[Public Interpretations Database]

PD-0138: Sharing of Peripherals with Memory under the Peripheral Sharing PP


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2007-05-31
Last Modified: 2007-05-31

Issue

The PSSHID PP specifies a single security function policy, the Data Separation Security Function Policy. This policy is defined as follows:

Data Separation Security Function Policy (SFP):

The TOE shall allow PERIPHERAL DATA and STATE INFORMATION to be transferred only between PERIPHERAL PORT GROUPS with the same ID. The TOE itself is not concerned with the USER'S information flowing between the SHARED PERIPHERALS and the SWITCHED COMPUTERS. It is only providing a CONNECTION between the HUMAN INTERFACE DEVICES and a selected COMPUTER at any given instant.

Prior to this statement of the SFP, the PP states

The TOE must not have, and in fact must specifically preclude, any features that permit USER information to be shared or transferred between COMPUTERS via the TOE.

For this SFP there are associated objectives, O.CONF and O.CONNECT:

O.CONF The TOE shall not violate the confidentiality of information which it processes.

Information generated within any PERIPHERAL GROUP-COMPUTER CONNECTION shall not be accessible by any other PERIPHERAL GROUP-COMPUTER CONNECTION.

O.CONNECT No information shall be shared between SWITCHED COMPUTERS via the TOE. This includes STATE INFORMATION, if such is maintained within the TOE.

The rationale for O.CONF causes the issue at hand:

O.CONF If the PERIPHERALS can be CONNECTED to more than one COMPUTER at any given instant, then a channel may exist which would allow transfer of information from one to the other. This is particularly important for DEVICES with bi-directional communications channels such as KEYBOARD and POINTING DEVICES.

Since many PERIPHERALS now have embedded microprocessors or microcontrollers, significant amounts of information may be transferred from one COMPUTER system to another, resulting in compromise of sensitive information. An example of this is transfer via the buffering mechanism in many KEYBOARDS.

The issue is that this second paragraph appears to introduce an additional threat (information transfer via buffering mechanisms and other memory associated with keyboards or pointing devices), and thereby appears to require the TOE to control a flow between attached computers that takes place through memory on the keyboard or mouse rather than through the TOE. If malware on computer 1 writes to the keyboard memory and that memory is later read by malware on computer 2, the data separation SFP is violated. It is not clear whether this paragraph was intended to state something that the objective must block, or to scope the objective by stating that this form of transfer lies outside it. As written, it is an additional requirement on the objective.

Given the wide variety of human interface devices, it is likely to be impossible for a practical TOE to incorporate protections against such information flow, as there does not appear to be any standard means of enumerating or clearing such device memory. Further, there is likely no TOE that could claim conformance to this PP unless the TOE incorporated a specific model of keyboard and pointing device that had been tested to ensure that no such information flow can be initiated.

Resolution

The particular PP in question is intended for use in benign environments. This is made clear by the assumption:

A.SCENARIO Vulnerabilities associated with attached DEVICES (SHARED PERIPHERALS or SWITCHED COMPUTERS), or their CONNECTION to the TOE, are a concern of the application scenario and not of the TOE.

However, consumers of such devices may mistakenly believe that compliant devices can be used in a broader range of environments. As such, the Validation Report (VR) and Validated Products List (VPL) entry for compliant devices must make the environmental limitations clear.

Support

The concern about malware and data transfer through device memory is a valid concern, and has been around since the days of terminals with remotely programmable function keys. Such data storage creates significant risk in non-benign environments (with potentially malicious users) or in environments where there are peripherals shared across security labels (such as periods processing).
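The scenario described under Issue (malware on computer 1 writes to keyboard memory that malware on computer 2 later reads) and the older case of remotely programmable function keys mentioned above are the same covert channel. The following Python simulation is an added example and is not part of this PD or of PP_PSSHID; the Keyboard and PeripheralSwitch classes, the programmable macro store and the lock-LED state are assumptions made for illustration. It shows that a switch can enforce the Data Separation SFP (only the selected computer can reach the peripheral) and yet state held inside the peripheral survives the switch-over unless the switch resets the device, which is the clearing step the PP does not require.

```python
"""Simulation of the peripheral-memory covert channel discussed in PD-0138.

Added example, not PD or PP text. The device and switch models below are
assumptions for illustration, not descriptions of any real product.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Keyboard:
    """Keyboard model with host-writable state that outlives a switch-over.

    macros: host-programmable key macro store (cf. terminals with remotely
            programmable function keys); leds: Caps/Num/Scroll lock bits.
    Both are assumed features for the simulation.
    """
    macros: Dict[str, str] = field(default_factory=dict)
    leds: int = 0

    def program_macro(self, key: str, text: str) -> None:
        self.macros[key] = text

    def read_macro(self, key: str) -> Optional[str]:
        return self.macros.get(key)

    def set_leds(self, bits: int) -> None:
        self.leds = bits & 0x7  # three lock LEDs: three host-controlled bits

    def read_leds(self) -> int:
        return self.leds

    def reset(self) -> None:
        """Return the device to power-on state (the clearing step the PP does not require)."""
        self.macros.clear()
        self.leds = 0


class PeripheralSwitch:
    """Port groups selected by ID; only the selected computer can reach the keyboard."""

    def __init__(self, keyboard: Keyboard, clear_on_switch: bool) -> None:
        self.keyboard = keyboard
        self.clear_on_switch = clear_on_switch
        self.selected: Optional[int] = None

    def select(self, computer_id: int) -> None:
        if self.clear_on_switch and computer_id != self.selected:
            self.keyboard.reset()  # mitigation: wipe peripheral state at every switch-over
        self.selected = computer_id

    def device_for(self, computer_id: int) -> Keyboard:
        # Data Separation SFP: a computer that is not selected gets no connection at all.
        if computer_id != self.selected:
            raise PermissionError(f"computer {computer_id} is not the selected port group")
        return self.keyboard


def cross_port_access_blocked() -> bool:
    """The switch itself enforces the SFP: computer 2 cannot reach the keyboard while 1 is selected."""
    sw = PeripheralSwitch(Keyboard(), clear_on_switch=False)
    sw.select(1)
    try:
        sw.device_for(2)
    except PermissionError:
        return True
    return False


def leak_via_macro_store(clear_on_switch: bool):
    """Malware on computer 1 parks a secret in the macro store; after the user
    switches, malware on computer 2 reads it back. Returns what computer 2 sees."""
    sw = PeripheralSwitch(Keyboard(), clear_on_switch)
    sw.select(1)
    sw.device_for(1).program_macro("F1", "SECRET-TOKEN")  # constructed secret
    sw.select(2)  # user switches to the other computer
    return sw.device_for(2).read_macro("F1")


def exfiltrate_via_leds(data: bytes, clear_on_switch: bool) -> bytes:
    """Low-bandwidth variant: 3 bits per switch-over through the lock LEDs.
    Each byte costs the user almost three round trips between the computers."""
    sw = PeripheralSwitch(Keyboard(), clear_on_switch)
    bits = "".join(f"{b:08b}" for b in data)
    received = []
    for i in range(0, len(bits), 3):
        chunk = bits[i:i + 3].ljust(3, "0")
        sw.select(1)
        sw.device_for(1).set_leds(int(chunk, 2))
        sw.select(2)
        received.append(f"{sw.device_for(2).read_leds():03b}")
    recv = "".join(received)[:len(bits)]
    return bytes(int(recv[i:i + 8], 2) for i in range(0, len(recv), 8))


if __name__ == "__main__":
    print("SFP enforced by switch:", cross_port_access_blocked())
    print("macro leak, no clearing:", leak_via_macro_store(False))
    print("macro leak, clearing:  ", leak_via_macro_store(True))
    print("LED channel, no clearing:", exfiltrate_via_leds(b"Hi", False))
    print("LED channel, clearing:   ", exfiltrate_via_leds(b"Hi", True))
```

The point for an integrator is in the two `clear_on_switch` runs: the switch never passes a byte between the computers, so the SFP as defined holds, yet the secret still arrives unless the peripheral is reset at each switch-over. That reset is exactly the assessment item the Resolution below asks the Validation Report to push onto whoever deploys the switch.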

However, this PP explicitly excludes the risk from such peripheral devices, pushing assessment of that risk to the parties that integrate the system and approve the system for use in its eventual environment. These parties need to be aware of the risk they are accepting.

To that end, the risk must be made clear in the validation documents supplied to the consumer, specifically the Validation Report and the Validated Products List entries:

  1. The Validation Report must make clear that the threat of leakage through peripheral memory is one of the threats not countered by compliant devices.

  2. The Validation Report must provide guidance to the certifier (in the Validator's Comments) that any peripherals used with the validated product must be assessed for the potential of data leakage through accessible peripheral memory that remains uncleared when the peripheral is shared between computers.

  3. The VPL entry must include a paragraph indicating that products compliant with this profile are not required to include mechanisms to ensure that all peripheral memory is cleared when the device is switched between computers. It is the responsibility of integrators of the switch into a system to assess the risk of information transfer through compliant switches.

Modification History:

2007-05-31
PD Created. [ODRB May 2007 Agenda Item 3.a.vi]

References:

  • Peripheral Sharing Switch (PSS) for Human Interface Devices, PP_PSSHID_V1.0, August 8, 2000

Related NIs:

  • None

Related CCIMB-INTERPs:

  • None

Source OD: 0266