National Information Assurance Partnership

Transcription

1 Natinal Infrmatin Assurance Partnership TM Cmmn Criteria Evaluatin and Validatin Scheme Validatin Reprt Apple Cmputer Mac OS X Versin Reprt Number: CCEVS-VR Dated: 13 January 2005 Versin: 1.0 Natinal Institute f Standards and Technlgy Natinal Security Agency Infrmatin Technlgy Labratry Infrmatin Assurance Directrate 100 Bureau Drive 9800 Savage Rad STE 6740 Gaithersburg, MD Frt Gerge G. Meade, MD

2 2

3 Table f Cntents 1. Executive Summary Evaluatin Details Identificatin f the TOE Security Plicy Security Audit Audit Generatin Audit Management User Data Prtectin Discretinary Access Cntrl DAC Attributes DAC Algrithm DAC Plicies Residual Data Prtectin Identificatin and Authenticatin Lgn Prcess User Subject Binding Passwrd and Accunt Management Security Management Prtectin f the TOE Security Functins Abstract Machine Testing Reference Mediatin Dmain Separatin Time Assumptins and Clarificatin f Scpe Usage Assumptins Architectural Infrmatin Dcumentatin Design dcumentatin Guidance dcumentatin Cnfiguratin Management dcumentatin Delivery and Operatin dcumentatin Life Cycle Supprt dcumentatin Test dcumentatin Vulnerability Assessment dcumentatin Security Target IT Prduct Testing Vendr Testing Evaluatr Testing Evaluated Cnfiguratin Results f the Evaluatin Validatin Cmments/Recmmendatins Security Target List f Acrnyms Bibligraphy

4 4

5 1. Executive Summary This reprt dcuments the NIAP validatrs assessment f the CCEVS evaluatin f the Apple Mac OS X versin and Apple Mac OS X Server versin Mac OS X and Mac OS X Server enfrce the same security functins, the nly differences lie in perfrmance; therefre, bth will be referred t as Mac OS X thrughut this reprt. The evaluatin fr Mac OS X was perfrmed by Science Applicatins Internatinal Crpratin (SAIC) in the United States and was cmpleted n 27 December The evaluatin was cnducted in accrdance with the requirements f the Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin, versin 2.1, Evaluatin Assurance Level 3 (EAL3), and the Cmmn Evaluatin Methdlgy fr IT Security Evaluatin (CEM), Part 2, Versin 1.0. The Target f Evaluatin (TOE) als cnfrms t the Cntrlled Access Prtectin Prfile (CAPP), versin 1.d, Octber 8, The TOE includes the Mac OS X perating system, supprting hardware, and thse applicatins necessary t manage, supprt and cnfigure the perating system. The TOE is a subset f the Mac OS X prduct as defined in the administratr guidance. Apple prvides several Mac OS X sftware applicatins that are cnsidered utside the scpe f the defined TOE and thus nt part f the evaluated cnfiguratin. Services utside this evaluatin include: services; web server services; remte apple events; print sharing services; file sharing services; and classic prgramming supprt (Old Macintsh OS cmpatibility supprt). Mac OS X Server cntains a watchdg timer t restart services and prvide stability; hwever, this timer is disabled in the evaluated cnfiguratin. In additin, Darwin, the pen surce UNIX-based cre that Mac OS X is built upn, nly supprts the HFS+ filesystem in the evaluated cnfiguratin. Furthermre, while Mac OS X supprts a wide range f prtcls and netwrk services, nly TCP/IP and the NFS (Netwrk Filesystem), DNS (Dmain Name Service), and SSH (Secure Shell) services are supprted in the evaluated cnfiguratin. Mac OS X prvides the fllwing five security functins, which are described in Sectin 3 f this reprt: Security Audit User Data Prtectin Identificatin and Authenticatin Security Management Prtectin f the TOE Security Functins SAIC is an apprved NIAP Cmmn Criteria Testing Labratry (CCTL). The CCTL cncluded that the Cmmn Criteria assurance requirements fr Evaluatin Assurance Level 3 (EAL3) have been met and that the cnclusins in its Evaluatin Technical Reprt are cnsistent with the evidence prduced. 5

6 This Validatin Reprt is nt an endrsement f the Mac OS X by any agency f the US Gvernment and n warranty f the prduct is either expressed r implied. 6

7 1.1 Evaluatin Details Table 1 prvides the required evaluatin identificatin details. Table 1. Evaluatin Details Item Identificatin Evaluatin Scheme US Cmmn Criteria Evaluatin and Validatin Scheme (CCEVS) Target f Evaluatin Apple Mac OS X versin and Apple Mac OS X Server versin EAL EAL3 Prtectin Prfile Cntrlled Access Prtectin Prfile (CAPP), versin 1.d, Octber 8, 1999 Security Target Apple Mac OS X Versin Security Target, Versin 1.0, 13 December 2005 Develper Apple Cmputer, Inc. 1 Infinite Lp; Cupertin, CA Evaluatrs SAIC - Cmmn Criteria Testing Labratry 7125 Gateway Drive, Suite 300 Clumbia, MD Validatr Catalina M. Gmlka Mitretek Systems, Inc., Falls Church, VA Dates f Evaluatin June 2002 t 27 December 2004 Cnfrmance Result Part 2 cnfrmant, Part 3 cnfrmant, and EAL3 cnfrmant Cmmn Criteria (CC) Versin Part 1: Intrductin and General Mdel, Versin 2.1, August 1999, CCIMB Cmmn Evaluatin Methdlgy (CEM) Versin Evaluatin Technical Reprt Part 2: Security Functinal Requirements, Versin 2.1, August 1999, CCIMB Part 3: Security Assurance Requirements, Versin 2.1, August 1999, CCIMB Part 1: Intrductin and General Mdel, Versin 0.6, 97/01/11, CEM-97/017 Part 2: Evaluatin Methdlgy, Versin 1.0, August 1999, CEM-99/045 Part 2: Evaluatin Methdlgy, Supplement: ALC_FLR - Flaw Remediatin, Versin 1.1, February 2002, CEM-2001/0015R Evaluatin Technical Reprt fr Apple Cmputer Mac OS X v and Mac OS X Server v Part 1 (Nn-Prprietary) Versin 1.0 December 2004 Evaluatin Technical Reprt fr Apple Cmputer Mac OS X v and Mac OS X Server v Part 2 ( SAIC and Apple Prprietary) Versin 1.0 December

8 2. Identificatin f the TOE The Mac OS X Versin includes the Mac OS X perating system, supprting hardware, and thse applicatins necessary t manage, supprt and cnfigure the perating system. The TOE is a subset f the Mac OS X prduct as defined in the administratr guidance. Apple prvides several Mac OS X sftware applicatins that are cnsidered utside the scpe f the defined TOE and thus nt part f the evaluated cnfiguratin. Services utside this evaluatin include: services; web server services, remte apple events, print sharing services, file sharing services, and classic prgramming supprt (Old Macintsh OS cmpatibility supprt). Mac OS X Server cntains a watchdg timer t restart services and prvide stability; hwever, this timer is disabled in the evaluated cnfiguratin. The fllwing hardware platfrms are included in the evaluated cnfiguratin: Mac OS X versin emac G4 imac G3 imac G4 imac G5 ibk G3 ibk G4 PwerBk G3 PwerBk G4 Pwer Mac G3 Pwer Mac G4 Cube Pwer Mac G4 (Single prcessr) Pwer Mac G4 Dual Prcessr Pwer Mac G5 (Single prcessr) Pwer Mac G5 Dual Prcessr Mac OS X Server versin Pwer Mac G4 (Single prcessr) Pwer Mac G4 Dual Prcessr Pwer Mac G5 (Single prcessr) Pwer Mac G5 Dual Prcessr Xserve G4 (Single prcessr) Xserve G4 Dual Prcessr Xserve G5 (Single prcessr) Xserve G5 Dual Prcessr 8

9 The fllwing is the sftware installed n the machines fr testing f the TOE: Mac OS X v with Cmmn Criteria Tls Package Mac OS X Server v with Cmmn Criteria Tls Package 3. Security Plicy The Mac OS X prvides the fllwing five security functins: Security Audit User Data Prtectin Identificatin and Authenticatin Security Management Prtectin f the TOE Security Functins 3.1 Security Audit The audit security functin prvides fr the generatin and management f audit. Bth f these areas are described in this sectin Audit Generatin Mac OS X maintains all audit recrds in ne r mre audit files. The audit files are managed by the audit daemn. The audit daemn is called by bth kernel-mde and user-mde prcesses t add audit recrds t the audit trail. When an audit recrd is created, the time stamp n the audit recrd is retrieved frm the time daemn described in Sectin The audit files are prtected by discretinary access cntrl (DAC) s that nly administratrs can access the audit trail. Table 2 is a list f auditable events fr which audit recrds may be generated. Table 2. Auditable Events Event Start-up and shutdwn f audit functins Reading f infrmatin frm the audit recrds Unsuccessful attempts t read infrmatin frm the audit recrds All mdificatins t the audit cnfiguratin that ccur while the audit cllectin functins are perating Actins taken due t exceeding a threshld Actins taken due t the audit strage failure All requests t perfrm an peratin n an bject cvered by the SFP (The identity f the bject will als be included as part f the audit recrd) Rejectin r acceptance by the TSF f any tested secret All use f authenticatin mechanism All use f the user identificatin mechanism, including the identity prvided during successful attempts (The rigin f the attempt will als be included as part f the audit recrd) Success and failure f binding user security attributes t a subject 9

10 All mdificatins f the values f security attributes Mdificatins f the default setting f permissive r restrictive rules All mdificatins f the initial value f security attributes All mdificatins t the values f TSF data (The new value f the TSF data will als be included in the audit recrd) All attempts t revke security attributes Mdificatins t the grup f users that are part f a rle Every use f the rights f a rle (The rle and the rigin f the request will als be included in the audit recrd) Executin f the tests f the underlying machine and the results f the test Changes t the time The fllwing infrmatin is cntained within each audit recrd: Date Time Event type User Identifier (UID) Prcess ID (PID) Success r failure The administratr has tw ptins when cnfiguring hw the audit trail will be managed. The administratr can specify a rtatin scheme amng the audit files. If the last in a series f audit files is full, Mac OS X will g back t the first audit file t start writing and verwrite any previusly recrded data. The secnd ptin is nce all audit files are filled, Mac OS X will halt. When the audit trail reaches 80% capacity, a message is written t the syslg t alert the administratr that the audit trail is reaching capacity Audit Management The audit trail is prtected s that nly the administratr can access and manage the audit trail. The administratr has a number f graphical tls t manage the audit trail. The audit tls prvide the fllwing capabilities: Audit maintenance the administratr can create, clear, and delete the audit trail. Audit selectin the administratr can select which audit events t recrd and can refine the selectin based n user identity and success r failure f the audit event. Audit review the administratr can review the cntents f the audit trail. The audit trail viewing tl permits the administratr t search and srt the audit trail based n user identity. 10

11 3.2 User Data Prtectin The Mac OS X enfrces a discretinary access cntrl (DAC) plicy n prcesses acting n the behalf f users, files, directries, named pipes, symblic links, unnamed pipes, shared memry segment, prcesses, SysV/Psix semaphres, ntificatins, BSD lcks, at jbs, crntab files, and print queue entries, and all peratins amng subjects and bjects cvered by the DAC plicy. The DAC plicy refers t a plicy that allws authrized users and authrized administratrs t cntrl access t bjects n the basis f individual user identity r membership in a grup. The user data prtectin security functin als prvides residual infrmatin prtectin. This sectin describes bth aspects f the security functin Discretinary Access Cntrl The DAC mechanism is used t cntrl access between subjects and named bjects. DAC is a mechanism that cntrls access based n user and bject identities. This sectin first identifies the attributes that are used when making DAC decisins and then describes the DAC plicy fr each type f bject DAC Attributes DAC decisins are based upn the attributes f subjects and bjects. The DAC relevant attributes f a subject are: Real UID UID established at lgn Saved UID UID saved when a setuid perfrmed Saved GID - GID saved when a setgid perfrmed PID Prcess identifier Effective UID Currently active UID Real GID - GID established at lgn Effective GID - Currently active GID Grup list List f grups t which user belngs Prcess umask Default permissins The DAC-specific attributes f the named bjects depend upn the type f bject. The fllwing list identifies the bject types fllwed by their assciated DAC attributes. File System Objects (files, directries, named pipes, symblic links, unnamed pipes) Owner Owning grup Permissin bits Prcess Objects Real UID Effective UID 11

12 Saved UID PID Real GID Interprcess Cmmunicatin (IPC) Mechanisms (shared memry segments, SysV/Psix semaphres, ntificatins, BSD lcks) Owner's UID Owning GID Creatr's UID Creatr's GID Permissin bits Nn-kernel bjects (at jbs, crntab files, and print queue entries) Owner DAC Algrithm DAC checks are made using either permissins bit checks r simple cmparisns. This sectin describes hw permissin bit checking ccurs. Simple cmparisns are nt described as they are straightfrward and will be identified when they are used. Permissin bits divide permissins int three categries and users int three relative grups. The three categries f permissins are read, write, and execute. They are dented as "r" fr read, "w" fr write, and "x" fr execute. The three relative grups are the wner f the file, the wner's grup, and every ther user. When a check is perfrmed against the permissin bits, the wner bits are checked first, fllwed by the grup bits, and cncluded with the ther bits. The first set f permissins matched is the permissin granted DAC Plicies File System Objects File system bjects fllw the DAC algrithm described in this sectin with ne exceptin; administratrs are always granted permissin t file system bjects. In rder t access a file system bject, a subject must pass the permissins bit check. Additinally, in rder t read data frm an bject with a pathname, a subject must have execute/search access t each directry in an bject's pathname, and read access t the file. In rder t write data int an bject, a subject must have execute/search access t each directry in the pathname, and write access t the file. Directry bjects have a special bit, called a sticky bit. When the sticky bit is set, nly the wner f the directry may delete anything within the directry. After a subject gains access t a file system bject, the subject receives a file descriptr. In the file descriptr is a pinter t the file bject and the permissin granted. Whenever the subject makes future requests fr the same bject, the file descriptr is checked t determine that the subject is attempting t use nly the permissins granted during the access check. In the case f unnamed pipes, n name exists in the namespace s all access ccurs via file descriptrs. An unnamed pipe is nly accessible thrugh the file descriptrs given t the prcess that created it and the creating 12

13 prcess' descendants. Because it has n name in the file system namespace, it has n pathname thrugh which it can be accessed by unrelated prcesses Access checks are perfrmed slightly differently n symblic links. The access checks are stred n the pathname stred in the symblic link, nt n the link itself Prcesses A prcess can always read its wn attributes. It can change its real UID and effective UID if it is rt (UID=0) r if the requested value is equal t its real r saved UID. A prcess can als change its real GID, effective GID, and grup list if it is rt. There is ne instance where prcesses access ne anther. One prcess can always read the attributes f anther prcess if it can name the target prcess using its PID IPC Mechanisms Each IPC bject includes a structure that cntains: (a) the creatr's effective UID and GID, (b) an wner effective UID and GID, and (c) a set f permissin bits fr creatr and wner, creatr's grup and wner's grup, and thers. The wner UID and GID is initially set t the creatr's UID and GID. Access is granted accrding t the permissin bits Nn-Kernel Objects All nn-kernel bjects, at jbs, crntab files, and print queue entries, have their wner set t the user that submitted the request. All access is checked against the wner f the bject. Only the wner r rt may access any nn-kernel bject Default DAC Only the wner r the administratr can mdify the access cntrl attributes assciated with an bject. The file system DAC permissin bits are set t the value f the subject s umask at creatin. The umask cntains the initial permissin settings and may be set as restrictively as the subject wants. The varius IDs assciated with bjects are taken frm the creating subject s attributes. If a subject changes the permissins f an bject, the changes take affect n the next access check against the bject. S, if a subject has a file descriptr pen fr an bject and attempts t use the file descriptr, the ld permissins will remain in affect until the subject clses the bject. If the subject clses the bject and then attempts t re-pen it, the new permissins wuld then be enfrced Residual Data Prtectin Mac OS X ensures that all previusly allcated memry is cleared befre is it allcated t a user prcess. File system bjects are created with all fields initialized at creatin time, verwriting the existing infrmatin. Additinally, an end f file marker prevents users frm accessing data beynd the current file bundary. Other bjects that use memry are cleared upn allcatin. This includes prcess addresses space and executin cntext, as well as IPC memry spaces. 3.3 Identificatin and Authenticatin All users n Mac OS X are identified and authenticated befre they can access any system service. Mac OS X maintains a user database with the user identifier, grup memberships, authenticatin 13

14 data, and security-relevant rles. The fllwing features are prvided by Mac OS X: lgn, user attribute management, and passwrd and accunt management. Each f these is described in the fllwing sectins Lgn Prcess The lgn prcess ensures that befre a user uses any TSF-mediated functins, that user is identified and authenticated t Mac OS X. Users can either lg nt the system lcally r via a netwrk service. When users lg n at a lcal terminal, they are presented with a graphical interface requesting their user name and passwrd. The user name is eched back t the screen while the passwrd is bscured frm the user with dts. Authenticatin can take place using lcal passwrds. When a user requests sme netwrk services, the user must be authenticated. Netwrk services either trust the identity f the client prcess r perfrm authenticatin n their wn. The client prcess ssh passes an identity, which is trusted n the remte server, and is nt required t reauthenticate unless the authenticatin fails; if authenticatin fails, the user is prmpted fr a passwrd. Other netwrk services/prtcls in the evaluated cnfiguratin are unauthenticated. Thse unauthenticated services/prtcls are: TCP/IP, NFS, and DNS. The TCP/IP prtcl relies n higher level services t perfrm authenticatin, NFS perfrms access checks based n the credentials f the requesting user, and DNS des nt require authenticatin as it simply respnds t name requests User Subject Binding A prcess is used t assciate users with subjects within the TOE. A prcess is an abstractin fr a running prgram. A prcess s resurces include a virtual address space, threads, and file descriptrs. In Mac OS X, a prcess is based n ne Mach task and ne r mre Mach threads. Every thread within a prcess has access t the address space and file descriptrs. The fllwing security relevant attributes are assciated with a prcess: Real UID Saved UID Saved grup identifier (GID) PID Effective UID Real GID Effective GID Grup list Prcess umask. There are three ways that a new subject can be created: a lgn, a frk r exec, r a batch jb is activated. When a lgn ccurs, a prcess is created n behalf f the requesting user and attributes are assigned at creatin. When a running prcess issues a frk r exec, the calling prcess is created and assigned a new PID. Lastly, when a batch jb is activated, a new prcess is created n behalf f the requesting user with the attributes f the requestr. 14

15 In mst cases, the security attributes f a subject are derived frm its creatr; hwever, using a setuid r setgid prgram, r issuing the su cmmand are exceptins. When executing a setuid r setgid prgram, the effective UID r GID, respectively, f the prcess will be changed. The new effective ID is taken frm the file wner f the file being executed. Successful executin f the su prgram allws the subject t take n the targeted identity Passwrd and Accunt Management User accunt infrmatin is stred in the NetInf database. The fllwing infrmatin is stred fr each user: User name User ID Passwrd Grups The grup infrmatin indicates if a user is part f the admin grup. Being a member f the admin grup makes a user an administratr, the nly defined rle n the system. There are tw cases where users are permitted t perfrm certain rle-like functins; thse are users authrized by the DAC Plicy t mdify bject security attributes, and users are authrized t mdify their wn authenticatin data. In these tw special cases, users d nt have t be the member f any grup. All infrmatin is stred in files prtected by DAC. Additinally, the passwrd data is stred in encrypted frmat. Only the administratr has access t update the user accunt infrmatin. Changes t the authenticatin database take affect the next time a user lgs n. If the administratr needs t immediately revke a user s accunt attributes, the user must be frced t lg ff s the changes can take affect. Passwrds are initially assigned by the administratr and can be changed at any time by the administratr. Users are permitted t change their wn passwrds by supplying their current passwrd and selecting a new passwrd. The new passwrd must have at least five characters. All characters are significant. 3.4 Security Management Mac OS X supprts security management by prviding an administratr t manage the security functins. The administratr is authrized t perfrm all management functins including establishing and maintaining user accunts, mdifying access rights, and managing the audit trail. The administratr accunt is realized via the use f a grup. Members f the admin grup are cnsidered t be administratrs. 3.5 Prtectin f the TOE Security Functins The TOE prtectin mechanisms security functin prvides abstract machine testing, reference mediatin, dmain separatin, and reliable time stamps. Each functin is described in this sectin. 15

16 3.5.1 Abstract Machine Testing Since hardware and firmware are included in the TOE, bth have tests t demnstrate their security features perate as claimed. These evaluatin test suites include tests fr memry prtectin and prcessr privileged instructins. The tests are made available t the administratr t run at the administratr s request. Apple als prvides a set f hardware diagnstics t test that the hardware is perating crrectly. The tests are run during system start-up and are called pwer-n self tests (POST) Reference Mediatin The MAC OS X architecture is based n kernel-mde architecture. The kernel executes in the kernel mde f the prcessr, which is the mst privileged mde. Untrusted prcesses run in the user mde f the prcessr. The mechanism fr entering the kernel mde als transfers cntrl t the kernel, which then arbitrates any requests fr service and access t resurces based n the security plicy and the file descriptr submitted by the user prcesses. When untrusted prcesses access system resurces in user-mde, they d s thrugh well defined server interfaces s that the security plicy is enfrced n the untrusted prcesses Dmain Separatin The sftware prtin f the TOE uses several executin dmains t prtect itself frm external interference and tampering. The kernel runs in the privileged mde (i.e., kernel-mde) prvided by the evaluated prcessr architectures. A system call trap is sftware interrupt peratin that causes a cntext switch frm user-mde int kernel-mde. In kernel-mde, a prcess can nly execute the kernel defined cde sequence that fllws frm a system call. All TOE trusted servers (e.g., printing) and Administratr tls execute in a prcess, which is prtected thrugh the address space islatin mechanisms f the kernel. Each prcess is allcated a separate address space that is nt shared unless specific access is granted Time The system time is maintained and exprted by the kernel using the time daemn. This system time is used in the audit trail t maintain an accurate accunting f when audit events ccurred. Additinally the netwrk time daemn and netwrk time prtcl (NTP) are used t synchrnize clcks amng netwrked cmputers. 4. Assumptins and Clarificatin f Scpe This sectin describes the security aspects f the envirnment in which Mac OS X is expected t perate. 16

17 4.1 Usage Assumptins This sectin cntains assumptins regarding the security envirnment and the intended usage f Mac OS X. Mac OS X is assured t prvide effective security measures in a cperative nnhstile envirnment nly if it is installed, managed, and used crrectly. The peratinal envirnment must be managed in accrdance with assurance requirements dcumentatin fr delivery, peratin, and user/administratr guidance. Mac OS X is intended fr use in areas that have physical cntrl and mnitring. Table 3 identifies the specific cnditins that are assumed t exist in an envirnment where Mac OS X is emplyed. Physical Assumptins A.LOCATE A.PROTECT Persnnel Assumptins A.MANAGE A.NO_EVIL_ADM A.COOP Table 3. Assumptins The prcessing resurces f the TOE will be lcated within cntrlled access facilities which will prevent unauthrized physical access. The TOE hardware and sftware critical t security plicy enfrcement will be prtected frm unauthrized physical mdificatin. There will be ne r mre cmpetent individuals assigned t manage the TOE and the security f the infrmatin it cntains. The system administrative persnnel are nt careless, willfully negligent, r hstile, and will fllw and abide by the instructins prvided by the administratr dcumentatin. Authrized users pssess the necessary authrizatin t access at least sme f the infrmatin managed by the TOE and are expected t act in a cperating manner in a benign envirnment. Cnnectivity Assumptins A.PEER Any ther systems with which the TOE cmmunicates are assumed t be under the same management cntrl and perate under the same security plicy cnstraints. CAPP-cnfrmant TOEs are applicable t netwrked r distributed envirnments nly if the entire netwrk perates under the same cnstraints and resides within a single management dmain. There are n security requirements which address the need t trust external systems r the cmmunicatins links t such systems. A.CONNECT All cnnectins t peripheral devices reside within the cntrlled access facilities. CAPP-cnfrmant TOEs nly address security cncerns related t the manipulatin f the TOE thrugh its authrized access pints. Internal cmmunicatin paths t access pints such as terminals are assumed t be adequately prtected. 17

18 5. Architectural Infrmatin Validatin Reprt Mac OS X is built upn an pen surce, UNIX-based cre called Darwin. Darwin integrates a number f technlgies, including the Mach 3.0 kernel, perating system services based n BSD UNIX, and netwrking facilities. Darwin prvides an advanced memry prtectin and management system. Darwin ensures reliability by prtecting applicatins with a rbust architecture that allcates a unique address space fr each applicatin r prcess. The Mach kernel augments standard virtual memry semantics with the abstractin f memry bjects. This enables Mac OS X t manage separate applicatin envirnments simultaneusly. Device drivers are created using an bject-riented prgramming framewrk called I/O Kit. Drivers created with I/O Kit easily acquire true plug and play, dynamic device management ( ht plugging ), and pwer management. I/O Kit als prvides hardware access t high-level applicatin sftware. Fr netwrk prtcl develpers, Darwin prvides the Netwrk Kernel Extensin (NKE) facility. This allws develpers t create netwrking mdules and even entire prtcl stacks that can be dynamically laded and unladed. NKEs als make it pssible t cnfigure prtcl stacks autmatically and easily mnitr and mdify netwrk traffic. At the data-link and netwrk layers, they can als receive ntificatins f asynchrnus events frm device drivers. While Darwin ffers supprt fr multiple file systems, nly the HFS+ filesystem is supprted in the evaluated cnfiguratin. Darwin als supplies the fllwing advanced functinality: Preemptive and cperative multitasking via the Mach kernel Symmetric multiprcessing (SMP) augmented by supprt fr multi-threading Real-time supprt guaranteeing lw-latency access t prcessr resurces fr time-sensitive media applicatins While Mac OS X supprts a wide range f prtcls and netwrk services, nly TCP/IP and the NFS (Netwrk Filesystem), DNS (Dmain Name Service), and SSH (Secure Shell) services are supprted in the evaluated cnfiguratin. Figure 1 prvides an verview f the architecture f Mac OS X. Figure 1. Mac OS X Architecture The system cmpnents perfrm the fllwing functins: 18

19 Aqua This prvides the graphical interface t bth users and administratrs. Applicatin Envirnments This layer prvides an applicatin envirnment fr users. An applicatin envirnment cnsists f the framewrks, libraries, and services (alng with assciated APIs) necessary fr the runtime executin f prgrams develped with thse APIs. The applicatin envirnments have dependencies n all underlying layers f system sftware. There are five applicatin envirnments prvided: 1. Carbn a set f prgramming interfaces derived frm earlier Mac OS APIs that has been mdified t wrk with Mac OS X, especially its kernel envirnment. 2. Cca a native set f Mac OS X APIs that access Mac OS X features using an bject framewrk. 3. Classic - prvides a cmpatibility envirnment that allws legacy applicatins t execute n Mac OS X. The Classic envirnment is essentially a virtual machine that allws legacy applicatins t execute in a simulated envirnment where lder APIs are translated t Mac OS X APIs. This envirnment is nt included in the evaluated cnfiguratin since lder versins f the perating system are nt included in the evaluatin. 4. Java prvides develpment and runtime envirnments and an applicatin framewrk that allw applicatins develped in Java t execute n Mac OS X. 5. BSD Cmmands a native implementatin f a cmmand line BSD cmmand envirnment. Applicatin Services -This layer cntains the graphics and windwing envirnment f Mac OS X. This envirnment is respnsible fr screen rendering, printing, event handling, and lw-level windw and cursr management. It als hlds libraries, framewrks, and backgrund servers useful in the implementatin f graphical user interfaces. Cre Services - The Cre Services layer includes a number f Carbn managers that ffer lw-level services t all applicatin envirnments. These services include cperative and preemptive threading, resurce management, memry management, and file-system peratins. Darwin - The kernel envirnment is the lwest layer f system sftware. The kernel envirnment prvides essential perating-system functinality t the layers abve it, such as: Preemptive multitasking Advanced virtual memry with memry prtectin and dynamic memry allcatin Symmetric multiprcessing Multi-user access File systems based n VFS (Virtual File System) Device drivers Netwrking Basic threading packages 19

20 6. Dcumentatin The fllwing is a list f the evaluatin evidence, each f which was issued by the develper (and spnsr). 6.1 Design dcumentatin Dcument Versin Date Cmpnent Specificatins: Administrative Tls 7 27 December 2004 Daemns Nvember 2004 Filesystem Octber 2004 Hardware 3 13 December 2004 I/O Kit 5 11 January 2005 BSD/System V Inter-Prcess Cmmunicatin 8 24 Nvember 2004 Memry Management 4 8 June 2004 Micrkernel 12 2 September 2004 Netwrking 6 19 Nvember 2004 Prcess Management September 2004 Security Framewrk May 2004 User Interface April 2004 SSH December 2004 DNS March 2004 High Level Design Overview 5 14 December Guidance dcumentatin Dcument Versin Date Cmmn Criteria Cnfiguratin and Administratin January Cnfiguratin Management dcumentatin Dcument Versin Date Apple Cnfiguratin Management Plan December Delivery and Operatin dcumentatin Dcument Versin Date Apple Delivery Prcedures Nvember

21 6.5 Life Cycle Supprt dcumentatin Dcument Versin Date Apple Life Cycle Manual December Test dcumentatin Dcument Versin Date Test Plan Cmpnent Test Specificatins: December 2004 Admin Tls (GUI) 2 30 Nvember 2004 Admin Tls (CLI) Test 2 19 Nvember 2004 Daemns Test 3 13 Nvember 2004 File System Test 7 13 Nvember 2004 NFS Filesystem Test 3 12 Nvember 2004 Hardware Test 1 13 Nvember 2004 I/O Kit Test 3 22 Nvember 2004 IPC Test 4 12 Nvember 2004 Memry Management Test 3 11 Nvember 2004 Micrkernel Test 5 19 Nvember 2004 Netwrking Test 4 12 Nvember 2004 Prcess Management Test 6 27 December 2004 Security Framewrk Test 3 12 Nvember 2004 User Netwrking Test 3 13 Nvember Vulnerability Assessment dcumentatin Dcument Versin Date Strength f Functin Analysis Apple Cmputer Mac OS X and Mac OS X Server Vulnerability Analysis December Nvember Security Target Dcument Versin Date Apple Cmputer Mac OS X v and Mac OS X Server v Security Target December

22 7. IT Prduct Testing This sectin describes the testing effrts f the vendr and the Evaluatin Team. 7.1 Vendr Testing The vendr s apprach t testing the Mac OS X security functins is based n testing the cmpnents identified in the design evidence. These tests demnstrate the security-relevant behavir f Mac OS X at the interfaces identified in the functinal specificatin and defined in the high-level design. The functinal and high-level designs are presented as a set f cmpnent specificatins. Each such specificatin describes the purpse and functinality f the cmpnent, identifies and describes its interfaces that are part f the TSFI, maps the interfaces t security functins, and describes the test cases fr each interface. Testing was therefre based n exercising each f the TSFIs and demnstrating that the specified security behavir (in terms f checks, effects and errrs) has been implemented. The vendr s tests cnsisted primarily f autmated test suites that exercise the majrity f the TSFIs. These were supplemented by manual tests t exercise aspects f the administratr and user GUIs and the CLI. The vendr addressed test depth by testing the security checks and effects f each interface with detailed knwledge abut the check r effect. Specific knwledge f security checks and effects is identifiable in the cmpnent specificatins. In additin, each test prcedure descriptin explains hw it achieves depth in its Variatin Overview sectin. Tests were rganized accrding t cmpnent, and t security-relevant interface within each cmpnent, with individual test cases crrespnding t thse described in the cmpnent specificatins. Each test prcedure specificatin als includes instructins fr running its tests, elabrating n the general instructins prvided in the Test Plan. Each test prcedure specificatin als detailed the expected results frm running the tests. An autmated test suite was used t execute the specified test cases and reprt the results fr each test. Test results were then viewed using a graphical user interface by pening the results file in a web brwser and navigating t the cmpnent s test result pages. 7.2 Evaluatr Testing The Evaluatin Team executed all autmated vendr test prcedures per the evaluated cnfiguratin as described in the Apple Cmputer Mac OS X versin Test Plan. The tests were run against the TOE versins identified belw: G5 Prcessr: PwerMac G4 Prcessr: imac PwerBk PwerMac Xserve 22

23 The Evaluatin Team als develped and executed its wn set f tests in rder t ensure that security plicies were prperly enfrced. Tests were develped fr the Audit, Identificatin & Authenticatin, and TOE Prtectin Mechanisms security functins. The Evaluatin Team s gal was t gain additinal cnfidence in Apple s test results and t prvide independent cnfirmatin f thse results. N Independent Tests were develped fr the User Data Prtectin and Security Management security functins. The Evaluatin Team determined that the test prcedures used by the vendr were sufficient. All tests were successful, with the actual results matching the expected results. 8. Evaluated Cnfiguratin The evaluated cnfiguratin cnsisted f the cmpnents identified belw: Hardware Cmpnent: Mac OS X versin : emac G4, imac G3, imac G4, imac G5, ibk G3, ibk G4, PwerBk G3, PwerBk G4, Pwer Mac G3, Pwer Mac G4 Cube, Pwer Mac G4 (single prcessr), Pwer Mac G4 Dual Prcessr, Pwer Mac G5 (single prcessr), Pwer Mac G5 Dual Prcessr Mac OS X Server versin : Pwer Mac G4 (single prcessr), Pwer Mac G4 Dual Prcessr, Pwer Mac G5 (single prcessr), Pwer Mac G5 Dual Prcessr, Xserve G4 (single prcessr), Xserve G4 Dual Prcessr, Xserve G5 (single prcessr), Xserve G5 Dual Prcessr Sftware Cmpnent: Mac OS X v with Cmmn Criteria Tls Package Mac OS X Server v with Cmmn Criteria Tls Package T btain additinal details abut the evaluated cnfiguratin, please refer t the Cmmn Criteria Cnfiguratin and Administratin v1.0. The Validatr wuld like t nte that the Evaluatin Team has nt cnducted tests n the G3 systems. The develper included the G3 systems in the set f cnfiguratins and has prvided full test results fr each claimed cnfiguratin. The Evaluatin Team reviewed the test results fr all claimed cnfiguratins and cnfirmed that all actual results matched the expected results. The G3 system is a subset f the G4, therefre the Evaluatin Team did nt deem it necessary t cnduct team testing n a G3 system. 23

24 9. Results f the Evaluatin Validatin Reprt The Mac OS X satisfies all f the EAL3 assurance requirements against which it was evaluated. The EAL3 assurance requirements include the fllwing: Assurance Class Cnfiguratin Management (ACM) Delivery and Operatin (ADO) Develpment (ADV) Guidance Dcuments (AGD) Life cycle supprt (ALC) Tests (ATE) Vulnerability assessment (AVA) Table 4. EAL3 Assurance Cmpnents Assurance Cmpnents ACM_CAP.3 Authrizatin cntrls ACM_SCP.1 TOE CM cverage ADO_DEL.1 Delivery prcedures ADO_IGS.1Installatin, generatin, and start-up prcedures ADV_FSP.1 Infrmal functinal specificatin ADV_HLD.2 Security enfrcing high-level design ADV_RCR.1 Infrmal crrespndence demnstratin AGD_ADM.1 Administratr guidance AGD_USR.1 User guidance ALC_DVS.1 Identificatin f security measures ATE_COV.2 Analysis f Cverage ATE_DPT.1 Testing: high-level design ATE_FUN.1 Functinal testing ATE_IND.2 Independent testing - sample AVA_MSU.1 Examinatin f guidance AVA_SOF.1 Strength f TOE security functin evaluatin AVA_VLA.1 Develper vulnerability analysis The Security Target prvides a detailed descriptin f hw Mac OS X meets each f the listed cmpnents. 24

25 10. Validatin Cmments/Recmmendatins The Validatr determined that the evaluatin and all f its activities were perfrmed in accrdance with the CC, the CEM and CCEVS practices. The Validatr agrees that the CCTL presented apprpriate ratinales t supprt the Evaluatin Results presented in Sectin 5 f the ETR, Part 1, and the Cnclusins presented in Sectin 6 f the ETR, vlume 1. The Validatr, therefre, cncludes that the evaluatin and the Pass results fr the TOE identified belw is cmplete and crrect: Mac OS X v and Mac OS X Server v The Validatr wuld like t acknwledge that the TOE is a subset f the Mac OS X prduct as defined in the administratr guidance. Apple prvides several Mac OS X sftware applicatins that are cnsidered utside the scpe f the defined TOE and thus nt part f the evaluated cnfiguratin. Services utside the evaluatin cnfiguratin include: services; web server services; remte apple events; print sharing services; file sharing services; and classic prgramming supprt (Old Macintsh OS cmpatibility supprt). Als, Mac OS X Server cntains a watchdg timer t restart services and prvide stability; hwever, this timer is disabled in the evaluated cnfiguratin. In additin, the pen surce UNIX-based cre that Mac OS X is built upn nly supprts the HFS+ filesystem in the evaluated cnfiguratin. Furthermre, while Mac OS X supprts a wide range f prtcls and netwrk services, nly TCP/IP and the NFS (Netwrk Filesystem), DNS (Dmain Name Service), and SSH (Secure Shell) services are supprted in the evaluated cnfiguratin. 11. Security Target The Security Target is entitled, Apple Cmputer Mac OS X v and Mac OS X Server v Security Target, versin 1.0, 13 December

26 12. List f Acrnyms API Applicatin Prgram Interface BSD Berkeley Sftware Distributin CAPP Cntrlled Access Prtectin Prfile CCEVS Cmmn Criteria Evaluatin and Validatin Scheme CCIMB Cmmn Criteria Interpretatins Management Bard CCTL Cmmn Criteria Testing labratry CEM Cmmn Evaluatin Methdlgy CLI Cmmand Line Interface DAC Discretinary Access Cntrl DNS Dmain Name Service EAL3 Evaluatin Assurance Level 3 GID Saved Grup Identifier GUI Graphical User Interface HFS Hierarchical Filesystem IPC Interprcess Cmmunicatin NFS Netwrk Filesystem NIAP Natinal Infrmatin Assurance Partnership NKE Netwrk Kernel Extensin NTP Netwrk Time Prtcl PID Prcess Id POST Pwer-n Self Tests SAIC Science Applicatins Internatinal Crpratin SFP Security Functin Plicy SMP Symmetric Multiprcessing SSH Secure Shell TOE Target f Evaluatin TSF TOE Security Functin TSFIs TOE Security Functin Interfaces UID User Identifier VFS Virtual Filesystem 26

27 13. Bibligraphy The fllwing dcuments were used in cmpiling this Validatin Reprt: Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin, Versin 2.1, August 1999: Part 1: Intrductin and General Mdel Part 2: Security Functinal Requirements Part 3: Annexes Part 4: Security Assurance Requirements Cmmn Evaluatin Methdlgy fr Infrmatin Technlgy Security: Part 1: Intrductin and General Mdel, Versin 0.6, 11 January 1997 Part 2: Evaluatin Methdlgy, Versin 1.0, August 1999 Apple Cmputer Mac OS X v and Mac OS X Server v Security Target, versin 1.0, 13 December 2004 Evaluatin Technical Reprt fr Apple Cmputer Mac OS X v and Mac OS X Server v Part 2 (SAIC and Apple Prprietary), Versin 1.0, 27 December 2004 Evaluatin Technical Reprt fr Apple Cmputer Mac OS X v and Mac OS X Server v Part 1 (Nn-Prprietary), Versin 1.0, 27 December 2004 Evaluatin Team Test Plan fr Apple Cmputer Mac OS X and Mac OS X Server v ETR Part 2 Supplement (SAIC and Apple Prprietary), Versin 1.0, 27 December