PD-0138: Sharing of Peripherals with Memory under the Peripheral Sharing PP
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
Issue

The PSSHID PP specifies a single security function policy, called the Data Separation Security Function Policy. This policy is defined as follows:
Prior to this statement of the SFP, the PP states
This SFP has two associated objectives, O.CONF and O.CONNECT:
The rationale for O.CONF is the source of the issue at hand:
The issue concerns what appears to be an additional threat (information transfer via buffering mechanisms and other memory associated with keyboards or pointing devices), one that appears to require the TOE to prevent information flow between attached computers that takes place through memory on the keyboard or mouse. If malware on computer 1 writes to the keyboard's memory and malware on computer 2 later reads it back, the Data Separation SFP is violated. It is not clear whether this second paragraph of the rationale was intended to state something the objective must block, or to scope the objective by stating that this form of transfer is outside it. As written, it is an additional requirement on the objective. Given the wide variety of human interface devices, it is likely impossible for a practical TOE to incorporate protections against such information flow, as there does not appear to be any standard means of accessing such device memory. Further, no TOE could plausibly claim conformance to this PP unless it incorporated a specific model of keyboard and pointing device that had been tested to ensure that no such information flow can be initiated.

Resolution

The PP in question is intended for use in benign environments. This is made clear by the assumption:
However, consumers of such devices may mistakenly believe that compliant devices can be used in a broader range of environments. As such, the VR and VPL entry for compliant devices must make the environmental limitations clear.

Support

The concern about malware and data transfer through device memory is valid, and has existed since the days of terminals with remotely programmable function keys: a host could store arbitrary data in the terminal and a subsequent host could read it back by triggering the key. Such device-resident storage creates significant risk in non-benign environments (with potentially malicious users) or in environments where peripherals are shared across security labels (such as periods processing). However, this PP explicitly excludes the risk from such peripheral devices, pushing assessment of that risk to the parties that integrate the system and approve it for use in its eventual environment. Those parties need to be aware of the risk they are accepting. To that end, the risk must be made clear in the validation documents supplied to the consumer, specifically the Validation Report and the Validated Products List entries:
Modification History:
References:
Related NIs:
Related CCIMB-INTERPs:
Source OD: 0266