function computation may have different work factor
characteristics than other encryption mechanisms. Similarly, the TCB
physical protection characteristics may vary according to different
work factor characteristics.
The strength of a requirement may also be used to differentiate access
control policies. For example, non- discretionary access controls are
typically stronger than discretionary access controls with respect to
their ability to counter attacks mounted by miscreant application code
executing programs on behalf of an unsuspecting user. However, this
notion of strength is not used to rate individual access control
components. Instead, it is used in the analysis of the protection
profiles (i.e., in assessing whether a chosen access control policy
can counter specific threats).
Rating implies some form of ordering. The independent application of
the scope, granularity, coverage, and strength parameters to
distinguish between the levels of functional components may not
necessarily lead to a linear ordering among these levels. To obtain
such an ordering these rating parameters are applied in the order in
which they are listed above. Whenever all rating parameters apply to a
given functional component, lower levels are distinguished by scope
and granularity and higher levels by coverage and strength. However,
this ordering of the rating parameters does not imply that each
component level represents a component extension resulting from the
application of a single rating parameter. Instead, a component level
change may represent a component extension resulting from the
application of several rating parameters characterizing the intent of
a functional component (e.g., support of a specific policy,
compatibility with existing standards and guidelines).
The above parameters and ordering are chosen to enable the rating of
functional components at levels of detail comparable to those of
existing standards (e.g., TCSEC, CTCPEC, ITSEC), thereby enabling
potential harmonization with these standards. However, the rating of
functional components does not restrict a profile developer to the
choices of rated components presented. As illustrated in Chapter 7, a
profile developer can synthesize new components from existing ones
(e.g., by assigning a specific meaning to a generic requirement, by
refining a requirement of a component, by augmenting a lower rated
component with an individual requirement of a higher rated component)
within the constraints of dependency analysis.
The means of rating each component are summarized in Table 2.
Table 2. Rated Functional Components
.--------------------------------------------------------------------------.
| | | Granu- | Cover- | |
| Functional Component | Scope | larity | age | Strength |
|=====================================|=======|========|========|==========|
| Security Policy Support | | | | |
|-------------------------------------+-------+--------+--------+----------|
| Accountability | | | | |
|-------------------------------------+-------+--------+--------+----------|
| Identification & Authentication | | | X | X |
|-------------------------------------+-------+--------+--------+----------|
| System Entry | | | X | |
|-------------------------------------+-------+--------+--------+----------|
| Trusted Path | X | | X | |
|-------------------------------------+-------+--------+--------+----------|
| Audit | | | X | X |
|-------------------------------------+-------+--------+--------+----------|
| Access Control | X | X | X | |
|-------------------------------------+-------+--------+--------+----------|
| Covert Channel Handling | X | | X | |
|-------------------------------------+-------+--------+--------+----------|
| Availability | | | | |
|-------------------------------------+-------+--------+--------+----------|
| Resource Allocation | X | | X | |
|-------------------------------------+-------+--------+--------+----------|
| Fault Tolerance | --- | --- | --- | --- |
|-------------------------------------+-------+--------+--------+----------|
| Security Management | | | X | X |
|-------------------------------------+-------+--------+--------+----------|
| Reference Mediation | X | X | X | |
|-------------------------------------+-------+--------+--------+----------|
| TCB Logical Protection | | | X | |
|-------------------------------------+-------+--------+--------+----------|
| TCB Physical Protection | | | X | X |
|-------------------------------------+-------+--------+--------+----------|
| TCB Self-checking | X | | X | |
|-------------------------------------+-------+--------+--------+----------|
| TCB Start-up and Recovery | | | X | |
|-------------------------------------+-------+--------+--------+----------|
| TCB Privileged Operation | | X | | |
|-------------------------------------+-------+--------+--------+----------|
| TCB Ease-of-Use | X | | X | |
`--------------------------------------------------------------------------'
4.3.1 Rated Identification & Authentication Components
Identification and authentication is a required component for most
security policies. Without this component, the threat of unauthorized
or inappropriate system entry and access to resources could not be
countered. However, weak identification and authentication functions
could not counter the threat of impersonation attacks by unauthorized
users. For this reason, identification and authentication components
are noted based on both the coverage and strength of the
authentication features. Furthermore, the combined use of more than
one type of authentication can provide greater control over
unauthorized access.
The features covered at level I&A-1 include only minimal forms of
individual user authentication. This level of I&A is intended for use
in products with limited capabilities, such as automated guards, where
basic I&A and system-entry audit are the primary functions supported.
In contrast, the features of level I&A-2 include policy attributes
that are determined on an individual basis, thereby providing basic
authorization. The use of this level is anticipated in most operating
systems where policy attributes, such as groups and security levels,
need to be authenticated for system entry. Level I&A-3 extends the
feature coverage of level I&A-2 by providing a well-defined set of
responses to authentication exceptions and a capability to maintain,
protect and display user status information. The use of this level is
anticipated to include products with well-defined access control and
availability policies as well as system-entry control. The level I&A-4
extends the feature coverage of level I&A-3 by requiring that
installable mechanisms be supported, and that a policy be enforced
that assigns a specific authentication procedure to each user, or to a
policy attribute of each user. Level I&A-5 strengthens level I&A-4 by
requiring that two or more identification and authentication
mechanisms authenticate certain user identities or other policy
attributes.
I&A-1 Minimal Identification and Authentication
1. The TCB shall require users to identify themselves to it
before beginning to perform any other actions that the TCB is expected
to mediate. The TCB shall be able to enforce individual
accountability by providing the capability to uniquely identify each
individual user. The TCB shall also provide the capability of
associating this identity with all auditable actions taken by that
individual.
2. The TCB shall use a protected mechanism (e.g., passwords) to
authenticate the user's identity.
3. The TCB shall protect authentication data so that it cannot be
used by any unauthorized user.
I&A-2 Identification, Authentication, and Authorization
1. The TCB shall require users to identify themselves to it
before beginning to perform any other actions that the TCB is expected
to mediate. The TCB shall be able to enforce individual
accountability by providing the capability to uniquely identify each
individual user. The TCB shall also provide the capability of
associating this identity with all auditable actions taken by that
individual.
2. The TCB shall maintain authentication data that includes
information for verifying the identity of individual users (e.g.,
passwords) as well as information for determining the product policy
attributes of individual users (e.g., groups, roles, security and/or
integrity levels, time intervals, location). These data shall be used
by the TCB to authenticate the user's identity and to ensure that the
attributes of subjects external to the TCB that may be created to act
on behalf of the individual user satisfy the product policy (e.g., the
subject security level and authorizations are dominated by the
clearance and authorization of that user).
3. The TCB shall protect authentication data so that it cannot be
used by any unauthorized user.
I&A-3 Exception-Controlled Identification and Authentication
1. The TCB shall require users to identify themselves to it
before beginning to perform any other actions that the TCB is expected
to mediate. The TCB shall be able to enforce individual
accountability by providing the capability to uniquely identify each
individual user. The TCB shall also provide the capability of
associating this identity with all auditable actions taken by that
individual.
2. The TCB shall maintain authentication data that includes
information for verifying the identity of individual users (e.g.,
passwords) as well as information for determining the product policy
attributes of individual users (e.g., groups, roles, security and/or
integrity levels, time intervals, location). These data shall be used
by the TCB to authenticate the user's identity and to ensure that the
attributes of subjects external to the TCB that may be created to act
on behalf of the individual user satisfy the product policy (e.g., the
subject security level and authorizations are dominated by the
clearance and authorization of that user).
3. The TCB shall protect authentication data so that it cannot be
used by any unauthorized user. The TCB shall appear to perform the
entire user authentication procedure even if the user identification
entered is invalid.
The TCB shall end the attempted login session if the user performs the
authentication procedure incorrectly for a number of successive times
(i.e., a threshold) specified by an authorized system administrator. A
default threshold shall be defined. When the threshold is exceeded,
the TCB shall send an alarm message to the system console and/or to
the administrator's terminal, log this event in the audit trail, and
delay the next login by an interval of time specified by the
authorized system administrator. A default time interval shall be
defined. The TCB shall provide a protected mechanism to disable the
user identity or account when the threshold of successive,
unsuccessful login attempts is violated more than a number of times
specified by the administrator. By default, this mechanism shall be
disabled (as it may cause unauthorized denial of service).
4. The TCB shall have the capability to maintain, protect, and
display status information for all active users (e.g., users currently
logged on, current policy attributes) and of all user accounts (i.e.,
enabled or disabled user identity or account).
I&A-4 Installable I&A Mechanisms
1. The TCB shall require users to identify themselves to it
before beginning to perform any other actions that the TCB is expected
to mediate. The TCB shall be able to enforce individual
accountability by providing the capability to uniquely identify each
individual user. The TCB shall also provide the capability of
associating this identity with all auditable actions taken by that
individual. Furthermore, the TCB shall have the capability of
associating a unique identity with each privileged subject.
2. The TCB shall maintain authentication data that includes
information for verifying the identity of individual users (e.g.,
passwords) as well as information for determining the product policy
attributes of individual users (e.g., groups, roles, security and/or
integrity levels, time intervals, location). These data shall be used
by the TCB to authenticate the user's identity and to ensure that the
attributes of subjects external to the TCB that may be created to act
on behalf of the individual user satisfy the product policy (e.g., the
subject security level and authorizations are dominated by the
clearance and authorization of that user).
The TCB shall be able to incorporate and use installable
authentication mechanisms, such as token-based cards, biometrics, or
trusted third- party mechanisms, in the place of or in addition to the
default authentication (e.g., password- based) mechanism, to
authenticate the user. The TCB shall be able to enforce separate user
authentication procedures based on specific policy attributes.
3. The TCB shall protect authentication data so that it cannot be used
by any unauthorized user. The TCB shall appear to perform the entire
user authentication procedure even if the user identification entered
is invalid.
The TCB shall end the attempted login session if the user performs the
authentication procedure incorrectly for a number of successive times
(i.e., a threshold) specified by an authorized system administrator. A
default threshold shall be defined. When the threshold is exceeded,
the TCB shall send an alarm message to the system console and/or to
the administrator's terminal, log this event in the audit trail, and
delay the next login by an interval of time specified by the
authorized system administrator. A default time interval shall be
defined. The TCB shall provide a protected mechanism to disable the
user identity or account when the threshold of successive,
unsuccessful login attempts is violated more than a number of times
specified by the administrator. By default, this mechanism shall be
disabled (as it may cause unauthorized denial of service).
4. The TCB shall have the capability to maintain, protect, and
display status information for all active users (e.g., users currently
logged on, current policy attributes) and of all user accounts (i.e.,
enabled or disabled user identity or account).
I&A-5 Multiple I&A Mechanisms
1. The TCB shall require users to identify themselves to it
before beginning to perform any other actions that the TCB is expected
to mediate. The TCB shall be able to enforce individual
accountability by providing the capability to uniquely identify each
individual user. The TCB shall also provide the capability of
associating this identity with all auditable actions taken by that
individual. Furthermore, the TCB shall have the capability of
associating a unique identity with each privileged subject.
2. The TCB shall maintain authentication data that includes
information for verifying the identity of individual users (e.g.,
passwords) as well as information for determining the product policy
attributes of individual users (e.g., groups, roles, security and/or
integrity levels, time intervals, location). These data shall be used
by the TCB to authenticate the user's identity and to ensure that the
attributes of subjects external to the TCB that may be created to act
on behalf of the individual user satisfy the product policy (e.g., the
subject security level and authorizations are dominated by the
clearance and authorization of that user).
The TCB shall be able to incorporate and use installable
authentication mechanisms, such as token-based cards, biometrics, or
trusted third- party mechanisms, in the place of or in addition to the
default authentication (e.g., password- based) mechanism, to
authenticate the user. The TCB shall be able to enforce separate user
authentication procedures based on specific policy attributes. Each
user shall be authenticated by two or more types of authentication
mechanisms; i.e., the authentication is successful only if all
mechanisms individually indicate successful authentication. The TCB
shall be able to enforce the use of these mechanisms on a
policy-attribute basis.
3. The TCB shall protect authentication data so that it cannot be used
by any unauthorized user. The TCB shall appear to perform the entire
user authentication procedure even if the user identification entered
is invalid.
The TCB shall end the attempted login session if the user performs the
authentication procedure incorrectly for a number of successive times
(i.e., a threshold) specified by an authorized system administrator. A
default threshold shall be defined. When the threshold is exceeded,
the TCB shall send an alarm message to the system console and/or to
the administrator's terminal, log this event in the audit trail, and
delay the next login by an interval of time specified by the
authorized system administrator. A default time interval shall be
defined. The TCB shall provide a protected mechanism to disable the
user identity or account when the threshold of successive,
unsuccessful login attempts is violated more than a number of times
specified by the administrator. By default, this mechanism shall be
disabled (as it may cause unauthorized denial of service).
4. The TCB shall have the capability to maintain, protect, and
display status information for all active users (e.g., users currently
logged on, current policy attributes) and of all user accounts (i.e.,
enabled or disabled user identity or account).
4.3.2 Rated System Entry Components
System entry control helps enhance accountability by providing a time,
space, and mode-of-entry context to each action for which the user is
held accountable. The additional constraints of system entry control
help gain increased confidence that the proper user is held
responsible for a set of authorized actions.
System entry by an identified and authenticated user shall be
controlled by the TCB. The conditions under which a user subject
(e.g., process) is created on behalf of an identified and
authenticated user shall be specified. The specification of these
conditions shall be based on users' policy attributes (e.g., groups,
roles, security and/or integrity levels, time intervals, location).
The system-entry components are rated based on the coverage of
specific conditions of system entry. For example, the features covered
at level SE-1 include only basic forms of system entry (e.g., system
entry conditions based on group or role membership, and security
and/or integrity levels). This level is intended for use in most IT
products that support system-entry control. Products that do not
implement explicit system-entry control rely on the identification and
authentication mechanism as the default system entry control. The
features of level SE-2 include, in addition to the entry conditions of
level SE-1, entry conditions defined in terms of the time and the
location of entry. The level SE-3 extends the feature coverage of
level SE-2 by requiring the explicit user ability to lock and unlock
the user's own interactive sessions. Primitive forms of such locking
by terminating and restarting a session are considered to have a
substantially narrower coverage than those intended at this level and
may be used only at lower levels.
SE-1 Basic System Entry Control
1. Prior to initiating the system login procedure, the TCB shall
display an advisory warning message to the user regarding unauthorized
use of the system and the possible consequences of failure to heed
this warning.
2. Before system entry is granted to a user, the identity of that
user shall be authenticated by the TCB. If the TCB is designed to
support multiple login sessions per user identity, the TCB shall
provide a protected mechanism to enable limiting the number of login
sessions per user identity or account with a default of a single login
session.
3. The TCB shall grant system entry only in accordance with the
authenticated user's policy attributes. The system entry conditions
shall be expressed in terms of users' policy attributes (e.g.,
greatest lower bound and least upper bound computations including the
user levels, terminal levels, system levels). If no explicit system-
entry conditions are defined, the system-entry default shall be used
(e.g., the correct user authentication).
4. The TCB shall provide a protected mechanism that enables
authorized administrators to display and modify the policy attributes
used in system-entry control for each user. The conditions under which
an unprivileged user may display these attributes shall be specified.
5. Upon a user's successful entry to the system, the TCB shall
display the following data to the user and shall not remove them
without user intervention: (1) the date, time, means of access and
port of entry of the last successful entry to the system; and (2) the
number of successive, unsuccessful attempts to access the system since
the last successful entry by the identified user.
6. The TCB shall either lock or terminate an interactive session
after an administrator- specified interval of user inactivity. The
default value for this interval shall be specified.
SE-2 Time and Location Based Entry Control
1. Prior to initiating the system login procedure, the TCB shall
display an advisory warning message to the user regarding unauthorized
use of the system and the possible consequences of failure to heed
this warning.
2. Before system entry is granted to a user, the identity of that
user shall be authenticated by the TCB. If the TCB is designed to
support multiple login sessions per user identity, the TCB shall
provide a protected mechanism to enable limiting the number of login
sessions per user identity or account with a default of a single login
session.
3. The TCB shall grant system entry only in accordance with the
authenticated user's policy attributes. The system entry conditions
shall be expressed in terms of users' policy attributes (e.g.,
greatest lower bound and least upper bound computations including the
user levels, terminal levels, system levels). If no explicit system-
entry conditions are defined, the system-entry default shall be used
(e.g., the correct user authentication). The TCB shall provide a
protected mechanism to allow or deny system entry based on specified
ranges of time. Entry conditions using these ranges shall be specified
using time-of-day, day-of-week, and calendar dates.
The TCB shall provide a protected mechanism to allow or deny system
entry based on location or port of entry. Conditions for system entry
via dial-up lines (e.g., lists of user identities authorized to enter
the system via dial-up lines), if any, shall be specified.
4. The TCB shall provide a protected mechanism that enables
authorized administrators to display and modify the policy attributes
used in system-entry control for each user. The conditions under which
an unprivileged user may display these attributes shall be specified.
5. Upon a user's successful entry to the system, the TCB shall
display the following data to the user and shall not remove them
without user intervention: (1) the date, time, means of access and
port of entry of the last successful entry to the system; and (2) the
number of successive, unsuccessful attempts to access the system since
the last successful entry by the identified user.
6. The TCB shall either lock or terminate an interactive session
after an administrator- specified interval of user inactivity. The
default value for this interval shall be specified.
SE-3 Session Locking and Unlocking
1. Prior to initiating the system login procedure, the TCB shall
display an advisory warning message to the user regarding unauthorized
use of the system and the possible consequences of failure to heed
this warning.
2. Before system entry is granted to a user, the identity of that
user shall be authenticated by the TCB. If the TCB is designed to
support multiple login sessions per user identity, the TCB shall
provide a protected mechanism to enable limiting the number of login
sessions per user identity or account with a default of a single login
session.
3. The TCB shall grant system entry only in accordance with the
authenticated user's policy attributes. The system entry conditions
shall be expressed in terms of users' policy attributes (e.g.,
greatest lower bound and least upper bound computations including the
user levels, terminal levels, system levels). If no explicit system-
entry conditions are defined, the system-entry default shall be used
(e.g., the correct user authentication). The TCB shall provide a
protected mechanism to allow or deny system entry based on specified
ranges of time. Entry conditions using these ranges shall be specified
using time-of-day, day-of-week, and calendar dates.
The TCB shall provide a protected mechanism to allow or deny system
entry based on location or port of entry. Conditions for system entry
via dial-up lines (e.g., lists of user identities authorized to enter
the system via dial-up lines), if any, shall be specified.
4. The TCB shall provide a protected mechanism that enables
authorized administrators to display and modify the policy attributes
used in system-entry control for each user. The conditions under which
an unprivileged user may display these attributes shall be specified.
5. Upon a user's successful entry to the system, the TCB shall
display the following data to the user and shall not remove them
without user intervention: (1) the date, time, means of access and
port of entry of the last successful entry to the system; and (2) the
number of successive, unsuccessful attempts to access the system since
the last successful entry by the identified user.
6. The TCB shall either lock or terminate an interactive session
after an administrator- specified interval of user inactivity. The
default value for this interval shall be specified. The TCB shall also
provide a mechanism for user- initiated locking of the user's own
interactive sessions (e.g., keyboard locking) that includes: (1)
clearing or over-writing display devices to make the current contents
unreadable; (2) requiring user authentication prior to unlocking the
session; and (3) disabling any activity of the user's data
entry/display devices other than unlocking the session.
4.3.3 Rated Trusted Path Components
The trusted path components are rated based on the scope and coverage
of the trusted-path interactions (e.g., user-TCB interactions
including the number and types of commands included in the trusted
path). Primitive forms of trusted path, such as terminating a login
session or powering off a workstation to guarantee trusted path
interaction, are considered to have a substantially narrower scope and
coverage than those enabling trusted path within a login session.
The rating of the trusted path components intends to guarantee at the
lowest level, TP-1, that a trusted communication channel exists from
the user to the TCB for initial identification purposes. For higher
levels, both the scope and the coverage of trusted path are extended.
At level TP-2, trusted path includes not only login commands but also
other commands that require protection (e.g., change of subject policy
attributes). Thus, the TCB guarantees the invocation of a trusted
communication channel from the user to the TCB for trusted sensitive
commands and their parameters. At level TP-3, the coverage of the
trusted path features is enlarged to enable trusted applications to
communicate with the user for the validation of specific TCB mediated
tasks (e.g., change of policy attributes, change of user registration
parameters). This means that a trusted application can use a separate,
trusted display feature, and that commands of the trusted application
can be introduced in the user-initiated trusted path.
TP-1 Login Trusted Path
The TCB shall support a trusted communication path between itself and
the user for initial identification and authentication. Communications
via this path shall be initiated exclusively by a user.
TP-2 Trusted User-to-TCB Communication
The TCB shall support a trusted communication path between itself and
users for use whenever a positive user-to-TCB connection is required
(e.g., login, change of policy attributes). Communications via this
trusted path shall be activated exclusively by a user or the TCB and
shall be logically isolated and unmistakably distinguishable from
other communication paths.
TP-3 Trusted Application-to-User Communication
The TCB shall support a trusted communication path between itself and
users for use whenever a positive user-to-TCB connection is required
(e.g., login, change of subject or object attributes). Communications
via this trusted path shall be activated exclusively by a user or the
TCB and shall be logically isolated and unmistakably distinguishable
from other communication paths.The TCB shall also support a trusted
communication path between trusted applications and users when a
trusted application-to-user connection is required (e.g., display or
input of application sensitive data).
4.3.4 Rated Audit Components
The audit components are rated based on the coverage of the
event-selection mechanisms and audit-analysis tools, and the strength
of monitoring user actions (e.g., degree to which active, real-time
monitoring is possible.) The audit requirements that follow are
divided into four parts: first, the protection of the audit trail and
the control of access to audit data; second, the definition of the
auditable events; third, format and recording of the audit data; and
fourth, the selection of audit events, and audit-data management,
analysis, and reporting.
Level AD-1 includes minimal audit requirements; i.e., requirements
that must be satisfied by all systems (to the extent to which they
incorporate relevant policy functions). The audit coverage is
extended at audit level AD-2 by extending the types of auditable
events and by the inclusion of additional audit management functions.
Audit function coverage is further extended at level AD-3 by the
requirements for availability of trusted audit tools that enhance
audit control (e.g., tools offering a graphical interface to the
auditor, tools that enable the auditor to perform consistency checking
of the selected events and of audit trails, tools that enhance the
ease-of-auditing). Level AD-4 extends the coverage of the audit
features of level AD-3 by requiring detection of accumulation of
security-relevant events and generation of alarms whenever such events
are detected. AD-5 represents an added level of auditing strength
since it requires that auditing be performed in real-time. Thus, real-
time intrusions can be detected.
AD-1 - Minimal Audit
1. The TCB shall be able to create, maintain, and protect from
modification or unauthorized access or destruction an audit trail of
accesses to the objects it protects. The audit data shall be protected
by the TCB so that read access to it is limited to those who are
authorized for audit data.
2. The TCB shall be able to record the following types of events:
- use of the identification and authentication mechanisms;
- introduction of objects into a user's address space (e.g.,
file open, program initiation), and deletion of objects;
- actions taken by computer operators and system
administrators and/or system security officers.
If availability policies are supported, attempts to circumvent or
otherwise gain unauthorized access to resource-allocation limits shall
be audited.
If non-discretionary access control policies are supported, the TCB
shall be able to record any override of human-readable output
markings. When the non-discretionary access control policies aim to
control the flow of information between subjects, the TCB shall also
be able to audit the identified event that may be used in the
exploitation of covert channels.
3. For each recorded event, the audit record shall identify: date
and time of the event, user, type of event, and success or failure of
the event. For identification/authentication events the origin of
request (e.g., terminal ID) shall be included in the audit record. For
events that introduce an object into a user's address space and for
object deletion events the audit record shall include the name and
policy attributes of the object (e.g., object security level).
4. The system administrator shall be able to selectively audit
the actions of one or more users based on individual identity and/or
object policy attributes (e.g., object security level).
AD-2 Basic Audit
1. The TCB shall be able to create, maintain, and protect from
modification or unauthorized access or destruction an audit trail of
accesses to the objects it protects. The audit data shall be protected
by the TCB so that read access to it is limited to those who are
authorized for audit data.
2. The TCB shall be able to record the following types of events:
- use of the identification and authentication mechanisms, and
system entry events;
- access control events selectable on a per user, per subject,
per object, and/or per policy attribute basis; i.e., introduction of
objects into a user's address space (e.g., file open, program
initiation), creation and deletion of subjects and objects;
distribution and revocation of access rights; changes of subject and
object policy attributes; acquisition and deletion of system
privileges;
-actions taken by computer operators and system administrators
and/or system security officers; i.e., privileged operations such as
the modification of TCB elements; accesses to TCB objects; changes of
policy attributes of users, TCB configuration and security
characteristics, and system privileges; selection and modification of
audited events.
The events that are auditable by default, and those that are required
for successful auditing of other events, which may not be disabled,
shall be defined. The TCB shall provide a protected mechanism that
displays the currently selected events and their defaults. The use of
this mechanism shall be restricted to authorized system
administrators.
If availability policies are supported, attempts to circumvent or
otherwise gain unauthorized access to resource-allocation limits shall
be audited.
If non-discretionary access control policies are supported, the TCB
shall be able to record any override of human-readable output
markings. When the non-discretionary access control policies aim to
control the flow of information between subjects, the TCB shall also
be able to audit the identified event that may be used in the
exploitation of covert channels.
3. For each recorded event, the audit record shall identify: date
and time of the event, user, type of event, and success or failure of
the event. For identification/authentication events the origin of
request (e.g., terminal ID) shall be included in the audit record. For
events that introduce an object into a user's address space and for
object deletion events the audit record shall include the name and
policy attributes of the object (e.g., object security level).
4. The TCB shall provide a protected mechanism to turn auditing
on and off, and to select and change the events to be audited and
their defaults, during the system operation. The use of this mechanism
shall be restricted to authorized system administrators. The system
administrator shall be able to selectively audit the actions of one or
more users based on individual identity and/or object policy
attributes (e.g., object security level). Audit review tools shall be
available to authorized system administrators to assist in the
inspection and review of audit data, and shall be protected from
unauthorized use, modification, or destruction.
The TCB shall also provide protected audit-trail management functions
that shall enable:
-creation, destruction, and emptying of audit trails; use of
warning points regarding the size of the audit data, and modification
of the audit trail size;
-formatting and compressing of event records;
-displaying of formatted audit trail data; and
-maintaining the consistency of the audit trail data after
system failures and discontinuity of operation.
AD-3 Audit Tools
1. The TCB shall be able to create, maintain, and protect from
modification or unauthorized access or destruction an audit trail of
accesses to the objects it protects. The audit data shall be protected
by the TCB so that read access to it is limited to those who are
authorized for audit data.
2. The TCB shall be able to record the following types of events:
- use of the identification and authentication mechanisms, and
system entry events;
- access control events selectable on a per user, per subject,
per object, and/or per policy attribute basis; i.e., introduction of
objects into a user's address space (e.g., file open, program
initiation), creation and deletion of subjects and objects;
distribution and revocation of access rights; changes of subject and
object policy attributes; acquisition and deletion of system
privileges;
-actions taken by computer operators and system administrators
and/or system security officers; i.e., privileged operations such as
the modification of TCB elements; accesses to TCB objects; changes of
policy attributes of users, TCB configuration and security
characteristics, and system privileges; selection and modification of
audited events.
The events that are auditable by default, and those that are required
for successful auditing of other events, which may not be disabled,
shall be defined. The TCB shall provide a protected mechanism that
displays the currently selected events and their defaults. The use of
this mechanism shall be restricted to authorized system
administrators.
If availability policies are supported, attempts to circumvent or
otherwise gain unauthorized access to resource-allocation limits shall
be audited.
If non-discretionary access control policies are supported, the TCB
shall be able to record any override of human-readable output
markings. When the non-discretionary access control policies aim to
control the flow of information between subjects, the TCB shall also
be able to audit the identified event that may be used in the
exploitation of covert channels.
3. For each recorded event, the audit record shall identify: date
and time of the event, user, type of event, and success or failure of
the event. For identification/authentication events the origin of
request (e.g., terminal ID) shall be included in the audit record. For
events that introduce an object into a user's address space and for
object deletion events the audit record shall include the name and
policy attributes of the object (e.g., object security level).
4. The TCB shall provide a protected mechanism to turn auditing
on and off, and to select and change the events to be audited and
their defaults, during the system operation. The use of this mechanism
shall be restricted to authorized system administrators. The system
administrator shall be able to selectively audit the actions of one or
more users based on individual identity and/or object policy
attributes (e.g., object security level). Audit review tools shall be
available to authorized system administrators to assist in the
inspection and review of audit data, and shall be protected from
unauthorized use, modification, or destruction.
The TCB shall provide tools for audit data processing. These shall
include specifically designed tools: for verifying the consistency of
the audit data; for verifying the selection of audit events; for audit
trail management. The audit trail management tools shall enable:
-creation, destruction, and emptying of audit trails; use of
warning points regarding the size of the audit data, and modification
of the audit trail size;
-formatting and compressing of event records;
-displaying of formatted audit trail data; and
-maintaining the consistency of the audit trail data after
system failures and discontinuity of operation.
5. Audit review tools shall be available to authorized users to
assist in the inspection and review of audit data, and shall be
protected from unauthorized modification or destruction. The TCB shall
also provide tools for post-collection audit analysis (e.g., intrusion
detection) that shall be able to selectively review (1) the actions of
one or more users (e.g., identification, authentication, system-entry,
and access control actions); (2) the actions performed on a specific
object or system resource; and (3) all, or a specified set of, audited
exceptions; and (4) actions associated with a specific policy
attribute.The review tools shall be able to operate concurrently with
the system operation.
AD-4 Audit Alarms
1. The TCB shall be able to create, maintain, and protect from
modification or unauthorized access or destruction an audit trail of
accesses to the objects it protects. The audit data shall be protected
by the TCB so that read access to it is limited to those who are
authorized for audit data.
2. The TCB shall be able to record the following types of events:
- use of the identification and authentication mechanisms, and
system entry events;
- access control events selectable on a per user, per subject,
per object, and/or per policy attribute basis; i.e., introduction of
objects into a user's address space (e.g., file open, program
initiation), creation and deletion of subjects and objects;
distribution and revocation of access rights; changes of subject and
object policy attributes; acquisition and deletion of system
privileges;
-actions taken by computer operators and system administrators
and/or system security officers; i.e., privileged operations such as
the modification of TCB elements; accesses to TCB objects; changes of
policy attributes of users, TCB configuration and security
characteristics, and system privileges; selection and modification of
audited events.
The events that are auditable by default, and those that are required
for successful auditing of other events, which may not be disabled,
shall be defined. The TCB shall provide a protected mechanism that
displays the currently selected events and their defaults. The use of
this mechanism shall be restricted to authorized system
administrators.
If availability policies are supported, attempts to circumvent or
otherwise gain unauthorized access to resource-allocation limits shall
be audited.
If non-discretionary access control policies are supported, the TCB
shall be able to record any override of human-readable output
markings. When the non-discretionary access control policies aim to
control the flow of information between subjects, the TCB shall also
be able to audit the identified event that may be used in the
exploitation of covert channels.
The TCB shall contain a mechanism that is able to monitor the
occurrence or accumulation of auditable events that may indicate an
imminent violation of the product's security policy. This mechanism
shall be able to immediately notify the security administrator when
thresholds are exceeded, and, if the occurrence or accumulation of
these security relevant events continues, the system shall take the
least disruptive action to terminate the event. That is, the TCB shall
be able to send a message to the system console and/ or the
administrator's terminal when thresholds are exceeded, or when audit
records are unable to be recorded, and, if the occurrence or
accumulation of these security-relevant events continue, the TCB shall
generate an alarm (this shall be the default) or initiate a secure
system shutdown.
3. For each recorded event, the audit record shall identify: date
and time of the event, user, type of event, and success or failure of
the event. For identification/authentication events the origin of
request (e.g., terminal ID) shall be included in the audit record. For
events that introduce an object into a user's address space and for
object deletion events the audit record shall include the name and
policy attributes of the object (e.g., object security level).
4. The TCB shall provide a protected mechanism to turn auditing
on and off, and to select and change the events to be audited and
their defaults, during the system operation. The use of this mechanism
shall be restricted to authorized system administrators. The system
administrator shall be able to selectively audit the actions of one or
more users based on individual identity and/or object policy
attributes (e.g., object security level). Audit review tools shall be
available to authorized system administrators to assist in the
inspection and review of audit data, and shall be protected from
unauthorized use, modification, or destruction.
The TCB shall provide tools for audit data processing. These shall
include specifically designed tools: for verifying the consistency of
the audit data; for verifying the selection of audit events; for audit
trail management. The audit trail management tools shall enable:
-creation, destruction, and emptying of audit trails; use of
warning points regarding the size of the audit data, and modification
of the audit trail size;
-formatting and compressing of event records;
-displaying of formatted audit trail data; and
-maintaining the consistency of the audit trail data after
system failures and discontinuity of operation.
5. Audit review tools shall be available to authorized users to
assist in the inspection and review of audit data, and shall be
protected from unauthorized modification or destruction. The TCB shall
also provide tools for post-collection audit analysis (e.g., intrusion
detection) that shall be able to selectively review (1) the actions of
one or more users (e.g., identification, authentication, system-entry,
and access control actions); (2) the actions performed on a specific
object or system resource; and (3) all, or a specified set of, audited
exceptions; and (4) actions associated with a specific policy
attribute.The review tools shall be able to operate concurrently with
the system operation.
AD-5 Real-Time Intrusion Detection
1. The TCB shall be able to create, maintain, and protect from
modification or unauthorized access or destruction an audit trail of
accesses to the objects it protects. The audit data shall be protected
by the TCB so that read access to it is limited to those who are
authorized for audit data.
2. The TCB shall be able to record the following types of events:
- use of the identification and authentication mechanisms, and
system entry events;
- access control events selectable on a per user, per subject,
per object, and/or per policy attribute basis; i.e., introduction of
objects into a user's address space (e.g., file open, program
initiation), creation and deletion of subjects and objects;
distribution and revocation of access rights; changes of subject and
object policy attributes; acquisition and deletion of system
privileges;
-actions taken by computer operators and system administrators
and/or system security officers; i.e., privileged operations such as
the modification of TCB elements; accesses to TCB objects; changes of
policy attributes of users, TCB configuration and security
characteristics, and system privileges; selection and modification of
audited events.
The events that are auditable by default, and those that are required
for successful auditing of other events, which may not be disabled,
shall be defined. The TCB shall provide a protected mechanism that
displays the currently selected events and their defaults. The use of
this mechanism shall be restricted to authorized system
administrators.
If availability policies are supported, attempts to circumvent or
otherwise gain unauthorized access to resource-allocation limits shall
be audited.
If non-discretionary access control policies are supported, the TCB
shall be able to record any override of human-readable output
markings. When the non-discretionary access control policies aim to
control the flow of information between subjects, the TCB shall also
be able to audit the identified event that may be used in the
exploitation of covert channels.
The TCB shall contain a mechanism that is able to monitor the
occurrence or accumulation of auditable events that may indicate an
imminent violation of the product's security policy. This mechanism
shall be able to immediately notify the security administrator when
thresholds are exceeded, and, if the occurrence or accumulation of
these security relevant events continues, the system shall take the
least disruptive action to terminate the event. That is, the TCB shall
be able to send a message to the system console and/ or the
administrator's terminal when thresholds are exceeded, or when audit
records are unable to be recorded, and, if the occurrence or
accumulation of these security-relevant events continue, the TCB shall
generate an alarm (this shall be the default) or initiate a secure
system shutdown.
3. For each recorded event, the audit record shall identify: date
and time of the event, user, type of event, and success or failure of
the event. For identification/authentication events the origin of
request (e.g., terminal ID) shall be included in the audit record. For
events that introduce an object into a user's address space and for
object deletion events the audit record shall include the name and
policy attributes of the object (e.g., object security level).
4. The TCB shall provide a protected mechanism to turn auditing
on and off, and to select and change the events to be audited and
their defaults, during the system operation. The use of this mechanism
shall be restricted to authorized system administrators. The system
administrator shall be able to selectively audit the actions of one or
more users based on individual identity and/or object policy
attributes (e.g., object security level). Audit review tools shall be
available to authorized system administrators to assist in the
inspection and review of audit data, and shall be protected from
unauthorized use, modification, or destruction.
The TCB shall provide tools for audit data processing. These shall
include specifically designed tools: for verifying the consistency of
the audit data; for verifying the selection of audit events; for audit
trail management. The audit trail management tools shall enable:
-creation, destruction, and emptying of audit trails; use of
warning points regarding the size of the audit data, and modification
of the audit trail size;
-formatting and compressing of event records;
-displaying of formatted audit trail data; and
-maintaining the consistency of the audit trail data after
system failures and discontinuity of operation.
5. Audit review tools shall be available to authorized users to
assist in the inspection and review of audit data, and shall be
protected from unauthorized modification or destruction. The TCB shall
also provide tools for post-collection audit analysis (e.g., intrusion
detection) that shall be able to selectively review (1) the actions of
one or more users (e.g., identification, authentication, system-entry,
and access control actions); (2) the actions performed on a specific
object or system resource; and (3) all, or a specified set of, audited
exceptions; and (4) actions associated with a specific policy
attribute.The review tools shall be able to operate concurrently with
the system operation.
The TCB shall be able to perform real-time event reporting and
intrusion detection in support of the product's security policy. The
TCB shall include a real-time mechanism that is able to monitor the
occurrence or accumulation of security-relevant events that may
indicate an imminent security violation. This mechanism shall be able
to generate an alarm when thresholds are exceeded and, if the
occurrence or accumulation of these events persists, the TCB shall
take the least disruptive action to terminate the event(s).
4.3.5 Rated Access Control Components
Functional components implementing discretionary policies can be rated
based on their scope (e.g., whether it includes all subjects and
objects in a system, or only a defined subset; whether access control
includes subject and object attributes), and on their coverage (e.g.,
their ability to control the propagation and retention of access
rights for subjects and objects and their ability to encapsulate
objects within a subject such that access to the object is allowed
only by invoking the encapsulating subject.) In addition,
discretionary policy rating can also refer to the ability to control
access at a given subject granularity (e.g., at the individual user
and group, or role level) and object granularity (e.g., memory
partition, memory segment, file, record).
Non-discretionary access controls can be rated using the same generic
levels as those used for discretionary policies. However, the
granularity of subject and object to which non- discretionary access
controls apply can be significantly finer than that of discretionary
policies. Since non- discretionary policies control information flow,
they must control access to object status attributes such as object
size, existence, locking mode, and subject status attributes such as
process-suspended or process-active indicators.
Separation-of-role policies can use existing access control functions
of an IT product to implement its required rules. For this reason,
separation-of-role policies can be rated using the same generic levels
of subject and object granularity and scope as those used for
discretionary and non- discretionary policies (discussed below and in
Appendix C). In their simplest form, access control components
implementing separation of role policies are rated by the separation
of unprivileged subjects from those with administrative
responsibilities. These component requirements include separation of
product resources, of data, and of administrator-controlled policy
attributes. The rating will take into account the granularity of
separation between unprivileged subjects and those with administrative
responsibilities.
In rating the access control components, four levels are identified
using the definition of policies in Appendix C. The component rating
reflected by these levels is based on the scope, granularity, and
coverage of access control requirements. The choice of requirements at
each level is largely guided by the access control characteristics of
current commercially available products and by the goal of retaining
the ability to harmonize these requirements with other existing
standards.
Level AC-1 represents a minimal level of policy definition and
enforcement. That is, the authorization rules apply to a defined
subset of subjects and objects, and the administration of policy
(i.e., access control) attributes cover only a subset of the functions
defined at higher levels. Level AC-2 extends the coverage of access
control policies and associated attributes of level AC-1 by
recognizing that multiple policies could be supported within the same
product. This level also extends the coverage of attribute
administration largely to reflect object import and export. Level AC-3
enhances the scope of access control to all subjects and objects.
Instead of referring to only a defined subset of subjects and objects,
the requirements of this level refer to all subjects and objects. If
non-discretionary policies that aim at controlling information flow
are supported, then the requirement granularity at this level is
extended to include all subject and object policy and status
attributes. This level of access control is appropriate when
non-discretionary policies are used that support information flow
control. In such environments, lack of access control to subject and
object status variables constitute a significant source of covert
channels. However, this level retains the ability to define
authorization and attribute administration on a per type-of-object
basis. Level AC-4 extends the requirement coverage to include time-
and location-based access controls, as well as inclusion and exclusion
of user access rights whenever groups or roles are used. This level
also extends the requirements for object and subject creation and
destruction, adding explicit authorization, inheritance, space
availability, and attribute inheritance conditions. It is expected
that this level of access control would be used in products where
fine-grain access control policies are required.
AC-1 Minimal Access Control
1. Definition of Access Control Attributes
The TCB shall define and protect access control attributes for
subjects and objects. Subject attributes shall include named
individuals or defined groups or both. Object attributes shall include
defined access rights (e.g., read, write, execute) that can be
assigned to subject attributes.
2. Administration of Access Control Attributes.
The TCB shall define and enforce rules for assignment and modification
of access control attributes for subjects and objects. The effect of
these rules shall be that access permission to an object by users not
already possessing access permission is assigned only by authorized
users. These rules shall allow authorized users to specify and
control sharing of objects by named individuals or defined groups of
individuals, or by both, and shall provide controls to limit
propagation of access rights. These controls shall be capable of
including or excluding access to the granularity of a single user.
If different rules of assignment and modification of access control
attributes apply to different subjects and/or objects, the totality of
these rules shall be shown to support the defined policy.
3. Authorization of Subject References to Objects
The TCB shall define and enforce authorization rules for the mediation
of subject references to objects. These rules shall be based on the
access control attributes of subjects and objects. These rules shall,
either by explicit user action or by default, provide that objects are
protected from unauthorized access.
The scope of the authorization rules shall include a defined subset of
the product's subjects and objects and associated access control
attributes. The coverage of authorization rules shall specify the
types of objects and subjects to which these rules apply. If different
rules apply to different subjects and objects, the totality of these
rules shall be shown to support the defined policy.
4. Subject and Object Creation and Destruction
The TCB shall control the creation and destruction of subjects and
objects. These controls shall include object reuse. That is, all
authorizations to the information contained within a storage object
shall be revoked prior to initial assignment, allocation or
reallocation to a subject from the TCB's pool of unused storage
objects; information, including encrypted representations of
information, produced by a prior subjects' actions shall be
unavailable to any subject that obtains access to an object that has
been released back to the system.
5. Object Encapsulation
If the TCB supports mechanisms for object encapsulation, controls must
be available for: (1) access authorization to encapsulated objects;
(2) creation of encapsulated subsystems by users; and (3) invocation
of encapsulated subsystems.
AC-2 Basic Access Control
1. Definition of Access Control Attributes
The TCB shall define and protect access control attributes for
subjects and objects. Subject attributes shall include named
individuals or defined groups or both. Object attributes shall include
defined access rights (e.g., read, write, execute) that can be
assigned to subject attributes. If multiple access control policies
are supported, the access control attributes corresponding to each
individual policy shall be identified.
The subject and object attributes shall accurately reflect the
sensitivity and/or integrity of the subject or object.
2. Administration of Access Control Attributes
The TCB shall define and enforce rules for assignment and modification
of access control attributes for subjects and objects. The effect of
these rules shall be that access permission to an object by users not
already possessing access permission is assigned only by authorized
users. These rules shall allow authorized users to specify and
control sharing of objects by named individuals or defined groups of
individuals, or by both, and shall provide controls to limit
propagation of access rights. These controls shall be capable of
including or excluding access to the granularity of a single user.
The rules for assignment and modification of access control attributes
shall include those for attribute assignment to objects during import
and export operations (e.g., import of non-labeled sensitive data,
export of labeled information). If different rules of assignment and
modification of access control attributes apply to different subjects
and/or objects, the totality of these rules shall be shown to support
the defined policy.
3. Authorization of Subject References to Objects
The TCB shall define and enforce authorization rules for the mediation
of subject references to objects. These rules shall be based on the
access control attributes of subjects and objects. These rules shall,
either by explicit user action or by default, provide that objects are
protected from unauthorized access.
The scope of the authorization rules shall include a defined subset of
the product's subjects and objects and associated access control
attributes. The coverage of authorization rules shall specify the
types of objects and subjects to which these rules apply. If different
rules apply to different subjects and objects, the totality of these
rules shall be shown to support the defined policy.
If multiple policies are supported, the authorization rules for each
policy shall be defined separately. The TCB shall define and enforce
the composition of policies, including the enforcement of the
authorization rules (e.g., subject and object type coverage,
enforcement precedence).
4. Subject and Object Creation and Destruction
The TCB shall control the creation and destruction of subjects and
objects. These controls shall include object reuse. That is, all
authorizations to the information contained within a storage object
shall be revoked prior to initial assignment, allocation or
reallocation to a subject from the TCB's pool of unused storage
objects; information, including encrypted representations of
information, produced by a prior subjects' actions shall be
unavailable to any subject that obtains access to an object that has
been released back to the system.
5. Object Encapsulation
If the TCB supports mechanisms for object encapsulation, controls must
be available for: (1) access authorization to encapsulated objects;
(2) creation of encapsulated subsystems by users; and (3) invocation
of encapsulated subsystems
AC-3 Extended Access Control
1. Definition of Access Control Attributes
The TCB shall define and protect access control attributes for
subjects and objects. Subject attributes shall include named
individuals or defined groups or both. Object attributes shall include
defined access rights (e.g., read, write, execute) that can be
assigned to subject attributes. If multiple access control policies
are supported, the access control attributes corresponding to each
individual policy shall be identified.
The subject and object attributes shall accurately reflect the
sensitivity and/or integrity of the subject or object. The TCB shall
immediately notify a terminal user of each attribute change of any
subject associated with that user during an interactive session that
reflects a change in the sensitivity or integrity of that session
(e.g., a change of the user's security level). A terminal user shall
be able to query the TCB as desired for a display of the subject's
complete set of access control attributes (e.g., the complete
sensitivity label).
The TCB shall support the assignment of access control attributes
(e.g., minimum and maximum security levels) to all attached physical
devices. These attributes shall be used by the TCB to enforce
constraints imposed by the physical environments in which the devices
are located.
2. Administration of Access Control Attributes
The TCB shall define and enforce rules for assignment and modification
of access control attributes for subjects and objects. The effect of
these rules shall be that access permission to an object by users not
already possessing access permission is assigned only by authorized
users. These rules shall allow authorized users to specify and
control sharing of objects by named individuals or defined groups of
individuals, or by both, and shall provide controls to limit
propagation of access rights. These controls shall be capable of
including or excluding access to the granularity of a single user.
The rules for assignment and modification of access control attributes
shall include those for attribute assignment to objects during import
and export operations (e.g., import of non-labeled sensitive data,
export of labeled information). If different rules of assignment and
modification of access control attributes apply to different subjects
and/or objects, the totality of these rules shall be shown to support
the defined policy.
3. Authorization of Subject References to Objects
The TCB shall define and enforce authorization rules for the mediation
of subject references to objects. These rules shall be based on the
access control attributes of subjects and objects. These rules shall,
either by explicit user action or by default, provide that objects are
protected from unauthorized access.
The scope of the authorization rules shall include all subjects,
storage objects (e.g., processes, segments, devices) and associated
access control attributes that are directly or indirectly accessible
to subjects external to the TCB. If non-discretionary access control
policies are used that aim to control the flow of information between
subjects, the scope of the authorization rules shall also include all
policy and status attributes of subjects and storage objects (e.g.,
quotas, object existence, size, access time, creation and modification
time, locked/unlocked). If different rules apply to different
subjects and objects, the totality of these rules shall be shown to
support the defined policy.
If multiple policies are supported, the authorization rules for each
policy shall be defined separately. The TCB shall define and enforce
the composition of policies, including the enforcement of the
authorization rules (e.g., subject and object type coverage,
enforcement precedence).
4. Subject and Object Creation and Destruction
The TCB shall control the creation and destruction of subjects and
objects. These controls shall include object reuse. That is, all
authorizations to the information contained within a storage object
shall be revoked prior to initial assignment, allocation, reallocation
to a subject from the TCB's pool of unused storage objects;
information, including encrypted representations of information,
produced by a prior subjects' actions shall be unavailable to any
subject that obtains access to an object that has been released back
to the system.
5. Object Encapsulation
If the TCB supports mechanisms for object encapsulation, controls must
be available for: (1) access authorization to encapsulated objects;
(2) creation of encapsulated subsystems by users; and (3) invocation
of encapsulated subsystems.
AC-4 Fine-Grain Access Control
1. Definition of Access Control Attributes
The TCB shall define and protect access control attributes for
subjects and objects. Subject attributes shall include named
individuals or defined groups or both. Object attributes shall include
defined access rights (e.g., read, write, execute) that can be
assigned to subject attributes. If multiple access control policies
are supported, the access control attributes corresponding to each
individual policy shall be identified. The subject's access control
attributes also shall include time and location attributes that can be
assigned to authenticated user identities.
The subject and object attributes shall accurately reflect the
sensitivity and/or integrity of the subject or object. The TCB shall
immediately notify a terminal user of each attribute change of any
subject associated with that user during an interactive session that
reflects a change in the sensitivity or integrity of that session
(e.g., a change of the user's security level). A terminal user shall
be able to query the TCB as desired for a display of the subject's
complete set of access control attributes (e.g., the complete
sensitivity label).
The TCB shall support the assignment of access control attributes
(e.g., device labels) to all attached physical devices. These
attributes shall be used by the TCB to enforce constraints imposed by
the physical environments in which the devices are located.
2. Administration of Access Control Attributes
The TCB shall define and enforce rules for assignment and modification
of access control attributes for subjects and objects. The effect of
these rules shall be that access permission to an object by users not
already possessing access permission is assigned only by authorized
users. These rules shall allow authorized users to specify and
control sharing of objects by named individuals or defined groups of
individuals, or by both, and shall provide controls to limit
propagation of access rights (i.e., these rules shall define the
distribution, revocation, and review of access control attributes).
The controls defined by these rules shall be capable of specifying for
each named object, a list of individuals and a list of groups of named
individuals, with their respective access rights to that object.
Furthermore, for each named object, it shall be possible to specify a
list of named individuals and a list of groups of named individuals
for which no access to the object is given. These controls shall also
be capable of specifying access-time dependency (i.e., the effect of
the distribution and revocation of access control attributes take
place at a certain time and shall last for a specified period of
time), and/or access-location dependency (i.e., shall specify the
locations from which the distribution and revocation of privileges
shall take place).
The rules for assignment and modification of access control attributes
shall include those for attribute assignment to objects during import
and export operations (e.g., import of non-labeled sensitive data,
export of labeled information). If different rules of assignment and
modification of access control attributes apply to different subjects
and/or objects, the totality of these rules shall be shown to support
the defined policy.
3. Authorization of Subject References to Objects
The TCB shall define and enforce authorization rules for the mediation
of subject references to objects. These rules shall be based on the
access control attributes of subjects and objects. These rules shall,
either by explicit user action or by default, provide that objects are
protected from unauthorized access. These rules shall include
time-of-access and location-of-access controls defined for subjects
and objects.
The scope of the authorization rules shall include all subjects,
storage objects (e.g., processes, segments, devices) and associated
access control attributes that are directly or indirectly accessible
to subjects external to the TCB. If non-discretionary access control
policies are used that aim to control the flow of information between
subjects, the scope of the authorization rules shall also include all
policy and status attributes of subjects and storage objects (e.g.,
quotas, object existence, size, access time, creation and modification
time, locked/unlocked). If different rules apply to different
subjects and objects, the totality of these rules shall be shown to
support the defined policy.
If multiple policies are supported, the authorization rules for each
policy shall be defined separately. The TCB shall define and enforce
the composition of policies, including the enforcement of the
authorization rules (e.g., subject and object type coverage,
enforcement precedence).
4. Subject and Object Creation and Destruction
The TCB shall define and enforce rules for the creation and
destruction of subjects and objects. The controls defined by these
rules shall be capable of specifying for each subject and object: (1)
creation and destruction authorization; (2) object reuse; (3) space
availability (i.e., storage space shall be available for the creation
of a subject and object); (4) default subject or object attributes and
attribute inheritance rules (if any).
The rules for subject and object creation and destruction shall
specify their coverage in terms of the types of objects and subjects
to which they apply. If different rules and conditions apply to
different subjects and objects, the totality of these rules shall be
shown to support the defined policy properties. If multiple policies
are supported, these rules shall define the composition of policies
and how the conditions of the subject and object creation and
destruction are enforced (e.g., subject and object type coverage,
enforcement precedence).
5. Object Encapsulation
If the TCB supports mechanisms for object encapsulation, controls must
be available for: (1) access authorization to encapsulated objects;
(2) creation of encapsulated subsystems by users; and (3) invocation
of encapsulated subsystems.
4.3.5.1 Rated Covert Channel Handling Components
Covert channel handling requires that functions must be added to the
software and/or hardware and firmware elements of a TCB to help deter
the use of, limit the bandwidth of, or eliminate, covert channels. The
rating of the covert channel handling components is based both on the
scope of these requirements and their coverage (e.g., elimination,
bandwidth limitation, audit, administrative control, applicability to
timing channels or storage channels). The scope of level CCH- 1 is
limited to storage channels and the coverage is limited to functions
that deter covert channel use. Coverage is extended at level CCH-2 by
the addition of requirements of bandwidth limitation and storage
channel elimination for common system configurations. Level CCH-3
extends the requirements of level CCH-2 by including all channels, not
just covert storage channels.
CCH-1 Deterrence of Storage Channel Use
1. The TCB and privileged applications shall include functions
that help audit the use of covert storage channels. These functions
shall enable the identification of the transmitter, receiver, and
specific covert channels used (e.g., TCB and privileged application
element used to transmit information).
2. The functions added to the TCB and privileged applications for
storage channel auditing shall be identified for each channel and
shall be available in common product configurations. If audit
functions are not added to certain storage channels (e.g., hardware
storage channels), evidence must be provided to justify why these
channels do not represent a security threat for the intended use of
the product.
CCH-2 Storage Channel Audit and Bandwidth Limitation
1. The TCB and privileged applications shall include functions
that help audit the use of covert storage channels. These functions
shall enable the identification of the transmitter, receiver, and
specific covert channels used (e.g., TCB and privileged application
element used to transmit information). TCB functions that help limit
the bandwidth and/or eliminate covert storage channels shall also be
provided. The bandwidth limits for each channel shall be settable by
system administrators.
2. The functions added to the TCB and privileged applications for
storage channel auditing shall be identified for each channel and
shall be available in common product configurations. If audit
functions are not added to certain storage channels (e.g., hardware
storage channels), evidence must be provided to justify why these
channels do not represent a security threat for the intended use of
the product. TCB and privileged application functions that help limit
the bandwidth and/or eliminate covert storage channels shall also be
available in common product configurations.
If channel bandwidth limitation and channel elimination functions are
not added to certain storage channels (e.g., hardware storage
channels), evidence must be provided to justify why these channels do
not represent a security threat for the intended use of the product.
CCH-3 Timing Channel Audit and Bandwidth Limitation
1. The TCB and privileged applications shall include functions
that help audit the use of covert storage channels. These functions
shall enable the identification of the transmitter, receiver, and
specific covert channels used (e.g., TCB and privileged application
element used to transmit information). TCB functions that help limit
the bandwidth and/or eliminate covert storage channels shall also be
provided. The bandwidth limits for each channel shall be settable by
system administrators.
2. The functions added to the TCB and privileged applications for
storage channel auditing shall be identified for each channel and
shall be available in common product configurations. If audit
functions are not added to certain storage channels (e.g., hardware
storage channels), evidence must be provided to justify why these
channels do not represent a security threat for the intended use of
the product. TCB and privileged application functions that help limit
the bandwidth and/or eliminate covert storage or timing channels shall
also be available in common product configurations.
If channel bandwidth limitation and channel elimination functions are
not added to certain storage or timing channels (e.g., hardware
channels), evidence must be provided to justify why these channels do
not represent a security threat for the intended use of the product.
4.3.6 Rated Resource Allocation Components
The resource allocation component rating is concerned with the extent
and strength of containment control exerted over the availability and
distribution of product resources. The resource allocation components
are rated based on the scope of containment (e.g., defined set of
resources versus all resources) and the coverage of containment (e.g.,
resource restrictions, control, priorities, audit).
Level AR-1 defines basic requirements of resource allocation
restrictions in terms of a specified subset of system resources,
subjects and objects. Level AR-2 extends the scope of resource control
to all system resources and increases the coverage of the resource
allocation features by requiring the auditing and signaling of
attempted violations of resource allocation limits (or quotas). Level
AR-3 further extends the coverage of the resource allocation features
by introducing the requirement for prioritized allocation.
AR-1 Resource Restrictions
The TCB shall provide the capability to place restrictions on the
number of subjects and objects a user may have allocated at any given
time. The TCB shall control a defined set of system resources (e.g.,
memory, disk space) such that no one individual user can deny access
to another user's subject and object space. All subjects, objects, and
resources shall be defined with default space or time quotas and
quantity-of- resources attributes.
AR-2 Complete Resource Control
The TCB shall provide the capability to place restrictions on the
number of subjects and objects a user may have allocated at any given
time. The TCB shall control a defined set of system resources (e.g.,
memory, disk space) such that no one individual user can deny access
to another user's subject and object space. All subjects, objects, and
resources shall be defined with default space or time quota and
number-of- resources attributes. An individual user shall be unable to
deny access to any system resource by means of circumventing
resource-allocation limits, or otherwise manipulating the TCB, so as
to restrict the TCB's ability to offer services to other users and
objects.
AR-3 Prioritized Resource Allocations
The TCB shall provide the capability to place restrictions on the
number of subjects and objects a user may have allocated at any given
time. The TCB shall control a defined set of system resources (e.g.,
memory, disk space) such that no one individual user can deny access
to another user's subject and object space. All subjects, objects, and
resources shall be defined with default space or time quotas and
quantity-of- resources attributes. An individual user shall be unable
to deny access to any system resource by means of circumventing
resource-allocation limits, or otherwise manipulating the TCB, so as
to restrict the TCB's ability to offer services to other users and
objects. The TCB shall include resource-allocation priorities among
the subject attributes. Each subject shall be granted a priority
against which the TCB shall allocate resources. The TCB shall mediate
resource- allocation priorities in such a manner that access
requirements of the TCB and high-priority subjects shall be fulfilled
first, in a prioritized manner. All resources within the TCB
(hardware and software) shall be controlled in pre-assigned blocks.
4.3.7 Rated Security Management Components
The rating of the security-management components is based primarily on
the coverage, and strength of these components. For example, level
SM-3 is considered to be stronger than level SM-2 because the
separation of administrative and operator roles offers added
resistance to accidents or misdeeds. Level SM-3 also extends the
coverage of level SM-2 because it reflects the use of a wider policy
coverage. Level SM-4 extends the coverage and strength of level SM-3
because (1) it requires the availability of trusted tools for security
management (e.g., tools offering a graphical interface to the
administrator, tools enhancing system administration, and tools
enabling the administrator to perform consistency checking), and (2)
it further limits through fine-grain separation of administrative
roles the potential damage that can be caused by error or misdeed.
SM-1 Minimal Security Management
1. The TCB shall provide an installation mechanism for the
setting and updating of its configuration parameters, and for the
initialization of its protection-relevant data structures before any
user or administrator policy attributes are defined. It shall allow
the configuration of TCB internal databases and tables.
2. The TCB shall provide protected mechanisms for displaying and
modifying the security policy parameters.
3. The TCB shall provide protected mechanisms for manually
displaying, modifying, or deleting user registration and account
parameters. These parameters shall include unique user identifiers,
their account, and their associated user name and affiliation. The TCB
shall allow the manual enabling and disabling of user identities
and/or accounts.
4. The TCB shall provide protected mechanisms for routine control
and maintenance of system resources. That is, it shall allow the
enabling and disabling of peripheral devices, mounting of removable
storage media, backing-up and recovering user objects; maintaining the
TCB hardware and software elements (e.g., on site testing); and
starting and shutting down the system.
5. The use of the protected mechanisms for system administration
shall be limited to authorized administrative users.
SM-2 Basic Security Management
1. The TCB shall provide an installation mechanism for the
setting and updating of its configuration parameters, and for the
initialization of its protection-relevant data structures before any
user or administrator policy attributes are defined. It shall allow
the configuration of TCB internal databases and tables.
The TCB shall distinguish between normal mode of operation and
maintenance mode, and shall provide a maintenance-mode mechanism for
recovery and system start-up.
2. The TCB shall provide protected mechanisms for displaying and
modifying the security policy parameters. These parameters shall
include identification, authentication, system entry and access
control parameters for the entire system and for individual users.
The TCB shall have a capability to define the identification and
authentication policy on a system-wide basis (e.g., password minimum
and maximum lifetime, password length and complexity parameters). The
TCB mechanisms shall have the capability to limit: (1) maximum period
of interactive session inactivity, (2) maximum login or session time,
and (3) successive unsuccessful attempts to log in to the system.
If availability policies are supported, the TCB shall provide a
mechanism to control the availability of system resources via resource
quotas and quantity-of-resources limits.
3. The TCB shall provide protected mechanisms for manually
displaying, modifying, or deleting user registration and account
parameters. These parameters shall include unique user identifiers,
their account, and their associated user name and affiliation. The TCB
shall allow the manual enabling and disabling of user identities
and/or accounts.
The TCB shall provide a means to uniquely identify security policy
attributes. It shall also provide a means of listing all these
attributes for a user, and all the users associated with an attribute.
It shall be capable of defining and maintaining the security policy
attributes for subjects including: defining and maintaining privileges
for privileged subjects, discretionary and non-discretionary
attributes (e.g., definition and maintenance of group, role, and
secrecy and/or integrity level membership), and centralized
distribution, review and revocation of policy attributes.
4. The TCB shall provide protected mechanisms for routine control
and maintenance of system resources.It shall allow the enabling and
disabling of peripheral devices, mounting of removable storage media,
backing-up and recovering user objects; maintaining the TCB hardware
and software elements (e.g., on site testing); and starting and
shutting down the system.
5. The use of the protected mechanisms for system administration
shall be limited to authorized administrative users.
SM-3 Policy-oriented Security Management
1. The TCB shall provide an installation mechanism for the
setting and updating of its configuration parameters, and for the
initialization of its protection-relevant data structures before any
user or administrator policy attributes are defined. It shall allow
the configuration of TCB internal databases and tables.
The TCB shall distinguish between normal mode of operation and
maintenance mode, and shall provide a maintenance-mode mechanism for
recovery and system start-up. This mechanism shall include a means to
initialize administrative privileges and administrative
identification, authentication, and system-entry attributes.
2. The TCB shall provide protected mechanisms for displaying and
modifying the security policy parameters. These parameters shall
include identification, authentication, system entry and access
control parameters for the entire system and for individual users.
The TCB shall have a capability to define the identification
and authentication policy on a system-wide basis (e.g., password
minimum and maximum lifetime, password length and complexity
parameters). The TCB mechanisms shall have the capability to limit:
(1) maximum period of interactive session inactivity, (2) maximum
login or session time, and (3) successive unsuccessful attempts to log
in to the system. The TCB shall provide an administrative capability
to specify the authentication method on a per policy- attribute basis
whenever multiple identification and authentication methods are used;
e.g., via user passwords, tokens, or biometrics.
If the TCB is designed to support multiple login sessions per
user identity, the administrators shall be able to limit the number of
simultaneous login sessions on an authorization-attribute basis.
The TCB shall also have a capability to limit the successive
unsuccessful attempts to login from a specific port of entry, and/or
with a specific user identity or account.
If availability policies are supported, the TCB shall provide a
mechanism to control the availability of system resources via resource
quotas and quantity-of-resources limits.
3. The TCB shall provide protected mechanisms for manually
displaying, modifying, or deleting user registration and account
parameters. These parameters shall include unique user identifiers,
their account, and their associated user name and affiliation. The TCB
shall allow the automatic disabling of user identities and/ or
accounts, after a period during which the identity and/or account have
not been used. The time period shall be administrator specified, with
a specified default provided. The TCB shall allow the automatic
re-enabling of disabled user identities and/or accounts after an
administrator-specified period of time.
The TCB shall provide a means to uniquely identify security policy
attributes. It shall also provide a means of listing all these
attributes for a user, and all the users associated with an attribute.
It shall be capable of defining and maintaining the security policy
attributes for subjects including: defining and maintaining privileges
for privileged subjects, discretionary and non-discretionary
attributes (e.g., definition and maintenance of group, role, and
secrecy and/or integrity level membership), and centralized
distribution, review and revocation of policy attributes.
4. The TCB shall support separate operator and administrator
functions. The operator functions shall be restricted to those
necessary for performing routine operations. The operator functions
shall allow the enabling and disabling of peripheral devices, mounting
of removable storage media, backing-up and recovering user objects;
maintaining the TCB hardware and software elements (e.g., on-site
testing); and starting and shutting down the system.
5. The use of the protected mechanisms for system administration
shall be limited to authorized administrative users.
SM-4 Extended Security Management
1. The TCB shall provide an installation mechanism for the
setting and updating of its configuration parameters, and for the
initialization of its protection-relevant data structures before any
user or administrator policy attributes are defined. It shall allow
the configuration of TCB internal databases and tables.
The TCB shall distinguish between normal mode of operation and
maintenance mode, and shall provide a maintenance-mode mechanism for
recovery and system start-up. This mechanism shall include a means to
initialize administrative privileges and administrative
identification, authentication, and system-entry attributes.
2. The TCB shall provide protected mechanisms for displaying and
modifying the security policy parameters. These parameters shall
include identification, authentication, system entry and access
control parameters for the entire system and for individual users.
The TCB shall have a capability to define the identification
and authentication policy on a system-wide basis (e.g., password
minimum and maximum lifetime, password length and complexity
parameters). The TCB mechanisms shall have the capability to limit:
(1) maximum period of interactive session inactivity, (2) maximum
login or session time, and (3) successive unsuccessful attempts to log
in to the system. The TCB shall provide an administrative capability
to specify the authentication method on a per policy- attribute basis
whenever multiple identification and authentication methods are used;
e.g., via user passwords, tokens, or biometrics.
If the TCB is designed to support multiple login sessions per
user identity, the administrators shall be able to limit the number of
simultaneous login sessions on an authorization-attribute basis.
The TCB shall also have a capability to limit the successive
unsuccessful attempts to login from a specific port of entry, and/or
with a specific user identity or account.
If availability policies are supported, the TCB shall provide
a mechanism to control the availability of system resources via
resource quotas and quantity-of-resources limits.
3. The TCB shall provide protected mechanisms for manually
displaying, modifying, or deleting user registration and account
parameters. These parameters shall include unique user identifiers,
their account, and their associated user name and affiliation. The TCB
shall allow the automatic disabling of user identities and/or
accounts, after a period during which the identity and/or account have
not been used. The time period shall be administrator specified, with
a specified default provided. The TCB shall allow the automatic
re-enabling of disabled user identities and/or accounts after an
administrator-specified period of time.
The TCB shall provide a means to uniquely identify security
policy attributes. It shall also provide a means of listing all these
attributes for a user, and all the users associated with an attribute.
It shall be capable of defining and maintaining the security policy
attributes for subjects including: defining and maintaining privileges
for privileged subjects, discretionary and non-discretionary
attributes (e.g., definition and maintenance of group, role, and
secrecy and/or integrity level membership), and centralized
distribution, review and revocation of policy attributes.
The TCB shall provide trusted tools for system administration.
These shall include: tools for verifying the consistency of the user
registration and system configuration; tools for verifying the proper
system installation; tools for verifying that the TCB does not contain
extraneous programs and data.
The TCB shall include tools for determining whether the TCB is
in a secure initial state after start-up and recovery.
The TCB shall include tools for verifying the consistency of
users, subject, and objects policy attributes (e.g., cross checks
between subject and object attributes and registered user attributes).
4. The TCB shall support separate operator and administrator
functions. The operator functions shall be restricted to those
necessary for performing routine operations. The operator functions
shall allow the enabling and disabling of peripheral devices, mounting
of removable storage media, backing-up and recovering user objects;
maintaining the TCB hardware and software elements (e.g., on-site
testing); and starting and shutting down the system. The
administrative functions shall support separate security administrator
and auditor roles. The TCB shall enable the administrators to perform
their functions only after taking a distinct auditable action to
assume an administrator role. Non- security functions that can be
performed in the security administrative role shall be limited
strictly to those essential to performing the security role
effectively.
5. The use of the protected mechanisms and tools for system
administration shall be limited to authorized administrative users.
4.3.8 Rated Reference Mediation Components
The rating of the reference mediation components are largely based on
scope and granularity of references. At level RM-1, the scope of
mediation is limited to a defined subject and object subset (i.e., the
same subset as that defined by the access control components). At
level RM-2, the scope of mediation is extended to the complete set of
subjects and objects. At level RM-3, the granularity of references
includes defined subsets, or all: (1) objects, (2) object policy
attributes (e.g., access rights, security levels, quotas); and (3)
object status attributes (e.g., object existence, length, locking
state). Level RM-4 is derived by requiring a model of privilege
mediation. This level extends the coverage of level RM-3 and is
intended for use in a TCB that can be extended with privileged
processes of various applications.
RM-1 Mediation of References to a Defined Subject/Object Subset
1. The TCB shall mediate all references to subjects, objects,
resources, and services (e.g., TCB functions) described in the TCB
specifications. The mediation shall ensure that all references are
directed to the appropriate security-policy functions.
2. Reference mediation shall include references to the defined
subset of subjects, objects, and resources protected under the TCB
security policy, and to their policy attributes (e.g., access rights,
security and/or integrity levels, role identifiers).
3. References issued by privileged subjects shall be mediated in
accordance with the policy attributes defined for those subjects.
RM-2 Mediation of References to all Subjects and Objects
1. The TCB shall mediate all references to subjects, objects,
resources, and services (e.g., TCB functions) described in the TCB
specifications. The mediation shall ensure that all references are
directed to the appropriate security-policy functions.
2. Reference mediation shall include control of references to
all subjects, objects, and resources protected under the TCB security
policy, and to their policy attributes (e.g., access rights, security
and/or integrity levels, role identifiers, quotas).
3. References issued by privileged subjects shall be mediated in
accordance with the policy attributes defined for those subjects.
RM-3 Mediation of References to Subject and Object Attributes
1. The TCB shall mediate all references to subjects, objects,
resources, and services (e.g., TCB functions) described in the TCB
specifications. The mediation shall ensure that all references are
directed to the appropriate security-policy functions.
2. Reference mediation shall include control of references to
all subjects, objects, and resources protected under the TCB security
policy, to their policy (e.g., access rights, security and/or
integrity levels, role identifiers, quotas) and status attributes
(e.g., existence, length, locking state).
3. References issued by privileged subjects shall be mediated in
accordance with the policy attributes defined for those subjects.
RM-4 Mediation of Privileged Subject References
1. The TCB shall mediate all references to subjects, objects,
resources, and services (e.g., TCB functions) described in the TCB
specifications. The mediation shall ensure that all references are
directed to the appropriate security-policy functions.
2. Reference mediation shall include control of references to
all subjects, objects, and resources protected under the TCB security
policy, to their policy (e.g., access rights, security and/or
integrity levels, role identifiers, quotas) and status attributes
(e.g., existence, length, locking state).
3. References issued by privileged subjects shall be mediated in
accordance with the privilege model defined for those subjects.
4.3.9 Rated Logical TCB Protection Components
The rating of the TCB protection components is based on the coverage
of TCB requirements. Level P-1 of TCB protection has two basic
requirements, namely TCB isolation and noncircumventability of TCB
isolation functions. Level P-2 extends the coverage of level P-1 with
the requirements of ensuring the consistency of TCB global variables
and the elimination of undesirable TCB dependencies on unprivileged
user actions. These additional requirements help eliminate large
classes of TCB penetration means. Level P-3 eliminates an additional
class of penetration means that is generally more difficult to exploit
than those classes addressed in the previous two levels. The intent of
these levels is to reflect increasingly better functions for TCB
penetration resistance.
P-1 Basic TCB Isolation
The TCB shall maintain a domain for its own execution that protects it
from external interference and tampering (e.g., by reading or
modification of its code and data structures). The protection of the
TCB shall provide TCB isolation and noncircumventability of TCB
isolation functions as follows:
1. TCB Isolation requires that (1) the address spaces of the
TCB and those of unprivileged subjects are separated such that users,
or unprivileged subjects operating on their behalf, cannot read or
modify TCB data structures or code, (2) the transfers between TCB and
non-TCB domains are controlled such that arbitrary entry to or return
from the TCB are not possible; and (3) the user or application
parameters passed to the TCB by addresses are validated with respect
to the TCB address space, and those passed by value are validated with
respect to the values expected by the TCB.
2. Noncircumventability of TCB isolation functions requires
that the permission to objects (and/or to non-TCB data) passed as
parameters to the TCB are validated with respect to the permissions
required by the TCB, and references to TCB objects implementing TCB
isolation functions are mediated by the TCB.
P-2 TCB Isolation and Consistency
The TCB shall maintain a domain for its own execution that protects it
from external interference and tampering (e.g., by reading or
modification of its code and data structures). The protection of the
TCB shall provide TCB isolation and noncircumventability of TCB
isolation functions as follows:
1. TCB Isolation requires that (1) the address spaces of the
TCB and those of unprivileged subjects are separated such that users,
or unprivileged subjects operating on their behalf, cannot read or
modify TCB data structures or code, (2) the transfers between TCB and
non-TCB domains are controlled such that arbitrary entry to or return
from the TCB are not possible; and (3) the user or application
parameters passed to the TCB by addresses are validated with respect
to the TCB address space, and those passed by value are validated with
respect to the values expected by the TCB.
2. Non-circumventability of TCB isolation functions requires
that the permission to objects (and/or to non-TCB data) passed as
parameters to the TCB are validated with respect to the permissions
required by the TCB, and references to TCB objects implementing TCB
isolation functions are mediated by the TCB.
TCB protection shall also maintain the consistency of TCB global
variables and eliminate undesirable dependencies of the TCB on
unprivileged subject or user actions.
3. Consistency of TCB global variables requires that
consistency conditions defined over TCB internal variables, objects,
and functions hold before and after any TCB invocation.
4. Elimination of undesirable dependencies of the TCB on
unprivileged subject actions requires that any TCB invocation by an
unprivileged subject (or user) input to a TCB call may not place the
TCB in a state such that it is unable to respond to communication
initiated by other users.
P-3 TCB Isolation and Timing Consistency
The TCB shall maintain a domain for its own execution that protects it
from external interference and tampering (e.g., by reading or
modification of its code and data structures). The protection of the
TCB shall provide TCB isolation and noncircumventability of TCB
isolation functions as follows:
1. TCB Isolation requires that (1) the address spaces of the
TCB and those of unprivileged subjects are separated such that users,
or unprivileged subjects operating on their behalf, cannot read or
modify TCB data structures or code, (2) the transfers between TCB and
non-TCB domains are controlled such that arbitrary entry to or return
from the TCB are not possible; and (3) the user or application
parameters passed to the TCB by addresses are validated with respect
to the TCB address space, and those passed by value are validated with
respect to the values expected by the TCB.
2. Non-circumventability of TCB isolation functions requires
that the permission to objects (and/or to non-TCB data) passed as
parameters to the TCB are validated with respect to the permissions
required by the TCB, and references to TCB objects implementing TCB
isolation functions are mediated by the TCB.
TCB protection shall also maintain the consistency of TCB global
variables and eliminate undesirable dependencies of the TCB on
unprivileged subject or user actions.
3. Consistency of TCB global variables requires that
consistency conditions defined over TCB internal variables, objects,
and functions hold before and after any TCB invocation.
4. Elimination of undesirable dependencies of the TCB on
unprivileged subject actions requires that any TCB invocation by an
unprivileged subject (or user) input to a TCB call may not place the
TCB in a state such that it is unable to respond to communication
initiated by other users.
Furthermore, TCB protection shall maintain the timing consistency of
condition checks.
5. Timing consistency of condition checks requires that a
validation check holds at the instant when the TCB action depending on
that check is performed.
4.3.10 Rated Physical TCB Protection Components
The rating of the physical TCB protection is determined by the
coverage and strength of the physical protection requirements; i.e.,
on the ability to prevent, deter, detect, and counter physical attacks
against the product. Level PP-1 requires the availability of physical
protection functions and devices to support administrative and
environment measures of controlling access to the TCB of the product.
Level PP-2 extends the coverage of this requirement by specifying that
employed functions and devices shall have the ability to unambiguously
detect any attempt of physical tampering regardless of its outcome.
Level PP-3 increases the strength of the physical TCB protection by
requiring the use of physical countermeasures with well-defined work
factors. The intent of these requirements is to distinguish between
physical protection supporting administrative measures,
tamper-detection functions, and tamper-resistance functions.
PP-1 Administrative and Environment Protection
1. Administrative procedures and environmental features necessary for
establishing the physical security of a product's TCB shall be
defined.
2. Product functions and devices necessary to establish physical
control over the product's TCB shall be identified and provided.
PP-2 Detection of Physical Attack
1. Administrative procedures and environmental features necessary for
establishing the physical security of a product's TCB shall be
defined.
2. Product functions and devices necessary to establish physical
control over the product's TCB shall be identified and provided. TCB
devices allowing the unambiguous detection of physical tampering shall
be employed. These devices shall be shown to be physically
tamper-resistant and noncircumventable.
PP-3 Physical and Environmental Countermeasures
1. Administrative procedures and environmental features necessary for
establishing the physical security of a product's TCB shall be
defined.
2. Product functions and devices necessary to establish physical
control over the product's TCB shall be identified and provided. TCB
devices that provide countermeasures to physical tampering shall be
employed. The strength of these devices shall be determined based on
well-defined work factor parameters relevant to the supported
policies. For confidentiality policies, these devices shall resist
disclosure via theft, inspection of physical media, wiretapping,
and/or analysis of product emanations. For integrity policies, these
devices shall resist modification of hardware functionality and
modification of stored data via mechanical methods and/or electronic
jamming. For availability policies, these devices shall resist loss of
service via anticipated environmental stress (e.g., water damage,
fire, vibration, impact) or other forms of physical attack.
4.3.11 Rated TCB Self Checking Components
The TCB self-checking components are rated based on the scope of the
checking performed (i.e., hardware and/or firmware versus software)
and on the coverage of the checking methods (i.e., periodic or
continuous checking). At level SC-1, a minimal level of self-checking
is required (e.g., similar to those currently available on most
commercial workstations). Level SC-2 extends these requirements by
including power-on self tests, loadable tests, and operator-controlled
tests that are used to periodically validate the correct operation of
the TCB hardware and/or firmware elements. The scope of these tests is
extended at level SC-3 by the addition of configurable software and/or
firmware functions that perform periodic self tests. At level SC-4,
the self-test coverage is extended by requiring that hardware,
firmware, and/or software self tests be performed continuously during
the product operation.
SC-1 Minimal Self Checking
Hardware and/or software features shall be provided that can be used
to periodically validate the correct operation of the on-site hardware
and firmware elements of the TCB.
SC-2 Basic Self Checking
Hardware and/or software features shall be provided that can be used
to periodically validate the correct operation of the on-site hardware
and firmware elements of the TCB. These features shall include:
power-on tests, loadable tests, and operator-controlled tests.
The power-on tests shall test all basic components of the TCB hardware
and firmware elements including memory boards and memory
interconnections; data paths; busses; control logic and processor
registers; disk adapters; communication ports; system consoles, and
the keyboard speaker. These tests shall cover all components that are
necessary to run the loadable tests and the operator-controlled tests.
The loadable tests shall cover: processor components (e.g., arithmetic
and logic unit, floating point unit, instruction decode buffers,
interrupt controllers, register transfer bus, address translation
buffer, cache, and processor- to-memory bus controller); backplane
busses; memory controllers; and writable control memory for
operator-controlled and remote system- integrity testing.
Operator-controlled tests shall be able to initiate a series of
one-time or repeated tests, to log the results of these tests and, if
any fault is detected, to direct the integrity-test programs to
identify and isolate the failure.
SC-3 Software-Test Support
Hardware and/or software features shall be provided that can be used
to periodically validate the correct operation of the on-site hardware
and firmware elements of the TCB. These features shall include:
power-on tests, loadable tests, and operator-controlled tests.
The power-on tests shall test all basic components of the TCB hardware
and firmware elements including memory boards and memory
interconnections; data paths; busses; control logic and processor
registers; disk adapters; communication ports; system consoles, and
the keyboard speaker. These tests shall cover all components that are
necessary to run the loadable tests and the operator-controlled tests.
The loadable tests shall cover: processor components (e.g., arithmetic
and logic unit, floating point unit, instruction decode buffers,
interrupt controllers, register transfer bus, address translation
buffer, cache, and processor- to-memory bus controller); backplane
busses; memory controllers; and writable control memory for
operator-controlled and remote system- integrity testing.
Operator-controlled tests shall be able to initiate a series of
one-time or repeated tests, to log the results of these tests and, if
any fault is detected, to direct the integrity-test programs to
identify and isolate the failure.
Configurable software or firmware features shall be provided that can
be used to validate the correct operation of the on-site software
elements (i.e., code and data structures) of the TCB. These features
may include, but are not limited to, checksums and consistency checks
for TCB elements stored on storage media (e.g., disk-block consistency
conditions).
SC-4 Continuous Software-Test Support
Hardware and/or software features shall be provided that can be used
to periodically validate the correct operation of the on-site hardware
and firmware elements of the TCB. These features shall include:
power-on tests, loadable tests, and operator-controlled tests.
The power-on tests shall test all basic components of the TCB hardware
and firmware elements including memory boards and memory
interconnections; data paths; busses; control logic and processor
registers; disk adapters; communication ports; system consoles, and
the keyboard speaker. These tests shall cover all components that are
necessary to run the loadable tests and the operator-controlled tests.
The loadable tests shall cover: processor components (e.g., arithmetic
and logic unit, floating point unit, instruction decode buffers,
interrupt controllers, register transfer bus, address translation
buffer, cache, and processor- to-memory bus controller); backplane
busses; memory controllers; and writable control memory for
operator-controlled and remote system- integrity testing.
Operator-controlled tests shall be able to initiate a series of
one-time or repeated tests, to log the results of these tests and, if
any fault is detected, to direct the integrity-test programs to
identify and isolate the failure.
Configurable software or firmware features shall be provided that can
be used to validate the correct operation of the on-site software
elements (i.e., code and data structures) of the TCB. These features
may include, but are not limited to, checksums and consistency checks
for TCB elements stored on storage media (e.g., disk-block consistency
conditions).
Tests that detect possible inconsistencies of the TCB elements (i.e.,
data structures and code) shall be performed whenever the content or
structure of these elements are modified as consequence of a transient
failure during an unprivileged subject's action.
4.3.12 Rated TCB Start-Up and Recovery Components
The TCB start-up and recovery components are rated based on feature
coverage; i.e., whether manual (levels TR-1, TR-2) or automatic (level
TR-3) recovery and start-up in a secure state is provided, and whether
the loss of user objects during recovery can be minimized (level TR-5)
or just detected (level TR-4). Primitive forms of secure recovery,
where potentially all objects are lost during recovery, have a
narrower coverage than that intended to be provided by automated
procedures.
TR-1 Minimal Requirements for Recovery or Start-up
1. Procedures and/or mechanisms shall be provided to assure that,
after a TCB failure or other discontinuity, recovery without
protection compromise is obtained.
TR-2 Basic Requirements for Recovery or Start-up
1. Procedures and/or mechanisms shall be provided to assure that,
after a TCB failure or other discontinuity, recovery without
protection compromise is obtained.
2. If automated recovery and start-up is not possible, the TCB shall
enter a state where the only system access method is via
administrative interfaces, terminals, or procedures. Administrative
procedures shall exist to restore the system to a secure state (i.e.,
a state in which all the security-policy properties hold).
TR-3 Automated Recovery or Start-up
1. Procedures and/or mechanisms shall be provided to assure that,
after a TCB failure or other discontinuity, recovery without
protection compromise is obtained.
2. Automated procedures, under the control of the TCB, shall be
provided to assure that after a system failure, other discontinuity,
or start-up, a secure state is obtained without undue loss of system
or user objects. The security policy properties, or requirements, used
to determine that a secure state is obtained shall be defined.
TR-4 Object-Loss Detection
1. Procedures and/or mechanisms shall be provided to assure that,
after a TCB failure or other discontinuity, recovery without
protection compromise is obtained.
2. Automated procedures, under the control of the TCB, shall be
provided to assure that after a system failure, other discontinuity,
or start-up, a secure state is obtained without undue loss of system
or user objects. The security policy properties, or requirements, used
to determine that a secure state is obtained shall be defined. The
TCB shall include checkpoint functions for recovery. Upon recovery, it
shall be possible to discover which user objects are corrupted or
unaccessible due to the TCB failure, if any, and to automatically
notify the users.
TR-5 Object-Loss Minimization
1. Procedures and/or mechanisms shall be provided to assure that,
after a TCB failure or other discontinuity, recovery without
protection compromise is obtained.
2. Automated procedures, under the control of the TCB, shall be
provided to assure that after a system failure, other discontinuity,
or start-up, a secure state is obtained without undue loss of system
or user objects. The security policy properties, or requirements, used
to determine that a secure state is obtained shall be defined. The
TCB shall include checkpoint functions for recovery. Upon recovery, it
shall be possible to discover which user objects are corrupted or
unaccessible due to the TCB failure, if any, and to automatically
notify the users. The TCB functions that can be invoked through the
TCB interface shall be atomic (i.e., shall have the property that
either their invocation is completed correctly or the recovered system
state should be the one immediately prior to the execution of the TCB
function). The recovered secure state should minimize the corruption
and inaccessibility of user objects due to the TCB failure.
4.3.13 Rated TCB Privileged Operation Components
The TCB privileged operation components are rated based on the
granularity of privilege associated with individual TCB functions or
groups of functions (level PO-1), with modules of TCB functions and
operations of administrative roles (level PO-2), with individual
actions (level PO-3), and with individual code sections of an action
(level PO-4). The intent of these ratings is to separate (1) fine
granularity of privileges from coarser granularity and (2) the static
association of privileges with functions and modules from the run-time
association of privileges with actions (i.e., function invocations)
and sections of code within actions. Although the granularity of
privileges of a product is a design choice, the intent of these
requirements is to encourage use of fine granularity of privilege and
run-time association of privileges, at least for the TCB actions of
bypassing access controls.
PO-1 Privilege Association with TCB Functions
1. TCB privileges needed by individual functions, or groups of
functions, shall be identified. Privileged TCB calls or access to
privileged TCB objects, such as user and group registration files,
password files, security and integrity- level definition file, role
definition file, or audit-log file shall also be identified.
2. The identified privileged functions of a TCB functional component
shall be associated only with the privileges necessary to complete
their task.
PO-2 Privilege Association with TCB Modules
1. TCB privileges needed by individual functions, or groups of
functions, of a functional component shall be identified. Privileged
TCB calls or access to privileged TCB objects, such as user and group
registration files, password files, security and integrity-level
definition file, role definition file, audit-log file shall also be
identified. It shall be possible to associate TCB privileges with TCB
operations performed by administrative users.
2.The modules of a TCB function shall be associated only with the
privileges necessary to complete their task.
3. Support for product privilege implementation and association with
TCB modules provided by lower-level mechanisms or procedures (e.g.,
operating system, processors, language) shall be provided.
PO-3 Privilege Association with Individual Actions
1. TCB privileges needed by individual functions, or groups of
functions, of a functional component shall be identified. Privileged
TCB calls or access to privileged TCB objects, such as user and group
registration files, password files, security and integrity-level
definition file, role definition file, audit-log file shall also be
identified. It shall be possible to associate TCB privileges with TCB
operations performed by administrative users.
2. The modules of a TCB function shall be associated only with the
privileges necessary to complete their task.TCB privileges needed by
individual actions of a module (i.e., function invocations) shall be
identified (e.g., privileges shall be assigned to actions that bypass
access controls, such as disclosure and modification of user objects).
Each action shall be associated only with the privileges necessary to
complete its task.
3. Support for product privilege implementation and association with
TCB actions provided by lower-level mechanisms or procedures (e.g.,
operating system, processors, language) shall be provided.
PO-4 Dynamic Privilege Association with Individual Actions
1. TCB privileges needed by individual functions, or groups of
functions, of a functional component shall be identified. Privileged
TCB calls or access to privileged TCB objects, such as user and group
registration files, password files, security and integrity-level
definition file, role definition file, audit-log file shall also be
identified. It shall be possible to associate TCB privileges with TCB
operations performed by administrative users.
2. TCB privileges needed by actions of a functional component (i.e.,
function invocations) shall be identified (e.g., privileges shall be
assigned to actions that bypass access controls, such as disclosure
and modification of user objects). Each action shall be associated
only with the privileges necessary to complete its task. The
identified TCB privileges shall be used by each functional component
to restrict the propagation of errors and failures of security
mechanisms that may lead to protection policy violations. TCB
functions allowing each component to acquire individual privileges up
to the maximum necessary and allowed, and to drop those privileges
(e.g., functions implementing privilege bracketing) shall be defined.
These functions shall be used to limit the use of privileges that
allow the bypassing of security policy controls within the TCB.
3. Support for product privilege implementation and association
with TCB actions provided by lower- level mechanisms or procedures
(e.g., operating system, processors, language) shall be provided.
4.3.14 Rated TCB Ease-of-Use Components
The rating of the TCB ease of use components reflects the scope and
coverage of the protection functions in covering common product
configurations. At level EU-1, the requirements reflect the general
need for special administrative functions, not merely using an editor
to modify administrative files or default options for security
parameters. The coverage of the ease-of-use requirements is extended
at level EU-2 by providing for fail-safe defaults and user-settable
defaults for defined (privileged and unprivileged) subjects and
objects, and the means by which applications can protect themselves
and their objects from unauthorized use. The scope of the requirements
is extended at levels EU-3 and EU-4 by enlarging the set of subjects
and objects affected by this requirement to include subjects and
objects of common configurations, and all subjects and objects,
respectively.
EU-1 Ease of Security Management
1. The TCB shall provide well-defined actions to undertake
administrative functions. Default options shall be provided for
security parameters of administrative functions.
EU-2 Ease of Application Programming
1. The TCB shall provide well-defined actions to undertake
administrative functions. Default options shall be provided for
security parameters of administrative functions.
The TCB shall include fail-safe defaults for the policy attributes of
the defined subjects and objects, as well as user-settable defaults
for the defined subjects and objects.
2. The TCB shall provide well-defined application programming
interfaces and programming functions (e.g., libraries) for all its
policies to support the development of applications that can define
and enforce security policies on application- controlled subjects and
objects. The TCB shall enable user-controlled reduction of access
rights available to applications.
EU-3 Common Configuration Coverage
1. The TCB shall provide well-defined actions to undertake
administrative functions. Fail-safe default options shall be provided
for security parameters of administrative functions.
The TCB shall include fail-safe defaults for the policy attributes of
subjects, objects (e.g., devices) and services used in common system
configurations, as well as user-settable defaults for these subjects
and objects.
2. The TCB shall provide well-defined application programming
interfaces and programming functions (e.g., libraries) for all its
policies to support the development of applications that can define
and enforce security policies on application- controlled subjects and
objects. The TCB shall enable user-controlled reduction of access
rights available to applications.
EU-4 Complete Configuration Coverage
1. The TCB shall provide well-defined actions to undertake
administrative functions. Fail-safe default options shall be provided
for security parameters of administrative functions.
The TCB shall include fail-safe, user-settable defaults for the policy
attributes of all subjects, objects (e.g., devices), and services.
2. The TCB shall provide well-defined application programming
interfaces and programming functions (e.g., libraries) for all its
policies to support the development of applications that can define
and enforce security policies on application- controlled subjects and
objects. The TCB shall enable user-controlled reduction of permissions
available to applications.
4.4 Bibliographic Notes
TBD.
Chapter 5.
DEVELOPMENT ASSURANCE REQUIREMENTS
5.1 Overview
Development assurance is concerned with showing that a specific IT
product satisfies the functional requirements of a protection profile.
This chapter defines assurance requirements that are used in
protection profiles to define an IT product developer's (i.e.,
producer's) responsibilities in establishing the correctness of the
product's security functions. These requirements are partitioned into
components that identify unique concerns a developer must address
during the product design, implementation, documentation, support, and
maintenance. By addressing these concerns, the developer can increase
consumer and evaluator confidence that the product satisfies the
functional requirements of a protection profile. Varying degrees of
confidence can be established using different combinations and subsets
of the assurance components.
The assurance components defined in this standard have evolved from
computer security and engineering experience in demonstrating the
correctness of IT hardware and software protection functions. The
components also include requirements of existing criteria and reflect
the interpretations of those requirements in practice during the past
decade. The components are specified in a product- independent manner
and, thus, are applicable to a wide set of products and protection
functions. To enable the profile developers to establish varying
degrees of confidence in the correctness of product protection
functions, each assurance component is rated based on a set of
well-defined parameters. These ratings can also help establish the
relationships between, and the harmonization of, the assurance
requirements defined by this standard and those of existing standards.
This chapter is divided into four sections. The remainder of this
section defines four classes of development assurance components and
describes the types of components in each class. The second section
presents a description of each type of assurance component. The third
section contains the rated assurance components. The last section
includes a bibliography of useful literature references. (Appendices D
and E present some of the technical underpinnings used in deriving the
requirements of the modular decomposition and penetration analysis
components.)
Classes of Development Assurance. The development assurance components
have been partitioned into four classes reflecting distinct product
development tasks: (1) development process, (2) operational support,
(3) development environment, and (4) development evidence. The four
classes, and associated components, are illustrated in Figure 5
Development Process. The development process class consists of the
following four assurance components that identify specific activities
the developer must undertake during the design, implementation, and
analysis of an IT product: (1) TCB property identification, (2) TCB
design, which includes TCB element identification, interface
definition, modular decomposition, structuring support, and design
disciplines used, (3) TCB implementation support, and (4) TCB testing
and analysis, which includes security functional testing, penetration
analysis, and covert channel analysis. Since the development process
includes the primary assurances for the correct implementation of
protection functions, its components are included in most profiles.
The selection of different component levels within a profile is
determined by the assurance goals established for the profile, by the
dependencies among assurance components, and by the dependencies
between the profile functional and assurance components.
Operational Support. The operational support class consists of
assurance components that a developer must satisfy to enable users to
operate the product securely. This class includes the following four
components: (1) user guidance, (2) administrative guidance, (3) flaw
remediation, and (4) trusted generation. These components require the
developer to convey clearly the operational procedures for TCB
generation, installation, operation, and flaw correction. They also
require the developers to provide tools and/or procedures to properly
install and configure the product. The first two components of this
class are included in all profiles whereas the last two are included
in profiles that target medium and high-assurance products. The
selection of different component levels within a profile is largely
determined by assurance goals and by the dependencies among assurance
components.
Development Environment. The development environment class consists of
assurance components that refer to quality of the development,
maintenance, and distribution-control process for secure products.
This class includes the following three components: (1) life cycle
definition, (2) configuration management, and (3) trusted distribution
of the product. These components require that the developer enforces a
discernible engineering process to develop and maintain a product,
establishes control over the product configuration during development
and maintenance, and employs technical measures for the detection or
prevention of uncontrolled TCB modification during product
distribution. A key assurance aspect of these components is the extent
to which the development process and operational support requirements
are integrated into the developer's engineering processes. The
development environment components are included in profiles that
target medium and high-assurance products. The selection of different
component levels within a profile is largely determined by assurance
goals and by the dependencies among assurance components.
Development Evidence. The development evidence class consists of
assurance components that describe the documentation that a developer
must produce and maintain to show that the other assurance
requirements have been satisfied. The components of the development
evidence class establish the level of detail and scope of the
developer documentation and include requirements for evidence of: (1)
TCB protection properties, (2) product design and implementation, (3)
product testing and analysis, and (4) product support. These
components are included in all profiles. The selection of different
component levels within a profile is determined exclusively by the
dependencies among assurance components, since these levels must
mirror to a large extent the levels of the other development assurance
components.
5.2 Development Assurance Components
5.2.1 Development Process
5.2.1.1 TCB Property Identification
The identification of TCB properties is the prima facie assurance that
the consistency of the TCB's behavior with respect to the protection
profile's functional requirements can be established. These properties
are the baseline set of protection claims for a TCB. They enable the
generation of test conditions for security policy analysis and
penetration testing. They also help define the IT product's protection
capabilities in product documentation.
The first step to demonstrate that a product satisfies the functional
requirements of a protection profile is to produce the description of
the TCB protection properties. This is achieved by (1) identification
of the TCB elements intended to implement the functional requirements,
and (2) justification of how and why the identified elements implement
these requirements. Repeating this step for each functional
requirement of a protection profile produces a description of the set
of protection properties. Since a functional requirement can be
satisfied by different product architectures and operating systems,
the set of protection properties will illustrate both the developer's
philosophy of protection and the protection architecture choices made.
Demonstrating the consistency of the TCB behavior with the
requirements of the profile functional components can be performed
with different degrees of rigor. For example, consistency verification
can be performed by an informal process of tracing the requirements
within a product's TCB and providing a simple description of the
claimed TCB property. This informal process relies primarily on
informal functional requirements (i.e., as provided by the protection
profile) and on descriptions of TCB elements. The primary assurance
gained from this informal process is derived from the consistency and
coherence of the profile requirements, and from the explanation of why
the TCB elements satisfy those requirements. This explanation will
reveal whether the developer's interpretation of the profile
functional requirements in the product TCB is valid.
The degree of rigor with which the demonstration of consistency
between the TCB elements and the functional requirements can be
performed increases whenever formal or informal models of the
functional requirements are used. Models capture the essence of the
functional requirements by providing policy properties that must be
maintained by the TCB. For example, the Bell-LaPadula Model contains
two policy properties of mandatory access control. These examples are
the *-property (star property), which allows a subject write access to
an object only if the security level of the subject equals that of the
object, and the simple security condition, which allows a subject read
access to an object only if the security level of the subject
dominates that of the object. A discretionary access control model may
have a policy property stating that "only the owner of an object can
distribute or review permissions to that object." A TCB isolation
model may have an isolation property stating that "a parameter passed
by address to a TCB function invocation may only refer to the
invoker's space, and not to the TCB space or to another subject
space."
Tracing precise requirement properties among the TCB elements is
likely to be significantly more effective than tracing profile
requirement descriptions, which are informally expressed. However, the
precision with which the requirement properties are expressed by a
model generally depends on the type of model and the degree of model
formalism. Furthermore, the tracing process itself also depends on the
degree of precision and formalism with which the TCB elements are
described. For example, precision is enhanced by providing Descriptive
Interface Specifications (DIS) instead of informal descriptions of the
TCB interface found in product reference manuals, or by providing
Formal Interface Specifications (FIS) instead of the DIS. The use of
formal models and DIS/FIS of the TCB makes it possible to perform the
tracing process by (in)formally interpreting the requirements model in
the DIS/FIS. By showing that a documented (in)formal interpretation of
a requirement model in a TCB is valid, the properties of the TCB can
be stated (in)formally with a higher degree of rigor.
5.2.1.2 TCB Design
The TCB design component comprises several subcomponents that provide
product development assurance. These subcomponents are (1) element
identification, (2) interface definition, (3) modular decomposition,
(4) structuring support, and (5) design disciplines. Details of each
component follow.
5.2.1.2.1 TCB Element Identification
The importance of the TCB element identification as an assurance
component derives from the fact that all other assurance methods rely
on it either directly or indirectly. Intuitively, the TCB includes
all code and data structures that implement protection functions of a
TCB (i.e., functional components). Although this intuitive definition
of the TCB elements is precise, in practice the identification of
these elements can be a challenging activity for the following three
reasons.
First, TCBs may include code and data structures that are irrelevant
to the protection components. In practice, products often implement
functions and mechanisms that include security irrelevant elements and
whose main purpose is not protection. Separating the protection
relevant from the irrelevant elements within these functions can
sometimes be a very difficult task because of the complexity and
performance implications of the interfaces that are introduced between
the protection relevant and irrelevant elements of a function.
Although desirable for assurance purposes, in general, it may be
impractical to remove all security irrelevant code from the TCB.
Second, the TCB is defined with respect to a set of protection
requirements and a set of assurances necessary to demonstrate that the
TCB satisfies those requirements. A product may include protection
functions for which assurance is not required. Nevertheless, these
protection functions in practice become part of the TCB since they
affect the overall behavior of the product in other environments. For
example, separating different TCBs for functions implementing
different security policies may be impractical. The TCB of a product
may include protection functions to support confidentiality,
integrity, and availability to various degrees, but the only required
policy support assurances may be for confidentiality. Providing a
separate TCB for availability and integrity components is impractical
for most products and unjustifiable, based on the incremental
assurance benefits that might be derived from the removing these
components from the confidentiality TCB. In practice, the
determination of which components must be included in a TCB cannot be
made exclusively based on the specific-policy relevance of the code
and data structures.
Third, sometimes it is challenging to determine whether a functional
component is security-policy relevant without the benefit of a formal
model of a security policy. For example, if a formal state-transition
model is available, any TCB function whose execution may cause a state
transition is, by definition, security-relevant. However, in the
absence of a formal model, one can determine whether a function is
security-policy relevant only if the function implements security
policy checks. Among the functions that invoke other functions
implementing security or accountability checks indirectly, few are
required to be part of the TCB since, by definition, they could be
placed outside the TCB and could invoke a TCB system call.
Since many of the IT product TCBs will include both
protection-relevant and irrelevant elements, the identification of
these elements (1) must separate the protection-relevant elements from
the irrelevant ones (if any), and (2) must provide a rationale for the
retention of the protection-irrelevant elements within the TCB.
5.2.1.2.2 TCB Interface Definition
To analyze the protection of the TCB domain, one must first define
interface of the TCB to external subjects. This interface establishes
the boundary between the TCB elements and unprivileged subjects. The
TCB protection behavior is defined at this interface.
The definition of the TCB interface is required by several assurance
methods, including security and penetration analysis and testing,
interpretation of security requirements and models within a TCB, and
covert channel analysis and testing. Establishing the TCB interface
requires that all TCB elements be identified to determine whether they
present an interface (i.e., are visible) to an unprivileged subject.
The TCB interfaces typically consist of several components including
(1) the command interfaces, (2) the application programming interfaces
(i.e., system calls), and (3) the machine/processor interface (i.e.,
processor instructions). The command interface consists of the set of
TCB commands that can be input via user-oriented devices such as
keyboards, mouse devices, and joysticks; other command interfaces to a
TCB may include various sensor input interfaces for real-time devices
and processes external to the TCB. The application programming
interface consists of all the TCB system calls that an application
program can make, to include the signal, trap, and fault interfaces
which an application program may invoke. Similarly, the
machine/processor interface to the TCB consists of all instructions
that refer to TCB internal data structures, (e.g., memory registers,
segment and page tables), and processor registers (e.g., process
status registers, segment, page table, capability, cache, and
address-translation registers).
Determining the TCB interface cannot be simply performed by listing
all commands, system calls, and processor instructions. Not all
commands, system calls, or instructions may, in fact, represent a TCB
interface. For example, some commands and library calls may refer to
programs and data structures that are in user space. Similarly, some
instructions may refer to operands that are already loaded into
user-addressable registers and, therefore, need not include memory
protection checks. Some command and application program interfaces may
overlap and not represent distinct TCB interfaces. For example, two
distinct command interfaces that are implemented by command processors
running in user space may invoke the same application program
interfaces of the TCB. Consequently, the two distinct commands do not
provide distinct TCB interfaces. In some products, the TCB includes
the entire application and presents a command interface to its users
with no distinct application program interface or processor interface.
For example, in some real- time, process-control systems, the external
TCB interface may represent sensor input, but no external user or
application program input. In this case the TCB components and the TCB
external interface must still be identified because of attempts by
external processes to provide the sensor input.
The TCB interface definition requires that all TCB functions which are
visible outside the TCB be defined, including their calling
conventions, parameters, parameter types, order, and exceptions
signalled. The parameter types must include, in addition to the call
parameters, all of the subjects, objects, and access control
attributes affected by that call. Whenever covert channel analysis,
penetration analysis, and resource- constraint analysis are required,
the TCB interface definition must also include all effects of a call,
including the direct visibility and alterability of internal TCB
variables and functions. In these cases, the traditional definitions
of TCB interfaces provided in product reference manuals must be
augmented by additional elements. In all cases, all TCB interfaces
must be included. No interface may remain undocumented, and no
temporary interfaces for testing or performance monitoring, for
example, should be included.
5.2.1.2.3 TCB Modular Decomposition
Modular design and implementation constitutes a sound engineering
practice in general, and therefore, this technique represents sound
engineering practice for IT product development assurance. Reading,
understanding, maintaining, testing, and evolving a software product
is helped by modularity. "Understanding" includes identifying product
parts and their relationships, and determining important product
properties. Although modular design and implementation is not a
security-specific assurance, products that employ it offer the
following assurance advantages: (1) an incremental, divide-and-conquer
approach to determining correctness properties; (2) an incremental,
divide-and- conquer approach to product development, with many
individuals per development team possible; (3) replacement
independence of product parts based on well-defined interfaces and
uniform reference (i.e., references to modules need not change when
the modules change); and (4) an intuitive packaging of product
components with ease of navigation through the product, module by
module.
Appendix D provides some of the technical underpinnings used in
deriving the requirements of the TCB modular decomposition.
5.2.1.2.4 TCB Structuring Support
The TCB structuring using modular decomposition is necessary for
understanding, maintaining, testing, and evolving a product. However,
the modular decomposition does not necessarily reflect the run-time
enforcement of TCB structuring since the separation of modules may not
necessarily be supported by run-time mechanisms. The run-time
enforcement of internal TCB structuring adds a measure of assurance
that the TCB elements that are critical to the enforcement of the
protection functions are separated from non-critical elements. Also,
the use of run-time enforcement of TCB structuring helps separate
protection-critical elements of the TCB from each other, thereby
helping enforce the separation of protection concerns and minimizing
the common mechanisms shared between protection critical elements.
Run-time enforcement of TCB structuring is useful in cases when
compile-time structuring either cannot be enforced (e.g., the
programming language does not enforce modular decomposition) or can be
circumvented by transient hardware failures. In either case, software
errors may propagate through the entire TCB and corrupt
protection-critical elements. However, run-time enforcement of TCB
structuring is not considered to be a protection function because it
does not directly counter any security threat posed by unprivileged
subjects. Unlike the support for the least-privilege TCB operation,
which reduces the possibility that the penetration of a TCB functional
component affects other components, the run-time support for TCB
structuring has no direct protection use. Use of processor mechanisms
to support TCB structuring is desirable for minimizing the performance
penalties that will undoubtedly arise if these mechanisms were
provided by run-time software.
A key assurance requirement for run-time mechanisms that support TCB
structuring is that of conceptual simplicity and well-defined
semantics. Conceptually simple mechanisms are generally easy to
understand, and describe, define, or formally specify. Well-defined
semantics enable the rigorous analysis of TCB structuring and increase
the confidence that the internal TCB structuring is enforced
correctly. The use of architecture features for run-time enforcement
of TCB structuring into security kernels and privileged processes
ranges from process-isolation features to the use of ring or
domain-of-protection mechanisms. Among the architecture and operating
system features employed for enforcing the TCB structuring,
segmentation and paging has been used to separate logically distinct
storage objects with separate access- control attributes. The
separation of subsystem and module data structures and code within a
TCB is sometimes supported by ring or domain-of-protection mechanisms
with separate entry point support and protection (illustrated by ring
or domain gates). Thus, the TCB can be described in terms of the
different rings or domains of protection it employs for its
structuring into subsystems and modules, and in terms of the
segmentation or paging mechanisms it employs for structuring its
internal code and data structures into logically distinct storage
objects.
5.2.1.2.5 TCB Design Disciplines
Modularly decomposing the TCB provides many benefits. However, it
does not minimize the complexity of the TCB or remove the
protection-irrelevant elements from the TCB. Leaving
protection-irrelevant elements within a TCB necessarily results in a
significantly larger assurance effort because these elements must be
included in the TCB's analysis. Furthermore, modularly decomposing the
TCB does not necessarily minimize the sharing of global variables
between modules (i.e., the data structures used in a module need not
be "hidden" within the module), and does not necessarily help layer
the TCB (e.g., the cyclic dependencies among TCB modules cause lower
layers to require services of higher layers). Consequently, the
analysis of the TCB could become very complex for medium size (e.g.,
500K to 1M lines of source code) or large products (e.g., over 1M
lines of source code).
Several design disciplines enable the rigorous analysis of TCB
security properties which is necessary for high-assurance products.
First, the complexity of the TCB must be reduced by minimizing the
number of protection-irrelevant elements that are left within the TCB.
This requirement, together with the functional requirements of
reference mediation and TCB protection, is the basis for demonstrating
that the TCB implements the reference validation mechanism, which is
important for the rigorous analysis of access control policy
implementations (see Appendix B).
Second, the TCB structuring must employ the use of data hiding to
minimize the sharing of global variables within the TCB. This
requirement, together with the use of other design abstractions such
as functional and control abstractions, significantly enhances the
ability to structure the modules of a TCB into sets of (ordered)
layers and to precisely determine the protection properties of those
layers (e.g., derive abstraction and layer properties). As a result,
the formal analysis of the TCB modules becomes possible.
Third, extensive use of high-level synchronization constructs, such as
monitors and message passing, makes the analysis of the TCB behavior
possible despite the occurrence of asynchronous events. Further
structuring of TCB processes into threads decreases the cost of using
processes as a TCB structuring mechanism, thereby enhancing the
development of TCBs containing small independent modules sharing
process space.
5.2.1.3 Implementation Support
The implementation support component is an assurance method that can
be used to simplify the task of establishing the correspondence
between the product as built and the product design. The ultimate test
of the development process applied to a TCB is how well the TCB
implementation satisfies the protection profile requirements. Testing
can establish that the TCB implementation exhibits at least the
properties needed to satisfy the profile requirements. Analysis,
however, is needed to establish that the implementation does no more
than the profile requires. At a minimum, a complete analysis requires
that the source code be available. For more detailed analysis, the
system architecture and design are also necessary to simplify the task
of tracking the required TCB properties from requirements down to
implementation. As more rigor is brought to the process of design,
more analysis can be done at higher levels of abstraction. To complete
the chain and effectively leverage the previous analysis, the
implementation should be organized and packaged in the same manner as
the design to simplify the process of mapping the design to the
implementation.
5.2.1.4 TCB Testing and Analysis
A significant measure of product development assurance is derived from
the methods used to test and analyze a TCB provides. These methods,
which include (1) functional testing, (2) penetration analysis, and
(3) covert channel analysis, are described below.
5.2.1.4.1 Functional Testing
Functional testing is an assurance method for establishing that the
TCB interface exhibits the properties necessary to satisfy the
requirements of its protection profile. Functional testing is
especially valuable in providing assurance that the TCB satisfies at
least its functional protection requirements. It does establish that
the TCB does no more than expected. The developer's functional testing
objective is to uncover all design and implementation flaws that would
enable a user external to the TCB to violate the product security
policy. Such flaws would invalidate the developer's claim of
compliance with the protection profile. The developer should perform
functional testing whenever the TCB changes as a result of design
analysis, independent evaluation, product evolution, or repair of
security flaws identified by either consumers or previous functional
testing.
All approaches to security functional testing require the following
four major steps:
Test plan development. The test plans consist of test conditions, test
data including the expected test outcomes, and test coverage analysis.
Test plans must be developed for all TCB primitives exported at the
TCB interface.
Test program development. The test programs developed must reflect the
test conditions, test data, and coverage described in the test plans.
Test procedure description. The test procedures provide instructions
for using individual test programs, and complete test suites.
Test result analysis. The analysis of the test results verifies that
the test outputs correspond to the expected outcomes defined in the
test plans.
Functional testing should be done on a copy of the TCB that is
configured and installed as recommended in product documentation. The
product should be operating in a normal mode, as opposed to
maintenance or test mode. Tests should be done using user-level
programs that cannot read or write internal TCB data structures or
programs. New data structures and programs should also not be added to
a TCB for security testing purposes, and special TCB entry points that
are unavailable to external user programs should not be used. If a TCB
is tested in maintenance mode using programs that cannot be run at the
user level, the security tests would be meaningless because assurance
cannot be gained that the TCB performs user-level access control
correctly. If user-level test programs could read, write or add
internal TCB data structures and programs, as would be required by
traditional instrumentation testing techniques, the TCB would lose its
isolation properties. If user-level test programs could use special
TCB entry points not normally available to external users, the TCB
would become circumventable in the normal mode of operation.
Functional testing should be conducted according to procedures defined
in a test plan. Significant events during testing should be placed in
a test log. As testing proceeds sequentially through each test case,
the developer's test team should identify flaws and deficiencies that
will need to be corrected. After changing TCB elements (i.e.,
hardware, firmware, or software) to correct these flaws and
deficiencies, the developer should repeat the tests that identified
problem(s) as well as any other tests related to the changed TCB
elements. When the development team has corrected all functional
problems and has analyzed and retested all corrections, a test report
should be written and made a part of a functional testing report.
5.2.1.4.2 Penetration Analysis
The penetration analysis of a computer product is a separate assurance
concern from security policy design and/or implementation. Different
TCBs may exhibit the same degree of penetration resistance, but
implement widely different security policies, or may implement the
same policies, but exhibit different degrees of penetration
resistance. Furthermore, penetration analysis is an important
assurance component since the effectiveness of all security policies
rely on the penetration resistance of a TCB.
The penetration analysis of a TCB consists of the identification and
confirmation of flaws in the design and implementation of protection
functions that can be exploited by unprivileged users or application
programs. Unlike security policy analysis and security functional
testing, penetration analysis identifies TCB flaws that are not
necessarily related to security policy design and implementation. For
example, penetration analysis identifies vulnerabilities of reference
mediation and TCB protection functions independent of the functions
that implement security policy support. This implies that the type of
policy that controls the subjects' access to objects is relevant to
security functional analysis and testing, but not to penetration
testing. Instead, penetration testing concerns include whether TCB
elements may be surreptitiously viewed or modified, and whether TCB
internal functions, which are intended to be invisible outside the
TCB, can in fact be invoked under the control of unprivileged users or
applications. Furthermore, penetration analysis includes assessments
of the strength of TCB protection functions and of vulnerabilities of
protection function implementation and operational use.
Appendix E presents some of the technical underpinnings used in
deriving the requirements of the penetration analysis component.
5.2.1.4.3 Covert Channel Analysis
Covert channel analysis is an assurance component that is required
whenever nondiscretionary confidentiality or integrity policies are
used to control information flow. It consists of (1) the
identification of covert channels within a TCB, (2) the estimation of
the maximum bandwidth of each channel, and (3) the testing of the
covert channel handling functions.
Identifying a covert channel requires discovery of a TCB internal
variable and one or more TCB interfaces that permit the alteration and
viewing of variable values in violation of the information-flow policy
imposed by nondiscretionary access controls. Both storage and timing
channels use at least one variable for the transmission of the
information being transferred between the sender and receiver.
Multiple TCB interface functions may be necessary for viewing or
altering a variable because after viewing or altering a variable, the
sender and/or the receiver may have to set up the transmission
environment for sending and/or reading the next bit. The covert
channel variable may be a software, firmware, or hardware variable. In
addition to TCB primitives and variables implemented by kernel and
trusted processes, covert channels may use hardware-processor
instructions and user-visible registers. Thus, complete covert channel
analysis should take into account a product's underlying hardware
architecture, not just kernels and trusted processes. Therefore, the
primary goal of covert-channel identification is that of discovering
all TCB variables and TCB interfaces that can be used to alter or view
these variables. A secondary goal of covert channel identification is
that of determining the TCB elements where time delays, noise (e.g.,
randomized table indices and object identifiers, spurious load), and
audit code may be placed for decreasing the channel bandwidth and
monitoring its use.
The term "bandwidth" is introduced to denote the rate at which
information is transmitted through a channel. This use of the term
bandwidth can also be related to the notion of "capacity". The
capacity of a channel is its maximum possible error-free information
rate in bits per second. Thus, the primary goal of covert-channel
bandwidth estimation is to determine the maximum possible error-free
transmission rate, measured in bits-per-second, through a covert
channel. The maximum covert channel bandwidth can be estimated using
standard information theory methods. Performance measurements of the
TCB are generally necessary to determine parameters required by the
information theory methods.
Covert channel testing is required to demonstrate that covert channel
handling functions (e.g., elimination, bandwidth limitation, audit)
chosen by product designers operate correctly. Testing is also useful
to confirm that the potential covert channels discovered in the
product are in fact real channels. Furthermore, testing is useful when
the handling functions use variable bandwidth-reduction parameters
(e.g., delays) that system administrators (e.g., auditors) can set.
In contrast with maximum bandwidth estimation, which provides upper
bounds for covert channels before handling functions are used, covert
channel testing always requires that actual measurements be performed
to determine the covert-channel bandwidths after the chosen handling
functions are implemented in a product. (Of course, maximum bandwidth
estimation can also be used after handling functions are implemented
in a product.) Test plan documentation, including test conditions,
test environment set-up, test data, expected test outcome, and actual
test result documentation must be provided.
5.2.2 Operational Support
The operational support class of components addresses the developer's
and users' responsibilities subsequent to IT product delivery. The
developer's responsibilities include providing the necessary guidance
to the consumer regarding the proper configuration, initialization,
use, and administration of the IT product. The consumer is assumed to
follow this guidance, however, fail-safe defaults may be provided to
preclude consumer difficulties. An issue of concern to consumers is
the identification and remediation of security flaws that may be
discovered subsequent to IT product delivery. This component includes
requirements for such identification and remediation.
5.2.2.1 User Guidance
Requirements for user guidance help ensure that product users are able
to operate the product in a secure manner (e.g., the usage constraints
assumed by the protection profile must be clearly explained and
illustrated). The user is defined as a person who operates the
product, but has no special privileges to affect the configuration of
the product. The user for most IT products is assumed to be a person
with little or no computer experience, but this need not always be the
case.
User's guidance is the primary means available to the developer for
providing the IT product users with the necessary background and
specific information on how to correctly use the product's protection
functions. User guidance must do two things. First, it must explain
how the protection functions of a specific product work, so that users
are able to consistently and effectively protect their information.
Second, it must explain the user's role in maintaining the IT
product's security.
The scope of the user's guidance should be limited to documenting only
the protection functions available to all users and only the
responsibilities that all users have for product security. To
accomplish this, the user's guidance documentation should explain what
protection functions are present in the product and why, how the
protection functions work, and how to use the functions properly. The
material should be easy to locate in the IT product documentation and
should be clear, concise, and complete.
5.2.2.2 Administrative Guidance
Requirements for administrative guidance help ensure that the
environmental constraints assumed by the protection profile are
understood by administrators and operators of the IT product. The
administrator is defined as a person who has the special privileges
needed to affect the product configuration and set the user and
product security parameters. The operator is defined as a person who
has the special privileges needed to affect the routine operation of
the product after it has been configured. The administrator has the
primary responsibility for the security of the IT product. The
operator is often assumed to also have some responsibility for the
secure use of the IT product.
Administrative guidance is the primary means available to the
developer for providing the IT product administrators with detailed,
accurate information of how to: (1) configure and install an IT
product, (2) operate the IT product in a secure manner, (3) make
effective use of the product's privileges and protection mechanisms to
control access to administrative functions and databases, and (4)
avoid pitfalls and improper use of the administrative functions that
would compromise the TCB and user security.
Administrator guidance should clearly illustrate necessary
administrator actions (e.g., cite actual system commands and
procedures). Although a high level of detail in illustrating key
security concepts would benefit administrative users, the
administrator guidance should not become a training manual in the
areas of computer security and system administration. Administrator
familiarity with the notion of IT product security should be assumed.
Administrator guidance should include examples of both proper use and
warnings about consequences of misuse of administrative functions,
procedures, privileges, and databases. Administrator guidance should
be easy to locate in the IT product documentation and should be clear,
concise, and complete.
5.2.2.3 Flaw Remediation
Flaw remediation is an operational support assurance component for
ensuring that flaws discovered by the IT product consumers will be
tracked and corrected while the product is supported by the developer.
While compliance with the flaw remediation requirements of a
protection profile cannot be determined when a product is evaluated,
it is possible to evaluate the procedures and policies that a
developer has in place to track and repair flaws and distribute the
repairs to affected consumers.
There are three parts to the flaw remediation process. First, the
developer must be prepared to receive, validate, and track consumer
reports of TCB flaws. Second, the developer must be prepared to devote
resources to identifying one or more corrections to each flaw and
maintaining these correction(s) with the reported flaws. Finally, the
developer must have a process in place for distributing the flaw
corrections to affected consumers.
5.2.2.4 Trusted Generation
Trusted generation is an operational support assurance component for
ensuring that the copy of the IT product's TCB that is configured and
activated by the consumer will exhibit the same protection properties
as the master copy of the IT product's TCB that was evaluated for
compliance with the protection profile. The trusted generation
procedures must provide some confidence that the consumer will be
aware of what product configuration parameters can affect the
protection properties of the TCB. The procedures must encourage the
consumer to choose parameter settings that are within the bounds
assumed during the product evaluation.
5.2.3 Development Environment
The development environment class of components addresses the
developer's engineering processes for product life cycle management,
product configuration management, and trusted product distribution.
These components are reviewed below.
5.2.3.1 Life Cycle Definition
Life cycle definition is an assurance component for establishing that
the engineering practices used by a developer to produce the IT
product's TCB include the considerations and activities identified in
the development process and operational support requirements of the
protection profile. Consumer confidence in the correspondence between
the protection profile requirements and the product's TCB is greater
when security analysis and the production of evidence are done on a
regular basis as an integral part of the development process and
operational support activities.
The developer must explain the processes used to develop and maintain
the product's TCB. The developer must also define the tools being used
to analyze and implement the TCB. The higher levels of the component
also require that the processes used by the developer are disciplined
(i.e., consistent, measurable, and repeatable) to achieve quality
products. It must be emphasized that this component imposes no
constraints on the specific process chosen by the developer other than
that it be sufficient to incorporate the stated requirements of the
protection profile. This component simply establishes the degree of
rigor required for documenting and demonstrating compliance with the
developer's defined process.
5.2.3.2 Configuration Management
Configuration management is an assurance component for ensuring that
the IT product's TCB configuration remains consistent and complete
during the product life cycle, and that changes to the TCB do not
adversely affect the protection properties of the TCB. Configuration
management must ensure that additions, deletions, or changes to the
TCB do not compromise the correspondence between the TCB
implementation and the requirements of the protection profile. This is
accomplished in the configuration management component by requiring
that the developer have procedures and tools that ensure that the TCB
and its documentation are updated properly when the TCB changes.
Configuration management is a sound engineering practice that also
provides the final element of traceability between the protection
profile requirements and the product delivered to the consumer.
Specifically, configuration management provides confidence that the IT
product's TCB and documentation used for evaluation are the ones
prepared for distribution to consumers.
The requirement of configuration management refers to four separate
tasks: configuration identification, control, status accounting, and
auditing. For every change that is made to the IT product, the changed
version of the product, its functional requirements, and design must
be identified. Control over the product configuration means that every
change to the product documentation, hardware, software, or firmware
is the subject of review and approval by a change-control authority.
Configuration status accounting is responsible for recording and
reporting on the configuration of the product throughout the change.
Finally, through the process of configuration audit, the completed
change can be verified to be functionally correct and consistent with
the protection properties the IT product. The procedures and tools
used to implement the four tasks are documented in a configuration
management plan to ensure that development personnel understand their
responsibilities for configuration management. Any deviation from the
configuration management plan could contribute to the failure of the
configuration control of an IT product and compromise the trust in the
product's ability to satisfy the protection profile.
5.2.3.3 Trusted Distribution
Trusted distribution is an assurance component for ensuring that the
master copy of the IT product's TCB sent from the developer is the
same one received by the consumer. The trusted distribution component
is intended to counter the possibility that the TCB could be
intentionally subverted during shipment from the development
environment to the consumer.
At a minimum, the trusted distribution techniques must allow the
consumer to determine if the TCB copy received has been modified
during shipment. The trusted distribution techniques should also be
designed to prevent any modifications from occurring during shipment.
5.2.4 Development Evidence
The development evidence class of components addresses requirements
for the documentation of all development process, operational support,
and development environment activities. The requirements for evidence
are stated in four components: TCB Protection Property, Product
Development, Product Analysis and Testing, and Product Support. These
evidence components are elaborated below:
5.2.4.1 TCB Protection Properties
The documentation of the TCB protection properties includes the
definition of the functional component requirements, their modeling
(if any), and their interpretation within a product's TCB.
For each functional requirement of a protection profile, a
description, definition (an informal, descriptive specification), or a
formal specification of the TCB components and their operation
corresponding to that requirement must be provided. This
correspondence must be documented to the extent necessary to establish
that the functional requirements are, in fact, supported by TCB
elements and interfaces. Alternate ways of presenting the evidence of
this correspondence are possible. For example, the documentation may
select TCB elements and interfaces, and for each individual set of
selected elements and interfaces, it may identify the corresponding
functional component requirement.
The correspondence between the functional component requirements and
the TCB elements and interfaces can be established and documented in
varying degrees of rigor. In addition to the above, the developer must
document the (in)formal models of the functional component
requirements, when higher levels of development assurance are desired.
Providing specific models that satisfy the requirements of a profile
increases the degree of rigor with which the correspondence can be
established between the profile requirements and the TCB elements and
interfaces. The interpretation of a model in a TCB must also be
documented. However, as noted in the development assurance
components, not all functional requirements must be modeled. Thus, not
all aspects of this correspondence could be established at same degree
of rigor. (The required modeling areas are spelled out in the
assurance components.) Nevertheless, all aspects of the correspondence
between the functional requirements and TCB elements and interfaces
must be documented.
5.2.4.2 Product Design and Implementation
The TCB design evidence includes the documentation of the (1)
interface, (2) elements, (3) modular decomposition, (4) structuring
support, and (5) design disciplines used. The TCB implementation
evidence includes (1) the source code, and (2) the processor hardware
and firmware specifications. In addition to the documentation for each
stage of the development process, the design and implementation
evidence should contain descriptions/definitions/specifications of the
correspondences between the TCB design and the implementation.
In principle, the product design and implementation should follow a
development sequence beginning with the specification of the TCB
protection properties and ending with the implementation code and
processor specifications. In practice, however, the different
development sequences may, in fact, be executed in successive
refinements, with specifications and correspondences between design
and implementation being performed out of sequence. Alternative
development sequences are acceptable, provided that they lead to
products whose structures are accurately reflected in the design and
implementation documentation.
5.2.4.3 Product Testing and Analysis
The product testing and analysis evidence consists of the
documentation of functional testing, penetration analysis, and
covert-channel analysis.
5.2.4.3.1 Functional Testing
Functional testing evidence includes test plans, test results, and
test documentation. Each test plan consists of (1) the description,
definition or specification of the test conditions, (2) the test data,
and (3) a description of the test coverage. The test results contain
the actual outcome of each test run. The test plans must be documented
and, in some cases, maintained under configuration management.
5.2.4.3.2 Penetration Analysis
The penetration analysis evidence includes penetration test plans and
results, the documentation of the penetration testing method and
tools, and when appropriate, the scenario of the discovered
penetration flaws. The cause of a every discovered penetration flaw,
or class of penetration flaws, must also be documented.
5.2.4.3.3 Covert Channel Analysis
The covert-channel analysis evidence includes, in addition to
covert-channel test plans and results, the documentation of the
covert-channel identification method and tools, covert- channels
found, and bandwidth estimation. All storage and timing channels found
must be described in terms of the covert transmission scenarios (e.g.,
variables altered and viewed, source of time modulation). The cause of
each covert channel, or class of covert channels, must also be
documented.
5.2.4.4 Product Support
The product support evidence consists of the development environment
and operational support documentation and tools. The development
environment evidence includes the documentation of the product
life-cycle process, configuration management procedures enforced, and
the trusted distribution mechanisms and procedures used. This evidence
also includes the identification of (1) the tools used in the product
development, configuration management, and trusted distribution, and
(2) the characteristics that make those tools suitable for development
of protection in IT products.
The operational support evidence includes the User's Guide and the
Trusted Facility Manual, the documentation describing the flaw
remediation policies and procedures, and the documentation describing
the trusted product generation. It also includes the description of
the tools used (if any) in the product flaw remediation and trusted
generation.
5.3 Rated Development Assurance Components
Each development assurance component addresses a unique IT
development, support, or maintenance method available to an IT product
developer (producer) for establishing the functional correctness of a
specific product. Although these methods change over time as these
disciplines mature, evolve, and new disciplines are introduced, all
existing and future methods can be rated by generic characteristics.
The extent to which such methods are used in a product development,
maintenance, and operation can be determined by the extent to which
the requirements of each method are satisfied. For this reason, the
assurance components are rated according to the extent to which their
requirements are satisfied. The rating of the assurance components
included herein is based on the following four parameters: (1) the
scope of the assurance method used, (2) the precision, or level of
detail, used in, or allowed by, applying a specific method, (3) the
coverage of the method, and (4) the strength of the particular method
employed.
1. Scope. The scope of a method determines whether the method applies
to all functional-component properties and to all steps of the product
development, maintenance, or operation processes. For example, a
specific design analysis method or a specific testing method may be
applied to security-policy properties, but not to TCB protection or
reference mediation properties; and a covert channel identification
method and tool may apply only to the design-specification step of the
development process, but not to the implementation step. Similarly, a
configuration-control method may apply only to source code or to
design specifications, test plans, documentation, source code, and
hardware specifications; and a guidance manual (e.g., Trusted Facility
Manual) referring to product operation may, or may not, include all
system administration properties or requirements.
2. Precision. The precision in applying a method determines the level
of detail at which the method is applied in product development,
maintenance, or operation. For example, an analysis method may be
applied to a description of a functional component, to an informal
specification, or to a formal specification; it may require a formal
or an informal model of the functional-component properties; it may
require that formal correspondence between different levels of product
design be established or only that informal correspondences be
established; it may require that these correspondences show that all
TCB properties are preserved by the correspondence or only that some
properties are preserved. Similarly, the degree of precision in
applying the method may require that the design, coding, and
configuration-control methods be described or defined; that they be
applied to TCB functions, subsystems, or individual low-level modules,
or only to TCB functions. Or, the degree of precision of the
operational method for flaw discovery, tracking, and repair may
indicate whether specific response-time deadlines are provided for
flaw repair.
3. Coverage. The coverage of a method determines the extent to which
the method is applied to a functional component, that is, whether the
method is fully or only partially applied to a functional component.
For example, security testing may use all test conditions required by
a functional-component description or model, or only a subset of those
conditions; or the test data may cover all positive and negative
outcomes of a test condition or only a subset of those outcomes.
Similarly, configuration management may require that all
change-control conditions be applied to the configuration items or
that only a subset of those conditions be applied. Or, the
operational method of flaw discovery, tracking, and repair may, or may
not, use all conditions of flaw discovery, tracking, and repairs, or
only a subset of these conditions (e.g., use an explicit
protection-problem report step, take into account the consumer
protection requirements whenever protection flaws are repaired, and
maintain flaw reports and corrections under configuration management).
4. Strength. The strength of a method used may vary according to the
characteristics of the method. For example, test methods based on data
flow coverage are inherently stronger than those based on
boundary-value coverage (e.g., data-flow testing vs. monolithic
functional testing). Covert-channel identification methods that
eliminate false flows (i.e., formal flow violations) are inherently
stronger than those that allow the discovery of false flows. Methods
for estimating the maximum covert-channel bandwidth based on
information theory are inherently stronger than those exclusively
based on performance measurements. Configuration management methods
and tools that automatically enforce all change-control conditions are
inherently stronger than those that require operator-controlled
enforcement. Compilers that enforce programming conventions and
disciplines (e.g., type checking for user-defined, abstract data
types) are inherently stronger than those that merely perform syntax
checking.
The above parameters are chosen because, although general in nature,
they facilitate the rating of the assurance components at levels of
detail comparable to those of existing standards, thereby enabling
potential harmonization with these standards. Other rating parameters
that are equally suitable may exist. The parameters used to rate each
development assurance component are summarized in Table 3.
Table 3. Rating Summary for Development Assurance Components
.----------------------------------------------------------------------.
| | | Prec- | Cover- | |
| Development Assurance Components | Scope | ision | age | Strength |
|======================================================================|
| Development Process |
|----------------------------------+-------+-------+--------+----------|
| TCB Property Definition | | X | X | |
|----------------------------------+-------+-------+--------+----------|
| TCB Design |
|----------------------------------+-------+-------+--------+----------|
| TCB Element Identification | | | X | |
|----------------------------------+-------+-------+--------+----------|
| TCB Interface Definition | | X | | |
|----------------------------------+-------+-------+--------+----------|
| TCB Modular Decomposition | | X | X | |
|----------------------------------+-------+-------+--------+----------|
| TCB Structuring Support | X | X | | |
|----------------------------------+-------+-------+--------+----------|
| TCB Design Disciplines | | | X | |
|----------------------------------+-------+-------+--------+----------|
| TCB Implementation Support | | X | X | |
|----------------------------------+-------+-------+--------+----------|
| TCB Testing and Analysis |
|----------------------------------+-------+-------+--------+----------|
| Functional Testing | | X | X | |
|----------------------------------+-------+-------+--------+----------|
| Penetration Analysis | X | X | X | X |
|----------------------------------+-------+-------+--------+----------|
| Covert Channel Analysis | X | X | X | X |
|----------------------------------+-------+-------+--------+----------|
| Operational Support |
|----------------------------------+-------+-------+--------+----------|
| User Security Guidance | | | | |
|----------------------------------+-------+-------+--------+----------|
| Administrative Guidance | | | X | |
|----------------------------------+-------+-------+--------+----------|
| Flaw Remediation | | X | X | X |
|----------------------------------+-------+-------+--------+----------|
| Trusted Generation | | | X | X |
|----------------------------------+-------+-------+--------+----------|
| Development Environment |
|----------------------------------+-------+-------+--------+----------|
| Life Cycle Definition | | X | X | |
|----------------------------------+-------+-------+--------+----------|
| Configuration Management | | X | X | X |
|----------------------------------+-------+-------+--------+----------|
| Trusted Distribution | | | | X |
|----------------------------------+-------+-------+--------+----------|
| Development Evidence |
|----------------------------------+-------+-------+--------+----------|
| TCB Protection Properties | | X | X | |
|----------------------------------+-------+-------+--------+----------|
| Product Design & Implementation | X | X | X | |
|----------------------------------+-------+-------+--------+----------|
| Product Testing & Analysis |
|----------------------------------+-------+-------+--------+----------|
| Functional Testing | | X | X | |
|----------------------------------+-------+-------+--------+----------|
| Penetration Analysis | X | X | X | X |
|----------------------------------+-------+-------+--------+----------|
| Covert Channel Analysis | X | X | X | X |
|----------------------------------+-------+-------+--------+----------|
| Product Support | | X | X | X |
`----------------------------------------------------------------------'
5.3.1 Development Process
5.3.1.1 Rated TCB Property Identification Components
The TCB property identification components are rated based on the
precision and coverage of the methods for TCB property identification.
At level PD-1, the TCB properties are informally defined by
interpreting the functional component requirements within the TCB. At
level PD-2, precision is extended by the use of informal models of
functional requirements and by requiring definitions, instead of
descriptions, of the TCB element operations. At level PD-3, both the
precision and coverage are extended. Precision is extended by
requiring the use of formal models of functional requirements, and by
the use of Descriptive Interface Specifications (DIS) for the TCB.
Coverage of the interpretation method is extended by including a
demonstration, by coherent arguments, that the TCB operation defined
in the DIS is consistent with the appropriate formal models. At level
PD-4, both precision and the coverage of the interpretation method are
further extended. Precision is further extended by requiring the use
of Formal Interface Specifications (FIS) for the TCB; coverage of the
interpretation method is extended by including a proof that the TCB
operation, as defined by the FIS, is consistent with the appropriate
formal models, and by requiring that no TCB elements remain uncovered
by the this interpretation.
PD-1 Property Description
The developer shall interpret the functional requirements of the
protection profile within the product TCB. For each functional
requirement, the developer shall: (1) identify the TCB elements and
their TCB interfaces (if any) that implement that requirement; (2)
describe the operation of these TCB elements, and (3) explain why the
operation of these elements is consistent with the functional
requirement.
PD-2 Informal Property Identification
The developer shall provide informal models for the functional
components and sub-components of the profile. At a minimum, an
informal model of the access control components shall be provided.
Each informal model shall include (abstract) data structures and
operations defining each functional component or sub-component, and a
description of the model properties. The developer shall interpret
(e.g., trace) the informal models within the product TCB. For each
model entity, the developer shall: (1) identify the TCB elements and
their TCB interfaces (if any) that implement that entity; (2) define
the operation of these TCB elements, and (3) explain why the operation
of these elements is consistent with the model properties. The
developer's interpretation of each informal model, which defines the
TCB properties, shall identify all TCB elements that do not correspond
to any model entity and shall explain why these elements do not render
the TCB properties invalid.
For the components that are not informally modeled, the developer
shall interpret the functional requirements of the protection profile
within the product TCB. For each functional requirement, the developer
shall: (1) identify the TCB elements and their TCB interfaces (if any)
that implement that requirement; (2) describe the operation of these
TCB elements, and (3) explain why the operation of these elements is
consistent with the functional requirement. The developer's
interpretation of each functional requirement, which describes the TCB
properties, shall identify all TCB elements that do not correspond to
any functional requirement and shall explain why these elements do not
render the TCB properties invalid.
PD-3 Property Specification by Model Interpretation
The developer shall provide formal models for the functional
components and sub-components of the profile. At a minimum, a formal
model of the access control components shall be provided. The
properties of the formal models shall be clearly stated. The developer
shall provide an interpretation of the models in the DIS of the
product's TCB. For each model entity, the developer shall: (1)
identify the TCB elements and their DIS (if any) that implement that
entity; (2) define the operation of these TCB elements, and (3)
demonstrate, by coherent arguments, that the DIS of these elements is
consistent with the model properties. The developer's interpretation
of each formal model, which specifies the TCB properties, shall
identify all TCB and DIS elements (if any) that do not correspond to
any model entity and shall explain why these elements do not render
the TCB properties invalid.
An informal model of reference mediation and TCB protection shall be
provided. For the components that are not modeled, the developer shall
interpret the functional requirements of the protection profile within
the product TCB. For each functional requirement, the developer shall:
(1) identify the TCB elements and their TCB interfaces (if any) that
implement that requirement; (2) describe the operation of these TCB
elements, and (3) explain why the operation of these elements is
consistent with the functional requirement. The developer's
interpretation of each functional requirement, which describes the TCB
properties, shall include all the TCB elements.
PD-4 Formal Specification of TCB Properties
The developer shall provide formal models for the functional
components and sub-components of the profile. At a minimum, a formal
model of the access control components shall be provided. The
properties of the formal models shall be clearly stated. The developer
shall provide a formal interpretation of the models in the FIS of the
product's TCB. For each model entity, the developer shall: (1)
identify the TCB elements and their FIS (if any) that implement that
entity; (2) specify the operation of these TCB elements, and (3) prove
that the FIS of these elements is consistent with the model
properties. The developer's interpretation of each formal model, which
specifies the TCB properties, shall identify all TCB and FIS elements
(if any) that do not correspond to any model entity and shall explain
why these elements do not render the TCB properties invalid.
An informal model of reference mediation and TCB protection shall be
provided. For the components that are not modeled, the developer shall
interpret the functional requirements of the protection profile within
the product TCB. For each functional requirement, the developer shall:
(1) identify the TCB elements and their TCB interfaces (if any) that
implement that requirement; (2) describe the operation of these TCB
elements, and (3) explain why the operation of these elements is
consistent with the functional requirement. The developer's
interpretation of each functional requirement, which describes the TCB
properties, shall include all the TCB elements.
5.3.1.2 Rated TCB Element Identification Components
The TCB element identification components are rated based on the
coverage of the identification method. That is, the two levels of
identification requirements are distinguished by whether the retention
of protection-irrelevant elements within the TCB is justified.
ID-1: TCB Element Identification
The developer shall identify the TCB elements (i.e., software,
hardware/firmware code and data structures). Each element must be
unambiguously identified by its name, type, release, and version
number (if any).
ID-2: TCB Element Justification
The developer shall identify the TCB elements (i.e., software,
hardware/firmware code and data structures). Each element must be
unambiguously identified by its name, type, release, and version
number (if any).
The developer shall justify the protection relevance of the identified
elements (i.e., only elements that can affect the correct operation of
the protection functions shall be included in the TCB). If
protection-irrelevant elements are included in the TCB, the developer
shall provide a rationale for such inclusion.
5.3.1.3 Rated TCB Interface Definition Components
The TCB interface definition components are rated based on the
precision of the interface definition method. The precision of the
interface definition methods required at level IF-2 is higher than
that of level IF-1, because level IF-2 requires a Descriptive
Interface Specification, not just an informal interface description.
Similarly the precision of the interface definition methods required
at level IF-3 is higher than that of level IF-2, because level IF-3
requires a Formal Interface Specification, not just a Descriptive
Interface Specification.
IF-1: Interface Description
The developer shall describe all external (e.g., command, software,
and I/O) administrative (i.e., privileged) and non-administrative
interfaces to the TCB. The description shall include those components
of the TCB that are implemented as hardware and/or firmware if their
properties are visible at the TCB interface.
The developer shall identify all call conventions (e.g., parameter
order, call sequence requirements) and exceptions signaled at the TCB
interface.
IF-2: Interface Descriptive Specification
The developer shall define all external (e.g., command, software, and
I/O) administrative (i.e., privileged) and non-administrative
interfaces to the TCB.
The developer shall provide and maintain a descriptive interface
specification (DIS) of the TCB that completely and accurately
describes the TCB in terms of exceptions, error messages, and effects.
The DIS shall identify the TCB call conventions (e.g., parameter
order, call sequence requirements), and exceptions signaled. The DIS
shall also include the TCB call identifier, parameter types (e.g.,
input, output), the effect of the call, TCB call conventions (e.g.,
parameter order, call sequence requirements), and exceptions handled
and signaled. It shall be shown to be an accurate description of the
TCB interface.
The DIS shall include those components of the TCB that are implemented
as hardware and/or firmware if their properties are visible at the TCB
interface.
If the TCB consists of a kernel and privileged processes, the
developer shall separately identify and define the interfaces for the
kernel and each privileged process.
Whenever covert-channel analysis, penetration analysis, and
resource-constraint analysis are required, the TCB interface
definition must also include all effects of a call including the
direct visibility and alterability of internal TCB variables and
functions.
IF-3: Formal Interface Specification
The developer shall define all external (e.g., command, software, and
I/O) administrative (i.e., privileged) and non-administrative
interfaces to the TCB.
The developer shall provide and maintain a descriptive interface
specification (DIS) of the TCB that completely and accurately
describes the TCB in terms of exceptions, error messages, and effects.
The DIS shall identify the TCB call conventions (e.g., parameter
order, call sequence requirements), and exceptions signaled. The DIS
shall also include the TCB call identifier, parameter types (e.g.,
input, output), the effect of the call, TCB call conventions (e.g.,
parameter order, call sequence requirements), and exceptions handled
and signaled. It shall be shown to be an accurate description of the
TCB interface.
A Formal Interface Specification (FIS) of the TCB shall be maintained
that accurately describes the TCB in terms of the call identifier,
parameter types (e.g., input, output), the effect of the call, TCB
call conventions (e.g., parameter order, call sequence requirements),
and exceptions signaled.
The DIS and FIS shall include those components of the TCB that are
implemented as hardware and/or firmware if their properties are
visible at the TCB interface.
If the TCB consists of a kernel and privileged processes, the
developer shall separately identify and define the interfaces for the
kernel and each privileged process.
Whenever covert-channel analysis, penetration analysis, and
resource-constraint analysis are required, the TCB interface
definition must also include all effects of a call including the
direct visibility and alterability of internal TCB variables and
functions.
5.3.1.4 Rated Modular Decomposition Components
The modular decomposition components are rated based on the precision
and coverage of the decomposition method. The granularity of the
modular TCB decomposition at level MD-1, which delimits the precision
of the decomposition method, refers to subsystem-level decomposition.
The decomposition granularity is refined at level MD-2, as each
subsystem is further decomposed into constituent modules. Level MD-2
also extends the coverage of the decomposition method by requiring
that inter-module relationships be used in the decomposition method.
Level MD-3 further extends the coverage of the decomposition method by
requiring that the inter-module correctness dependencies be analyzed
(see Appendix D).
MD-1: Subsystem Decomposition
The developer shall describe the TCB structure in terms of its design
and implementation subsystems and the functional relationships between
those subsystems. The developer shall identify the specific TCB
protection functions (if any) associated with each subsystem and the
TCB interfaces (if any) implemented by each subsystem. The developer
shall describe the interfaces between the subsystems.
For each subsystem, the developer shall describe: the role or purpose
of the subsystem, the set of related functions performed by the
subsystem, and the subsystem interface (i.e., the set of invocable
functions, calling conventions, parameters, global variables, and
results).
MD-2: Module-level Decomposition
The developer shall design the TCB as a small number (e.g., 10 to 100)
of design and implementation subsystems that have well-defined
functional relationships and shared-data dependencies. The developer
shall identify the specific TCB protection functions (if any)
associated with each subsystem and the TCB interfaces (if any)
implemented by each subsystem.
The developer shall design each subsystem as a set of modules. For
each module, the developer shall describe: the role or purpose of the
module, the set of related functions performed by the module, and the
module interface (i.e., the set of invocable functions, calling
conventions, parameters, global variables, and results). The developer
shall identify the protection functions of, and describe the
interfaces between, these modules. The developer shall choose the
modules so that the set of functions implemented by the module, the
module's contribution to the TCB protection properties, and the
interface(s) to the module can be described concisely (e.g., the
module shall have a single purpose). The TCB structuring into modules
shall be based on well- defined module relationships; for example, the
contains relation (e.g., A is part of B) or the "uses" relation (e.g.,
A is correct only if B is correct).
MD-3: Module Relationship Analysis
The developer shall design the TCB as a small number (e.g., 10 to 100)
of design and implementation subsystems that have well-defined
functional relationships and shared-data dependencies. The developer
shall identify the specific TCB protection properties and functions
associated with each subsystem and the TCB interfaces (if any)
implemented by each subsystem.
The developer shall design each subsystem as a set of modules. For
each module, the developer shall describe: the role or purpose of the
module, the set of related functions performed by the module, and the
module interface (i.e., the set of invocable functions, calling
conventions, parameters, global variables, and results). The developer
shall identify the protection functions of, and describe the
interfaces between, these modules. The developer shall choose the
modules so that the set of functions implemented by the module, the
module's contribution to the TCB protection properties, and the
interface(s) to the module can be described concisely (e.g., the
module shall have a single purpose). The TCB structuring into modules
shall be based on well- defined module relationships; for example, the
contains relation (e.g., A is part of B), the "uses" relation (e.g., A
is correct only if B is correct). The developer shall analyze the
correctness dependencies among these modules. This analysis may
include, but is not restricted to, service and environmental
dependencies.
5.3.1.5 Rated TCB Structuring Support Components
The TCB structuring support components are rated based on the scope
and precision of the supporting mechanisms used in TCB structuring.
Ascending levels are assigned to mechanisms supporting TCB process
isolation, TCB modularity, and storage objects to reflect the degrees
of usefulness in TCB structuring added by these mechanisms. The
precision and conceptual simplicity of these mechanisms are assigned
to the highest level reflecting their importance in the rigorous
analysis of TCB structuring support.
At level SP-1, the structuring of the TCB includes the minimal
requirement of process isolation. Level SP-2 extends the support for
TCB structuring by including the separation of protection critical
elements and use of processor support for logically distinct storage
objects. Level SP-3 extends the precision requirements in the
definition of the protection mechanisms for TCB structuring support
SP-1: Process Isolation
The TCB shall maintain process isolation.
SP-2: Support for Storage Objects
The TCB shall maintain process isolation. The TCB shall separate those
elements that are protection- critical from those that are not.
Features in hardware, such as segmentation, shall be used to support
logically distinct storage objects with separate access-control
attributes (e.g., readable, writable).
SP-3: Structured Protection Mechanisms
The TCB shall maintain process isolation. The TCB shall separate those
elements that are protection- critical from those that are not.
Features in hardware, such as segmentation, shall be used to support
logically distinct storage objects with separate access-control
attributes (e.g., readable, writable). The TCB shall employ a
complete, conceptually simple, protection mechanism with precisely
defined semantics. This mechanism shall play a central role in
enforcing the internal structuring of the TCB and the product.
5.3.1.6 Rated TCB Design Discipline Components
The TCB design discipline components are rated based on the coverage
of the disciplines used for TCB structuring. The requirements range
from TCB complexity minimization to the use of data hiding, layering,
and high-level synchronization constructs.
At level DD-1, the design disciplines covered include that of
minimizing the TCB complexity, of maximizing the use of data hiding,
and of employing well-defined exception handling techniques. Level
DD-2 extends this coverage by including the use of layering,
high-level synchronization primitives, and
multi-tasking/multi-threaded modules.
DD-1: Specification of Disciplines Used
The developer shall design the product to minimize the complexity of
the TCB. System engineering shall be directed towards excluding from
the TCB modules that are not protection critical.
The TCB design shall reflect use of modern software engineering
techniques, such as data hiding and abstraction (i.e., data,
functional, and control abstractions) and well-defined
exception-handling.
DD-2: Extended Disciplines for TCB Structuring
The developer shall design the product to minimize the complexity of
the TCB. System engineering shall be directed towards excluding from
the TCB modules that are not protection critical.
The TCB design shall reflect use of modern software engineering
techniques), such as data hiding and abstraction (i.e., data,
functional, and control abstractions) and well-defined
exception-handling. The TCB design shall also include use of layering
(including a rationale for each layering violation), high-level
synchronization constructs, and multi-tasking/ multi-threading.
5.3.1.7 Rated Implementation Support Components
The implementation support components are rated according to the
precision and coverage in maintaining the implementation elements of
the TCB. At IM-1, the developer is only required to maintain the
implementation data used to generate a physical instantiation of the
TCB. IM-2 extends precision and coverage by requiring that the
implementation data be organized to reflect the TCB subsystem
structure and be identified as distinct configuration items. IM-3
further extends precision by requiring that the implementation data
reflect the TCB module structure. Finally, IM-4 further extends the
coverage of the maintenance method by requiring that the coding
standards be identified and enforced, and that the implementation data
modules use the same naming conventions as the design data to help
establish a link between the design and the implementation.
IM-1: Source Data Support
The developer shall maintain engineering diagrams and source code (as
applicable) for all TCB elements.
IM-2: Subsystem Correspondence Support
The developer shall maintain engineering diagrams and source code (as
applicable) for all TCB elements. The diagrams and source code for
each subsystem of the TCB shall be identified and provided as
configuration items.
IM-3: Module Correspondence Support
The developer shall maintain engineering diagrams and source code (as
applicable) for all TCB elements. The diagrams and source code for
each module of the TCB shall be identified and provided as
configuration items.
IM-4: Naming Support For Design Correspondence
The developer shall maintain engineering diagrams and source code (as
applicable) for all TCB elements. The developer shall identify the
programming languages used to develop the TCB software and reference
the definitions of those languages. The developer shall identify any
implementation dependent options of the programming language
compiler(s) used in the TCB source code. The developer shall describe
coding standards followed during the implementation of the product and
shall ensure that all source code complies with these standards. The
diagrams and source code for each module of the TCB shall be
identified and provided as configuration items. The diagrams and
source code shall be named using the same conventions as those used in
the TCB design. The developer shall explain how the programming
languages used help establish the correspondence between the TCB
implementation and design.
5.3.1.8 Rated Functional Testing Components
The functional testing components are rated according to the precision
and coverage of the testing method. The scope of testing is constant:
all functions (as represented by TCB properties) required by the
protection profile must be tested. The strength of the testing method
is assumed to be the same: testing is always used to show the presence
of desired functionality. The precision of testing refers to the
accuracy of the TCB properties and the interface definition (i.e., the
interface description, DIS, or FIS) used to derive test conditions and
data. The coverage of testing refers to the extent to which each
function is tested (e.g., whether all or only a defined set of
boundary conditions are tested).
At FT-1, the goal is to produce functional evidence that the TCB is
capable of satisfying the protection profile requirements. At FT-2,
the coverage of the testing is increased by requiring the tests to
sample more of the range of TCB inputs. Coverage is also increased by
requiring that tests for previously discovered TCB flaws be executed
for all subsequent versions of the TCB (i.e., by regression testing).
Precision is extended at level FT-3by requiring that interface
specifications (i.e., DIS, FIS) be used to generate the test
conditions and data.
FT-1: Conformance Testing
The developer shall test the TCB interface to show that all claimed
protection functions work as stated in the TCB interface description.
The developer shall correct all flaws discovered by testing and shall
retest the TCB until the protection functions are shown to work as
claimed.
FT-2: TCB Interface Testing
The developer shall test the TCB interface to show that all claimed
protection functions work as stated in the TCB interface description
or specification. The tests shall exercise the boundary conditions of
the protection functions. The developer test procedures shall include
the tests used to demonstrate the absence of all flaws discovered in
previous versions of the TCB.
The developer shall correct all flaws discovered by testing and shall
retest the TCB to show that all discovered flaws have been eliminated,
no new flaws have been introduced, and the protection functions work
as claimed.
FT-3: Specification-Driven TCB Interface Testing
The developer shall test the TCB interface to show that all claimed
protection functions work as stated in the TCB interface description
or specification. The tests shall exercise the boundary conditions of
the protection functions. The developer shall generate the test
conditions and data from the Descriptive or Formal Interface
Specification(s). The developer test procedures shall include the
tests used to demonstrate the absence of all flaws discovered in
previous versions of the TCB.
The developer shall correct all flaws discovered by testing and shall
retest the TCB to show that all discovered flaws have been eliminated,
no new flaws have been introduced, and the protection functions work
as claimed.
5.3.1.9 Rated Penetration Analysis Components
The penetration analysis components are rated based on the scope,
precision, coverage, and strength of the analysis methods used. The
scope and precision of the level PA-1 is limited to penetration
testing methods referring only to unprivileged user and application
programming interfaces of the TCB. The precision of penetration
testing is limited to that derived from documentation of the TCB
interface (e.g., system reference manuals). The coverage may be
limited to the testing of known classes of penetration flaws found in
other TCBs of the same, or different, types of products (e.g., generic
penetration flaws).
At level PA-2, both the precision and the coverage of penetration
testing are extended. The sources of design and implementation
information include, in addition to system reference manuals and TCB
interface description, the DIS, source code, and hardware and firmware
specifications. The test conditions are systematically generated using
the flaw- hypothesis method using the TCB interface specification.
Level PA-3 augments penetration testing with penetration- resistance
verification methods. In particular, penetration resistance properties
are defined and condition (validation) check specifications are
written for each property. The DIS and source code are then verified
to establish that the verification conditions are in fact implemented.
Level PA-4 represents a significant extension in the strength of the
penetration analysis. That is, it requires that the penetration
resistance properties of a TCB be verified formally using analysis
tools. This level assumes that the design and implementation of a TCB
is free of flaws that would cause penetration, and is intended to
demonstrate that TCB interfaces are resistant to penetration. As such,
it represents the highest level of penetration analysis assurance.
PA-1 Basic Penetration Testing
The developer shall define the TCB configuration, interface, and
protection functions that are subject to penetration testing. For each
test, the developer shall identify the goal of the test and the
criteria for successful penetration. The developer shall identify all
product documentation (e.g., system reference manuals) used to define
penetration-test conditions, and shall document all test conditions,
data (e.g., test set-up, function call parameters, and test outcomes),
and coverage.
The penetration testing shall include, at a minimum, known classes of
penetration flaws found in other TCBs (e.g., generic penetration
flaws). For each uncovered flaw, the developer shall define and
document scenarios of flaw exploitation, and shall identify all
penetration outcomes resulting from that scenario.
PA-2 Flaw-Hypothesis Testing
The developer shall define the TCB configuration, interface, and
protection functions that are subject to penetration testing. For each
test, the developer shall identify the goal of the test and the
criteria for successful penetration. The developer shall illustrate
how, in addition to system reference manuals and TCB interface
description, the DIS, source code, and hardware and firmware
specifications are used to define penetration-test conditions. For
each test, the developer shall document all test conditions, data
(e.g., test set-up, function call parameters, and test outcomes), and
coverage.
The developer shall generate the test conditions from flaw-hypotheses
derived by negating assertions of TCB design capabilities and by
providing counter examples that show that these assertions are false.
The developer shall confirm the flaw hypotheses by checking design and
implementation documentation, by defining the test data and running
test programs, or by referring to known classes of penetration flaws
found in other TCBs. The refutation of any hypothesis shall be
documented.
For each uncovered flaw, the developer shall define and document
scenarios of flaw exploitation and shall identify all penetration
outcomes resulting from that scenario. The cause of the flaw shall be
identified and documented.
PA-3 Penetration Analysis
The developer shall define the TCB configuration, interface, and
protection functions that are subject to penetration testing and
verification. For each test, the developer shall identify the goal of
the test and the criteria for successful penetration. The developer
shall illustrate how, in addition to system reference manuals and TCB
interface description, the DIS, source code, and hardware and firmware
specifications are used to define penetration-test conditions. For
each test, the developer shall document all test conditions, data
(e.g., test set-up, function call parameters, and test outcomes), and
coverage.
The developer shall generate the test conditions from flaw-hypotheses
derived by negating assertions of TCB design capabilities and by
providing counter examples that show that these assertions are false.
The developer shall confirm the flaw hypotheses by checking design and
implementation documentation, by defining the test data and running
test programs, or by referring to known classes of penetration flaws
found in other TCBs. The refutation of each hypothesis shall be
documented.
The developer shall derive penetration-resistance properties and
conditions by interpreting reference mediation and TCB protection
requirements in the product's TCB. The penetration-resistance
properties and conditions shall also reflect the strength of
functional components (e.g., strength of the identification and
authentication).
The developer shall verify that the penetration- resistance conditions
are implemented by the TCB functions. All uncovered flaws in
implementing the penetration-resistance conditions shall be
documented. For each uncovered flaw, the developer shall define and
document scenarios of flaw exploitation and shall identify all
penetration outcomes resulting from that scenario. The cause of the
flaw shall be identified and documented.
PA-4 Analysis of Penetration Resistance
The developer shall define the TCB configuration, interface, and
protection functions that are subject to penetration testing and
verification. For each test, the developer shall identify the goal of
the test and the criteria for successful penetration. The developer
shall illustrate how, in addition to system reference manuals and TCB
interface description, the DIS, source code, and hardware and firmware
specifications are used to define penetration-test conditions. For
each test, the developer shall document all test conditions, data
(e.g., test set-up, function call parameters, and test outcomes), and
coverage.
The developer shall generate the test conditions from flaw-hypotheses
derived by negating assertions of TCB design capabilities and by
providing counter examples that show that these assertions are false.
The developer shall confirm the flaw hypotheses by checking design and
implementation documentation, by defining the test data and running
test programs, or by referring to known classes of penetration flaws
found in other TCBs. The refutation of each hypothesis shall be
documented.
The developer shall use the DIS, FIS, source code, and hardware and
firmware specifications to derive and specify penetration-resistance
conditions, and shall document all such conditions. The developer
shall derive penetration-resistance properties and conditions by
interpreting reference mediation and TCB protection requirements in
the product's TCB. The penetration-resistance properties and
conditions shall also reflect the strength of functional components
(e.g., strength of the identification and authentication).
The developer shall verify that the penetration- resistance conditions
are implemented by the TCB functions. Tools shall be used to verify
the penetration-resistance properties of the FIS and source code. The
tools shall be capable of checking whether a set of
penetration-resistance conditions is implemented by the FIS and/or
source code of a TCB function. All uncovered flaws in implementing the
penetration-resistance conditions shall be documented. For each
uncovered flaw, the developer shall define and document scenarios of
flaw exploitation and shall identify all penetration outcomes
resulting from that scenario. The cause of the flaw shall be
identified and documented.
5.3.1.10 Rated Covert-Channel Analysis Components
The covert channel analysis components are rated based on the scope,
precision, coverage, and strength of the analysis methods. The scope
and precision of level CCA-1are limited to storage channels identified
in TCB reference manuals and DIS, and the strength of maximum
bandwidth estimation is limited to that provided by informal
engineering measurements. The scope of identification method is
increased at level CCA-2 by including both storage and timing channels
and, consequently, enlarging the scope of the sources of information
used (e.g., by introducing processor and hardware specifications). At
level CCA-3, the precision and coverage of the covert identification
are extended to include analysis of FIS and specification-to-code
correspondence. Also, the strength of the maximum bandwidth estimation
is increased by the requirement to use information theory methods.
CCA-1 Analysis of Covert Storage Channels
1. Identification: The developer shall identify all sources of
information used in covert-storage- channel analysis. These sources
shall include TCB reference manuals and DIS. The developer shall
define the identification method used. The developer shall demonstrate
that the chosen identification method is sound (e.g., it leads to the
discovery of all covert storage channels in the DIS or source
documentation) and repeatable (i.e., independent evaluators can use
the method on the same sources of covert-storage-channel information
and can obtain the same results.) The developer shall define scenarios
of use for each covert storage channel.
2. Bandwidth Measurement or Engineering Estimation: The developer
shall define the method used for covert-storage-channel bandwidth
estimation. In measuring TCB performance for covert-channel-bandwidth
estimation, the developer shall satisfy the following assumptions. The
maximum bandwidth estimation shall be based on the assumptions that
the storage channel is noiseless, that the senders and receivers are
not delayed by the presence of other processes in the product, and
that the sender-receiver synchronization time is negligible. The
choice of informal estimation methods shall define and justify the
coding method and, therefore, the distribution of "0s" and "1s" in all
transmissions.
The developer shall select TCB primitives to be measured for bandwidth
determination from real scenarios of covert-storage-channel use. The
developer shall specify TCB measurement environment for the bandwidth
measurements. This specification shall include: (1) the speed of the
product functions, (2) the product configuration, (3) the sizes of the
memory and cache components, and (4) the product initialization. The
sensitivity of the measurement results to configuration changes shall
be documented. The covert-storage-channel measurements shall include
the fastest TCB function calls for altering, viewing, and setting up
the transmission environment; the demonstrably fastest process
(context) switch time shall also be included in the bandwidth
measurements. All measurements shall be repeatable.
3. Covert Channel Testing: The developer shall test all the use of all
identified covert storage channels to determine whether the handling
functions work as intended.
CCA-2 Timing Channel Analysis
1. Identification: The developer shall identify all sources of
information used in covert-channel analysis. These sources shall
include TCB reference manuals and DIS. The sources of information and
methods of identification shall include processor specifications
whenever the identification method includes source code and hardware
analysis. The developer shall define the identification method used.
The developer shall demonstrate that the chosen identification method
is sound (e.g., it leads to the discovery of all covert channels in
the DIS or source documentation) and repeatable (i.e., independent
evaluators can use the method on the same sources of covert-channel
information and can obtain the same results.) The developer shall
define scenarios of use for each covert channel. The developer shall
also define timing channel scenarios, and shall identify all functions
that provide independent sources of timing (e.g., CPUs, I/O
processors).
2. Bandwidth Measurement or Engineering Estimation: The developer
shall define the method used for covert-channel bandwidth estimation.
In measuring TCB performance for covert-channel- bandwidth estimation,
the developer shall satisfy the following assumptions. The maximum
bandwidth estimation shall be based on the assumptions that the covert
channel is noiseless, that the senders and receivers are not delayed
by the presence of other processes in the product, and that the
sender-receiver synchronization time is negligible. The choice of
informal estimation methods shall define and justify the coding method
and, therefore, the distribution of "0s" and "1s" in all
transmissions.
The developer shall select TCB primitives to be measured for bandwidth
determination from real scenarios of covert-channel use. The developer
shall specify TCB measurement environment for the bandwidth
measurements. This specification shall include: (1) the speed of the
product functions, (2) the product configuration, (3) the sizes of the
memory and cache components, and (4) the product initialization. The
sensitivity of the measurement results to configuration changes shall
be documented. The covert-channel measurements shall include the
fastest TCB function calls for altering, viewing, and setting up the
transmission environment; the demonstrably fastest process (context)
switch time shall also be included in the bandwidth measurements. All
measurements shall be repeatable.
3. Covert Channel Testing: The developer shall test all the use of all
identified covert channels to determine whether the handling functions
work as intended.
CCA-3 Formal Covert Channel Analysis
1. Identification: The developer shall identify all sources of
information used in covert-channel analysis. These sources shall
include TCB reference manuals, DIS, and FIS. The sources of
information and methods of identification shall include processor
specifications whenever the identification method includes source code
and hardware analysis. The developer shall define the identification
method used. The developer shall define the identification method
used. The developer shall demonstrate that the chosen identification
method is sound (e.g., it leads to the discovery of all covert
channels in the FIS or source documentation) and repeatable (i.e.,
independent evaluators can use the method on the same sources of
covert-channel information and can obtain the same results.) The
method shall be applied on the FIS of the TCB, and shall include
syntactic information-flow analysis (with or without the use of
semantic analysis) or noninterference analysis. The identification of
covert channels shall include specification-to- code correspondence.
The developer shall define scenarios of use for each cover channel.
The developer shall also define timing channel scenarios, and shall
identify all functions that provide independent sources of timing
(e.g., CPUs, I/O processors).
2. Bandwidth Measurement or Engineering Estimation: The developer
shall define the method used for covert-channel bandwidth estimation.
The method shall be based on information theory methods. In measuring
TCB performance for covert- channel-bandwidth estimation, the
developer shall satisfy the following assumptions. The maximum
bandwidth estimation shall be based on the assumptions that the covert
channel is noiseless, that the senders and receivers are not delayed
by the presence of other processes in the product, and that the
sender-receiver synchronization time is negligible.
The developer shall select TCB primitives to be measured for bandwidth
determination from real scenarios of covert channel use. The developer
shall specify TCB measurement environment for the bandwidth
measurements. This specification shall include: (1) the speed of the
product functions, (2) the product configuration, (3) the sizes of the
memory and cache components, and (4) the product initialization. The
sensitivity of the measurement results to configuration changes shall
be documented. The covert-channel measurements shall include the
fastest TCB function calls for altering, viewing, and setting up the
transmission environment; the demonstrably fastest process (context)
switch time shall also be included in the bandwidth measurements. All
measurements shall be repeatable.
3. Covert Channel Testing: The developer shall test all the use of all
identified covert channels to determine whether the handling functions
work as intended.
5.3.2 Operational Support
5.3.2.1 Rated User Guidance Components
The user guidance component is unrated since it contain only one
level.
UG-1: User Guide
The developer shall provide a User Guide which describes all
protection services provided and enforced by the TCB. The User Guide
shall describe the interaction between these services and provide
examples of their use. The User Guide may be in the form of a summary,
chapter or manual. The User Guide shall specifically describe user
responsibilities. These shall encompass any user responsibilities
identified in the protection profile.
5.3.2.2 Rated Administrative Guidance Components
The rating of the administrative guidance components reflect, to a
large degree, the rating of the security management components. At
AG-1, the coverage of the Trusted Facility Manual (TFM) must include
an explanation of how the TCB can be installed and used to support an
organization's security policy. This explanation must include a
discussion of how to set the security parameters for all TCB functions
and how to use the audit trail to discover policy violations (see the
administrative functions of components SM-1 and SM-2). At AG- 2, TFM
coverage is extended to include a discussion of how to set additional
policy parameters, how to use the separate administrator and operator
roles and privileges, and how to securely generate the TCB (see the
administrative functions of component SM-3). Finally, at AG-3, which
assumes a product with fine-grained privileges, the TFM coverage is
increased to include the use of those privileges in implementing
extensive administrative policies (see the administrative functions of
component SM-4).
AG-1: Basic Administrative Guidance
The developer shall provide a Trusted Facility Manual intended for the
product administrators that describes how to use the TCB security
services (e.g., Access Control, System Entry, or Audit) to enforce a
system security policy. The Trusted Facility Manual shall include the
procedures for securely configuring, starting, maintaining, and
halting the TCB. The Trusted Facility Manual shall explain how to
analyze audit data generated by the TCB to identify and document user
and administrator violations of this policy. The Trusted Facility
Manual shall explain the privileges and functions of administrators.
The Trusted Facility Manual shall describe the administrative
interaction between security services.
The Trusted Facility Manual shall be distinct from User Guidance, and
encompass any administrative responsibilities identified in security
management.
AG-2: Detailed Administrative Guidance
The developer shall provide a Trusted Facility Manual intended for the
product administrators and operators that describes how to use the TCB
security services (e.g., Access Control, System Entry, or Audit) to
enforce a system security policy. The Trusted Facility Manual shall
include the procedures for securely configuring, starting,
maintaining, and halting the TCB. The Trusted Facility Manual shall
explain how to analyze audit data generated by the TCB to identify and
document user and administrator violations of this policy. The
Trusted Facility Manual shall explain the unique security-relevant
privileges and functions of administrators and operators. The Trusted
Facility Manual shall describe the administrative interaction between
security services.
The Trusted Facility Manual shall identify all hardware, firmware,
software, and data structures comprising the TCB. The detailed audit
record structure for each type of audit event shall be described. If
covert channel handling is required, the Trusted Facility Manual shall
explain how to configure the product to mitigate, eliminate, or audit
covert channel exploitation. The Trusted Facility Manual shall
describe the cautions about and procedures for using the TCB as a base
for site-specific secure applications. The Trusted Facility Manual
shall describe procedures for securely regenerating the TCB after any
part is changed (e.g., due to adding devices or installing flaw
corrections to the TCB software).
The Trusted Facility Manual shall be distinct from User Guidance, and
encompass any administrative responsibilities identified in security
management.
AG-3: Role-Based Administrative Guidance
The developer shall provide a Trusted Facility Manual intended for the
product administrators and operators that describes how to use the TCB
security services (e.g., Access Control, System Entry, or Audit) to
enforce a system security policy. The Trusted Facility Manual shall
include the procedures for securely configuring, starting,
maintaining, and halting the TCB. The Trusted Facility Manual shall
explain how to analyze audit data generated by the TCB to identify and
document user and administrator violations of this policy. The
Trusted Facility Manual shall explain the unique security-relevant
privileges and functions of administrators and operators. The Trusted
Facility Manual shall also explain the distinct security-relevant
privileges and functions of the TCB and how they can be selectively
granted to provide fine-grained, multi-person or multi-role system and
application administration policies. The Trusted Facility Manual
shall describe the administrative interaction between security
services.
The Trusted Facility Manual shall identify all hardware, firmware,
software, and data structures comprising the TCB. The detailed audit
record structure for each type of audit event shall be described. If
covert channel handling is required, the Trusted Facility Manual shall
explain how to configure the product to mitigate, eliminate, or audit
covert channel exploitation. The Trusted Facility Manual shall
describe the cautions about and procedures for using the TCB as a base
for site-specific secure applications. The Trusted Facility Manual
shall describe procedures for securely regenerating the TCB after any
part is changed (e.g., due to adding devices or installing flaw
corrections to the TCB software).
The Trusted Facility Manual shall be distinct from User Guidance, and
encompass any administrative responsibilities identified in security
management.
5.3.2.3 Rated Flaw Remediation Components
The flaw remediation components are rated according to the precision,
coverage and strength of the procedures used to identify and correct
flaws, and disseminate corrections to affected consumers. At FR-1, the
developer is responsible for establishing procedures to accept reports
of flaws, find corrections to those flaws, and disseminate the flaw
corrections to consumers who specifically request the corrections. At
FR-2, the precision of the developer-consumer interaction is increased
by requiring that the developer identify and publicize specific points
of contact for product security concerns. Coverage is increased by
requiring a remediation policy that distinguishes protection-relevant
changes to the product from other changes. At FR-3, the coverage of
both flaw repair and customer interaction procedures is increased by
considering the customer's security policies and by relating each
entry in the flaw tracking and repair database to the consumers who
might be affected. At FR-4, precision and coverage are extended by
requiring the developer to notify consumers of flaw discovery and to
distribute corrections of the discovered flaws within specific time
limits. Finally, at FR-5, the method is strengthened by requiring that
the flaw remediation procedures be tightly coupled to the rest of the
development process through the configuration management system.
FR-1: Basic Flaw Remediation
Flaw Tracking Procedures: The developer shall establish a procedure to
track all reported protection flaws in each release of the product.
The tracking system shall include a description of the nature and
effect of each flaw and the status of finding a correction to the
flaw.
Flaw Repair Procedures: The developer shall establish a procedure to
identify corrective actions for protection flaws.
Consumer Interaction Procedures: The developer shall provide flaw
information and corrections to registered consumers.
FR-2: Flaw Reporting Procedures
Flaw Tracking Procedures: The developer shall establish a procedure to
track all reported protection flaws with each release of the product.
The tracking system shall include a description of the nature and
effect of each flaw and the status of finding a correction to the
flaw.
Flaw Repair Procedures: The developer shall establish a procedure to
identify corrective actions for protection flaws. This procedure shall
include a policy to separate protection-relevant from non-protection
relevant corrections, changes, or upgrades to the product.
Consumer Interaction Procedures: The developer shall establish a
procedure for accepting consumer reports of protection problems and
requests for corrections to those problems. The developer shall
designate one or more specific points of contact for consumer reports
and inquiries about protection issues involving the product. This
procedure and the designated points of contact shall be provided in
the consumer documentation (e.g., the TFM or the SFUG).
FR-3: Systematic Flaw Remediation
Flaw Tracking Procedures: The developer shall establish a procedure to
track all reported protection flaws with each release of the product.
The tracking system shall include a description of the nature and
effect of each flaw and the status of finding a correction to the
flaw.
Flaw Repair Procedures: The developer shall establish a procedure to
identify corrective actions for protection flaws. This procedure shall
include a policy to separate protection-relevant from non-protection
relevant corrections, changes, or upgrades to the product. The
developer shall have a policy that when a consumer's system must be
used to diagnose and repair any problem, the developer personnel will
abide by that consumer's system security policy.
Consumer Interaction Procedures: The developer shall establish a
procedure for accepting consumer reports of protection problems and
requests for corrections to those problems. This procedure shall also
provide for automatic distribution of problem reports, for which
corrections have been found, to registered consumers who might be
affected by the problem. The developer shall designate one or more
specific points of contact for consumer reports and inquiries about
protection issues involving the product. These procedures and the
designated points of contact shall be provided in the consumer
documentation (e.g., the TFM or the SFUG).
FR-4: Timely Flaw Remediation
Flaw Tracking Procedures: The developer shall establish a procedure to
track all reported protection flaws with each release of the product.
The tracking system shall include a description of the nature and
effect of each flaw and the status of finding a correction to the
flaw.
Flaw Repair Procedures: The developer shall establish a procedure to
identify corrective actions for protection flaws. This procedure shall
include a policy to separate protection-relevant from non-protection
relevant corrections, changes, or upgrades to the product. The
developer shall have a policy that when a consumer's system must be
used to diagnose and repair any problem, the developer personnel will
abide by that consumer's system security policy.
Consumer Interaction Procedures: The developer shall establish a
procedure for accepting consumer reports of protection problems and
requests for corrections to those problems. This procedure shall
establish strict time intervals for automatically distributing the
problem reports to registered consumers who might be affected by the
problem and subsequently distributing the corrections that are found
to these same consumers. The developer shall designate one or more
specific points of contact for consumer reports and inquiries about
protection issues involving the product. These procedures and the
designated points of contact shall be provided in the consumer
documentation (e.g., the TFM or the SFUG).
FR-5: Controlled Protection State
Flaw Tracking Procedures: The developer shall establish a procedure to
track all reported protection flaws with each release of the product.
The tracking system shall include a description of the nature and
effect of each flaw and the status of finding a correction to the
flaw. The tracking system shall be incorporated into the configuration
management system.
Flaw Repair Procedures: The developer shall establish a procedure to
identify corrective actions for protection flaws. This procedure shall
include a policy to separate protection-relevant from non-protection
relevant corrections, changes, or upgrades to the product. The
developer shall have a policy that when a consumer's system must be
used to diagnose and repair any problem, the developer personnel will
abide by that consumer's system security policy.
Consumer Interaction Procedures: The developer shall establish a
procedure for accepting consumer reports of protection problems and
requests for corrections to those problems. This procedure shall
establish strict time intervals for automatically distributing the
problem reports to registered consumers who might be affected by the
problem and subsequently distributing the corrections that are found
to these same consumers. The developer shall designate one or more
specific points of contact for consumer reports and inquiries about
protection issues involving the product. These procedures and the
designated points of contact shall be provided in the consumer
documentation (e.g., the TFM or the SFUG).
5.3.2.4 Rated Trusted Generation Components
The trusted generation components are rated according to the coverage
and strength of the methods used to generate the baseline TCB. The
goal is to produce an operational TCB that does not invalidate the
protection properties established for the baseline TCB. At TG-1, the
developer must provide procedures for generating an operational TCB
from the delivered product. At TG-2, the coverage of the system
generation method is increased by requiring the developer to have the
system generation parameters default to their most restrictive
settings, thereby requiring the consumer to take a positive action to
reduce the protection provided by the TCB. At TG-3, the coverage and
strength of the generation method are increased by requiring the
developer to provide a tool that can be used after the TCB is
generated to determine if the TCB parameters are within the ranges of
a secure state. Finally, at TG-4, coverage and strength are further
extended by requiring that the product periodically execute the
parameter checking tool and alert an administrator or operator when
the TCB configuration parameters are out of range.
TG-1: Basic Trusted Generation
The developer shall establish and document the procedures that a
consumer must perform to generate an operational TCB from the
delivered copy of the master TCB. The consumer documentation shall
identify any system parameters, which are initialized or set during
system generation, that affect the TCB's conformance to the protection
profile and state the acceptable ranges of values for those
parameters.
TG-2: Trusted Generation With Fail-Safe Defaults
The developer shall establish and document the procedures that a
consumer must perform to generate an operational TCB from the
delivered copy of the master TCB. The consumer documentation shall
identify any system parameters, which are initialized or set during
system generation, that affect the TCB's conformance to the protection
profile and state the acceptable ranges of values for those
parameters. The product shall be delivered with each of these
parameters set to its fail-safe defaults.
TG-3: Trusted Generation With Secure State Review
The developer shall establish and document the procedures that a
consumer must perform to generate an operational TCB from the
delivered copy of the master TCB. The consumer documentation shall
identify any system parameters, which are initialized or set during
system generation, that affect the TCB's conformance to the protection
profile and state the acceptable ranges of values for those
parameters. The product shall be delivered with each of these
parameters set to its fail-safe defaults. The developer shall provide
the consumer with a capability to review the product security state
(e.g., by providing a program, which could be executed after
generating and starting the TCB, that determines the consistency of
the protection-relevant parameters).
TG-4: Trusted Generation With Secure State Monitoring
The developer shall establish and document the procedures that a
consumer must perform to generate an operational TCB from the
delivered copy of the master TCB. The consumer documentation shall
identify any system parameters, which are initialized or set during
system generation, that affect the TCB's conformance to the protection
profile and state the acceptable ranges of values for those
parameters. The product shall be delivered with each of these
parameters set to its most protective value. The developer shall
provide the consumer with a capability to monitor the product security
state (e.g., by providing a program, which is periodically and
automatically executed after generating and starting the TCB, that
determines the consistency of the protection- relevant parameters).
5.3.3 Development Environment
5.3.3.1 Rated Life Cycle Definition Components
The life-cycle definition components are rated according to the
precision and coverage of the engineering process used to develop the
product. Coverage refers to the extent to which the engineering
process incorporates the development and operational support
requirements of a protection profile. Precision refers to the
accuracy that can be brought to measuring the developer's conformance
to the claimed process including the specification of the programming
environment. At LC-1, the developer is required to describe the
process used to develop the product, and show how all of the
development and operational support requirements of the protection
profile are satisfied as that process is followed. No constraints are
placed on the engineering process chosen by the developer. At LC-2,
the precision and coverage are extended by requiring the developer to
use a well-defined process that provides for effective identification
of the engineering requirements as the product is developed. Finally,
at LC-3, precision and coverage are further extended by requiring a
standard engineering process, which includes well-defined coding
standards, whose use can be measured.
LC-1: Developer-Defined Life Cycle Process
The developer shall describe the process used to develop and maintain
the product. The process shall incorporate a security policy that
states the technical, physical, procedural, personnel, and other
measures used by the developer to protect the product and its
documentation. The developer shall trace each development process and
support process requirement of the protection profile to the part, or
parts, of the developer's process where the requirement is satisfied.
The developer shall identify the programming languages used to develop
the TCB software.
LC-2: Standardized Life Cycle Process
The developer shall develop and maintain the product using a well
defined, standardized engineering process. The developer shall explain
why the process was chosen and how the developer uses it to develop
and maintain the product. The process shall incorporate a security
policy that states the technical, physical, procedural, personnel, and
other measures used by the developer to protect the product and its
documentation. The developer shall demonstrate that each development
process and support process requirement of the protection profile is
satisfied by some part, or parts, of the developer's process. The
developer shall identify the programming languages used to develop the
TCB software and reference the definitions of those languages. The
developer shall identify any implementation dependent options of the
programming language compiler(s) used to implement the TCB software.
LC-3: Measurable Life Cycle Process
The developer shall develop and maintain the product using a well
defined, standardized, and measurable engineering process. The
developer shall explain why the process was chosen and how the
developer uses it to develop and maintain the product. The developer
shall comply with the engineering process standard. The process shall
incorporate a security policy that states the technical, physical,
procedural, personnel, and other measures used by the developer to
protect the product and its documentation. The developer shall
demonstrate that each development process and support process
requirement of the protection profile is satisfied by some part, or
parts, of the developer's process. The developer shall identify the
programming languages used to develop the TCB software and reference
the definitions of those languages. The developer shall identify any
implementation dependent options of the programming language
compiler(s) used to implement the TCB software and reference the
definitions of those languages.The developer shall describe coding
standards followed during the implementation of the product and shall
ensure that all source code complies with these standards.
5.3.3.2 Rated Configuration Management Components
The configuration management components are rated according to the
precision, coverage, and strength of the configuration management
methods. Level CM-1 includes basic configuration management methods
that rely on an informal mapping between the various parts of the TCB
source data, documentation, and evidence. At CM-2, the precision and
strength of configuration management are increased by requiring that a
rigorous mapping between configuration items be used, and that the
source data configuration be controlled using automated techniques. At
CM-3, coverage and strength are extended by requiring the use of a
formal acceptance procedure for generating and maintaining source
data. Finally, at CM-4, the strength of the overall configuration
management process is enhanced by requiring that it conform to
developer-defined safeguards to protect the master copy.
CM-1: Procedural Control and Generation
The developer shall establish configuration control and generation
procedures for developing and maintaining the TCB. The procedures
shall be employed to ensure that changes to the TCB are consistent
with the product's protection properties and security policy. The
developer shall employ these procedures to track changes to
development evidence, implementation data (e.g., source code and
hardware diagrams), executable versions of the TCB, test documentation
and procedures, identified flaws, and consumer documentation.
The configuration control procedures shall permit the regeneration of
any supported version of the TCB.
CM-2: Automated Source Code Control
The developer shall establish configuration control and generation
procedures for developing and maintaining the TCB. The procedures
shall be employed to ensure that changes to the TCB are consistent
with the product's protection properties and security policy. The
developer shall employ these procedures to track changes to
development evidence, implementation data (e.g., source code and
hardware diagrams), executable versions of the TCB, test documentation
and procedures, identified flaws, and consumer documentation. The
procedures shall include automated tools to control the software
source code that comprises the TCB.
The configuration control procedures shall assure a consistent mapping
among documentation and code associated with the current version of
the TCB and permit the regeneration of any supported version of the
TCB.
CM-3: Comprehensive Automated Control
The developer shall establish configuration control and generation
procedures employing automated tools for developing and maintaining
the TCB. The procedures shall be employed to ensure that changes to
the TCB are consistent with the product's protection properties and
security policy. The developer shall employ these tools to track and
control changes to development evidence, implementation data (e.g.,
source code and hardware diagrams), executable versions of the TCB,
test documentation and procedures, identified flaws, and consumer
documentation. The procedures shall include a formal acceptance
process for protection-relevant changes.
The configuration control procedures shall assure a consistent mapping
among documentation and code associated with the current version of
the TCB and permit the regeneration of any supported version of the
TCB. The developer shall provide tools for the generation of a new
version of the TCB from source code. Also, tools shall be available
for comparing a newly generated version with the previous TCB version
to ascertain that only the intended changes have been made in the code
that will actually be used as the new version of the TCB.
CM-4: Extended Configuration Management
The developer shall establish configuration control and generation
procedures employing automated tools for developing and maintaining
the TCB. The procedures shall be employed to ensure that all changes
to the TCB are consistent with the product's protection properties and
security policy. The developer shall employ these tools to track and
control changes to development evidence, implementation data (e.g.,
source code and hardware diagrams), executable versions of the TCB,
test documentation and procedures, identified flaws, and consumer
documentation. The procedures shall include a formal acceptance
process for protection-relevant changes.
The configuration control procedures shall assure a consistent mapping
among documentation and code associated with the current version of
the TCB and permit the regeneration of any supported version of the
TCB. The developer shall provide tools for the generation of a new
version of the TCB from source code. Also, tools shall be available
for comparing a newly generated version with the previous TCB version
to ascertain that only the intended changes have been made in the code
that will actually be used as the new version of the TCB. The
developer shall use a combination of technical, physical, and
procedural safeguards to protect the master copy or copies of all
material used to generate the TCB from unauthorized modification or
destruction.
5.3.3.3 Rated Trusted Distribution Components
The rating of the trusted distribution components is based on the
strength the trusted distribution methods; i.e., on the ability to
detect or prevent modifications of the consumer's copy of the TCB from
being modified while it is transferred from the development
environment to the consumer's environment. At TD-1 the developer is
responsible for establishing procedures and/or using technical
measures that will allow a consumer to detect tampering or
modification of the TCB during transfer. At TD-2, stronger methods are
required to ensure that tampering with the TCB during transfer is
prevented.
TD-1: TCB Modification Detection During Distribution
The developer shall establish procedures and employ appropriate
technical measures to detect modifications to any TCB-related
software, firmware, and hardware, including updates, that is
transferred from the development environment to a consumer's site.
TD-2: TCB Modification Prevention During Distribution
The developer shall establish procedures and employ appropriate
technical measures to prevent modifications to any TCB-related
software, firmware, and hardware, including updates, that is
transferred from the development environment to a consumer's site.
5.3.4 Development Evidence
The rating of the development evidence parallels, to a large extent,
the rating of the development process, development environment, and
operational support. Thus, the number of evidence levels required to
reflect the process, environment and operational ratings must reflect
these ratings.
The rating considerations that lead to the articulation of the
development-evidence levels are similar to those used for the
development process. For this reason they will not be repeated here.
5.3.4.1 Rated TCB Protection Property Evidence Components
EPP-1 Evidence of TCB Correspondence to the Functional Requirements
The developer shall provide documentation which describes the
correspondence between the functional component requirements and the
TCB elements and interfaces. The TCB properties, which are defined by
this correspondence, shall be explained in this documentation.
EPP-2 Evidence of Informal Model Interpretation in the TCB
The developer shall provide documentation which describes the
correspondence between the functional component requirements and the
TCB elements and interfaces. The developer shall also provide an
informal access control model and its interpretation within the TCB.
The TCB properties, which are defined by this correspondence, shall be
explained in this documentation.
EPP-3 Evidence of Formal Model Interpretation in the DIS
The developer shall provide documentation which describes the
correspondence between the functional component requirements and the
TCB elements and interfaces. This documentation shall describe how the
TCB implements the reference monitor concept. The developer shall also
provide a formal access-control model and an informal reference
mediation and TCB protection model. The TCB properties, which are
defined by this correspondence and the interpretation of these models
within the DIS of the TCB shall be documented by the product
developer.
EPP-4 Evidence of Formal Model Interpretation in the FIS
The developer shall provide documentation which describes the
correspondence between the functional component requirements and the
TCB elements and interfaces. This documentation shall describe how the
TCB implements the reference monitor concept.The developer shall also
provide a formal access-control model and an informal reference
mediation and TCB protection model. The TCB properties, which are
defined by this correspondence and the interpretation of these models
within the DIS and FIS of the TCB shall be documented by the product
developer.
5.3.4.2 Rated Product Design/Implementation Evidence Compo- nents
EPD-1: Description Of The TCB External Interface
The developer shall provide an accurate description of the functions,
effects, exceptions and error messages visible at the TCB interface.
The developer shall provide a list of the TCB elements (hardware,
software, and firmware).
EPD-2: Specification Of The TCB External Interface
The developer shall provide TCB Design Specifications that include: a
list of the TCB elements (hardware, software, and firmware
configuration items); a description of the policy allocations,
functions, and interactions among the major TCB subsystems; and module
level descriptions of all software and hardware in the TCB.
The developer shall provide a Descriptive Interface Specification
(DIS) that describes the functions, effects, exceptions and error
messages visible at the TCB interface. The developer shall show that
the DIS is an accurate representation of the TCB's external
interfaces.
The developer shall provide a description of the TCB's implementation
and an explanation of how it corresponds to the TCB design.
EPD-3: Analysis Of The TCB External Interface
The developer shall provide TCB Design Specifications that include: a
list of the TCB elements (hardware, software, and firmware
configuration items); a list of protection services provided to the
TCB by hardware, software, and firmware that is not part of the TCB;
an explanation of the techniques and criteria used during the modular
decomposition of the TCB; a description of the policy allocations,
functions, and interactions among the major TCB subsystems; and module
level descriptions of all software and hardware in the TCB.
The developer shall provide a Descriptive Interface Specification
(DIS) that describes the functions, effects, exceptions and error
messages visible at the TCB interface. The developer shall show that
the DIS is an accurate representation of the TCB's external
interfaces.
The developer shall provide TCB Implementation Data consisting of the
engineering diagrams for all hardware included in the TCB and the
source code used to generate the TCB software and firmware.
EPD-4: Policy Consistency Of The DIS
The developer shall provide TCB Design Specifications that include: a
list of the TCB elements (hardware, software, and firmware
configuration items); a list of protection services provided to the
TCB by hardware, software, and firmware that is not part of the TCB;
an explanation of the techniques and criteria used during the modular
decomposition of the TCB; a description of the policy allocations,
functions, and interactions among the major TCB subsystems; and module
level descriptions of all software and hardware in the TCB.
The developer shall provide a Descriptive Interface Specification
(DIS) that describes the functions, effects, exceptions and error
messages visible at the TCB interface and includes a convincing
argument that the DIS is consistent with the formal model of the
policy. The developer shall show that the DIS is an accurate
representation of the TCB's external interfaces.
The developer shall provide TCB Implementation Data consisting of the
engineering diagrams for all hardware included in the TCB and the
source code used to generate the TCB software and firmware. The
developer shall show that the TCB software, firmware, and hardware
implement the documented TCB design.
EPD-5: Policy Consistency Of The FIS
The developer shall provide a Descriptive Interface Specification
(DIS) that describes the functions, effects, exceptions and error
messages visible at the TCB interface and includes a convincing
argument that the DIS is consistent with the formal model of the
policy. The developer shall show that the DIS is an accurate
representation of the TCB's external interfaces.
The developer shall provide a Formal Interface Specification (FIS)
that rigorously defines the protection functions available at the TCB
interface in terms of: the protection properties implemented by each
function, the precise semantics for invoking each function, the
effects of each function (i.e., returned values and effect on the TCB
state), and the possible exceptions and error messages returned by
each function. The FIS shall be accompanied by a convincing argument
that it is consistent with the formal model of the product protection
policy. This argument shall be constructed using both manual and
machine-assisted specification and verification methods. Machine-
assisted specification and verification methods shall be approved by
the product evaluation authority.
The developer shall provide TCB Design Specifications that include: a
list of the TCB elements (hardware, software, and firmware
configuration items); a list of protection services provided to the
TCB by hardware, software, and firmware that is not part of the TCB;
an explanation of the techniques and criteria used during the modular
decomposition of the TCB; a description of the policy allocations,
functions, and interactions among the major TCB subsystems; module
level descriptions of all software and hardware in the TCB; and an
argument that the design implements exactly the functions specified in
the FIS.
The developer shall provide TCB Implementation Data consisting of the
engineering diagrams for all hardware included in the TCB and the
source code used to generate the TCB software and firmware. The
developer shall show, through either manual or machine-assisted
correspondence methods, that the TCB software, firmware, and hardware
implement the documented TCB design.
5.3.4.3 Rated Functional Testing Evidence Components
EFT-1: Evidence of Conformance Testing
The developer shall provide evidence of the functional testing that
includes the test plan, the test procedures, and the results of the
functional testing.
EFT-2: Evidence of Test Configuration Control
The developer shall provide evidence of the functional testing that
includes the test plan, the test procedures, and the results of the
functional testing. The test plans, procedures, and results shall be
maintained under the same configuration control as the TCB software.
EFT-3: Evidence of Specification-Driven Testing
The developer shall provide evidence of the functional testing that
includes the test plan, the test procedures, and the results of the
functional testing. The test, plans, procedures, and results shall be
maintained under the same configuration control as the TCB software.
The test plans shall identify the TCB specification used in the
derivation of the test conditions, data, and coverage analysis.
5.3.4.4 Rated Penetration Analysis Evidence Components
EPA-1: Evidence of Penetration Testing
The developer shall provide evidence of penetration testing. The
evidence shall identify all product documentation on which the search
for flaws was based. The penetration evidence shall describe the
scenarios for exploiting each potential flaw in the system and the
penetration test conditions, data (e.g., test set-up, function call
parameters, and test outcomes), coverage, and conclusions derived from
each scenario.
EPA-2: Evidence of Flaw-Hypothesis Generation and Testing
The developer shall provide evidence of penetration testing. The
penetration evidence shall identify all product documentation and
development evidence on which the search for flaws was based. The
penetration evidence shall describe the scenarios for exploiting each
potential flaw in the system and the penetration test conditions, data
(e.g., test set-up, function call parameters, and test outcomes),
coverage, and conclusions derived from each scenario. The penetration
evidence shall summarize both refuted and confirmed flaws hypothesis.
EPA-3: Evidence of Penetration Analysis
The developer shall provide evidence of penetration testing. The
penetration evidence shall identify all product documentation and
development evidence on which the search for flaws was based. The
penetration evidence shall describe the scenarios for exploiting each
potential flaw in the system and the penetration test conditions, data
(e.g., test set-up, function call parameters, and test outcomes),
coverage, and conclusions derived from each scenario. The penetration
evidence shall summarize both refuted and confirmed flaws hypothesis
and identify TCB elements where the TCB implementation of the
penetration-resistance conditions is flawed.
EPA-4: Evidence of Formal Penetration Analysis
The developer shall provide evidence of penetration testing. The
penetration evidence shall identify all product documentation and
development evidence on which the search for flaws was based. The
penetration evidence shall describe the scenarios for exploiting each
potential flaw in the system and the penetration test conditions, data
(e.g., test set-up, function call parameters, and test outcomes),
coverage, and conclusions derived from each scenario. The penetration
evidence shall summarize both refuted and confirmed flaws hypothesis
and identify TCB elements where the TCB implementation of the
penetration-resistance conditions is flawed. The penetration evidence
shall include the results of mechanically validating the
implementation of the penetration resistance conditions specified for
the TCB.
5.3.4.5 Rated Covert Channel Analysis Evidence Components
ECC-1: Evidence of Covert Storage Channel Analysis and Han- dling
The developer's documentation shall present the results of the
covert-storage-channel analysis and the trade-offs involved in
restricting these channels. All auditable events that may be used in
the exploitation of known covert storage channels shall be identified.
The developer shall provide the bandwidths of known
covert-storage-channels whose use is not detectable by the auditing
mechanism. The documentation of each identified storage channel shall
consist of the variable that can be viewed/altered by the channel and
the TCB interface functions that can alter or view that variable. The
measurements of each TCB function call used by covert-storage channels
must be documented and the bandwidth computation shall be included for
each channel. The measurement environment should be documented as
specified. Test documentation shall include results of testing the
effectiveness of the methods used to reduce covert-storage-channel
bandwidths.
ECC-2: Evidence of Covert Channel Analysis and Handling
The developer's documentation shall present the results of the covert
channel analysis and the trade-offs involved in restricting these
channels. All auditable events that may be used in the exploitation
of known covert channels shall be identified. The developer shall
provide the bandwidths of known covert channels whose use is not
detectable by the auditing mechanism. The documentation of each
identified covert channel shall consist of the variables, timing
sources, and the TCB interface functions that can be used to transmit
information. The measurements of each TCB function call used by covert
channels must be documented and the bandwidth computation shall be
included for each channel. The measurement environment should be
documented as specified. Test documentation shall include results of
testing the effectiveness of the methods used to reduce covert-channel
bandwidths.
5.3.4.6 Rated Product Support Evidence Components
EPS-1: Evidence of Basic Product Support
The developer shall provide evidence that describes the policies,
procedures, and plans established by the developer to satisfy the
Operational Support and Development Environment requirements of the
protection profile.
EPS-2: Evidence of Defined Product Support
The developer shall provide documentation that defines the policies,
procedures, plans, and tools established by the developer to satisfy
the Operational Support and Development Environment requirements of
the protection profile.
EPS-3: Evidence of Measured Product Support
The developer shall provide documentation that defines, explains, and
justifies the policies, procedures, plans, and tools established by
the developer to satisfy the Operational Support and Development
Environment requirements of the protection profile. The documentation
shall also explain how the developer periodically evaluates compliance
with the established procedures, policies, and plans.
5.4 Bibliographic Notes
TBD.
Chapter 6.
EVALUATION ASSURANCE REQUIREMENTS
Editor's Note: This chapter represents an initial attempt to
consolidate many different ideas regard- ing evaluations and
articulate a simple structure for levying requirements on the
evaluation process. The material is presented to stimulate the debate
and analysis regarding what should be required of product evaluations.
6.1 Overview
Product evaluation is the process of validating that an IT product,
and the context in which it is developed and supported, conforms to
the requirements of a protection profile. Since only the protection
functions and quality of the product mitigate against risk, the
consumer's understanding of residual risk in any system employing the
product is largely dependent upon a producer's claims and/or upon
product evaluation information. Quality, in this context, is focused
on appropriateness, correctness, and simplicity of design with respect
to functional requirements, and correctness, effectiveness, and
efficiency of implementation with respect to design. When this
information is provided by a source independent of the product's
producer, the consumer generally has a greater degree of confidence
regarding the degree of conformance claimed by the producer.
This chapter addresses the protection profile section for evaluation
assurance which contains requirements derived from the generic
components presented later in this chapter. These generic requirements
may be tailored with respect to the profile requirements for
protection functions and development assurance. Each protection
profile can be separately tailored for evaluation. Thus, all IT
products produced to conform to a particular protection profile will
be commonly evaluated at a level of assurance commensurate with the
profile's requirements for protection functions and development
assurance. This evaluation assurance level is agreed upon during
profile registration by the participants to the registration process
(e.g., producers, profile developers, evaluation authorities).
The evaluation assurance requirements contained in a protection
profile specify the minimum requirements that must be satisfied during
an evaluation process. This document adopts the philosophy that if a
protection function or development assurance requirement is placed on
a producer, then the satisfaction of such a requirement must be
evaluated. Incremental evaluation assurance is accomplished by
changing the scope and intensity of examination to make the evaluated
aspects of the product's TCB, its internals, its interfaces, and its
production processes increasingly visible.
Evaluation assurance requirements do not by themselves define a
particular approach to product evaluation. There are conceivably many
different approaches to product evaluation to provide varying levels
of assurance. Any approach is defined by both evaluation methods and
the business process that incorporates those methods. Since the
business process is one that should remain flexible, the requirements
specified in this document are not intended to completely define a
specific process. Rather, they articulate requirements on methods that
can be used with a variety of business processes.The specific process
is largely the result of business decisions made by an evaluation
authority, often in conjunction with the producer and/or consumer,
regarding the most appropriate and cost-effective manner to accomplish
the evaluation assurance goals within the available resources.
This chapter is divided into four sections. The remainder of this
section groups the evaluation assurance components of a TCB into three
classes and describes the types of components in each class. The
second section presents a description of each type of evaluation
assurance component in terms of the functional and development
assurance requirements these components are intended to verify. The
third section presents the rated evaluation assurance components. The
last section includes a bibliography of useful literature references.
Classes of Evaluation Assurance: The product evaluation components
address three classes of evaluation methods (i.e., testing, review,
and analysis) and establish generic evaluation requirements based on
those methods. Test analysis and independent testing were grouped due
to the similarity of their requirements. The product evaluation
components are depicted in Figure 6.
Testing. This class of components defines two evaluation assurance
components: (1) test analysis components, and (2) independent testing
components. These two components determine whether the product's TCB
meets the functional protection requirements as defined in the
functional requirements section of the protection profile. These
components also assess whether activities required for TCB property
definition and TCB testing & analysis (both found in the development
process section of development assurance component section of the
protection profile) verification have been accomplished. These
components further assess whether these activities have been
documented in accordance with the development evidence requirements of
the development assurance section of the profile.
Review. This class of components defines two evaluation assurance
components: (1) development environment components, and (2)
operational support components. These two components validate
compliance with the operational support and development support
aspects of the development assurance requirements section of the
protection profile.
Analysis. This class of components defines two evaluation assurance
components: (1) design analysis components and (2) implementation
analysis components. These two components validate compliance with the
TCB design and TCB implementation support aspects of the development
assurance requirements section of the protection profile.
6.2 Evaluation Assurance Components
Editor's Note: The components included in this sec- tion are provided
to serve as examples and are, in some cases, incomplete. Comments
regarding their structure and content are desired from all review-
ers. An effort was made to concentrate only on eval- uation
requirements and to exclude any process- oriented areas (though some
process-oriented impli- cations may remain). The requirement for
specifying these components is to make them generic (i.e., suitable
for a variety of evaluation processes) and to be able to place them in
context with the other profile requirements (i.e., evaluation
requirements should be commensurate with the functional require- ments
and development assurance requirements).
6.2.1 Testing
Evaluation testing requirements will apply in all protection profiles.
Testing of the product and its protection functions is a
responsibility of the producer. The producer may also have the product
beta-tested by independent sources. Evaluation testing includes (1)
the analysis of the appropriateness, coverage, consistency and
completeness of the beta-test site's test suite and/or the producer's
test suite, the data resulting from conducting these tests, and (2)
the independent application and analysis of testing by the evaluation
team. The evaluation process will be required to assess the producer's
testing results and may be required to independently perform some
level of testing of the product. An example of such an evaluation
testing requirement would be where the evaluation team must execute
the producer's functional tests and then re-execute them after any
discovered errors (either with the tests or the product) have been
corrected.
Evaluation testing may be as simple as a pass or fail conformance test
suite against which the products must be tested. For more
comprehensive functional testing, the evaluators may be required to
functionally test aspects of the product not covered by the producer's
testing. The product's TCB, with respect to its ability to resist
penetration, will also require a range of penetration analysis and
testing. Such testing begins with known generic flaws and proceeds to
hypotheses that are refuted or confirmed. Again, the evaluators may
analyze the product's tests and test results, rerun all or a selected
set of such tests, or develop additional tests not covered by other
testing. If covert channel handling methods are incorporated into a
product to limit bandwidth, the effectiveness of those methods in
reducing channel bandwidths must also be tested. In general, the more
robust and/or resilient the product's protection is expected to be,
the more significant the level of testing that should be performed.
6.2.1.1 Test Analysis Components
Test analysis establishes the testing analysis requirements needed to
determine whether the product meets the functional protection
requirements as defined in the protection profile. The producer will
always perform this functional testing. Functional testing is based
on the operational product, the TCB's functional properties, the
product's operational support guidance, and other producer's
documentation as defined by the development evidence requirements.
Functional test analysis is based on the achieved test results as
compared to the expected results derived from the development
evidence. Penetration test analysis is based on known generic
penetration flaws and a set of flaw hypotheses established for the
specific product implementation. Covert channel bandwidth testing is
based on the bandwidth prior to the application of covert channel
handling method and the bandwidth that results after such application.
6.2.1.2 Independent Testing Components
Independent testing establishes the testing requirements performed by
a testing agent not associated with the producer. These requirements
determine whether the product's TCB meets the functional protection
requirements as defined in the protection profile. Testing is based on
the operational product, the TCB's functional properties, the
product's operational support guidance, and other producer's
documentation as defined by the development evidence requirements.
6.2.2 Evaluation Review Requirements
This aspect of evaluation assurance addresses validating compliance
with the development assurance requirements. Evaluation reviews
simply check for a process, discipline, or form of documentation by
examining evidence that validates presence or absence. Two aspects of
compliance are reviewed; (1) compliance with development environment
requirements and (2) compliance with operational support requirements.
6.2.2.1 Development Environment Review
The development environment review establishes the level of review
required to determine whether the product meets the requirements as
defined in the protection profile's development assurance subsections
for development environment. This includes the components life-cycle
definition, configuration management, and trusted distribution. An
example of such review would be configuration management audits
performed by the evaluation team to ensure that a configuration
management plan is being properly applied. At a certain level, the
evaluation team must conduct a configuration audit of all the
software, firmware, and hardware required to be kept under
configuration control according to the (approved) configuration
management plan. Similar requirements would apply to trusted
distribution and life cycle management.
6.2.2.2 Operational Support Review
The operational support review establishes the level of review
required to determine whether the product meets the requirements as
defined in the protection profile's development assurance subsections
for operational support. This includes the components for user and
administrative guidance, flaw discovery, tracking, and repair
procedures, and trusted generation.
6.2.3 Evaluation Analysis Requirements
This aspect of evaluation assurance addresses validating compliance
with two aspects of the development assurance requirements. Analysis
requirements are established to determine whether the product meets
the development assurance requirements. The analysis is based on the
producer's documentation, as defined by the development evidence
requirements. The two aspects analyzed are: (1) compliance with TCB
design requirements and (2) compliance with TCB implementation support
requirements.
6.2.3.1 Design Analysis
Design analysis requirements specify the objectives for evaluating a
product from a design perspective (i.e., without examination of the
product implementation). These requirements also address the adequacy
of required design documentation. A design analysis may range from a
relatively simple functional overview (e.g., a black-box perspective
of the TCB) to a detailed analysis of internal design details,
modularity, layering, etc. The level of evaluation analysis required
for producer-supplied documentation will be commensurate with the
product's design requirements as set forth in the protection profile's
development assurance section.
6.2.3.2 Implementation Analysis
Implementation analysis requirements address areas such as code
analysis. An example of such analysis is a requirement wherein the
evaluation team must examine at least 50% of the TCB's code to
ascertain whether the TCB meets the modularity requirements. The
selected code must be a representative set of the TCB and (as
appropriate) include samples of code from several different
programmers.
6.3 Rated Evaluation Assurance Components
6.3.1 Rated Test Analysis Components
This component establishes the testing analysis requirements to
determine whether the product meets the functional protection
requirements as defined in the protection profile. This component is
required for all evaluations as it assumes that the producer will
always perform functional testing.
TA-1: Elementary Test Analysis
The evaluator shall assess whether the producer has performed the
activities defined in the development assurance requirements of the
protection profile for functional testing and whether the producer has
documented these activities as defined in the development evidence
requirements of the protection profile. The evaluator shall analyze
the results of the producer's testing activities for completeness of
coverage and consistency of results. The evaluator shall determine
whether the product's protection properties, as described in the
product documentation have been tested. The evaluator shall assess
testing results to determine whether the product's TCB works as
claimed.
TA-2: Enhanced Test Analysis
The evaluator shall assess whether the producer has performed the
activities defined in the development assurance requirements of the
protection profile for functional testing and penetration analysis,
and whether the producer has documented these activities as defined in
the development evidence requirements of the protection profile. The
evaluator shall analyze the results of the producer's testing
activities for completeness of coverage and consistency of results,
and general correctness (e.g., defect trend from regression testing).
This analysis shall examine the testability of requirements, the
adequacy of the tests to measure the required properties, the
deviation of the actual results obtained from the expected results,
and a general interpretation of what the testing results mean. The
evaluator shall determine whether the product's protection properties,
as described in the product documentation, and all relevant known
penetration flaws have been tested. The evaluator shall assess testing
results to determine whether the product's TCB works as claimed, and
whether there are any remaining obvious ways (i.e., ways that are
known, or that are readily apparent or easily discovered in product
documentation) for an unauthorized user to bypass the policy
implemented by the TCB or otherwise defeat the product's TCB.
TA-3: Extended Test Analysis
The evaluator shall assess whether the producer has performed the
activities defined in the development assurance requirements of the
protection profile for functional testing and penetration analysis,
and whether the producer has documented these activities as defined in
the development evidence requirements of the protection profile. The
evaluator shall analyze the results of the producer's testing
activities for completeness of coverage and consistency of results,
and general correctness (e.g., defect trend from regression testing).
This analysis shall examine the testability of requirements, the
adequacy of the tests to measure the required properties, the
deviation of the actual results obtained from the expected results,
and a general interpretation of what the testing results mean. The
evaluator shall determine whether the product's protection properties,
as defined at the TCB interface (i.e., by the DIS), and all relevant
known penetration flaws have been tested. The evaluator shall
independently develop, test, and document additional flaw hypotheses.
The evaluator shall assess testing results to determine whether the
product's TCB works as claimed, that the TCB's implementation is
consistent with the DIS, and whether there are any obvious ways (i.e.,
ways that are known, or that are readily apparent or easily discovered
in product documentation) for an unauthorized user to bypass the
policy implemented by theTCB or otherwise defeat the product's TCB,
and whether all discovered TCB flaws have been corrected and no new
TCB flaws introduced. The evaluator shall determine whether the
product is relatively resistant to penetrations.
TA-4: Comprehensive Test Analysis
The evaluator shall assess whether the producer has performed the
activities defined in the development assurance requirements of the
protection profile for functional testing and penetration analysis,
and whether the producer has documented these activities as defined in
the development evidence requirements of the protection profile. The
evaluator shall analyze the results of the producer's testing
activities for completeness of coverage and consistency of results,
and general correctness (e.g., defect trend from regression testing).
This analysis shall examine the testability of requirements, the
adequacy of the tests to measure the required properties, the
deviation of the actual results obtained from the expected results.
The analysis shall extend to trace all defects identified, corrected,
and retested. The analysis shall include an assessment of test
coverage and completeness, and defect frequency. The results of
testing shall be interpreted in terms that express product performance
and protection adequacy. The evaluator shall determine whether the
product's protection properties, as defined for all
protection-relevant modules of the TCB, and all relevant known
penetration flaws have been tested. The evaluator shall independently
develop, test, and document additional flaw hypotheses. The evaluator
shall assess testing results to determine whether the product's TCB
works as claimed, that the TCB's implementation is consistent with the
DIS, and whether there are any obvious ways (i.e., ways that are
known, or that are readily apparent or easily discovered in product
documentation) for an unauthorized user to bypass the policy
implemented by theTCB or otherwise defeat the product's TCB, and
whether all discovered TCB flaws have been corrected and no new TCB
flaws introduced. No design flaws and no more than a few correctable
implementation flaws may be found during testing and there shall be
reasonable confidence that few remain. If covert channel handling
methods have been implemented, the testing results shall show that the
methods used to reduce covert channel bandwidths have been effective
for all evaluated configurations. The evaluator shall determine
whether the product is relatively resistant to penetrations.
TA-5: Formal Test Analysis
The evaluator shall assess whether the producer has performed the
activities defined in the development assurance requirements of the
protection profile for functional testing and penetration analysis,
and whether the producer has documented these activities as defined in
the development evidence requirements of the protection profile. The
evaluator shall analyze the results of the producer's testing
activities for completeness of coverage and consistency of results,
and general correctness (e.g., defect trend from regression testing).
This analysis shall examine the testability of requirements, use of
the FIS for test derivation, the adequacy of the tests to measure the
required properties, the deviation of the actual results obtained from
the expected results. The analysis shall extend to trace all defects
identified, corrected, and retested. The analysis shall include an
assessment of test coverage and completeness, and defect frequency.
The results of testing shall be interpreted in terms that express
product performance and protection adequacy. The evaluator shall
determine whether the product's protection properties, as defined for
the entire TCB, and all relevant known penetration flaws have been
tested. The evaluator shall independently develop, test, and document
additional flaw hypotheses. The evaluator shall assess testing results
to determine whether the product's TCB works as claimed, that the
TCB's implementation is consistent with the FIS, and whether there are
any obvious ways (i.e., ways that are known, or that are readily
apparent or easily discovered in product documentation) for an
unauthorized user to bypass the policy implemented by theTCB or
otherwise defeat the product's TCB, and whether all discovered TCB
flaws have been corrected and no new TCB flaws introduced. No design
flaws and no more than a few correctable implementation flaws may be
found during testing and there shall be reasonable confidence that few
remain. If covert channel handling methods have been implemented, the
testing results shall show that the methods used to reduce covert
channel bandwidths have been effective for all evaluated
configurations. The evaluator shall determine whether the product is
completely resistant to penetrations.
6.3.2 Rated Independent Testing Components
This component establishes the independent testing requirements to
determine whether the product's TCB meets the functional protection
requirements as defined in the protection profile.
IT-1: Elementary Independent Testing
A tester, independent of the producer or evaluator, shall perform
functional and elementary penetration testing. This testing shall be
based on the product's user and administrative documentation, and on
relevant known penetration flaws. Satisfactory completion consists of
demonstrating that all user-visible security enforcing functions and
security-relevant functions work as described in the product's user
and administrative documentation and that no discrepancies exist
between the documentation and the product. Test results of the
producer shall be confirmed by the results of independent testing.
The evaluator may selectively reconfirm any test result.
If the independent testing is performed at beta- test sites, the
producer shall supply the beta- test plan and the test results. The
evaluator shall review the scope and depth of beta testing with
respect to the required protection functionality, and shall verify
independence of both the test sites and the producer's and beta- test
user's test results. The evaluator shall confirm that the test
environment of the beta-test site(s) adequately represents the
environment specified in the protection profile.
IT-2: Enhanced Independent Testing
The evaluator shall independently perform functional and elementary
penetration testing to confirm test results. This testing may be
selective and shall be based on (1) the results of other independent
and/or producer testing, (2) the TCB's DIS, (3) other product design
and implementation documentation, (4) the product's user and
administrative documentation, and (5) relevant known penetration
flaws. Satisfactory completion consists of demonstrating that all TCB
functions work as described in the product's relevant documentation,
that test results are consistent, and that no discrepancies exist
between the documentation and the product.
If the independent testing is performed at beta- test sites, the
producer shall supply the beta- test plan and the test results. The
evaluator shall review the scope and depth of beta testing with
respect to the required protection functionality, and shall verify
independence of both the test sites and the producer's and beta- test
user's test results. The evaluator shall also confirm that the test
environment of the beta-test site(s) adequately represents the
environment specified in the protection profile.
IT-3: Comprehensive Independent Testing.
The evaluator shall independently perform functional and elementary
penetration testing to confirm test results. This testing may be
selective and shall be based on (1) the results of other independent
and/or producer testing, (2) the TCB's DIS, (3) other product design
and implementation documentation, (4) the product's user and
administrative documentation, (5) relevant known penetration flaws,
and (6) evaluator-developed TCB penetration flaw hypotheses and
corresponding tests that attempt to exploit the hypothesized flaws.
Satisfactory completion consists of demonstrating that all TCB
functions work as described in the product's relevant documentation,
that test results are consistent, and that no discrepancies exist
between the documentation and the product. Satisfactory penetration
test completion shall be determined by the subjective judgement (which
may be supported algorithmically) of the evaluator. Test duration
agreements may further constrain this judgement. Categorization of an
actual penetration flaw shall be based on the reproducibility of that
flaw. Flaws that are discovered, but are not reproducible shall remain
categorized as potential penetration flaws. All actual penetration
flaws must be corrected and retested.
The evaluator shall provide a penetration test plan document that
describes the additional evaluator-developed flaw hypotheses and
associated tests. The evaluator shall execute these tests and shall
report any discovered flaws to the producer as part of the testing
results. At the conclusion of penetration testing, the evaluator shall
provide copies of this penetration test plan and its test results to
the producer. The producer shall ensure that this test plan and its
test results are incorporated into the rest of the product's testing
documentation and that such documentation is available for further
analysis throughout the life of the product.
If the product has incorporated covert channel handling, the evaluator
shall test for covert channel bandwidth reductions to determine the
effectiveness of handling method(s) in reducing the bandwidths of
identified covert channels for all evaluated configurations.
If the independent testing is performed at beta- test sites, the
producer shall supply the beta- test plan and the test results. The
evaluator shall review the scope and depth of beta testing with
respect to the required protection functionality, and shall verify
independence of both the test sites and the producer's and beta- test
user's test results. The evaluator shall also confirm that the test
environment of the beta-test site(s) adequately represents the
environment specified in the protection profile.
IT-4: Formal Independent Testing.
The evaluator shall independently perform functional and elementary
penetration testing to confirm test results. This testing shall be
based on (1) the results of producer or other independent testing, (2)
the TCB's FIS, (3) the product's design and implementation
documentation, (4) the product's user and administrative
documentation, (5) relevant known penetration flaws, and (6)
evaluator-developed TCB penetration flaw hypotheses and corresponding
tests that attempt to exploit the hypothesized flaws. Satisfactory
completion consists of demonstrating that all TCB functions work as
described in the product's relevant documentation, that the TCB
functions are consistent with the FIS, that test results are
consistent, and that no discrepancies exist between the documentation
and the product. Satisfactory penetration test completion shall be
determined by the subjective judgement of the evaluator (which may be
supported algorithmically). Test duration agreements may further
constrain this judgement. Categorization of an actual penetration flaw
shall be based on the reproducibility of that flaw. Flaws that are
discovered, but are not reproducible shall remain categorized as
potential penetration flaws. All actual penetration flaws must be
corrected and retested.
The evaluator shall provide a penetration test plan document that
describes the additional evaluator-developed flaw hypotheses and
associated tests. The evaluator shall execute these tests and shall
report any discovered flaws to the producer as part of the testing
results. At the conclusion of penetration testing, the evaluator shall
provide copies of this penetration test plan and its test results to
the producer. The producer shall ensure that this test plan and its
test results are incorporated into the rest of the product's testing
documentation and that such documentation is available for further
analysis throughout the life of the product.
If the product has incorporated covert channel handling, the evaluator
shall test for covert channel bandwidth reductions to determine the
effectiveness of handling method(s) in reducing the bandwidths of
identified covert channels.
If the independent testing is performed at beta- test sites, the
producer shall supply the beta- test plan and the test results. The
evaluator shall review the scope and depth of beta testing with
respect to the required protection functionality, and shall verify
independence of both the test sites and the producer's and beta- test
user's test results. The evaluator shall also confirm that the test
environment of the beta-test site(s) adequately represents the
environment specified in the protection profile.
6.3.3 Rated Development Environment Review Components
This component establishes the level of review required to determine
whether the product meets the requirements as defined in the
protection profile's development assurance subsections for development
environment including life-cycle definition and configuration
management, and trusted distribution.
DER-1: Elementary Development Environment Review
The evaluator shall review the producer's development and maintenance
process description documentation to determine the degree of
discipline enforced upon and within the process, and to determine the
protection characteristics associated with the product's development
and maintenance. The results of this review shall establish, for the
evaluator, the producer's development environment, its policies, and
the degree of enforcement maintained during development execution.
DER-2: Enhanced Development Environment Review
The evaluator shall review the producer's development and maintenance
process description documentation and shall conduct a random audit of
the producer's processes using the evidence generated by each process
to determine the degree of discipline enforced upon and within the
process, and to determine the protection characteristics associated
with the product's development and maintenance. The results of this
review shall establish, for the evaluator, the producer's development
environment, its policies, and the degree of enforcement maintained
during development execution. The results of this review shall also
confirm the producer's general conformance with relevant development
environment requirements.
DER-3: Comprehensive Development Environment Review
The evaluator shall review the producer's development and maintenance
process description documentation and shall conduct a complete audit
of the producer's processes using the evidence generated by each
process to determine the degree of discipline enforced upon and within
the process, and to determine the protection characteristics
associated with the product's development and maintenance. The results
of this review shall establish, for the evaluator, the producer's
development environment, its policies, and the degree of enforcement
maintained during development execution. The review shall also confirm
the producer's complete conformance with all relevant development
environment requirements.
6.3.4 Rated Operational Support Review Components
This component establishes the level of review required to determine
whether the product meets the requirements as defined in the
protection profile's development assurance subsections for operational
support including user and administrative guidance, flaw discovery,
tracking, and repair procedures, and trusted generation.
OSR-1 Elementary Operational Support Review
The evaluator shall review all documentation focused on the activities
of product use (e.g., Users Manuals) and product administration
including installation, operation, maintenance, and trusted recovery
(e.g., Trusted Facility Management Manuals). This review shall assess
the clarity of presentation, difficulty in locating topics of
interest, ease of understanding, and completeness of coverage. The
need for separate manuals dedicated to protection-relevant aspects of
the product should be assessed for effectiveness.
This component should also address flaw remediation and trusted
generation. [[TBD.]]
OSR-2 Enhanced Operational Support Review
The evaluator shall review all documentation focused on the activities
of product use (e.g., Users Manuals) and product administration
including installation, operation, maintenance, and trusted recovery
(e.g., Trusted Facility Management Manuals). This review shall assess
the clarity of presentation, difficulty in locating topics of
interest, ease of understanding, and completeness of coverage. The
need for separate manuals dedicated to protection-relevant aspects of
the product should be assessed for effectiveness. The evaluator shall
randomly select a sample of the documented protection-relevant
features and procedures and execute them to determine if their
descriptions are accurate and correct.
This component should also address flaw remediation and trusted
generation. [[TBD.]]
OSR-3 Comprehensive Operational Support Review
The evaluator shall review all documentation focused on the activities
of product use (e.g., Users Manuals) and product administration
including installation, operation, maintenance, and trusted recovery
(e.g., Trusted Facility Management manuals. This review shall assess
the clarity of presentation, difficulty in locating topics of
interest, ease of understanding, and completeness of coverage. The
need for separate manuals dedicated to protection-relevant aspects of
the product should be assessed for effectiveness. The evaluator shall
execute all documented protection-relevant features and procedures to
determine if their descriptions are accurate and correct.
This component should also address flaw remediation and trusted
generation. [[To be written.]]
6.3.5 Rated Design Analysis Components
This component establishes the analysis requirements to determine
whether the product meets the design requirements as defined in the
development process assurance section of the protection profile,
including the TCB property definition and TCB design requirements. The
analysis is based on the producer's documentation, as defined by the
development evidence requirements.
DA-1: Elementary Design Analysis
The evaluator shall determine whether the producer has performed the
activities defined in the development process assurance requirements
of the protection profile for TCB property definition and TCB design.
The evaluator shall determine whether the producer has documented
these activities as defined in the development evidence requirements
of the protection profile. The evaluator shall analyze the results of
the producer's activities for completeness and consistency of design
with respect to requirements.
DA-2: Enhanced Design Analysis
The evaluator shall determine whether the producer has performed the
activities defined in the development process assurance requirements
of the protection profile for TCB property definition and TCB design.
The evaluator shall determine whether the producer has documented
these activities as defined in the development evidence requirements
of the protection profile. The evaluator shall analyze the results of
the producer's activities for completeness, consistency, and
correctness of design with respect to requirements.
DA-3: Comprehensive Design Analysis
The evaluator shall determine whether the producer has performed the
activities defined in the development process assurance requirements
of the protection profile for TCB property definition and TCB design.
The evaluator shall determine whether the producer has documented
these activities as defined in the development evidence requirements
of the protection profile. The evaluator shall analyze, with the help
of formal methods and appropriate automated tools, the results of the
producer's activities for completeness, consistency, and correctness
of design with respect to requirements (e.g., validating the formal
verification of the design).
6.3.6 Rated Implementation Analysis Components
This component establishes the implementation analysis required to
determine whether the product meets the requirements as defined in the
TCB implementation requirements in a protection profile's development
assurance section. The analysis is based on the implemented code and
on the producer's documentation, as defined by the development
evidence requirements.
CI-1: Elementary Implementation Analysis
The evaluator shall conduct a code inspection on a small sample of
randomly selected product code. The assessment shall focus on clarity
of the coding style, adherence to coding standards, coding
documentation, and on possible software defects that may be present
with respect to the product's informal design. The inspection shall be
performed to obtain only a sample of possible software defects, not to
capture all such possible defects. The evaluator shall report all
discovered defects to the producer; the assessment shall report the
number of defects found per line of code inspected from the random
sample size. Use of producer-provided code inspection results can
supplement this sample inspection. All trapdoors built into the
product for maintenance purposes shall be identified by the producer
and shown to be protected by the product.
CI-2: Enhanced Implementation Analysis
The evaluator shall conduct a code inspection on a moderate sample of
randomly selected product code. The assessment shall focus on clarity
of the coding style, adherence to coding standards, coding
documentation, and on possible software defects that may be present
with respect to the product's informal design and model. The
inspection shall be performed to obtain only a sample of possible
software defects, not to capture all such possible defects. The
evaluator shall report all discovered defects to the producer; the
assessment shall report the number of defects found per line of code
inspected from the random sample size. Use of producer-provided code
inspection results can supplement this sample inspection. All
trapdoors built into the product for maintenance purposes shall be
identified by the producer and shown to be protected by the product.
CI-3: Comprehensive Implementation Analysis
The evaluator shall conduct an inspection on a moderate sample of
randomly selected product code. The assessment shall focus on the
clarity of the coding style, adherence to coding standards, coding
documentation, and on possible software defects that may be present
with respect to the product's formal design and model. The inspection
shall be performed to obtain only a sample of possible software
defects, not to capture all such possible defects. The evaluator shall
report all discovered defects to the producer; the assessment shall
report the number of defects found per line of code inspected from the
random sample size. Use of producer-provided code inspection results
can supplement this inspection. All trapdoors built into the product
for maintenance purposes shall be identified by the producer and shown
to be protected by the product. The producer shall correct all
discovered defects and the corrected software reinspected. A rigorous
analysis of the implementation's correspondence to the verified design
shall be performed by the evaluator to validate correctness. Such
analysis may be supported by appropriate automated tools.
6.4 Bibliographic Notes
TBD.
Chapter 7.
CONSTRUCTION OF PROTECTION PROFILES
7.1 Overview
The functional and assurance components and their ratings defined in
previous chapters provide the basic building blocks for the definition
of protection profiles. The definition of a protection profile
consists of assembling different functional and assurance components
into a consistent and coherent set that satisfies specific security
goals of the anticipated environments of product use. The assembled
components and their requirements are generally intended to counter
threats, eliminate vulnerabilities, support security standards, and
satisfy regulatory requirements defined in the anticipated
environments of use.
During profile construction, environment-specific requirements are
used to select and synthesize the functional and the assurance
components for IT product development (see Chapter 3). It should be
noted that not all environment- specific requirements are relevant to
the selection of the functional and assurance components. For example,
some environment-specific requirements may address only problems of
organization management and IT product use that have no direct impact
on IT product requirements. The environment- specific requirements
referred to in this section are those that help select IT product
component requirements for profile inclusion.
This chapter describes the concerns that arise, and the steps that
must be taken, in synthesizing profile functional and assurance
components. It also illustrates the selection of these components by
several examples. The chapter is divided into three sections. The
first section describes several steps for synthesizing profile
components. The second section addresses the notion of dependency
analysis for profile components and component requirements. The third
section contains a bibliography of useful literature references
related to dependency analysis.
7.2 Synthesis of Profile Components
Different Levels of Abstract Requirements. The environment- specific
requirements are used in selecting the functional and assurance
components. These requirements can be stated at a level of abstraction
that is higher than, lower than, or similar to that of the functional
and assurance components. This variance in levels of abstraction
exists because these requirements can be expressed in an unrestricted
form. The requirements may be more abstract because they may reflect
high-level security control objectives, organizational policies,
regulations and directives. For example, environment-specific
requirements may state that the computing facilities must reflect the
separation of roles defined within an organization, or must reflect a
document classification policy mandated by government directives.
Similarly, the requirements may state that the control of access to
documents processed within a computing facility must conform with a
particular document processing policy (e.g., ORGCON).
Environment-specific requirements may be less abstract than those used
in the functional and assurance components. Some may reflect the need
to support a specific security standard or guideline (e.g., password
guideline) while others may require a set of specific features and
assurances deemed necessary in the environments of IT product use. For
example, commercial security environments may require a specific set
of: password complexity rules, location- and time-based access control
rules, and security management rules. Other environments may mandate
the use of a specific subject and object labeling policy, may require
specific import or export policies for labeled objects, may mandate
the use of specific forms of acceptance testing and test coverage, or
may mandate a specific form of configuration management and trusted
distribution.
Environment-specific requirements may have the same level of
abstraction as that of the functional and assurance components because
they may be derived from requirements of existing product standards.
For example, some environment-specific requirements may be expressed
by the requirements of the Trusted Computer System Evaluation Criteria
(TCSEC) classes B2, B3, or A1, for high-assurance defense
environments.
Different Requirement Classifications. The environment- specific
requirements may be partitioned into components in a different manner
than that used in the partitioning of the product generic
requirements. Since the profile requirements ultimately drive the
profile component selection, the different component partitionings
must be resolved to ensure that the profile addresses all
environment-specific requirements. The partitioning of generic product
requirements into components and the rating of those components imply
that, when interpreted at the product- requirement level, the
environment-specific requirements must be expressed in terms of these
components and their levels. For example, the environment-specific
requirement class of "reliability of service" may contain specific
requirements of limited service degradation, control of resource
consumption, automated crash recovery based on checkpoint restart, and
periodic back-up and restore operations. In terms of the product
component requirements, the "reliability of service" requirement will
be covered by the availability, trusted recovery, and security
management components.
The partitioning of environment-specific requirements into product
component requirements must take into account the rating of the
component requirements because certain specific requirements may, in
fact, be covered by individual requirements of multiple levels. For
example, environment- specific requirements of access control may
include all component level AC-2 (basic access control) and location-
dependent authorization, which is a requirement included in component
level AC-4 (fine-grain access control). Consequently, if component
level AC-3 (extended access control) is selected, the
environment-specific requirement would not be satisfied by the
resulting profile, and if level AC-4 is selected, the resulting
profile becomes overspecified because the requirements of AC-4 are
unnecessarily included. The resolution of this problem is discussed
in the next section.
The question of how the environment-specific requirements can be used
to construct functional and assurance requirements for inclusion in a
profile arises naturally, given the unconstrained level of abstraction
in the environment- requirement definition. A key step in profile
synthesis is that of selecting the functional and assurance
components. The selection process is informal and, for this reason
must be carefully justified in constructing and accepting a profile.
When the level of the environment-specific requirements is close to
that of the component requirements, two selection steps, assignment
and refinement, are used.
7.2.1 Assignment
The assignment of environment-specific requirements to generic
component requirements is performed when a component requirement
corresponds to an environment-specific requirement. The correspondence
is determined by analyzing the intent and motivation for both the
environment-specific requirement and the product component
requirement. A match of the motivation and intent for these
requirements triggers the selection of the component requirement.
An assignment of environment-specific requirements to a component
requirement also takes place when a component requirement is given a
specific meaning. That is, a generic requirement of a component, which
may require the definition of a rule, condition, or constant, becomes
specific.
Example 1: Assignment of specific constants
In the identification and authentication component of the Commercial
Security Protection Profile CS-2, the following italicized
requirements assign specific default constants to successive
unsuccessful login attempts and to the default of the required delay:
The TCB shall end the attempted login session if the user performs the
authentication procedure incorrectly for a number of successive times
(i.e., a threshold) specified by an authorized system administrator.
The default threshold shall be three times. When the threshold is
exceeded, the TCB shall send an alarm message to the system console
and/or to the administrator's terminal, log this event in the audit
trail, and delay the next login by an interval of time specified by
the authorized system administrator. The default time interval shall
be 60 seconds. The TCB shall pro- vide a protected mechanism to
disable the user identity or account when the threshold of succes-
sive, unsuccessful login attempts is violated more than a number of
times specified by the adminis- trator. By default, this mechanism
shall be dis- abled (as it may cause unauthorized denial of service).
Also, in the access control component of the Commercial Security
Protection Profile CS-2, the following italicized requirement
identifies a specific subject attribute (i.e., group identity) to
which access rights are assigned:
Object attributes shall include defined access rights (i.e., read,
write, execute) that can be assigned to subject attributes. The TCB
shall be able to assign object access rights to group identities.
Example 2: Assignment of specific authorization rules
In the access control component of the Commercial Security Protection
Profile CS-2, the following italicized requirement assigns specific
authorization rules for subject references to objects:
The TCB shall define and enforce authorization rules for the mediation
of subject references to objects. These rules shall be based on the
access control attributes of subjects and objects.
At a minimum, the authorization rules shall be defined as follows:
a. The access rights associated with a user identifier shall take
precedence over the access rights associated with any groups of which
that user identifier is a member.
b. When a user identifier can be an active member of multiple
groups simultaneously, or if the access rights associated with the
user identifier conflict with the access rights associated with any
group in which the user is a member, it shall be possible for a system
administrator to configure rules that combine the access rights to
make a final access control decision.
c. The TCB shall provide a protected mechanism to specify default
access rights for user identifiers not otherwise specified either
explicitly by a user identifier or implicitly by group membership.
Example 3: Assignment of specific conditions
In the access control component of the Commercial Security Protection
Profile CS-2, the following italicized requirement assigns specific
conditions to the rule for assignment and modification of access
control attributes for subjects and objects.
The effect of these rules shall be that access rights to an object by
users not already possessing access permission is assigned only by
authorized users.
Only the current owner or system administrators can modify access
control attributes of objects.
There should be a distinct access right to modify the contents of an
object's access control list (e.g., an "ownership" or "control"
right).
The component requirements are assigned a null environment- specific
requirement whenever an environment-specific requirement is not
assigned for a component. A null assignment implies that the component
is not included in a profile (unless another component, which is
required by another environment-specific requirement, depends upon
it).
Example 4: Null assignment
In the Commercial Security Protection Profiles (CS-1, CS-2, CS-3),
several assurance components were not selected for inclusion. The
modular decomposition component, TCB structuring support, and TCB
design disciplines were not selected because this profile does not
require assurances about the internal TCB structure.
When an environment-specific requirement is assigned, it is possible
that the component requirements used include some features that are
not explicitly selected (i.e., an exact match is not possible). In
this case, a do not care is assigned to the features and/or assurances
not selected.
Example 5: "Do not care" assignment
In Example 2, the assignment of the specific authorization rules
refers only to the selection of subject attributes for access
authorization and does not include any specification of the object
subset to which the authorization applies. This implies that a "do not
care" is assigned to the generic requirement of identifying the
authorization scope in the access control component. Similarly, a "do
not care" assignment is implicitly made in Example 3. Although
specific conditions are assigned to the rule for modification of
access control attributes, a specific condition or rule was not
assigned for attribute modification during object import and/ or
export operations.
7.2.2 Refinement
The refinement of a component requirement is necessary when the
environment-specific requirements are less abstract (i.e., more
specific) than the component requirements. As a consequence, one or
more environment-specific requirements are added to a single component
requirement. This represents a refinement of a component requirement.
Note that the refinement of a component requirement differs from the
assignment of environment-specific requirements to components. For
example, a refinement of a component requirement may not assign any
specific meaning to a requirement rule, condition, or constant.
Instead, the refinement provides an elaboration of a generic component
requirement in a specific environment.
Example 6: Refinement of the trusted path component
In the Commercial Security Protection Profile CS-2, the following
italicized requirement refines the Trusted Path component TP-1
requirement:
The TCB shall support a trusted communication path between itself and
the user for initial identification and authentication. Communications
via this path shall be initiated exclusively by a user.
The TCB shall provide a protected mechanism by which a data
entry/display device may force a direct connection between the port to
which it is connected and the authentication mechanism.
Example 7: Refinement of the authorization rules
In the Commercial Security Protection Profile CS-2, the following
italicized requirement refines the requirement for authorization rule
definition and enforcement:
The TCB shall define and enforce authorization rules for the mediation
of subject references to objects. These rules shall be based on the
access control attributes of subjects and objects.
For each object, the authorization rules of the TCB shall be based on
a protected mechanism to specify a list of user identifiers or groups
with their spe- cific access rights to that object (i.e., an access
control list).
The assignment and refinement rules become necessary whenever the
level of abstraction of the environment-specific requirements differs
from that of the generic product components. However, when the
partitioning or classification of environment specific requirements
differs from that of the functional and assurance components, two
additional selection steps, decomposition and level-selection, are
used.
7.2.3 Decomposition
The decomposition of a specific requirement becomes necessary when
that requirement must be assigned to multiple components of the
generic product requirements during the interpretation process.
Examples of decomposition are provided by both the specific
requirements of the commercial domain illustrated in the NIST Minimum
Security Functionality Requirements (MSFR) release 1.1 and by the
specific requirements of labeled protection found in the TCSEC.
Example 8: MSFR requirement decomposition into generic components
1. MSFR System Integrity Requirement -> Functional Components (AC, P,
AD, SC, SM)
Requirement Component (paragraph)
Separate process and address spaces P-1 (1) Verification of installed
software using SC-3
checksums & digital signatures Restrict use of supervisory states P-1
(1) Audit use of operator consoles AD-2 (2) TCB software modification
restricted to SM-1 (4)
administrative users System maintenance limited to SM-1 (4,5)
administrative users Validate correct operation of hardware SC-1
& firmware elements
2. Data Integrity Requirement -> Functional Components (AC, SC, SM,
ESU)
Requirement Component (paragraph)
Record date & time object last modified AC-4 (3) Check file system and
storage medium SC-3
integrity Display of system parameters and flags SM-1 (2,3)
Directory/path search order ESU-2 (1)
3. Reliability of Service -> Function Components ((AR, AF), TR, SM)
Requirement Component (paragraph)
Degraded service operation AF (TDB) Controlled consumption of disk
space, AR-1
CPU usage Recovery after system failure TR-1 Data backup & restore
SM-1 (4) Checkpoint restarts TR-4 (2)
Example 9: Decomposition of labeled component requirements into
generic components
1. TCSEC Device Labeling Requirement (B2) -> Functional Components
(AC, SE)
Requirement Component
The TCB shall support the assignment of AC-2 (2), minimum and maximum
security levels to all attached physical devices.
These security levels shall be used by I&A-2 (2) the TCB to enforce
constraints imposed by the physical environments in which the devices
are located.
7.2.4 Level-Selection
The rating of functional and assurance components requires that
specific component levels be selected when the environment-specific
requirements are interpreted at the product level. However, an
environment-specific requirement may exceed the requirements of a
single level and may include individual requirements of higher levels.
Whenever this happens, the selection of the component level follows a
"low water mark" rule. That is, the selected level is the highest
complete level required, but is augmented by individual requirements
of higher levels. This leads to the development of new components from
existing requirements, and ensures that the rating criteria used for
the component levels does not impair flexibility in profile
construction. Provided that an environment-specific requirement leads
to the selection of at least one complete level (e.g., the low-water
mark), different individual requirements of a higher level of the same
component can be selected to augment the selected low-water- mark
level.
Example 10: Low-water-mark selection of component levels for MSFR
requirements
Access control requirements of the Commercial Security Protection
Profiles CS-2 and CS-3 were derived from the specific requirements of
the MSFR by using low-water-mark selection of levels.
CS-2: AC-2+: These rules shall, either by explicit user action or
by default, provide that objects are protected from unauthorized
access.
These rules shall allow authorized users to specify and control
sharing of objects by named individuals or defined groups of
individuals, or by both, and shall provide controls to limit
propagation of access rights, (i.e., these rules shall define the
distribution, revocation, and review of access control attributes).
The controls defined by these rules shall be capable of specifying for
each named object, a list of individuals and a list of groups of named
individuals, with their respective access rights to that object.
Furthermore, for each named object, it shall be possible to specify a
list of named individuals and a list of groups of named individuals
for which no access to the object is given [AC-4]. These controls
shall be capable of including or excluding access to the granularity
of a single user.
CS-3: AC-2+: If multiple access control policies are supported, the
access control attributes corresponding to each individual policy
shall be identified. The subject and object attributes shall
accurately reflect the sensitivity and/or integrity of the subject or
object. The subject's access control attributes also shall include
time and location attributes that can be assigned to authenticated
user identities [AC-4].
The TCB shall define and enforce authorization rules for the mediation
of subject references to objects. These rules shall be based on the
access control attributes of subjects and objects. These rules shall,
either by explicit user action or by default, provide that objects are
protected from unauthorized access. These rules shall include
time-of-access and location-of-access controls defined for subjects
and objects [AC-4].
The rating of the functional and assurance components can also cause
multiple levels of the same component to be selected when the
environment-specific requirements are interpreted at the product
level. Whenever this happens, the selection of the component level
follows a "high water mark" rule. That is, the selected level is the
maximum of all the levels separately selected from the same component.
Example 11: High-water-mark selection of component levels for TCSEC
requirements
The system architecture requirements of the TCSEC class B3 include the
following specific requirements:
TCSEC System Architecture Requirement (B3) --> Modular Decomposition
(MD)
Requirement Component
The TCB shall be structured into MD-2 well-defined modules
and Significant system engineering shall be MD-3 directed
towards minimizing the complexity of the TCB and excluding from the
TCB modules that are not protection-critical.
The TCB structuring into modules requires the selection of assurance
component MD-2. The minimization of the TCB complexity and the
exclusion of protection-irrelevant modules from the TCB lead to the
selection of the assurance component MD-3 because module exclusion
requires the analysis of the correctness dependencies between modules.
This is required to determine whether a protection-relevant module
does not depend directly or indirectly on a module deemed to be
protection-irrelevant and scheduled for removal from the TCB. Since
the modular decomposition level MD-3 includes the requirements of
level MD-2, level MD-3 is the high-water-mark level and thus it must
be selected.
The system architecture and design specification and verification
requirements of the TCSEC class A1 include the following specific
requirements:
TCSEC System Architecture Requirement (A1) - > Interface Definition
(IF-2)
TCSEC Design Specification Requirement (A1) - > Interface Definition
(IF-3)
Requirement Component
The user interface shall be completely IF-2 defined and all elements
identified.
A formal top-level specification (FTLS) IF-3 of the TCB shall be
maintained that accurately describes the TCB in terms of exceptions,
error messages, and effects.
Since the interface definition level IF-3 includes the requirements of
level IF-2, level IF-3 is the high-water-mark level and thus, it must
be selected.
Note that the decomposition and level-selection may require assignment
and refinement and vice-versa. For example, the "low water mark" level
selection, assignment, and refinement are illustrated by the
requirements of access-control attribute administration in component
AC-2+ of profiles CS-2 and CS-3.
7.3 Dependency Analysis
The analysis of the dependencies between functional and assurance
components must be performed during profile construction. Such
analysis helps (1) avoid inadequate, or incorrect, profile
specification, (2) avoid overspecification of a profile, (3) determine
the effect of profile changes (e.g., addition or removal of individual
components or component requirements), and (4) analyze the
compatibility of different protection profiles and harmonize different
sets of component requirements (see Appendix E). This section
illustrates and classifies functional and assurance dependencies.
Examples are provided to show the use of dependency analysis in
profile-compatibility analysis and profile-change analysis. This
section is intended to enable protection profile developers to define
consistent and coherent profiles that can be evaluated and used by
independent organizations. It is further intended to motivate the
analysis required when comparing different standards addressing
information protection in IT products or when ensuring the
preservation of previous investments (e.g., maintaining compatibility
with the TCSEC).
7.3.1 Dependency Classification
Dependencies among the components of a product appear (1) among the
functional components, (2) among assurance components, and (3) between
the functional components and assurance components. Dependencies may
also exist between the functional and assurance components and the
product definition and operation. These dependencies help enlarge the
application of a profile definition to widely-used products that might
otherwise be considered inadequate for a specific protection profile.
These dependencies can be analyzed in a similar manner as those of the
first three classes, as this class does not introduce new dependency
types. The role of classifying these dependencies is (1) to help
achieve consistency and coherent profile definition, and (2) to
decrease profile-definition susceptibility to inconsistent component
classification of a component either as function or as an assurance.
Dependencies are classified into several types that are reminiscent of
those that appear in the correctness analysis of large systems and
products. This classification helps identify the important
dependencies that are necessary to achieve the consistency and
coherence of a protection profile.
7.3.2 Dependencies Among Functional Components
Dependencies among functional components arise because the functions
that implement a component depend on functions implementing other
components, or because different functions implementing different
components must implement the same policy (properties) or
requirement(s), individually or together. Thus,a distinction is made
between the "uses" and "policy property" types of dependencies. There
exists a "uses" dependency between two functional components, A and B,
if the correctness of functions implementing A assumes the correctness
of functions implementing B. There exists a "policy property"
dependency between two functional components, A and B, if functions
implementing both A and B must implement, either individually or
together, a property or a condition required by the policy (e.g., the