SingleSingle SiteSite SecuritySecurity TargetTarget
How to
Jose Emilio Rico
Epoche & Espri
� Site certification
� Current methodology and well known SARs’
(ALC) issues in CC.
� The manufacturing model
Agenda
� The manufacturing model
� The Site Certification process
� Single SST template
� Conclusions
September 2013 14 ICCC Orlando 2
� Purpose
o Reusability of results, leads to a significant
reduction of time and money efforts.
o Marketing� Developer image
Site Certification
•8/9/2013 33September 2013 14 ICCC Orlando
o Amanufacturing process certification
o From EAL3
� CC & CEM do not help too much in some aspects of ALC.
Let´s have a look ……….
Current methodology
� CC part 3 & CEM
� Site Certification Supporting Document
� JIL Minimum DVS requirements for high assurance
•8/9/2013 44September 2013 14 ICCC Orlando
Well known SARs’ (ALC) issues in CC.
When analyzing the ALC role in CC we found:
� The broken link between SPD & SARs
o Mapping TOE security capabilities to properties of
the security architecture (ADV_ARC).
•8/9/2013 55September 2013 14 ICCC Orlando
o Mapping desirable security properties of the
development process and sites to assurance life
cycle capabilities (ALC).
o Mapping AVA_VAN attack potential methodology to
security in the development environment.
Well known SARs’ (ALC) issues in CC.
When analyzing the ALC role in CC we found:
� Vague information and references to the development
process characteristics in the ST.
•8/9/2013 66September 2013 14 ICCC Orlando
Well known SARs’ (ALC) issues in CC.
When analyzing the ALC role in CC we found:
� Minimum requirements for the development sites
[ALC_DVS.1-1]
The evaluator determines what is necessary by first
•8/9/2013 77September 2013 14 ICCC Orlando
The evaluator determines what is necessary by first
referring to the ST for any information that may assist in the
determination of necessary protection. If no explicit
information is available from the ST the evaluator will
need to make a determination of the necessary
measures.
The manufacturing model
•8/9/2013 88September 2013 14 ICCC Orlando
The manufacturing model
•8/9/2013 99September 2013 14 ICCC Orlando
Site Certification process
� Site evaluation
AST: SST evaluation� ALC evaluation� ETR
� How to reuse ALC in a later TOE evaluation
o The TOE-ST defines the scope of the development
•8/9/2013 1010September 2013 14 ICCC Orlando
o The TOE-ST defines the scope of the development
environment by claiming the ALC requirements.
o No changes have been made in the certified
development environment.
o The site certificate fulfill all ALC related SARs of the
TOE-ST � no additional evaluation efforts are
necessary in the TOE evaluation concerning ALC.
Single SST template
� Site Security target content.
1. Introduction
2. Conformance Claim
3. Security Problem Definition
•8/9/2013 1111September 2013 14 ICCC Orlando
3. Security Problem Definition
4. Security Objectives for the development
environment
5. Extended Components Definition
6. Security Requirements
7. Site Summary Specification
� Common issues in a single SST:
o Security problem based in Risk analysis
o Security objectives for the Site
o ALC SARs: ALC_CMS.1, ALC_CMC.3, ALC_DVS.1
Single SST template
•8/9/2013 1212September 2013 14 ICCC Orlando
o ALC SARs: ALC_CMS.1, ALC_CMC.3, ALC_DVS.1
� Distinctive issues:
o Implementation of the selected SARs
� Security problem based in Risk analysis: Assets
Single SST template
•8/9/2013 1313September 2013 14 ICCC Orlando
� Security problem based in Risk analysis: Agents
o Insider with rights
o Insider without any rights
o Outsider with rights
Single SST template
•8/9/2013 1414September 2013 14 ICCC Orlando
o Outsider with rights
o Outsider without any rights
� Security problem based in Risk analysis: Threats
Single SST template
•8/9/2013 1515September 2013 14 ICCC Orlando
� Security problem: OSPs
Single SST template
•8/9/2013 1616September 2013 14 ICCC Orlando
� Security problem: Assumptions.
Single SST template
No assumptions should be included
exempting the developer from meeting the
ALC requirements.
•8/9/2013 1717September 2013 14 ICCC Orlando
If needed …….
� Should be outside the sphere of influence of the
developer.
� Should be requirements for the final customer:
security, CMC for maintenance, etc.
� Security Objectives of the Site vs. Threats (I).
Single SST template
•8/9/2013 1818September 2013 14 ICCC Orlando
� Security Objectives of the Site vs. Threats (II).
Single SST template
•8/9/2013 1919September 2013 14 ICCC Orlando
� Security Objectives of the Site vs. OSPs.
Single SST template
•8/9/2013 2020September 2013 14 ICCC Orlando
� Security Assurance Requirements to meet Site
objectives. ConfigurationManagement System.
Single SST template
•8/9/2013 2121September 2013 14 ICCC Orlando
� Security Assurance Requirements to meet Site
objectives. Developers security (I).
Single SST template
•8/9/2013 2222September 2013 14 ICCC Orlando
� Security Assurance Requirements to meet Site
objectives. Developers security (II).
Single SST template
•8/9/2013 2323September 2013 14 ICCC Orlando
� Security Assurance Requirements to meet Site
objectives. Life Cycle model.
Single SST template
•8/9/2013 2424September 2013 14 ICCC Orlando
� Security Assurance Requirements. Application Notes.
Single SST template
•8/9/2013 2525September 2013 14 ICCC Orlando
� Site Summary Specification (SSS)
o Identify evidence needed for the Site to meet the
SARs and describe how the Site met the SARs.
o ALC_DVS: how it fulfils the attack potential claimed.
Single SST template
•8/9/2013 2626September 2013 14 ICCC Orlando
o The SSS has to describe WHAT but not HOW.
o Sanitized version of the SST�without SSS.
� Site Summary Specification (SSS). Attack potential.
o Attack potential calculation.
Single SST template
•8/9/2013 2727September 2013 14 ICCC Orlando
Conclusions - 1st
� Site certification
o Reusability: same area, same procedures
� Significant reduction of time and money efforts.
� Marketing
•8/9/2013 2828September 2013 14 ICCC Orlando
� Marketing
Conclusions – and 2nd
� The Single SST template:
o May derived in a a PP with the common aspects
helping in the definition of a set of minimum reqs.
for medium assurance (e.g. EAL3 & EAL4).
o May be extended to cover multiple sites in a supply
•8/9/2013 2929September 2013 14 ICCC Orlando
o May be extended to cover multiple sites in a supply
chain including secure delivery. Main add-ons:
� security measures for transfers between sites
� acceptance procedures.
Jose Emilio Rico
[email protected]@epoche.es
Epoche & Espri, S.L.U.
Avda. de la Vega, 1
28108, Alcobendas, Madrid
Spain
Tel: +34 914-902-900
FAX: +34 916-625-344
Epoche & Espri Corporation
4000 Legato Road, Suite 1100
Fairfax, VA 22033
USA
Tel: +1 888-877-9506
FAX: +1 703-227-7189