Compliant Product - FDRERASE/OPEN, Version 02, Level 05
Certificate Date: 29 January 2008
Validation Report Number: CCEVS-VR-VID10232-2008
Product Type: Sensitive Data Protection
Conformance Claim: EAL2 Augmented with ALC_FLR.2
PP Identifiers: None
CC Testing Lab: SAIC Common Criteria Testing Laboratory
The TOE is FDRERASE/OPEN provided by Innovation Data Processing, Inc. The TOE is an application and supporting operating system run on an x86 architecture computer system. The primary purpose of the TOE is to erase data from enterprise disk storage systems (i.e., large-scale storage systems with one or more hard disks containing system and user data) that an organization may be scrapping or decommissioning, selling or returning, reusing for a different purpose within the organization, or leaving behind at a recovery site (e.g., after a disaster recovery test), so as to prevent any access to data that may reside on a disk storage system leaving the organization's control. The TOE accomplishes erasure by overwriting, destroying any data residing on the disk storage system so that it is no longer accessible. The disk erasure techniques provided by the TOE and described in the Security Target offer successively higher levels of data erasure security: overwriting once or, as appropriate, overwriting multiple times using multiple data patterns and complements of those patterns, using suitable internal functions to ensure data is physically written to disk and to confirm that erasure did take place.
The ERASE function overwrites every sector of disk storage. The TOE writes sectors in increments, using binary zeroes by default. This single overwrite makes all data originally on each sector unrecoverable by any normal program running anywhere that has direct access to the disk or access through the disk control unit. The original data, however, may still be recoverable through sophisticated laboratory techniques and special programs whose purpose is to recover data on a disk by commanding the disk to skew its read heads plus or minus a number of degrees. Any residual data recorded on the “edge” of a sector may be recoverable using such a technique.
The SECUREERASE function overwrites each disk sector a minimum of three times, writing a random pattern, a complement of the first pattern, and finally another random pattern, by default. This multiple overwrite process (optionally up to eight overwrites) makes the original data unrecoverable, even by sophisticated laboratory techniques applied to hard drives removed from the control unit.
The VERIFY function can be used to sample sectors on the erased volumes to ensure that they have been erased. By default it verifies a percentage of the volume but can verify the entire volume if needed.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Innovation Data Processing, FDRERASE/OPEN, Version 02, Level 05 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 2 augmented with the ALC_FLR.2 family of assurance requirements. The product, when configured as specified in the INNOVATION Data Processing Software Distribution Process Description and Software Distribution Facility User Guide and the INNOVATION Data Processing FDRERASE/OPEN User Manual and Installation Guide, satisfies all of the security functional requirements stated in the Innovation Data Processing FDRERASE/OPEN Security Target, Version 1.0. Two Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in December 2007. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10232-2008, dated 29 January 2008) prepared by CCEVS.
The TOE is a commercial product whose users require a low to moderate level of independently assured security. Innovation Data Processing, FDRERASE/OPEN, Version 02, Level 05 is targeted at a relatively benign environment with good physical access security and competent TOE administrators and users. Within such environments, it is assumed that attackers will have a low attack potential. In addition, ALC_FLR.2 is selected as an appropriate augmentation because flaw remediation procedures provide greater assurance that security-related bugs will be fixed in a widely distributed commercial product.
Innovation Data Processing, FDRERASE/OPEN, Version 02, Level 05 supports the following five security functions:
Security Audit - The TOE records the results of its activities both in individual disk log files, which are maintained per function per disk (e.g., file “c0t1d0p0.erase.log” is the cumulative log of all erase functions performed on the disk identified as c0t1d0p0), and in a history file that provides a cumulative listing of all TOE activity. Both the individual disk log files and the cumulative history file are stored on the FDRERASE/OPEN key (USB flash drive) associated with the TOE. The TOE GUI provides the capability for the TOE user to view all contents of any of the individual disk log files and the cumulative history file. The TOE user can also view and print the individual disk logs and the cumulative history log that the TOE records on the FDRERASE/OPEN Key from Windows, or from any other operating system that will mount a USB flash drive.
Cryptographic support - The TOE hashes the user password using the SHA-1 cryptographic hashing algorithm as specified in FIPS PUB 180-2 Secure Hash Standard, 1 August 2002. The SHA-1 algorithm produces a 160-bit long hash of the password.
User Data Protection - The TOE provides two disk erasure functions: ERASE and SECUREERASE. Both functions overwrite disk storage to ensure the risk of remaining residual data, if any, is commensurate with the risk of a person scavenging for user data. The ERASE function overwrites a disk volume with one pass (or more, selectable by an input option, up to 8) of binary zero or of hexadecimal bytes chosen by the TOE user. The SECUREERASE function overwrites a disk volume with a minimum of three passes (or more, selectable by an input option, up to 8) of hexadecimal bytes determined by the TOE.
In addition, the TOE provides the VERIFY function to enable the TOE user to verify that physical sectors of the disk volume have indeed been overwritten sufficiently that no residual information remains.
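To make the mechanics of the three functions described above (and in the ERASE, SECUREERASE and VERIFY paragraphs earlier on this page) concrete, here is an added Python simulation. It is not the vendor's code and is not part of the original validation summary: it models ERASE as repeated writes of a user-chosen byte, SECUREERASE as a random pattern, its bitwise complement and a fresh random pattern, and VERIFY as a sampled read-back against the final pattern. The in-memory disk, the 512-byte sector size, the retry count, the read-back check after each write, the report dictionaries, and the contents of SECUREERASE passes beyond three are all this example's own assumptions.

```python
from __future__ import annotations

import math
import random

SECTOR_SIZE = 512   # bytes per sector in this simulation (assumption)
MAX_PASSES = 8      # the page states up to eight overwrites for either function


class SimulatedDisk:
    """In-memory stand-in for a disk volume (constructed for this example).

    Sectors start out holding pseudo-random 'user data' so a partial or failed
    overwrite is observable; bad_sectors models sectors that refuse writes.
    """

    def __init__(self, sector_count: int, seed: int = 1):
        rng = random.Random(seed)
        self.sectors = [bytes(rng.getrandbits(8) for _ in range(SECTOR_SIZE))
                        for _ in range(sector_count)]
        self.bad_sectors: set[int] = set()

    @property
    def sector_count(self) -> int:
        return len(self.sectors)

    def write(self, index: int, data: bytes) -> None:
        if index in self.bad_sectors:
            raise IOError(f"write to sector {index} failed")
        self.sectors[index] = data

    def read(self, index: int) -> bytes:
        return self.sectors[index]


def _make_rng(seed: int | None) -> random.Random:
    # A fixed seed keeps the example reproducible; a real erasure tool would
    # draw its patterns from an unpredictable source such as SystemRandom.
    return random.Random(seed) if seed is not None else random.SystemRandom()


def _random_sector(rng: random.Random) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(SECTOR_SIZE))


def erase_patterns(passes: int = 1, fill: int = 0x00) -> list[bytes]:
    """ERASE: one user-chosen byte (binary zero by default) written 1 to 8 times."""
    if not 1 <= passes <= MAX_PASSES:
        raise ValueError(f"passes must be between 1 and {MAX_PASSES}")
    return [bytes([fill]) * SECTOR_SIZE] * passes


def secureerase_patterns(passes: int = 3, seed: int | None = None) -> list[bytes]:
    """SECUREERASE: random pattern, its bitwise complement, then a fresh random pattern.

    The page does not say what passes four to eight contain; here (assumption)
    extra passes keep alternating random/complement ahead of the final random pass.
    """
    if not 3 <= passes <= MAX_PASSES:
        raise ValueError(f"passes must be between 3 and {MAX_PASSES}")
    rng = _make_rng(seed)
    patterns: list[bytes] = []
    while len(patterns) < passes - 1:
        rnd = _random_sector(rng)
        patterns.append(rnd)
        if len(patterns) < passes - 1:
            patterns.append(bytes(b ^ 0xFF for b in rnd))   # complement of the pattern
    patterns.append(_random_sector(rng))
    return patterns


def overwrite(disk: SimulatedDisk, patterns: list[bytes], retries: int = 3) -> dict:
    """Write every pattern to every sector, reading each sector back to confirm the
    write landed. Sectors still failing after `retries` attempts are reported, in the
    spirit of the page's 'failure to overwrite a bad disk sector' outcome."""
    bad: set[int] = set()
    for pattern in patterns:
        for i in range(disk.sector_count):
            for _ in range(retries):
                try:
                    disk.write(i, pattern)
                    if disk.read(i) == pattern:
                        break
                except IOError:
                    continue
            else:
                bad.add(i)
    outcome = "success" if not bad else "failure: bad sector(s) could not be overwritten"
    return {"passes": len(patterns), "final_pattern": patterns[-1],
            "bad_sectors": sorted(bad), "outcome": outcome}


def verify(disk: SimulatedDisk, final_pattern: bytes, percent: float = 10.0,
           full: bool = False, seed: int | None = None) -> dict:
    """VERIFY: sample a percentage of sectors (or every sector when full=True) and
    check that each still holds the final overwrite pattern."""
    n = disk.sector_count
    if full:
        indices = list(range(n))
    else:
        sample_size = max(1, math.ceil(n * percent / 100))
        indices = sorted(_make_rng(seed).sample(range(n), sample_size))
    mismatched = [i for i in indices if disk.read(i) != final_pattern]
    outcome = "success" if not mismatched else "failure: disk volume had not been erased"
    return {"checked": len(indices), "mismatched": mismatched, "outcome": outcome}


if __name__ == "__main__":
    disk = SimulatedDisk(sector_count=64, seed=7)
    report = overwrite(disk, secureerase_patterns(passes=3, seed=42))
    print(report["outcome"], "after", report["passes"], "passes")
    print(verify(disk, report["final_pattern"], percent=25, seed=1))
```

The read-back after each write stands in for the "suitable internal functions to ensure data is physically written to disk" that the page mentions; the sampled VERIFY only gives statistical confidence, which is why the page offers a full-volume verify when needed, and a sector that stays bad after retries is exactly the case where the page advises physical destruction of the drive.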
Authentication - The TOE requires the user to authenticate their authority to operate the TOE during installation by entering a “customer key value” and on subsequent start-ups by entering a password prior to allowing the user to access the functions of the TOE. The TOE user can lock (prevent) access to the TOE security features at any time. In addition, the TOE will lock the user’s session with the TOE if it does not detect any user activity for a user defined number of minutes. In order to unlock the session, the user must re-authenticate their authority by re-entering the password. An authentication password at TOE start-up is a requirement to operate the TOE in a manner that is consistent with CCEVS EAL2 certification prerequisites.
Security Management - The TOE provides two disk erasure options and identifies the disk storage to be cleared.
The TOE reports to the TOE user the outcome of a disk volume overwrite, including: success; failure to complete because the overwrite function was canceled; failure because the disk volume had already been erased; failure to access the disk because the disk volume could not be reserved to the system; and failure to overwrite a bad disk sector after successive attempts.
The TOE provides the VERIFY function, to enable the user to verify that physical sectors of a disk volume have indeed been overwritten sufficiently that no residual information remains. The TOE reports to the TOE user the outcome of a disk volume verify, including: success; failure to complete because the verify function was canceled; failure because the disk volume had not been erased; and failure to read a bad disk sector after successive attempts.
Protection of the TSF - The TOE ensures the security function that is to be executed cannot be bypassed by ensuring (where possible) that it has exclusive access to the target disk storage, issuing a hardware command to reserve the disk for its own use before initiating the security function. When a disk volume is reserved, there is no untrusted external interface to the disk storage while the TOE is in operation. To ensure this, the first thing the TOE does during execution for SCSI and Fibre Channel disks is reserve the disk volume. If the reservation fails, the TOE will not attempt to overwrite the disk storage and will report the failure to the TOE user. SCSI/ATA (SAT) disk volumes do not support or honor a hardware reserve command. Appropriate procedures should be established in the TOE IT environment to ensure SCSI/ATA (SAT) disk volumes are unmounted from all other systems.
Throughout the process of performing disk storage overwrite, the TOE continually monitors for any I/O errors on the write and other I/O issued to the disk. Channel hardware and Solaris 10 software error recovery are invoked to recover from errors if possible. If all recovery attempts fail, the user is warned that it was impossible to overwrite the disk. If the hardware will not allow the disk storage to be overwritten, then to absolutely ensure no data is accessible, the failing hard disks may need to be physically removed and destroyed.