
Page 1: Security Evaluation - CSM27 Computer Security › teaching › 2007-08 › csm27 › 08eval › s… · Fundamental Concepts Outline 1 Overview 2 Fundamental Concepts 3 The Common

Security Evaluation
CSM27 Computer Security

Dr Hans Georg Schaathun

University of Surrey

Autumn 2007

Dr Hans Georg Schaathun Security Evaluation Autumn 2007 1 / 25

Page 2:

Overview

Outline

1 Overview

2 Fundamental Concepts

3 The Common Criteria

4 Closing Words

Page 3:

Overview

Session objectives

Discuss advantages and limitations of security evaluations
Clarify fundamental concepts and terminology in security evaluation
Give an overview of the Common Criteria, enabling students to find appropriate documentation when needed

Page 4:

Overview

Can we trust a secure product/system?

Do you trust the manufacturer?
Can you scrutinise and evaluate the product/system yourself?
Is there an independent evaluation or certification?

What is the difference between a product and a system?
What practical difference does it make for the evaluator?

Page 7:

Overview

Evaluation Standards

TCSEC (Orange Book) – USA, 1983–1999
CTCPEC – Canada, 1989
ITSEC – Europe, 1991–2001 (EU Council 1995)
Common Criteria – Canada, France, Germany, the Netherlands, UK and USA, 1998–

International arrangement: the Common Criteria Recognition Arrangement (CCRA)
  A national evaluation scheme is needed to join
  Replaces TCSEC, ITSEC, ...

Page 8:

Fundamental Concepts

Outline

1 Overview

2 Fundamental Concepts

3 The Common Criteria

4 Closing Words

Page 9:

Fundamental Concepts

Target

Product
  generic products
  generic requirements
  Security Classes (TCSEC)
  Protection Profile (Common Criteria)

System
  local and individual requirements
  dialogue between security expert and non-expert user

Page 16:

Fundamental Concepts

Target

Productgeneric productsgeneric requirementsSecurity Classes (TCSEC)Protection Profile (Common Criteria)

Systemlocal and individual requirementsdialogue between security expert and non-expert user

Dr Hans Georg Schaathun Security Evaluation Autumn 2007 7 / 25

Page 16: Security Evaluation - CSM27 Computer Security › teaching › 2007-08 › csm27 › 08eval › s… · Fundamental Concepts Outline 1 Overview 2 Fundamental Concepts 3 The Common

Fundamental Concepts

Purpose

Distinctions in the Orange Book

Evaluation: assesses achievement of the claimed properties
Certification: suitability for a given application
Accreditation: acceptance for a given application

Page 17:

Fundamental Concepts

Method

We have to avoid
  different results from different evaluations
  security bugs found after a positive evaluation

Goals: reproducibility and repeatability

Two methodologies
  Product-oriented (aka investigational): considers the final product; establishes trust in a particular product
  Process-oriented (aka audit-oriented): considers the development process; (potentially) establishes trust in a particular producer

Page 20:

Fundamental Concepts

Organisational Framework

Government agencies (initial US approach)
Private enterprises with government accreditation
  Government certificates (UK 1991)
  Private certification (Germany)

What is the contract between ... ?
  Sponsor
  Evaluator
  Manufacturer

Page 22:

Fundamental Concepts

Organisational Challenges

Consistency across independent agencies
  Different people make different interpretations

Interpretation drift
  Different interpretations at different times

Page 23:

Fundamental Concepts

Structure

Functionality: Which features are provided?
Effectiveness: Are the features appropriate for the requirements?
Assurance: How thorough/certain is the evaluation?

The Orange Book couples the three considerations into discrete security classes
ITSEC treats the three considerations separately

Flexible framework; open for new requirements

Page 25:

The Common Criteria

Outline

1 Overview

2 Fundamental Concepts

3 The Common Criteria

4 Closing Words

Page 26:

The Common Criteria

The Common Criteria

International arrangement (the CCRA)
Common standards documents
  CC documents (Parts 1–3)
  CC Evaluation Methodology (CEM)

Member states may have different implementations
  Evaluation Scheme or National Scheme

Page 27:

The Common Criteria

Basic Concepts

Protection Profile (PP): describes the protection needed in a given application scenario, independently of any particular product

Security Target (ST): describes the protection provided by one specific product or system, the Target of Evaluation (TOE)

An ST implements a PP: the ST claims conformance to the PP and must meet all of the PP's requirements (it may add more of its own)

Page 28:

The Common Criteria

Security Functional Requirements

From the scope statement of CC Part 2:

This part of the CC defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that will meet the common security functionality requirements of many IT products.

Page 30:

The Common Criteria

Functional Requirements ClassesAn example

Communications class, FCO (two families)
  Non-repudiation of origin (FCO_NRO)
  Non-repudiation of receipt (FCO_NRR)

Other classes include
  Cryptographic support (FCS)
  Security audit (FAU)
  User data protection (FDP)
  ...

Page 32:

The Common Criteria

Security Assurance Requirements

From the scope statement of CC Part 3:

This CC Part 3 defines the assurance requirements of the CC. It includes the evaluation assurance levels (EALs) that define a scale for measuring assurance for component TOEs, the composed assurance packages (CAPs) that define a scale for measuring assurance for composed TOEs, the individual assurance components from which the assurance levels and packages are composed, and the criteria for evaluation of PPs and STs.

Page 34:

The Common Criteria

Assurance Classes

APE: Protection Profile evaluation
ASE: Security Target evaluation

Seven classes relating to the product or system itself, e.g.
  Development (ADV)
  Delivery and operation (ADO in CC 2.x)
  Tests (ATE)
  ...

Page 36:

The Common Criteria

Evaluation Assurance Levels

EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodically tested and checked
EAL4: Methodically designed, tested and reviewed
EAL5: Semiformally designed and tested
EAL6: Semiformally verified design and tested
EAL7: Formally verified design and tested

Mutual recognition under the CCRA covers only the lower levels (EAL1–EAL4 at the time of writing); certificates at EAL5–7 are recognised only within the issuing national scheme or under separate regional agreements

Page 39:

Closing Words

Outline

1 Overview

2 Fundamental Concepts

3 The Common Criteria

4 Closing Words

Page 40:

Closing Words

Do we need evaluation standards?

Controversial
Requirement for government applications
  The standards are tokens of government trust
  Standardisation is essential for public sector markets
Little enthusiasm outside the public sector [Gollmann]
  Some exceptional industries do want standardised evaluation
  At present: smart card manufacturers
Evaluation covers one version and one configuration
  Evaluation takes time – probably not the most recent version

Page 42:

Closing Words

Cost and Benefit

Expensive: 10%–40% of development cost
  Fees to the evaluator
  Production of supporting documentation
  Delay to market

Criterion in certain markets
  All depends on the customer

Is the money better spent elsewhere?
  Security management, etc.?

Are quality standards an alternative?

Page 43:

Closing Words

Exercise sheet

Refer to the Common Criteria portal, http://www.commoncriteriaportal.org/. Choose one protection profile (PP) which interests you, and the security target (ST) of a product implementing this PP. Compare the PP and the ST, and identify any differences. Based on this comparison, what is your opinion of the product? For which applications is the product suitable?
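A starting point for this comparison, and for the earlier slide's claim that an ST implements a PP, as an added example written for this page (it is not part of the lecture, nor a tool from the Common Criteria portal): the script below checks the component identifiers a PP requires against those an ST claims, for functional (F...) and assurance (A...) components alike, applying two CC rules: a hierarchically higher component may stand in for a lower one, and every claimed component's dependencies must be met by the ST itself. The HIERARCHICAL_TO and DEPENDS_ON tables are a small hand-written subset for illustration (CC Part 2 and Part 3 are the authoritative source), and PP_REQUIREMENTS / ST_CLAIMS are constructed sample data, not taken from any real PP or ST.

```python
"""Check a Security Target's claimed components against a Protection Profile.

Added example for this page (not from the lecture or the CC project). Identifiers
follow the CC scheme class_family.number, e.g. FCO_NRO.2 = class FCO, family NRO,
component 2; an 'F' prefix marks a functional component, 'A' an assurance component.
HIERARCHICAL_TO and DEPENDS_ON are a small hand-written subset for illustration;
CC Part 2 and Part 3 are the authoritative tables.
"""
import re
from dataclasses import dataclass, field

COMPONENT_RE = re.compile(r"^([AF])([A-Z]{2})_([A-Z]{3})\.(\d+)$")

# component -> the component it is hierarchical to (it includes everything the lower one requires)
HIERARCHICAL_TO = {
    "FCO_NRO.2": "FCO_NRO.1",  # enforced proof of origin > selective proof of origin
    "FCO_NRR.2": "FCO_NRR.1",  # enforced proof of receipt > selective proof of receipt
    "FIA_UID.2": "FIA_UID.1",  # identification before any action > timing of identification
    "FIA_UAU.2": "FIA_UAU.1",  # authentication before any action > timing of authentication
    "ALC_FLR.2": "ALC_FLR.1",  # flaw remediation
    "ALC_FLR.3": "ALC_FLR.2",
    "AVA_VAN.2": "AVA_VAN.1",  # vulnerability analysis, increasing attack potential
    "AVA_VAN.3": "AVA_VAN.2",
    "AVA_VAN.4": "AVA_VAN.3",
    "AVA_VAN.5": "AVA_VAN.4",
}

# component -> dependency groups; a group is satisfied by any one of its members
DEPENDS_ON = {
    "FAU_GEN.1": [["FPT_STM.1"]],
    "FAU_GEN.2": [["FAU_GEN.1"], ["FIA_UID.1"]],
    "FCO_NRO.1": [["FIA_UID.1"]],
    "FCO_NRO.2": [["FIA_UID.1"]],
    "FCS_COP.1": [["FDP_ITC.1", "FDP_ITC.2", "FCS_CKM.1"], ["FCS_CKM.4"]],
    "FCS_CKM.1": [["FCS_CKM.2", "FCS_COP.1"], ["FCS_CKM.4"]],
    "FIA_UAU.1": [["FIA_UID.1"]],
}


def parse_component(ident):
    """Split an identifier into (kind, class, family, number); raise on malformed input."""
    m = COMPONENT_RE.match(ident.strip())
    if not m:
        raise ValueError(f"not a CC component identifier: {ident!r}")
    kind, cls, fam, num = m.groups()
    kind_name = "functional" if kind == "F" else "assurance"
    return kind_name, kind + cls, f"{kind}{cls}_{fam}", int(num)


def satisfies(claimed, required):
    """True if `claimed` is `required` or is (transitively) hierarchical to it."""
    cur = claimed
    while cur is not None:
        if cur == required:
            return True
        cur = HIERARCHICAL_TO.get(cur)
    return False


def covering_component(required, claimed):
    """First claimed component (sorted, so an exact match wins over a higher one) that satisfies `required`."""
    for c in sorted(claimed):
        if satisfies(c, required):
            return c
    return None


@dataclass
class ConformanceReport:
    missing: list = field(default_factory=list)             # PP components the ST does not cover
    replaced: dict = field(default_factory=dict)            # PP component -> higher ST component used instead
    additional: list = field(default_factory=list)          # ST components beyond what the PP asks for
    unmet_dependencies: dict = field(default_factory=dict)  # ST component -> dependency groups it does not meet

    def conforms(self):
        return not self.missing and not self.unmet_dependencies


def check_conformance(pp_components, st_components):
    pp, st = set(pp_components), set(st_components)
    for ident in pp | st:
        parse_component(ident)  # reject malformed identifiers early
    report = ConformanceReport()
    used = set()
    for req in sorted(pp):
        cov = covering_component(req, st)
        if cov is None:
            report.missing.append(req)
        else:
            used.add(cov)
            if cov != req:
                report.replaced[req] = cov
    report.additional = sorted(st - used)
    # Dependencies are checked against the ST's own claims, again allowing hierarchical substitutes.
    for comp in sorted(st):
        unmet = [group for group in DEPENDS_ON.get(comp, [])
                 if not any(covering_component(dep, st) for dep in group)]
        if unmet:
            report.unmet_dependencies[comp] = unmet
    return report


# Constructed sample data, not from any real PP or ST.
PP_REQUIREMENTS = ["FAU_GEN.1", "FCO_NRO.1", "FCS_COP.1", "FIA_UID.1", "FPT_STM.1",
                   "ALC_FLR.2", "AVA_VAN.3"]
ST_CLAIMS = ["FAU_GEN.1", "FAU_GEN.2", "FCO_NRO.2", "FCS_COP.1", "FIA_UID.2", "FPT_STM.1",
             "ALC_FLR.3", "AVA_VAN.2"]

if __name__ == "__main__":
    r = check_conformance(PP_REQUIREMENTS, ST_CLAIMS)
    print("conforms:", r.conforms())
    print("missing:", r.missing)
    print("replaced:", r.replaced)
    print("additional:", r.additional)
    print("unmet dependencies:", r.unmet_dependencies)
```

On the sample data the ST does not conform: it claims a lower vulnerability-analysis level than the PP requires (AVA_VAN.2 against AVA_VAN.3, so `missing`), and it claims cryptographic operations (FCS_COP.1) without any key generation, import or destruction component to satisfy their dependencies. Identifiers alone do not settle the exercise, though: the completed operations (assignments, selections, refinements) in each requirement, the TOE boundary and the assumptions on the operational environment still have to be compared by hand.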

Page 44:

Closing Words

Discussion Exercise

Compare evaluation and consultancy
  Consultants advise clients on suitable solutions for their applications (including security requirements).
  Where would you draw the boundary between evaluation and consultancy?

What do consultants do?
What does an evaluation do?

Are there any situations where you would clearly choose one over the other?
