Modeling Security Functional Requirements
Helmut Kurth, atsec information security

Outline

- The CC paradigm: an attempt at an explanation
- Putting it into context: a basis for modeling SFRs
- Mapping the model to part 2
- Deficiencies of CC part 2 components and how to overcome them
- Suggestions for improvement
- There is still a long way to perfection!

CC Paradigms

- User: active entity outside of the TOE that requests services from the TOE (human user or external IT system).
- Subject: active entity within the TOE but outside of the TSF (such that services requested by a subject are mediated by the TSF).
- User-subject binding: service of the TSF that binds a user to a subject such that the subject may request services on behalf of the user.
- Open issues: trusted subjects; subjects not operating on behalf of a user.

CC Paradigms

- Object: passive entity controlled by the TSF.
- Resource: entity managed and controlled by the TSF.
- Information: anything a user may extract from the TOE by using services.
- Open issues: difference between objects and resources; entities that are sometimes passive (are operated upon), sometimes active; relation between information and the objects/resources it is stored in or processed by.

CC Paradigms

- Security attributes:
  - May exist for users, subjects, information, objects, sessions, and resources.
  - Are managed by the TSF and used as part of the rules defining the security policy enforced by the TSF.
- User data: data stored in resources or objects controlled by the TSF, where the TSF does not interpret the data.
- TSF data: data stored in resources or objects controlled by the TSF which is used by the TSF as part of its operation. Example: security attributes, TSF internal state.

Problems with the Paradigm

- No guidance is provided on how to define/identify subjects, objects, resources, information, and security attributes.
- No mapping from the paradigms to the security functional components is provided.
- No consistency check between the paradigm and the functional components has been performed.
- This is one reason why part 2 of the CC is so hard to apply!

New Approach

- Let's stay with the terms used in the paradigm.
- Let's develop a model of what we want to have as security functions.
- Only when this is done, attempt to map the model to part 2 of the CC!
- Starting with part 2 of the CC when developing your model will bring you into trouble!
- What we suggest is a step-by-step approach to develop security functional requirements based on the CC paradigm.

Policy elements in context

(Diagram: User 1 and User 2 outside the TOE; inside the TOE a Subject, the TSF, a Resource and two Objects.)

User-subject binding

(Diagram: User 1 and User 2 outside the TOE; inside the TOE a Subject, the TSF, a Resource and two Objects.)

1. User requests binding and presents required credentials.
2. TSF binds subject to user.
3. User requests TSF services via subject.

TSF data and policy elements

(Diagram of the TSF data held for each policy element)

- User U: Type, Attribute 1, Attribute 2, ..., Attribute n
- Subject S: Type, Attribute 1, Attribute 2, ..., Attribute m
- Object O: Type, Attribute 1, Attribute 2, ..., Attribute p
- Resource R: Type, Attribute 1, Attribute 2, ..., Attribute q
- Channel: Type, Attribute 1, Attribute 2, ..., Attribute r
- TSF state
- TSF architecture
- TSF rules
- TSF event monitors

Additional policy elements - Communication Channels

- Designates logical communication channels
- May be characterized by security attributes like:
  - Requires confidentiality protection
  - Requires integrity protection
  - Requires replay protection
  - Requires data authentication
- May have rules that determine initialization, management, use and termination of the channel

Additional policy elements - Event Monitoring

- Defines events the TSF needs to react upon:
  - Attempted violation of the policy
  - Detected failure of abstract machine or device
  - Reaching a specific state
- Defines the rules for how to react to events:
  - Generate audit entry
  - Send message to external user
  - Modify state and/or security attributes of policy elements
  - Go to a specific state

Additional policy elements - TSF architecture

- Additional rules to achieve security objectives:
  - Separation of different subjects
  - Non-bypassability
  - TSF internal information flow control
  - Consistency of TSF data
  - Separation between TSF and non-TSF portion of the TOE
  - Availability of services
- One may well argue that they are outside of the policy, but they are still required to satisfy valid security objectives

Removed policy element - Session

- Term used for traditional types of terminal session
- Can (with some interpretation) also be used for session level protocols
- Paradigm can be addressed by the new (broader) channel paradigm:
  - Session establishment
  - Selection of session attributes
  - Limitation on concurrent sessions
  - Session locking
  - Session termination
  - Access banner, access history

Removed policy element - Information

- Does not really fit with the other elements
- The paradigm section states it is required for modeling information flow control
- This is usually modeled via object and resource security attributes and access / use of the objects and resources, with rules on the automatic initialization and management of those attributes
- Requires support by architectural aspects
- Is therefore removed as an element of the paradigms

Developing a security policy - Step 1: Element definition

- Start with an initial set of users, subjects, objects, resources, channels
- Start with an initial set of security attributes for each
- Quite often one will identify that different types or classes of users, subjects, objects, resources and channels have different security attributes. Identify the types required
- Define rules for creation, management and deletion of each element (if applicable)
  - Usually additional security attributes are identified by this process
- Define rules for the initial values and the management of security attributes

Developing a security policy - Step 2: User interaction

- Define the rules for users to interact with the TSF:
  - Credentials to present
  - Rules when credentials are required
  - User-subject binding rules (if required)
  - Channels to be used
  - Rules for channel establishment
  - Setting the channel attributes
  - Other security relevant actions performed during channel establishment (like key establishment, access banner display)

Developing a security policy - Step 3: Object and resource usage rules

- Define the rules for use of objects and resources by subjects and users
- Usually different per object type and per resource type
- Rules are usually based on security attributes of users, subjects, objects, resources, and channels used
- Rules may also use TSF state information (like time, specific state like maintenance state, etc.)
  - Record the TSF state variables used
- Definition of rules quite often identifies additional security attributes of the elements involved
  - Go back and define how those attributes are initialized and managed

Developing a security policy - Step 4: Import and export of objects

- Export means: it is transferred out of the control of the TSF without sending it to a user connected to the TSF via a defined channel
- Import means: it is accepted from some unknown source
- Define requirements for import and export of objects:
  - When import and export is allowed
  - What is required to be with the object when imported or exported (for example a defined set of security attributes)
  - How the object is transformed and checked when imported (for example decrypted, integrity check, authenticity check, etc.)
  - How the object is transformed when exported (for example encrypted, digitally signed, etc.)

Developing a security policy - Step 5: Event definition, monitoring and management

- Identify the events that need to be monitored
- For each event, define the actions to be performed when an event happens, like:
  - Write an audit record
  - Send a message to a user
  - Change the TSF state
  - Change security attributes of policy elements

Developing a security policy - Step 6: TSF internals

- Identify objectives that need to be addressed by TSF internals (TSF architecture):
  - Separation
  - Reference mediation
  - Availability requirements
  - Privacy
  - Information flow control requirements
  - TSF internal integrity and consistency checks
  - Automated rules for modifying security attributes and TSF state variables
- Some of those need to be supported by the rules defining the use of resources
  - For example, information flow control requirements and privacy requirements may need support from rules defining usage of objects and resources

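The following is an added illustration (not part of the original slides) of how steps 1, 2, 3 and 5 of the approach fit together as an executable policy model: policy elements with typed security attributes, a user-subject binding that requires credentials, object usage rules that depend on attributes and on a TSF state variable, and an event monitor that writes audit records and changes a security attribute or the TSF state. The element types, attributes, rules and the three-failure lockout are constructed for the example, not taken from the deck.

```python
from dataclasses import dataclass
# Step 1: policy elements with their security attributes (constructed sample)
@dataclass
class User:
    name: str
    clearance: int          # security attribute used by the usage rules
    password: str           # credential presented at user-subject binding
    failed_logins: int = 0  # attribute managed by an event rule (step 5)
@dataclass
class Obj:
    obj_type: str                     # "file" or "device": own rule per type
    classification: int = 0           # attribute of files
    readers: frozenset = frozenset()  # attribute of devices
@dataclass
class Subject:
    user: User                        # the user this subject acts for

class TSF:
    def __init__(self):
        self.state = "operational"    # TSF state variable read by the rules
        self.audit = []               # audit trail written by the event monitor
    # Step 5: every event gets an audit record; some also change an attribute or the TSF state
    def on_event(self, event, user=None):
        self.audit.append(event)
        if event == "auth_failure" and user is not None:
            user.failed_logins += 1
            if user.failed_logins >= 3:      # constructed lockout rule
                self.state = "locked"
    # Step 2: user-subject binding needs valid credentials and an unlocked TSF
    def bind(self, user, password):
        if self.state != "operational":
            self.on_event("binding_refused")
            return None
        if password != user.password:
            self.on_event("auth_failure", user)
            return None
        self.on_event("binding_ok")
        return Subject(user)
    # Step 3: usage rule per object type, based on attributes and TSF state
    def read(self, subject, obj):
        if self.state != "operational":
            self.on_event("access_refused")
            return False
        if obj.obj_type == "file":
            ok = subject.user.clearance >= obj.classification
        else:
            ok = subject.user.name in obj.readers
        self.on_event("access_ok" if ok else "attempted_violation")
        return ok
```

Writing the rules this way makes visible which attributes and state variables each rule reads, which is exactly what step 3 asks you to record before mapping to part 2.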
Mapping to CC part 2

- Basic question: once all this is defined, can it be mapped to the components of part 2?
  - Should be possible for the elements taken from the part 2 paradigms
- Answer: it is only partly possible
  - Part 2 was not developed by putting the elements of the paradigm into context and consistently deriving components from such a model

Attempted mapping - Step 1: Element definition

- Element definition: assumed to exist by part 2, no formal requirement to list element types and their security attributes
- Element creation and initialization: partly covered by FMT_MSA
- Management of security attributes: partly covered by several components in the FMT family
  - Not consistently addressed (too limited in the rules one can define)

Attempted mapping - Step 2: User interaction

- Partly addressed by FIA
  - View of authentication is too narrow
- Partly addressed by FTA
  - Too much related to the classical terminal session
- Partly addressed by FTP
  - Not sufficient to model all security attributes of channels and their management

Attempted mapping - Step 3: Object and resource usage rules

- Partly addressed by FDP and FRU
- Management aspects partly covered by FMT
- FRU also contains requirements on TSF internals
- Many components are too restrictive to be applicable to many security policies
  - For example, access control is restricted to access of subjects to objects, ignoring that there may be direct access of users
  - Usage of resources is similar to access to objects and requires similar flexibility in the definition of the rules

Attempted mapping - Step 4: Import and export of objects

- Can be partly mapped to:
  - FDP_ETC and FDP_ITC
  - FDP_UCT and FDP_UIT
  - FCO
- Also here more flexibility in the definition of the rules is required

Attempted mapping - Step 5: Event definition, monitoring and management

- Partly covered by FAU
  - Some requirements in FAU are related to the TSF internals
- Parts of FDP_SDI
- FDP_IFF.6
- FIA_AFL
- Several components in the FPT family
- FRU_FLT
- Also here flexibility is missing and the aspect is not addressed consistently

Attempted mapping - Step 6: TSF internals

- Mainly addressed by FPT
- Parts of FAU_STG
- FDP_ITT
- FDP_RIP
- FDP_SDI
- Parts of FPR
- Parts of FRU
- Many TSF internals need to be supported by usage rules and management functions!

Conclusion

- We have defined a framework for the definition of security functional requirements based on the paradigms defined in CC part 2
- We have identified that the structure of the components in part 2 does not follow a clear model
- We have identified that many components from part 2 do not provide sufficient flexibility to model everything one can define with our framework
- Still, most components of part 2 fit in our framework; some re-arrangement would enhance the understanding of part 2

Suggested future work

- Test the framework with different types of IT products and enhance it where necessary
- Arrange the components of part 2 around the framework
- Change components where more flexibility is required
- Remove redundant components
- Add missing components