Re: I-0463: Hardware Inclusion In A TOE With FPT_SEP
- Subject: Re: I-0463: Hardware Inclusion In A TOE With FPT_SEP
- From: Tim Bergendahl <tbergend@mitre.org>
- Date: Mon, 05 Aug 2002 15:31:15 -0400
- CC: "Bergendahl,Timothy J." <tbergend@mitre.org>
- Content-Transfer-Encoding: 7bit
- Content-Type: text/plain; charset=us-ascii
- Organization: The MITRE Corporation
- References: <3D2C1E21.29507.BB4F89@localhost>
All,
MITRE Validators' Position
The proposed guidance has resulted in extensive discussion, with
numerous valid points being made. We believe the proposal should be
returned to the NIB for further consideration. One focus of such
consideration should be the second sentence under STATEMENT, namely:
"Hence, only if an argument can be made that FPT_SEP is satisfied
independent of the hardware would it be acceptable to exclude hardware
from the TOE for which FPT_SEP is a TOE SFR."
What is needed in the proposed guidance is at least one example of such
an argument (i.e., where FPT_SEP is satisfied independent of the
hardware). Perhaps a starting point would be to re-visit the use of
FPT_SEP in the UK's Oracle DBMS PP.
--Tim Bergendahl--
NIAP Interpretations Board wrote:
>
> This transaction consists of a proposal for a NIAP Interpretation of a
> Common Criteria document. It is being posted in accordance with the
> procedures of the IWG.
>
> Comments on this proposal are welcomed and should be posted to this
> transaction chain. If any party wishes to post a comment anonymously,
> the comment should be mailed to ccevs-cmt@nist.gov in a form suitable
> for posting. All comments should be posted no later than Monday,
> August 5, 2002.
>
> CCITSE/CEM GUIDANCE (PROPOSED)
>
>
> _________________________________________________________________
>
> I-0463: Hardware Inclusion In A TOE With FPT_SEP
>
> _________________________________________________________________
>
> TYPE: Guidance
> NUMBER: I-0463
> STATUS: Ready for External Review
>
> TITLE: Hardware Inclusion In A TOE With FPT_SEP
> COMMENTS DUE BY: Monday, August 5, 2002 to ccevs-cmt@nist.gov
>
> RELATED TO: <None>
>
> ISSUE:
>
> Must hardware be included in a TOE that includes FPT_SEP as one of the
> TOE's SFRs?
>
> STATEMENT
>
> All TOE Objectives (which map to Security Functional Requirements)
> must be met by the TSF. It is not acceptable to meet a TOE Objective
> by a requirement allocated to the IT environment.
>
> Hence, only if an argument can be made that FPT_SEP is satisfied
> independent of the hardware would it be acceptable to exclude hardware
> from the TOE for which FPT_SEP is a TOE SFR.
>
> SPECIFIC INTERPRETATION
>
> No criteria changes required. This guidance is supported by the CEM
> Work Unit ASE_REQ.1-20 as interpreted by CCIMB-INTERP-0058.
>
> SUPPORT:
>
> CEM Work Unit ASE_REQ.1-20 requires that the security requirements
> rationale provide a justification that every security objective for
> the TOE is satisfied by the TOE security requirements. There is no
> provision for security objectives for the TOE being satisfied by
> requirements on the IT environment.
>
> Of particular interest is the FPT_SEP requirement. FPT_SEP.1.1 says
> "The TSF shall maintain a security domain for its own execution that
> protects it from interference and tampering by untrusted subjects". If
> this requirement is allocated to the application TOE, this means the
> application is 100% responsible for providing such protection,
> completely independent of the behavior of applications on the
> underlying abstract machine (operating system, hardware). For an
> operating system TOE, this means the TOE provides the protection
> independent of the behavior of anything else running on the hardware.
>
> Similarly, FPT_SEP.1.2 talks about enforcing separation between the
> security domains of subjects in the TSC (which is typically
> interpreted to refer to process address spaces, for operating
> systems). If this is allocated to the TOE but not the hardware, this
> means the TOE must provide the capability independent of the hardware.
>
> With respect to hardware being required to meet FPT_SEP: Although with
> current technology hardware support is always used to achieve domain
> separation and process separation, the ability to provide such
> separation through software mechanisms alone is conceivable. However,
> if hardware is excluded, there must be a clear argument that the
> hardware in no way contributes to the software's satisfaction of
> FPT_SEP.
>
> With respect to applications claiming FPT_SEP: In order to do so, one
> must be able to show that the application provides mechanisms that
> implement FPT_SEP independent of any operating system support. With
> current technology, however, operating system support is usually
> required to achieve FPT_SEP, and hence, FPT_SEP should be allocated to
> the IT Environment (Operational Environment).