Re: I-0463: Hardware Inclusion In A TOE With FPT_SEP

  This transaction consists of a proposal for a NIAP Interpretation of a
  Common Criteria document. It is being posted in accordance with the
  procedures of the IWG.

  Comments on this proposal are welcomed and should be posted to this
  transaction chain.  If any party wishes to post a comment anonymously,
  the comment should be mailed to cc-cmt@nist.gov in a form suitable
  for posting.  All comments should be posted no later than Monday,
  September 23, 2002.


                      CCITSE/CEM GUIDANCE (PROPOSED)


     _________________________________________________________________

               I-0463: Hardware Inclusion In A TOE With FPT_SEP
     _________________________________________________________________

TYPE:                 Guidance
NUMBER:               I-0463
STATUS:               Reposted for External Review

TITLE:                Hardware Inclusion In A TOE With FPT_SEP
PREVIOUS POSTING:      [cc-cmt 00252]
PREVIOUS POSTING:      [cc-cmt TBD]
COMMENTS DUE BY:      Monday, September 23, 2002 to cc-cmt@nist.gov

RELATED TO:           <None>

ISSUE:

   Must hardware be included in a TOE that includes FPT_SEP as one of the
   TOE's SFRs?

STATEMENT:

   Every security objective for the TOE (each of which maps to one or
   more Security Functional Requirements) must be met by the TSF. It is
   not acceptable to satisfy a security objective for the TOE by a
   requirement allocated to the IT environment.

   Hence, if FPT_SEP is included among the TOE's SFRs (that is, a
   security objective for the TOE maps to it), one of the following
   conditions should be met:

    1. The underlying platform (operating system and/or hardware) is
       included in the TOE.
    2. An argument is made that the TOE satisfies FPT_SEP independent of
       the underlying platform.
    3. The support for FPT_SEP on which the TOE relies is explicitly
       stated as an objective for the Operational Environment (IT
       Environment).

SPECIFIC INTERPRETATION:

   No criteria changes required. This guidance is supported by the CEM
   Work Unit ASE_REQ.1-20 as interpreted by CCIMB-INTERP-0058.

SUPPORT:

   CEM Work Unit ASE_REQ.1-20 requires that the security requirements
   rationale provide a justification that every security objective for
   the TOE is satisfied by the TOE security requirements. There is no
   provision for security objectives for the TOE being satisfied by
   requirements on the IT environment.

   Of particular interest is the FPT_SEP requirement. FPT_SEP.1.1 says
   "The TSF shall maintain a security domain for its own execution that
   protects it from interference and tampering by untrusted subjects". If
   this requirement is allocated to an application TOE, the application
   is solely responsible for providing that protection, independent of
   any support from the underlying abstract machine (operating system,
   hardware). For an operating system TOE, the TOE must provide the
   protection independent of the behavior of anything else running on
   the hardware.

   Similarly, FPT_SEP.1.2 requires the TSF to enforce separation between
   the security domains of subjects in the TSC (TSF Scope of Control);
   for operating systems this is typically interpreted as separation
   between process address spaces. If this requirement is allocated to
   the TOE but the hardware is not part of the TOE, the TOE must provide
   the capability independent of the hardware.

   With respect to hardware being required to meet FPT_SEP: Although with
   current technology hardware support is always used to achieve domain
   separation and process separation, the ability to provide such
   separation through software mechanisms alone is conceivable. However,
   if hardware is excluded, there must be a clear argument that the
   hardware in no way contributes to the software's satisfaction of
   FPT_SEP, or there must be an explicit objective for the operational
   environment to provide the necessary support.

   With respect to applications claiming FPT_SEP: In order to do so, one
   must be able to show that the application provides mechanisms that
   implement FPT_SEP independent of any operating system support. With
   current technology, however, operating system support is usually
   required to achieve FPT_SEP, and hence, FPT_SEP should be allocated to
   the IT Environment (Operational Environment), or the extent to which
   the operating system provides support for FPT_SEP should be detailed
   in the Objectives for the Operational Environment (IT Environment).
