Module 2.8
Assurance Continuity
and Composition
16 August 2010
© Crown Copyright (2010)
1
“You Are Here”
MODULE 2 - ASSURANCE
M2.1 Requirements
M2.2 Development Representations
M2.3 Functional Testing
M2.4 Development Environment
M2.5 Operational Environment
M2.6 Vulnerability Analysis
M2.7 Penetration Testing
M2.8 Assurance Maintenance/Composition
16 August 2010
© Crown Copyright (2010)
2
Abbreviations and References
• The Abbreviations and References
document, UKSP 00, is available on the
Formal Documentation webpage of the
CESG website at http://www.cesg.gov.uk
• Also see Chapter 4 Terms and Definitions &
Chapter 5 Symbols and Abbreviated Terms
in CC Part 1, Version 3.1
16 August 2010
© Crown Copyright (2010)
3
Glossary
• Assurance Baseline – The culmination of
activities performed by the Evaluator and
Developer resulting in a Certified TOE,
recorded or submitted as evidence and
measurable by any change to that evidence
• Certified TOE – The TOE that has been
successfully evaluated and certified (or reevaluated and certified)
16 August 2010
© Crown Copyright (2010)
4
Glossary
• CESG CB – CESG Certification Body
which is the UK Evaluation Authority
• Changed TOE – The patched, updated or
otherwise modified TOE that is to be
subjected to Assurance Continuity
• Developer Evidence – The TOE and
evaluation documentation deliverables
16 August 2010
© Crown Copyright (2010)
5
Glossary
• Evaluation Authority – A body that implements
the CC for a specific community by means of an
Evaluation Scheme
• Impact Analysis Report (IAR) – The report
generated by the Sponsor/Developer that records
the analysis of changes to the Certified TOE
– The impact of each change should be Minor for
Assurance Maintenance
– Otherwise a Re-evaluation will be required
16 August 2010
© Crown Copyright (2010)
6
Glossary
• Maintained TOE – The Changed TOE that has
successfully undergone the Assurance
Maintenance process and has been awarded a
Maintenance Addendum Certificate
• Maintenance Addendum – The additional text that
is appended to the description of the Certified
TOE on the CESG website in order to describe the
Maintained version(s) of the TOE
16 August 2010
© Crown Copyright (2010)
7
Glossary
• Maintenance Addendum Certificate – The
Certificate of the Maintained TOE, which
references the Certificate of the Certified TOE
• Maintenance Report – The publicly available
report that describes all the changes that were
made to the Certified TOE and that have been
accepted under the Assurance Maintenance
process
16 August 2010
© Crown Copyright (2010)
8
Glossary
• Maintenance – The process applied when the
changes to a Certified TOE have not adversely
affected assurance in that TOE
• Original TOE – The TOE prior to being subjected
to any evaluation and certification
• Re-evaluation – The process applied when the
changes to a Certified TOE require Evaluation
(reusing previous Evaluation or Maintenance
results) to establish a new Assurance Baseline
16 August 2010
© Crown Copyright (2010)
9
CCRA and MRA
• Arrangement on the Recognition of
Common Criteria Certificates in the Field of
Information Technology Security, May 2000
• Mutual Recognition Agreement of
Information Technology Security Evaluation
Certificates, Management Committee,
SOGIS, Version 3.0, January 2010
16 August 2010
© Crown Copyright (2010)
10
CCRA Assurance Continuity
• Assurance Continuity: CCRA Requirements,
Common Criteria Interpretations
Management Board, CCIMB-2004-02-009,
Version 1.0, February 2004
• Reuse of Evaluation Results and Evidence,
Common Criteria Recognition Arrangement
Management Committee, 2002-08-009-002,
Version 1, October 26th, 2002
16 August 2010
© Crown Copyright (2010)
11
UK Scheme Publication No 3
• Sponsor’s Guide – General Introduction,
UKSP 03: Part I, Issue 2.2, December 2009
– Assists Sponsors and Developers intending to
submit a product for Evaluation & Certification
• Sponsor’s Guide – Assurance Continuity,
UKSP 03: Part II, Issue 1.0, December 2009
– Describes the UK Scheme requirements for
Assurance Continuity
16 August 2010
© Crown Copyright (2010)
12
UKSP 03 Part II
• CCRA Assurance Continuity requirements
are extended, if required, in the areas of:
–
–
–
–
Technical Concepts
Change Characterisation
Impact Analysis
Production of the Impact Analysis Report
• Assurance Continuity is only allowed for
products previously certified by CESG CB
16 August 2010
© Crown Copyright (2010)
13
United Kingdom
Accreditation Service
• To satisfy the UKAS accreditation criteria,
established procedures must be used for the
conduct of Assurance Continuity activities
• The responsibilities that are identified in
UKSP 03 Part II reflect UKAS requirements
• Consult the UKAS documentation for the
full accreditation requirements
16 August 2010
© Crown Copyright (2010)
14
Scope
• The Assurance Continuity requirements are
applicable to the security evaluations of
products against the criteria laid down in the
Common Criteria [CC], [CCRA] and [AC]
• This is subject to the relevant International
Interpretations, UK Interpretations and
Scheme Information Notices (SINs)
16 August 2010
© Crown Copyright (2010)
15
Assurance Continuity
• Assurance Continuity is an enhancement to
Common Criteria Certification and consists
of the following two processes:
– Re-evaluation
This is covered by the standard Evaluation
process described in UKSP 01 and UKSP 02
– Assurance Maintenance
This will be covered in the current module
16 August 2010
© Crown Copyright (2010)
16
Assurance Continuity
• The concept of Assurance Maintenance is
introduced in UKSP 01
– Based on an Impact Analysis Report produced by the
Sponsor/Developer
• If all changes to a Certified TOE have a Minor
security impact then the Assurance Maintenance
process is applicable
• If a single change to a Certified TOE has a Major
security impact then a Re-evaluation is necessary
16 August 2010
© Crown Copyright (2010)
17
Assurance Continuity
• Assurance Continuity enables the
Sponsor/Developer of a Certified TOE to provide
ongoing assurance when the TOE is subject to any
type of update, modification or change.
• Assurance Continuity is intended to be a relatively
quick, cheap and efficient process to achieve a
Certified or Maintained TOE, since unchanged
evaluation work that was previously performed
does not need to be unnecessarily repeated.
16 August 2010
© Crown Copyright (2010)
18
Assurance Maintenance
• Assurance Maintenance is based on the production
of an Impact Analysis Report, by the
Sponsor/Developer, which is submitted to the
CESG Certification Body for Review
• CLEF Evaluators are not involved during
Assurance Maintenance, but the CB or
Sponsor/Developer may utilise consultants or
experts (e.g. CLEF Consultants), if required
16 August 2010
© Crown Copyright (2010)
19
Assurance Maintenance
• Although there is no formal CC requirement
to supply any further Developer Evidence in
the assessment process, beyond those items
listed in Chapter 2, the CESG CB reserves
the right to inspect original and/or updated
deliverables, in order to confirm whether
specific changes are Major or Minor.
16 August 2010
© Crown Copyright (2010)
20
Assurance Maintenance
• A satisfactory CESG CB Review will lead to the
publication, on the CESG webpage for the
corresponding Certified TOE, of the following:
– an updated Security Target
– a Maintenance Report summarising the changes from
the Certified TOE
– a Maintenance Addendum
• A Maintenance Addendum Certificate will be
issued to the Sponsor/Developer to supplement the
original Certificate
16 August 2010
© Crown Copyright (2010)
21
Re-evaluation
•
•
Any security relevant change that is deemed to
be Major will necessitate a Re-evaluation if
assurance in the product is to be maintained
The Re-evaluation process is identical to the
Evaluation process described in UKSP 01 and
UKSP 02 except that the Evaluation may be
optionally guided by an IAR and supported by
appropriate reuse of any previous Evaluation or
Maintenance evidence
16 August 2010
© Crown Copyright (2010)
22
TOE Certification Lifecycle
Original
Evaluation & Certification completed.
Publish ST & CR. Issue Certificate
Certified
Re-evaluation –
Major Change(s).
Issue Certificate.
Updated or Modified, by Sponsor or Developer
Changed
Updated or
Modified
Assurance Maintenance –Minor Changes(s) in IAR.
Publish MA with MR & updated ST. Issue MA Certificate
Maintained
The Maintenance Addendum Certificate is produced
as a supplement to the original Certificate.
16 August 2010
© Crown Copyright (2010)
23
Certification Lifecycle
• Re-evaluation is basically the same as the
standard CC Evaluation process; including
the issue of a Certification Report and
Certificate
• Assurance Maintenance requires all
changes in the Impact Analysis Report to be
assessed & verified to have a Minor security
impact on the TOE
16 August 2010
© Crown Copyright (2010)
24
Certification Lifecycle
• In contrast to Section 2.2 of the CCRA
Assurance Continuity document, which
states that there is “no implied issuance of
an updated certificate”, a MA Certificate
will be produced as an Addendum to either
the original Certificate or the most recent
Re-evaluation Certificate
16 August 2010
© Crown Copyright (2010)
25
Certification Lifecycle
• Section 2.4 of CCRA Assurance Continuity
states that new vulnerabilities and attack
methods are not assessed during the
Assurance Maintenance process
• However, even a few weeks is a long time
period in terms of security vulnerability
development/deployment and analysis
16 August 2010
© Crown Copyright (2010)
26
Certification Lifecycle
• CESG CB may wish to increase confidence in the
Assurance Maintenance process by ensuring that:
– either no new vulnerabilities or attack methods have
been found
– or if found they are not in scope of the defined TOE
boundary or at least they are not relevant to the
evaluated configuration of the TOE
• CESG CB is responsible for determining the
extent of any additional vulnerability analysis that
is required beyond that produced by the Developer
16 August 2010
© Crown Copyright (2010)
27
Deliverables Required for
Assurance Maintenance
•
For the Certified TOE:
–
–
–
–
Common Criteria Certificate
including any Maintenance Addendum
Certification Report
including any Maintenance Report
Evaluation Technical Report
including any Evaluation Work Packages
Security Target, including the Security Target
for any Maintained TOE
16 August 2010
© Crown Copyright (2010)
28
Deliverables Required for
Assurance Maintenance
• For the Changed TOE:
–
–
–
–
Impact Analysis Report
Security Target (updated)
Product and supporting documentation
Developer Evidence (updated)
• The above deliverables for the Certified and
Change TOE are suitable for input into the
CESG CB Assurance Maintenance process
16 August 2010
© Crown Copyright (2010)
29
Assurance Maintenance
•
CESG CB may require the following additional
inputs to resolve any decisions regarding the
characterisation or categorisation of changes:
–
–
–
–
–
Security Architecture and Design
Vulnerability Analysis
Test Scripts and Results
Configuration List
Operational Guidance
16 August 2010
© Crown Copyright (2010)
30
Assurance Maintenance
•
Although there is no defined time limit
between the TOE Certification date and
the start of the Assurance Maintenance
process, the Certifier should ensure that
the time gap is consistent and reasonable
in relation to other aspects of the proposed
Assurance Maintenance process
16 August 2010
© Crown Copyright (2010)
31
Assurance Maintenance
• The CESG Certification Body will perform
a Review of the Impact Analysis Report,
using a standard CESG CB Review form, to
ensure that all changes have a Minor
security impact on the assurance of the TOE
16 August 2010
© Crown Copyright (2010)
32
Assurance Maintenance
• If all changes are Minor then a Maintenance
Report and Maintenance Addendum will be
produced and published on the CESG
website, as an update to the information
about the Certified TOE
• Note that the IAR is normally shared only
between the Sponsor/Developer and the
CESG Certification Body
16 August 2010
© Crown Copyright (2010)
33
Assurance Maintenance
•
•
The Maintenance Addendum is just a few
paragraphs, referencing the Maintenance
Report and the updated Security Target,
which are appended to the entry about the
Certified TOE on the CESG website
This satisfies the Maintenance Addendum
requirements in Section 2.4.1.2 of [AC]
16 August 2010
© Crown Copyright (2010)
34
Re-evaluation
• Apart from the potential use of a formal
Impact Analysis Report in a Re-evaluation,
everything else in Section 2.4.2 of [AC]
regarding the Re-evaluation process is
already covered by UKSP 02
16 August 2010
© Crown Copyright (2010)
35
Certification Work Programme
•
•
The CESG CB Certification activities for the
Assurance Maintenance process and Reevaluation process are outlined in the Standard
Certification Work Programme, see [CWP-AM]
and [CWP]
Depending on the scope and quantity of
changes, the CB may seek the support of a
consultant to perform the analysis of the changes
in the IAR and to draft the Maintenance Report.
16 August 2010
© Crown Copyright (2010)
36
Characterisation of TOE Changes
•
•
No additional information is required in
addition to Chapter 3 of [AC], which just
contains some examples of changes that
have Minor or Major security impact
In general, it is very difficult to determine
whether the impact on assurance of any
specific change to a TOE should be
classified as Minor or Major
16 August 2010
© Crown Copyright (2010)
37
Characterisation of TOE Changes
• There is no guarantee that the security of an
updated product can be determined by checking
the updates only and ignoring the unchanged
aspects, in the context of the whole product
• In practice, the categorisation is agreed between
the Sponsor, Developer and the CB, together with
any assigned CB consultant, but the decision of
the CB will be final
16 August 2010
© Crown Copyright (2010)
38
Performing an Impact Analysis
•
No additional information is required in
addition to Chapter 4 of [AC], which
states that any changes that impact on any
aspect of the original Evaluation and
Certification (eg Objectives, Threats,
SFRs, SARs, Documentation, etc) should
be addressed by the Sponsor/Developer,
who will produce updated Documentation
and the Impact Analysis Report
16 August 2010
© Crown Copyright (2010)
39
Performing an Impact Analysis
• Steps 1 to 5 in Section 4.3 of [AC] may be used as
a checklist by the Sponsor/Developer or the CESG
Certification Body to ensure that the IAR covers
all the stated requirements
• A stricter requirement for evaluation deliverables
or a stronger level of assurance than the Original
TOE Evaluation and Certification is unnecessary
and is not required
16 August 2010
© Crown Copyright (2010)
40
Impact Analysis Report
•
The required minimum contents of the IAR are as follows and could
be used by the Sponsor/Developer as a basis for an IAR template:
Introduction:
•
–
–
–
–
–
–
–
the IAR configuration control identifiers (e.g. name, date and version);
current TOE configuration control identifiers (the current version of the
TOE)
configuration control identifiers for the ETR, CR, and Certified TOE
(Assurance Baseline)
configuration control identifiers for the version of the ST related to the
Certified TOE
identity of the Developer
information in relation to legal or statutory aspects
information related to any previous Assurance Maintenance activity
(e.g. MR)
16 August 2010
© Crown Copyright (2010)
41
Impact Analysis Report (IAR)
•
Description of changes:
–
–
•
Affected Developer Evidence:
–
•
changes to the product
changes to the development environment
for each change, the Developer shall list the affected
items of the original Developer Evidence (i.e. the
affected Evaluation Deliverables)
Modifications to Developer Evidence:
–
the developer shall describe the required
modifications to the affected items of the original
Developer Evidence
16 August 2010
© Crown Copyright (2010)
42
Impact Analysis Report (IAR)
•
Conclusions:
–
–
–
–
•
for each change the Developer shall report if the impact on
assurance is considered Minor or Major
for each change the Developer should provide a supporting
rationale for the reported impact
the Developer shall report if the overall impact is considered
Minor or Major
the Developer should include a supporting rationale, taking all
the changes into consideration
Annex: Updated Developer Evidence:
–
the Developer shall report the title and the unique reference (e.g.
issue date and version number) of each updated item of
Developer Evidence
16 August 2010
© Crown Copyright (2010)
43
Templates for
Assurance Continuity
•
•
•
•
•
Assurance Maintenance Plan template is provided on the
CESG website in CTAS Methodology
Impact Analysis Report template, for the Sponsor /
Developer, is provided in Chapter V of UKSP03 Part II
IAR Review template, for the CESG Certification Body
is provided by a standard CESG CB Review Form
Maintenance Report template, for the CESG
Certification Body, is available from the CESG CB
Maintenance Addendum template, for the CESG
Certification Body, is not specifically provided
16 August 2010
© Crown Copyright (2010)
44
Main Principles for
Assurance Continuity
• Maintain Impartiality and Objectivity, as
with all Common Criteria evaluation and
certification tasks
• There should not be any time, money or
resource pressures that would affect the
impartiality or objectivity of the Assurance
Continuity process
16 August 2010
© Crown Copyright (2010)
45
Main Principles for
Assurance Continuity
• Reuse evaluation results wherever possible
• For parts of the Changed TOE where there
has been no change, there is no point in
repeating work that has already been
performed during the evaluation of the
Certified TOE
16 August 2010
© Crown Copyright (2010)
46
Main Principles for
Assurance Continuity
• No more detail is required than that provided
during the evaluation of the Certified TOE
• Only the changes that actually affect the
deliverables of the Certified TOE are required to
be reported
– For example, if a document was not provided as a
deliverable for the Certified TOE then any updates to
that document do not need to be provided for the
Maintained TOE
16 August 2010
© Crown Copyright (2010)
47
Main Principles for
Assurance Continuity
• Details of changes should be sufficient to support
Repeatability and Reproducibility across CBs
• A non-security related change is usually
completely irrelevant to the TOE and IAR
– it can be eliminated quickly
– it does not need to be discussed in detail
• The impact of non-security related changes can be
categorised as None (rather than Minor)
• Changes categorised as None would not have been
discussed in the Original TOE evaluation
16 August 2010
© Crown Copyright (2010)
48
Main Principles for
Assurance Continuity
• Correcting an implementation fault (even to
security functionality) is just strengthening the
claimed behaviour of the TOE and hence cannot
be considered a Major change for the Impact
Analysis Report
• Generic wording that may be used for this
situation is as follows: “The < fault correction |
bug fix > relating to the < subsystem | component
> is a correction to the TOE functionality and
hence does not affect the expression of the SFRs
in the assurance evidence”
16 August 2010
© Crown Copyright (2010)
49
Procedures
•
The CESG CB procedures for the Initial Stage
of Assurance Maintenance are:
–
–
–
–
–
Prepare for the IAR Review (i.e. familiarise with the
previous ST, ETR, CR, IAR, MR as appropriate)
Confirm whether the ST is essentially unchanged
(except for trivial changes such as software versions)
Review the draft IAR and check its change
categorisations
Audit any updated deliverables regarding specific
changes (such as the bug list and test results)
Perform a search for any obvious vulnerabilities
16 August 2010
© Crown Copyright (2010)
50
Procedures
•
The CESG CB procedures for the Final Stage
of Assurance Maintenance are:
–
–
–
–
–
–
–
Review and approve the final IAR
Address any issues raised by CESG CB or the
Sponsor/Developer
Produce and agree the Maintenance Report
Record the decision rationale
Produce and agree the MA and MA Certificate
Update the entries on the CESG and CC portal
websites using ST, MR, and MA
Submit the MA Certificate to the Sponsor/Developer
16 August 2010
© Crown Copyright (2010)
51
{End of New Presentation…}
• {…and start of Old Presentation}
16 August 2010
© Crown Copyright (2010)
52
Introduction
• Assurance maintenance
– assessment of changes to TOE
– assurance maintained after certification
• Composition
– TOE comprises component products
– certified components included
• Some TOEs may involve both
16 August 2010
© Crown Copyright (2010)
53
Assurance Maintenance Options
• Ad-hoc re-evaluation
– initiated when desired
• Certificate Maintenance Scheme (CMS)
– requires ongoing developer support
16 August 2010
© Crown Copyright (2010)
54
Assurance Maintenance
Fundamentals
•
•
•
•
Previous evaluation results
Security impact analysis
Categorisation report
‘Evaluation’ activity
16 August 2010
© Crown Copyright (2010)
55
Ad-hoc Re-evaluation
- Process and Reporting
• Updated deliverables
– may include impact analysis
• Standard evaluation process
– re-use of previous results
• Observation reports and ETR
16 August 2010
© Crown Copyright (2010)
56
CMS - Process
• Certificate Maintenance Plan (CMP)
– planned maintenance cycle for TOE
• Developer Security Analyst (DSA)
– responsible developer representative
• CMS rules
16 August 2010
© Crown Copyright (2010)
57
CMS - Maintenance Cycle
TOE Certified
CMP Approved
CMP Updated
TOE Maintained
Under CMS
TOE Re-certified
CMP Updated
16 August 2010
© Crown Copyright (2010)
58
CMS - Certificate Maintenance
Plan
• Covers one maintenance cycle
• Identifies changes
– components affected
– assurance required
• Release plans
• Audit schedule/Re-evaluation schedule
• DSA
• Maintenance and Vulnerability Tracking
Procedures
16 August 2010
© Crown Copyright (2010)
59
CMS - Developer Security
Analyst
• ‘Qualifications’
– familiar with TOE
– criteria and methodology knowledge
– impartiality
• Responsibilities:
– deliverables
– testing
– vulnerabilities
16 August 2010
© Crown Copyright (2010)
60
CMS - Security Impact Analysis
• Responsibility of DSA
– production and maintenance of SIA
• Contents
– changes
– test evidence
• Purpose
16 August 2010
© Crown Copyright (2010)
61
CMS - Categorisation Report
Security Enforcing
TSP-enforcing:
Security Critical
Security Relevant
TSP-enforcing:
Security Supporting
Security Irrelevant
Non-TSP-enforcing
16 August 2010
© Crown Copyright (2010)
62
CMS - Reporting
• Observation Reports
• Audit Reports
• ETR (following re-evaluation)
16 August 2010
© Crown Copyright (2010)
63
ITSEC vs. CC
Certificate
Maintenance Plan
Assurance
Maintenance Plan
Categorisation Report
TOE Component
Categorisation Report
Certificate Maintenance
Audit Report
Assurance Maintenance
Audit Report
Security Impact Analysis
Security Impact Analysis
Certificate Maintenance
Status Report
Evidence of Assurance
Maintenance
16 August 2010
© Crown Copyright (2010)
64
Composite TOEs
• Certified Products and Bespoke Applications
– re-use component product results
– assess interaction between components
Bespoke
RDBMS
Operating System
Certified
Hardware
16 August 2010
© Crown Copyright (2010)
65
Summary
• Assurance maintenance involves
– Reuse of previous results
– SIA
• Options for ad-hoc re-evaluation or CMS
• CMS also involves
– CMP
– DSA
• Composition
– Re-use of component product results
16 August 2010
© Crown Copyright (2010)
66
Further Reading
ITSEC Evaluation
• UKSP 05 Part III, Chapter 11
• UKSP 16
CC evaluation
• CC Part 3, Sections 2.8, 15 and 16
16 August 2010
© Crown Copyright (2010)
67
Exercise - Maintenance
Month 1
TOE Completes evaluation
Month 4
Minor bug fixes are carried out relating to the display of fields
Month 8
Administrator manuals are updated to clarify certain actions
Month 12
The maximum number of audit records is extended
16 August 2010
© Crown Copyright (2010)
68
Exercise - Maintenance (Cont)
Month 15
The authentication mechanism is changed
Month 18
An additional service is added to the firewall
Month 21
Testing documentation is updated to reflect new vulnerabilities
Month 24
16 August 2010
Security Relevant Functionality is added to the TOE
© Crown Copyright (2010)
69
Download

Module 2.8 Assurance Maintenance and Composition