A Common Criteria A Common Criteria Authoring Environment Authoring Environment * Supporting Composition * Supporting Composition Rance DeLong a , John Rushby Computer Science Laboratory SRI International Menlo Park CA USA 8th International 8th International Common Criteria Conference Common Criteria Conference Rome, Italy Rome, Italy September 25, 2007 September 25, 2007 * Sponsored by AFRL via Raytheon a LynuxWorks and Santa Clara University 1
Relationship of the CCAE to the MIPP Relationship of the CCAE to the MIPP We describe two complementary activities two complementary activities: : We describe – a a MILS Integration Protection Profile MILS Integration Protection Profile, and , and – – A A Common Criteria Authoring Environment Common Criteria Authoring Environment – (CCAE) to support authors of MILS PPs PPs and and STs STs (CCAE) to support authors of MILS Together these can provide strategic strategic Together these can provide coordination to the MILS community. to the MILS community. coordination The CCAE will enable authors to produce The CCAE will enable authors to produce reviewed PPs PPs and and STs STs of higher quality in of higher quality in reviewed less time, and , and ones that will better serve the ones that will better serve the less time common interests of the MILS community common interests of the MILS community Rance DeLong, John Rushby SRI CC Authoring Environment 2
What CC protection profiles do: What CC protection profiles do: The CC provides us with The CC provides us with A structure for the development of security A structure for the development of security requirements specifications requirements specifications Independent functional and assurance Independent functional and assurance dimensions (like ITSEC, unlike TCSEC) dimensions (like ITSEC, unlike TCSEC) Assurance same function, different assurance different function, same assurance Functionality Rance DeLong, John Rushby SRI CC Authoring Environment 3
What CC protection profiles do: What CC protection profiles do: Constrain the space Constrain the space CC Protection Profile concept CC Protection Profile concept – Remedies some problems possible with ITSEC Remedies some problems possible with ITSEC – evaluations evaluations • Vendor could make claims for any point in the space of Vendor could make claims for any point in the space of • functionality × assurance and have those claims functionality × assurance and have those claims evaluated evaluated • Users were left comparing apples and oranges Users were left comparing apples and oranges • – PPs PPs constrain the space of compliant products constrain the space of compliant products – – PPs PPs are written and evaluated by experts to are written and evaluated by experts to – present a “ “balanced balanced” ” set of requirements to set of requirements to present a developers developers Rance DeLong, John Rushby SRI CC Authoring Environment 4
What CC protection profiles do : What CC protection profiles do : Unconstrained Function × Assurance space Unconstrained Function × Assurance space TOE 1 Assurance TOE 2 Functionality Rance DeLong, John Rushby SRI CC Authoring Environment 5
What CC protection profiles do : What CC protection profiles do : Function × Assurance space Function × Assurance space constrained by protection profiles constrained by protection profiles TOE PPa Assurance TOE PPb TOE PPc Functionality Rance DeLong, John Rushby SRI CC Authoring Environment 6
CC-based product (TOE) development CC-based product (TOE) development We expect multiple TOEs of each product type and have expectations of a relationship among instances of Type and with instances of other types PP / ST Authoring Process ST 1 TOE 1 Security Type Type problem ST 2 TOE 2 Inputs Type Type PP Type CC Outputs ST 3 TOE 3 Constraints Type Type ST 4 TOE 4 Type Type Critical determiners of properties of Outputs Rance DeLong, John Rushby SRI CC Authoring Environment 7
MILS is based on composition of of MILS is based on composition cooperating products defined by defined by cooperating products related Protection Profiles related Protection Profiles MILS Integration Protection Profile (MIPP) MILS Integration Protection Profile (MIPP) Separation Kernel (SKPP) Separation Kernel (SKPP) Partitioning Communication System (PCSPP) Partitioning Communication System (PCSPP) MILS Console System (MCSPP) MILS Console System (MCSPP) MILS Network System (MNSPP) MILS Network System (MNSPP) MILS File System (MFSPP) MILS File System (MFSPP) . . . . . . Rance DeLong, John Rushby SRI CC Authoring Environment 8
MILS PPs PPs are expected to achieve: are expected to achieve: MILS ST SK SK 1 System A ST SK SK 2 SKPP ST SK SK 3 SK 4 PCS 2 ST SK SK 4 ST PCS PCS 1 ! Console 1 Network 3 ST PCS PCS 2 PCSPP ST PCS PCS 3 File System 3 ST PCS PCS 4 ST MCS Console 1 System B ! ST MCS Console 2 CC MCSPP ST MCS Console 3 ST MCS Console 4 SK 1 PCS 3 ST MFS File System 1 ! ST MFS File System 2 Console 4 Network 1 MFSPP ST MFS File System 3 File System 4 ST MFS File System 4 ST MNS Network 1 ST MNS Network 2 MNSPP ST MNS Network 3 ! = Successful integration ST MNS Network 4 Rance DeLong, John Rushby SRI CC Authoring Environment 9
MILS architecture is based on based on composition composition MILS architecture is A dual challenge of A dual challenge of high assurance high assurance and and composition composition Components independently developed by Components independently developed by different vendors different vendors Components are Components are defined by defined by Common Criteria-style Common Criteria-style protection profiles (PPs PPs) ) protection profiles ( The The collection collection of of PPs PPs reflects an intended reflects an intended architecture architecture The The PPs PPs must must be in agreement with be in agreement with the architecture the architecture CCAE is a vehicle to achieve this CCAE is a vehicle to achieve this agreement agreement Rance DeLong, John Rushby SRI CC Authoring Environment 10
Desirable composition support Desirable composition support Successful composition requires Successful composition requires – – Policy composition (that enforced by each component’ Policy composition (that enforced by each component ’s TSF) s TSF) – – Functional compositionality (foundational and operational) Functional compositionality (foundational and operational) – Functional Interoperability (interfaces, interactions, behaviors) – Functional Interoperability (interfaces, interactions, behaviors) – Results in additional constraints on PP/ST/TOE development – Results in additional constraints on PP/ST/TOE development Apply CC CAP packages and ACO evaluation methodology Apply CC CAP packages and ACO evaluation methodology Constrain PP/ST development beyond current CC guidance Constrain PP/ST development beyond current CC guidance – Constraints flowed-down from the MIPP – Constraints flowed-down from the MIPP – – Constraints from other community standards Constraints from other community standards – – Constraints on definitions of concepts and vocabulary for Constraints on definitions of concepts and vocabulary for expressing the security problem and security environment expressing the security problem and security environment Additional requirements in Additional requirements in PPs PPs – – Ensure additional requirements are represented in new PPs Ensure additional requirements are represented in new PPs – Apply uniformly across collection of composable composable products products – Apply uniformly across collection of Provide a parallel framework for non-CC composition Provide a parallel framework for non-CC composition requirements requirements Rance DeLong, John Rushby SRI CC Authoring Environment 11
How many many PPs PPs have been written have been written How Existing PP Examples (not always good) “Produce a PP for X” ? ? ? ST PP X CC v?.? process Review Cycle(s) Domain Expertise + Security Expertise (ideally) Rance DeLong, John Rushby SRI CC Authoring Environment 12
Recommend
More recommend
