TYPE: NIAP Interpretation
NUMBER: I-0424
STATUS: Formally Rescinded
REASON: CCIMB Rejected Interpretation. See February 2003 NIB Agenda Item 1.d.xii
TITLE: FPT_SEP.2 And FPT_SEP.3 Are Not Hierarchical
SUPERSEDES:
I-0373 FPT_SEP.2 And FPT_SEP.3 Are Not Hierarchical
EFFECTIVE: 2000-12-05
RESCINDED: 2003-05-09
SOURCE REFERENCE: CC v2.1 Part 2 Clause 10 FPT
CC v2.1 Part 2 Clause J FPT
CC v2.1 Part 2 Subclause 10.11 FPT_SEP
CC v2.1 Part 2 Subclause J.11 FPT_SEP
RELATED TO:
I-0373 FPT_SEP.2 And FPT_SEP.3 Are Not Hierarchical
CCIMB ENTRY: CCIMB-INTERP-0110
ISSUE:
According to Section 2.1.2.3 in Part 2, "A component is hierarchical to
another if it offers more security." However, FPT_SEP.2, depending
on the instantiation, does not necessarily provide less security than
FPT_SEP.3. It could be instantiated to provide the same security as
FPT_SEP.3. Hence, FPT_SEP.3 cannot be hierarchical to FPT_SEP.2.
STATEMENT:
CC v2.1 is modified so that FPT_SEP reflects a proper hierarchy.
RECOMMENDED CRITERIA CHANGES:
To address this interpretation, the following changes are made to CC v2.1, Part 2 (additions are marked [added: ...]; deletions are marked [deleted: ...]):
- FPT_SEP.2 is relabeled as FPT_SEP.2-NIAP-0424, and FPT_SEP.3 is relabeled as FPT_SEP.3-NIAP-0424. Unless otherwise noted in these changes, all normative and informative material associated with FPT_SEP.2 is incorporated unchanged into FPT_SEP.2-NIAP-0424, and all references to FPT_SEP.2 in the CC, CEM, or other Common Criteria documentation are changed to refer to FPT_SEP.2-NIAP-0424. Similarly, all normative and informative material associated with FPT_SEP.3 is incorporated unchanged into FPT_SEP.3-NIAP-0424, and all references to FPT_SEP.3 in the CC, CEM, or other Common Criteria documentation are changed to refer to FPT_SEP.3-NIAP-0424.
- In Clause 10, Figure 10.2, the hierarchy diagram for FPT_SEP
is redrawn to show that components 2-NIAP-0424 (a relabeling of 2) and
3-NIAP-0424 (a relabeling of 3) are both immediately hierarchical to component
1, and new component NIAP-0424-1 is immediately hierarchical to both
2-NIAP-0424 and 3-NIAP-0424.
- In the "Component Levelling" section of Subclause 10.11, the
hierarchy diagram is redrawn to show that components 2-NIAP-0424 and
3-NIAP-0424 are both immediately hierarchical to component 1, and new
component NIAP-0424-1 is hierarchical to both 2-NIAP-0424 and 3-NIAP-0424.
- Paragraphs 436 and 437 of Subclause 10.11 are modified as follows:
FPT_SEP.2-NIAP-0424 SFP domain separation, requires that the TSF be further subdivided, with distinct domain(s) for an identified set of SFPs that act as reference monitors for their policies, and a domain for the remainder of the TSF, as well as domains for the non-TSF portions of the TOE. [added: There may be multiple reference monitor SFPs in a single domain.]
FPT_SEP.3-NIAP-0424 Complete reference monitor, requires that there be distinct domain(s) for TSP enforcement, a domain for the remainder of the TSF, as well as domains for the non-TSF portions of the TOE. [added: However, there may be multiple SFPs within a single domain.]
- The following paragraph is added after paragraph 437:
FPT_SEP.NIAP-0424-1 Isolated reference monitor domains, requires that there be a distinct domain for each SFP providing TSP enforcement, a domain for the remainder of the TSF, as well as domains for the non-TSF portions of the TOE.
- In Subclause 10.11, the "Management" section has FPT_SEP.NIAP-0424-1 added to the list of components for which no management actions are foreseen.
- In Subclause 10.11, the "Audit" section has FPT_SEP.NIAP-0424-1 added to the list of components for which there are no auditable actions.
- In Subclause 10.11, FPT_SEP.2.3 is replaced with the following:
FPT_SEP.2.3-NIAP-0424 The TSF shall maintain the part of the TSF related to [assignment: list of access control and/or information flow control SFPs] in a security domain(s) for their own execution that protects them from interference and tampering by the remainder of the TSF and by subjects untrusted with respect to those SFPs.
- In FPT_SEP.3-NIAP-0424, the "Hierarchical To:" statement is modified to indicate that the component is hierarchical to FPT_SEP.1, not FPT_SEP.2-NIAP-0424.
- FPT_SEP.3.3 is replaced with the following:
FPT_SEP.3.3-NIAP-0424 The TSF shall maintain the part of the TSF that enforces the access control and/or information flow control SFPs in a security domain(s) for their own execution that protects them from interference and tampering by the remainder of the TSF and by subjects untrusted with respect to the TSP.
- A new component, FPT_SEP.NIAP-0424-1, is created as follows (changes are shown against the FPT_SEP.3 component as [added: ...] and [deleted: ...]; the key change is the modification of FPT_SEP.3.3 to put each SFP in a distinct security domain):
FPT_SEP.NIAP-0424-1 [deleted: Complete] [added: Isolated] reference monitor [added: domains]
Hierarchical to: FPT_SEP.2-NIAP-0424, FPT_SEP.3-NIAP-0424
FPT_SEP.NIAP-0424-1.1 The unisolated portion of the TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects.
FPT_SEP.NIAP-0424-1.2 The TSF shall enforce separation between the security domains of subjects in the TSC.
FPT_SEP.NIAP-0424-1.3 The TSF shall maintain [deleted: the] [added: each] part of the TSF that enforces [deleted: the] [added: an] access control and/or information flow control SFP[deleted: s] in a security domain for its own execution that protects [deleted: them] [added: it] from interference and tampering by the remainder of the TSF and by subjects untrusted with respect to the TSP.
Dependencies: No dependencies
- In Clause J, Figure J.2, the hierarchy diagram for FPT_SEP is redrawn to show that components 2-NIAP-0424 and 3-NIAP-0424 are both immediately hierarchical to component 1, and new component NIAP-0424-1 is immediately hierarchical to both 2-NIAP-0424 and 3-NIAP-0424.
- In Subclause J.11, paragraph 1267 is replaced with the following:
In order to obtain the equivalent of a reference monitor, the components FPT_SEP.2-NIAP-0424 (SFP domain separation), FPT_SEP.3-NIAP-0424 (Complete reference monitor), or FPT_SEP.NIAP-0424-1 (Isolated reference monitor domains) from this family must be used in conjunction with FPT_RVM.1 (Non-bypassability of the TSP), and ADV_INT.3 (Minimisation of complexity). Further, if complete reference mediation is required, the components from Class FDP User data protection must cover all objects.
- In Subclause J.11, paragraph 1273 (the "Assignment" operation for FPT_SEP.2-NIAP-0424) is replaced with the following:
For FPT_SEP.2-NIAP-0424.3, the PP/ST author should specify the access control and/or information flow control SFPs in the TSP that should be in distinct domain(s).
- The following text is added after paragraph 1276 for FPT_SEP.3-NIAP-0424 (differences from the FPT_SEP.3 wording are shown as [added: ...] and [deleted: ...]):
FPT_SEP.NIAP-0424-1 [deleted: Complete] [added: Isolated] reference monitor [added: domains]
The most important function provided by a TSF is the enforcement of its SFPs. This component builds upon the intentions of the previous components [added: (FPT_SEP.2-NIAP-0424 and FPT_SEP.3-NIAP-0424)] by requiring that [deleted: all] [added: each] access control and/or information flow control SFP[deleted: s] be enforced in [deleted: a] [added: its own] domain distinct from the remainder of the TSF [added: and other domains]. This further simplifies the design and increases the likelihood that the characteristics of a reference monitor (RM), in particular, being tamperproof, are found in the TSF.
Evaluator application notes
It is possible that a reference monitor in a layered design may provide
functions beyond those of the SFPs. This arises out of the practical nature of
layered software design. The goal should be to minimise the non-SFP related
functions.
Note that it is acceptable for the reference monitors for all included SFPs to
be in a single distinct reference monitor domain, as well as having multiple
reference monitor domains (each enforcing one or more SFPs). If multiple
reference monitor domains for SFPs are present, it is acceptable for them to
be either peers or in a hierarchical relationship.
SUPPORT:
This interpretation corrects the identified problem by adjusting the hierarchy
to make FPT_SEP.3 hierarchical to FPT_SEP.1, not FPT_SEP.2. To make clear that
placing each access control and information flow SFP into a separate domain
provides more security than having two or more SFPs in a single domain, an
additional component is added that is hierarchical to both FPT_SEP.2 and
FPT_SEP.3 that has each SFP in its own domain.
This change further corrects the inconsistency between CC Part 2 and
the CC Part 2 Annex in making clear that FPT_SEP.2 and FPT_SEP.3 may
have more than a single domain for the SFPs.
Note that both components (FPT_SEP.2 and FPT_SEP.3) allow for distinct domains
per SFP, and that both components are silent with respect to non-data
protection SFPs.
Note: This interpretation is superseding a previously-approved formal
interpretation primarily to reflect modifications to the interpretation
format. The intent of the interpretation has not been changed,
although some specifics of the criteria changes or the support may have been
clarified or corrected.
2003-07: The CCIMB issued the following statement:
This National Interpretation is an incorrect interpretation of the CC:
The National Interpretation incorrectly presumes that two components are not
hierarchical if the assignments and selections of the lower one can be
completed to result in the higher one. This is not the case. In fact, many of
the families are designed to have the higher component cover all of some
aspect, and the higher component provide only a subset of that aspect. If the
lower component could be completed to exceed the higher one, the relationship
would not be a hierarchy. While the difference in wording between FDP_SEP.2.3
and 3.3 is potentially confusing, it results from the fact that only a subset
of policies need be covered by SEP.2. If all policies are covered, then "those
SFPs" becomes "all SFPs", which is the same as "the TSP".