1 a common criteria authoring environment supporting composition * rance delong a, john rushby...
TRANSCRIPT
1
A Common CriteriaA Common CriteriaAuthoring EnvironmentAuthoring Environment
Supporting CompositionSupporting Composition**
Rance DeLonga, John Rushby
Computer Science LaboratorySRI InternationalMenlo Park CA USA
a LynuxWorks and Santa Clara University* Sponsored by AFRL via Raytheon
8th International8th InternationalCommon Criteria ConferenceCommon Criteria Conference
Rome, ItalyRome, ItalySeptember 25, 2007September 25, 2007
2
Relationship of the CCAE to the MIPPRelationship of the CCAE to the MIPPWe describe We describe two complementary activitiestwo complementary activities::
– a a MILS Integration Protection ProfileMILS Integration Protection Profile, and, and
– A A Common Criteria Authoring EnvironmentCommon Criteria Authoring Environment (CCAE) to support authors of MILS PPs and STs(CCAE) to support authors of MILS PPs and STs
Together these can provide Together these can provide strategic strategic coordinationcoordination to the MILS community. to the MILS community.
The CCAE will enable authors to produce The CCAE will enable authors to produce reviewed reviewed PPs and STs of higher quality in PPs and STs of higher quality in less timeless time, and ones that will better serve the , and ones that will better serve the common interests of the MILS communitycommon interests of the MILS community
Rance DeLong, John Rushby SRI CC Authoring Environment
3
What CC protection profiles do:What CC protection profiles do:The CC provides us withThe CC provides us with A structure for the development of security A structure for the development of security
requirements specificationsrequirements specifications
Independent functional and assurance Independent functional and assurance dimensions (like ITSEC, unlike TCSEC)dimensions (like ITSEC, unlike TCSEC)
Functionality
Assurance
same function, different assurance
different function, same assurance
Rance DeLong, John Rushby SRI CC Authoring Environment
4
What CC protection profiles do:What CC protection profiles do:Constrain the spaceConstrain the space
CC Protection Profile conceptCC Protection Profile concept– Remedies some problems possible with ITSEC Remedies some problems possible with ITSEC
evaluationsevaluations• Vendor could make claims for any point in the space of Vendor could make claims for any point in the space of
functionality functionality assurance and have those claims assurance and have those claims evaluatedevaluated
• Users were left comparing apples and orangesUsers were left comparing apples and oranges
– PPs constrain the space of compliant productsPPs constrain the space of compliant products– PPs are written and evaluated by experts to PPs are written and evaluated by experts to
present a “balanced” set of requirements to present a “balanced” set of requirements to developersdevelopers
Rance DeLong, John Rushby SRI CC Authoring Environment
5
What CC protection profiles do :What CC protection profiles do :Unconstrained Function Unconstrained Function Assurance space Assurance space
Functionality
Assurance TOE1
TOE2
Rance DeLong, John Rushby SRI CC Authoring Environment
6
What CC protection profiles do :What CC protection profiles do :Function Function Assurance space Assurance spaceconstrained by protection profilesconstrained by protection profiles
Functionality
Assurance
TOEPPa
TOEPPb
TOEPPc
Rance DeLong, John Rushby SRI CC Authoring Environment
7
CC PPType
ST1Type TOE1
Type
ST3Type TOE3
Type
ST2Type TOE2
Type
ST4Type TOE4
Type
CC-based product (TOE) developmentCC-based product (TOE) developmentWe expect multiple TOEs of each product type and
have expectations of a relationship among instances of Typeand with instances of other types
Rance DeLong, John Rushby SRI CC Authoring Environment
Constraints
Securityproblem
OutputsInputs
PP / STAuthoringProcess
Criticaldeterminers
of properties of Outputs
8
MILS is based on composition of MILS is based on composition of cooperating products defined by cooperating products defined by related Protection Profilesrelated Protection Profiles
MILS Integration Protection Profile (MIPP)MILS Integration Protection Profile (MIPP) Separation Kernel (SKPP)Separation Kernel (SKPP) Partitioning Communication System (PCSPP)Partitioning Communication System (PCSPP) MILS Console System (MCSPP)MILS Console System (MCSPP) MILS Network System (MNSPP)MILS Network System (MNSPP) MILS File System (MFSPP)MILS File System (MFSPP) . . .. . .
Rance DeLong, John Rushby SRI CC Authoring Environment
9
MILS PPs are expected to achieve:MILS PPs are expected to achieve:
CC
PCSPP
MCSPP
MNSPP
MFSPP
STPCS
STMCS
STMNS
STMFS
STPCS
STMCS
STMNS
STMFS
STPCS
STMCS
STMNS
STMFS
STPCS
STMCS
STMNS
STMFS
PCS2
Console2
Network2
File System2
PCS4
Console4
Network4
File System4
PCS1
Console1
Network1
File System1
PCS3
Console3
Network3
File System3
SKPP STSK
STSK
STSK
STSK
SK2
SK4
SK1
SK3SK4 PCS2
Console1 File System3
Network3!
SK1 PCS3
Console4 File System4
Network1!
System A
System B!
! = Successful integration
Rance DeLong, John Rushby SRI CC Authoring Environment
10
MILS architecture is MILS architecture is based on based on compositioncomposition A dual challenge of A dual challenge of high assurancehigh assurance and and compositioncomposition
Components independently developed by Components independently developed by different vendorsdifferent vendors
Components are Components are defined bydefined by Common Criteria-style protection Common Criteria-style protection profiles (profiles (PPsPPs))
The The collectioncollection of PPs reflects an intended of PPs reflects an intended architecturearchitecture
The PPs must The PPs must be in agreement withbe in agreement with the architecture the architecture
CCAE is a vehicle to achieve this agreementCCAE is a vehicle to achieve this agreement
Rance DeLong, John Rushby SRI CC Authoring Environment
11
Desirable composition supportDesirable composition support Successful composition requiresSuccessful composition requires
– Policy composition (that enforced by each component’s TSF)Policy composition (that enforced by each component’s TSF)– Functional compositionality (foundational and operational)Functional compositionality (foundational and operational)– Functional Interoperability (interfaces, interactions, behaviors)Functional Interoperability (interfaces, interactions, behaviors)– Results in additional constraints on PP/ST/TOE developmentResults in additional constraints on PP/ST/TOE development
Apply CC CAP packages and ACO evaluation methodologyApply CC CAP packages and ACO evaluation methodology Constrain PP/ST development beyond current CC guidanceConstrain PP/ST development beyond current CC guidance
– Constraints flowed-down from the MIPPConstraints flowed-down from the MIPP– Constraints from other community standardsConstraints from other community standards– Constraints on definitions of concepts and vocabulary for Constraints on definitions of concepts and vocabulary for
expressing the security problem and security environmentexpressing the security problem and security environment
Additional requirements in PPsAdditional requirements in PPs– Ensure additional requirements are represented in new PPsEnsure additional requirements are represented in new PPs– Apply uniformly across collection of composable productsApply uniformly across collection of composable products
Provide a parallel framework for non-CC composition Provide a parallel framework for non-CC composition requirementsrequirements
Rance DeLong, John Rushby SRI CC Authoring Environment
12
How many PPs have been writtenHow many PPs have been written
CC v?.?
Existing PP Examples (not always good)
Domain Expertise + Security Expertise(ideally)
PPX
? ? ?
“Produce a PPfor X”
STprocess
ReviewCycle(s)
Rance DeLong, John Rushby SRI CC Authoring Environment
13
Challenges of PP authorshipChallenges of PP authorship It takes a long time (It takes a long time (2+ years2+ years) and a lot of effort () and a lot of effort ($$$$$$))
Very Very tedioustedious and and error proneerror prone work work
Requires “legal” Requires “legal” precision of languageprecision of language unfamiliar to some unfamiliar to some
Bad examplesBad examples are propagated like a virus are propagated like a virus
Difficult to track differences in Difficult to track differences in CC versionsCC versions
Difficult to assess impact of Difficult to assess impact of global changeglobal change to MILS PP family to MILS PP family
Difficult to generate and Difficult to generate and maintain maintain mappings in a PPmappings in a PP
Difficult to check Difficult to check consistency and completenessconsistency and completeness
Difficult for PP to Difficult for PP to feed into further developmentfeed into further development
Authors Authors may have limited expertisemay have limited expertise in CC or security in CC or security
PP and ST authors have PP and ST authors have little guidance orlittle guidance or ability to enforce / achieve ability to enforce / achieve shared standardsshared standards
Little support to Little support to structure the author’s PP development effortstructure the author’s PP development effort
Nothing to assure that the MILS Nothing to assure that the MILS PPs will “hang together”PPs will “hang together”
Rance DeLong, John Rushby SRI CC Authoring Environment
14
The CC Authoring Environment for MILS The CC Authoring Environment for MILS will providewill provide (1/2) (1/2) Common Criteria in a structured, “machinable” formCommon Criteria in a structured, “machinable” form
– Capturing the semantic contentCapturing the semantic content– A A “Plugged-in CC”“Plugged-in CC” , instead of , instead of “CC Unplugged”“CC Unplugged”
Library of documentation generation objectsLibrary of documentation generation objects– Foundation document object classesFoundation document object classes– Formatting and typography rulesFormatting and typography rules
Catalog of (re)usable community standards:Catalog of (re)usable community standards:– Definitions of basic CC and MILS termsDefinitions of basic CC and MILS terms– MILS evaluator guidance and robustness level guidanceMILS evaluator guidance and robustness level guidance– Threats and countermeasuresThreats and countermeasures– Bibliography of MILS-related referencesBibliography of MILS-related references
Rance DeLong, John Rushby SRI CC Authoring Environment
15
The CC Authoring Environment for MILS The CC Authoring Environment for MILS will providewill provide (2/2) (2/2) Mechanical checksMechanical checks
– ConsistencyConsistency– Constraints needed for composability and compositionalityConstraints needed for composability and compositionality– Requirements traceabilityRequirements traceability– Analysis and StatisticsAnalysis and Statistics
Guidance based on expert knowledge base that can evolve and be adapted.Guidance based on expert knowledge base that can evolve and be adapted.– Security ontologySecurity ontology– Workflow rulesWorkflow rules– Expert usage / instantiation patternsExpert usage / instantiation patterns– Decision supportDecision support– MILS Integration PP relationships and constraintsMILS Integration PP relationships and constraints– CC documentation conventionsCC documentation conventions– Guidance for desired robustness levelGuidance for desired robustness level– Evaluator guidanceEvaluator guidance
Output that can be (re)consumed by CCAE and/or other toolsOutput that can be (re)consumed by CCAE and/or other tools
Rance DeLong, John Rushby SRI CC Authoring Environment
16
The CC Authoring Environment for MILS The CC Authoring Environment for MILS BenefitsBenefits (1/2) (1/2)
Achieve Achieve uniformityuniformity and and sufficiency sufficiency of PPs and STsof PPs and STs
Relieve Relieve much of themuch of the tedium tedium, to better apply author’s effort, to better apply author’s effort
Reduce/eliminateReduce/eliminate many types of many types of errors errors and inconsistenciesand inconsistencies
ReduceReduce the document the document maintenance maintenance problemproblem
Shorten Shorten PP and ST PP and ST development timedevelopment time and and raise qualityraise quality
Can be used by authors and reviewers of PPs and STs to Can be used by authors and reviewers of PPs and STs to explore/query explore/query the information representedthe information represented in the document in the document
Explore / Explore / create “what if” variantscreate “what if” variants
More easily More easily adapt to later versionsadapt to later versions of the Common Criteria of the Common Criteria
More easily More easily incorporate evolvingincorporate evolving community community standardsstandards
More easily More easily revisit existing PPs and STsrevisit existing PPs and STs when security environment or when security environment or external requirements changeexternal requirements change
Rance DeLong, John Rushby SRI CC Authoring Environment
17
The CC Authoring Environment for MILS The CC Authoring Environment for MILS BenefitsBenefits (2/2) (2/2)
MILS MILS PPs harmonizedPPs harmonized to achieve “additivity” property for foundational PPs to achieve “additivity” property for foundational PPs
Expert knowledgeExpert knowledge base can grow, adapt, come from new sources, and be base can grow, adapt, come from new sources, and be refinedrefined and effectively be and effectively be passed on to otherspassed on to others
AutomatedAutomated repeatable repeatable checkingchecking encourages continuous QA encourages continuous QA
Produce a Produce a databasedatabase representing the current stage of product definition representing the current stage of product definition that that can be input to the next stagecan be input to the next stage (e.g., PP --> ST --> … )(e.g., PP --> ST --> … )
Produce Produce outputoutput that that can be consumed by other toolscan be consumed by other tools during product during product developmentdevelopment
Provide a Provide a vehicle forvehicle for applying / propagating the applying / propagating the MILS Integration PPMILS Integration PP constraints to all MILS component PPs and guaranteeing coherenceconstraints to all MILS component PPs and guaranteeing coherence
Help ensure that the Help ensure that the PP or ST remains a living part ofPP or ST remains a living part of the definition and the definition and development of a productdevelopment of a product
Rance DeLong, John Rushby SRI CC Authoring Environment
18
TheCC Authoring Environment for MILS TheCC Authoring Environment for MILS What it is What it is NotNot
Not a pushbutton protection profileNot a pushbutton protection profile– Not a “Not a “Protection Profiles for DummiesProtection Profiles for Dummies””– Not a substitute for a knowledgeable authorNot a substitute for a knowledgeable author– It IS a power tool for subject matter expertsIt IS a power tool for subject matter experts
Not a simple “Not a simple “templatetemplate” for a protection profile” for a protection profile– It IS more like a It IS more like a class library, with inheritanceclass library, with inheritance, that must , that must
be be instantiated and specializedinstantiated and specialized for a particular PP for a particular PP
Rance DeLong, John Rushby SRI CC Authoring Environment
19
Users of the CCAEUsers of the CCAE
PP
CCAE
CCAE
CCAE
CCAE CCAE
ST
CCAE
CCAE
Author Author
Reviewers ReviewersEvaluators
Evaluators
CertifiersRance DeLong, John Rushby SRI CC Authoring Environment
20
Future Vision for the CCAEFuture Vision for the CCAE MILS Collaborative Portal - web services-basedMILS Collaborative Portal - web services-based
– Centralized support for authors, reviewers, evaluators, and developersCentralized support for authors, reviewers, evaluators, and developers– Online repositoryOnline repository
MILS Coordination Services Framework MILS Coordination Services Framework
MILS Component Interoperability - avoid “semantic dissonance”MILS Component Interoperability - avoid “semantic dissonance”– Support for evaluation documentation developmentSupport for evaluation documentation development
MILS Component InteroperabilityMILS Component Interoperability– Synergistic with another SRI project (ONISTT) that has developed a Synergistic with another SRI project (ONISTT) that has developed a
workable approach to improvisational interoperability of complex DoD workable approach to improvisational interoperability of complex DoD systemssystems
– ONISTT concepts / implementation techniques similar to CCAE: expert ONISTT concepts / implementation techniques similar to CCAE: expert knowledge, ontologies, reasoning engine, Prolog/OWL/XMLknowledge, ontologies, reasoning engine, Prolog/OWL/XML
Evaluation Documentation (ADV) SupportEvaluation Documentation (ADV) Support– A natural and direct extension of CCAE support for PP/ST developmentA natural and direct extension of CCAE support for PP/ST development
Rance DeLong, John Rushby SRI CC Authoring Environment
21
CollaborationCollaboration
Collaboration without meetingsCollaboration without meetings Partial automation of informal social process*Partial automation of informal social process* Keep central repository of expert knowledgeKeep central repository of expert knowledge No distribution or update headachesNo distribution or update headaches Seamless way to provide feedback in a semantically Seamless way to provide feedback in a semantically
rich wayrich way Medium for formal “buyer-seller” contractsMedium for formal “buyer-seller” contracts Community of authors, reviewers, developers, Community of authors, reviewers, developers,
evaluators, integrators, certifiersevaluators, integrators, certifiers
Rance DeLong, John Rushby SRI CC Authoring Environment
* Bunch Of People Sitting Around a Table
22
CCAE Collaborative EnvironmentCCAE Collaborative Environment
CCAE
CCAE
CCAE
CollaborationEnvironment
CCAE
CCAE
CCAE
Author
Author
Reviewers
Reviewers
Evaluators
Evaluators
Certifiers
PP
PP
ST
ST
CCAE
Rance DeLong, John Rushby SRI CC Authoring Environment
Developer
CCAE
ADV
23
CC Authoring Environment illustratedCC Authoring Environment illustrated
Rule BaseCC Component
Operation Rules,Semantic Rules,Relational Model,Workflow Rules
Doc CreationLibrary
Conventions,Doc comp classesDoc generators:PP, ST, FSP
Env LibraryComponents,CC SFRs/SARs,Interps, CIM,
Security Ontology,Resource RegistryMILS Integ FW
PP/ST Author
Parent PP,MILS TOE Concept,or TOE Flow-downRequirements
PP, ST, stats
DocumentPublishing
ProjectTeam
Exchangeor Export
Doc Assembly, Catalog Selection,Checking, Rewriting, Inference, Rule Execution, Queries, XML gen
XML
PDF, DOCX,XLSX, …
CurrentDocumentFactbase
Document Creation/Rev
ision
Documents& Reports
Rendering & Conversion
CCAEDocumentRepository
UI Agent
Rance DeLong, John Rushby SRI CC Authoring Environment
24
Negotiation model of interactionNegotiation model of interaction Objective: Achieve a Objective: Achieve a PP that isPP that is acceptableacceptable to both to both CCAE and the author CCAE and the author
– There is considerable latitude in this outcome -- we do not want to force too There is considerable latitude in this outcome -- we do not want to force too specific an embodiment or restrict the author’s creativityspecific an embodiment or restrict the author’s creativity
2-party negotiation2-party negotiation– The author and CCAE share the ObjectiveThe author and CCAE share the Objective– Both the author and CCAE acknowledge they don’t have perfect knowledge Both the author and CCAE acknowledge they don’t have perfect knowledge
of an “evaluatable” PP -- that will be externally decided in evaluationof an “evaluatable” PP -- that will be externally decided in evaluation– Author brings initiative, understanding, creativity, and common senseAuthor brings initiative, understanding, creativity, and common sense– CCAE brings process framework and an array of techniques serving as a CCAE brings process framework and an array of techniques serving as a
proxy for a true oracleproxy for a true oracle– The CCAE works with the author from the startThe CCAE works with the author from the start– The parties rest when both are satisfiedThe parties rest when both are satisfied with the PP to the extent of their with the PP to the extent of their
ability -- then it goes to review or evaluationability -- then it goes to review or evaluation Staged developmentStaged development
– CCAE can work in stages with an incomplete PPCCAE can work in stages with an incomplete PP– Each stage concentrates on a particular aspect of the PP developmentEach stage concentrates on a particular aspect of the PP development– Allows interim review versionsAllows interim review versions– Can apply gradually increasing threshold of acceptability as PP completedCan apply gradually increasing threshold of acceptability as PP completed
Rance DeLong, John Rushby SRI CC Authoring Environment
25
Libraries - e.g. environment libraryLibraries - e.g. environment library ““Plugged-In” Common Criteria, by versionsPlugged-In” Common Criteria, by versions
– Lifetime of last official version, 13 months (proves the point!)Lifetime of last official version, 13 months (proves the point!)– CC versions 2.3 and 3.1 available in XMLCC versions 2.3 and 3.1 available in XML
• CC parses into Prolog terms with existing SGML / XML parserCC parses into Prolog terms with existing SGML / XML parser• Build relations within the CC, e.g., dependencies, EALs, custom EALsBuild relations within the CC, e.g., dependencies, EALs, custom EALs• Index back to text in XML for display and exportIndex back to text in XML for display and export• Relations to MILS ontology and expert knowledgeRelations to MILS ontology and expert knowledge
– Support for older versions would require some laborSupport for older versions would require some labor
MILS technology and security ontologyMILS technology and security ontology– Create with Protégé/OWLCreate with Protégé/OWL– OWL (Ontology Web Language) library for PrologOWL (Ontology Web Language) library for Prolog– Create a consistent and semantically rich representation of security Create a consistent and semantically rich representation of security
threats, policies, assumptions, objectives, functional countermeasures, threats, policies, assumptions, objectives, functional countermeasures, and assurance measuresand assurance measures
– MILS conventions and standardsMILS conventions and standards– Flow-down constraints from MILS Integration PPFlow-down constraints from MILS Integration PP
Rance DeLong, John Rushby SRI CC Authoring Environment
26
Expert KnowledgeExpert Knowledge
PP authors may not be security experts and/or may not have PP authors may not be security experts and/or may not have written a PP beforewritten a PP before
We would like to effectively bring to the author the We would like to effectively bring to the author the knowledge of experts:knowledge of experts:– Security engineeringSecurity engineering– Evaluation requirements and methodologyEvaluation requirements and methodology– Academia and security researchAcademia and security research– Common Criteria model, methodology, and documentationCommon Criteria model, methodology, and documentation– MILS architectureMILS architecture
Evolving and improving on an on-going basisEvolving and improving on an on-going basis
Distributed and applied by authors as quickly as possibleDistributed and applied by authors as quickly as possible
Rance DeLong, John Rushby SRI CC Authoring Environment
27
Simplified relational model of a PPSimplified relational model of a PP
Functional Requirements
Assurance Requirements
Assumptions
Policies
Threats
Security Objectives
Environment Requirements
Environment
Security Objectives
FAU, FCO, FCS, FDP,FIA, FMT, FPR, FPT,
FRU, FTA, FTP
APE, ASE, ADV,AGD, ALC, ASE,ATE, AVA, ACO
SFRSFR
SARSAR
PP space = ( 2PP space = ( 2TT 2 2 2 2 2 2SFRSFR 2 2SARSAR ) )Rance DeLong, John Rushby SRI CC Authoring Environment
LetLet universe of threatsuniverse of threats u. of security objectives u. of security objectives u. of organizational policiesu. of organizational policies SFRSFR u. of CC security functional rqmts u. of CC security functional rqmts u. of assumptionsu. of assumptions SAR SAR u. of CC security assurance rqmts u. of CC security assurance rqmts
28
Simplified Relational Model of a PPSimplified Relational Model of a PP The The -anchored space PP of tuples-anchored space PP of tuples
PP = ( 2PP = ( 2TT 2 2 2 2 2 2SFRSFR 2 2SARSAR ) )
represents all possible PP relationsrepresents all possible PP relations
The relation E: The relation E:
E E ( 2 ( 2TT 2 2 2 2 2 2SFRSFR 2 2SARSAR ) )
is an oracle accepting “evaluable” PPsis an oracle accepting “evaluable” PPs
The relation M The relation M E is an oracle accepting evaluable E is an oracle accepting evaluable MILS PPsMILS PPs
E and M are E and M are unknowable a prioriunknowable a priori
Rance DeLong, John Rushby SRI CC Authoring Environment
29
MMCCAECCAE Approximation of M Approximation of M
PP = ( 2PP = ( 2TT 2 2 2 2 2 2SFRSFR 2 2SARSAR ) )
EM
MMCC
MCCAE
E E PP evaluable PPs PP evaluable PPsM M E MILS evaluable PPs E MILS evaluable PPs
MMC C a candidatea candidate
member of Mmember of M
CCAE drives MC toward M by measuringconsistency and coveragewith respect to MCCAE
Rance DeLong, John Rushby SRI CC Authoring Environment
30
Expert Guidance and Advice (1/3)Expert Guidance and Advice (1/3) The concept: bring a dynamic body of expert knowledge to The concept: bring a dynamic body of expert knowledge to
bear from the start of every authoring activitybear from the start of every authoring activity
Knowledge acquisitionKnowledge acquisition– Explicit rule encodingExplicit rule encoding– Generalization from expert interaction on specific authoring projectsGeneralization from expert interaction on specific authoring projects– Harmonization of knowledge from different expertsHarmonization of knowledge from different experts
Knowledge applicationKnowledge application– Expert patterns constructed from expert knowledge baseExpert patterns constructed from expert knowledge base– Author patterns are constructed from the draft PPAuthor patterns are constructed from the draft PP– Author patterns are “compared”* to expert patternsAuthor patterns are “compared”* to expert patterns– Advice is generated for the author’s considerationAdvice is generated for the author’s consideration
Negotiation model of interactionNegotiation model of interaction– author and system negotiateauthor and system negotiate
an acceptable PPan acceptable PP* fuzzy unification
Rance DeLong, John Rushby SRI CC Authoring Environment
31
Expert Guidance and Advice (2/3)Expert Guidance and Advice (2/3)
t1
t2
p1
f
a2
o1
o1
a3a4
g
o1
f a1
t1
t2
p1
o1
f
ga1
a2
a3
a4
m
Securityanalystrule
Certificationrule
Countermeasuresrule
Robustness(EAL)rule Expert pattern
Expert KnowledgeRule Base
ThreatsPolicies
SFRs SARsObjectives
Assumptions
A simple example . . .
Rance DeLong, John Rushby SRI CC Authoring Environment
32
Expert Guidance and Advice (3/3)Expert Guidance and Advice (3/3)
t1
t2
p1
o1
f
ga1
a2
a3
a4
mExpert pattern
t1
p1
o1
g
a2
a3
m’Draft PP pattern
AdviceThreat t2 may be anunidentified threat
Objective o1 is customarilyrealized by countermeasure fin addition to g
Assurance measures a1 and a4
may be needed due to the EALsought and a certificationrequirement associated withcountermeasure f
m’ m’ FF m m
A simple example . . .
Rance DeLong, John Rushby
ThreatsPolicies
SFRs SARsObjectives
Assumptionsm’ m’ FF m m inference + fuzzy unificationinference + fuzzy unification
SRI CC Authoring Environment
33
•Summary and RecommendationsSummary and Recommendations MIPP establishes architectural relationships and MIPP establishes architectural relationships and
constraints on components, CCAE provides a constraints on components, CCAE provides a vehicle to support composition by managing vehicle to support composition by managing constraints among component PPsconstraints among component PPs
CCAE can facilitate CC-based PP/ST process and CCAE can facilitate CC-based PP/ST process and also provide framework for extra-CC coordinationalso provide framework for extra-CC coordination
Future versions of CC could consider some of the Future versions of CC could consider some of the issues that have motivated our workissues that have motivated our work– Product lines, product families, “polymorphic PPs”Product lines, product families, “polymorphic PPs”– Changes to systems, integration for systems-of-systemsChanges to systems, integration for systems-of-systems– Explicit assurance cases to focus effortsExplicit assurance cases to focus efforts– Elevated component element levels, for higher EALsElevated component element levels, for higher EALs– Elevated PP/ST scope/depth/rigor at higher EALsElevated PP/ST scope/depth/rigor at higher EALs
Rance DeLong, John Rushby SRI CC Authoring Environment
35
CCAE-supported author, reviewer, evaluator tasksCCAE-supported author, reviewer, evaluator tasks
Choose security environ Choose security environ threats, policies, assump.threats, policies, assump.
Ontology provides a Ontology provides a common frameworkcommon framework
Derive security objectivesDerive security objectives Ontology and expert Ontology and expert knowledge guidanceknowledge guidance
Select SFR/SARs from Select SFR/SARs from CC catalogCC catalog
Check correspondence to Check correspondence to security objectivessecurity objectives
Complete SFR/SAR Complete SFR/SAR component operationscomponent operations
Tracked in work flowTracked in work flow
Define new component Define new component operations for SToperations for ST
Tracked in work flowTracked in work flow
Supply mappings and Supply mappings and rationalerationale
Tracked in work flow and Tracked in work flow and relational modelrelational model
Rance DeLong, John Rushby SRI CC Authoring Environment
36
CCAE-supported author, reviewer, evaluator tasksCCAE-supported author, reviewer, evaluator tasks
Fashion explicit Fashion explicit SFR/SARsSFR/SARs
Help avoid gratuitous Help avoid gratuitous departure from CCdeparture from CC
Select EAL and Select EAL and guarantee it is metguarantee it is met
Ensure minimums for EAL Ensure minimums for EAL met despite explicit rqmtsmet despite explicit rqmts
Assess conformance Assess conformance to abstract PP modelto abstract PP model
Quantitative measurement Quantitative measurement against model and scoringagainst model and scoring
Assure proper use of Assure proper use of CC conventionsCC conventions
Conventions applied to Conventions applied to form, semantics, typographyform, semantics, typography
Assure accuracy of CC Assure accuracy of CC text and versionstext and versions
““Automated” version of CC Automated” version of CC built into CCAEbuilt into CCAE
Assure dependencies Assure dependencies and consistencyand consistency
Apply known dependencies Apply known dependencies in CC and knowledge basein CC and knowledge base
Rance DeLong, John Rushby SRI CC Authoring Environment