Computer and Network Security
Common Criteria
R. E. Newman
Computer & Information Sciences & Engineering
University of Florida
Gainesville, Florida 32611-6120
nemo@cise.ufl.edu
Common Criteria
Consistent Terminology, Practices, Mechanisms
1 Definitions
1.1 Security vs. assurance vs. trust
Common Criteria
Cooperative effort among Canada, France, Germany, The Netherlands, UK, USA (NSA, NIST)
Defines sets of security criteria that may be used to define needs and claims
Does NOT:
  Specify a development approach for products
  Specify particular forms or formats for product specification
  Specify an evaluation methodology
  Guarantee fitness for use of an evaluated product
CC Terms
Class: a grouping of families with a common focus
Component: the smallest selectable set of elements for inclusion in a PP, ST, or package
Element: an indivisible security requirement
Evaluation: assessment of a PP, ST, or TOE against defined criteria
Evaluation Assurance Level (EAL): a package of assurance components from Part 3 representing a point on the CC predefined assurance scale
Evaluation Scheme: an administrative and regulatory framework under which the CC is applied
Family: a grouping of components that share security objectives but differ in emphasis or rigor
Package: a reusable set of either functional or assurance components (e.g., an EAL) that together satisfy a defined set of security objectives
Protection Profile (PP): an implementation-independent set of security requirements for a category of TOEs that meets specific customer needs
CC Terms
Security Function (SF): a part or parts of the TOE relied upon to enforce a subset of the rules of the TSP
Security Function Policy (SFP): the security policy enforced by an SF
Security Objective: a statement of intent to counter identified threats and/or to satisfy identified organizational security policies or assumptions
Security Target (ST): a set of security requirements and specifications to be used to evaluate an identified TOE
Strength of Function (SOF): a qualification of a TOE SF expressing the minimum effort assumed to be required to defeat its underlying mechanisms
Target of Evaluation (TOE): an IT product or system, together with its administrative and user guides, that is subject to evaluation
TOE Security Functions (TSF): the hardware, firmware, and software that enforce the TSP of a TOE
TOE Security Policy (TSP): a set of rules that regulate how assets are managed, protected, and distributed in a TOE
TOE Evaluation Process
Security Requirements (PP and ST) -> Develop TOE -> TOE and Evaluation Evidence -> Evaluate TOE -> Evaluation Results -> Operate TOE
Evaluate TOE draws on the Evaluation Criteria, the Evaluation Scheme, and the Evaluation Methodology
Feedback from Operate TOE flows back to the earlier stages
TOE Evaluation Representation Requirements
At each level of refinement in the TOE specification and development process, representations must be detailed and complete enough to ensure:
(a) Sufficiency: the refinement is a complete instantiation of the higher levels (i.e., all TSFs, properties, and behaviors defined at a higher level must be demonstrably present at the lower level);
(b) Necessity: the refinement is an accurate instantiation of the higher levels (i.e., there are no TSFs, properties, or behaviors at the lower level that are not present at a higher level).
TOE Security Environment
The TSE includes all relevant laws, regulations, organizational security policies, customs, knowledge, expertise, and threats present or assumed (the CONTEXT).
The PP or ST writer must take into account:
a) the physical environment (including physical protection and personnel);
b) assets requiring protection (direct and indirect);
c) the TOE purpose (product type and intended use).
Security statements about the TOE, made after threat, risk, and policy investigation:
a) assumptions about the environment for the TOE to be considered secure;
b) threats to asset security: threat agent, presumed attack method, vulnerabilities exploited, assets attacked;
c) applicable organizational policies and rules.
TOE Security Objectives
Statement of goals regarding threats to counter or policies to meet, based on the purpose of the TOE and its assumed environment
Addresses all security concerns and declares which are to be handled by the TOE and which by its environment, based on engineering judgement, security policy, economic factors, and risk acceptance decisions
Security objectives for the environment are met by non-technical and procedural means
Security objectives for the TOE and its IT environment are refined into IT Security Requirements
TOE IT Security Requirements
Refinement of the security objectives for the TOE and its IT environment which, if met, would ensure that the TOE meets its security objectives
Decomposed into Functional Requirements and Assurance Requirements
Functional requirements (Part 2) include I&A, audit, non-repudiation, ...
  Levied on TSFs
  If TOE SFs are realized by probabilistic or permutational mechanisms (e.g., hash functions, passwords, ...), then an SOF may be specified (SOF-basic, SOF-medium, SOF-high)
Assurance requirements (Part 3) are levied on a) actions of the developer, b) evidence produced, and c) actions of the evaluator; assurance is derived from a) correctness of the implementation of the SFs and b) efficacy of the SFs
TOE Summary Specification
Part of the Security Target (ST)
Defines the instantiation of the security requirements for the TOE:
  High-level definition of the Security Functions (SFs) claimed to meet the functional requirements; and
  Assurance measures taken to meet the assurance requirements
Dependencies
May exist between functional components
May exist between assurance components
May exist between functional and assurance components
Arise when a component is not sufficient by itself and relies on the presence of another component
Dependency descriptions are part of the CC component definitions
Must be satisfied when incorporating components into PPs and STs, for completeness
Operations on Components
Iteration: a component may be used more than once, with varying operations
Assignment: specification of a parameter to be filled in when the component is used
Selection: specification of items from a list given in the component
Refinement: addition of extra detail when the component is used
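The dependency rule and the iteration operation above are the two things an ST author most often gets wrong by hand: a component is pulled in, its own dependencies are forgotten, and an iterated component (FAU_GEN.1/Net, FAU_GEN.1/Host) is counted twice or not at all. The following checker is an added example, not part of these slides or of the CC itself. Its dependency table and hierarchy map are a constructed sample modelled on the Part 2 naming scheme; the authoritative dependency statements live in the component definitions in Part 2 and Part 3 and must be taken from there for a real PP or ST. The functions base_component, unsatisfied_dependencies and dependency_closure are names chosen here for illustration.

```python
"""Dependency-completeness check for components selected into a PP or ST.

Added example. SAMPLE_DEPENDENCIES and SAMPLE_HIERARCHY are a constructed
sample, not the authoritative CC Part 2 tables.
"""
from collections import deque

# Constructed sample: component -> components it relies on.
# A tuple models an "A or B" dependency where either alternative satisfies it.
SAMPLE_DEPENDENCIES = {
    "FAU_GEN.1": ["FPT_STM.1"],                 # audit generation needs time stamps
    "FAU_SAR.1": ["FAU_GEN.1"],                 # audit review needs audit data
    "FIA_UAU.1": ["FIA_UID.1"],                 # authentication needs identification
    "FIA_UAU.2": ["FIA_UID.1"],
    "FMT_MSA.1": [("FDP_ACC.1", "FDP_IFC.1"), "FMT_SMR.1", "FMT_SMF.1"],
    "FMT_MSA.3": ["FMT_MSA.1", "FMT_SMR.1"],
    "FMT_SMR.1": ["FIA_UID.1"],
    "FDP_ACC.1": ["FDP_ACF.1"],
    "FDP_ACF.1": ["FDP_ACC.1", "FMT_MSA.3"],
    "FPT_STM.1": [], "FIA_UID.1": [], "FIA_UID.2": [], "FMT_SMF.1": [],
}

# Constructed sample: a component and the lower component it is hierarchical
# to, so selecting the higher one also satisfies a dependency on the lower.
SAMPLE_HIERARCHY = {"FIA_UID.2": "FIA_UID.1", "FIA_UAU.2": "FIA_UAU.1"}


def base_component(name):
    """Strip an iteration suffix ('FAU_GEN.1/Net', 'FAU_GEN.1(2)') to the component id."""
    for sep in ("/", "("):
        name = name.split(sep, 1)[0]
    return name.strip()


def _satisfied_by(components, hierarchical_to):
    """The components themselves plus every component each one is hierarchical to."""
    satisfied = set(components)
    for comp in components:
        lower = comp
        while lower in hierarchical_to:
            lower = hierarchical_to[lower]
            satisfied.add(lower)
    return satisfied


def unsatisfied_dependencies(selected, dependencies=SAMPLE_DEPENDENCIES,
                             hierarchical_to=SAMPLE_HIERARCHY):
    """Return {component: [missing dependency, ...]} for the selected components.

    Iterations collapse to one base component. A component absent from the
    dependency table is treated as having no dependencies.
    """
    present = {base_component(s) for s in selected}
    satisfied = _satisfied_by(present, hierarchical_to)
    missing = {}
    for comp in sorted(present):
        for dep in dependencies.get(comp, []):
            alternatives = dep if isinstance(dep, tuple) else (dep,)
            if not any(alt in satisfied for alt in alternatives):
                missing.setdefault(comp, []).append(" or ".join(alternatives))
    return missing


def dependency_closure(selected, dependencies=SAMPLE_DEPENDENCIES,
                       hierarchical_to=SAMPLE_HIERARCHY):
    """Return the set of base components needed so that every dependency is met,
    following dependencies of newly added components as well.

    For an "A or B" dependency that nothing satisfies, the first alternative is
    taken; a real PP/ST author makes that choice deliberately and records it in
    the rationale.
    """
    needed = {base_component(s) for s in selected}
    queue = deque(sorted(needed))
    while queue:
        comp = queue.popleft()
        satisfied = _satisfied_by(needed, hierarchical_to)
        for dep in dependencies.get(comp, []):
            alternatives = dep if isinstance(dep, tuple) else (dep,)
            if not any(alt in satisfied for alt in alternatives):
                chosen = alternatives[0]
                needed.add(chosen)
                queue.append(chosen)
    return needed


if __name__ == "__main__":
    # Constructed selection: two iterations of audit generation, audit review,
    # authentication, and security-attribute management.
    chosen = ["FAU_GEN.1/Net", "FAU_GEN.1/Host", "FAU_SAR.1", "FIA_UAU.2", "FMT_MSA.1"]
    for comp, deps in unsatisfied_dependencies(chosen).items():
        print(f"{comp}: missing {', '.join(deps)}")
    print("to add:", sorted(dependency_closure(chosen) - {base_component(c) for c in chosen}))
```

Run on the constructed selection, the check reports FAU_GEN.1 missing FPT_STM.1, FIA_UAU.2 missing FIA_UID.1, and FMT_MSA.1 missing its access-control, role and management-function dependencies; the closure then shows that closing those gaps pulls in seven further components, because FDP_ACC.1 needs FDP_ACF.1, which in turn needs FMT_MSA.3. That chain is exactly why the slides insist dependencies be checked for completeness rather than assumed.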
Packages
An intermediate combination of components
Permits expression of a set of functional or assurance requirements that meet an identifiable subset of security objectives
Intended for reuse
May be used in larger packages, PPs, and STs
EALs (Evaluation Assurance Levels) are predefined assurance packages in Part 3; each EAL is a baseline set of consistent assurance requirements for evaluation
Protection Profiles
A consistent set of functional and assurance requirements, taken from the CC or stated explicitly, along with an EAL (perhaps augmented)
Permit expression of security requirements for a set of TOEs that will comply fully with a set of security objectives
Intended for reuse
Contain the rationale for objectives and requirements
Security Targets
A consistent set of security requirements, made by reference to a PP, by reference to CC functional and assurance components, or by explicit statement
Contains the TOE Summary Specification, along with security requirements and objectives, and rationales for each
Basis for agreement among all parties as to what security the TOE offers
Protection Profile Specification
PP Introduction
  PP identification
  PP overview
TOE Description
TOE Security Environment
  Assumptions
  Threats
  Organizational security policies
Security Objectives
  For the TOE
  For the environment
IT Security Requirements
  TOE Security Requirements
    TOE functional requirements
    TOE assurance requirements
  Security Requirements for the IT Environment
PP Application Notes
Rationale
  For Security Objectives
  For Security Requirements
Security Target Specification
ST Introduction
  ST identification
  ST overview
  CC conformance
TOE Description
TOE Security Environment
  Assumptions
  Threats
  Organizational security policies
Security Objectives
  For the TOE
  For the environment
IT Security Requirements
  TOE Security Requirements
    TOE functional requirements
    TOE assurance requirements
  Security Requirements for the IT Environment
TOE Summary Specification
  TOE Security Functions
  Assurance measures
PP Claims
  PP reference
  PP tailoring
  PP additions
Rationale
  For Security Objectives
  For Security Requirements
  For TOE Summary Specification
  For PP Claims