[Public Interpretations Database]

I-0386: High Level Design Is Too Close To Implementation


TYPE:                 NIAP Interpretation
NUMBER:               I-0386
STATUS:               Pending on: ADV Rewrite
REASON:               Hold: Pending ADV Rewrite

TITLE:                High Level Design Is Too Close To Implementation

SOURCE REFERENCE:     CC v2.1 Part 3 Subclause 10.2 ADV_HLD
RELATED TO:           <None>

ISSUE:

The ADV_HLD elements require information that is too close to the implementation. Examples of this are the requirements that call for information on subsystem interfaces, identification of the specific subsystem interfaces (interpreted as entry points) that are visible externally, and, most importantly, identification of the details of the effects, exceptions, and error messages of the interfaces.

STATEMENT:

The following interprets the entire ADV_HLD family.

The intent of the high-level design is to describe the TOE at a level removed from implementation detail:

RECOMMENDED CRITERIA CHANGES:

To address this interpretation, in addition to the correction identified in I-0384, the following changes must be made to ADV_HLD elements:

  • Reword ADV_HLD.1.7C (and hierarchically greater incarnations) as:

    ADV_HLD.x.7C: The high-level design shall identify the services provided by each subsystem at the TSF interface.

  • Reword ADV_HLD.2.8C (and hierarchically greater incarnations) as:

    ADV_HLD.x.8C: The high-level design shall describe the purpose and control flows of each TSF subsystem, including a description of the interrelationships and interactions between subsystems, based on security relevance.

  • Reword ADV_HLD.2.9C (and hierarchically greater incarnations) as:

    ADV_HLD.x.9C: The high-level design shall identify which TSF subsystems contribute to TSP-enforcement, and the extent of the contribution.

Note: As these elements are refined at the hierarchically higher components, the rewording must carry over the same differences that currently exist between the element versions at each level. Additionally, these element changes will require corresponding changes in the wording of the component levelling (not the levelling itself) and in the application notes.

These changes to the ADV_HLD family will require potentially significant changes to the CEM work units for the ADV_HLD family at EAL2 and above. Additionally, changes are likely in CEM work units for other families in the ADV class at EAL2 and above that represent work performed for ADV_HLD. CEM changes will also be required in the ATE elements that describe use of the ADV_HLD findings in performing test coverage analysis, such as ATE_DPT.

SUPPORT:

The intent of ADV_HLD is to provide a first-level translation of the functional specification into a design. This would identify conceptual subsystems, their interrelationships, the data flows, and the control flows. This is supported by the objective statement for the family.

The goal of this interpretation is to make the elements of the family agree with this intent. This is partially done in I-0384 with the correction of ADV_HLD.1.6C (and hierarchically greater incarnations); this interpretation completes the process. It also clarifies that information is primarily required on security-relevant portions of the design; for other portions, evaluators must have sufficient information to confirm and agree with the "non-security-relevant" designation.