PRODUCT DESCRIPTION

The TOE is an application that runs on a mainframe computer running the IBM z/OS operating systems. The TOE provides two different levels of disk erasures. They are the ERASE and SECUREERASE functions. Disk erasures are actually performed by overwriting stored data to make the original data unrecoverable. This overwrite includes the VTOC (Volume Table of Contents) i.e. the disk directory. The TOE also provides a method to verify that user data has been erased. This is the VERIFY function.

The ERASE function overwrites every track of DASD with a track-length record, consisting of binary zeroes by default. This single overwrite will make all data originally on each track unrecoverable by any normal system program running anywhere that has direct access to the disk or through the disk control unit. Original data, however, may still be recoverable through sophisticated laboratory techniques and special programs whose purpose is to recover data on DASD by commanding the disk to skew read heads plus or minus a number of degrees. Any residual data recording on the "edge" of the track may be recoverable using such a technique.

The SECUREERASE function overwrites each DASD track a minimum of three times, writing a random pattern, a complement of the first pattern, and finally another random pattern, by default. This multiple overwrite process (optionally up to eight overwrites) makes the original data unrecoverable, even by sophisticated laboratory techniques applied to hard drives removed from the control unit.

The VERIFY function can be used to sample tracks on the erased volumes to insure that they have been erased. By default it verifies a percentage of the volume but can verify the entire volume if needed.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Innovation Data Processing, FDRERASE, Version 5.4, Level 50 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2 and International Interpretations effective on 28 January 2005. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.2, Revision 256, January 2004. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 2 augmented with ADV_SPM.1 and ALC_FLR.2 family of assurance requirements. The product, when configured as specified in the INNOVATION Data Processing Software Distribution Process Description and Software Distribution Facility User Guide and the INNOVATION Data Processing FDRPAS and FDRERASE User Manual and Installation Guide, satisfies all of the security functional requirements stated in the Innovation Data Processing, FDRERASE Security Target, Version 1.0. One validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in June 2005. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-05-0109, dated 5 August 2005) prepared by CCEVS.

ENVIRONMENTAL STRENGTHS

The TOE is a commercial product whose users require a low to moderate level of independently assured security. Innovation Data Processing, FDRERASE, Version 5.4, Level 50 is targeted at a relatively benign environment with good physical access security and competent TOE administrators and users. Within such environments, it is assumed that attackers will have a low attack potential. Innovation Data Processing, FDRERASE, Version 5.4, Level 50 supports the following five security functions:

• Security Audit - The TOE writes to every track on the DASD in order to erase it. If this operation fails, the I/O will be automatically retried by the disk subsystem (hardware) and by standard IBM error recovery software in the operating system.
  
  If the TOE finds the DASD is not off-line, the TOE will terminate with a non-zero completion code (return code) and output an error message with asterisks to the console and program listing indicating the erasure was incomplete, and the TOE will make no attempt to overwrite the data on that specific DASD volume.
  
• User Data Protection - The TOE provides two disk erasure functions: ERASE and SECUREERASE. Both functions overwrite DASD to ensure the risk of remaining residual data, if any, is commensurate with the risk of a person scavenging for user data. The ERASE function overwrites the DASD with one pass (or more, selectable by an input option, up to 8) of binary zero or of hexadecimal bytes chosen by the TOE user. The SECUREERASE function overwrites a DASD volume with a minimum of three passes (or more, selectable by an input option, up to 8) of hexadecimal bytes determined by the TOE.
  
  In addition, the TSF provides the VERIFY function to enable the TOE user to verify that physical tracks of the DASD have indeed been overwritten sufficiently that no residual information remains
  
• Security Management - The TOE provides two disk erasure options and identifies the DASD to be cleared.
  
  The TOE reports to the TOE user the outcome of a DASD overwrite, including: success; failure to access the DASD because the DASD is found to be on-line; and failure to overwrite a bad disk track after successive attempts.
  
  The TOE provides the VERIFY function, to enable the user to verify that physical tracks of a DASD have indeed been overwritten sufficiently that no residual information remains.
  
• Protection of Security Functions - Protection of Security FunctionsThe TOE protects against failure with loss of the secure state, which requires that the TOE preserve a secure state in the face of the identified failures. The TOE ensures that only DASD that has been varied off-line is available to the TOE. If it is not, the TOE will not attempt to overwrite the DASD and will report the failure to the TOE user. Also, the TOE checks before every write to see if the disk has been varied online; if so, the operation will be terminated with an error message.
  
  The TOE determines the manufacturer of the DASD before beginning to execute. This test is necessary since the external interface of the DASD for committing data to be written from a cache to the hard drive (termed "hardening") varies by manufacturer, and the TOE has to determine the type and size of DASD it is attempting to overwrite.
  
  Throughout the process of performing a DASD overwrite, the TOE continually monitors for any I/O errors on the write and other I/O issued to the disk. During an overwrite of a DASD, if twenty write errors are encountered, the TOE sends a message to the console and the TOE user identifying the DASD, and that the overwrite was a failure. The TOE then terminates and automatically returns to its inactive maintenance mode (i.e., resident in the authorized library on disk where it was originally installed).
  
• Resource Utilization - The TOE notifies the user an operation did not complete in the event of identified failures. When a failure to write to a specific area of DASD occurs because of damage to the surface of the DASD, the TSF makes multiple attempts to write to the area in an attempt to overwrite any data that may reside there. If this fails, the TOE will skip the affected area and can continue with the overwrite until the complete DASD volume has been overwritten.

Vendor Information

Innovation Data Processing
Thomas J. Meehan
973.890.7300
tmeehan@fdrinnovation.com

http://www.innovationdp.fdr.com/products/fdrerase/