Computer Security Security Evaluation - PowerPoint PPT Presentation

About This Presentation

Computer Security Security Evaluation


Security Target (ST): expresses security requirements for a specific TOE, e.g. by reference to a PP; basis for any evaluation. Evaluation Assurance Level ... – PowerPoint PPT presentation

Number of Views:536
Avg rating:3.0/5.0
Slides: 26
Provided by: mikebur
Learn more at:


Transcript and Presenter's Notes

Title: Computer Security Security Evaluation

Computer SecuritySecurity Evaluation
Security Evaluation
  • How do you get assurance that your computer
    systems are adequately secure?
  • You could trust your software providers.
  • You could check the software yourself, but you
    would have to be a real expert.
  • You could rely on an impartial security
    evaluation by an independent body.
  • Security evaluation schemes have evolved since
    the 1980s currently the Common Criteria are used

  • Examine the fundamental problems any security
    evaluation process has to address.
  • Propose a framework for comparing evaluation
  • Overview of the major evaluation criteria.
  • Assess the merits of evaluated products and

  • History
  • Framework for the comparison of criteria
  • Orange Book
  • Federal Criteria
  • Common Criteria
  • Quality Standards?
  • Summary

Security Evaluation History
  • TCSEC (Orange Book) criteria for the US defense
    sector, predefined evaluation classes linking
    functionality and assurance
  • ITSEC European criteria separating functionality
    and assurance so that very specific targets of
    evaluation can be specified and commercial needs
    can better addressed
  • TCSEC and ITSEC no longer in use replaced by the
  • Common Criteria (CC) http//www.commoncriter, http//

Framework for Security Evaluation
  • What is the target of the evaluation?
  • What is the purpose of an evaluation?
  • What is the method of the evaluation?
  • What is the organizational framework for the
    evaluation process?
  • What is the structure of the evaluation criteria?
  • What are the costs and benefits of evaluation?

Target Purpose
  • Target of evaluation
  • Product off-the-shelf software component to be
    used in a variety of applications has to meet
    generic security requirements
  • System collection of products assembled to meet
    the specific requirements of a given application
  • Purpose of evaluation
  • Evaluation assesses whether a product has the
    security properties claimed for it
  • Certification assesses suitability of a product
    (system) for a given application
  • Accreditation decide to use a certain system

  • Evaluations should not miss problems, different
    evaluations of the same product should give the
    same result.
  • Product oriented examine and test the product
    better at finding problems.
  • Process oriented check documentation product
    development process cheaper and better for
    repeatable results.
  • Repeatability and reproducibility often desired
    properties of an evaluation methodology.

Organizational Framework
  • Public service evaluation by government agency
    can be slow, may be difficult to retain qualified
  • Private service evaluation facilities usually
    accredited by a certification agency.
  • How to make sure that customer pressure does not
    influence evaluation results?
  • Contractual relationship between evaluation
    sponsor, product manufacturer, evaluation
  • Interpretation drift (criteria creep) meaning of
    criteria may change over time and differ between

  • Structure of evaluation criteria
  • Functionality security features
  • Effectiveness are mechanisms used appropriate
  • Assurance thoroughness of analysis
  • Orange Book evaluation classes for a given set
    of typical DoD requirements, consider all three
    aspects simultaneously.
  • ITSEC flexible evaluation framework that can
    deal with new security requirements the three
    aspects are addressed independently.

Costs and Benefits
  • Direct costs fees paid for evaluation.
  • Indirect costs employee time, training
    evaluators in the use of specific analysis tools,
    impact on development process.
  • When evaluating a product, the cost of evaluation
    may be spread over a large number of customers.
  • Benefits evaluation may be required, e.g. for
    government contracts marketing argument better

Orange Book
  • Developed for the national security sector, but
    intended to be more generally applicable
  • a yardstick for users to assess the degree of
    trust that can be placed in a computer security
  • guidance for manufacturers of computer security
  • a basis for specifying security requirements when
    acquiring a computer security system.
  • Security evaluation of the Trusted Computing Base
    (TCB), assumes that there is a reference monitor.
  • Developed for systems enforcing multi-level
  • High assurance linked to formal methods, simple
    TCBs, and structured design methodologies
    complex systems tend to fall into the lower
    evaluation classes.

Evaluation Classes
  • Designed to address typical security
    requirements combine security feature and
    assurance requirements
  • Security Policy mandatory and discretionary
    access control
  • Marking of objects labels specify the
    sensitivity of objects
  • Identification of subjects authentication of
    individual subjects
  • Accountability audit logs of security relevant
  • Assurance operational assurance refers to
    security architecture, life cycle assurance
    refers to design methodology, testing, and
    configuration management
  • Documentation users require guidance on
    installation and use evaluators need test and
    design documentation
  • Continuous Protection security mechanisms cannot
    be tampered with.

Security Classes
  • Four security divisions
  • D Minimal Protection
  • C Discretionary Protection (need to know)
  • B Mandatory Protection (based on labels)
  • A Verified Protection
  • Security classes defined incrementally all
    requirements of one class automatically included
    in the requirements of all higher classes.
  • Class D for products submitted for evaluation
    that did not meet the requirements of any Orange
    Book class.
  • Products in higher classes provide more security
    mechanisms and higher assurance through more
    rigorous analysis.

C1 Discretionary Security Protection
  • Intended for environments where cooperating users
    process data at the same level of integrity.
  • Discretionary access control based on individual
    users and/or groups.
  • Users have to be authenticated.
  • Operational assurance TCB has its own execution
    domain features for periodically validating the
    correct operation of the TCB.
  • Life-cycle assurance testing for obvious flaws.
  • Documentation Users Guide, Trusted Facility
    Manual (for system administrator), test and
    design documentation.

C2 Controlled Access Protection
  • Users individually accountable for their actions.
  • DAC is enforced at the granularity of single
  • Propagation of access rights has to be controlled
    and object reuse has to be addressed.
  • Audit trails of the security-relevant events have
    to be kept.
  • Testing and documentation covers the newly added
    security features testing for obvious flaws
  • C2 was regarded to be the most reasonable class
    for commercial applications.
  • Most major vendors offer C2-evaluated versions of
    their operating systems or database management

B1 Labelled Security Protection
  • Division B for products that handle classified
    data and enforce mandatory Bell-LaPadula policies
    (based on security labels).
  • Class B1 for system high environments with
  • Issue export of labelled objects to other
    systems or a printer e.g. human-readable output
    has to be labelled.
  • To achieve a higher level of assurance an
    informal or formal model of the security policy
    is needed.
  • Design documentation, source code, and object
    code have to be analysed all flaws uncovered in
    testing must be removed.
  • No strong demands on the structure of the
    TCB---hence multilevel secure Unix systems or
    data managemnnet systems have received B1 rating
  • B1 rating for System V/MLS (from AT T),
    operating systems from Hewlett Packard, DEC, and
    Unisys database management systems Trusted
    Oracle 7, INFORMIX-Online/Secure, Secure SQL

B2 Structured Protection
  • Class B2 increases assurance by adding design
  • MAC governs access to physical devices.
  • Users notified about changes to their security
  • Trusted Path for login and initial
  • Formal model of the security policy and a
    Descriptive Top Level Specification (DTLS) are
  • Modularization as an important architectural
    design feature.
  • TCB provides distinct address spaces to isolate
  • Covert channel analysis required events
    potentially creating a covert channel have to be
  • Security testing establishes that the TCB is
    relatively resistant to penetration.
  • B2 rating for Trusted XENIX (MS) operating system
    (which incorporates the Bell-LaPadula model for
    multilevel security).

B3 Security Domain
  • B3 systems are highly resistant to penetration.
  • New requirements on security management support
    for a security administrator auditing mechanisms
    monitor the occurrence or accumulation of
    security relevant events and issue automatic
  • Trusted recovery after a system failure.
  • More system engineering efforts for to minimize
    the complexity of the TCB.
  • A convincing argument for the consistency between
    the formal model of the security policy and the
    informal Descriptive Top Level Specification.
  • B3 rating for versions of Wangs XTS-300 (and
    XTS-200) operating system.

A1 Verified Design
  • Functionally equivalent to B3 achieves the
    highest assurance level through the use of formal
  • Evaluation for class A1 requires
  • a formal model of the security policy
  • a Formal Top Level Specification (FTLS),
  • consistency proofs between model and FTLS
    (formal, where possible)
  • TCB implementation (in)formally shown to be
    consistent with the FTLS formal covert channels
    analysis continued existence of covert channels
    to be justified, bandwidth may have to be
  • More stringent configuration management and
    distribution control.
  • A1 rating for network components MLS LAN (from
    Boeing) and Gemini Trusted Network Processor
    Secure Communications Protocol (SCOMP) operating
    system (predecessor of XTS-300).

Rainbow Series
  • The Orange Book is part of a collection of
    documents on security requirements, security
    management, and security evaluation published by
    NSA and NCSC (US National Security Agency and
    National Computer Security Center).
  • The documents in this series are known by the
    colour of their cover as the rainbow series.
  • Concepts introduced in the Orange Book adapted to
    the specific aspects of computer networks
    (Trusted Network Interpretation, Red Book) of,
    database management systems (Trusted Database
    Management System Interpretation, Lavender/Purple
    Book) etc.

  • Information Technology Security Evaluation
    Criteria (ITSEC) harmonization of Dutch,
    English, French, and German national security
    evaluation criteria endorsed by the Council of
    the European Union in 1995.
  • Builds on lessons learned from using the Orange
    Book intended as a framework for security
    evaluation that can deal with new security
  • Breaks the link between functionality and
  • Apply to security products and to security
  • The sponsor of the evaluation determines the
    operational requirements and threats.

  • The security objectives for the Target of
    Evaluation (TOE) further depend on laws and
    regulations they establish the required security
    functionality and evaluation level.
  • The security target specifies all aspects of the
    TOE that are relevant for evaluation security
    functionality of the TOE, envisaged threats,
    objectives, and details of security mechanisms to
    be used.
  • The security functions of a TOE may be specified
    individually or by reference to a predefined
    functionality class.
  • Seven evaluation levels E0 to E6 express the
    level of confidence in the correctness of the
    implementation of security functions.

US Federal Criteria
  • Evaluation of products, linkage between function
    and assurance in the definition of evaluation
  • Protection profiles to overcome the rigid
    structure of the Orange Book five sections of a
    protection profile
  • Descriptive Elements name of protection
    profile, description of the problem to be
  • Rationale justification of the protection
    profile, including threat, environment, and usage
    assumptions, some guidance on the security
    policies that can be supported.
  • Functional Requirements protection boundary that
    must be provided by the product.
  • Development Assurance Requirements.
  • Evaluation Assurance Requirements type and
    intensity of the evaluation.

Common Criteria
  • Criteria for the security evaluation of products
    or systems, called the Target of Evaluation
  • Protection Profile (PP) a (re-usable) set of
    security requirements, including an EAL should
    be developed by user communities to capture
    typical protection requirements.
  • Security Target (ST) expresses security
    requirements for a specific TOE, e.g. by
    reference to a PP basis for any evaluation.
  • Evaluation Assurance Level (EAL) define what has
    to be done in an evaluation there are seven
    hierarchically ordered EALs.
Write a Comment
User Comments (0)