RE: A.NO_EVIL for TOE with limited privileges


Just a note: CCv3.0 redefines TOE as: "a product that has been installed and is being operated according to its guidance." (CCv3.0 Part 1)

Since TOE was defined even in CCv2 to include its guidance, it was pretty nonsensical to assume that the TOE would not be operated according to its guidance.

Administrator is defined as "an entity that has complete trust with respect to all policies implemented by the TSF." (CCv3.0 Part 3)

I would note that this does not mean that there is an assumption that administrators are non-hostile; I must say, some of the administrators I've known have been pretty hostile people. It simply means that they are in a position of trust.

In any case, by this definition, a TOE that does not have an all-powerful user is a TOE that has users but not administrators. There are many examples I can think of for TOEs of this nature - the TOE must be removed from its operational environment for any administration to be performed.

It seems that A.NO_EVIL will have to be evolved to be used effectively in CCv3.
Perhaps: NOE.ADEQUATE_TRAINING - TOE owners will ensure that users are appropriately trained and incentivized to fulfill their security-related responsibilities?

Regards,
    Nir


From: cc-cmt@nist.gov [mailto:cc-cmt@nist.gov] On Behalf Of Michelle Ruppel
Sent: Wednesday, July 12, 2006 10:12 PM
To: Multiple recipients of list
Subject: A.NO_EVIL for TOE with limited privileges

Again, I would like to get input from the members of the CC-CMT on the following issue. ;)

Issue: For TOEs that do not have an all-powerful, root-like user, can the standard A.NO_EVIL (Administrators are non-hostile, appropriately trained and follow all administrator guidance…) assumption be used?

I have been told that the new Guidance for writing Medium Robustness PPs implies that A.NO_EVIL is no longer allowed or needed. Instead a threat should be used about having an all-powerful user, and the TOE can mitigate this threat by using privileges or limited administrative users/roles.

In my opinion, this assumption is useful when accompanying such a threat. Even if the TOE does not have an all-powerful, root-like user, I still believe this is an important assumption. I know there are many organizations who have had breaches that would agree with me; I think this is a real-world issue. Regardless of the aspects of access control, privilege control and role-based control enforced by the TOE, each individual administrator still has the obligation to follow the administrative guidance supplied for their part in the administration of the TOE and to be trustworthy/non-hostile.

An assumption defined in the ST documents that there is an expectation that they do so, and provides the employer and end user with the responsibility and ability to hold them individually accountable. Why would we want to take the capability to hold the administrative users accountable away from the employer and end user?

I look forward to reading your opinions/experiences.

Thanks,

- Michelle

Michelle Ruppel
Saffire Systems
maruppel@saffiresys.com
