Common Criteria Course Module
CC v3.0
The New Conceptual
Framework
TNO-ITSEF BV IT Security Evaluation Facility
Dirk-Jan Out
+ 31 70 374 0000
[email protected]
www.commoncriteria.nl
© TNO 2005
This work (and the following) has been
financed by:
•
•
•
•
BSI
CSE
NLNCSA
NSA
Germany
Canada
Netherlands
United States
IT Security Evaluation Facility
Product of a long discussion
The CCIMB found out the we used the same words to mean different things
And of course we also used different words for the same thing.
Apparently something was wrong with the words…
IT Security Evaluation Facility
If you want to clean a set of stairs
you must start at the top
bottom
IT Security Evaluation Facility
Too many words
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Security functions
TOE Security Functions
Security functional requirements
Security functional components
Security functional policies
Security attributes
Organisational security policy
Security environment
Security objectives
IT security requirements
Security requirements for the
(non)-IT environment
TOE Security Policy
Security Policy Model
TSF Scope of Control
TSF Interface
IT Security Evaluation Facility
Too many undefined words…
A threat is:
An attacker gains access to confidential data?
(it threatens something the consumer holds dear)
IT Security Evaluation Facility
Too many undefined words…
A threat is:
An attacker gains access to confidential data?
(it threatens something the consumer holds dear)
Or
An attacker causes a buffer overflow
(it threatens the TOE)
IT Security Evaluation Facility
A vulnerability is something that
breaks the TSP, but
IT Security Evaluation Facility
In short: it was too complex
IT Security Evaluation Facility
Start from scratch
Start from a few simple concepts
Add one concept
at a time
Until you can model everything
IT Security Evaluation Facility
Too many undefined terms…
A threat is:
An attacker gains access to confidential data
(it threatens something the consumer holds dear)
Or
An attacker causes a buffer overflow
(it threatens the TOE)
IT Security Evaluation Facility
Attackers may damage assets
threaten
Attackers
Assets
IT Security Evaluation Facility
Attackers give rise to threats
Threats increase risks to assets
Attackers
give rise
to
Threats
IT Security Evaluation Facility
that
increase
Risk
to
Assets
Assets
Owners value assets
Owners wish to minimize risks
value
Owners
wish to
minimize
Attackers
Threats
IT Security Evaluation Facility
Risk
Assets
Assets
Owners introduce countermeasures
Countermeasures reduce risks
Owners
introduce
Counter
measures
that
reduce
Attackers
Threats
IT Security Evaluation Facility
Risk
Assets
Assets
Owners want confidence in
countermeasures
want
Owners
in
Confidence
IT Security Evaluation Facility
Counter
measures
Countermeasures must be sufficient
want
Owners
that
Confidence
Counter
measures
are
Sufficient
and therefore
minimize
Risk
IT Security Evaluation Facility
Countermeasures must have no
vulnerabilities
want
Owners
that
Confidence
Counter
measures
Sufficient
have
no
Vulnerabilities
IT Security Evaluation Facility
Risk
and therefore
minimize
Countermeasures consists of the TOE
and other countermeasures
Subject of the
evaluation
TOE
Other Counter
measures
Not subject of the
evaluation
IT Security Evaluation Facility
Evaluators need precise descriptions
TOE
Confidence
Other Counter
measures
want precise
definitions of
Evaluators
IT Security Evaluation Facility
to produce
Verdicts
The precise decriptions:
The confidence in the TOE is precisely described by the
Security Assurance Requirements
The functionality of the TOE is precisely described by
the Security Functional Requirements
The Security Functional Requirements are collectively
referred to as “The TOE Security Policy”
IT Security Evaluation Facility
A big OS
About 500 tools, applications, editors, applets,
Data files, user areas etc.
Kernel
IT Security Evaluation Facility
TSF = TOE Security Functionality
A part of the TOE that:
- implements the TSP (all SFRs)
- cannot be influenced by the rest of the TOE
Having a small TSF saves the developer work
IT Security Evaluation Facility
Start from scratch
Start from a few simple concepts
Add one concept
at a time
Until you can model everything
IT Security Evaluation Facility
Then throw away the rest
Less concepts
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Security functions
TOE Security Functionality
Security functional requirements
Security functional components
Security functional policies
Security attributes
Organisational security policy
Security environment
Security objectives
IT security requirements
Security requirements for the
(non)-IT environment
TOE Security Policy
Security Policy Model
TSF Scope of Control
TSF Interface
IT Security Evaluation Facility
Conclusions
It will never be easy, but now it is easier
It will never happen that everybody understands
everything, but now at least a small group
understands it
Hopefully, we will all understand it someday
IT Security Evaluation Facility
IT Security Evaluation Facility