Re: expertise, resources, and motivation of attackers
Yokota,
Poorly written STs and PPs are being successfully evaluated.
Unfortunately, because an ST or PP is evaluated does not mean that it is
useful or correct.
You are right that the "T.TAMPER" example is too broad and
there is a need to better capture what kind of attackers this ST is
written to address. This can be done by a separate, general
statement, if it applies to all threats. This is what I did in
NISTIR 6462 (Guidance for COTS PPs, see
http://csrc.nist.gov/publications/nistir/index.html).
For your question "accepted to evaluate the rationale of SOF-claim
considering those assumptions and threat statements together" - Yes
most definitely that is acceptable. In fact, the SOF-claim should
be evaluated in light of sections 1, 2, 3, and 4 of the PP. These
four sections describe a security capability being provided. The
SOF-claim must be appropriate to providing that capability.
The example of an assumption "of SOF-basic" does not remove the
need to essentially evaluate the SOF-claim. For such an assumption,
the evaluation would include determining that the assumption is
consistent with the rest of the ST. Making this determination
requires coming to the conclusion that SOF-basic is
appropriate.
Cheers,
Gary
At 09:10 PM 11/29/02, you wrote:
Thanks Gary,
Yours are good examples of threat statements.
Let me discuss the problem further.
I am looking at a ST that has been evaluated.
A threat is written like this:
"T.TAMPER An attacker may be able to tamper with TSF data or program."
There is no expertise, resources, and motivation of attackers expressed in
this statement.
I think this style of threat statement is the average in most STs that
have been evaluated.
Then, how could we evaluate the rationale for the SOF-claim in such STs,
using the CEM work-unit (ASE_REQ.1-17)?
In compliance with the CEM, we need to consider "expertise, resources,
and motivation of attackers" to evaluate the rationale for the SOF-claim,
don't we?
I thought that another approach, in such a case, is to seek a hint in the
assumptions in the TOE security environment.
Since the assumption is for the environment of the TOE in order for the
TOE to function in a secure way, "expertise, resources, and motivation of
attackers" would not be expressed there.
However, I thought, we (evaluators) could be provided some hint there about
"expertise, resources, and motivation of attackers".
Some examples of assumptions are:
- it is assumed that administrator consoles are in an area restricted to
  only administrator personnel;
- it is assumed that users have a certain minimum clearance;
I am asking if we could be accepted to evaluate the rationale of SOF-claim
considering those assumptions and threat statements together,
when "expertise, resources, and motivation of attackers" are not clearly
expressed in the threat statement.
P.S.
Pondering over this, I found a drastic ST that has been evaluated.
In the ST, there is a statement of assumptions as the following.
- "A.THREAT_LEVEL The threat level for the TOE authentication function is
  assumed to be SOF-basic."
The CC evaluation is so very flexible !!!
Sometimes (or very often), it might be of no use for evaluators and ST
authors to think about the rationale for the SOF-claim.
Regards,
Yokota
**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
* Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20877-8930
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
**************************************************************************