PD 0138: Sharing of Peripherals with Memory under the Peripheral Sharing PP



[The ODRB issued the following PD during its May meeting. Any comments or 
corrections to this PD will be considered during the next ODRB meeting.]


ISSUE

The PSSHID PP specifies a single security function policy, called Data
Separation Security Function Policy. This policy is defined as follows: 

	Data Separation Security Function Policy (SFP):

	The TOE shall allow PERIPHERAL DATA and STATE INFORMATION to be
	transferred only between PERIPHERAL PORT GROUPS with the same
	ID. The TOE itself is not concerned with the USER'S information
	flowing between the SHARED PERIPHERALS and the SWITCHED
	COMPUTERS. It is only providing a CONNECTION between the HUMAN
	INTERFACE DEVICES and a selected COMPUTER at any given instant. 

Prior to this statement of the SFP, the PP states

	The TOE must not have, and in fact must specifically preclude,
	any features that permit USER information to be shared or
	transferred between COMPUTERS via the TOE. 

For this SFP there are associated objectives, O.CONF and O.CONNECT:

	O.CONF The TOE shall not violate the confidentiality of
	information which it processes. 

	Information generated within any PERIPHERAL GROUP-COMPUTER
	CONNECTION shall not be accessible by any other PERIPHERAL
	GROUP-COMPUTER CONNECTION. 

	O.CONNECT No information shall be shared between SWITCHED
	COMPUTERS via the TOE. This includes STATE INFORMATION, if such
	is maintained within the TOE. 

The rationale for O.CONF causes the issue at hand: 

	O.CONF If the PERIPHERALS can be CONNECTED to more than one
	COMPUTER at any given instant, then a channel may exist which
	would allow transfer of information from one to the other. This
	is particularly important for DEVICES with bi-directional
	communications channels such as KEYBOARD and POINTING DEVICES. 

	Since many PERIPHERALS now have embedded microprocessors or
	microcontrollers, significant amounts of information may be
	transferred from one COMPUTER system to another, resulting in
	compromise of sensitive information. An example of this is
	transfer via the buffering mechanism in many KEYBOARDS. 

The issue concerns what appears to be an additional threat
(information transfer via buffering mechanisms and other memory
associated with keyboards or pointing devices), which would require the
TOE to control information flow between attached computers that takes
place through memory on the keyboard or mouse. If malware on computer 1
writes to the keyboard memory and malware on computer 2 later reads it,
the data separation SFP is violated. It is not clear whether this second
paragraph was intended to state something that the objective must block,
or to scope the objective by stating that this form of transfer lies
outside it. As written, it is an additional requirement on the
objective. 

Given the wide variety of human interface devices, it is likely to be
impossible for a practical TOE to incorporate protections against such
information flow, as there does not appear to be any standard means of
accessing such device memory. Further, it is likely that no TOE can
claim conformance to this PP unless the TOE incorporates a specific
model of keyboard and pointing device that has been tested to ensure
that no information flow can be initiated. 

RESOLUTION

The particular PP in question is intended for use in benign
environments. This is made clear by the assumption: 

	A.SCENARIO Vulnerabilities associated with attached DEVICES
	(SHARED PERIPHERALS or SWITCHED COMPUTERS), or their CONNECTION
	to the TOE, are a concern of the application scenario and not of
	the TOE. 

However, consumers of such devices may mistakenly believe that
compliant devices can be used in a broader range of environments. As
such, the Validation Report (VR) and Validation Product List (VPL) entry
for compliant devices must make the environmental limitations clear. 

RATIONALE

The concern about malware and data transfer through device memory is a
valid concern, and has been around since the days of terminals with
remotely programmable function keys. Such data storage creates
significant risk in non-benign environments (with potentially malicious
users) or in environments where there are peripherals shared across
security labels (such as periods processing).  

However, this PP explicitly excludes the risk from such peripheral
devices, pushing assessment of that risk to the parties that integrate
the system and approve the system for use in its eventual
environment. These parties need to be aware of the risk they are
accepting. 

To that end, the risk must be made clear in the validation documents
supplied to the consumer, specifically the Validation Report and the
Validation Product List entries: 

1. The Validation Report must make clear that the threat of leakage
   through peripheral memory is one of the threats not countered by
   compliant devices.

2. The Validation Report must provide guidance to the certifier (in the
   Validator's Comments) that any peripherals used with the validated
   product must be assessed for the potential of data leakage through
   accessible peripheral memory that remains uncleared when the
   peripheral is shared between computers. 

3. The VPL entry must include a paragraph indicating that products
   compliant with this profile do not include mechanisms to ensure that
   all peripheral memory is cleared when the device is switched between
   computers. It is the responsibility of integrators of the switch into
   a system to assess the risk of information transfer with compliant
   switches. 
