Evaluating Systems

Reading Material
• Chapter 21, Computer Security: Art and Science
• The Orange Book and the whole Rainbow Series
  − http://www.radium.ncsc.mil/tpep/library/rainbow/
• The Common Criteria
  − Lists all evaluated protection profiles and products
  − http://www.commoncriteriaportal.org

Outline
• Motivation for system evaluation
• Specific evaluation systems
  − TCSEC/Orange Book
  − Interim systems
  − Common Criteria

Evaluation Goals
• Oriented to purchaser/user of system
• Assurance that system operates as advertised

Example: Used Car
• How do you evaluate a used car?
  − Repair/service records (vendor-supplied documentation)
  − Test drive (self-evaluation)
  − Mechanic (independent verification)
• Certified used cars
  − “Get peace of mind with Honda's 150-point inspection”

Formal Evaluation
• Provide a systematic framework for system evaluation
  − More consistent evaluation
  − Better basis for comparing similar products
• Trusted third-party system for evaluation
• Originally driven by needs of government and military

TCSEC: 1983-1999
• Trusted Computer System Evaluation Criteria (TCSEC), also called the Orange Book
  − Specifies evaluation classes (C1, C2, B1, B2, B3, A1)
  − Specifies functionality and assurance requirements for each class
• Functional model builds on
  − BLP (mandatory labeling)
  − Reference monitors

TCSEC Functional Requirements
• DAC
• Object Reuse
  − Sufficient clearing of objects between uses in a resource pool
  − E.g. zero pages in memory system
• MAC and Labels
• Identification and Authentication
• Audit
  − Requirements increase at higher classes
• Trusted Path
  − Non-spoofable means to interact with TCB
  − Ctrl-Alt-Del in Windows

TCSEC Assurance Requirements
• Configuration Management
  − For TCB
• Trusted Distribution
  − Integrity of mapping between master and installations
• System Architecture
  − Small and modular
• Design Specification – varies between classes
• Verification – varies between classes
• Testing
• Product Documentation

TCSEC Classes
• D – Catch all (aka “you fail”)
• C1 – Discretionary Protection
  − Identification and authentication and DAC
  − Minimal assurance
• C2 – Controlled Access Protection
  − Adds object reuse and auditing
  − More testing requirements
  − Windows NT 3.5 evaluated C2

TCSEC Classes (continued)
• B1 – Labeled Security Protection
  − Adds MAC for some objects
  − Stronger testing requirements. Informal model of security policy.
  − Trusted Unixes tended to be B1
• B2 – Structured Protection
  − MAC for all objects. Additional logging. Trusted path. Least privilege.
  − Covert channel analysis, configuration management, more documentation, formal model of security policy

TCSEC Classes (continued)
• B3 – Security Domains
  − Implements full RVM. Requirements on code modularity, layering, simplicity.
  − More stringent testing and documentation.
• A1 – Verified Protection
  − Same functional requirements as B3
  − Significant use of formal methods in assurance
  − Honeywell’s SCOMP

TCSEC Evaluation Process
• Originally controlled by government
  − No fee to vendor
  − May reject evaluation application if product not of interest to government or doesn’t meet preliminary tests
• Later introduced fee-based evaluation labs
• Evaluation phases
  − Design analysis – no source code access
  − Test analysis
  − Final review

TCSEC Evaluation Issues
• Evaluating a specific configuration
  − E.g., Windows NT, no applications installed, no network
  − New patches, versions require re-certification
• RAMP introduced to ease re-certifications
• Long time for evaluation
  − Sometimes product was obsolete before evaluation finished
• Criteria creep
  − B1 means something more in 1999 than it did in 1989
• Narrow scope
  − Operating systems for military, MLS

Interim Efforts in the ’90s
• Canadian Trusted Computer Product Evaluation Criteria (CTCPEC)
• Information Technology Security Evaluation Criteria (ITSEC) – Western Europe
• Commercial International Security Requirements (CISR) – AmEx and EDS
• Federal Criteria – NSA and NIST

FIPS 140
• Framework for evaluating cryptographic modules
• Still in use
• Addresses
  − Functionality
  − Assurance
  − Physical security

OpenSSL FIPS-140 Certification
• OpenSSL certified under FIPS-140
  − Certification obtained Feb 2007
• Process took five (!) years
  − Certified version is 0.9.7, 3 years old
• Problems
  − Process slow
  − Public comment process used by competitors to derail certification

Common Criteria – 1998 to today
• Pulls together international evaluation efforts
  − Evaluations mean something between countries
  − Economies of scale
• Three top-level documents
  − Common Criteria documents
    • Describe functional and assurance requirements. Define Evaluation Assurance Levels (EALs)
  − CC Evaluation Methodology (CEM)
    • More details on the evaluation. Complete through EAL5 (at least)
  − Evaluation Scheme
    • Nation-specific rules for how CC evaluations are performed in that country
    • Directed by NIST in US

CC Terminology
• Target of Evaluation (TOE)
  − The product being evaluated
• TOE Security Policy (TSP)
  − Rules that regulate how assets are managed, protected, and distributed in a product
• TOE Security Functions (TSF)
  − Implementation of the TSP
  − Generalization of the TCB

Protection Profile (PP)
• Profile that describes the security requirements for a class of products
  − List of evaluated PPs: http://www.commoncriteriaportal.org/public/expert/index.php?menu=6
• Replaces the fixed set of classes from TCSEC
• ISSO created some initial profiles to match TCSEC classes
  − Controlled Access Protection Profile (CAPP) corresponds to C2
  − Labeled Security Protection Profile (LSPP) corresponds to B1

Protection Profile
• A list of:
  − Threats
  − Assumptions
  − Organizational policies
  − Objectives
  − Assurance requirements
• Along with rationale
• PPs are evaluated by CLEFs

Product Evaluation
• Define a security target (ST)
  − May leverage an evaluated protection profile
  − Define objectives for a specific product
  − Must include rationale
• Evaluated with respect to the ST

CC Functional Requirements
• Defined in a taxonomy
  − Top level: 11 classes
    • E.g., FAU – Security audit and FDP – User data protection
  − Each class divided into families
    • E.g., FDP_ACC – Access control policy
  − Each family divided into components
    • E.g., FDP_ACC.2 – Complete access control
  − Each component contains requirements and dependencies on other requirements

CC Assurance Requirements