Archived TD0109: VM Separation Assurance Activity in SVPP

Publication Date

Protection Profiles

Other References

Issue Description

The Assurance Activity for FDP_VMS_EXT.1 states that “FMT_MSA_EXT.1.2 is met if communication is unsuccessful in step (b).”  This Assurance Activity actually tests FMT_MSA_EXT.1.1.  Since FMT_MSA_EXT.1 relies exclusively on the FDP_VMS_EXT.1 AA to also serve as its AA, FMT_MSA_EXT.1.2 may not be fully tested by this AA in its current form.

Resolution

The FDP_VMS_EXT.1 AA has been updated to better test FMT_MSA_EXT.1.2.  The following is the updated assurance activity for FDP_VMS_EXT.1.  Note the changes to steps (a), (c), and the paragraph about FMT_MSA_EXT:

The evaluator shall examine the TSS to verify that it documents all inter-VM communications mechanisms (as defined above), including how the mechanisms are configured, how they are invoked, and how they are disabled.

The evaluator shall perform the following tests for each documented inter-VM communications channel:

    (a) Create two VMs, the first with the inter-VM communications channel currently being tested enabled, and the second with the inter-VM communications channel currently being tested disabled.
    (b) Test that communications cannot be passed between the VMs through the channel.
    (c) As an Administrator, enable inter-VM communications between the VMs on the second VM.
    (d) Test that communications can be passed through the inter-VM channel.
    (e) As an Administrator again, disable inter-VM communications between the two VMs.
    (f) Test that communications can no longer be passed through the channel.

FDP_VMS_EXT.1.2 is met if communication is successful in step (d) and unsuccessful in step (f).

FMT_MSA_EXT.1.1 is met if communication is unsuccessful in step (b).  FMT_MSA_EXT.1.2 is met if communication is successful in step (d).  Additionally, FMT_MSA_EXT.1 requires that the evaluator verifies that the TSS documents the inter-VM communications mechanisms as described above.
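To make the mapping from test steps to pass criteria concrete, the following is an added example, not part of this TD or of any SVPP-evaluated product: a Python model of a hypothetical hypervisor policy that runs steps (a) through (f) and maps the observed outcomes to the three verdicts stated above. The `Hypervisor` class, its flags and the two deliberately non-conformant variants are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical model of a hypervisor's inter-VM channel policy, constructed for
# this example; it is not any real TOE's API. A channel between two VMs is
# usable only when an Administrator has enabled it on both VMs.
@dataclass
class Hypervisor:
    channel_enabled: dict = field(default_factory=dict)  # VM name -> bool
    enforces_policy: bool = True   # False: channel is open regardless of settings
    honours_disable: bool = True   # False: disabling the channel has no effect

    def create_vm(self, name, channel_enabled):
        self.channel_enabled[name] = channel_enabled

    def admin_set_channel(self, name, enabled):
        # Model a TOE whose disable operation silently fails to take effect.
        if enabled or self.honours_disable:
            self.channel_enabled[name] = enabled

    def can_communicate(self, a, b):
        if not self.enforces_policy:
            return True
        return self.channel_enabled[a] and self.channel_enabled[b]

def run_fdp_vms_aa(hv):
    """Execute steps (a) to (f) of the updated FDP_VMS_EXT.1 assurance activity
    and record whether communication succeeded at steps (b), (d) and (f)."""
    hv.create_vm("vm1", channel_enabled=True)    # (a) first VM: channel enabled
    hv.create_vm("vm2", channel_enabled=False)   #     second VM: channel disabled
    b = hv.can_communicate("vm1", "vm2")         # (b) expected: blocked
    hv.admin_set_channel("vm2", True)            # (c) Administrator enables on second VM
    d = hv.can_communicate("vm1", "vm2")         # (d) expected: allowed
    hv.admin_set_channel("vm1", False)           # (e) Administrator disables between the two
    hv.admin_set_channel("vm2", False)
    f = hv.can_communicate("vm1", "vm2")         # (f) expected: blocked
    return {"b": b, "d": d, "f": f}

def verdicts(outcome):
    """Map the observed outcomes to the pass criteria stated in the AA."""
    return {
        "FDP_VMS_EXT.1.2": outcome["d"] and not outcome["f"],
        "FMT_MSA_EXT.1.1": not outcome["b"],
        "FMT_MSA_EXT.1.2": outcome["d"],
    }

if __name__ == "__main__":
    for label, hv in [("conformant", Hypervisor()),
                      ("channel always open", Hypervisor(enforces_policy=False)),
                      ("disable ignored", Hypervisor(honours_disable=False))]:
        print(label, verdicts(run_fdp_vms_aa(hv)))
```

The "disable ignored" variant shows why the criteria are separate: it still satisfies both FMT_MSA_EXT.1 elements but fails FDP_VMS_EXT.1.2 at step (f).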

The evaluator must ensure that the ST includes the following statement attesting that there are no ways for data to be transferred between VMs other than those listed in FDP_VMS_EXT.1.1:

A Guest VM cannot access the data of another Guest VM, or transfer data to another Guest VM other than through the mechanisms described in FDP_VMS_EXT.1.1 when expressly enabled by an authorized Administrator. There are no design or implementation flaws that permit the above mechanisms to be bypassed or defeated, or for data to be transferred through undocumented mechanisms. This claim does not apply to covert channels or architectural side-channels.

Justification

These changes ensure that FMT_MSA_EXT.1.2 is fully tested by the Assurance Activity for FDP_VMS_EXT.1 so that the AA for FMT_MSA_EXT.1 is met if the AA for FDP_VMS_EXT.1 is met.

