Re: PD-0091: Dependencies of Requirements on the IT Environment
Nir Naaman wrote:
> On Wednesday, January 28 Dirk-Jan Out wrote:
> 
> 
>>This boils down to: you cannot generally use FPT_SEP in 
>>unmodified form in a software-only TOE as the CC is currently written.
>>
>>Work is ongoing in- and outside the CCIMB to rectify this. 
>>But in v2.1 (and v2.2) you will be stuck with this.
>>
> 
> 
> Note that the NSA/NIST Protection Profile Review Board (PPRB) "Protection
> Profile (PP) Consistency Guidance for Basic Robustness" has a suggestion
> for FPT_SEP in software-only TOEs:
> 
> FPT_SEP_EXP.1 The TSF shall maintain a security domain that protects it from
> interference and tampering by untrusted subjects initiating actions through
> its own TSFI.
> FPT_SEP_EXP.2 The TSF shall enforce separation between the security domains
> of subjects in the TOE Scope of Control.
> 
> I think that this together with I-0463 is consistent with what you're saying
> here.
> 
>     Nir

I don't think it does, though I can see what it means.

Assuming that the term "TOE Scope of Control" means TSF Scope of Control, 
it is "the set of interactions that is under control of the TSP".
As the TSP is the set of SFRs, this set is not allowed to refer to the 
TSP, and therefore the SFRs are also not allowed to refer to the TSC.

Therefore FPT_SEP_EXP.2 is circular: The TSF shall enforce separation 
between all subjects that it enforces separation on.

I think that a similar line of reasoning applies to TSFI and that 
FPT_SEP_EXP.1 is circular as well.

DJ

-- 
TNO ITSEF BV
P.O. Box 96864          tel +31 70 374 0304
2509 JG The Hague       fax +31 70 374 0651
The Netherlands         www.commoncriteria.nl