It’s assumptions like A.NO_EVIL that highlight the fact that in the real world there is no 100% security. Even EAL7 doesn’t assure 100% security. And certainly what we write or don’t write in the Security Target is not going to make a TOE more or less secure. No amount of academic hair-splitting is going to provide 100% security.
Underlying all the explicit TOE assumptions is an implicit assumption that people in the organization with authority and capability are going to at least try to do their jobs properly. In the real world, some will try but screw up just the same, some won’t even try, and some will deliberately undermine and sabotage. As long as everybody (Security Target writers, evaluators, customers, admins and user, etc.) understands that this is the environment we all live and work in, the TOE can provide the level of security it’s designed to provide and that the evaluation has “proved” (at some level of assurance) to indeed provide, under the right circumstances. And it’s up to the organization to minimize the risks, with policies and procedures and hiring practices etc.
So what should we do, not assume A.NO_EVIL? Then we might as well all close up shop. How can you possibly design a security product that doesn’t require somebody somewhere to use it correctly?
Alex Ragen, CISSP, ISSA
[mailto:email@example.com] On Behalf Of John
I both agree and disagree (and am sometimes neutral), depending on where I start reading ... J
If the proposed Guidance and corrective action are as you describe (second handedly), then it is a huge non sequitur. There is nothing in the assumption A.NO_EVIL that is really all that relevant to specific privilege level, given that all administrators have some elevation of privilege. So you make some good points that its removal isn’t really justified, at least not for the stated reasons. And I agree that its removal might be counterproductive.
On the other hand, A.NO_EVIL is a bit of a heavy-weight assumption, although it does seem to accurately describe some of the more relevant, real-world assumptions about administrators. I think a better action would be to break up A.NO_EVIL and, better yet, provide concrete objectives for the Environment to support it. However, in the end, it is just a convention - and there are multiple different ways to say the same thing in an ST. So it is difficult to find particular fault, especially without first-hand knowledge of all the reasoning. Threats may be perceived as having greater weight, although I think this is more a result of common CC usage rather than by design of the CC. Also, Assumptions can only be addressed by the Environment, whereas Threats can be addressed either by the TOE or Environment (or by both). So maybe that is part of the reasoning …
Finally, I think the point about holding administrators accountable overstates the role of an ST in the operational environment. It is the operational organization that chooses to comply with the ST environment (or not). In the latter case, the organization has to accept the risk implied. It’s not the other way around. In other words, I can’t imagine an administrator saving his or her job because there was a missing assumption about being non-hostile.
Ashton Security Labs
firstname.lastname@example.org [mailto:email@example.com] On
Behalf Of Michelle Ruppel
Again, I would like to get input from the members of the CC-CMT on the following issue. ;)
Issue: For TOEs that do not have an all powerful, root-like user, can the standard A.NO_EVIL (Administrators are non-hostile, appropriately trained and follow all administrator guidance…) assumption be used?
I have been told that the new Guidance for writing Medium Robustness PPs implies that A.NO_EVIL is no longer allowed or needed. Instead a threat should be used about having an all powerful user and the TOE can mitigate this threat by using privileges or limited administrative users/roles.
In my opinion, this assumption is useful when accompanying such a threat. Even if the TOE does not have an all powerful, root-like user, I still believe this is an important assumption. I know there are many organizations who have had breaches that would agree with me; I think this is a real world issue. Regardless of the aspects of access control, privilege control and role-based control enforced by the TOE, each individual administrator still has the obligation to follow the administrative guidance supplied for their part in the administration of the TOE and to be trustworthy/non-hostile.
An assumption defined in the ST documents that there is an expectation that they do so, and provides the employer and end user with the responsibility and ability to hold them individually accountable. Why would we want to take the capability to hold the administrative users accountable away from the employer and end user?
I look forward to reading your opinions/experiences.