[Public Interpretations Database]

I-0471: Objects In The TOE


TYPE:                 NIAP Interpretation
NUMBER:               I-0471
STATUS:               Ready to Send to Management/CCIMB

TITLE:                Objects In The TOE

SOURCE REFERENCE:     CC v2.2 Part 1 Subclause 2.3 GLOSSARY
                      CC v2.2 Part 2 Subclause 6.9 FDP_RIP
                      CC v2.2 Part 2 Subclause F.9 FDP_RIP
RELATED TO:
     I-0350           Clarification Of Resources/Objects For Residual Information Protection
CCIMB ENTRY:          CCIMB-INTERP-0213

ISSUE:

The requirement FDP_RIP uses the phrase "objects in the TOE," as well as the phrase "resource." It is unclear what these terms mean and what the distinction between them is.

STATEMENT:

The "objects in the TOE" to which FDP_RIP refers apply to the objects specified in the access control SFP(s) or the information flow SFP(s) as specified in the PP or ST.

The "resource" to which FDP_RIP refers is an entity that the TOE controls which may be serially re-used by different subjects to enable those subjects to perform the types of accesses that the access-control or information-flow rules allow them to perform. For FDP_RIP, examples of such re-usable resources include the hardware registers that support process execution, the memory page(s) to which a file from physical storage has been retrieved, and the buffer for a printer.

RECOMMENDED CRITERIA CHANGES:

No changes to the CC or CEM are required.

SUPPORT:

The CC Part 1 Glossary provides the following definitions:

  • OBJECT: An entity within the TSC that contains or receives information and upon which subjects perform operations.

  • RESOURCE: Anything useable or consumable in the TOE.

Section 1.3, Functional Requirements Paradigm, of CC Part 2 states the following regarding resources, subjects, and objects:

A TOE is an IT product or system (along with user and administrator guidance documentation) containing resources such as electronic storage media (e.g. disks), peripheral devices (e.g. printers), and computing capacity (e.g. CPU time) that can be used for processing and storing information and is the subject of an evaluation. [CC v2.2, Para 13]

TOE evaluation is concerned primarily with ensuring that a defined TOE Security Policy (TSP) is enforced over the TOE resources. The TSP defines the rules by which the TOE governs access to its resources, and thus all information and services controlled by the TOE. [CC v2.2, Para 14]

The primary goal of the TSF is the complete and correct enforcement of the TSP over the resources and information that the TOE controls. [CC v2.2, Para 28]

TOE resources can be structured and utilized in many different ways. However, CC Part 2 makes a specific distinction that allows for the specification of desired security properties. All entities that can be created from resources can be characterized in one of two ways. The entities may be active, meaning that they are the cause of actions that occur internal to the TOE and cause operations to be performed on information. Alternatively, the entities may be passive, meaning that they are either the container from which information originates or to which information is stored. [CC v2.2, Para 29]

Active entities are referred to as subjects. [CC v2.2, Para 30]

Passive entities (i.e., information containers) are referred to in the CC Part 2 security functional requirements as objects. Objects are the targets of operations that may be performed by subjects. In the case where a subject (an active entity) is the target of an operation (e.g., interprocess communication), a subject may also be acted on as an object. [CC v2.2, Para 32]

Objects can contain information. [CC v2.2, Para 33]

User data is information stored in TOE resources that can be operated on by users in accordance with the TSP and upon which the TSF places no special meaning. [CC v2.2, Para 35]

The User Notes for FDP_RIP in Annex F.9 of Part 2 state, "This family should apply to the objects specified in the access control SFP(s) or the information flow control SFP(s) as specified by the PP/ST author." [CC v2.2, Para 888] Recall that the FDP_ACF.1 component identifies the subjects, objects, and rules governing access to the user-data objects under the TOE's protection, while the FDP_IFF.1 component does the same for the subjects and user information under the TOE's protection. Familiar examples of such objects are data files, executable files, relational database tables, and directories. Of course, depending on how the PP/ST defines the user-data objects, the objects for a relational database, for example, may include not only tables but also more granular objects such as rows and columns.

The FDP_RIP User Notes also make clear the concerns of the FDP_RIP family:

  1. This family requires protection for information that has been logically deleted or released (not available to the user but still within the system and may be recoverable). In particular, this includes information that is contained in an object, as part of the TSF reusable resources, where destruction of the object does not necessarily equate to destruction of the resource or any contents of the resource. [CC v2.2, Para 882]

  2. It also applies to resources that are serially reused by different subjects within the system. For example, most operating systems typically rely upon hardware registers (resources) to support processes within the system. As processes are swapped from a "run" state to a "sleep" state (and vice versa), these registers are serially reused by different subjects. While this "swapping" action may not be considered an allocation or deallocation of a resource, FDP_RIP could apply to such events and resources. [CC v2.2, Para 883]

The objective of the FDP_RIP components is to prevent unauthorized disclosure of the information that has been placed in the re-usable resource. The TSF may meet that objective by emptying the resource or otherwise making unreadable the information contained in it (e.g., overwriting the information with zeros or nulls) either before the next subject needs it (that is, at resource allocation) or after the current subject is finished using it (that is, at resource de-allocation).
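As an added illustration (not part of this interpretation or of the CC text), the following C sketch models a re-usable resource, a fixed pool of buffers handed serially to different subjects, together with the two TSF strategies described above: wiping the resource at de-allocation or at allocation, compared against doing neither. The pool, the policy enum and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed pool of serially re-used buffers; hypothetical, not CC text. */
#define BUF_SIZE 32
#define POOL_SIZE 2
enum rip_policy { RIP_NONE, RIP_ON_DEALLOC, RIP_ON_ALLOC };
struct pool { enum rip_policy policy; uint8_t buf[POOL_SIZE][BUF_SIZE]; int in_use[POOL_SIZE]; };

/* Wipe through a volatile pointer so the compiler cannot optimise the stores away. */
static void secure_wipe(uint8_t *p, size_t n) {
    volatile uint8_t *vp = p;
    while (n--) *vp++ = 0;
}

/* Resource allocation: hand the first free slot to the requesting subject. */
static uint8_t *pool_alloc(struct pool *pl) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pl->in_use[i]) continue;
        pl->in_use[i] = 1;
        if (pl->policy == RIP_ON_ALLOC) secure_wipe(pl->buf[i], BUF_SIZE);
        return pl->buf[i];
    }
    return NULL;
}

/* Resource de-allocation: release the slot for the next subject. */
static void pool_free(struct pool *pl, uint8_t *b) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pl->buf[i] != b) continue;
        if (pl->policy == RIP_ON_DEALLOC) secure_wipe(b, BUF_SIZE);
        pl->in_use[i] = 0;
    }
}

/* Subject A writes user data and releases the buffer; subject B then receives
   the same slot. Returns how many of A's bytes B can still read (NUL excluded). */
int residual_bytes(enum rip_policy policy) {
    static const uint8_t secret[] = "subject A user data";  /* constructed sample */
    struct pool pl = { .policy = policy };
    uint8_t *a = pool_alloc(&pl);
    memcpy(a, secret, sizeof secret);
    pool_free(&pl, a);
    uint8_t *b = pool_alloc(&pl);  /* same resource, serially re-used */
    int leaked = 0;
    for (size_t i = 0; i < sizeof secret - 1; i++)
        if (b[i] == secret[i]) leaked++;
    return leaked;
}
```

With `RIP_NONE` every byte of subject A's data is readable by subject B; with either wiping policy none is, which is the property FDP_RIP asks the TSF to provide.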

As mentioned above, the CC considers an object to be a TOE entity that "contains or receives information and upon which subjects may perform [permitted] operations." While the FDP class addresses the protection of objects, the FRU class, Resource Utilization, is concerned with controlling and protecting the TOE resources that support or assist object creation, protection, and access--for example, processing capability, disk space, CPU cycles, communications channels, and buffers.