
Foundations of Computer Security
Lecture 80: Common Criteria Evaluations
Dr. Bill Young
Department of Computer Sciences
University of Texas at Austin

Assurance Levels

Evaluation under the Common Criteria targets a specified level of rigor. The vendor provides assurance that the corresponding rigor was applied during development and test.

EAL1: Functionally Tested
EAL2: Structurally Tested
EAL3: Methodologically Tested and Checked
EAL4: Methodologically Designed, Tested and Reviewed
EAL5: Semiformally Designed and Tested
EAL6: Semiformally Verified Design and Tested
EAL7: Formally Verified Design and Tested

Evaluation Levels

Level  Requirements  Functional Specification  High-level Design  Low-level Design  Implementation
EAL1   Informal      Informal                  Informal           Informal          Informal
EAL2   Informal      Informal                  Informal           Informal          Informal
EAL3   Informal      Informal                  Informal           Informal          Informal
EAL4   Informal      Informal                  Informal           Informal          Informal
EAL5   Formal        Semiformal                Semiformal         Informal          Informal
EAL6   Formal        Semiformal                Semiformal         Semiformal        Informal
EAL7   Formal        Formal                    Formal             Semiformal        Informal

The CC Certificate

Issuing a CC certification means that the government of the country where the evaluation is performed believes the evaluation was conducted properly.

Indicates a good faith effort to ensure the product meets the claims of the vendor. Does not assure absolute correctness or suitability to particular requirements. Does not preclude vendor “over-marketing.”

Later versions may require re-testing.

Mutual Recognition

The governments of 26 countries now formally recognize the Common Criteria.

Have mutual recognition of evaluations performed by labs in each other’s countries, up to EAL4.

Testing Labs

Product vendors cannot self-certify; evaluation tests must be performed by an independent organization accredited to perform CC testing. NIST is responsible for managing this process in the U.S.

Evaluations are performed (for a fee) by commercial laboratories that are certified by NIST (National Institute of Standards and Technology).

Independent labs test up to EAL4. Currently 10 labs in the U.S., with one (atsec) in Austin.

Testing costs are driven by a relatively small market, complexity and need for a skilled staff.

EAL2 costs $100K to $170K and takes four to six months.
EAL4 costs $300K to $750K and takes one to two years.

Evaluation above EAL4

A product to be tested at EAL5/EAL6/EAL7 must have been designed using formal (mathematical) methods.

Can’t reverse engineer the model from the code.
Components should be kept small and independent.
Extensive documentation is required.

In the U.S., only NSA performs testing for EAL5 and higher. A U.S. agency would not accept a certification for EAL5 or above issued by another country.

Lessons

Evaluation Assurance Levels (1–7) define the care with which the product was developed and the rigor of the evaluation process.

Certification by a country means that the evaluation was carried out carefully and in good faith, not that the product is suitable or secure.

Evaluations are performed by independent labs for a fee. The labs are licensed by the national testing authority.

