NIAP: View Technical Decision Details
Archived TD0498:  Application Software PP Security Objectives and Requirements Rationale

Publication Date
2020.01.31

Protection Profiles
PP_APP_v1.3

Other References
Section 4.3 and Section 5.2

Issue Description

Evaluation of the PP during the first evaluation found failed work units for APE_OBJ.2 and APE_REQ.2. Therefore, the PP needs to be updated to add the Security Objectives Rationale and SFR Rationale.

Resolution

Updated 05/28/2020: Changed Security Assurance Requirements from 5.3 to 5.2 to account for new 5.2 Security Objectives Rationale.

Section 4.3 is replaced as follows:

4.3 Security Objectives Rationale

This section describes how the assumptions, threats, and organizational security policies map to the security objectives.

Threat/Assumption/OSP | Objective | Rationale

T.NETWORK_ATTACK

An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may engage in communications with the application software or alter communications between the application software and other endpoints in order to compromise it.

O.PROTECTED_COMMS

The threat T.NETWORK_ATTACK is countered by O.PROTECTED_COMMS as this provides for integrity of transmitted data.

O.INTEGRITY

The threat T.NETWORK_ATTACK is countered by O.INTEGRITY as this provides for integrity of software that is installed onto the system from the network.

O.MANAGEMENT

The threat T.NETWORK_ATTACK is countered by O.MANAGEMENT as this provides for the ability to configure the application to defend against network attack.

T.NETWORK_EAVESDROP

An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may monitor and gain access to data exchanged between the application and other endpoints.

O.PROTECTED_COMMS

The threat T.NETWORK_EAVESDROP is countered by O.PROTECTED_COMMS as this provides for confidentiality of transmitted data.

O.QUALITY

The objective O.QUALITY ensures use of mechanisms that provide protection against network-based attack.

O.MANAGEMENT

The threat T.NETWORK_EAVESDROP is countered by O.MANAGEMENT as this provides for the ability to configure the application to protect the confidentiality of its transmitted data.

T.LOCAL_ATTACK

An attacker can act through unprivileged software on the same computing platform on which the application executes. Attackers may provide maliciously formatted input to the application in the form of files or other local communications.

O.QUALITY

The objective O.QUALITY protects against the use of mechanisms that weaken the TOE with regard to attack by other software on the platform.

T.PHYSICAL_ACCESS

An attacker may try to access sensitive data at rest.

O.PROTECTED_STORAGE

The objective O.PROTECTED_STORAGE protects against unauthorized attempts to access physical storage used by the TOE.

A.PLATFORM

OE.PLATFORM

The operational environment objective OE.PLATFORM is realized through A.PLATFORM.

A.PROPER_USER

OE.PROPER_USER

The operational environment objective OE.PROPER_USER is realized through A.PROPER_USER.

A.PROPER_ADMIN

OE.PROPER_ADMIN

The operational environment objective OE.PROPER_ADMIN is realized through A.PROPER_ADMIN.

The current Section 5.2, Security Assurance Requirements, is renumbered as Section 5.3 Security Assurance Requirements. All subsections 5.2.x are renumbered 5.3.x.

A new Section 5.2 is added as follows:

Section 5.2 TOE Security Requirements Rationale

The following rationale provides justification for each security objective for the TOE, showing that the SFRs are suitable to meet and achieve the security objectives:

Objective | SFR | Rationale

O.INTEGRITY


FDP_DEC_EXT.1

The PP includes FDP_DEC_EXT.1 to limit access to platform hardware resources, which limits the methods by which an attacker can attempt to compromise the integrity of the TOE.

FMT_CFG_EXT.1

The PP includes FMT_CFG_EXT.1 for the TSF to limit unauthorized access to itself by preventing the use of default authentication credentials and by ensuring that the TOE uses appropriately restrictive platform permissions on its binaries and data.

FPT_AEX_EXT.1

The PP includes FPT_AEX_EXT.1 to add complexity to the task of compromising systems by ensuring that the application is compatible with security features provided by the platform vendor and that the application implements platform-provided anti-exploitation features such as ASLR and stack overflow protection.

FPT_TUD_EXT.1

The PP includes FPT_TUD_EXT.1 to ensure that the TOE can be patched and that any updates to the TOE have appropriate integrity protection.

O.QUALITY

FCS_CKM_EXT.1

The PP supports this objective by allowing FCS_CKM_EXT.1 to specify that the TSF may rely on platform-provided key generation services.

FCS_RBG_EXT.1

The PP supports this objective by allowing FCS_RBG_EXT.1 to specify that the TSF may rely on platform-provided random bit generation services.

FCS_STO_EXT.1

The PP supports this objective by allowing FCS_STO_EXT.1 to specify that the TSF may rely on platform-provided credential storage services.

FDP_DAR_EXT.1

The PP supports this objective by allowing FDP_DAR_EXT.1 to specify that the TSF may rely on platform-provided data-at-rest protection services.

FMT_MEC_EXT.1

The PP includes FMT_MEC_EXT.1 to ensure that the TOE can use platform services to store and set configuration options.

FPT_API_EXT.1

The PP includes FPT_API_EXT.1 to require the TOE to leverage platform functionality by using only documented and supported APIs.

FPT_LIB_EXT.1

The PP includes FPT_LIB_EXT.1 to ensure that the TOE does not include any unnecessary or unexpected third-party libraries which could present a privacy threat or vulnerability.

FTP_DIT_EXT.1

The PP supports this objective by allowing FTP_DIT_EXT.1 to specify that the TSF may rely on platform-provided services to implement trusted communications.

FCS_CKM.1(1) (selection-based)

The PP supports this objective by allowing FCS_CKM.1(1) to specify that the TSF may rely on platform-provided asymmetric key generation services.

FCS_CKM.2 (selection-based)

The PP supports this objective by allowing FCS_CKM.2 to specify that the TSF may rely on platform-provided key establishment services.

FIA_X509_EXT.1 (selection-based)

The PP supports this objective by allowing FIA_X509_EXT.1 to specify that the TSF may rely on platform-provided X.509 certificate validation services.

FPT_TUD_EXT.2 (selection-based)

The PP includes FPT_TUD_EXT.2 to specify that the TOE may leverage the platform-supported package manager for application distribution and may leverage platform-provided mechanisms to remove all traces of itself when removed from the platform.

FPT_API_EXT.2 (objective)

The PP includes FPT_API_EXT.2 to permit the TOE to use platform-provided libraries for parsing IANA MIME media formats.

O.MANAGEMENT

FMT_SMF.1

The PP includes FMT_SMF.1 to define the security-relevant management functions that are supported by the TOE.

FPR_ANO_EXT.1

The PP includes FPR_ANO_EXT.1 to define how the TSF provides control to the user regarding the disclosure of any PII.

FPT_IDV_EXT.1

The PP includes FPT_IDV_EXT.1 to provide a methodology for identifying the TOE versioning.

FPT_TUD_EXT.1

The PP includes FPT_TUD_EXT.1 to define how updates to the TOE are deployed and verified.

FCS_COP.1(3) (selection-based)

The PP includes FCS_COP.1(3) to define the mechanism used to verify TOE updates if the TOE implements this functionality rather than the underlying platform.

O.PROTECTED_STORAGE

FCS_RBG_EXT.1

The PP includes FCS_RBG_EXT.1 to define whether random bit generation services are implemented by the TSF or the platform. Depending on how data at rest is protected, the TOE may rely on the use of a random bit generator to create keys that are subsequently used for data protection.

FCS_STO_EXT.1

The PP includes FCS_STO_EXT.1 to define the mechanism that the TSF uses or relies upon to protect stored credential data.

FDP_DAR_EXT.1

The PP includes FDP_DAR_EXT.1 to define the mechanism that the TSF uses or relies upon to protect sensitive data at rest.

FCS_CKM.1(2) (optional)

The PP includes FCS_CKM.1(2) to define the TOE’s capability to generate symmetric keys. These keys may subsequently be used to encrypt stored credential data based on the claims made in FCS_STO_EXT.1.

FCS_CKM.1(3) (selection-based)

The PP includes FCS_CKM.1(3) to define the password-based key derivation function that may be used to encrypt stored credential data based on the claims made in FCS_STO_EXT.1.

FCS_COP.1(1) (selection-based)

The PP includes FCS_COP.1(1) to define the AES cryptographic algorithm that may be used to encrypt stored credential data based on the claims made in FCS_STO_EXT.1.

FCS_COP.1(2) (selection-based)

The PP includes FCS_COP.1(2) to define integrity mechanisms that may be used by the TOE as part of ensuring that data at rest is protected.

FCS_COP.1(4) (selection-based)

The PP includes FCS_COP.1(4) to define HMAC mechanisms that may be used by the TOE as part of ensuring that data at rest is protected.

FCS_RBG_EXT.2 (selection-based)

The PP includes FCS_RBG_EXT.2 to define the TOE’s implementation of random bit generation functionality in the event that the TOE provides this function in support of generating keys that are used for data protection.

O.PROTECTED_COMMS

FCS_RBG_EXT.1

The PP includes FCS_RBG_EXT.1 to define whether the random bit generation services used in establishing trusted communications are implemented by the TSF or by the platform.

FCS_CKM_EXT.1

The PP includes FCS_CKM_EXT.1 to specify whether the TOE or the platform is responsible for generation of any asymmetric keys that may be used for establishing trusted communications.

FTP_DIT_EXT.1

The PP includes FTP_DIT_EXT.1 to define the trusted channels used to protect data in transit, the data that is protected, and whether the trusted channels are implemented by the TSF or the platform.

FCS_CKM.1(1) (selection-based)

The PP includes FCS_CKM.1(1) to define whether the TSF or the platform generates asymmetric keys that are used in support of trusted communications.

FCS_CKM.2 (selection-based)

The PP includes FCS_CKM.2 to define whether the TSF or the platform performs key establishment for trusted communications.

FCS_COP.1(1) (selection-based)

The PP includes FCS_COP.1(1) to define the symmetric encryption algorithms used in support of trusted communications.

FCS_COP.1(2) (selection-based)

The PP includes FCS_COP.1(2) to define the hash algorithms used in support of trusted communications.

FCS_COP.1(3) (selection-based)

The PP includes FCS_COP.1(3) to define the digital signature algorithms used in support of trusted communications.

FCS_COP.1(4) (selection-based)

The PP includes FCS_COP.1(4) to define the HMAC algorithms used in support of trusted communications.

FCS_RBG_EXT.2 (selection-based)

The PP includes FCS_RBG_EXT.2 to define the DRBG algorithms used in support of trusted communications.

FCS_HTTPS_EXT.1 (selection-based)

The PP includes FCS_HTTPS_EXT.1 to define the TOE’s support for the HTTPS trusted communications protocol.

FDP_NET_EXT.1

The PP includes FDP_NET_EXT.1 to define the TOE’s usage of network communications, which may include the transmission or receipt of data over a trusted channel.

FIA_X509_EXT.1 (selection-based)

The PP includes FIA_X509_EXT.1 to define X.509 certificate validation activities in support of trusted communications.

FIA_X509_EXT.2 (selection-based)

The PP includes FIA_X509_EXT.2 to define the trusted communications that X.509 certificate services support, as well as the extent to which trusted communications can be established when using a certificate with unknown validity.
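The two tables above are what the failed APE_OBJ.2 and APE_REQ.2 work units asked for: a complete trace from every threat and assumption to an objective, and from every TOE objective to SFRs. The following added example (not part of the TD or of PP_APP_v1.3) transcribes both mappings from the text above and checks that trace mechanically, so that an ST author or evaluator can spot an uncovered threat or an objective with no SFR backing before submission.

```python
# Added example, not part of the TD: encode the Section 4.3 and Section 5.2
# rationale tables and check them the way APE_OBJ.2 / APE_REQ.2 do.

# Section 4.3: threat or assumption -> security objectives (transcribed from the TD)
OBJECTIVES_FOR = {
    "T.NETWORK_ATTACK": {"O.PROTECTED_COMMS", "O.INTEGRITY", "O.MANAGEMENT"},
    "T.NETWORK_EAVESDROP": {"O.PROTECTED_COMMS", "O.QUALITY", "O.MANAGEMENT"},
    "T.LOCAL_ATTACK": {"O.QUALITY"},
    "T.PHYSICAL_ACCESS": {"O.PROTECTED_STORAGE"},
    "A.PLATFORM": {"OE.PLATFORM"},
    "A.PROPER_USER": {"OE.PROPER_USER"},
    "A.PROPER_ADMIN": {"OE.PROPER_ADMIN"},
}

# Section 5.2: TOE objective -> SFRs (transcribed; selection-based/optional markers dropped)
SFRS_FOR = {
    "O.INTEGRITY": {"FDP_DEC_EXT.1", "FMT_CFG_EXT.1", "FPT_AEX_EXT.1", "FPT_TUD_EXT.1"},
    "O.QUALITY": {"FCS_CKM_EXT.1", "FCS_RBG_EXT.1", "FCS_STO_EXT.1", "FDP_DAR_EXT.1",
                  "FMT_MEC_EXT.1", "FPT_API_EXT.1", "FPT_LIB_EXT.1", "FTP_DIT_EXT.1",
                  "FCS_CKM.1(1)", "FCS_CKM.2", "FIA_X509_EXT.1", "FPT_TUD_EXT.2",
                  "FPT_API_EXT.2"},
    "O.MANAGEMENT": {"FMT_SMF.1", "FPR_ANO_EXT.1", "FPT_IDV_EXT.1", "FPT_TUD_EXT.1",
                     "FCS_COP.1(3)"},
    "O.PROTECTED_STORAGE": {"FCS_RBG_EXT.1", "FCS_STO_EXT.1", "FDP_DAR_EXT.1",
                            "FCS_CKM.1(2)", "FCS_CKM.1(3)", "FCS_COP.1(1)", "FCS_COP.1(2)",
                            "FCS_COP.1(4)", "FCS_RBG_EXT.2"},
    "O.PROTECTED_COMMS": {"FCS_RBG_EXT.1", "FCS_CKM_EXT.1", "FTP_DIT_EXT.1", "FCS_CKM.1(1)",
                          "FCS_CKM.2", "FCS_COP.1(1)", "FCS_COP.1(2)", "FCS_COP.1(3)",
                          "FCS_COP.1(4)", "FCS_RBG_EXT.2", "FCS_HTTPS_EXT.1", "FDP_NET_EXT.1",
                          "FIA_X509_EXT.1", "FIA_X509_EXT.2"},
}


def check_rationale(objectives_for, sfrs_for):
    """Return a sorted list of traceability gaps; an empty list means the rationale is complete."""
    gaps = [f"{src}: no objective addresses it" for src, objs in objectives_for.items() if not objs]
    # Only TOE objectives (O.*) need SFRs; OE.* objectives are met by the environment.
    toe_objs = {o for objs in objectives_for.values() for o in objs if o.startswith("O.")}
    for obj in toe_objs - set(sfrs_for):
        gaps.append(f"{obj}: counters a threat but has no SFR rationale")
    for obj in set(sfrs_for) - toe_objs:
        gaps.append(f"{obj}: has SFR rationale but counters no threat")
    gaps += [f"{obj}: empty SFR list" for obj, sfrs in sfrs_for.items() if not sfrs]
    return sorted(gaps)


def sfrs_countering(threat, objectives_for=OBJECTIVES_FOR, sfrs_for=SFRS_FOR):
    """Full trace for one threat: the union of SFRs behind every objective that counters it."""
    return set().union(*(sfrs_for.get(o, set()) for o in objectives_for[threat]))
```

Running check_rationale(OBJECTIVES_FOR, SFRS_FOR) on the transcribed tables returns no gaps; removing an objective from SFRS_FOR or adding an objective that no threat uses produces a one-line finding naming it.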


Justification

See issue description.
