A Common Criteria Authoring Environment Supporting Composition (PowerPoint presentation)



SLIDE 1

A Common Criteria Authoring Environment Supporting Composition*

Rance DeLong (a), John Rushby
Computer Science Laboratory, SRI International, Menlo Park, CA, USA

(a) LynuxWorks and Santa Clara University
* Sponsored by AFRL via Raytheon

8th International Common Criteria Conference, Rome, Italy, September 25, 2007

SLIDE 2

Relationship of the CCAE to the MIPP

We describe two complementary activities:
– a MILS Integration Protection Profile (MIPP), and
– a Common Criteria Authoring Environment (CCAE) to support authors of MILS PPs and STs

Together these can provide strategic coordination to the MILS community. The CCAE will enable authors to produce reviewed PPs and STs
• of higher quality in less time, and
• ones that will better serve the common interests of the MILS community

Rance DeLong, John Rushby SRI CC Authoring Environment

SLIDE 3

What CC protection profiles do: The CC provides us with

• A structure for the development of security requirements specifications
• Independent functional and assurance dimensions (like ITSEC, unlike TCSEC)

[Figure: two axes, Functionality and Assurance, illustrating "same function, different assurance" and "different function, same assurance"]

SLIDE 4

What CC protection profiles do: Constrain the space

• CC Protection Profile concept
  – Remedies some problems possible with ITSEC evaluations
    • Vendor could make claims for any point in the space of functionality × assurance and have those claims evaluated
    • Users were left comparing apples and oranges
  – PPs constrain the space of compliant products
  – PPs are written and evaluated by experts to present a "balanced" set of requirements to developers

SLIDE 5

What CC protection profiles do: Unconstrained Function × Assurance space

[Figure: Functionality and Assurance axes; TOE1 and TOE2 sit at arbitrary points in the space]

SLIDE 6

What CC protection profiles do: Function × Assurance space constrained by protection profiles

[Figure: Functionality and Assurance axes; TOEPPa, TOEPPb and TOEPPc each sit in the region fixed by its protection profile]

SLIDE 7

CC-based product (TOE) development

[Figure: the CC yields a PP for a product Type; security targets ST1, ST2, ST3, ST4 claim conformance to that PP, and each ST is realized by a TOE of that Type (TOE1, TOE2, TOE3, TOE4)]

We expect multiple TOEs of each product type and have expectations of a relationship among instances of Type and with instances of other types


[Figure: PP / ST Authoring Process box with Inputs (the security problem), Outputs and Constraints; caption: critical determiners of properties of Outputs]
SLIDE 8

MILS is based on composition of cooperating products defined by related Protection Profiles

• MILS Integration Protection Profile (MIPP)
• Separation Kernel (SKPP)
• Partitioning Communication System (PCSPP)
• MILS Console System (MCSPP)
• MILS Network System (MNSPP)
• MILS File System (MFSPP)
• . . .

SLIDE 9

MILS PPs are expected to achieve:

[Figure: from the CC, the SKPP, PCSPP, MCSPP, MNSPP and MFSPP each yield STs (STSK, STPCS, STMCS, STMNS, STMFS) and evaluated products SK1..SK4, PCS1..PCS4, Console1..Console4, Network1..Network4, File System1..File System4. System A is assembled from SK4, PCS2, Console1, File System3, Network3; System B from SK1, PCS3, Console4, File System4, Network1. Both are marked with "!" = Successful integration]

SLIDE 10

MILS architecture is based on composition

• A dual challenge of high assurance and composition
• Components independently developed by different vendors
• Components are defined by Common Criteria-style protection profiles (PPs)
• The collection of PPs reflects an intended architecture
• The PPs must be in agreement with the architecture
• CCAE is a vehicle to achieve this agreement

SLIDE 11

Desirable composition support

• Successful composition requires
  – Policy composition (that enforced by each component's TSF)
  – Functional compositionality (foundational and operational)
  – Functional interoperability (interfaces, interactions, behaviors)
  – Results in additional constraints on PP/ST/TOE development
• Apply CC CAP packages and ACO evaluation methodology
• Constrain PP/ST development beyond current CC guidance
  – Constraints flowed down from the MIPP
  – Constraints from other community standards
  – Constraints on definitions of concepts and vocabulary for expressing the security problem and security environment
• Additional requirements in PPs
  – Ensure additional requirements are represented in new PPs
  – Apply uniformly across collection of composable products
• Provide a parallel framework for non-CC composition requirements

SLIDE 12

How many PPs have been written

[Figure: the inputs "CC v?.?", "Existing PP examples (not always good)" and "Domain expertise + security expertise (ideally)" feed the instruction "Produce a PP for X"; the resulting PPX (annotated "? ? ?") goes through review cycle(s) and then into the ST process]

SLIDE 13

Challenges of PP authorship

• It takes a long time (2+ years) and a lot of effort ($$$)
• Very tedious and error prone work
• Requires "legal" precision of language unfamiliar to some
• Bad examples are propagated like a virus
• Difficult to track differences in CC versions
• Difficult to assess impact of global change to MILS PP family
• Difficult to generate and maintain mappings in a PP
• Difficult to check consistency and completeness
• Difficult for PP to feed into further development
• Authors may have limited expertise in CC or security
• PP and ST authors have little guidance or ability to enforce / achieve shared standards
• Little support to structure the author's PP development effort
• Nothing to assure that the MILS PPs will "hang together"

SLIDE 14

The CC Authoring Environment for MILS will provide (1/2)

• Common Criteria in a structured, "machinable" form
  – Capturing the semantic content
  – A "Plugged-in CC", instead of "CC Unplugged"
• Library of documentation generation objects
  – Foundation document object classes
  – Formatting and typography rules
• Catalog of (re)usable community standards:
  – Definitions of basic CC and MILS terms
  – MILS evaluator guidance and robustness level guidance
  – Threats and countermeasures
  – Bibliography of MILS-related references

SLIDE 15

The CC Authoring Environment for MILS will provide (2/2)

• Mechanical checks
  – Consistency
  – Constraints needed for composability and compositionality
  – Requirements traceability
  – Analysis and statistics
• Guidance based on an expert knowledge base that can evolve and be adapted
  – Security ontology
  – Workflow rules
  – Expert usage / instantiation patterns
  – Decision support
  – MILS Integration PP relationships and constraints
  – CC documentation conventions
  – Guidance for desired robustness level
  – Evaluator guidance
• Output that can be (re)consumed by CCAE and/or other tools

SLIDE 16

The CC Authoring Environment for MILS: Benefits (1/2)

• Achieve uniformity and sufficiency of PPs and STs
• Relieve much of the tedium, to better apply the author's effort
• Reduce/eliminate many types of errors and inconsistencies
• Reduce the document maintenance problem
• Shorten PP and ST development time and raise quality
• Can be used by authors and reviewers of PPs and STs to explore/query the information represented in the document
• Explore / create "what if" variants
• More easily adapt to later versions of the Common Criteria
• More easily incorporate evolving community standards
• More easily revisit existing PPs and STs when security environment or external requirements change

SLIDE 17

The CC Authoring Environment for MILS: Benefits (2/2)

• MILS PPs harmonized to achieve "additivity" property for foundational PPs
• Expert knowledge base can grow, adapt, come from new sources, and be refined and effectively be passed on to others
• Automated repeatable checking encourages continuous QA
• Produce a database representing the current stage of product definition that can be input to the next stage (e.g., PP --> ST --> …)
• Produce output that can be consumed by other tools during product development
• Provide a vehicle for applying / propagating the MILS Integration PP constraints to all MILS component PPs and guaranteeing coherence
• Help ensure that the PP or ST remains a living part of the definition and development of a product

SLIDE 18

The CC Authoring Environment for MILS: What it is Not

• Not a pushbutton protection profile
  – Not a "Protection Profiles for Dummies"
  – Not a substitute for a knowledgeable author
  – It IS a power tool for subject matter experts
• Not a simple "template" for a protection profile
  – It IS more like a class library, with inheritance, that must be instantiated and specialized for a particular PP

SLIDE 19

Users of the CCAE

[Figure: Author, Reviewers, Evaluators and Certifiers each work through their own CCAE instance on the PP and the ST]

SLIDE 20

Future Vision for the CCAE

• MILS Collaborative Portal - web services-based
  – Centralized support for authors, reviewers, evaluators, and developers
  – Online repository
• MILS Coordination Services Framework
• MILS Component Interoperability - avoid "semantic dissonance"
  – Support for evaluation documentation development
• MILS Component Interoperability
  – Synergistic with another SRI project (ONISTT) that has developed a workable approach to improvisational interoperability of complex DoD systems
  – ONISTT concepts / implementation techniques similar to CCAE: expert knowledge, ontologies, reasoning engine, Prolog/OWL/XML
• Evaluation Documentation (ADV) Support
  – A natural and direct extension of CCAE support for PP/ST development

SLIDE 21

Collaboration

• Collaboration without meetings
• Partial automation of informal social process*
• Keep central repository of expert knowledge
• No distribution or update headaches
• Seamless way to provide feedback in a semantically rich way
• Medium for formal "buyer-seller" contracts
• Community of authors, reviewers, developers, evaluators, integrators, certifiers

* Bunch Of People Sitting Around a Table

SLIDE 22

CCAE Collaborative Environment

[Figure: Author, Reviewers, Evaluators, Certifiers and Developer each connect through a CCAE instance to the CCAE Collaboration Environment, which holds the PP, the ST and the ADV evaluation documentation]

SLIDE 23

CC Authoring Environment illustrated

[Figure: block diagram of the CCAE, with these parts]
– Rule Base: CC component operation rules, semantic rules, relational model, workflow rules
– Doc Creation Library: conventions, document component classes, document generators for PP, ST, FSP
– Env Library: components, CC SFRs/SARs, interpretations, CIM, security ontology, resource registry, MILS integration framework
– PP/ST Author inputs: parent PP, MILS TOE concept, or TOE flow-down requirements
– UI Agent working on the Current Document Factbase: document assembly, catalog selection, checking, rewriting, inference, rule execution, queries, XML generation
– Document Creation/Revision, then Rendering & Conversion of Documents & Reports (PP, ST, stats) from XML to PDF, DOCX, XLSX, …
– Outputs: Document Publishing, Project Team Exchange, or Export
– CCAE Document Repository

SLIDE 24

Negotiation model of interaction

• Objective: Achieve a PP that is acceptable to both CCAE and the author
  – There is considerable latitude in this outcome -- we do not want to force too specific an embodiment or restrict the author's creativity
• 2-party negotiation
  – The author and CCAE share the Objective
  – Both the author and CCAE acknowledge they don't have perfect knowledge of an "evaluatable" PP -- that will be externally decided in evaluation
  – Author brings initiative, understanding, creativity, and common sense
  – CCAE brings process framework and an array of techniques serving as a proxy for a true oracle
  – The CCAE works with the author from the start
  – The parties rest when both are satisfied with the PP to the extent of their ability -- then it goes to review or evaluation
• Staged development
  – CCAE can work in stages with an incomplete PP
  – Each stage concentrates on a particular aspect of the PP development
  – Allows interim review versions
  – Can apply gradually increasing threshold of acceptability as PP completed

SLIDE 25

Libraries - e.g. environment library

• "Plugged-In" Common Criteria, by versions
  – Lifetime of last official version, 13 months (proves the point!)
  – CC versions 2.3 and 3.1 available in XML
    • CC parses into Prolog terms with existing SGML / XML parser
    • Build relations within the CC, e.g., dependencies, EALs, custom EALs
    • Index back to text in XML for display and export
    • Relations to MILS ontology and expert knowledge
  – Support for older versions would require some labor
• MILS technology and security ontology
  – Create with Protégé/OWL
  – OWL (Ontology Web Language) library for Prolog
  – Create a consistent and semantically rich representation of security threats, policies, assumptions, objectives, functional countermeasures, and assurance measures
  – MILS conventions and standards
  – Flow-down constraints from MILS Integration PP
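The "plugged-in CC" step above parses the CC XML into Prolog terms and derives relations such as dependencies from them. The following is an added example of that step written in Python for this page (it is not the CCAE's code, which is Prolog): a constructed CC-style catalog fragment is parsed into component/element/depends relation tuples, the dependency relation is closed transitively, and element ids index back to the requirement text for display or export. The XML element names and attributes are an assumed schema, and the requirement wording is paraphrased; the component ids and the two dependency edges follow CC Part 2.

```python
"""Added example: CC catalog XML parsed into relation tuples, the Python
analogue of the slide's "CC parses into Prolog terms" step."""
import xml.etree.ElementTree as ET

# Constructed catalog fragment. The element names and attributes are an
# assumed schema for this example, not the real CC XML; requirement wording
# is paraphrased. Component ids and the dependency edges follow CC Part 2.
CATALOG_XML = """<cc version="3.1">
  <component id="FAU_GEN.1" class="FAU" name="Audit data generation">
    <element id="FAU_GEN.1.1">The TSF shall be able to generate an audit record of the auditable events.</element>
    <element id="FAU_GEN.1.2">The TSF shall record the date and time of each auditable event.</element>
    <depends on="FPT_STM.1"/>
  </component>
  <component id="FAU_SAR.1" class="FAU" name="Audit review">
    <element id="FAU_SAR.1.1">The TSF shall provide authorised users with the capability to read audit information.</element>
    <depends on="FAU_GEN.1"/>
  </component>
  <component id="FPT_STM.1" class="FPT" name="Reliable time stamps">
    <element id="FPT_STM.1.1">The TSF shall be able to provide reliable time stamps.</element>
  </component>
</cc>"""


def parse_catalog(xml_text):
    """Turn the catalog into three relations, the analogue of Prolog facts:
    component(Id, Class, Name), element(Id, Component, Text), depends(From, To)."""
    root = ET.fromstring(xml_text)
    rel = {"version": root.get("version"), "component": set(), "element": {}, "depends": set()}
    for comp in root.iter("component"):
        cid = comp.get("id")
        rel["component"].add((cid, comp.get("class"), comp.get("name")))
        for el in comp.findall("element"):
            rel["element"][el.get("id")] = (cid, el.text.strip())
        for dep in comp.findall("depends"):
            rel["depends"].add((cid, dep.get("on")))
    return rel


def dependency_closure(rel, cid):
    """Transitive closure of depends/2 from cid: everything a PP that selects
    cid must also select (or satisfy by a hierarchically higher component)."""
    seen, todo = set(), [cid]
    while todo:
        current = todo.pop()
        for src, dst in rel["depends"]:
            if src == current and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen


def dangling_dependencies(rel):
    """Consistency check on the catalog itself: dependency targets that no
    component in this (partial) catalog defines."""
    defined = {cid for cid, _, _ in rel["component"]}
    return {dst for _, dst in rel["depends"] if dst not in defined}


def elements_of(rel, cid):
    """Index back to text: the requirement elements of a component, in id order."""
    return [(eid, text) for eid, (owner, text) in sorted(rel["element"].items()) if owner == cid]


def element_text(rel, eid):
    """Index back to the catalog text of one element for display or export."""
    return rel["element"][eid][1]


if __name__ == "__main__":
    cc = parse_catalog(CATALOG_XML)
    for eid, text in elements_of(cc, "FAU_GEN.1"):
        print(eid, text)
    print("FAU_SAR.1 pulls in:", sorted(dependency_closure(cc, "FAU_SAR.1")))
```

Keeping the relations as plain tuples rather than objects is deliberate: it is the same shape as Prolog facts, so the closure and the dangling-target check read as queries over the catalog, and a second CC version parsed the same way can be diffed relation by relation.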

SLIDE 26

Expert Knowledge

• PP authors may not be security experts and/or may not have written a PP before
• We would like to effectively bring to the author the knowledge of experts:
  – Security engineering
  – Evaluation requirements and methodology
  – Academia and security research
  – Common Criteria model, methodology, and documentation
  – MILS architecture
• Evolving and improving on an on-going basis
• Distributed and applied by authors as quickly as possible

SLIDE 27

Simplified relational model of a PP

[Figure: a PP relates Threats, Policies, Assumptions, Security Objectives, Environment Security Objectives, Functional Requirements, Assurance Requirements and Environment Requirements. Functional requirement classes: FAU, FCO, FCS, FDP, FIA, FMT, FPR, FPT, FRU, FTA, FTP. Assurance classes: APE, ASE, ADV, AGD, ALC, ATE, AVA, ACO]

Let
  Τ    universe of threats
  Π    universe of organizational policies
  Α    universe of assumptions
  Ω    universe of security objectives
  SFR  universe of CC security functional requirements
  SAR  universe of CC security assurance requirements

PP space $= ( 2^{\mathrm{T}} \times 2^{\Pi} \times 2^{\mathrm{A}} \times \Omega \times 2^{\mathit{SFR}} \times 2^{\mathit{SAR}} )$

SLIDE 28

Simplified Relational Model of a PP

• The Ω-anchored space PP of tuples
  $\mathit{PP} = ( 2^{\mathrm{T}} \times 2^{\Pi} \times 2^{\mathrm{A}} \times \Omega \times 2^{\mathit{SFR}} \times 2^{\mathit{SAR}} )$
  represents all possible PP relations
• The relation E: $E \subset ( 2^{\mathrm{T}} \times 2^{\Pi} \times 2^{\mathrm{A}} \times \Omega \times 2^{\mathit{SFR}} \times 2^{\mathit{SAR}} )$ is an oracle accepting "evaluable" PPs
• The relation $M \subset E$ is an oracle accepting evaluable MILS PPs
• E and M are unknowable a priori

SLIDE 29

M_CCAE: CCAE Approximation of M

[Figure: E, M, M_C and M_CCAE drawn as regions inside the PP space $( 2^{\mathrm{T}} \times 2^{\Pi} \times 2^{\mathrm{A}} \times \Omega \times 2^{\mathit{SFR}} \times 2^{\mathit{SAR}} )$]

• $E \subset \mathit{PP}$: evaluable PPs
• $M \subset E$: MILS evaluable PPs
• $M_C$: a candidate member of M
• $M_{\mathit{CCAE}}$: the CCAE's approximation of M

CCAE drives M_C toward M by measuring consistency and coverage with respect to M_CCAE

SLIDE 30

Expert Guidance and Advice (1/3)

• The concept: bring a dynamic body of expert knowledge to bear from the start of every authoring activity
• Knowledge acquisition
  – Explicit rule encoding
  – Generalization from expert interaction on specific authoring projects
  – Harmonization of knowledge from different experts
• Knowledge application
  – Expert patterns constructed from expert knowledge base
  – Author patterns are constructed from the draft PP
  – Author patterns are "compared"* to expert patterns
  – Advice is generated for the author's consideration
• Negotiation model of interaction
  – author and system negotiate an acceptable PP

* fuzzy unification

SLIDE 31

Expert Guidance and Advice (2/3)

A simple example . . .

[Figure: the Expert Knowledge Rule Base (security analyst rule, certification rule, countermeasures rule, robustness (EAL) rule) applied over the dimensions Threats, Policies, Objectives, Assumptions, SFRs, SARs yields the expert pattern m: threats t1, t2; policy p1; objective o1; countermeasures f, g; assurance measures a1, a2, a3, a4]

SLIDE 32

Expert Guidance and Advice (3/3)

A simple example . . .

[Figure: over the dimensions Threats, Policies, Objectives, Assumptions, SFRs, SARs]
– Expert pattern m: t1, t2, p1, o1, f, g, a1, a2, a3, a4
– Draft PP pattern m': t1, p1, o1, g, a2, a3
– Inference + fuzzy unification: $m' \approx_F m$

Advice:
– Threat t2 may be an unidentified threat
– Objective o1 is customarily realized by countermeasure f in addition to g
– Assurance measures a1 and a4 may be needed due to the EAL sought and a certification requirement associated with countermeasure f
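Slides 30 to 32 describe the knowledge-application loop (expert pattern built from the rule base, author pattern built from the draft PP, the two compared, advice generated), and slide 29 describes the CCAE measuring a candidate's consistency and coverage. The following is an added example, not the CCAE's Prolog implementation, that runs that loop in Python over the slide's own example: the draft pattern m' (t1, p1, o1, g, a2, a3) is extended by four constructed rules into the expert pattern m, the difference becomes the three advice items of slide 32, and a set-overlap score stands in for the fuzzy unification $m' \approx_F m$. The rule contents, the sought EAL (EAL4) and the coverage/consistency formulas are assumptions made for this example.

```python
"""Added example: expert pattern vs draft PP pattern, advice generation, and
a coverage/consistency score. Rule base and scoring are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pattern:
    """A PP pattern over the six dimensions of the slide's relational model."""
    threats: frozenset
    policies: frozenset
    objectives: frozenset
    sfrs: frozenset          # countermeasures chosen for the objectives
    sars: frozenset          # assurance measures
    assumptions: frozenset = frozenset()

    def items(self):
        return (self.threats | self.policies | self.objectives
                | self.sfrs | self.sars | self.assumptions)


# Constructed expert knowledge rule base; item names follow slides 31 and 32.
ANALYST_RULES = {frozenset({"t1", "p1"}): frozenset({"t2"})}   # security analyst rule
COUNTERMEASURE_RULES = {"o1": frozenset({"f", "g"})}            # countermeasures rule
CERTIFICATION_RULES = {"f": frozenset({"a1"})}                  # certification rule
ROBUSTNESS_RULES = {"EAL4": frozenset({"a4"})}                  # robustness (EAL) rule

# The draft PP pattern m' of slide 32.
DRAFT = Pattern(threats=frozenset({"t1"}), policies=frozenset({"p1"}),
                objectives=frozenset({"o1"}), sfrs=frozenset({"g"}),
                sars=frozenset({"a2", "a3"}))


def expert_pattern(draft, eal):
    """Construct the expert pattern m by running the rule base over the draft."""
    env = draft.threats | draft.policies
    threats = set(draft.threats)
    for condition, implied in ANALYST_RULES.items():
        if condition <= env:
            threats |= implied
    sfrs = set(draft.sfrs)
    for objective in draft.objectives:
        sfrs |= COUNTERMEASURE_RULES.get(objective, frozenset())
    sars = set(draft.sars)
    for countermeasure in sfrs:
        sars |= CERTIFICATION_RULES.get(countermeasure, frozenset())
    sars |= ROBUSTNESS_RULES.get(eal, frozenset())   # eal is an assumed input
    return Pattern(frozenset(threats), draft.policies, draft.objectives,
                   frozenset(sfrs), frozenset(sars), draft.assumptions)


def advise(draft, expert):
    """Structured advice: what the expert pattern has that the draft lacks."""
    advice = [("unidentified_threat", t) for t in sorted(expert.threats - draft.threats)]
    for objective in sorted(draft.objectives):
        for cm in sorted(COUNTERMEASURE_RULES.get(objective, frozenset()) - draft.sfrs):
            advice.append(("missing_countermeasure", objective, cm))
    missing_sars = expert.sars - draft.sars
    if missing_sars:
        advice.append(("missing_assurance", tuple(sorted(missing_sars))))
    return advice


def render(advice):
    """The advice as sentences in the style of slide 32."""
    out = []
    for item in advice:
        if item[0] == "unidentified_threat":
            out.append(f"Threat {item[1]} may be an unidentified threat")
        elif item[0] == "missing_countermeasure":
            out.append(f"Objective {item[1]} is customarily realized by countermeasure {item[2]}")
        else:
            out.append("Assurance measures " + " and ".join(item[1]) + " may be needed")
    return out


def scores(draft, expert):
    """Set-overlap stand-in for the fuzzy match: coverage is the share of the
    expert pattern the draft already has, consistency the share of the draft
    that the expert pattern explains."""
    shared = draft.items() & expert.items()
    return len(shared) / len(expert.items()), len(shared) / len(draft.items())


if __name__ == "__main__":
    m = expert_pattern(DRAFT, "EAL4")
    for line in render(advise(DRAFT, m)):
        print(line)
    print("coverage, consistency:", scores(DRAFT, m))
```

For the slide's draft the coverage is 0.6 and the consistency 1.0: everything the author wrote is explained by the rule base, but four of the ten items the experts expect are absent. Advice is returned as tuples before it is rendered so a reviewer's tooling can act on it (for example, block a review cycle while an unidentified-threat item is open) rather than re-parsing prose.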

SLIDE 33

Summary and Recommendations

• MIPP establishes architectural relationships and constraints on components; CCAE provides a vehicle to support composition by managing constraints among component PPs
• CCAE can facilitate CC-based PP/ST process and also provide framework for extra-CC coordination
• Future versions of CC could consider some of the issues that have motivated our work
  – Product lines, product families, "polymorphic PPs"
  – Changes to systems, integration for systems-of-systems
  – Explicit assurance cases to focus efforts
  – Elevated component element levels, for higher EALs
  – Elevated PP/ST scope/depth/rigor at higher EALs

SLIDE 34

Thank you

The End

SLIDE 35

CCAE-supported author, reviewer, evaluator tasks

Task: CCAE support
– Choose security environment (threats, policies, assumptions): Ontology provides a common framework
– Derive security objectives: Ontology and expert knowledge guidance
– Select SFR/SARs from CC catalog: Check correspondence to security objectives
– Complete SFR/SAR component operations: Tracked in work flow
– Define new component operations for ST: Tracked in work flow
– Supply mappings and rationale: Tracked in work flow and relational model

SLIDE 36

CCAE-supported author, reviewer, evaluator tasks

Task: CCAE support
– Assure dependencies and consistency: Apply known dependencies in CC and knowledge base
– Assure accuracy of CC text and versions: "Automated" version of CC built into CCAE
– Assure proper use of CC conventions: Conventions applied to form, semantics, typography
– Assess conformance to abstract PP model: Quantitative measurement against model and scoring
– Select EAL and guarantee it is met: Ensure minimums for EAL met despite explicit rqmts
– Fashion explicit SFR/SARs: Help avoid gratuitous departure from CC
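Two of the checks in this table, applying known CC dependencies and ensuring the EAL minimums are met even when the author writes explicit requirements, can be shown concretely. The following is an added example for this page, not the CCAE's Prolog rule base: it holds a small, deliberately partial excerpt of the CC dependency, hierarchy and EAL-package relations (in the CCAE these would come from the parsed CC catalog) and reports, for a draft's SFR selection, every dependency group that nothing in the selection meets, and, for a draft's SAR selection, every EAL-package minimum that neither the component nor a hierarchically higher one covers. The component ids are real CC ids, but the tables are constructed excerpts and far from complete; "or" dependencies and hierarchical satisfaction (the two cases a naive string comparison gets wrong) are handled.

```python
"""Added example: dependency and EAL-minimum checks over a draft PP's
requirement selection. The relation tables are constructed, partial excerpts."""

# depends(Component) -> list of alternative groups; every group must be met by
# at least one of its members. FMT_MSA.1 needs (FDP_ACC.1 or FDP_IFC.1) and
# FMT_SMR.1 and FMT_SMF.1. Components absent here are treated as having no
# dependencies, which is only true because this is an excerpt.
DEPENDS = {
    "FAU_GEN.1": [frozenset({"FPT_STM.1"})],
    "FAU_SAR.1": [frozenset({"FAU_GEN.1"})],
    "FDP_ACC.1": [frozenset({"FDP_ACF.1"})],
    "FMT_MSA.1": [frozenset({"FDP_ACC.1", "FDP_IFC.1"}),
                  frozenset({"FMT_SMR.1"}), frozenset({"FMT_SMF.1"})],
}

# hierarchical_to(Higher) -> Lower: a higher component satisfies any need for
# the lower one and inherits its dependencies.
HIERARCHY = {"FDP_ACC.2": "FDP_ACC.1", "ADV_FSP.3": "ADV_FSP.2", "ADV_FSP.4": "ADV_FSP.3"}

# Constructed, deliberately partial excerpt of the EAL2 assurance package.
EAL_MINIMUMS = {"EAL2": frozenset({"ADV_FSP.2", "AGD_OPE.1", "ATE_IND.2", "AVA_VAN.2"})}


def ancestors(component):
    """The component followed by everything it is hierarchical to."""
    chain = [component]
    while chain[-1] in HIERARCHY:
        chain.append(HIERARCHY[chain[-1]])
    return chain


def satisfied_by(need, selected):
    """need is met if it, or a component hierarchical to it, is selected."""
    return any(need in ancestors(s) for s in selected)


def unmet_dependencies(selected):
    """(component, alternatives) for every dependency group that nothing in
    the selection meets; inherited dependencies are checked too."""
    problems = []
    for comp in sorted(selected):
        for anc in ancestors(comp):
            for alternatives in DEPENDS.get(anc, []):
                if not any(satisfied_by(a, selected) for a in alternatives):
                    problem = (comp, tuple(sorted(alternatives)))
                    if problem not in problems:
                        problems.append(problem)
    return problems


def eal_shortfall(selected_sars, eal):
    """EAL-package minimums that the explicit SAR selection does not meet;
    an augmented package (a higher component in the same family) passes."""
    return {m for m in EAL_MINIMUMS[eal] if not satisfied_by(m, selected_sars)}


if __name__ == "__main__":
    print(unmet_dependencies({"FAU_GEN.1", "FAU_SAR.1"}))
    print(eal_shortfall({"ADV_FSP.3", "AGD_OPE.1", "ATE_IND.2"}, "EAL2"))
```

With the excerpt above, selecting FAU_GEN.1 and FAU_SAR.1 without FPT_STM.1 is reported as one unmet group, a draft that writes ADV_FSP.3 explicitly still satisfies the ADV_FSP.2 minimum through the hierarchy, and the missing AVA_VAN.2 is the only EAL2 shortfall. Encoding the hierarchy as an explicit relation rather than comparing the numeric suffix matters: not every higher-numbered CC component is hierarchical to the lower one, so the relation has to be read from the catalog.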
