Re: CC request for interpretation: testing while in normal mode?
- Subject: Re: CC request for interpretation: testing while in normal mode?
- From: "NIAP Interpretations Board" <email@example.com>
- Date: Wed, 23 Oct 2002 08:46:25 -0700
- Reply-to: firstname.lastname@example.org
The most accurate answer is, unfortunately, that there is no answer. This is
an area that the CC does not address and for which there are no approved
interpretations as of yet. However, there is an RI, number 211, which addresses
part of this question.
The abstract machine testing (FPT_AMT.1) and TSF testing
(FPT_TST.1) requirements state that "the TSF shall run" a suite of
tests. If the TSF is going to "run" the tests and the tests are
required to do useful things, must the tests themselves be
considered part of the TSF? Similarly, must recovery tools
(including the "operating system" upon which they run) that are used
to meet trusted recovery requirements (FPT_RCV.2) be considered part
of the TSF? If tests don't necessarily have to be part of the TSF,
but portions of the "test harness" need policy exemption privileges,
do those portions of the test harness have to be part of the TSF?
There is an advantage to have the flexibility to use tests and
recovery tools that are third-party or non-TSF. This would reduce
the required documentation and CM burdens.
NOTE: This raises a good point: the TSF includes everything that
contributes to security, which includes the off-line tests. However,
this implies that such tests are also subject to all other
requirements on the TSF, including ADV_INT, ALC, etc., which doesn't
seem appropriate for self-tests and integrity tests.
Someone could also take a more active role and actually write a draft
interpretation for I-0453: TSF And Support Code, which deals with this
To help with these efforts the NIB offers the following input. So called "test
scaffolding", while part of the TSF, need not be subjected to the same level of
rigor of analysis as the rest of the TSF if it can be shown that the risks
incurred as a result of that lack of attention are mitigated.
In the case of running tests prior to start-up and general user access, it is
reasonable to accept that measures such as disconnection of network devices
from the network, disabling of modems, and generally limiting access only to
the console device would eliminate any external threats. Likewise access
controls on the lab would provide physical security such that the evaluator
could assume that no unauthorized persons would be running tests. As for
Trojan horse type attacks, a description of some chain of custody of the
operating system disks used to boot the machine, as well as the same for
the copies of the test programs, should be sufficient evidence that the risk is