Book - Chapter 13 Flashcards

1
Q

What is the Trusted Computer Security Evaluation Criteria?

A

The Trusted Computer Security Evaluation Criteria (TCSEC, Orange Book) were the first evaluation criteria to gain wide acceptance. Several criteria have since been developed to react to perceived shortcomings of the Orange Book and to the changes in the use of IT systems. The desire to unify the different criteria that have arisen has led to the Common Criteria.

2
Q

What is a product?

A

off-the-shelf components that can be used in a variety of applications and have to meet generic security requirements (e.g. an operating system)

3
Q

What is a system?

A

collections of products assembled to meet the specific requirements of a given application

4
Q

What situations should evaluation methods prevent from arising?

A
  1. An evaluated product is later found to contain a serious flaw.
  2. Different evaluations of the same product disagree in their assessment of the product.

Repeatability (re-evaluation by the same team gives the same result) and reproducibility (re-evaluation by a different team gives the same result) are therefore often stated as requirements of an evaluation methodology.

5
Q

What are some different evaluation methods?

A

Security evaluation can be product-oriented or process-oriented.

Product-oriented (investigational) methods examine and test the product. They may tell more about the product than process-oriented methods, but different evaluations may well give different results.

Process (audit) oriented methods look at documentation and the process of product development. They are cheaper and it is much easier to achieve repeatable results, but the results themselves may not be very valuable.

6
Q

What are evaluation criteria?

A

Evaluation criteria capture the procedures to follow when performing security tests.

7
Q

With regards to the Orange Book, what do the terms evaluation, certification and accreditation mean?

A
  • evaluation – assessing whether a product has the security properties claimed for it; this is the test of a security product;
  • certification – assessing whether an (evaluated) product is suitable for a given application; this is the best practice recommendation;
  • accreditation – deciding that a (certified) product will be used in a given application; this is the executive decision.
8
Q

What assurance does a security evaluation aim for?

A

Security evaluation aims to give assurance that a product/system is secure. Security and assurance may be related to:

  • functionality – the security features of a system, e.g. discretionary access control, mandatory access control, authentication, auditing.
  • effectiveness – are the mechanisms used appropriate for the given security requirements? For example, is user authentication by password sufficient or does the application require a cryptographic challenge-response protocol?
  • assurance – the thoroughness of the evaluation.
9
Q

What does security evaluation examine?

A

Security evaluation examines the security-relevant part of a system, i.e. the trusted computing base (TCB).

10
Q

With regards to the Orange Book, how many security divisions and security classes are there?

A
There are four security divisions and seven security classes. The security classes are defined incrementally. All requirements of one class are automatically included in the requirements of all higher classes. Products in higher security classes provide more security mechanisms and higher assurance through more rigorous analysis.
11
Q

What are the four security divisions in regards to the Orange Book?

A
12
Q

In regards to the Orange Book, what do C2 systems provide?

A

C2 systems make users individually accountable for their actions, enforcing discretionary access control at the granularity of single users. C2 was regarded as the most reasonable class for commercial applications, although it intrinsically gives rather weak assurance guarantees. Most major vendors offered C2-evaluated versions of their operating systems or database management systems.

13
Q

In regards to the Orange Book, what is division B intended for?

A

Division B is intended for products that enforce mandatory access control policies on classified data. Testing and documentation have to be much more thorough than for division C. An informal or formal model of the security policy is required. All flaws uncovered in testing must be removed.

14
Q

In regards to the Orange Book, what do B1 systems provide?

A

Class B1 is not very demanding with respect to the structure of the TCB. Hence, complex software systems such as multi-level secure Unix systems – System V/MLS (from AT&T) and operating systems from vendors like Hewlett-Packard, DEC, and Unisys – or database management systems – Trusted Oracle 7, INFORMIX-Online/Secure, and Secure SQL Server (from Sybase) – received B1 certificates.

15
Q

In regards to the Orange Book, what do B2 systems provide?

A

Class B2 increases assurance requirements. A formal model of the security policy and a Descriptive Top Level Specification (DTLS) of the system are required, as is a modular system architecture. The TCB shall provide distinct address spaces to isolate processes, with support at the hardware level. A covert channel analysis has to be conducted and events potentially creating a covert channel have to be audited. Security testing shall establish that the TCB is relatively resistant to penetration. The Trusted XENIX operating system from Trusted Information Systems was rated B2.

16
Q

In regards to the Orange Book, what do B3 systems provide?

A

B3 systems are highly resistant to penetration. Many of the new elements in class B3 have to do with security management. For higher assurance, a convincing argument shall establish the consistency between the formal model of the security policy and the informal DTLS.

17
Q

In regards to the Orange Book, what do A1 systems provide?

A

Class A1 is functionally equivalent to B3. It achieves the highest assurance level through the use of formal methods. Formal specification of policy and system, together with consistency proofs, show with a high degree of assurance that the TCB is correctly implemented. Evaluation for class A1 requires:

  • a formal model of the security policy;
  • a Formal Top Level Specification (FTLS), including abstract definitions of the functions of the TCB;
  • consistency proofs between model and FTLS (formal, where possible);
  • that the TCB implementation has been informally shown to be consistent with the FTLS;
  • a formal analysis of covert channels (informal for timing channels) – continued existence of covert channels has to be justified and bandwidth may have to be limited.
18
Q

What is the rainbow series?

A

The Orange Book is part of a collection of documents on security requirements, security management and security evaluation published by the US National Security Agency and National Computer Security Center, originally developed for the evaluation of systems that process classified government data. The documents in this series are known by the colour of their cover and, as there are plenty of them, they became known as the rainbow series. The concepts and terminology introduced in the Orange Book were adapted to the specific aspects of database management systems and of computer networks in the Trusted Database Management System Interpretation (Lavender/Purple Book) and in the Trusted Network Interpretation (Red Book).

19
Q

What is ITSEC?

A

The harmonized European Information Technology Security Evaluation Criteria were the result of Dutch, English, French and German activities in defining national security evaluation criteria. A first draft was published in 1990 and the Information Technology Security Evaluation Criteria (ITSEC) were formally endorsed as a Recommendation by the Council of the European Union on 7 April 1995. As a European document, ITSEC exists in a number of translations, which adds to the difficulties of uniformly interpreting the criteria.

ITSEC is a logical progression from the lessons learned in various Orange Book interpretations. The Orange Book was found to be too rigid, and ITSEC strives to provide a framework for security evaluation that can deal with new sets of security requirements when they arise.

20
Q

What is the Target of Evaluation?

A

The term Target of Evaluation (TOE) was introduced in ITSEC. It stands for the product or system submitted for security evaluation.

21
Q

What are the ITSEC evaluation levels?

A

Seven evaluation levels, E0 to E6, express the level of confidence in the correctness of the implementation of security functions. E0 stands for inadequate confidence. For each evaluation level, the criteria enumerate items to be delivered by the sponsor to the evaluator. The evaluator shall ensure that these items are provided, taking care that any requirements for content and presentation are satisfied, and that the items clearly provide, or support the production of, the evidence that is called for. Close cooperation between the sponsor/developer and the evaluator is recommended.

22
Q

What are the Federal Criteria?

A

The Federal Criteria took the next logical step, giving more guidance in the definition of evaluation classes but retaining some degree of flexibility. They stick to the evaluation of products and to the linkage between function and assurance in the definition of evaluation classes. They try to overcome the rigid structure of the Orange Book through the introduction of product-independent protection profiles.

23
Q

What are the sections of a protection profile within the Federal Criteria?

A
  • Descriptive elements – the ‘name’ of the protection profile, including a description of the information protection problem to be solved.
  • Rationale – the fundamental justification of the protection profile, including threat, environment, and usage assumptions, a more detailed description of the information protection problem to be solved, and some guidance on the security policies that can be supported by products conforming to the profile.
  • Functional requirements – these establish the protection boundary that must be provided by the product, such that expected threats within this boundary can be countered.
  • Development assurance requirements – for all development phases from the initial design through to implementation, including the development process, the development environment, operational support and development evidence.
  • Evaluation assurance requirements – specify the type and intensity of the evaluation.
24
Q

What are the Common Criteria?

A

For security evaluation to be commercially attractive, evaluation results should be recognized as widely as possible. A first step in this direction is agreement on a common set of evaluation criteria. Thus, various organizations in charge of national security evaluations came together in the Common Criteria Editing Board (CCEB) and produced the Common Criteria [58] in an effort to align existing and emerging evaluation criteria such as TCSEC, ITSEC, CTCPEC, and the Federal Criteria. In 1999, the Common Criteria (CC) became the international standard (ISO 15048). The CCEB has been succeeded by the CC Implementation Board (CCIB).

25
Q

What is the Common Criteria Security Target?

A

The Security Target (ST) expresses security requirements for a specific TOE, e.g. by reference to a protection profile.

The ST is the basis for any evaluation. The Evaluation Assurance Level (EAL) defines what has to be done in an evaluation.

26
Q

What are Common Criteria Protection Profiles?

A

To guide decision-makers, information about security objectives, rationale, threats and threat environment, and further application notes are collected in a Protection Profile (PP). This is a (reusable) set of security requirements that meet specific user needs.

Today, there exist PPs for a wide variety of systems. They can be generic, e.g. for an infrastructure product such as an operating system, or specific to a single application. The CC evaluation of Windows mentioned in Chapter 8 used the Controlled Access Protection Profile version 1.d, which has its origins in the Orange Book class C2. At the other end of the spectrum, there are PPs for taxi on-board computers (in Dutch) or for electronic health cards (some in German). The scope of PPs spans single-level and multi-level operating systems, database management systems, firewalls, intrusion detection systems, trusted platform modules, biometric verification mechanisms, postage meters, automatic cash dispensers, electronic wallets, secure signature-creation devices, machine readable travel documents, and several aspects of smart card security.
27
Q

What is the structure of a Common Criteria Protection Profile?

A
28
Q

What are the descriptions of the seven Common Criteria EALs?

A
  • EAL1 – functionally tested. The tester receives the TOE, examines the documentation and performs some tests to confirm the documented functionality. Evaluation should not require any assistance from the developer. The outlay for evaluation should be minimal.
  • EAL2 – structurally tested. The developer provides test documentation and test results from a vulnerability analysis. The evaluator reviews the documentation and repeats some of these tests. The effort required from the developer is small and a complete development record need not be available.
  • EAL3 – methodically tested and checked. The developer uses configuration management, documents security arrangements for development, and provides high-level design documentation and documentation on test coverage for review. This level is intended for developers who already follow good development practices but do not want to implement further changes to their practices.
  • EAL4 – methodically designed, tested, and reviewed. The developer provides low-level design documentation and a subset of security functions (TCB) source code for evaluation. Secure delivery procedures have to be in place. The evaluator performs an independent vulnerability analysis. Usually EAL4 is the highest level that is economically feasible for an existing product line. Developers have to be ready to incur additional security-specific engineering costs.
  • EAL5 – semiformally designed and tested. The developer provides a formal model of the security policy, a semiformal high-level design and functional specification as well as the full source code of the security functions. A covert channel analysis has to be conducted. The evaluator performs independent penetration testing. For evaluation at this level, it helps if the TOE has been designed and developed with the intention of achieving EAL5 assurance. The additional costs of evaluation beyond the costs of the development process itself ought not to be large.
  • EAL6 – semiformally verified design and tested. The source code must be well structured and the access control implementation (reference monitor) must have low complexity. The evaluator has to conduct more intensive penetration testing. The cost of evaluation should be expected to increase.
  • EAL7 – formally verified design and tested. The developer provides a formal functional specification and a high-level design. The developer has to demonstrate or prove correspondence between all representations of the security functions. The security functions must be simple enough for formal analysis. This level can typically only be achieved with a TOE that has a tightly focused security functionality and is amenable to extensive formal analysis.
29
Q

What is the chronological order of the evaluation criteria?

A

TCSEC, ITSEC, Federal Criteria & Common Criteria