NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0567:  Security Objectives Rationale, SFR Rationale, and Implicitly Satisfied SFRs

Publication Date
2021.01.28

Protection Profiles
PP_BASE_VIRTUALIZATION_V1.0

Other References
Sections 4.3 and 5.3, Appendix G

Issue Description

Evaluation of the PP during the first evaluation found failed work units. Therefore, the PP needs to be updated to update the Security Objectives Rationale, add the SFR Rationale, and add an Implicitly Satisfied SFRs Appendix.

Resolution

Section 4.3 Security Objectives Rationale for A.NON_MALICIOUS_USER is updated to address OE.CONFIG as follows:

Replace A.NON_MALICIOUS_USER with the following:

Threat, Assumption, or OSP

Objective

Rationale

A.NON_MALICIOUS_USER

OE.NON_MALICIOUS_USER

 

 

 

 

OE.CONFIG

If the organization properly vets and trains users, it is expected that they will be non-malicious.

 

If the TOE is administered by a non-malicious and non-negligent user, the expected result is that the TOE will be configured in a correct and secure manner.

Section 5.3 TOE Security Requirements Rationale is added as follows:

TOE Security Functional Requirements Rationale

The following rationale provides justification for each security objective for the TOE, showing that the SFRs are suitable to meet and achieve the security objectives:

Objective

Addressed By

Rationale

O.VM_ISOLATION

FDP_HBI_EXT.1

This SFR supports the objective by requiring the TSF to enforce VM isolation through limiting access to hardware resources.

FDP_PPR_EXT.1

This SFR supports the objective by requiring the TSF to enforce VM isolation through limiting access to hardware resources.

FDP_VMS_EXT.1

This SFR supports the objective by limiting the methods that can be used to transfer data between Guest VMs.

FDP_VNC_EXT.1

This SFR supports the objective by isolating virtual networks from one another.

FMT_MSA_EXT.1

This SFR supports the objective by defining the default security posture of data isolation between Guest VMs.

FPT_HCL_EXT.1

This SFR supports the objective by controlling the extent to which Guest VMs can interact indirectly with each other via hypercalls.

FPT_RDM_EXT.1

This SFR supports the objective by ensuring that removable media cannot be accessed simultaneously by multiple Guest VMs without authorization.

FPT_VIV_EXT.1

This SFR supports the objective by ensuring that a Guest VM cannot disrupt the functionality of another Guest VM.

O.VMM_INTEGRITY

FPT_DDI_EXT.1 (objective)

This SFR supports the objective by isolating physical device drivers from the VMM so that they cannot be used to attempt to modify the VMM.

FPT_INT_EXT.1 (objective)

This SFR supports the objective by providing a mechanism by which the VMM or a privileged VM can be used to introspect a Guest VM for the purpose of detecting potential threats to the VMM that originate within the Guest VM.

FMT_ML_EXT.1

This SFR supports the objective by implementing a mechanism that asserts the integrity of the VMM on startup.

FMT_SMO_EXT.1

This SFR supports the objective by isolating management traffic bound for the VMM from operational traffic transmitted to and from Guest VMs.

FPT_EEM_EXT.1

This SFR supports the objective by ensuring that platform-based security functions can be used to protect the integrity of the VMM.

FPT_HAS_EXT.1

This SFR supports the objective by allowing the VMM to support hardware-based assistance mechanisms to reduce its own attack surface.

FPT_HCL_EXT.1

This SFR supports the objective by controlling the extent to which Guest VMs can interact with the VMM via hypercalls.

FPT_VDP_EXT.1

This SFR supports the objective by ensuring that malformed data from a Guest VM cannot be used to compromise the VMM.

FPT_VIV_EXT.1

This SFR supports the objective by ensuring that a Guest VM cannot disrupt the functionality of the VMM.

O.PLATFORM_INTEGRITY

FDP_PPR_EXT.1

This SFR supports the objective by limiting the extent to which Guest VMs can interface with the physical platform.

FPT_DVD_EXT.1

This SFR supports the objective by limiting the extent to which a Guest VM can interface with the underlying platform.

FPT_VIV_EXT.1

This SFR supports the objective by ensuring that a Guest VM cannot disrupt the functionality of the underlying platform

O.DOMAIN_INTEGRITY

FPT_GVI_EXT.1 (optional)

This SFR supports the objective by defining a mechanism the TSF can use to ensure that the integrity of its Guest VMs has not been compromised.

FPT_HCL_EXT.1

This SFR supports the objective by controlling the extent to which Guest VMs can interact with the VMM via hypercalls.

FPT_INT_EXT.1 (objective)

This SFR supports the objective by providing a mechanism by which the VMM or a privileged VM can be used to introspect a Guest VM for the purpose of protecting it from compromise.

FPT_VIV_EXT.1

This SFR supports the objective by ensuring that a Guest VM cannot disrupt the functionality of another Guest VM.

FTP_ITC_EXT.1

This SFR supports the objective by reducing the likelihood that user actions are inadvertently performed against the wrong Guest VM.

FTP_ITC_EXT.2

This SFR supports the objective by reducing the likelihood that user actions are inadvertently performed against the wrong Guest VM.

O.MANAGEMENT_ACCESS

FAU_SAR.1

This SFR supports the objective by ensuring that audit data cannot be read by unauthorized subjects.

FCS_CKM.1

This SFR supports the objective by implementing cryptographic functions that are used to secure administrative interactions with the TSF.

FCS_CKM.2

This SFR supports the objective by implementing cryptographic functions that are used to secure administrative interactions with the TSF.

FCS_CKM_EXT.4

This SFR supports the objective by implementing cryptographic functions that are used to secure administrative interactions with the TSF.

FCS_COP.1(1)

This SFR supports the objective by implementing cryptographic functions that are used to secure administrative interactions with the TSF.

FCS_COP.1(2)

This SFR supports the objective by implementing cryptographic functions that are used to secure administrative interactions with the TSF.

FCS_COP.1(3)

This SFR supports the objective by implementing cryptographic functions that are used to secure administrative interactions with the TSF.

FCS_COP.1(4)

This SFR supports the objective by implementing cryptographic functions that are used to secure administrative interactions with the TSF.

FCS_HTTPS_EXT.1 (selection-based)

This SFR supports the objective by defining a specific cryptographic protocol that can be used to secure management data in transit.

FCS_IPSEC_EXT.1 (selection-based)

This SFR supports the objective by defining a specific cryptographic protocol that can be used to secure management data in transit.

FCS_RBG_EXT.1

This SFR supports the objective by giving the TOE access to a strong entropy source that can be used to generate strong keys for administrative sessions.

FCS_TLSS_EXT.1 (selection-based)

This SFR supports the objective by defining a specific cryptographic protocol that can be used to secure management data in transit.

FCS_TLSS_EXT.2 (selection-based)

This SFR supports the objective by defining a specific cryptographic protocol that can be used to secure management data in transit.

FIA_AFL_EXT.1

This SFR supports the objective by protecting against unauthorized access to administrative accounts.

FIA_PMG_EXT.1 (selection-based)

This SFR supports the objective by defining a password policy that reduces the likelihood of brute force password guessing.

FIA_UAU.5

This SFR supports the objective by defining the mechanisms the TSF uses to authenticate administrators.

FIA_UIA_EXT.1

This SFR supports the objective by ensuring that administrators must be identified and authenticated before access to the TSF is granted.

FIA_X509_EXT.1 (selection-based)

This SFR supports the objective by defining how the TSF validates X.509 certificates that may be presented to it as part of establishing a trusted channel.

FIA_X509_EXT.2 (selection-based)

This SFR supports the objective by defining how the TSF validates X.509 certificates that may be presented to it as part of establishing a trusted channel.

FTA_TAB.1

This SFR supports the objective by ensuring that administrators are presented with a warning banner that imputes actionable consequences for misuse of the TOE.

FTP_ITC_EXT.1

This SFR supports the objective by defining any trusted protocols used for remote administration.

FTP_TRP.1 (selection-based)

This SFR supports the objective by defining the use of a remote interface for management.

O.PATCHED_SOFTWARE

FPT_IDV_EXT.1 (objective)

This SFR supports the objective by defining a standardized method of externally identifying the TOE software version for inventory purposes.

FPT_TUD_EXT.1

This SFR supports the objective by defining a mechanism used to securely update the VMM.

FIA_X509_EXT.1 (selection-based)

This SFR supports the objective by defining how the TSF validates X.509 certificates that may be presented to it as an attestation of the authenticity and integrity of a software update.

FIA_X509_EXT.2 (selection-based)

This SFR supports the objective by defining how the TSF validates X.509 certificates that may be presented to it as an attestation of the authenticity and integrity of a software update.

FPT_TUD_EXT.2 (selection-based)

This SFR supports the objective by optionally using X.509 certificates as the method of validating software updates.

O.VM_ENTROPY

FCS_ENT_EXT.1

This SFR supports the objective by providing a mechanism for Guest VMs to have entropy data available for use.

FCS_RBG_EXT.1

This SFR supports the objective by giving the TOE access to a strong entropy source that can be used by Guest VMs.

O.AUDIT

FAU_GEN.1

This SFR supports the objective by ensuring that audit records are generated for security-relevant events.

 

FAU_STG.1

This SFR supports the objective by ensuring that audit data cannot be deleted without authorization or modified by any subject.

 

FAU_STG_EXT.1

This SFR supports the objective by requiring redundant storage of audit data.

FCS_HTTPS_EXT.1 (selection-based)

This SFR supports the objective by defining a specific cryptographic protocol that can be used to secure audit data in transit.

FCS_IPSEC_EXT.1 (selection-based)

This SFR supports the objective by defining a specific cryptographic protocol that can be used to secure audit data in transit.

FCS_TLSC_EXT.1 (selection-based)

This SFR supports the objective by defining a specific cryptographic protocol that can be used to secure audit data in transit.

FCS_TLSC_EXT.2 (selection-based)

This SFR supports the objective by defining a specific cryptographic protocol that can be used to secure audit data in transit.

FIA_X509_EXT.1 (selection-based)

This SFR supports the objective by defining how the TSF validates X.509 certificates that may be presented to it as part of establishing a trusted channel.

FIA_X509_EXT.2 (selection-based)

This SFR supports the objective by defining how the TSF validates X.509 certificates that may be presented to it as part of establishing a trusted channel.

FTP_ITC_EXT.1

This SFR supports the objective by defining the trusted protocols used for remote audit data transfer.

O.CORRECTLY_APPLIED_

CONFIGURATION

FAU_ARP.1 (optional)

This SFR supports the objective by requiring the TOE to take some action when a violation of a security policy is detected.

FAU_SAA.1 (optional)

This SFR supports the objective by defining the conditions that indicate a violation of a security policy.

FDP_PPR_EXT.1

This SFR supports the objective by defining the security policy used to govern Guest VM access to physical resources.

FDP_VNC_EXT.1

This SFR supports the objective by defining the security policy used to govern Guest VM access to network resources.

FMT_MSA_EXT.1

This SFR supports the objective by defining the default security policy for data sharing between VMs.

FPT_HCL_EXT.1

This SFR supports the objective by defining the security policy used to govern Guest VM access to Hypercall functions.

O.RESOURCE_ALLOCATION

FDP_RIP_EXT.1

This SFR supports the objective by ensuring that physical memory cannot be allocated to multiple Guest VMs.

FDP_RIP_EXT.2

This SFR supports the objective by ensuring that disk storage cannot be allocated to multiple Guest VMs.

 

 

Appendix G: Implicitly Satisfied Requirements is added as follows:

 

Appendix G: Implicitly Satisfied Requirements

This appendix lists requirements that should be considered satisfied by products successfully evaluated against this PP. However, these requirements are not featured explicitly as SFRs and should not be included in the ST. They are not included as standalone SFRs because it would increase the time, cost, and complexity of evaluation. This approach is permitted by [CC] Part 1, 8.2 Dependencies between components.

This information benefits systems engineering activities which call for inclusion of particular security controls. Evaluation against the PP provides evidence that these controls are present and have been evaluated.

Requirement

Rationale for Satisfaction

FAU_GEN.1 – Audit Data Generation

FAU_GEN.1 has a dependency on FPT_STM.1. While not explicitly stated in the PP, it is assumed that this will be provided by the underlying hardware platform on which the TOE is installed. This is because the TOE is installed as a software or firmware product that runs on general-purpose computing hardware so a hardware clock is assumed to be available.

FCS_CKM.1 – Cryptographic Key Generation

FCS_CKM.1 has a dependency on FCS_CKM.4. The extended SFR FCS_CKM_EXT.4 addresses this dependency by defining an alternate requirement for key destruction.

FCS_CKM.2 – Cryptographic Key Establishment

FCS_CKM.2 has a dependency on FCS_CKM.4. The extended SFR FCS_CKM_EXT.4 addresses this dependency by defining an alternate requirement for key destruction.

FCS_COP.1 – Cryptographic Operation

Each iteration of FCS_COP.1 has a dependency on FCS_CKM.4. The extended SFR FCS_CKM_EXT.4 addresses this dependency by defining an alternate requirement for key destruction.

FIA_X509_EXT.1 – X.509 Certificate Validation

FIA_X509_EXT.1 has a dependency on FPT_STM.1. While not explicitly stated in the PP, it is assumed that this will be provided by the underlying hardware platform on which the TOE is installed. This is because the TOE is installed as a software or firmware product that runs on general-purpose computing hardware so a hardware clock is assumed to be available.

FMT_SMR.2 – Restrictions on Security Roles

FMT_SMR.2 has a dependency on FIA_UID.1. The extended SFR FIA_UID_EXT.1 expresses this dependency by also requiring user identification for use of the TOE.

Justification

See issue description.

 
 
Site Map              Contact Us              Home