A Common Criteria Authoring Environment Supporting Composition *

Rance DeLong a, John Rushby
Computer Science Laboratory, SRI International, Menlo Park CA USA
a LynuxWorks and Santa Clara University
* Sponsored by AFRL via Raytheon

8th International Common Criteria Conference, Rome, Italy, September 25, 2007

Page 1: A Common Criteria Authoring Environment Supporting Composition *

A Common Criteria Authoring Environment Supporting Composition *

Rance DeLong a, John Rushby
Computer Science Laboratory, SRI International, Menlo Park CA USA

a LynuxWorks and Santa Clara University
* Sponsored by AFRL via Raytheon

8th International Common Criteria Conference
Rome, Italy, September 25, 2007

Page 2: A Common Criteria Authoring Environment Supporting Composition *

Relationship of the CCAE to the MIPP

We describe two complementary activities:

– a MILS Integration Protection Profile (MIPP), and
– a Common Criteria Authoring Environment (CCAE) to support authors of MILS PPs and STs

Together these can provide strategic coordination to the MILS community.

The CCAE will enable authors to produce reviewed PPs and STs of higher quality in less time, and ones that will better serve the common interests of the MILS community.

Rance DeLong, John Rushby SRI CC Authoring Environment

Page 3: A Common Criteria Authoring Environment Supporting Composition *

What CC protection profiles do:

The CC provides us with

– A structure for the development of security requirements specifications
– Independent functional and assurance dimensions (like ITSEC, unlike TCSEC)

[Figure: two axes, Functionality and Assurance; products can differ as "same function, different assurance" or "different function, same assurance"]

Page 4: A Common Criteria Authoring Environment Supporting Composition *

What CC protection profiles do: Constrain the space

CC Protection Profile concept

– Remedies some problems possible with ITSEC evaluations
  • Vendor could make claims for any point in the space of functionality × assurance and have those claims evaluated
  • Users were left comparing apples and oranges
– PPs constrain the space of compliant products
– PPs are written and evaluated by experts to present a “balanced” set of requirements to developers

Page 5: A Common Criteria Authoring Environment Supporting Composition *

What CC protection profiles do: Unconstrained Function × Assurance space

[Figure: Functionality vs. Assurance axes with two products, TOE1 and TOE2, at arbitrary points in the space]

Page 6: A Common Criteria Authoring Environment Supporting Composition *

What CC protection profiles do: Function × Assurance space constrained by protection profiles

[Figure: Functionality vs. Assurance axes with TOE PPa, TOE PPb and TOE PPc, each TOE placed at the point in the space its protection profile constrains it to]

Page 7: A Common Criteria Authoring Environment Supporting Composition *

CC-based product (TOE) development

We expect multiple TOEs of each product type and have expectations of a relationship among instances of Type and with instances of other types.

[Figure: CC → PP (Type) → ST1 (Type), ST2 (Type), ST3 (Type), ST4 (Type) → TOE1, TOE2, TOE3, TOE4]

[Figure: the PP / ST Authoring Process with its Inputs (Security problem, Constraints) and Outputs; the inputs and constraints are the critical determiners of the properties of the outputs]

Page 8: A Common Criteria Authoring Environment Supporting Composition *

MILS is based on composition of cooperating products defined by related Protection Profiles

– MILS Integration Protection Profile (MIPP)
– Separation Kernel (SKPP)
– Partitioning Communication System (PCSPP)
– MILS Console System (MCSPP)
– MILS Network System (MNSPP)
– MILS File System (MFSPP)
– . . .

Page 9: A Common Criteria Authoring Environment Supporting Composition *

MILS PPs are expected to achieve:

[Figure: from the CC, the protection profiles SKPP, PCSPP, MCSPP, MNSPP and MFSPP each give rise to several STs (ST SK, ST PCS, ST MCS, ST MNS, ST MFS) and evaluated products (SK1 to SK4, PCS1 to PCS4, Console1 to Console4, Network1 to Network4, File System1 to File System4). Any mix of these components integrates:
  System A = SK4 + PCS2 + Console1 + File System3 + Network3 !
  System B = SK1 + PCS3 + Console4 + File System4 + Network1 !
  ! = Successful integration]

Page 10: A Common Criteria Authoring Environment Supporting Composition *

MILS architecture is based on composition

– A dual challenge of high assurance and composition
– Components independently developed by different vendors
– Components are defined by Common Criteria-style protection profiles (PPs)
– The collection of PPs reflects an intended architecture
– The PPs must be in agreement with the architecture
– CCAE is a vehicle to achieve this agreement

Page 11: A Common Criteria Authoring Environment Supporting Composition *

Desirable composition support

Successful composition requires
– Policy composition (that enforced by each component’s TSF)
– Functional compositionality (foundational and operational)
– Functional interoperability (interfaces, interactions, behaviors)
– Results in additional constraints on PP/ST/TOE development

Apply CC CAP packages and ACO evaluation methodology

Constrain PP/ST development beyond current CC guidance
– Constraints flowed down from the MIPP
– Constraints from other community standards
– Constraints on definitions of concepts and vocabulary for expressing the security problem and security environment

Additional requirements in PPs
– Ensure additional requirements are represented in new PPs
– Apply uniformly across collection of composable products

Provide a parallel framework for non-CC composition requirements

Page 12: A Common Criteria Authoring Environment Supporting Composition *

How many PPs have been written

[Figure: the PP authoring process as practiced today. Inputs: CC v?.?, existing PP examples (not always good), domain expertise + security expertise (ideally), and the request “Produce a PP for X”; the process itself is a black box (? ? ?); its output PP X feeds the ST process, with review cycle(s)]

Page 13: A Common Criteria Authoring Environment Supporting Composition *

Challenges of PP authorship

– It takes a long time (2+ years) and a lot of effort ($$$)
– Very tedious and error-prone work
– Requires “legal” precision of language unfamiliar to some
– Bad examples are propagated like a virus
– Difficult to track differences in CC versions
– Difficult to assess impact of global change to MILS PP family
– Difficult to generate and maintain mappings in a PP
– Difficult to check consistency and completeness
– Difficult for PP to feed into further development
– Authors may have limited expertise in CC or security
– PP and ST authors have little guidance or ability to enforce / achieve shared standards
– Little support to structure the author’s PP development effort
– Nothing to assure that the MILS PPs will “hang together”

Page 14: A Common Criteria Authoring Environment Supporting Composition *

The CC Authoring Environment for MILS will provide (1/2)

Common Criteria in a structured, “machinable” form
– Capturing the semantic content
– A “Plugged-in CC”, instead of “CC Unplugged”

Library of documentation generation objects
– Foundation document object classes
– Formatting and typography rules

Catalog of (re)usable community standards:
– Definitions of basic CC and MILS terms
– MILS evaluator guidance and robustness level guidance
– Threats and countermeasures
– Bibliography of MILS-related references

Page 15: A Common Criteria Authoring Environment Supporting Composition *

The CC Authoring Environment for MILS will provide (2/2)

Mechanical checks
– Consistency
– Constraints needed for composability and compositionality
– Requirements traceability
– Analysis and statistics

Guidance based on expert knowledge base that can evolve and be adapted
– Security ontology
– Workflow rules
– Expert usage / instantiation patterns
– Decision support
– MILS Integration PP relationships and constraints
– CC documentation conventions
– Guidance for desired robustness level
– Evaluator guidance

Output that can be (re)consumed by CCAE and/or other tools

Page 16: A Common Criteria Authoring Environment Supporting Composition *

The CC Authoring Environment for MILS: Benefits (1/2)

– Achieve uniformity and sufficiency of PPs and STs
– Relieve much of the tedium, to better apply author’s effort
– Reduce/eliminate many types of errors and inconsistencies
– Reduce the document maintenance problem
– Shorten PP and ST development time and raise quality
– Can be used by authors and reviewers of PPs and STs to explore/query the information represented in the document
– Explore / create “what if” variants
– More easily adapt to later versions of the Common Criteria
– More easily incorporate evolving community standards
– More easily revisit existing PPs and STs when security environment or external requirements change

Page 17: A Common Criteria Authoring Environment Supporting Composition *

The CC Authoring Environment for MILS: Benefits (2/2)

– MILS PPs harmonized to achieve “additivity” property for foundational PPs
– Expert knowledge base can grow, adapt, come from new sources, and be refined and effectively be passed on to others
– Automated repeatable checking encourages continuous QA
– Produce a database representing the current stage of product definition that can be input to the next stage (e.g., PP --> ST --> …)
– Produce output that can be consumed by other tools during product development
– Provide a vehicle for applying / propagating the MILS Integration PP constraints to all MILS component PPs and guaranteeing coherence
– Help ensure that the PP or ST remains a living part of the definition and development of a product

Page 18: A Common Criteria Authoring Environment Supporting Composition *

The CC Authoring Environment for MILS: What it is Not

Not a pushbutton protection profile
– Not a “Protection Profiles for Dummies”
– Not a substitute for a knowledgeable author
– It IS a power tool for subject matter experts

Not a simple “template” for a protection profile
– It IS more like a class library, with inheritance, that must be instantiated and specialized for a particular PP

Page 19: A Common Criteria Authoring Environment Supporting Composition *

Users of the CCAE

[Figure: Authors, Reviewers, Evaluators and Certifiers each work through their own CCAE instance on the shared PP and ST]

Page 20: A Common Criteria Authoring Environment Supporting Composition *

Future Vision for the CCAE

MILS Collaborative Portal - web services-based
– Centralized support for authors, reviewers, evaluators, and developers
– Online repository

MILS Coordination Services Framework
– MILS Component Interoperability - avoid “semantic dissonance”
– Support for evaluation documentation development

MILS Component Interoperability
– Synergistic with another SRI project (ONISTT) that has developed a workable approach to improvisational interoperability of complex DoD systems
– ONISTT concepts / implementation techniques similar to CCAE: expert knowledge, ontologies, reasoning engine, Prolog/OWL/XML

Evaluation Documentation (ADV) Support
– A natural and direct extension of CCAE support for PP/ST development

Page 21: A Common Criteria Authoring Environment Supporting Composition *

Collaboration

– Collaboration without meetings
– Partial automation of informal social process*
– Keep central repository of expert knowledge
– No distribution or update headaches
– Seamless way to provide feedback in a semantically rich way
– Medium for formal “buyer-seller” contracts
– Community of authors, reviewers, developers, evaluators, integrators, certifiers

* Bunch Of People Sitting Around a Table

Page 22: A Common Criteria Authoring Environment Supporting Composition *

CCAE Collaborative Environment

[Figure: Authors, Reviewers, Evaluators, Certifiers and a Developer, each with a CCAE instance, connected through a shared Collaboration Environment; the artifacts exchanged are PPs, STs and ADV (evaluation documentation)]

Page 23: A Common Criteria Authoring Environment Supporting Composition *

CC Authoring Environment illustrated

[Figure: architecture of the CCAE. The PP/ST Author and Project Team work through a UI Agent on the Current Document Factbase (Document Creation/Revision). Inputs: Parent PP, MILS TOE Concept, or TOE Flow-down Requirements. Resources: Rule Base (CC Component Operation Rules, Semantic Rules, Relational Model, Workflow Rules); Doc Creation Library (Conventions, Doc component classes, Doc generators: PP, ST, FSP); Env Library (Components, CC SFRs/SARs, Interps, CIM, Security Ontology, Resource Registry, MILS Integration Framework). Processing: Doc Assembly, Catalog Selection, Checking, Rewriting, Inference, Rule Execution, Queries, XML generation. Outputs: PP, ST, stats; Documents & Reports through Rendering & Conversion (XML; PDF, DOCX, XLSX, …); Document Publishing; Exchange or Export; CCAE Document Repository]

Page 24: A Common Criteria Authoring Environment Supporting Composition *

Negotiation model of interaction

Objective: Achieve a PP that is acceptable to both CCAE and the author
– There is considerable latitude in this outcome -- we do not want to force too specific an embodiment or restrict the author’s creativity

2-party negotiation
– The author and CCAE share the Objective
– Both the author and CCAE acknowledge they don’t have perfect knowledge of an “evaluatable” PP -- that will be externally decided in evaluation
– Author brings initiative, understanding, creativity, and common sense
– CCAE brings process framework and an array of techniques serving as a proxy for a true oracle
– The CCAE works with the author from the start
– The parties rest when both are satisfied with the PP to the extent of their ability -- then it goes to review or evaluation

Staged development
– CCAE can work in stages with an incomplete PP
– Each stage concentrates on a particular aspect of the PP development
– Allows interim review versions
– Can apply gradually increasing threshold of acceptability as PP completed

Page 25: A Common Criteria Authoring Environment Supporting Composition *

Libraries - e.g. environment library

“Plugged-In” Common Criteria, by versions
– Lifetime of last official version, 13 months (proves the point!)
– CC versions 2.3 and 3.1 available in XML
  • CC parses into Prolog terms with existing SGML / XML parser
  • Build relations within the CC, e.g., dependencies, EALs, custom EALs
  • Index back to text in XML for display and export
  • Relations to MILS ontology and expert knowledge
– Support for older versions would require some labor

MILS technology and security ontology
– Create with Protégé/OWL
– OWL (Ontology Web Language) library for Prolog
– Create a consistent and semantically rich representation of security threats, policies, assumptions, objectives, functional countermeasures, and assurance measures
– MILS conventions and standards
– Flow-down constraints from MILS Integration PP

Page 26: A Common Criteria Authoring Environment Supporting Composition *

Expert Knowledge

PP authors may not be security experts and/or may not have written a PP before

We would like to effectively bring to the author the knowledge of experts:
– Security engineering
– Evaluation requirements and methodology
– Academia and security research
– Common Criteria model, methodology, and documentation
– MILS architecture

Evolving and improving on an on-going basis

Distributed and applied by authors as quickly as possible

Page 27: A Common Criteria Authoring Environment Supporting Composition *

Simplified relational model of a PP

[Figure: the relations among Threats, Policies and Assumptions; Security Objectives and Environment Security Objectives; Functional Requirements (SFRs, classes FAU, FCO, FCS, FDP, FIA, FMT, FPR, FPT, FRU, FTA, FTP); Assurance Requirements (SARs, classes APE, ASE, ADV, AGD, ALC, ATE, AVA, ACO); and Environment Requirements]

Let
  T   = universe of threats
  [objectives]  = universe of security objectives
  [policies]    = universe of organizational policies
  SFR = universe of CC security functional requirements
  [assumptions] = universe of assumptions
  SAR = universe of CC security assurance requirements

PP space = ( 2^T × 2^[objectives] × 2^[policies] × 2^SFR × 2^[assumptions] × 2^SAR )

Page 28: A Common Criteria Authoring Environment Supporting Composition *

Simplified Relational Model of a PP

The -anchored space PP of tuples

PP = ( 2^T × 2^[objectives] × 2^[policies] × 2^SFR × 2^[assumptions] × 2^SAR )

represents all possible PP relations.

The relation E:

E ⊆ ( 2^T × 2^[objectives] × 2^[policies] × 2^SFR × 2^[assumptions] × 2^SAR )

is an oracle accepting “evaluable” PPs.

The relation M ⊆ E is an oracle accepting evaluable MILS PPs.

E and M are unknowable a priori.

Page 29: A Common Criteria Authoring Environment Supporting Composition *

M_CCAE: Approximation of M

[Figure: nested sets inside PP = ( 2^T × 2^[objectives] × 2^[policies] × 2^SFR × 2^[assumptions] × 2^SAR ): E inside PP, M inside E, M_CCAE overlapping M, and the candidate M_C]

– E ⊆ PP: evaluable PPs
– M ⊆ E: MILS evaluable PPs
– M_C: a candidate member of M

CCAE drives M_C toward M by measuring consistency and coverage with respect to M_CCAE

Page 30: A Common Criteria Authoring Environment Supporting Composition *

Expert Guidance and Advice (1/3)

The concept: bring a dynamic body of expert knowledge to bear from the start of every authoring activity

Knowledge acquisition
– Explicit rule encoding
– Generalization from expert interaction on specific authoring projects
– Harmonization of knowledge from different experts

Knowledge application
– Expert patterns constructed from expert knowledge base
– Author patterns are constructed from the draft PP
– Author patterns are “compared”* to expert patterns
– Advice is generated for the author’s consideration

Negotiation model of interaction
– author and system negotiate an acceptable PP

* fuzzy unification

Page 31: A Common Criteria Authoring Environment Supporting Composition *

Expert Guidance and Advice (2/3)

A simple example . . .

[Figure: the Expert Knowledge Rule Base (Security analyst rule, Countermeasures rule, Certification rule, Robustness (EAL) rule), applied over Threats/Policies, Objectives, SFRs, SARs and Assumptions, produces the expert pattern m: threats t1, t2 and policy p1 lead to objective o1; o1 is realized by countermeasures f and g; the assurance measures are a1, a2, a3, a4]

Page 32: A Common Criteria Authoring Environment Supporting Composition *

Expert Guidance and Advice (3/3)

A simple example . . .

[Figure: Expert pattern m: t1, t2, p1 → o1 → f, g; assurance measures a1, a2, a3, a4. Draft PP pattern m': t1, p1 → o1 → g; assurance measures a2, a3. Comparing m' against m by inference + fuzzy unification yields the advice below]

Advice
– Threat t2 may be an unidentified threat
– Objective o1 is customarily realized by countermeasure f in addition to g
– Assurance measures a1 and a4 may be needed due to the EAL sought and a certification requirement associated with countermeasure f
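The worked example of the three "Expert Guidance and Advice" slides, carried through in code. This is an added example, not the CCAE's implementation: it represents the expert pattern m and the draft PP pattern m' as tuples of sets over the relational model of the earlier slides, generates the three pieces of advice shown above, and computes the "consistency and coverage" by which CCAE drives M_C toward M as simple ratios of matching facts. The rule base (certification rule f needs a1; robustness rule for the EAL sought needs a2, a3, a4), the EAL value 4, the Pattern and ExpertKB classes and the crisp set matching that stands in for fuzzy unification are all assumptions made here.

```python
"""Expert pattern vs. draft PP pattern: generate advice and measure
consistency/coverage.  Added example (not the CCAE's code); the rule base,
the pattern representation and the crisp (non-fuzzy) matching are
assumptions made here to illustrate the slides' example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Pattern:
    """A PP pattern over the relational model: identified threats and
    policies, the objectives, which countermeasures (SFR-level) realize
    each objective, and the assurance measures (SAR-level) claimed at
    the EAL sought."""
    threats: FrozenSet[str]
    policies: FrozenSet[str]
    objectives: FrozenSet[str]
    realizes: Dict[str, FrozenSet[str]]  # objective -> countermeasures
    assurance: FrozenSet[str]
    eal: int

    def facts(self) -> Set[Tuple[str, ...]]:
        """Flatten the pattern into atomic facts so two patterns compare."""
        f: Set[Tuple[str, ...]] = set()
        f |= {("threat", t) for t in self.threats}
        f |= {("policy", p) for p in self.policies}
        f |= {("objective", o) for o in self.objectives}
        f |= {("realizes", o, cm) for o, cms in self.realizes.items() for cm in cms}
        f |= {("assurance", a) for a in self.assurance}
        return f


@dataclass
class ExpertKB:
    """Constructed expert knowledge base (assumption): the expert pattern m
    plus the certification and robustness (EAL) rules from the slide."""
    pattern: Pattern
    certification: Dict[str, FrozenSet[str]]  # countermeasure -> assurance measures it needs
    eal_minimum: Dict[int, FrozenSet[str]]    # EAL -> minimum assurance measures


FS = frozenset

# Expert pattern m from the slides: t1, t2, p1 -> o1 -> f, g; a1..a4.
EXPERT = ExpertKB(
    pattern=Pattern(FS({"t1", "t2"}), FS({"p1"}), FS({"o1"}),
                    {"o1": FS({"f", "g"})}, FS({"a1", "a2", "a3", "a4"}), eal=4),
    certification={"f": FS({"a1"})},          # certification rule (assumed): f needs a1
    eal_minimum={4: FS({"a2", "a3", "a4"})},  # robustness rule (EAL value assumed)
)

# Draft PP pattern m' from the slides: t1, p1 -> o1 -> g; a2, a3.
DRAFT = Pattern(FS({"t1"}), FS({"p1"}), FS({"o1"}),
                {"o1": FS({"g"})}, FS({"a2", "a3"}), eal=4)


def advise(draft: Pattern, kb: ExpertKB) -> List[str]:
    """Compare the draft pattern with the expert pattern rule by rule and
    return advice for the author's consideration."""
    m = kb.pattern
    advice: List[str] = []

    # Security-analyst rule: threats the expert pattern expects but the draft omits.
    for t in sorted(m.threats - draft.threats):
        advice.append(f"Threat {t} may be an unidentified threat")

    # Countermeasures rule: objectives realized by fewer countermeasures than customary.
    recommended: Set[str] = set()
    for o in sorted(draft.objectives):
        expected = m.realizes.get(o, FS())
        present = draft.realizes.get(o, FS())
        missing = expected - present
        recommended |= missing
        if missing:
            extra = f" in addition to {', '.join(sorted(present))}" if present else ""
            advice.append(f"Objective {o} is customarily realized by countermeasure "
                          f"{', '.join(sorted(missing))}{extra}")

    # Certification and robustness (EAL) rules: assurance measures still needed,
    # counting countermeasures the draft has plus those just recommended.
    reasons: Dict[str, str] = {}
    for a in sorted(kb.eal_minimum.get(draft.eal, FS()) - draft.assurance):
        reasons[a] = f"EAL {draft.eal} sought"
    in_use = set().union(*draft.realizes.values()) | recommended
    for cm in sorted(in_use):
        for a in sorted(kb.certification.get(cm, FS()) - draft.assurance):
            reasons[a] = f"certification requirement associated with countermeasure {cm}"
    for a in sorted(reasons):
        advice.append(f"Assurance measure {a} may be needed ({reasons[a]})")
    return advice


def consistency_and_coverage(draft: Pattern, kb: ExpertKB) -> Tuple[float, float]:
    """Consistency: share of the draft's facts that agree with the expert
    pattern.  Coverage: share of the expert pattern's facts the draft has.
    Operationalized here as plain ratios (an assumption)."""
    d, m = draft.facts(), kb.pattern.facts()
    return len(d & m) / len(d), len(d & m) / len(m)


if __name__ == "__main__":
    for line in advise(DRAFT, EXPERT):
        print("Advice:", line)
    print("consistency, coverage =", consistency_and_coverage(DRAFT, EXPERT))
```

On this input the draft is fully consistent with the expert pattern (everything it says, the expert agrees with) but covers only six of the ten expert facts, which is exactly the gap the four advice lines enumerate; a draft equal to m yields no advice and coverage 1.0, the "both parties satisfied" state of the negotiation model.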

Page 33: A Common Criteria Authoring Environment Supporting Composition *

Summary and Recommendations

– MIPP establishes architectural relationships and constraints on components; CCAE provides a vehicle to support composition by managing constraints among component PPs
– CCAE can facilitate CC-based PP/ST process and also provide framework for extra-CC coordination
– Future versions of CC could consider some of the issues that have motivated our work
  – Product lines, product families, “polymorphic PPs”
  – Changes to systems, integration for systems-of-systems
  – Explicit assurance cases to focus efforts
  – Elevated component element levels, for higher EALs
  – Elevated PP/ST scope/depth/rigor at higher EALs

Page 34: A Common Criteria Authoring Environment Supporting Composition *

Grazie

Fine

Page 35: A Common Criteria Authoring Environment Supporting Composition *

CCAE-supported author, reviewer, evaluator tasks

Task: CCAE support
– Choose security environment (threats, policies, assumptions): ontology provides a common framework
– Derive security objectives: ontology and expert knowledge guidance
– Select SFR/SARs from CC catalog: check correspondence to security objectives
– Complete SFR/SAR component operations: tracked in work flow
– Define new component operations for ST: tracked in work flow
– Supply mappings and rationale: tracked in work flow and relational model

Page 36: A Common Criteria Authoring Environment Supporting Composition *

CCAE-supported author, reviewer, evaluator tasks

Task: CCAE support
– Fashion explicit SFR/SARs: help avoid gratuitous departure from CC
– Select EAL and guarantee it is met: ensure minimums for EAL are met despite explicit requirements
– Assess conformance to abstract PP model: quantitative measurement against model and scoring
– Assure proper use of CC conventions: conventions applied to form, semantics, typography
– Assure accuracy of CC text and versions: “automated” version of CC built into CCAE
– Assure dependencies and consistency: apply known dependencies in CC and knowledge base
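The "build relations within the CC, e.g., dependencies" step of the environment-library slide and the "assure dependencies and consistency" task above, as an added example that is not the CCAE's code. A small catalog excerpt in a constructed XML layout (the CC's own XML schema is not shown on the slides) is parsed into a component-to-dependency relation, a draft PP's SFR selection is checked for unmet dependencies including the CC's "[A or B]" any-of groups, and the closure the author would need to pull in is suggested. The component ids and dependency pairs are hand-entered from CC Part 2 v3.1 as an illustrative excerpt; verify them against the catalog version actually plugged in. Python is used here where the CCAE itself works in Prolog terms.

```python
"""Dependency and version checks over a 'plugged-in' CC catalog.  Added
example, not the CCAE's code: the XML layout below is constructed for this
example, and the component ids and dependency pairs are a hand-entered
excerpt of CC Part 2 v3.1; verify against the catalog version in use."""
import xml.etree.ElementTree as ET
from typing import Dict, FrozenSet, List, Set

# Constructed catalog excerpt.  A <dep> holding "A|B" is an any-of group,
# the CC's "[A or B]" style of dependency.
CATALOG_XML = """
<catalog version="3.1">
  <class id="FAU">
    <component id="FAU_GEN.1"><dep>FPT_STM.1</dep></component>
    <component id="FAU_SAR.1"><dep>FAU_GEN.1</dep></component>
  </class>
  <class id="FDP"><component id="FDP_ACC.1"/></class>
  <class id="FIA">
    <component id="FIA_UID.1"/>
    <component id="FIA_UAU.1"><dep>FIA_UID.1</dep></component>
  </class>
  <class id="FMT">
    <component id="FMT_SMF.1"/>
    <component id="FMT_SMR.1"><dep>FIA_UID.1</dep></component>
    <component id="FMT_MSA.1">
      <dep>FDP_ACC.1|FDP_IFC.1</dep><dep>FMT_SMR.1</dep><dep>FMT_SMF.1</dep>
    </component>
  </class>
  <class id="FPT"><component id="FPT_STM.1"/></class>
</catalog>
"""

Catalog = Dict[str, List[FrozenSet[str]]]  # component -> dependency groups


def parse_catalog(xml_text: str) -> Catalog:
    """Parse the catalog XML into the relation component -> [any-of groups]."""
    catalog: Catalog = {}
    for comp in ET.fromstring(xml_text).iter("component"):
        groups = [frozenset(d.text.strip().split("|")) for d in comp.findall("dep")]
        catalog[comp.attrib["id"]] = groups
    return catalog


def unmet_dependencies(selected: Set[str], catalog: Catalog) -> Dict[str, List[str]]:
    """Report, per selected component, the dependency groups that no selected
    component satisfies; ids absent from this catalog version are flagged too
    (the 'accuracy of CC text and versions' check)."""
    problems: Dict[str, List[str]] = {}
    for cid in sorted(selected):
        if cid not in catalog:
            problems[cid] = ["not in this catalog version"]
            continue
        unmet = [" or ".join(sorted(g)) for g in catalog[cid] if not (g & selected)]
        if unmet:
            problems[cid] = unmet
    return problems


def suggested_additions(selected: Set[str], catalog: Catalog) -> Set[str]:
    """Close the selection under dependencies, taking the alphabetically
    first member of each any-of group, so the author sees what the draft
    would have to pull in (the author still chooses among alternatives)."""
    chosen = set(selected)
    added: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for cid in sorted(chosen):
            for group in catalog.get(cid, []):
                if not (group & chosen):
                    pick = sorted(group)[0]
                    chosen.add(pick)
                    added.add(pick)
                    changed = True
    return added


if __name__ == "__main__":
    cat = parse_catalog(CATALOG_XML)
    draft = {"FAU_SAR.1", "FIA_UAU.1", "FMT_MSA.1"}
    for cid, groups in unmet_dependencies(draft, cat).items():
        print(f"{cid}: unmet {groups}")
    print("suggested additions:", sorted(suggested_additions(draft, cat)))
```

The any-of groups are the reason a plain "is the dependency present" lookup is not enough: the check must pass when either alternative is selected, and the suggested closure must pick one rather than demand both. Re-running the check on the closed selection returns no problems, which is the fixed point a staged review would want to see before the PP goes to evaluation.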