Re: A.NO_EVIL for TOE with limited privileges
- Subject: Re: A.NO_EVIL for TOE with limited privileges
- From: Richie <richtie@gmail.com>
- Date: Thu, 13 Jul 2006 12:22:04 +0200
- In-Reply-To: <007601c6a650$099dd150$0300a8c0@AlexDell>
- References: <002701c6a5f8$af470f20$6502a8c0@JBoone> <007601c6a650$099dd150$0300a8c0@AlexDell>
Hi all,
Mainly in response to Alex's provocative contribution (nothing wrong
with a bit of provocation ;) ) - I don't think anyone on this list is
under the illusion that "100% security" is a realistic goal of any
methodology or system. This is why risk analysis is so important in
information security.
Even with that in mind, I don't feel that assumptions like A.NO_EVIL
are papering over embarrassing cracks in such methodologies. The idea
is that by identifying these assumptions developers are better able to
deal with a hostile environment. I'd agree with John's comments about
breaking up broad assumptions and meeting them with objectives for the
environment.
At some point I think most, if not all, systems rely on some kind of
trust anchor for their secure operation, if this can be defined and to
some extent controlled, so much the better.
/ Richard
On 13/07/06, Alex Ragen <aragen@netvision.net.il> wrote:
> Guys--
>
> It's assumptions like A.NO_EVIL that highlight the fact that in the real
> world there is no 100% security. Even EAL7 doesn't assure 100% security. And
> certainly what we write or don't write in the Security Target is not going
> to make a TOE more or less secure. No amount of academic hair-splitting is
> going to provide 100% security.
>
> Underlying all the explicit TOE assumptions is an implicit assumption that
> people in the organization with authority and capability are going to at
> least try to do their jobs properly. In the real world, some will try but
> screw up just the same, some won't even try, and some will deliberately
> undermine and sabotage. As long as everybody (Security Target writers,
> evaluators, customers, admins and users, etc.) understands that this is the
> environment we all live and work in, the TOE can provide the level of
> security it's designed to provide and that the evaluation has "proved" (at
> some level of assurance) to indeed provide, under the right circumstances.
> And it's up to the organization to minimize the risks, with policies and
> procedures and hiring practices etc.
>
> So what should we do, not assume A.NO_EVIL? Then we might as well all close
> up shop. How can you possibly design a security product that doesn't require
> somebody somewhere to use it correctly?
>
>
> — Alex
>
> ===================
>
> Alex Ragen, CISSP, ISSA
>
> alex@alexragen.com
>
> www.alexragen.com
>
> ===================
>
> ________________________________
>
>
> From: cc-cmt@nist.gov [mailto:cc-cmt@nist.gov] On Behalf Of John Boone
> Sent: Thursday, July 13, 2006 12:01 AM
>
> To: Multiple recipients of list
> Subject: RE: A.NO_EVIL for TOE with limited privileges
>
> Ms. Ruppel,
>
> I both agree and disagree (and am sometimes neutral), depending on where I
> start reading ... :)
>
> If the proposed Guidance and corrective action are as you describe (second
> handedly), then it is a huge non sequitur. There is nothing in the
> assumption A.NO_EVIL that is really all that relevant to specific privilege
> level, given that all administrators have some elevation of privilege. So
> you make some good points that its removal isn't really justified, at least
> not for the stated reasons. And I agree that its removal might be
> counterproductive.
>
> On the other hand, A.NO_EVIL is a bit of a heavy-weight assumption, although
> it does seem to accurately describe some of the more relevant, real-world
> assumptions about administrators. I think a better action would be to break
> up A.NO_EVIL and, better yet, provide concrete objectives for the
> Environment to support it. However, in the end, it is just a convention -
> and there are multiple different ways to say the same thing in an ST. So it
> is difficult to find particular fault, especially without first-hand
> knowledge of all the reasoning. Threats may be perceived as having greater
> weight, although I think this is more a result of common CC usage rather
> than by design of the CC. Also, Assumptions can only be addressed by the
> Environment, whereas Threats can be addressed either by the TOE or
> Environment (or by both). So maybe that is part of the reasoning …
>
> Finally, I think the point about holding administrators accountable
> overstates the role of an ST in the operational environment. It is the
> operational organization that chooses to comply with the ST environment (or
> not). In the latter case, the organization has to accept the risk implied.
> It's not the other way around. In other words, I can't imagine an
> administrator saving his or her job because there was a missing assumption
> about being non-hostile.
>
> John Boone
>
> Principal Engineer
>
> Ashton Security Labs
>
> ________________________________
>
>
> From: cc-cmt@nist.gov [mailto:cc-cmt@nist.gov] On Behalf Of Michelle Ruppel
> Sent: Wednesday, July 12, 2006 4:12 PM
> To: Multiple recipients of list
> Subject: A.NO_EVIL for TOE with limited privileges
>
> Again, I would like to get input from the members of the CC-CMT on the
> following issue. ;)
>
> Issue: For TOEs that do not have an all powerful, root-like user, can the
> standard A.NO_EVIL (Administrators are non-hostile, appropriately trained
> and follow all administrator guidance…) assumption be used?
>
> I have been told that the new Guidance for writing Medium Robustness PPs
> implies that A.NO_EVIL is no longer allowed or needed. Instead a threat
> should be used about having an all powerful user and the TOE can mitigate
> this threat by using privileges or limited administrative users/roles.
>
> In my opinion, this assumption is useful when accompanying such a threat.
> Even if the TOE does not have an all powerful, root-like user, I still
> believe this is an important assumption. I know there are many
> organizations who have had breaches that would agree with me; I think this
> is a real world issue. Regardless of the aspects of access control,
> privilege control and role-based control enforced by the TOE, each
> individual administrator still has the obligation to follow the
> administrative guidance supplied for their part in the administration of the
> TOE and to be trustworthy/non-hostile.
>
> An assumption defined in the ST documents that there is an expectation that
> they do so, and provides the employer and end user with the responsibility
> and ability to hold them individually accountable. Why would we want to take
> the capability to hold the administrative users accountable away from the
> employer and end user?
>
> I look forward to reading your opinions/experiences.
>
> Thanks,
>
> - Michelle
>
> Michelle Ruppel
>
> Saffire Systems
>
> maruppel@saffiresys.com
>