PD-0004: Satisfaction of Requirements by Applications Running on Untrusted Products
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
Issue

In the context of an information security application running on top of an operating system, where the functional requirements for the application include FPT_SEP (domain separation) as well as Audit and I&A (identification and authentication), can the operating system be excluded from the TOE?

Resolution

In cases where the ST includes FPT_SEP, all components needed to ensure FPT_SEP must be included in the TOE. Specifically, in the case of an application running on top of an operating system, if domain separation is to be assured, that operating system must be included in the TOE. The only exception would be the situation where a convincing argument could be presented that there is no operating system behavior that could result in a violation of domain separation. At EAL3 and below, it is acceptable to consider the underlying operating system as a single subsystem of the TOE. Above EAL3, this is more difficult because of the design decomposition and structuring requirements.

Support

The rationale for the statement about EAL4 and above is that the high-level design (HLD) component moves from HLD.1 to HLD.2 as one moves from EAL3 to EAL4, and that low-level design (LLD) and implementation representation (IMP) are added. For a product obtained from an outside vendor, it is anticipated to be difficult to obtain LLD- and IMP-level documentation. Secondly, HLD.2 introduces the distinction between TSP-enforcing and other subsystems, and it is questionable how a monolithic operating system could be categorized in those terms.

Modification History:
References:
Related NIs:
Related CCIMB-INTERPs:
Source OD: 0008