IBM z/VM Version 6 Release 4 Security Target
Version: 1.2
Status: Released
Last Update: 2017-11-29
Classification: Public
IBM Corporation

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
● Enterprise Systems Architecture/390
● ESA/390
● IBM
● IBM logo
● HiperSockets
● PR/SM
● Processor Resource/Systems Manager
● RACF
● S/390
● z System
● VM/ESA
● z/Architecture
● z/VM

Other company, product, and service names may be trademarks or service marks of others.

Legal Notice

This document contains information of a confidential nature.

Review and Approval Process: Refer to the inspection process in the z System Software Programming Process.

Required Reviewers
● Brian Hugenbruch

Document Distribution and Change Notification: The document is distributed to the reviewers of this line item. When reissued with changes, the document owner sends a note to the reviewers notifying them of the availability of a new document version.

Revision History

Revision | Date       | Author(s)           | Changes to Previous Revision
1.2      | 2017-11-29 | Brian W. Hugenbruch | Released public version

Version: 1.2   Classification: Public   Page 2 of 125   Last update: 2017-11-29
Copyright © 2017 by atsec information security and IBM

Table of Contents

1 Introduction ... 10
  1.1 Security Target Identification ... 10
  1.2 TOE Identification ... 10
  1.3 TOE Type ... 10
  1.4 TOE Overview ... 10
  1.5 TOE Description ... 11
    1.5.1 Structure and concept of z/VM ... 12
      1.5.1.1 Differences from other operating systems ... 12
      1.5.1.2 z/VM's Kernel and non-kernel software ... 13
      1.5.1.3 User's management of virtual machines using the Control Program ... 14
      1.5.1.4 Communication between virtual machines and with the Control Program ... 15
      1.5.1.5 Single System Image (SSI) Cluster ... 77
    1.5.2 Intended Method of Use ... 18
      1.5.2.1 Conversational Monitor System (CMS) ... 19
    1.5.3 Summary of Security Features ... 20
      1.5.3.1 Identification and Authentication ... 20
      1.5.3.2 Discretionary Access Control ... 21
      1.5.3.3 Mandatory Access Control and Support for Security Labels ... 21
      1.5.3.4 Separation of virtual machines ... 21
      1.5.3.5 Audit ... 21
      1.5.3.6 Object reuse functionality ... 21
      1.5.3.7 Security Management ... 22
      1.5.3.8 TSF Protection ... 22
      1.5.3.9 SSI clustering ... 22
    1.5.4 Configurations ... 22
      1.5.4.1 Software Components ... 22
      1.5.4.2 Software Privileges ... 23
      1.5.4.3 Software Configuration ... 23
      1.5.4.4 Hardware configurations ... 23
2 CC Conformance Claim ... 25
3 Security Problem Definition ... 26
  3.1 Threat Environment ... 26
    3.1.1 Assets ... 26
    3.1.2 Threat agents ... 26
    3.1.3 Threats countered by the TOE ... 27
  3.2 Assumptions ... 28
    3.2.1 Environment of use of the TOE ... 28
      3.2.1.1 Physical ... 28
      3.2.1.2 Personnel ... 28
      3.2.1.3 Procedural ... 29
      3.2.1.4 Connectivity ... 29
  3.3 Organizational Security Policies ... 29
4 Security Objectives ... 31
  4.1 Objectives for the TOE ... 31
  4.2 Objectives for the Operational Environment ... 33
  4.3 Security Objectives Rationale ... 34
    4.3.1 Security Objectives Coverage ... 34
    4.3.2 Security Objectives Sufficiency ... 36
5 Extended Components Definition ... 42
  5.1 Class FCS: Cryptographic support ... 42
    5.1.1 Random number generator (RNG) ... 42
      5.1.1.1 FCS_RNG.1 - Random number generation ... 42
6 Security Requirements ... 44
  6.1 Security Requirements for the Operational Environment ... 44
    6.1.1 General security requirements for the abstract machine ... 44
      6.1.1.1 Subset access control (FDP_ACC.1(E)) ... 44
      6.1.1.2 Security-attribute-based access control (FDP_ACF.1(E)) ... 44
      6.1.1.3 Static attribute initialization (FMT_MSA.3(E)) ... 45
  6.2 TOE Security Functional Requirements ... 45
    6.2.1 z/VM general purpose computing ... 50
      6.2.1.1 Audit data generation (FAU_GEN.1) ... 50
      6.2.1.2 User identity association (FAU_GEN.2) ... 51
      6.2.1.3 Audit review (FAU_SAR.1) ... 51
      6.2.1.4 Restricted audit review (FAU_SAR.2) ... 51
      6.2.1.5 Selectable audit review (FAU_SAR.3) ... 51
      6.2.1.6 Selective audit (FAU_SEL.1) ... 51
      6.2.1.7 Protected audit trail storage (FAU_STG.1) ... 52
      6.2.1.8 Action in case of possible audit data loss (FAU_STG.3) ... 52
      6.2.1.9 Prevention of audit data loss (FAU_STG.4) ... 52
      6.2.1.10 Cryptographic key generation (FCS_CKM.1(SYM))