Professional Documents
Culture Documents
Security Lecture 6
Security Lecture 6
Security Lecture 6
Lecture 6
Security Evaluation
Syed Naqvi
snaqvi@ieee.org
Outline
♦ Auditing
♦ Trusted Computer System Evaluation
Criteria (TCSEC)
♦ Information Technology Security
Evaluation Criteria (ITSEC)
♦ Common Criteria (CC)
1
Auditing
♦ Logging
– Recording events or statistics to provide information
about system use and performance
♦ Auditing
– Analysis of log records to present information about the
system in a clear, understandable manner
Auditing – Goals/Uses
♦ User accountability
♦ Damage assessment
2
Auditing – Problems
♦ What to log?
– looking for violations of a policy, so record at least
what will show such violations
– Use of privileges
♦ Analyzer
– Analyzes logged information looking for something
♦ Notifier
– Reports results of analysis
3
Logger
♦ Type, quantity of information recorded controlled by
system or program configuration parameters
Analyzer
♦ Analyzes one or more logs
– Logs may come from multiple systems, or a single
system
– May lead to changes in logging
– May lead to a report of an event
4
Notifier
♦ Informs analyst, other entities of results of
analysis
5
Evolution of Evaluation Criteria
TCSEC Canadian
1985
Criteria
1993
UK CLs
1989
German
Criteria Federal Criteria
Draft 1993
French
Criteria ITSEC
1991 v1.0 1996
Dutch
v2.0 1998
Criteria
v3.0 2005
6
TCSEC (Orange Book) ~1980
♦ Trusted Computer System Evaluation Criteria
– U.S. Government security evaluation criteria
– Used for evaluating commercial products
♦ Emphasis on Confidentiality
TCSEC – Problems
♦ Based heavily on confidentiality
– Did not address integrity, availability
7
Information Technology
Security Evaluation
Criteria (ITSEC)
ITSEC ~1991
♦ European approach to TCSEC
8
ITSEC – Problems
♦ No validation that security requirements made sense
– Product meets goals
– But does this meet user expectations?
♦ Inconsistency in evaluations
– Not as formally defined as TCSEC
9
Common Criteria ~1999
♦ Replaced TCSEC, ITSEC
♦ CC Documents
– Functional requirements
– Assurance requirements
– Evaluation Assurance Levels (EAL)
♦ CC Evaluation Methodology
– Detailed evaluation guidelines for each EAL
Common Criteria
♦ Protection Profile
Implementation independent, domain-specific set of
security requirements
♦ Narrative Overview
♦ Product/System description
♦ Security Environment (threats, overall policies)
♦ Security Objectives: System, Environment
♦ IT Security Requirements
– Functional requirements drawn from CC set
– Assurance level
♦ Rationale for objectives and requirements
10
Common Criteria
Common Criteria
♦ Security Target
Specific requirements used to evaluate system
♦ Narrative introduction
♦ Environment
♦ Security Objectives
– How met
♦ Security Requirements
– Environment and system
– Drawn from CC set
♦ Mapping of Function to Requirements
♦ Claims of Conformance to Protection Profile
11
Common Criteria
Common Criteria
Functional Requirements
♦ 11 Classes
– Security Audit, Communication, Cryptography, User data
protection, ID/authentication, Security Management, Privacy,
Protection of Security Functions, Resource Utilization, Access,
Trusted paths
12
Common Criteria
Class Example: Communication
♦ Non-repudiation of origin
1. Selective Proof. Capability to request verification of origin
2. Enforced Proof. All communication includes verifiable origin
Common Criteria
1. Pseudonymity Class Example: Privacy
1. The TSF shall ensure that [assignment:
set of users and/or subjects] are unable
to determine the real user name bound
to [assignment: list of subjects and/or
operations and/or objects]
2. The TSF shall be able to provide
[assignment: number of aliases] aliases
of the real user name to [assignment:
list of subjects]
3. The TSF shall [selection: determine an
alias for a user, accept the alias from
the user] and verify that it conforms to
the [assignment: alias metric]
2. Reversible Pseudonimity
1. …
3. Alias Pseudonimity
1. …
18 November 2010 Lecture 6: Security Evaluation 26
13
Common Criteria
Assurance Requirements
♦ 10 Classes
– Protection Profile Evaluation, Security Target Evaluation
– Configuration management, Delivery and operation, Development,
Guidance, Life cycle, Tests, Vulnerability assessment
– Maintenance
Common Criteria
Security environment
Example: Protection Profile Evaluation
♦ In order to determine whether the IT
security requirements in the PP are
sufficient, it is important that the security
problem to be solved is clearly understood
by all parties to the evaluation.
1. Protection Profile, Security environment,
Evaluation requirements
– Dependencies: No dependencies.
– Developer action elements:
♦ The PP developer shall provide a
statement of TOE security environment as
part of the PP.
– Content and presentation of evidence
elements:
♦ ….
14
Common Criteria
Example: Delivery and Operation
Installation, generation and start-up
A. Installation, generation, and start-up procedures
– Dependencies: AGD_ADM.1 Administrator guidance
B. Developer action elements:
– The developer shall document procedures necessary for the secure installation,
generation, and start-up of the TOE.
C. Content and presentation of evidence elements:
– The documentation shall describe the steps necessary for secure installation,
generation, and start-up of the TOE.
D. …
Common Criteria
Evaluation Assurance Levels (EALs)
1. Functionally tested
2. Structurally tested
3. Methodically tested and checked
4. Methodically designed, tested, and reviewed
5. Semi-formally designed and tested
6. Semi-formally verified design and tested
7. Formally verified design and tested
15
Common Criteria
Evaluation Process
♦ National Authority authorizes evaluators
– U.S.: NIST accredits commercial organizations
– Fee charged for evaluation
Conclusions
♦ Security is not a product!
♦ Security is a process and must be viewed holistically with
the rest of the system.
♦ Security must be designed into the system from the
beginning.
♦ Security can not be bolt-on a system.
♦ Security should be woven in the fabric of a system design.
♦ Security paradigms should be reviewed regularly.
♦ …
16
Exercise
♦ Study Common Criteria Evaluation Report sent to you
earlier
17