U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness
Version 1.03
Information Assurance Directorate
29 June 2007

Foreword

1 This publication, "U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness", is issued by the Information Assurance Directorate as part of its program to promulgate security standards for information systems. This protection profile is based on the "Common Criteria for Information Technology Security Evaluations, Version 2.3." [1]

2 Comments on this document should be directed to: [email protected]. Each comment should identify the document title, the page, the section number and the paragraph number, and give the detailed comment together with recommendations.

Table of Contents

1. Introduction .... 10
   1.1 Identification .... 10
   1.2 Overview .... 10
   1.3 Mutual Recognition of Common Criteria Certificates .... 11
   1.4 Conventions .... 11
   1.5 Glossary of Terms .... 15
   1.6 Document Organization .... 23
2. Target of Evaluation (TOE) Description .... 25
   2.1 Product Type .... 25
   2.2 General TOE Functionality .... 27
   2.3 TOE Concepts .... 28
       2.3.1 Principle of Least Privilege .... 30
       2.3.2 Partitions and the Partitioned Information Flow Policy (PIFP) .... 30
       2.3.3 Partitions and Subject Address Spaces .... 37
       2.3.4 TOE Configuration Changes .... 38
   2.4 Modes, States, and Trusted Recovery .... 40
   2.5 Trusted Delivery .... 42
   2.6 Platform Considerations .... 43
       2.6.1 Platform Components .... 43
       2.6.2 Platform Interfaces .... 44
   2.7 Evaluation Considerations .... 45
       2.7.1 Security Management .... 45
       2.7.2 TOE Component Development Diversity .... 46
   2.8 Use of High Robustness .... 47
3. TOE Security Environment .... 48
   3.1 Threats .... 48
   3.2 Security Policy .... 49
   3.3 Security Usage Assumptions .... 50
4. Security Objectives .... 52
   4.1 TOE Security Objectives .... 52
   4.2 Environment Security Objectives .... 55
5. TOE Security Functional Requirements .... 57
   5.1 Security Audit (FAU) .... 57
       5.1.1 Security Audit Automatic Response (FAU_ARP) .... 57
       5.1.2 Security Audit Data Generation (FAU_GEN) .... 58
       5.1.3 Security Audit Review (FAU_SAR) .... 61
       5.1.4 Security Audit Event Selection (FAU_SEL) .... 62
   5.2 User Data Protection (FDP) .... 62
       5.2.1 Information Flow Control Policy (FDP_IFC) .... 62
       5.2.2 Information Flow Control Functions (FDP_IFF) .... 63
       5.2.3 Residual Information Protection (FDP_RIP) .... 64
   5.3 Identification and Authentication (FIA) .... 65
       5.3.1 User Attribute Definition (FIA_ATD) .... 65
       5.3.2 User-Subject Binding (FIA_USB) .... 66
   5.4 Security Management (FMT) .... 67
       5.4.1 Explicit: Management of Configuration Data (FMT_MCD_EXP) .... 68
       5.4.2 Management of Functions in TSF (FMT_MOF) .... 68
       5.4.3 Management of Security Attributes (FMT_MSA) .... 69
       5.4.4 Management of TSF Data (FMT_MTD) .... 70
       5.4.5 Specification of Management Functions (FMT_SMF) .... 70
   5.5 Protection of the TSF (FPT) .... 71
       5.5.1 Underlying Abstract Machine Test (FPT_AMT) .... 71
       5.5.2 Explicit: Configuration Change (FPT_CFG_EXP) .... 71
       5.5.3 Explicit: Establishment of Secure State (FPT_ESS_EXP) .... 73
       5.5.4 Fail Secure (FPT_FLS) .... 73
       5.5.5 Explicit: TOE Halt (FPT_HLT_EXP) .... 74
       5.5.6 Explicit: TOE Maintenance (FPT_MTN_EXP) .... 74
       5.5.7 Explicit: Principle of Least Privilege (FPT_PLP_EXP) .... 74
       5.5.8 Explicit: Trusted Recovery (FPT_RCV_EXP) .... 75
       5.5.9 Explicit: TOE Restart (FPT_RST_EXP) .... 76