I-0350: Clarification Of Resources/Objects For Residual Information Protection


[The following is the ASCII version of the proposal. A pretty-printed PDF version is 
attached.]

  [NOTE: This proposal is being re-posted after being updated to reflect
  comments the IWG received on its previous posting, or comments arising
  from further IWG discussion of the proposal.]

  This transaction consists of a proposal for a NIAP Interpretation of a
  Common Criteria document. It is being posted in accordance with the
  procedures of the IWG.

  Comments on this proposal are welcomed and should be posted to this
  transaction chain.  If any party wishes to post a comment anonymously,
  the comment should be mailed to IWG@gibraltar.ncsc.mil in a form
  suitable for posting.  All comments should be posted no later than
  Monday, October 15, 2001.


                 CCITSE/CEM  NIAP INTERPRETATION (PROPOSED)


     _________________________________________________________________

I-0350: Clarification Of Resources/Objects For Residual Information Protection
     _________________________________________________________________

TYPE:                 NIAP Interpretation
NUMBER:               I-0350
STATUS:               Ready for External Repost after Interpretations Board
                      Rework/Review

TITLE:                Clarification Of Resources/Objects For Residual
                      Information Protection
COMMENTS DUE BY:      Monday, October 15, 2001 to cc-cmt@nist.gov

SOURCE REFERENCE:     CC v2.1 Part 2 Subclause 6.9 FDP_RIP
                      CC v2.1 Part 2 Subclause F.9 FDP_RIP
RELATED TO:
     I-0041           Object Reuse Applies To All System Resources
     I-0356           FDP_RIP Annex: Reuse Of Subject Data Notes

ISSUE:

   The focus of the Residual information protection (FDP_RIP) family is
   not clearly stated in the Common Criteria. The focus of residual
   information protection is preventing leakage of information from one
   instantiation of a type of object to another instantiation of that
   type of object. This should include cleansing of the TSF-internal data
   structures that are used to construct objects and are visible through
   the object. However, this aspect doesn't come across clearly in the
   current words.

STATEMENT

   Residual information protection applies to those TSF-internal
   structures that are visible through the TSF-interface and are used to
   implement the object for which residual information protection applies.

SPECIFIC INTERPRETATION

   To address this interpretation, the following changes are made to CC
   v2.1, Part 2 (additions marked _thusly_; deletions marked _[DEL:_
   thusly _:DEL]_ ):


     * In Subclause 6.9, paragraph 223 is replaced with the following:
       This family addresses the need to ensure that _information
       contained in a resource is not available when resources are
       deallocated from one object and reallocated to a different
       object_. _[DEL:_ deleted information is no longer accessible, and
       that newly created objects do not contain information that should
       not be accessible. _:DEL]_ _The term "resources" refers to those
       TSF-internal structures that are visible through the TSF-interface
       and are used to implement the object for which residual information
       protection applies._ This family requires protection for
       information that has been logically deleted or released, but may
       still be present within the TOE.

     * In Subclause F.9, paragraph 887 is replaced with the following:
       This family addresses the need to ensure that _information
       contained in a resource is not available when resources are
       deallocated from one object and reallocated to a different
       object_. _[DEL:_ deleted information is no longer accessible, and
       that newly created objects do not contain information from
       previously used objects within the TOE. _:DEL]_ _The term
       "resources" refers to those TSF-internal structures that are
       visible through the TSF-interface and are used to implement the
       object for which residual information protection applies._ This
       family _addresses all entities meeting the definition of object as
       provided in Part 1, Clause 2 (i.e., entities that contain or
       receive information, and are acted upon by subjects), but_ does
       not address objects stored off-line.
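   The following C model illustrates the situation the interpretation
   describes: a TSF-internal resource (a pooled buffer) that is visible
   through the object built on it, deallocated from one object and
   reallocated to another. It is an added, constructed example and not
   part of the interpretation or of any evaluated TOE; the pool, slot
   layout and sample content are assumptions. The unwiped release path
   lets the new object read the old object's data; the wiped release path
   is the behaviour FDP_RIP requires.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a TSF-internal resource pool. Each slot backs one
   object; slot contents are visible through that object's interface. */
#define POOL_SLOTS 4
#define SLOT_BYTES 32

typedef struct {
    uint8_t data[SLOT_BYTES];   /* the externally visible resource */
    bool    in_use;
} slot_t;

static slot_t pool[POOL_SLOTS];

/* Allocate the first free slot for a new object (no clearing here). */
static slot_t *alloc_slot(void) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool[i].in_use) { pool[i].in_use = true; return &pool[i]; }
    return NULL;
}

/* Unprotected deallocation: the slot is freed but its contents survive. */
static void release_unwiped(slot_t *s) { s->in_use = false; }

/* Protected deallocation: wipe the resource before it can be reallocated.
   A real TSF would use a wipe the compiler cannot elide (e.g. memset_s or
   explicit_bzero); here the data is read back later, so memset suffices. */
static void release_wiped(slot_t *s) {
    memset(s->data, 0, SLOT_BYTES);
    s->in_use = false;
}

/* Check used by the test: allocate object A, store constructed sample
   content, release it (wiped or not), allocate object B on the same slot
   and report whether A's content is still visible through B. */
static bool residue_visible(bool wipe_on_release) {
    static const char sample[] = "SECRET-OF-OBJECT-A";   /* 18 bytes */
    memset(pool, 0, sizeof pool);
    slot_t *a = alloc_slot();
    memcpy(a->data, sample, 18);
    if (wipe_on_release) release_wiped(a); else release_unwiped(a);
    slot_t *b = alloc_slot();            /* reuses the slot A occupied */
    return memcmp(b->data, sample, 18) == 0;
}
```

   Running the check with wiping disabled reports the leak; with wiping
   enabled the reallocated object starts out clean, which is the property
   the replaced paragraphs 223 and 887 now state directly.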

PROJECTED IMPACT:

   Negligible impact anticipated.

SUPPORT:

   This interpretation clarifies the meaning of resource as used in the
   FDP_RIP components. It clarifies that the focus of RIP is those
   portions of the structures that are externally visible.

   Additionally, this interpretation provides clarification with respect
   to the applicability of RIP to "subjects", which in an operating
   system are typically processes. Of particular concern are the
   TSF-structures used to construct subjects; the goal is to ensure that
   any externally-visible information is cleansed so that new subjects
   start out "clean".

   Note that subject residual information is also addressed through
   FPT_SEP. The distinction is that FDP_RIP addresses subject creation
   and destruction. FPT_SEP, on the other hand, addresses reuse of
   externally visible structures.

