The DigitalNet ACL Version 2.0.1 and eSNACC Version 1.3 is comprised of two software libraries that supply the IT-environment with a value needed to perform access control decisions based on X.509 certificates. The ACL portion of the TOE is composed of a high level library which can be used to perform an Access Control Decision F unction in accordance with the Partition Rule Based Access Control (PRBAC) processing requirements specified in the SDN.801 MISSI Access Control Concept and Mechanisms document. The ACL provides an Access Control Decision Function that determines if a subjects authorizations (contained in an X.501 Clearance attribute) allow the subject to access data labeled with specific sensitivity values. The ACL uses the Enhanced Sample Neufeld ASN.1 to C/C++ Compiler (eSNACC) portion of the TOE to perform decoding of certificates. eSNACC decodes X.509 Certificates, Certificate Revocation Lists and Attribute Certificates. To ensure that authorizations are commensurate with values in a security label ( formatted according to the RFC 2634 Enhanced Security Services for S/MIME specification), the ACL uses Security Policy Information Files (SPIFs). A SPIF is composed of a list of available authorizations and sensitivities along with their human readable bitmapped integer representations. SPIF syntax is defined in SDN.801. By using SPIFs, the ACL can support a variety of security policies and equivalency mappings between security policy values. The ACL checks a security label to ensure it includes a valid combination of security classification and security category values as specified in the SPIF.
\r\nThe TOE is a pair of software libraries that must be integrated into a trusted application to implement any security policies. The TOE itself does not completely implement any security policies; it makes an access control decision recommendation that must be enforced by the IT Environment to actually address any security threats.
\r\nThe TOE includes software development guidance to ensure that the libraries are properly integrated into an application in a manner that will meet the assumptions listed in the Security Target. It is the integrators/certifiers/accreditors responsibility to determine that these conditions are met for the specific integrated application..
\r\nThe libraries that comprise the TOE present some interfaces to an integrator that are not intended to be used in the evaluated configuration. The only external library interface covered by this evaluation is the ACDF. There are library interfaces present to perform ASN.1 unwrapping of certificates and many of the activities necessary to determine whether a digital certificate is correctly formatted and currently valid. The security functionality potentially provided by these interfaces (except when it is used internally between components of the TOE) is not part of this evaluation.
\r\nThe TOE was developed using the C++ programming language. Hence, the libraries could be ported to a wide variety of platforms. However, the actual product evaluation was only performed on a Windows 2000 platform using the Visual Studio C++ 6.0 Compiler. Since the tools used for compiling the libraries were included in the evaluation, this compiler must be used for the results of the evaluation to be considered valid.
","evaluation_configuration":null,"security_evaluation_summary":"The evaluation was performed under the Common Criteria Evaluation and Validation Scheme (CCEVS). The purpose of the evaluation was to demonstrate that the BAE Systems ACL Version 2.0.1 and eSNACC Version 1.3 Sensitive Data Protection; System Access Control product meets the EAL3 security assurance requirements augmented with ADV_IMP.1, ADV_LLD.1, ALC_LCD.1, and ALC_TAT.1 according to the Common Criteria for Information Technology Security Evaluation, Version 2.1 and Part 2 of the Common Methodology for Information Technology Security Evaluation, Version 1.0. Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by COACT, Inc. CAFE Lab. The evaluation was completed on April 21, 2005. The results of the BAE Systems ACL Version 2.0.1 and eSNACC Version 1.3 Sensitive Data Protection; System Access Control product evaluation can be found in the report CCEVS-VR-05-0083, “Common Criteria Evaluation and Validation Scheme Validation Report for BAE Systems Access Control Library Version 2.0.1 and eSNACC Version 1. 3” prepared by the CCEVS Validation Team.
\r\n","environmental_strengths":"N/A
","features":[]}