The Hard Disk Security Module (HSM) is a software module executed on Multi-Function Printer (MFP) hardware and is contained on an SD memory card or DIMM-ROM providing adaptability to various MFP devices. The HSM is delivered in a kit and each kit is adaptable to a suitable MFP device. The kit contains the software either on a SD memory card or DIMM-ROM, an Operating Instruction Booklet or a CD-ROM containing the Operating Instruction Booklet and a Keytop version for each type of MFP device. Table 1 in the Security Target identifies and describes the HSM kit, the item, and the MFP devices suitable for each HSM kit type.
\r\nThe HSM software provides the MFP with functionality that overwrites the Temporary Area of the Hard Disk Device (HDD). The HSM function is automatic. Once installed on the MFP device, the overwriting function becomes effective immediately. It cannot be turned off, unless the software is removed. There is, however, a priority scheme. For practical MFP usability, the HSM function will become suspended if another application job accesses the HDD for writing or reading data. Once that job is completed, the HSM resumes. If the MFP power is disrupted either during HSM execution or if HSM is idle, upon power restore HSM is executed before user functionality can begin. An icon on the printer control panel displays indicates when the HSM overwrite process has completed.
The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the Hard Disc Security Module with imagio Security Module Type A, imagio Security Card Type A, DataOverwriteSecurity Unit Type A, and DataOverwriteSecurity Unit Type B TOE meets the security requirements contained in the Security Target.
The criteria against which the Hard Disc Security Module with imagio Security Module Type A, imagio Security Card Type A, DataOverwriteSecurity Unit Type A, and DataOverwriteSecurity Unit Type B TOE were judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.2. The COACT, Inc. CAFE Lab determined that the evaluation assurance level (EAL) for the Hard Disc Security Module with imagio Security Module Type A, imagio Security Card Type A, DataOverwriteSecurity Unit Type A, and DataOverwriteSecurity Unit Type B TOE is EAL 3. The TOE, configured as specified in the installation guide, satisfies all of the security functional requirements stated in the Security Target.
A Validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by the COACT, Inc. CAFE Lab. The evaluation was completed in March 2007. Results of the evaluation and associated validation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report.
","environmental_strengths":"The TOE’s Security Functions are:
\r\n
\r\nSF.RANDOMBUFFERS
\r\n
\r\nThe TOE Security Function SF.RANDOMBUFFERS generates buffers containing two passes of random data and one pass of nulls that are passed to the OS and used by the OS to overwrite copy and print data located in the Temporary Storage Area of the MFP HDD. SF.RANDOMBUFFERS inspects a table resident in memory (maintained by the IT Environment) for notification that residual data exists in the Temporary Storage Area of the MFP HDD. Upon discovery of the existence of residual data, SF.RANDOMBUFFERS seeks permission to begin the overwrite process. Once permission is given SF.RANDOMBUFFERS obtains random numbers from the IT Environment and generates buffers containing two passes of random data and one pass of nulls and sends these buffers to the OS to perform the overwrite. The TOE uses the standard rand() Unix function call for generating random numbers to populate the buffers with random data, but the TOE does not claim the use of a “random number generator” as specified by FIPS 140-2. The IT Environment is responsible for writing the supplied buffers to the designated locations on the HDD.
\r\n
\r\nSF.SELFPROTECT
\r\n
\r\nAt each start-up, MFP firmware outside the TOE boundary checks to see if the TOE is physically installed (i.e., the DIMM or SD memory card is present). If the TOE is present, the IT Environment loads it into RAM for execution as a separate process. In order to remove the software from the MFP, the DIMM or SD memory card must be physically removed and the MFP device restarted. The TOE uses limited interfaces and cannot be directly accessed by a user. These interfaces use standard Unix socket-based communication channels where each communication path has a specified ID that ensures an exclusive connection and prevents access by other modules.