[Public Interpretations Database]

I-0356: FDP_RIP Annex: Reuse Of Subject Data Notes


TYPE:                 NIAP Interpretation
NUMBER:               I-0356
STATUS:               Sent to CCEVS Management and CCIMB for Review

TITLE:                FDP_RIP Annex: Reuse Of Subject Data Notes


SOURCE REFERENCE:     CC v2.1 Part 2 Subclause F.9 FDP_RIP
                      CC v2.1 Part 2 Subclause J.11 FPT_SEP
RELATED TO:
     I-0350           Clarification Of Resources/Objects For Residual Information Protection
CCIMB ENTRY:          CCIMB-INTERP-0246

ISSUE:

TSF internal data structures have, at times, been considered as a factor contributing to residual data problems. Some products have had residual data problems because, even though they cleared shared objects and the subject's address space at creation, the TSF, as part of its execution of a subject, moved data left over from a previous subject in a TSF internal data structure to a shared object or another subject's address space. The potential for violation of the TSP that arises from such TSF use of internal data structures needs to be addressed in the CC.

STATEMENT:

Separation of the security domains of subjects includes addressing the reuse of TSF-internal structures used to construct those subjects.

Residual information protection includes addressing the reuse of TSF-internal structures and storage used to construct objects.

RECOMMENDED CRITERIA CHANGES:

To address this interpretation, the following changes are made to CC v2.1, Part 2:

  • In Annex F.9, replace the second paragraph (paragraph number 889) under User notes with the following:

    Note: FDP_RIP should not be used to address reuse of the TSF-internal structures used to construct subjects. Such reuse is more properly addressed through the separation of subject domains covered by FPT_SEP.

  • After paragraph 1266 in Annex J.11, insert the following new paragraphs under User notes:

    FPT_SEP provides that the security domains of subjects must be separate. This implies that information must not flow from one subject to another except through objects/information (either controlled by the TSF, or exempted from TSF control). In particular, information should not flow from one subject to another through the reuse of internal subject data structures.

    Note: FPT_SEP should not be used to address reuse of TSF-internal structures or storage used to construct objects that are dynamically allocated or deallocated. Such reuse is more properly addressed through the residual information protection provided by FDP_RIP.

SUPPORT:

TSF internal data structures have, at times, been considered as a factor contributing to residual data problems. Some products have had residual data problems because, even though they cleared shared objects and the subject's address space at creation, the TSF, as part of its execution of a subject, moved data left over from a previous subject in a TSF internal data structure to a shared object or another subject's address space.

The TSF is responsible for the prevention of inadvertent information transfer between subjects that results from operations internal to it. The results of such operations are not normally visible to subjects under the control of the TSF. If such operations result from a subject's allocation or deallocation request for an object, they fall under the residual information protection family; if they are not directly visible to the subject, they are considered under the domain separation family.
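The failure mode described in the issue and support text, as an added C illustration that is not part of this interpretation or of any evaluated product: a hypothetical TSF staging buffer (tsf_scratch, an assumption) is reused between two subjects, the objects themselves are cleared at allocation, and yet the leaky store path moves the previous subject's bytes into the second subject's object; the hardened path clears the internal structure before reuse. Because the residue is produced while servicing an allocation/store request for an object, this is the FDP_RIP case discussed above.

```c
#include <stdint.h>
#include <string.h>

#define RECORD_SIZE 16

/* Hypothetical TSF-internal staging buffer reused across all subjects. */
static uint8_t tsf_scratch[RECORD_SIZE];

/* A shared object: a fixed-size record, cleared when allocated. */
typedef struct { uint8_t data[RECORD_SIZE]; } record_t;

static record_t allocate_record(void) {
    record_t r;
    memset(r.data, 0, sizeof r.data);   /* the object itself starts clean */
    return r;
}

/* Leaky path: the subject's data is staged in tsf_scratch, then the whole
 * staging buffer is copied into the object. Bytes beyond len are residue
 * left by whichever subject used this TSF path last. */
static void tsf_store_leaky(record_t *obj, const uint8_t *src, size_t len) {
    if (len > RECORD_SIZE) len = RECORD_SIZE;
    memcpy(tsf_scratch, src, len);
    memcpy(obj->data, tsf_scratch, RECORD_SIZE);
}

/* Hardened path: the internal structure is cleared before reuse and only
 * the bytes the subject supplied are moved into the object. */
static void tsf_store_clean(record_t *obj, const uint8_t *src, size_t len) {
    if (len > RECORD_SIZE) len = RECORD_SIZE;
    memset(tsf_scratch, 0, sizeof tsf_scratch);
    memcpy(tsf_scratch, src, len);
    memcpy(obj->data, tsf_scratch, len);
}

/* Run subject A then subject B through the given TSF path and count how many
 * non-zero bytes of A's data reappear in B's object (0 means no residue). */
static size_t residue_bytes(void (*store)(record_t *, const uint8_t *, size_t)) {
    const uint8_t secret_a[RECORD_SIZE] = "SECRET-OF-A-XXX";  /* constructed */
    const uint8_t input_b[4] = "b:01";                        /* constructed */
    record_t obj_a = allocate_record(), obj_b = allocate_record();
    store(&obj_a, secret_a, sizeof secret_a);   /* subject A runs first */
    store(&obj_b, input_b, sizeof input_b);     /* subject B reuses the path */
    size_t n = 0;
    for (size_t i = sizeof input_b; i < RECORD_SIZE; i++)
        if (secret_a[i] != 0 && obj_b.data[i] == secret_a[i]) n++;
    return n;
}
```

residue_bytes(tsf_store_leaky) reports 11 bytes of subject A's data inside subject B's freshly cleared object, while residue_bytes(tsf_store_clean) reports 0.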