
TM8104 IT Security Evaluation, Autumn 2009. Evaluation - the Main Road to IT Security Assurance. CC Part 3.




1 TM8104 IT Security Evaluation, Autumn 2009. Evaluation - the Main Road to IT Security Assurance (CC Part 3)

2 Assurance definition. Assurance that the claimed security measures of the TOE are effective and implemented correctly is derived from knowledge about the definition, the construction and the operation of the TOE.

3 Measuring assurance: by active investigation of the TOE, by expert evaluators, with increasing emphasis on scope, depth and rigour.

4 Assurance structure. Levels of abstraction, from the highest down to the TOE itself: statements of requirements, technical specification, high-level design, detailed design, implementation, TOE.
Each assurance component consists of:
- Developer actions (.D): activities to be performed by the developer ("shall use", "shall provide")
- Content and presentation of evidence (.C): the evidence required for evaluation, what the evidence must demonstrate, and what information it must convey ("include", "identify", "describe", "show", "demonstrate")
- Evaluator actions (.E): the analysis implied by the evidence provided and by the targeted level of assurance ("confirm", "determine")

5 Organising the requirements:
- Class: share a common intent; different coverage of security objectives
- Family: share security objectives; different in emphasis or rigour
- Component: describes a set of security requirements
- Element: describes indivisible security requirements

6 Class hierarchy. Assurance class i (1 < i < 7) contains assurance families 1 ... n (2 < n < 6); each assurance family contains assurance components 1 ... j (1 < j < 6); each assurance component contains elements 1 ... k (1 < k < 21).

7 Assurance classes and families

8 Assurance class ACM, Configuration Management. Families: CM Automation, CM Capabilities, CM Scope. CC Part 3, pages 71-86.

9 Configuration management: integrity of the TOE (number of components in parentheses). ACM_AUT (2) CM automation: establishes the level of automation used to control the configuration items. ACM_CAP (4) CM capabilities: define the characteristics of the CM system. ACM_SCP (3) CM scope: indicates the TOE items that need to be controlled by the CM system.

10 ACM_AUT.1 Partial Configuration Management Automation. Objectives: the automated tools must be able to support the numerous changes that occur during development, and ensure that the changes are authorised. Dependencies: ACM_CAP.3 Authorization controls. Developer action elements: ACM_AUT.1.1D, ACM_AUT.1.2D. Content and presentation of evidence: ACM_AUT.1.1C to ACM_AUT.1.4C. Evaluator action elements: ACM_AUT.1.1E.

11 Assurance class ADO, Delivery and Operation. Families: Delivery; Installation, Generation and Start-Up. CC Part 3, pages 87-92.

12 Delivery and operation: secure delivery, installation and operation of the TOE. ADO_DEL (3) Delivery: covers the procedures to maintain appropriate security during transfer of the TOE to the user. ADO_IGS (2) Installation, generation and start-up: covers secure installation, generation and start-up procedures.

13 Assurance class ADV, Development. Families: Functional Specification, High-Level Design, Implementation Representation, TSF Internals, Low-Level Design, Representation Correspondence. CC Part 3, pages 93-128.

14 Development (1): descriptions of the representation of the TSF at various levels of abstraction, and the correspondence mappings between them. ADV_FSP (6) Functional specification: correspondence and consistency between the TSP, the TSP model and the functional specification. ADV_HLD (5) High-level design: provides a description of the TSF in terms of major structural units. ADV_IMP (3) Implementation representation: description of the implementation in terms of source code, firmware construction documentation, hardware drawings, etc.

15 Development (2). ADV_INT (3) TSF internals: describes the internal structure of the TSF. ADV_LLD (3) Low-level design: a description of the internal workings of the TSF in terms of modules, their interrelationships and dependencies. ADV_RCR (3) Representation correspondence: describes the correspondence between the various development representations.

16 Assurance class AGD, Guidance Documents. Families: Administrator Guidance, User Guidance. CC Part 3, pages 129-133.

17 Guidance documents: requirements for user and administrator guidance. AGD_ADM (1) Administrator guidance: how to configure, maintain and administer the TOE correctly for maximum security. AGD_USR (1) User guidance: documentation for the non-administrative user of the TOE.

18 Assurance class ALC, Life Cycle Support. Families: Development Security, Flaw Remediation, Life Cycle Definition, Tools and Techniques. CC Part 3, pages 135-147.

19 Life cycle support: the establishment of discipline and control in the process of refinement of the TOE during development and maintenance. ALC_DVS (2) Development security: concerned with the physical, procedural, personnel and other security measures used in the development environment to protect the TOE. ALC_FLR (4) Flaw remediation: discovered flaws should be tracked and corrected by the developer. ALC_LCD (3) Life cycle definition: establishment of a model for development and maintenance of the TOE. ALC_TAT (3) Tools and techniques: selection of tools for development, analysis and implementation of the TOE.

20 Assurance class ATE, Tests. Families: Coverage, Depth, Functional Tests, Independent Testing. CC Part 3, pages 149-165.

21 Tests: testing establishes whether the TSF exhibits the properties necessary to satisfy the functional requirements of the PP/ST. ATE_COV (3) Coverage: deals with the completeness of testing. ATE_DPT (4) Depth: decides the level of detail to which the TOE is tested. ATE_FUN (1) Functional tests: establishes that the TSF exhibits the properties necessary to satisfy the functional requirements of its PP/ST. ATE_IND (3) Independent testing: demonstrates that the security functions perform as specified.

22 Assurance class AVA, Vulnerability Assessment. Families: Covert Channel Analysis, Misuse, Strength of TOE Security Functions, Vulnerability Analysis. CC Part 3, pages 167-185.

23 Vulnerability assessment (1): addresses the possible existence of exploitable covert channels, misuse or incorrect configuration of the TOE, and the ability of all security-critical mechanisms to withstand direct attacks. AVA_CCA (3) Covert channel analysis: carried out to determine the existence and potential capacity of unintended signalling channels. AVA_MSU (2) Misuse: investigates whether the TOE can be configured or used in a manner which is insecure.

24 Vulnerability assessment (2). AVA_SOF (1) Strength of TOE security functions: assessment of the strength of the security mechanisms. AVA_VLA (4) Vulnerability analysis: assessment to determine whether the vulnerabilities identified could allow malicious users to violate the TSP.

25 Assurance family ADV_INT TSF Internals (components 1, 2, 3).
- Objectives: deals with the internal structure of the TSF: modular construction, layering of software, minimization of circular dependencies, minimization of non-TSP-enforcing software.
- Component levelling: based on the amount of structure and minimization required.
- Application notes: "portions of the TSF" (interfaces, sub-systems, modules, implementation units).

26 Assurance family ADV_INT TSF Internals. ADV_INT.1 Modularity. Dependencies: ADV_IMP.1 Subset of the implementation of the TSF; ADV_LLD.1 Descriptive low-level design. Developer action elements:
- ADV_INT.1.1D The developer shall design and structure the TSF in a modular fashion that avoids unnecessary interactions between the modules of the design.
- ADV_INT.1.2D The developer shall provide an architectural description.

27 Assurance family ADV_INT TSF Internals. ADV_INT.1 Modularity. Content and presentation of evidence:
- ADV_INT.1.1C The architectural description shall identify the modules of the TSF.
- ADV_INT.1.2C The architectural description shall describe the purpose, interface, parameters and effects of each module of the TSF.
- ADV_INT.1.3C The architectural description shall describe how the TSF design provides for largely independent modules that avoid unnecessary interactions.

28 Assurance family ADV_INT TSF Internals. ADV_INT.1 Modularity. Evaluator action elements:
- ADV_INT.1.1E The evaluator shall confirm that the presentation provided meets all requirements for content and presentation of evidence.
- ADV_INT.1.2E The evaluator shall determine that both the low-level design and the implementation representation are in compliance with the architectural description.

29 Assurance family ADV_INT TSF Internals, higher components: ADV_INT.2 Reduction of complexity; ADV_INT.3 Minimisation of complexity.

30 Assurance levels

31 Assurance levels:
- EAL1 - Functionally tested
- EAL2 - Structurally tested
- EAL3 - Methodically tested and checked
- EAL4 - Methodically designed, tested, and reviewed
- EAL5 - Semiformally designed and tested
- EAL6 - Semiformally verified design and tested
- EAL7 - Formally verified design and tested

32 Example: EAL3. Objectives: to gain maximum assurance from positive security engineering at the design stage; to obtain a moderate level of independently assured security.

33 Developers have to use (1 of 17): ACM_CAP.3 Authorization controls. Dependencies: ACM_SCP.1 TOE CM coverage; ALC_DVS.1 Identification of security measures. Developer action elements: provide a reference for the TOE; use a CM system; provide CM documentation.

34 Developers have to use (2 of 17): ACM_SCP.1 TOE CM coverage. Dependencies: ACM_CAP.3 Authorisation controls. Developer action elements: provide CM documentation.

35 Developers have to use (3 of 17): ADO_DEL.1 Delivery procedures. Dependencies: none. Developer action elements: document the procedures for delivery of the TOE or parts of it to the user; use the delivery procedures.

36 Developers have to use (4 of 17): ADO_IGS.1 Installation, generation and start-up procedures. Dependencies: AGD_ADM.1 Administrator guidance. Developer action elements: document the procedures necessary for secure installation, generation and start-up of the TOE.

37 Developers have to use (5 of 17): ADV_FSP.1 Informal functional specification. Dependencies: ADV_RCR.1 Informal correspondence demonstration. Developer action elements: provide a functional specification; use a CM system; provide CM documentation.

38 Developers have to use (6 of 17): ADV_HLD.2 Security enforcing high-level design. Dependencies: ADV_FSP.1 Informal functional specification. Developer action elements: provide the high-level design of the TSF.

39 Developers have to use (7 of 17): ADV_RCR.1 Informal correspondence demonstration. Dependencies: none. Developer action elements: provide an analysis of correspondence between all adjacent pairs of TSF representations that are provided.

40 Developers have to use (8 of 17): AGD_ADM.1 Administrator guidance. Dependencies: ADV_FSP.1 Informal functional specification. Developer action elements: provide administrator guidance addressed to system administrative personnel.

41 Developers have to use (9 of 17): AGD_USR.1 User guidance. Dependencies: ADV_FSP.1 Informal functional specification. Developer action elements: provide user guidance.

42 Developers have to use (10 of 17): ALC_DVS.1 Identification of security measures. Dependencies: none. Developer action elements: produce development security documentation.

43 Developers have to use (11 of 17): ATE_COV.2 Analysis of coverage. Dependencies: ADV_FSP.1 Informal functional specification; ATE_FUN.1 Functional testing. Developer action elements: provide an analysis of the test coverage.

44 Developers have to use (12 of 17): ATE_DPT.1 Testing: high-level design. Dependencies: ADV_HLD.1 Descriptive high-level design; ATE_FUN.1 Functional testing. Developer action elements: provide the analysis of the depth of testing.

45 Developers have to use (13 of 17): ATE_FUN.1 Functional testing. Dependencies: none. Developer action elements: test the TSF and document the results; provide test documentation.

46 Developers have to use (14 of 17): ATE_IND.2 Independent testing - sample. Dependencies: ADV_FSP.1 Informal functional specification; AGD_ADM.1 Administrator guidance; AGD_USR.1 User guidance; ATE_FUN.1 Functional testing. Developer action elements: provide the TOE for testing.

47 Developers have to use (15 of 17): AVA_MSU.1 Examination of guidance. Dependencies: ADO_IGS.1 Installation, generation and start-up procedures; ADV_FSP.1 Informal functional specification; AGD_ADM.1 Administrator guidance; AGD_USR.1 User guidance. Developer action elements: provide guidance documentation.

48 Developers have to use (16 of 17): AVA_SOF.1 Strength of TOE security function evaluation. Dependencies: ADV_FSP.1 Informal functional specification; ADV_HLD.1 Descriptive high-level design. Developer action elements: provide a strength of TSF analysis for each mechanism identified in the ST as having a strength of TOE security function claim.

49 Developers have to use (17 of 17): AVA_VLA.1 Developer vulnerability analysis. Dependencies: ADV_FSP.1 Informal functional specification; ADV_HLD.1 Descriptive high-level design; AGD_ADM.1 Administrator guidance; AGD_USR.1 User guidance. Developer action elements: perform and document an analysis of the TOE deliverables searching for obvious ways in which a user can violate the TSP; document the disposition of obvious vulnerabilities.
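The dependencies on the seventeen EAL3 slides above form a small graph, and an evaluator checks that every dependency is met inside the package. The following Python is an added example, not code from the slides or from CC Part 3: the dependency table is transcribed from the slides, and a dependency on a lower component of a family (ATE_DPT.1 needs ADV_HLD.1) is treated as met by a higher component of the same family in the package (ADV_HLD.2), which is the CC hierarchy rule.

```python
import re

# Dependencies transcribed from the "Developers have to use" slides ([] = "None").
EAL3_DEPENDENCIES = {
    "ACM_CAP.3": ["ACM_SCP.1", "ALC_DVS.1"],
    "ACM_SCP.1": ["ACM_CAP.3"],
    "ADO_DEL.1": [],
    "ADO_IGS.1": ["AGD_ADM.1"],
    "ADV_FSP.1": ["ADV_RCR.1"],
    "ADV_HLD.2": ["ADV_FSP.1"],
    "ADV_RCR.1": [],
    "AGD_ADM.1": ["ADV_FSP.1"],
    "AGD_USR.1": ["ADV_FSP.1"],
    "ALC_DVS.1": [],
    "ATE_COV.2": ["ADV_FSP.1", "ATE_FUN.1"],
    "ATE_DPT.1": ["ADV_HLD.1", "ATE_FUN.1"],
    "ATE_FUN.1": [],
    "ATE_IND.2": ["ADV_FSP.1", "AGD_ADM.1", "AGD_USR.1", "ATE_FUN.1"],
    "AVA_MSU.1": ["ADO_IGS.1", "ADV_FSP.1", "AGD_ADM.1", "AGD_USR.1"],
    "AVA_SOF.1": ["ADV_FSP.1", "ADV_HLD.1"],
    "AVA_VLA.1": ["ADV_FSP.1", "ADV_HLD.1", "AGD_ADM.1", "AGD_USR.1"],
}

COMPONENT_RE = re.compile(r"^([A-Z]{3})_([A-Z]{3})\.(\d+)$")

def parse_component(ident):
    """Split e.g. 'ADV_HLD.2' into ('ADV', 'HLD', 2); reject malformed ids."""
    m = COMPONENT_RE.match(ident)
    if not m:
        raise ValueError(f"not a CC assurance component id: {ident!r}")
    return m.group(1), m.group(2), int(m.group(3))

def unsatisfied_dependencies(package):
    """Return {component: [missing deps]} for a set of component ids.
    A dependency on FAM.n counts as met if the package holds FAM.m with m >= n."""
    highest = {}  # (class, family) -> highest component level in the package
    for comp in package:
        cls, fam, lvl = parse_component(comp)
        highest[(cls, fam)] = max(highest.get((cls, fam), 0), lvl)
    missing = {}
    for comp in sorted(package):
        for dep in EAL3_DEPENDENCIES.get(comp, []):
            cls, fam, lvl = parse_component(dep)
            if highest.get((cls, fam), 0) < lvl:
                missing.setdefault(comp, []).append(dep)
    return missing

if __name__ == "__main__":
    eal3 = set(EAL3_DEPENDENCIES)  # the full package as listed on the slides
    print("EAL3 minus ADV_HLD.2:", unsatisfied_dependencies(eal3 - {"ADV_HLD.2"}))
```

Run as is, the full package reports no missing dependency; dropping ADV_HLD.2 leaves ATE_DPT.1, AVA_SOF.1 and AVA_VLA.1 without their ADV_HLD.1 dependency.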




