protection profile for virtualization · 1 introduction 1.1 overview the scope of this protection...
TRANSCRIPT
ProtectionProfileforVirtualization
Version:1.12021-02-25
NationalInformationAssurancePartnership
RevisionHistory
Version Date Comment
1.0 2016-11-17 InitialPublication
1.1 2020-11-17 IncorporateTDs,ReferenceTLSPackage,AddEquivalencyGuidelines
Contents
1 Introduction1.1 Overview1.2 Terms1.2.1 CommonCriteriaTerms1.2.2 TechnicalTerms1.3 CompliantTargetsofEvaluation1.3.1 TOEBoundary1.3.2 RequirementsMetbythePlatform1.3.3 ScopeofCertification1.3.4 ProductandPlatformEquivalence1.4 UseCases2 ConformanceClaims3 SecurityProblemDescription3.1 Threats3.2 Assumptions3.3 OrganizationalSecurityPolicies4 SecurityObjectives4.1 SecurityObjectivesfortheTOE4.2 SecurityObjectivesfortheOperationalEnvironment4.3 SecurityObjectivesRationale5 SecurityRequirements5.1 SecurityFunctionalRequirements5.1.1 AuditableEventsforMandatorySFRs5.1.2 SecurityAudit(FAU)5.1.3 CryptographicSupport(FCS)5.1.4 UserDataProtection(FDP)5.1.5 IdentificationandAuthentication(FIA)5.1.6 SecurityManagement(FMT)5.1.7 ProtectionoftheTSF(FPT)5.1.8 TOEAccess(FTA)5.1.9 TrustedPath/Channel(FTP)5.1.10 TOESecurityFunctionalRequirementsRationale5.2 SecurityAssuranceRequirements5.2.1 ClassASE:SecurityTargetEvaluation5.2.2 ClassADV:Development5.2.3 ClassAGD:GuidanceDocuments5.2.4 ClassALC:Life-CycleSupport5.2.5 ClassATE:Tests5.2.6 ClassAVA:VulnerabilityAssessment
AppendixA- OptionalRequirementsA.1 StrictlyOptionalRequirementsA.1.1 AuditableEventsforStrictlyOptionalRequirementsA.1.2 SecurityAudit(FAU)A.1.3 ProtectionoftheTSF(FPT)A.2 ObjectiveRequirementsA.2.1 AuditableEventsforObjectiveRequirementsA.2.2 ProtectionoftheTSF(FPT)A.3 Implementation-basedRequirementsAppendixB- Selection-basedRequirementsB.1 AuditableEventsforSelection-basedRequirementsB.2 CryptographicSupport(FCS)B.3 IdentificationandAuthentication(FIA)B.4 ProtectionoftheTSF(FPT)B.5 TrustedPath/Channel(FTP)AppendixC- ExtendedComponentDefinitionsC.1 ExtendedComponentsTableC.2 ExtendedComponentDefinitionsAppendixD- ImplicitlySatisfiedRequirementsAppendixE- EntropyDocumentationandAssessmentE.1 DesignDescriptionE.2 EntropyJustificationE.3 OperatingConditions
E.4 HealthTestingAppendixF- EquivalencyGuidelinesF.1 IntroductionF.2 ApproachtoEquivalencyAnalysisF.3 SpecificGuidanceforDeterminingProductModelEquivalenceF.4 SpecificGuidanceforDeterminingProductVersionEquivalenceF.5 SpecificGuidanceforDeterminingPlatformEquivalenceF.5.1 HardwarePlatformEquivalenceF.5.2 SoftwarePlatformEquivalenceF.6 LevelofSpecificityforTestedConfigurationsandClaimedEquivalentConfigurationsAppendixG- ReferencesAppendixH- Acronyms
1Introduction
1.1OverviewThescopeofthisProtectionProfile(PP)istodescribethesecurityfunctionalityofvirtualizationtechnologiesintermsof[CC]andtodefinesecurityfunctionalandassurancerequirementsforsuchproducts.ThisPPisnotcompleteinitself,butratherprovidesasetofrequirementsthatarecommontothePP-ModulesforServerVirtualizationandforClientVirtualization.Thesecapabilitieshavebeenbrokenoutintothisgeneric‘base’PPduetothehighdegreeofsimilaritybetweenthetwoproducttypes.
Duetotheincreasingprevalenceofvirtualizationtechnologyinenterprisecomputingenvironmentsandtheshifttocloudcomputing,itisessentialtoensurethatthistechnologyisimplementedsecurelyinordertomitigatetheriskintroducedbysharingmultiplecomputersandtheirdataacrossasinglephysicalsystem.
1.2TermsThefollowingsectionslistCommonCriteriaandtechnologytermsusedinthisdocument.
1.2.1CommonCriteriaTerms
Assurance GroundsforconfidencethataTOEmeetstheSFRs[CC].
BaseProtectionProfile(Base-PP)
ProtectionProfileusedasabasistobuildaPP-Configuration.
CommonCriteria(CC)
CommonCriteriaforInformationTechnologySecurityEvaluation(InternationalStandardISO/IEC15408).
CommonCriteriaTestingLaboratory
WithinthecontextoftheCommonCriteriaEvaluationandValidationScheme(CCEVS),anITsecurityevaluationfacility,accreditedbytheNationalVoluntaryLaboratoryAccreditationProgram(NVLAP)andapprovedbytheNIAPValidationBodytoconductCommonCriteria-basedevaluations.
CommonEvaluationMethodology(CEM)
CommonEvaluationMethodologyforInformationTechnologySecurityEvaluation.
DistributedTOE
ATOEcomposedofmultiplecomponentsoperatingasalogicalwhole.
OperationalEnvironment(OE)
HardwareandsoftwarethatareoutsidetheTOEboundarythatsupporttheTOEfunctionalityandsecuritypolicy.
ProtectionProfile(PP)
Animplementation-independentsetofsecurityrequirementsforacategoryofproducts.
ProtectionProfileConfiguration(PP-Configuration)
AcomprehensivesetofsecurityrequirementsforaproducttypethatconsistsofatleastoneBase-PPandatleastonePP-Module.
ProtectionProfileModule(PP-Module)
Animplementation-independentstatementofsecurityneedsforaTOEtypecomplementarytooneormoreBaseProtectionProfiles.
SecurityAssuranceRequirement(SAR)
ArequirementtoassurethesecurityoftheTOE.
SecurityFunctionalRequirement(SFR)
ArequirementforsecurityenforcementbytheTOE.
SecurityTarget(ST)
Asetofimplementation-dependentsecurityrequirementsforaspecificproduct.
TOESecurityFunctionality(TSF)
Thesecurityfunctionalityoftheproductunderevaluation.
TOESummarySpecification(TSS)
AdescriptionofhowaTOEsatisfiestheSFRsinanST.
TargetofEvaluation(TOE)
Theproductunderevaluation.
1.2.2TechnicalTerms
Administrator AdministratorsperformmanagementactivitiesontheVS.ThesemanagementfunctionsdonotincludeadministrationofsoftwarerunningwithinGuestVMs,suchastheGuestOS.AdministratorsneednotbehumanasinthecaseofembeddedorheadlessVMs.AdministratorsareoftennothingmorethansoftwareentitiesthatoperatewithintheVM.
Auditor AuditorsareresponsibleformanagingtheauditcapabilitiesoftheTOE.AnAuditormayalsobeanAdministrator.ItisnotarequirementthattheTOEbecapableofsupportinganAuditorrolethatisseparatefromthatofanAdministrator.
Domain ADomainorInformationDomainisapolicyconstructthatgroupstogetherexecutionenvironmentsandnetworksbysensitivityofinformationandaccesscontrolpolicy.Forexample,classificationlevelsrepresentinformationdomains.Withinclassificationlevels,theremightbeotherdomainsrepresentingcommunitiesofinterestorcoalitions.InthecontextofaVS,informationdomainsaregenerallyimplementedascollectionsofVMsconnectedbyvirtualnetworks.TheVSitselfcanbeconsideredanInformationDomain,ascanitsManagementSubsystem.
GuestNetwork
SeeOperationalNetwork.
GuestOperatingSystem(OS)
AnoperatingsystemthatrunswithinaGuestVM.
GuestVM AGuestVMisaVMthatcontainsavirtualenvironmentfortheexecutionofanindependentcomputingsystem.Virtualenvironmentsexecutemissionworkloadsandimplementcustomer-specificclientorserverfunctionalityinGuestVMs,suchasawebserverordesktopproductivityapplications.
HelperVM AHelperVMisaVMthatperformsservicesonbehalfofoneormoreGuestVMs,butdoesnotqualifyasaServiceVM—andthereforeisnotpartoftheVMM.HelperVMsimplementfunctionsorservicesthatareparticulartotheworkloadsofGuestVMs.Forexample,aVMthatprovidesavirusscanningserviceforaGuestVMwouldbeconsideredaHelperVM.Forthepurposesofthisdocument,HelperVMsareconsideredatypeofGuestVM,andarethereforesubjecttoallthesamerequirements,unlessspecificallystatedotherwise.
HostOperatingSystem(OS)
AnoperatingsystemontowhichaVSisinstalled.RelativetotheVS,theHostOSispartofthePlatform.
Hypercall AnAPIfunctionthatallowsVM-awaresoftwarerunningwithinaVMtoinvokeVMMfunctionality.
Hypervisor TheHypervisorispartoftheVMM.ItisthesoftwareexecutiveofthephysicalplatformofaVS.AHypervisor’sprimaryfunctionistomediateaccesstoallCPUandmemoryresources,butitisalsoresponsibleforeitherthedirectmanagementorthedelegationofthemanagementofallotherhardwaredevicesonthehardwareplatform.
InformationDomain
SeeDomain.
Introspection Acapabilitythatallowsaspeciallydesignatedandprivilegeddomaintohavevisibilityintoanotherdomainforpurposesofanomalydetectionormonitoring.
ManagementNetwork
Anetwork,whichmayhavebothphysicalandvirtualizedcomponents,usedtomanageandadministeraVS.ManagementnetworksincludenetworksusedbyVSAdministratorstocommunicatewithmanagementcomponentsoftheVS,andnetworksusedbytheVSforcommunicationsbetweenVScomponents.Forpurposesofthisdocument,networksthatconnectphysicalhostsforpurposesofVMtransferorcoordinate,andbackendstoragenetworksareconsideredmanagementnetworks.
ManagementSubsystem
ComponentsoftheVSthatallowVSAdministratorstoconfigureandmanagetheVMM,aswellasconfigureGuestVMs.VMMmanagementfunctionsincludeVMconfiguration,virtualizednetworkconfiguration,andallocationofphysicalresources.
OperationalNetwork
AnOperationalNetworkisanetwork,whichmayhavebothphysicalandvirtualizedcomponents,usedtoconnectGuestVMstoeachotherandpotentiallytootherentitiesoutsideoftheVS.OperationalNetworkssupportmissionworkloadsandcustomer-specificclientorserverfunctionality.Alsocalleda“GuestNetwork.”
PhysicalPlatform
ThehardwareenvironmentonwhichaVSexecutes.Physicalplatformresourcesincludeprocessors,memory,devices,andassociatedfirmware.
Platform Thehardware,firmware,andsoftwareenvironmentintowhichaVSisinstalledandexecutes.
ServiceVM AServiceVMisaVMwhosepurposeistosupporttheHypervisorinprovidingtheresourcesorservicesnecessarytosupportGuestVMs.ServiceVMsmayimplementsomeportionofHypervisorfunctionality,butalsomaycontainimportantsystemfunctionalitythatisnotnecessaryforHypervisoroperation.AswithanyVM,ServiceVMsnecessarilyexecutewithoutfullHypervisorprivileges—onlytheprivilegesrequiredtoperformitsdesignedfunctionality.ExamplesofServiceVMsincludedevicedriverVMsthatmanageaccesstoaphysicaldevices,andname-serviceVMsthathelpestablishcommunicationpathsbetweenVMs.
SystemSecurityPolicy(SSP)
TheoverallpolicyenforcedbytheVSdefiningconstraintsonthebehaviorofVMsandusers.
User UsersoperateGuestVMsandaresubjecttoconfigurationpoliciesappliedtotheVSbyAdministrators.UsersneednotbehumanasinthecaseofembeddedorheadlessVMs,usersareoftennothingmorethansoftwareentitiesthatoperatewithintheVM.
VirtualMachine(VM)
AVirtualMachineisavirtualizedhardwareenvironmentinwhichanoperatingsystemmayexecute.
VirtualMachineManager(VMM)
AVMMisacollectionofsoftwarecomponentsresponsibleforenablingVMstofunctionasexpectedbythesoftwareexecutingwithinthem.Generally,theVMMconsistsofaHypervisor,ServiceVMs,andothercomponentsoftheVS,suchasvirtualdevices,binarytranslationsystems,andphysicaldevicedrivers.ItmanagesconcurrentexecutionofallVMsandvirtualizesplatformresourcesasneeded.
VirtualizationSystem(VS)
Asoftwareproductthatenablesmultipleindependentcomputingsystemstoexecuteonthesamephysicalhardwareplatformwithoutinterferencefromoneother.Forthepurposesofthisdocument,theVSconsistsofaVirtualMachineManager(VMM),VirtualMachineabstractions,amanagementsubsystem,andothercomponents.
1.3CompliantTargetsofEvaluationAVirtualizationSystem(VS)isasoftwareproductthatenablesmultipleindependentcomputingsystemstoexecuteonthesamephysicalhardwareplatformwithoutinterferencefromoneother.AVScreatesavirtualizedhardwareenvironment(virtualmachinesorVMs)foreachinstanceofanoperatingsystempermittingtheseenvironmentstoexecuteconcurrentlywhilemaintainingisolationandtheappearanceofexclusivecontroloverassignedcomputingresources.Forthepurposesofthisdocument,theVSconsistsofaVirtualMachineManager(VMM),VirtualMachine(VM)abstractions,amanagementsubsystem,andothercomponents.
AVMMisacollectionofsoftwarecomponentsresponsibleforenablingVMstofunctionasexpectedbythesoftwareexecutingwithinthem.Generally,theVMMconsistsofaHypervisor,ServiceVMs,andothercomponentsoftheVS,suchasvirtualdevices,binarytranslationsystems,andphysicaldevicedrivers.ItmanagesconcurrentexecutionofallVMsandvirtualizesplatformresourcesasneeded.
TheHypervisoristhesoftwareexecutiveofthephysicalplatformofaVS.AhypervisoroperatesatthehighestCPUprivilegelevelandmanagesaccesstoallofthephysicalresourcesofthehardwareplatform.Itexportsawell-defined,protectedinterfaceforaccesstotheresourcesitmanages.AHypervisor’sprimaryfunctionistomediateaccesstoallCPUandmemoryresources,butitisalsoresponsibleforeitherthedirectmanagementorthedelegationofthemanagementofallotherhardwaredevicesonthehardwareplatform.ThisdocumentdoesnotspecifyanyHypervisor-specificrequirements,thoughmanyVMMrequirementswouldnaturallyapplytoaHypervisor.
AServiceVMisaVMwhosepurposeistosupporttheHypervisorinprovidingtheresourcesorservicesnecessarytosupportGuestVMs.ServiceVMsmayimplementsomeportionofHypervisorfunctionality,butalsomaycontainimportantsystemfunctionalitythatisnotnecessaryforHypervisoroperation.AswithanyVM,ServiceVMsnecessarilyexecutewithoutfullHypervisorprivileges—onlytheprivilegesrequiredto
performitsdesignedfunctionality.ExamplesofServiceVMsincludedevicedriverVMsthatmanageaccesstophysicaldevices,andname-serviceVMsthathelpestablishcommunicationpathsbetweenVMs.
AGuestVMisaVMthatcontainsavirtualenvironmentfortheexecutionofanindependentcomputingsystem.Virtualenvironmentsexecutemissionworkloadsandimplementcustomer-specificclientorserverfunctionalityinGuestVMs,suchasawebserverordesktopproductivityapplications.AHelperVMisaVMthatperformsservicesonbehalfofoneormoreGuestVMs,butdoesnotqualifyasaServiceVM—andthereforeisnotpartoftheVMM.HelperVMsimplementfunctionsorservicesthatareparticulartotheworkloadsofGuestVMs.Forexample,aVMthatprovidesavirusscanningserviceforaGuestVMwouldbeconsideredaHelperVM.ThelinebetweenHelperandServiceVMscaneasilybeblurred.Forinstance,aVMthatimplementsacryptographicfunction—suchasanin-lineencryptionVM—couldbeidentifiedaseitheraServiceorHelperVMdependingontheparticularvirtualizationsolution.IfthecryptographicfunctionsarenecessaryonlyfortheprivacyofGuestVMdatainsupportoftheGuest’smissionapplications,itwouldbepropertoclassifytheencryptionVMasaHelper.ButiftheencryptionVMisnecessaryfortheVMMtoisolateGuestVMs,itwouldbepropertoclassifytheencryptionVMasaServiceVM.Forthepurposesofthisdocument,HelperVMsaresubjecttoallrequirementsthatapplytoGuestVMs,unlessspecificallystatedotherwise.
1.3.1TOEBoundaryFigure1showsagreatlysimplifiedviewofagenericVirtualizationSystemandPlatform.TOEcomponentsaredisplayedinRed.Non-TOEcomponentsareinBlue.ThePlatformisthehardware,firmware,andsoftwareontowhichtheVSisinstalled.TheVMMincludestheHypervisor,ServiceVMs,andVMcontainers,butnotthesoftwarethatrunsinsideGuestVMsorHelperVMs.TheManagementSubsystemispartoftheTOE,butmayormaynotbepartoftheVMM.
Figure1:VirtualizationSystemandPlatform
ForpurposesofthisProtectionProfile,theVirtualizationSystemistheTOE,subjecttosomecaveats.ThePlatformontowhichtheVSisinstalled(whichincludeshardware,platformfirmware,andHostOperatingSystem)isnotpartoftheTOE.SoftwareinstalledwiththeVSontheHostOSspecificallytosupporttheVSorimplementVSfunctionalityispartoftheTOE.Generalpurposesoftware—suchasdevicedriversforphysicaldevicesandtheHostOSitself—isnotpartoftheTOE,regardlessofwhetheritsupportsVSfunctionalityorrunsinsideaServiceVMorcontroldomain.SoftwarethatrunswithinGuestandHelperVMsisnotpartoftheTOE.
Ingeneral,forvirtualizationproductsthatareinstalledonto“baremetal,”theentiresetofinstalledcomponentsconstitutetheTOE,andthehardwareconstitutesthePlatform.Alsoingeneral,forproductsthatarehostedbyorintegratedintoacommodityoperatingsystem,thecomponentsinstalledexpresslyforimplementingandsupportingvirtualizationareintheTOE,andthePlatformcomprisesthehardwareandHostOS.
1.3.2RequirementsMetbythePlatformDependingonthewaytheVSisinstalled,functionstestedunderthisPPmaybeimplementedbytheTOEorbythePlatform.ThereisnodifferenceinthetestingrequiredwhetherthefunctionisimplementedbytheTOEorbythePlatform.Ineithercase,thetestsdeterminewhetherthefunctionbeingtestedprovidesalevelofassuranceacceptabletomeetthegoalsofthisProfilewithrespecttoaparticularproductandplatform.TheequivalencyguidelinesareintendedinparttoaddressthisTOEvs.Platformdistinction,andtoensurethattheassuranceleveldoesnotchangebetweeninstancesofequivalentproductsonequivalentplatforms—andalso,ofcourse,toensurethattheappropriatetestingisdonewhenthedistinctionissignificant.-->
1.3.3ScopeofCertificationSuccessfulevaluationofaVirtualizationSystemagainstthisprofiledoesnotconstituteorimplysuccessfulevaluationofanyHostOperatingSystemorPlatform—nomatterhowtightlyintegratedwiththeVS.ThePlatform,includinganyHostOS,supportstheVSthroughprovisionofservicesandresources.SpecializedVScomponentsinstalledonorinaHostOStosupporttheVSmaybeconsideredpartoftheTOE.Butgeneral-purposeOScomponentsandfunctions—whetherornottheysupporttheVS—arenotpartoftheTOE,andthusarenotevaluatedunderthisPP.
1.3.4ProductandPlatformEquivalence
ThetestsinthisProtectionProfilemustberunonallproductversionsandPlatformswithwhichtheVendorwouldliketoclaimcompliance—subjecttothisProfile’sequivalencyguidelines(seeAppendixF-EquivalencyGuidelines).
1.4UseCasesThisbasePPdoesnotdefineanyusecasesforvirtualizationtechnology.ClientVirtualizationandServerVirtualizationproductshavedifferentusecasesandsothesearedefinedintheirrespectivePP-Modules.
2ConformanceClaimsConformanceStatement
AnSTmustclaimexactconformancetothisPP,asdefinedintheCCandCEMaddendaforExactConformance,Selection-BasedSFRs,andOptionalSFRs(datedMay2017).
CCConformanceClaimsThisPPisconformanttoParts2(extended)and3(conformant)ofCommonCriteriaVersion3.1,Revision5.
PPClaimThisPPdoesnotclaimconformancetoanyProtectionProfile.
PackageClaimThisPPisNetworkEncryption(TLS)Package,Version1.1ConformantandSecureShell(SSH)Package,Version1.0Conformant.
ConformanceStatementASecurityTargetmustclaimexactconformancetothisProtectionProfile,asdefinedintheCCandCEMaddendaforExactConformance,Selection-BasedSFRs,andOptionalSFRs(datedMay2017).
CCConformanceClaimsThisPPisconformanttoParts2(extended)and3(conformant)ofCommonCriteriaVersion3.1,Release5[CC].
PPClaimsThisPPdoesnotclaimconformancetoanyotherPP.
ModuleClaimOneormoreofthefollowingmodulesmustbespecifiedinaPP-ConfigurationwiththisPP.
PP-ModuleforClientVirtualization,Version1.1PP-ModuleforServerVirtualization,Version1.1
PackageClaimsThisPPisFunctionalPackageforTLS-conformant.
3SecurityProblemDescription
3.1ThreatsT.DATA_LEAKAGE
ItisafundamentalpropertyofVMsthatthedomainsencapsulatedbydifferentVMsremainseparateunlessdatasharingispermittedbypolicy.Forthisreason,allVirtualizationSystemsshallsupportapolicythatprohibitsinformationtransferbetweenVMs.
ItshallbepossibletoconfigureVMssuchthatdatacannotbemovedbetweendomainsfromVMtoVM,orthroughvirtualorphysicalnetworkcomponentsunderthecontroloftheVS.WhenVMsareconfiguredassuch,itshallnotbepossiblefordatatoleakbetweendomains,neitherbytheexpresseffortsofsoftwareorusersofaVM,norbecauseofvulnerabilitiesorerrorsintheimplementationoftheVMMorotherVScomponents.
Ifitispossiblefordatatoleakbetweendomainswhenprohibitedbypolicy,thenanadversaryononedomainornetworkcanobtaindatafromanotherdomain.Suchcross-domaindataleakagecan,forexample,causeclassifiedinformation,corporateproprietaryinformation,orpersonallyidentifiableinformationtobemadeaccessibletounauthorizedentities.
T.UNAUTHORIZED_UPDATEItiscommonforattackerstotargetoutdatedversionsofsoftwarecontainingknownflaws.ThismeansitisextremelyimportanttoupdateVSsoftwareassoonaspossiblewhenupdatesareavailable.Butthesourceoftheupdatesandtheupdatesthemselvesmustbetrusted.IfanattackercanwritetheirownupdatecontainingmaliciouscodetheycantakecontroloftheVS.
T.UNAUTHORIZED_MODIFICATIONSystemintegrityisacoresecurityobjectiveforVirtualizationSystems.Toachievesystemintegrity,theintegrityofeachVMMcomponentmustbeestablishedandmaintained.MalwarerunningontheplatformmustnotbeabletoundetectablymodifyVScomponentswhilethesystemisrunningoratrest.Likewise,maliciouscoderunningwithinavirtualmachinemustnotbeabletomodifyVirtualizationSystemcomponents.
T.USER_ERRORIfaVirtualizationSystemiscapableofsimultaneouslydisplayingVMsofdifferentdomainstothesameuseratthesametime,thereisalwaysthechancethattheuserwillbecomeconfusedandunintentionallyleakinformationbetweendomains.ThisisespeciallylikelyifVMsbelongingtodifferentdomainsareindistinguishable.Maliciouscodemayalsoattempttointerferewiththeuser’sabilitytodistinguishbetweendomains.TheVSmusttakemeasurestominimizethelikelihoodofsuchconfusion.
T.3P_SOFTWAREInsomeVSimplementations,functionscriticaltothesecuityoftheTOEarebynecessityperformedbysoftwarenotproducedbythevirtualizationvendor.Suchsoftwaremayincludephysicaldevicedrivers,andevennon-TOEentitiessuchasHostOperatingSystems.SincethissoftwarehasthesameorsimilarprivilegelevelastheVS,vulnerabilitiescanbeexploitedbyanadversarytocompromisetheVSandVMs.Wherepossible,theVSshouldmitigatetheresultsofpotentialvulnerabilitiesormaliciouscontentinthird-partycodeonwhichitrelies.Forexample,physicaldevicedrivers(potentiallytheHostOS)couldbeencapsulatedwithinVMsinordertolimittheeffectsofcompromise.
T.VMM_COMPROMISETheVSisdesignedtoprovidetheappearanceofexclusivitytotheVMsandisdesignedtoseparateorisolatetheirfunctionsexceptwherespecificallyshared.FailureofsecuritymechanismscouldleadtounauthorizedintrusionintoormodificationoftheVMM,orbypassoftheVMMaltogether,bynon-TOEsoftware,suchasthatrunninginGuestorHelperVMsoronthehostplatform.ThismustbepreventedtoavoidcompromisingtheVS.
T.PLATFORM_COMPROMISETheVSmustbecapableofprotectingtheplatformfromthreatsthatoriginatewithinVMsandoperationalnetworksconnectedtotheVS.Thehostingofuntrusted—evenmalicious—domainsbytheVScannotbepermittedtocompromisethesecurityandintegrityoftheplatformonwhichtheVSexecutes.IfanattackercanaccesstheunderlyingplatforminamannernotcontrolledbytheVMM,theattackermightbeabletomodifysystemfirmwareorsoftware—compromisingboththeVSandtheunderlyingplatform.
T.UNAUTHORIZED_ACCESSFunctionsperformedbythemanagementlayerincludeVMconfiguration,virtualizednetworkconfiguration,allocationofphysicalresources,andreporting.Onlycertainauthorizedsystemusers(administrators)areallowedtoexercisemanagementfunctions.
VirtualizationSystemsareoftenmanagedremotelyovercommunicationnetworks.Membersofthesenetworkscanbebothgeographicallyandlogicallyseparatedfromeachother,andpassthroughavarietyofothersystemswhichmaybeunderthecontrolofanadversary,andoffertheopportunityforcommunicationstobecompromised.Anadversarywithaccesstoanopenmanagementnetworkcouldinjectcommandsintothemanagementinfrastructure.Thiswouldprovideanadversarywithadministratorprivilegeontheplatform,andadministrativecontrolovertheVMsandvirtualnetwork
connections.Theadversarycouldalsogainaccesstothemanagementnetworkbyhijackingthemanagementnetworkchannel.
T.WEAK_CRYPTOTotheextentthatVMsappearisolatedwithintheVS,athreatofweakcryptographymayariseiftheVMMdoesnotprovidegoodentropytosupportsecurity-relatedfeaturesthatdependonentropytoimplementcryptographicalgorithms.Forexample,arandomnumbergeneratorkeepsanestimateofthenumberofbitsofnoiseintheentropypool.Fromthisentropypoolrandomnumbersarecreated.Goodrandomnumbersareessentialtoimplementingstrongcryptography.Cryptographyimplementedusingpoorrandomnumberscanbedefeatedbyasophisticatedadversary.SuchdefeatcanresultinthecompromiseofGuestVMdataandcredentials,andofVSdataandcredentials,andcanenableanauthorizedaccesstotheVSorVMs.
T.UNPATCHED_SOFTWAREVulnerabilitiesinoutdatedorunpatchedsoftwarecanbeexploitedbyadversariestocompromisetheVSorplatform.
T.MISCONFIGURATIONTheVSmaybemisconfigured,whichcouldimpactitsfunctioningandsecurity.Thismisconfigurationcouldbeduetoanadministrativeerrorortheuseoffaultyconfigurationdata.
T.DENIAL_OF_SERVICEAVMmayblockothersfromsystemresources(e.g.,systemmemory,persistentstorage,andprocessingtime)viaaresourceexhaustionattack.
3.2AssumptionsA.PLATFORM_INTEGRITY
TheplatformhasnotbeencompromisedpriortoinstallationoftheVS.
A.PHYSICALPhysicalsecuritycommensuratewiththevalueoftheTOEandthedataitcontainsisassumedtobeprovidedbytheenvironment.
A.TRUSTED_ADMINTOEAdministratorsaretrustedtofollowandapplyalladministratorguidance.
A.COVERT_CHANNELSThereissufficientassurancerelativetothevalueoftheVM’sITassetstoaddresstheriskofcovertstorageandtimingchannelstotheVMsexecutingontheTOE.
A.NON_MALICIOUS_USERTheuseroftheVSisnotwillfullynegligentorhostile,andusestheVSincompliancewiththeappliedenterprisesecuritypolicyandguidance.Atthesametime,maliciousapplicationscouldactastheuser,sorequirementswhichconfinemaliciousapplicationsarestillinscope.
3.3OrganizationalSecurityPoliciesTherearenoorganizationalsecuritypoliciesdefinedforthisPP.
4SecurityObjectives
4.1SecurityObjectivesfortheTOEO.VM_ISOLATION
VMsarethefundamentalsubjectofthesystem.TheVMMisresponsibleforapplyingthesystemsecuritypolicy(SSP)totheVMandallresources.Asbasicfunctionality,theVMMmustsupportasecuritypolicythatmandatesnoinformationtransferbetweenVMs.
TheVMMmustsupportthenecessarymechanismstoisolatetheresourcesofallVMs.TheVMMpartitionsaplatform'sphysicalresourcesforusebythesupportedvirtualenvironments.Dependingoncustomerrequirements,aVMmayneedacompletelyisolatedenvironmentwithexclusiveaccesstosystemresources,orsharesomeofitsresourceswithotherVMs.ItmustbepossibletoenforceasecuritypolicythatprohibitsthetransferofdatabetweenVMsthroughshareddevices.WhentheplatformsecuritypolicyallowsthesharingofresourcesacrossVMboundaries,theVMMmustensurethatallaccesstothoseresourcesisconsistentwiththepolicy.TheVMMmaydelegatetheresponsibilityforthemediationofsharingofparticularresourcestoselectServiceVMs;howeverindoingso,itremainsresponsibleformediatingaccesstotheServiceVMs,andeachServiceVMmustmediateallaccesstoanysharedresourcethathasbeendelegatedtoitinaccordancewiththeSSP.
Devices,whethervirtualorphysical,areresourcesrequiringaccesscontrol.TheVMMmustenforceaccesscontrolinaccordancetosystemsecuritypolicy.PhysicaldevicesareplatformdeviceswithaccessmediatedviatheVMMpertheO.VMM_Integrityobjective.Virtualdevicesmayincludevirtualstoragedevicesandvirtualnetworkdevices.SomeoftheaccesscontrolrestrictionsmustbeenforcedinternaltoServiceVMs,asmaybethecaseforisolatingvirtualnetworks.VMMsmayalsoexposepurelyvirtualinterfaces.TheseareVMMspecific,andwhiletheyarenotanalogoustoaphysicaldevice,theyarealsosubjecttoaccesscontrol.
TheVMMmustsupportthemechanismstoisolateallresourcesassociatedwithvirtualnetworksandtolimitaVM'saccesstoonlythosevirtualnetworksforwhichithasbeenconfigured.TheVMMmustalsosupportthemechanismstocontroltheconfigurationsofvirtualnetworksaccordingtotheSSP.
O.VMM_INTEGRITYIntegrityisacoresecurityobjectiveforVirtualizationSystems.Toachievesystemintegrity,theintegrityofeachVMMcomponentmustbeestablishedandmaintained.ThisobjectiveconcernsonlytheintegrityoftheVS—nottheintegrityofsoftwarerunninginsideofGuestVMsorofthephysicalplatform.TheoverallobjectiveistoensuretheintegrityofcriticalcomponentsofaVS.
InitialintegrityofaVScanbeestablishedthroughmechanismssuchasadigitallysignedinstallationorupdatepackage,orthroughintegritymeasurementsmadeatlaunch.IntegrityismaintainedinarunningsystembycarefulprotectionoftheVMMfromuntrustedusersandsoftware.Forexample,itmustnotbepossibleforsoftwarerunningwithinaGuestVMtoexploitavulnerabilityinadeviceorhypercallinterfaceandgaincontroloftheVMM.Thevendormustreleasepatchesforvulnerabilitiesassoonaspracticableafterdiscovery.
O.PLATFORM_INTEGRITYTheintegrityoftheVMMdependsontheintegrityofthehardwareandsoftwareonwhichtheVMMrelies.AlthoughtheVSdoesnothavecompletecontrolovertheintegrityoftheplatform,theVSshouldasmuchaspossibletrytoensurethatnousersorsoftwarehostedbytheVSiscapableofunderminingtheintegrityoftheplatform.
O.DOMAIN_INTEGRITYWhiletheVSisnotresponsibleforthecontentsorcorrectfunctioningofsoftwarethatrunswithinGuestVMs,itisresponsibleforensuringthatthecorrectfunctioningofthesoftwarewithinaGuestVMisnotinterferedwithbyotherVMs.
O.MANAGEMENT_ACCESSVMMmanagementfunctionsincludeVMconfiguration,virtualizednetworkconfiguration,allocationofphysicalresources,andreporting.Onlycertainauthorizedsystemusers(administrators)areallowedtoexercisemanagementfunctions.
BecauseoftheprivilegesexercisedbytheVMMmanagementfunctions,itmustnotbepossiblefortheVMM’smanagementcomponentstobecompromisedwithoutadministratornotification.Thismeansthatunauthorizeduserscannotbepermittedaccesstothemanagementfunctions,andthemanagementcomponentsmustnotbeinterferedwithbyGuestVMsorunprivilegedusersonothernetworks—includingoperationalnetworksconnectedtotheTOE.
VMMsincludeasetofmanagementfunctionsthatcollectivelyallowadministratorstoconfigureandmanagetheVMM,aswellasconfigureGuestVMs.ThesemanagementfunctionsarespecifictotheVS,distinctfromanyothermanagementfunctionsthatmightexistfortheinternalmanagementofanygivenGuestVM.TheseVMMmanagementfunctionsareprivileged,withthesecurityoftheentiresystemrelyingontheirproperuse.TheVMMmanagementfunctionscanbeclassifiedintodifferentcategoriesandthepolicyfortheiruseandtheimpacttosecuritymayvaryaccordingly.
ThemanagementfunctionsmightbedistributedthroughouttheVMM(withintheVMMandServiceVMs).TheVMMmustsupportthenecessarymechanismstoenablethecontrolofallmanagementfunctionsaccordingtothesystemsecuritypolicy.WhenamanagementfunctionisdistributedamongmultipleServiceVMs,theVMsmustbeprotectedusingthesecuritymechanismsoftheHypervisorandanyServiceVMsinvolvedtoensurethattheintentofthesystemsecuritypolicyisnotcompromised.Additionally,sincehypercallspermitGuestVMstoinvoketheHypervisor,andoftenallowthepassingofdatatotheHypervisor,itisimportantthatthehypercallinterfaceiswell-guardedandthatallparametersbevalidated.
TheVMMmaintainsconfigurationdataforeveryVMonthesystem.Thisconfigurationdata,whetherofServiceorGuestVMs,mustbeprotected.Themechanismsusedtoestablish,modifyandverifyconfigurationdataarepartoftheVSmanagementfunctionsandmustbeprotectedassuch.TheproperinternalconfigurationofServiceVMsthatprovidecriticalsecurityfunctionscanalsogreatlyimpactVSsecurity.Theseconfigurationsmustalsobeprotected.InternalconfigurationofGuestVMsshouldnotimpactoverallVSsecurity.TheoverallgoalistoensurethattheVMM,includingtheenvironmentsinternaltoServiceVMs,isproperlyconfiguredandthatallGuestVMconfigurationsaremaintainedconsistentwiththesystemsecuritypolicythroughouttheirlifecycle.
VirtualizationSystemsareoftenmanagedremotely.Forexample,anadministratorcanremotelyupdatevirtualizationsoftware,startandshutdownVMs,andmanagevirtualizednetworkconnections.Ifaconsoleisrequired,itcouldberunonaseparatemachineoritcoulditselfruninaVM.Whenperformingremotemanagement,anadministratormustcommunicatewithaprivilegedmanagementagentoveranetwork.CommunicationswiththemanagementinfrastructuremustbeprotectedfromGuestVMsandoperationalnetworks.
O.PATCHED_SOFTWARETheVSmustbeupdatedandpatchedwhenneededinordertopreventthepotentialcompromiseoftheVMM,aswellasthenetworksandVMsthatithosts.Identifyingandapplyingneededupdatesmustbeanormalpartoftheoperatingproceduretoensurethatpatchesareappliedinatimelyandthoroughmanner.Inordertofacilitatethis,theVSmustsupportstandardsandprotocolsthathelpenhancethemanageabilityoftheVSasanITproduct,enablingittobeintegratedaspartofamanageablenetwork(e.g.,reportingcurrentpatchlevelandpatchability).
O.VM_ENTROPYVMsmusthaveaccesstogoodentropysourcestosupportsecurity-relatedfeaturesthatimplementcryptographicalgorithms.Forexample,inordertofunctionasmembersofoperationalnetworks,VMsmustbeabletocommunicatesecurelywithothernetworkentities—whethervirtualorphysical.Theymustthereforehaveaccesstosourcesofgoodentropytosupportthatsecurecommunication.
O.AUDITAnauditlogmustbecreatedthatcapturesaccessestotheobjectstheTOEprotects.Thelogoftheseaccesses,orauditevents,mustbeprotectedfrommodification,unauthorizedaccess,anddestruction.Theauditlogmustbesufficientlydetailedtoindicatethedateandtimeoftheevent,theidentifyoftheuser,thetypeofevent,andthesuccessorfailureoftheevent.
O.CORRECTLY_APPLIED_CONFIGURATIONTheTOEmustnotapplyconfigurationsthatviolatethecurrentsecuritypolicy.
TheTOEmustcorrectlyapplyconfigurationsandpoliciestonewlycreatedGuestVM,aswellastoexistingGuestVMswhenapplicableconfigurationorpolicychangesaremade.Allchangestoconfigurationandtopolicymustconformtotheexistingsecuritypolicy.Similarly,changesmadetotheconfigurationoftheTOEitselfmustnotviolatetheexistingsecuritypolicy.
O.RESOURCE_ALLOCATIONTheTOEwillprovidemechanismsthatenforceconstraintsontheallocationofsystemresourcesinaccordancewithexistingsecuritypolicy.
4.2SecurityObjectivesfortheOperationalEnvironmentOE.CONFIG
TOEadministratorswillconfiguretheVScorrectlytocreatetheintendedsecuritypolicy.
OE.PHYSICALPhysicalsecurity,commensuratewiththevalueoftheTOEandthedataitcontains,isprovidedbytheenvironment.
OE.TRUSTED_ADMINTOEAdministratorsaretrustedtofollowandapplyalladministratorguidanceinatrustedmanner.
OE.COVERT_CHANNELSIftheTOEhascovertstorageortimingchannels,thenforallVMsexecutingonthatTOE,itisassumedthatthoseVMswillhavesufficientassurancerelativetotheITassetstowhichtheyhaveaccess,tooutweightheriskthattheywillviolatethesecuritypolicyoftheTOEbyusingthosecovertchannels.
OE.NON_MALICIOUS_USERUsersaretrustedtobenotwillfullynegligentorhostileandusetheVSincompliancewiththeappliedenterprisesecuritypolicyandguidance.
4.3SecurityObjectivesRationaleThissectiondescribeshowtheassumptions,threats,andorganizationsecuritypoliciesmaptothesecurityobjectives.
Table1:SecurityObjectivesRationaleThreat,Assumption,orOSP SecurityObjectives Rationale
T.DATA_LEAKAGE O.VM_ISOLATION LogicalseparationofVMsandenforcementofdomainintegritypreventunauthorizedtransmissionofdatafromoneVMtoanother.
O.DOMAIN_INTEGRITY LogicalseparationofVMsandenforcementofdomainintegritypreventunauthorizedtransmissionofdatafromoneVMtoanother.
T.UNAUTHORIZED_UPDATE O.VMM_INTEGRITY SystemintegritypreventstheTOEfrominstallingasoftwarepatchcontainingunknownandpotentiallymaliciouscode.
T.UNAUTHORIZED_MODIFICATION O.VMM_INTEGRITY EnforcementofVMMintegritypreventsthebypassofenforcementmechanismsandauditingensuresthatabuseoflegitimateauthoritycanbedetected.
O.AUDIT EnforcementofVMMintegritypreventsthebypassofenforcementmechanismsandauditingensuresthatabuseoflegitimateauthoritycanbedetected.
T.USER_ERROR O.VM_ISOLATION IsolationofVMsincludesclearattributionofthoseVMstotheirrespectivedomainswhichreducesthelikelihoodthatauserinadvertentlyinputsortransfersdatameantforoneVMintoanother.
T.3P_SOFTWARE O.VMM_INTEGRITY TheVMMintegritymechanismsincludeenvironment-basedvulnerabilitymitigationandpotentiallysupportforintrospectionanddevicedriverisolation,allofwhichreducethelikelihood
thatanyvulnerabilitiesinthird-partysoftwarecanbeusedtoexploittheTOE.
T.VMM_COMPROMISE O.VMM_INTEGRITY MaintainingtheintegrityoftheVMMandensuringthatVMsexecuteinisolateddomainsmitigatetheriskthattheVMMcanbecompromisedorbypassed.
O.VM_ISOLATION MaintainingtheintegrityoftheVMMandensuringthatVMsexecuteinisolateddomainsmitigatetheriskthattheVMMcanbecompromisedorbypassed.
T.PLATFORM_COMPROMISE O.PLATFORM_INTEGRITY PlatformintegritymechanismsusedbytheTOEreducetheriskthatanattackercan‘breakout’ofaVMandaffecttheplatformonwhichtheVSisrunning.
T.UNAUTHORIZED_ACCESS O.MANAGEMENT_ACCESS EnsuringthatTSFmanagementfunctionscannotbeexecutedwithoutauthorizationpreventsuntrustedsubjectsfrommodifyingthebehavioroftheTOEinanunanticipatedmanner.
T.WEAK_CRYPTO O.VM_ENTROPY AcquisitionofgoodentropyisnecessarytosupporttheTOE'ssecurity-relatedcryptographicalgorithms.
T.UNPATCHED_SOFTWARE O.PATCHED_SOFTWARE TheabilitytopatchtheTOEsoftwareensuresthatprotectionsagainstvulnerabilitiescanbeappliedastheybecomeavailable.
T.MISCONFIGURATION O.CORRECTLY_APPLIED_CONFIGURATION Mechanismstopreventtheapplicationofconfigurationsthatviolatethecurrentsecuritypolicyhelppreventmisconfigurations.
T.DENIAL_OF_SERVICE O.RESOURCE_ALLOCATION TheabilityoftheTSFtoensuretheproperallocationofresourcesmakes
denialofserviceattacksmoredifficult.
A.PLATFORM_INTEGRITY OE.PHYSICAL IftheunderlyingplatformhasnotbeencompromisedpriortoinstallationoftheTOE,itsintegritycanbeassumedtobeintact.
A.PHYSICAL OE.PHYSICAL IftheTOEisdeployedinalocationthathasappropriatephysicalsafeguards,itcanbeassumedtobephysicallysecure.
A.TRUSTED_ADMIN OE.TRUSTED_ADMIN Providingguidancetoadministratorsandensuringthatindividualsareproperlytrainedandvettedbeforebeinggivenadministrativeresponsibilitieswillensurethattheyaretrusted.
A.COVERT_CHANNELS OE.COVERT_CHANNELS ItisexpectedthatthevalueofanydatacontainedwithinVMsiscommensuratewiththesecurityprovidedbytheTOE,whichincludesanyvulnerabilitiesduetothepotentialpresenceofcovertstorageortimingchannels.
A.NON_MALICIOUS_USER OE.NON_MALICIOUS_USER Iftheorganizationproperlyvetsandtrainsusers,itisexpectedthattheywillbenon-malicious.
5SecurityRequirementsThischapterdescribesthesecurityrequirementswhichhavetobefulfilledbytheproductunderevaluation.ThoserequirementscomprisefunctionalcomponentsfromPart2andassurancecomponentsfromPart3of[CC].Thefollowingconventionsareusedforthecompletionofoperations:
Refinementoperation(denotedbyboldtextorstrikethroughtext):isusedtoadddetailstoarequirement(includingreplacinganassignmentwithamorerestrictiveselection)ortoremovepartoftherequirementthatismadeirrelevantthroughthecompletionofanotheroperation,andthusfurtherrestrictsarequirement.Selection(denotedbyitalicizedtext):isusedtoselectoneormoreoptionsprovidedbythe[CC]instatingarequirement.Assignmentoperation(denotedbyitalicizedtext):isusedtoassignaspecificvaluetoanunspecifiedparameter,suchasthelengthofapassword.Showingthevalueinsquarebracketsindicatesassignment.Iterationoperation:isindicatedbyappendingtheSFRnamewithaslashanduniqueidentifiersuggestingthepurposeoftheoperation,e.g."/EXAMPLE1."
5.1SecurityFunctionalRequirements
5.1.1AuditableEventsforMandatorySFRs
Table2:AuditEventsforMandatoryRequirementsRequirement AuditableEvents AdditionalAuditRecordContents
FAU_GEN.1 Noeventsspecified
FAU_SAR.1 Noeventsspecified
FAU_STG.1 Noeventsspecified
FAU_STG_EXT.1 Failureofauditdatacaptureduetolackofdiskspaceorpre-definedlimit.
FAU_STG_EXT.1 Onfailureofloggingfunction,capturerecordoffailureandrecorduponrestartofloggingfunction.
FCS_CKM.1 Noeventsspecified
FCS_CKM.2 Noeventsspecified
FCS_CKM_EXT.4 Noeventsspecified
FCS_COP.1/UDE Noeventsspecified
FCS_COP.1/HASH Noeventsspecified
FCS_COP.1/Sig Noeventsspecified
FCS_COP.1/KeyHash Noeventsspecified
FCS_ENT_EXT.1 Noeventsspecified
FCS_RBG_EXT.1 Failureoftherandomizationprocess
FDP_HBI_EXT.1 Noeventsspecified
FDP_PPR_EXT.1 SuccessfulandfailedVMconnectionstophysicaldeviceswhereconnectionisgovernedbyconfigurablepolicy.
VMandphysicaldeviceidentifiers.
FDP_PPR_EXT.1 Securitypolicyviolations. Identifierforthesecuritypolicythatwasviolated.
FDP_RIP_EXT.1 Noeventsspecified
FDP_RIP_EXT.2 Noeventsspecified
FDP_VMS_EXT.1 Noeventsspecified
FDP_VNC_EXT.1 SuccessfulandfailedattemptstoconnectVMstovirtualandphysicalnetworkingcomponents.
VMandvirtualorphysicalnetworkingcomponentidentifiers.
FDP_VNC_EXT.1 Securitypolicyviolations. Identifierforthesecuritypolicythatwasviolated.VMandvirtualorphysicalnetworkingcomponentidentifiers.
FDP_VNC_EXT.1 Administratorconfigurationofinter-VMcommunicationschannelsbetweenVMs.
VMandvirtualorphysicalnetworkingcomponentidentifiers.
FIA_AFL_EXT.1 Unsuccessfulloginattemptslimitismetorexceeded.
Originofattempt(e.g.,IPaddress).
FIA_UAU.5 Noeventsspecified
FIA_UIA_EXT.1 Administratorauthenticationattempts.
Provideduseridentity,originoftheattempt(e.g.console,remoteIPaddress).
FIA_UIA_EXT.1 Alluseoftheidentificationandauthenticationmechanism.
Provideduseridentity,originoftheattempt(e.g.console,remoteIPaddress).
FIA_UIA_EXT.1 [selection:Startandendofadministratorsession.,None]
Starttimeandendtimeofadministratorsession.
FMT_MSA_EXT.1 Noeventsspecified
FMT_SMO_EXT.1 Noeventsspecified
FPT_DVD_EXT.1 Noeventsspecified
FPT_EEM_EXT.1 Noeventsspecified
FPT_HAS_EXT.1 Noeventsspecified
FPT_HCL_EXT.1 Attemptstoaccessdisabledhypercallinterfaces
Interfaceforwhichaccesswasattempted.
FPT_HCL_EXT.1 Securitypolicyviolations. Identifierforthesecuritypolicythatwasviolated.
FPT_RDM_EXT.1 Connection/disconnectionofremovablemediaordeviceto/fromaVM.
VMIdentifier,Removablemedia/deviceidentifier,eventdescriptionoridentifier(connect/disconnect,ejection/insertion,etc.)
FPT_RDM_EXT.1 Ejection/insertionofremovablemediaordevicefrom/toanalreadyconnectedVM.
VMIdentifier,Removablemedia/deviceidentifier,eventdescriptionoridentifier(connect/disconnect,ejection/insertion,etc.)
FPT_TUD_EXT.1 Initiationofupdate.
FPT_TUD_EXT.1 Failureofsignatureverification.
FPT_VDP_EXT.1 Noeventsspecified
FPT_VIV_EXT.1 Noeventsspecified
FTA_TAB.1 Noeventsspecified
FTP_ITC_EXT.1 Initiationofthetrustedchannel. UserIDandremotesource(IPAddress)iffeasible.
FTP_ITC_EXT.1 Terminationofthetrustedchannel. UserIDandremotesource(IPAddress)iffeasible.
FTP_ITC_EXT.1 Failuresofthetrustedpathfunctions. UserIDandremotesource(IPAddress)iffeasible.
FTP_UIF_EXT.1 Noeventsspecified
FTP_UIF_EXT.2 Noeventsspecified
5.1.2SecurityAudit(FAU)
FAU_GEN.1AuditDataGeneration
FAU_GEN.1.1TheTSFshallbeabletogenerateanauditrecordofthefollowingauditableevents:
a. Start-upandshutdownofauditfunctionsb. [AlladministrativeactionsrelevanttoclaimedSFRsasdefinedin
theAuditableEventsTablefromtheClientandServerPP-Modules]c. [AuditableeventsdefinedinTableatref-mandatory]d. [selection:AuditableeventsdefinedinTableatref-optional-depfor
StrictlyOptionalSFRs,AuditableeventsdefinedinTableatref-objective-depforObjectiveSFRs,AuditableeventsdefinedinTableatref-sel-based-depforSelection-BasedSFRs,AuditableeventsdefinedintheaudittablefortheTLSFunctionalPackage(seeTable3),AuditableeventsdefinedintheaudittablefortheSSHFunctionalPackage(seeTable3),nootherauditableevents]
FAU_GEN.1.2TheTSFshallrecordwithineachauditrecordatleastthefollowinginformation:
a. Dateandtimeoftheeventb. Typeofeventc. Subjectandobjectidentity(ifapplicable)d. Theoutcome(successorfailure)oftheevente. [AdditionalinformationdefinedinTableatref-mandatory]f. [selection:AdditionalinformationdefinedinTableatref-optional-depforStrictlyOptionalSFRs,AdditionalinformationdefinedinTableatref-objective-depforObjectiveSFRs,AdditionalinformationdefinedinTableatref-sel-based-depforSelection-BasedSFRs,AdditionalinformationdefinedintheaudittablefortheTLSFunctionalPackage(seeTable3),AdditionalinformationdefinedintheaudittablefortheSSHFunctionalPackage(seeTable3),nootherinformation]
ApplicationNote:TheSTauthorcanincludeotherauditableeventsdirectlyinTableatref-mandatory;theyarenotlimitedtothelistpresented.TheSTauthorshouldupdatethetableinFAU_GEN.1.2withanyadditionalinformationgenerated.“Subjectidentity”inFAU_GEN.1.2couldbeauseridoranidentifierspecifyingaVM,forexample.
AppropriateentriesfromTableatref-optional-dep,Tableatref-objective-dep,andTableatref-sel-based-depshouldbeincludedintheSTiftheassociatedSFRsandselectionsareincluded.
TheTableatref-mandatoryentryforFDP_VNC_EXT.1referstoconfigurationsettingsthatattachVMstovirtualizednetworkcomponents.ChangestotheseconfigurationscanbemadeduringVMexecutionorwhenVMsarenotrunning.Auditrecordsmustbegeneratedforeithercase.
TheintentoftheauditrequirementforFDP_PPR_EXT.1istologthattheVMisconnectedtoaphysicaldevice(whenthedevicebecomespartoftheVM'shardwareview),nottologeverytimethatthedeviceisaccessed.Generally,thisisonlyonceatVMstartup.However,somedevicescanbeconnectedanddisconnectedduringoperation(e.g.,virtualUSBdevicessuchasCD-ROMs).Allsuchconnection/disconnectioneventsmustbelogged.
ThefollowingtablecontainstheeventsenumeratedintheauditableeventstablesfortheSSHandTLSFunctionalPackages.InclusionoftheseeventsintheSTissubjecttoselectionabove,inclusionofthecorrespondingSFRsintheST,andsupportintheFPasrepresentedbyaselectionintheFPaudittable.Thislistisincludedhereforreference.
Table3:AuditableEventsforFunctionalPackages
Requirement AuditableEvents AdditionalAuditRecordContents
FCS_SSHC_EXT.1 Failuretoestablishasession.
Reasonforfailure,Non-TOEendpointofattemptedconnection(IPAddress).
FCS_SSHC_EXT.1 Establishmentofasession.
Non-TOEendpointofconnection(IPAddress).
FCS_SSHC_EXT.1 Terminationofasession. Non-TOEendpointofconnection(IPAddress).
FCS_SSHS_EXT.1 Failuretoestablishasession.
Reasonforfailure,Non-TOEendpointofattemptedconnection(IPAddress).
FCS_SSHS_EXT.1 Establishmentofasession.
Non-TOEendpointofconnection(IPAddress).
FCS_SSHS_EXT.1 Terminationofasession. Non-TOEendpointofconnection(IPAddress).
FCS_TLSC_EXT.1 Failuretoestablishasession.
Reasonforfailure.
FCS_TLSC_EXT.1 Failuretoverifypresentedidentifier.
Presentedidentifierandreferenceidentifier.
FCS_TLSC_EXT.1 Establishment/terminationofaTLSsession.
Non-TOEendpointofconnection.
FCS_TLSS_EXT.1 Failuretoestablishasession.
Reasonforfailure.
FCS_DTLSC_EXT.1 Failureofthecertificatevaliditycheck.
IssuerNameandSubjectNameofcertificate.
FCS_DTLSS_EXT.1 Failureofthecertificatevaliditycheck.
IssuerNameandSubjectNameofcertificate.
EvaluationActivities
FAU_GEN.1:TSSTheevaluatorshallchecktheTSSandensurethatitlistsalloftheauditableeventsandprovidesaformatforauditrecords.Eachauditrecordformattypeshallbecovered,alongwithabriefdescriptionofeachfield.TheevaluatorshallchecktomakesurethateveryauditeventtypemandatedbythePP-ConfigurationisdescribedintheTSS.
GuidanceTheevaluatorshallalsomakeadeterminationoftheadministrativeactionsthatarerelevantinthecontextofthisPP-Configuration.Theevaluatorshallexaminetheadministrativeguideandmakeadeterminationofwhichadministrativecommands,includingsubcommands,scripts,andconfigurationfiles,arerelatedtotheconfiguration(includingenablingordisabling)ofthemechanismsimplementedintheTOEthatarenecessarytoenforcetherequirementsspecifiedinthePPandPP-Module(s).Theevaluatorshalldocumentthemethodologyorapproachtakenwhiledeterminingwhichactionsintheadministrativeguidearesecurity-relevantwithrespecttothisPP-Configuration.
TestsTheevaluatorshalltesttheTOE’sabilitytocorrectlygenerateauditrecordsbyhavingtheTOEgenerateauditrecordsfortheeventslistedandadministrativeactions.Foradministrativeactions,theevaluatorshalltestthateachactiondeterminedbytheevaluatorabovetobesecurityrelevantinthecontextofthisPPisauditable.Whenverifyingthetestresults,theevaluatorshallensuretheauditrecordsgeneratedduringtestingmatchtheformatspecifiedintheadministrativeguide,andthatthefieldsineachauditrecordhavetheproperentries.
Notethatthetestingherecanbeaccomplishedinconjunctionwiththetestingofthesecuritymechanismsdirectly.
FAU_SAR.1AuditReviewFAU_SAR.1.1
TheTSFshallprovide[administrators]withthecapabilitytoread[allinformation]fromtheauditrecords.
FAU_SAR.1.2TheTSFshallprovidetheauditrecordsinamannersuitablefortheusertointerprettheinformation.
EvaluationActivities
FAU_SAR.1:GuidanceTheevaluatorshallreviewtheoperationalguidancefortheprocedureonhowtoreviewtheauditrecords.TestsTheevaluatorshallverifythattheauditrecordsprovidealloftheinformationspecifiedinFAU_GEN.1andthatthisinformationissuitableforhumaninterpretation.TheassuranceactivityforthisrequirementisperformedinconjunctionwiththeassuranceactivityforFAU_GEN.1.
FAU_FAK_EXT.1FakeAuditReviewFAU_FAK_EXT.1.1
EvaluationActivities
FAU_STG.1ProtectedAuditTrailStorageFAU_STG.1.1
TheTSFshallprotectthestoredauditrecordsintheaudittrailfromunauthorizeddeletion.
FAU_STG.1.2TheTSFshallbeableto[prevent]unauthorizedmodificationstothestoredauditrecordsintheaudittrail.
ApplicationNote:TheassuranceactivityforthisSFRisnotintendedtoimplythattheTOEmustsupportanadministrator’sabilitytodesignateindividualauditrecordsfordeletion.Thatlevelofgranularityisnotrequired.
EvaluationActivities
FAU_STG.1:TSSTheevaluatorshallensurethattheTSSdescribeshowtheauditrecordsareprotectedfromunauthorizedmodificationordeletion.TheevaluatorshallensurethattheTSSdescribestheconditionsthatmustbemetforauthorizeddeletionofauditrecords.GuidanceTestsTheevaluatorshallperformthefollowingtests:
Test1:TheevaluatorshallaccesstheaudittrailasanunauthorizedAdministratorandattempttomodifyanddeletetheauditrecords.Theevaluatorshallverifythattheseattemptsfail.Test2:TheevaluatorshallaccesstheaudittrailasanauthorizedAdministratorandattempttodeletetheauditrecords.Theevaluatorshallverifythattheseattemptssucceed.Theevaluatorshallverifythatonlytherecordsauthorizedfordeletionaredeleted.
FAU_STG_EXT.1Off-LoadingofAuditDataFAU_STG_EXT.1.1
TheTSFshallbeabletotransmitthegeneratedauditdatatoanexternalITentityusingatrustedchannelasspecifiedinFTP_ITC_EXT.1.
FAU_STG_EXT.1.2TheTSFshall[selection:dropnewauditdata,overwritepreviousauditrecordsaccordingtothefollowingrule:[assignment:ruleforoverwritingpreviousauditrecords],[assignment:otheraction]]whenthelocalstoragespaceforauditdataisfull.
ApplicationNote:Anexternallogserver,ifavailable,mightbeusedasalternativestoragespaceincasethelocalstoragespaceisfull.An‘otheraction’couldbedefinedinthiscaseas‘sendthenewauditdatatoanexternalITentity’.
EvaluationActivities
FAU_STG_EXT.1:ProtocolsusedforimplementingthetrustedchannelmustbeselectedinFTP_ITC_EXT.1.
TSSTheevaluatorshallexaminetheTSStoensureitdescribesthemeansbywhichtheauditdataaretransferredtotheexternalauditserver,andhowthetrustedchannelisprovided.GuidanceTheevaluatorshallexaminetheoperationalguidancetoensureitdescribeshowtoestablishthetrustedchanneltotheauditserver,aswellasdescribeanyrequirementsontheauditserver(particularauditserverprotocol,versionoftheprotocolrequired,etc.),aswellasconfigurationoftheTOEneededtocommunicatewiththeauditserver.TestsTestingofthetrustedchannelmechanismistobeperformedasspecifiedintheassuranceactivitiesforFTP_ITC_EXT.1.
Theevaluatorshallperformthefollowingtestforthisrequirement:
Test1:TheevaluatorshallestablishasessionbetweentheTOEandtheauditserveraccordingtotheconfigurationguidanceprovided.TheevaluatorshallthenexaminethetrafficthatpassesbetweentheauditserverandtheTOEduringseveralactivitiesoftheevaluator’schoicedesignedtogenerateauditdatatobetransferredtotheauditserver.Theevaluatorshallobservethatthesedataarenotabletobeviewedintheclearduringthistransfer,andthattheyaresuccessfullyreceivedbytheauditserver.Theevaluatorshallrecordtheparticularsoftware(name,version)usedontheauditserverduringtesting.
TSSTheevaluatorshallexaminetheTSStoensureitdescribeswhathappenswhenthelocalauditdatastoreisfull.GuidanceTheevaluatorshallalsoexaminetheoperationalguidancetodeterminethatitdescribestherelationshipbetweenthelocalauditdataandtheauditdatathataresenttotheauditlogserver.Forexample,whenanauditeventisgenerated,isitsimultaneouslysenttotheexternalserverandthelocalstore,oristhelocalstoreusedasabufferand“cleared”periodicallybysendingthedatatotheauditserver.TestsTheevaluatorshallperformoperationsthatgenerateauditdataandverifythatthisdataisstoredlocally.TheevaluatorshallperformoperationsthatgenerateauditdatauntilthelocalstoragespaceisexceededandverifiesthattheTOEcomplieswiththebehaviordefinedintheSTforFAU_STG_EXT.1.2.
5.1.3CryptographicSupport(FCS)
FCS_CKM.1CryptographicKeyGenerationFCS_CKM.1.1
TheTSFshallgenerateasymmetriccryptographickeysinaccordancewithaspecifiedcryptographickeygenerationalgorithm[selection:
RSAschemesusingcryptographickeysizes[2048-bitorgreater]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,AppendixB.3],ECCschemesusing[“NISTcurves”P-256,P-384,and[selection:P-521,noothercurves]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,AppendixB.4],FFCschemesusingcryptographickeysizes[2048-bitorgreater]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,AppendixB.1]].
].
ApplicationNote:TheSTauthorselectsallkeygenerationschemesusedforkeyestablishmentanddeviceauthentication.Whenkeygenerationisusedforkeyestablishment,theschemesinFCS_CKM.2.1andselectedcryptographicprotocolsshallmatchtheselection.Whenkeygenerationisusedfordeviceauthentication,thepublickeyisexpectedtobeassociatedwithanX.509v3certificate.
IftheTOEactsasareceiverintheRSAkeyestablishmentscheme,theTOEdoesnotneedtoimplementRSAkeygeneration.
EvaluationActivities
FCS_CKM.1:TSSTheevaluatorshallensurethattheTSSidentifiesthekeysizessupportedbytheTOE.IftheSTspecifiesmorethanonescheme,theevaluatorshallexaminetheTSStoverifythatitidentifiestheusageforeachscheme.
GuidanceTheevaluatorshallverifythattheAGDguidanceinstructstheadministratorhowtoconfiguretheTOEtousetheselectedkeygenerationscheme(s)andkeysize(s)forallusesdefinedinthisPP.TestsNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.
KeyGenerationforFIPSPUB186-4RSASchemesTheevaluatorshallverifytheimplementationofRSAKeyGenerationbytheTOEusingtheKeyGenerationtest.ThistestverifiestheabilityoftheTSFtocorrectlyproducevaluesforthekeycomponentsincludingthepublicverificationexponente,theprivateprimefactorspandq,thepublicmodulusnandthecalculationoftheprivatesignatureexponentd.
KeyPairgenerationspecifies5ways(ormethods)togeneratetheprimespandq.Theseinclude:
RandomPrimes:ProvableprimesProbableprimes
PrimeswithConditions:Primesp1,p2,q1,q2,pandqshallallbeprovableprimesPrimesp1,p2,q1,andq2shallbeprovableprimesandpandqshallbeprobableprimesPrimesp1,p2,q1,q2,pandqshallallbeprobableprimes
TotestthekeygenerationmethodfortheRandomProvableprimesmethodandforallthePrimeswithConditionsmethods,theevaluatorshallseedtheTSFkeygenerationroutinewithsufficientdatatodeterministicallygeneratetheRSAkeypair.Thisincludestherandomseed(s),thepublicexponentoftheRSAkey,andthedesiredkeylength.Foreachkeylengthsupported,theevaluatorshallhavetheTSFgenerate25keypairs.TheevaluatorshallverifythecorrectnessoftheTSF’simplementationbycomparingvaluesgeneratedbytheTSFwiththosegeneratedfromaknowngoodimplementation.
KeyGenerationforEllipticCurveCryptography(ECC)
FIPS186-4ECCKeyGenerationTest
ForeachsupportedNISTcurve,i.e.,P-256,P-384andP-521,theevaluatorshallrequiretheimplementationundertest(IUT)togenerate10private/publickeypairs.Theprivatekeyshallbegeneratedusinganapprovedrandombitgenerator(RBG).Todeterminecorrectness,theevaluatorshallsubmitthegeneratedkeypairstothepublickeyverification(PKV)functionofaknowngoodimplementation.FIPS186-4PublicKeyVerification(PKV)TestForeachsupportedNISTcurve,i.e.,P-256,P-384andP-521,theevaluatorshallgenerate10private/publickeypairsusingthekeygenerationfunctionofaknowngoodimplementationandmodifyfiveofthepublickeyvaluessothattheyareincorrect,leavingfivevaluesunchanged(i.e.,correct).Theevaluatorshallobtaininresponseasetof10PASS/FAILvalues.
KeyGenerationforFinite-FieldCryptography(FFC)
TheevaluatorshallverifytheimplementationoftheParametersGenerationandtheKeyGenerationforFFCbytheTOEusingtheParameterGenerationandKeyGenerationtest.ThistestverifiestheabilityoftheTSFtocorrectlyproducevaluesforthefieldprimep,thecryptographicprimeq(dividingp-1),thecryptographicgroupgeneratorg,andthecalculationoftheprivatekeyxandpublickeyy.
TheParametergenerationspecifies2ways(ormethods)togeneratethecryptographicprimeqandthefieldprimep:
PrimesqandpshallbothbeprovableprimesPrimesqandfieldprimepshallbothbeprobableprimes
andtwowaystogeneratethecryptographicgroupgeneratorg:GeneratorgconstructedthroughaverifiableprocessGeneratorgconstructedthroughanunverifiableprocess.
TheKeygenerationspecifies2waystogeneratetheprivatekeyx:len(q)bitoutputofRBGwhere1�x�q-1len(q)+64bitoutputofRBG,followedbyamodq-1operationwhere1�x�q-1
ThesecuritystrengthoftheRBGshallbeatleastthatofthesecurityofferedbytheFFCparameterset.
Totestthecryptographicandfieldprimegenerationmethodfortheprovableprimesmethodandthegroupgeneratorgforaverifiableprocess,theevaluatorshallseedtheTSFparametergenerationroutinewithsufficientdatatodeterministicallygeneratetheparameterset.
Foreachkeylengthsupported,theevaluatorshallhavetheTSFgenerate25parametersetsandkeypairs.TheevaluatorshallverifythecorrectnessoftheTSF’simplementationbycomparingvaluesgeneratedbytheTSFwiththosegeneratedfromaknowngoodimplementation.Verificationshallalsoconfirm
g!=0,1qdividesp-1g^qmodp=1g^xmodp=y
foreachFFCparametersetandkeypair.
FCS_CKM.2CryptographicKeyEstablishmentFCS_CKM.2.1
TheTSFshallperformcryptographickeyestablishmentinaccordancewithaspecifiedcryptographickeyestablishmentmethod:[selection:
RSA-basedkeyestablishmentschemesthatmeetsthefollowing:NISTSpecialPublication800-56B,“RecommendationforPair-WiseKeyEstablishmentSchemesUsingIntegerFactorizationCryptography”,Ellipticcurve-basedkeyestablishmentschemesthatmeetsthefollowing:NISTSpecialPublication800-56A,“RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography”,Finitefield-basedkeyestablishmentschemesthatmeetsthefollowing:NISTSpecialPublication800-56A,“RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography”]
]
EvaluationActivities
FCS_CKM.2:TSSTheevaluatorshallensurethatthesupportedkeyestablishmentschemescorrespondtothekeygenerationschemesidentifiedinFCS_CKM.1.1.IftheSTspecifiesmorethanonescheme,theevaluatorshallexaminetheTSStoverifythatitidentifiestheusageforeachscheme.
GuidanceTheevaluatorshallverifythattheAGDguidanceinstructstheadministratorhowtoconfiguretheTOEtousetheselectedkeyestablishmentscheme(s).
TestsTheevaluatorshallverifytheimplementationofthekeyestablishmentschemesofthesupportedbytheTOEusingtheapplicabletestsbelow.
KeyEstablishmentSchemes
SP800-56AKeyEstablishmentSchemes
TheevaluatorshallverifyaTOE'simplementationofSP800-56AkeyagreementschemesusingthefollowingFunctionandValiditytests.ThesevalidationtestsforeachkeyagreementschemeverifythataTOEhasimplementedthecomponentsofthekeyagreementschemeaccordingtothespecificationsintheRecommendation.ThesecomponentsincludethecalculationoftheDLCprimitives(thesharedsecretvalueZ)andthecalculationofthederivedkeyingmaterial(DKM)viatheKeyDerivationFunction(KDF).Ifkeyconfirmationissupported,theevaluatorshallalsoverifythatthecomponentsofkeyconfirmationhavebeenimplementedcorrectly,usingthetestproceduresdescribedbelow.ThisincludestheparsingoftheDKM,thegenerationofMACdataandthecalculationofMACtag.
FunctionTest
TheFunctiontestverifiestheabilityofthetoimplementthekeyagreementschemescorrectly.Toconductthistest,theevaluatorshallgenerateorobtaintestvectorsfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachsupportedkeyagreementscheme-key
agreementrolecombination,KDFtype,and,ifsupported,keyconfirmationrole-keyconfirmationtypecombination,thetestershallgenerate10setsoftestvectors.Thedatasetconsistsofonesetofdomainparametervalues(FFC)ortheNISTapprovedcurve(ECC)per10setsofpublickeys.Thesekeysarestatic,ephemeralorbothdependingontheschemebeingtested.
TheevaluatorshallobtaintheDKM,thecorrespondingTOE’spublickeys(staticand/orephemeral),theMACtag(s),andanyinputsusedintheKDF,suchastheOtherInformationfieldOIandTOEidfields.
IftheTOEdoesnotuseaKDFdefinedinSP800-56A,theevaluatorshallobtainonlythepublickeysandthehashedvalueofthesharedsecret.
TheevaluatorshallverifythecorrectnessoftheTSF’simplementationofagivenschemebyusingaknowngoodimplementationtocalculatethesharedsecretvalue,derivethekeyingmaterialDKM,andcomparehashesorMACtagsgeneratedfromthesevalues.
Ifkeyconfirmationissupported,theTSFshallperformtheaboveforeachimplementedapprovedMACalgorithm.
ValidityTest
TheValiditytestverifiestheabilityoftheTOEtorecognizeanotherparty’svalidandinvalidkeyagreementresultswithorwithoutkeyconfirmation.Toconductthistest,theevaluatorshallobtainalistofthesupportingcryptographicfunctionsincludedintheSP800-56AkeyagreementimplementationtodeterminewhicherrorstheTOEshouldbeabletorecognize.Theevaluatorgeneratesasetof24(FFC)or30(ECC)testvectorsconsistingofdatasetsincludingdomainparametervaluesorNISTapprovedcurves,theevaluator’spublickeys,theTOE’spublic/privatekeypairs,MACTag,andanyinputsusedintheKDF,suchastheotherinfoandTOEidfields.
TheevaluatorshallinjectanerrorinsomeofthetestvectorstotestthattheTOErecognizesinvalidkeyagreementresultscausedbythefollowingfieldsbeingincorrect:thesharedsecretvalueZ,theDKM,theotherinformationfieldOI,thedatatobeMACed,orthegeneratedMACTag.IftheTOEcontainsthefullorpartial(onlyECC)publickeyvalidation,theevaluatorwillalsoindividuallyinjecterrorsinbothparties’staticpublickeys,bothparties’ephemeralpublickeysandtheTOE’sstaticprivatekeytoassuretheTOEdetectserrorsinthepublickeyvalidationfunctionand/orthepartialkeyvalidationfunction(inECConly).Atleasttwoofthetestvectorsshallremainunmodifiedandthereforeshouldresultinvalidkeyagreementresults(theyshouldpass).
TheTOEshallusethesemodifiedtestvectorstoemulatethekeyagreementschemeusingthecorrespondingparameters.TheevaluatorshallcomparetheTOE’sresultswiththeresultsusingaknowngoodimplementationverifyingthattheTOEdetectstheseerrors.
SP800-56BKeyEstablishmentSchemes
TheevaluatorshallverifythattheTSSdescribeswhethertheTOEactsasasender,arecipient,orbothforRSA-basedkeyestablishmentschemes.
IftheTOEactsasasender,thefollowingassuranceactivityshallbeperformedtoensuretheproperoperationofeveryTOEsupportedcombinationofRSA-basedkeyestablishmentscheme:
Toconductthistest,theevaluatorshallgenerateorobtaintestvectorsfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachcombinationofsupportedkeyestablishmentschemeanditsoptions(withorwithoutkeyconfirmationifsupported,foreachsupportedkeyconfirmationMACfunctionifkeyconfirmationissupported,andforeachsupportedmaskgenerationfunctionifKTS-OAEPissupported),thetestershallgenerate10setsoftestvectors.EachtestvectorshallincludetheRSApublickey,theplaintextkeyingmaterial,anyadditionalinputparametersifapplicable,theMacKeyandMacTagifkeyconfirmationisincorporated,andtheoutputtedciphertext.Foreachtestvector,theevaluatorshallperformakeyestablishmentencryptionoperationontheTOEwiththesameinputs(incaseswherekeyconfirmationisincorporated,thetestshallusetheMacKeyfromthetestvectorinsteadoftherandomlygeneratedMacKeyusedinnormaloperation)andensurethattheoutputtedciphertextisequivalenttotheciphertextinthetestvector.
IftheTOEactsasareceiver,thefollowingassuranceactivitiesshallbeperformedtoensuretheproperoperationofeveryTOEsupportedcombinationofRSA-basedkeyestablishmentscheme:
Toconductthistest,theevaluatorshallgenerateorobtaintestvectorsfromaknowngoodimplementationoftheTOEsupportedschemes.Foreachcombinationofsupportedkeyestablishmentschemeanditsoptions(withourwithoutkeyconfirmationifsupported,foreachsupportedkeyconfirmationMACfunctionifkeyconfirmationissupported,andforeachsupportedmaskgenerationfunctionifKTS-OAEPissupported),thetestershallgenerate10setsoftestvectors.EachtestvectorshallincludetheRSAprivatekey,theplaintextkeyingmaterial
(KeyData),anyadditionalinputparametersifapplicable,theMacTagincaseswherekeyconfirmationisincorporated,andtheoutputtedciphertext.Foreachtestvector,theevaluatorshallperformthekeyestablishmentdecryptionoperationontheTOEandensurethattheoutputtedplaintextkeyingmaterial(KeyData)isequivalenttotheplaintextkeyingmaterialinthetestvector.Incaseswherekeyconfirmationisincorporated,theevaluatorshallperformthekeyconfirmationstepsandensurethattheoutputtedMacTagisequivalenttotheMacTaginthetestvector.
TheevaluatorshallensurethattheTSSdescribeshowtheTOEhandlesdecryptionerrors.InaccordancewithNISTSpecialPublication800-56B,theTOEshallnotrevealtheparticularerrorthatoccurred,eitherthroughthecontentsofanyoutputtedorloggederrormessageorthroughtimingvariations.IfKTS-OAEPissupported,theevaluatorshallcreateseparatecontrivedciphertextvaluesthattriggereachofthethreedecryptionerrorchecksdescribedinNISTSpecialPublication800-56Bsection7.2.2.3,ensurethateachdecryptionattemptresultsinanerror,andensurethatanyoutputtedorloggederrormessageisidenticalforeach.IfKTS-KEM-KWSissupported,theevaluatorshallcreateseparatecontrivedciphertextvaluesthattriggereachofthethreedecryptionerrorchecksdescribedinNISTSpecialPublication800-56Bsection7.2.3.3,ensurethateachdecryptionattemptresultsinanerror,andensurethatanyoutputtedorloggederrormessageisidenticalforeach.
FCS_CKM_EXT.4CryptographicKeyDestructionFCS_CKM_EXT.4.1
TheTSFshallcausedisusedcryptographickeysinvolatilememorytobedestroyedorrenderedunrecoverable.
ApplicationNote:Thethreataddressedbythiselementistherecoveryofdisusedcryptographickeysfromvolatilememorybyunauthorizedprocesses.
TheTSFmusttodestroyorcausetobedestroyedallcopiesofcryptographickeyscreatedandmanagedbytheTOEoncethekeysarenolongerneeded.ThisrequirementisthesameforallinstancesofkeyswithinTOEvolatilememoryregardlessofwhetherthememoryiscontrolledbyTOEmanufacturersoftwareorby3rdpartyTOEmodules.TheassuranceactivitiesaredesignedwithflexibilitytoaddresscaseswheretheTOEmanufacturerhaslimitedinsightintothebehaviorof3rdpartyTOEcomponents.
ThepreferredmethodfordestroyingkeysinTOEvolatilememoryisbydirectoverwriteofthememoryoccupiedbythekeys.Thevaluesusedforoverwritingcanbeallzeros,allones,oranyotherpatternorcombinationofvaluessignificantlydifferentthanthevalueofthekeyitselfsuchthatthekeysarerenderedinaccessibletorunningprocesses.
Someimplementationsmayfindthatdirectoverwritingofmemoryisnotfeasibleorpossibleduetoprogramminglanguageconstraints.Manymemory-andtype-safelanguagesprovidenomechanismforprogrammerstospecifythataparticularmemorylocationbeaccessedorwritten.Thevalueofsuchlanguagesisthatitismuchharderforaprogrammingerrortoresultinabufferorheapoverflow.Thedownsideisthatmultiplecopiesofkeysmightbescatteredthroughoutlanguage-runtimememory.Insuchcases,theTOEshouldtakewhateveractionsarefeasibletocausethekeystobecomeinaccessible—freeingmemory,destroyingobjects,closingapplications,programmingusingtheminimumpossiblescopeforvariablescontainingkeys.
Likewise,ifkeysresideinmemorywithintheexecutioncontextofathird-partymodule,thentheTOEshouldtakewhateverfeasibleactionsitcantocausethekeystobedestroyed.
Cryptographickeysinnon-TOEvolatilememoryarenotcoveredbythisrequirement.ThisexpresslyincludeskeyscreatedandusedbyGuestVMs.TheGuestisresponsiblefordisposingofsuchkeys.
FCS_CKM_EXT.4.2TheTSFshallcausedisusedcryptographickeysinnon-volatilestoragetobedestroyedorrenderedunrecoverable.
ApplicationNote:Theultimategoalofthiselementistoensurethatdisusedcryptographickeysareinaccessiblenotonlytocomponentsoftherunningsystem,butarealsounrecoverablethroughforensicanalysisofdiscardedstoragemedia.Theelementisdesignedtoreflectthefactthatthelattermaynotbewhollypracticalatthistimeduetothewaysomestoragetechnologiesareimplemented(e.g.,wear-levelingofflashstorage).
Keystorageareasinnon-volatilestoragecanbeoverwrittenwithanyvaluethat
rendersthekeysunrecoverable.Thevalueusedcanbeallzeros,allones,oranyotherpatternorcombinationofvaluessignificantlydifferentthanthevalueofthekeyitself.
TheTSFmustdestroyallcopiesofcryptographickeyscreatedandmanagedbytheTOEoncethekeysarenolongerneeded.Sincethisisasoftware-onlyTOE,thehardwarecontrollersthatmanagenon-volatilestoragemediaarenecessarilyoutsidetheTOEboundary.Thus,theTOEmanufacturerislikelytohavelittlecontrolover—orinsightinto—thefunctioningofthesestoragedevices.TheTOEmustmakea“best-effort”todestroydisusedcryptographickeysbyinvokingtheappropriateplatforminterfaces—recognizingthatthespecificactionstakenbytheplatformareoutoftheTOE’scontrol.
ButincaseswheretheTOEhasinsightintothenon-volatilestoragetechnologiesusedbytheplatform,orwheretheTOEcanspecifyapreferenceormethodfordestroyingkeys,thedestructionshouldbeexecutedbyasingle,directoverwriteconsistingofpseudo-randomdataoranewkey,byarepeatingpatternofanystaticvalue,orbyablockerase.
Forkeysstoredonencryptedmedia,itissufficientforthemediaencryptionkeystobedestroyedforallkeysstoredonthemediatobeconsidereddestroyed.
EvaluationActivities
FCS_CKM_EXT.4:TSSTheevaluatorshallchecktoensuretheTSSlistseachtypeofkeyanditsoriginandlocationinmemoryorstorage.TheevaluatorshallverifythattheTSSdescribeswheneachtypeofkeyiscleared.TestsForeachkeyclearingsituationtheevaluatorshallperformoneofthefollowingactivities:
Theevaluatorshalluseappropriatecombinationsofspecializedoperationalordevelopmentenvironments,developmenttools(debuggers,emulators,simulators,etc.),orinstrumentedbuilds(developmental,debug,orrelease)todemonstratethatkeysareclearedcorrectly,includingallintermediatecopiesofthekeythatmayhavebeencreatedinternallybytheTOEduringnormalcryptographicprocessing.Incaseswheretestingrevealsthat3rd-partysoftwaremodulesorprogramminglanguagerun-timeenvironmentsdonotproperlyoverwritekeys,thisfactmustbedocumented.Likewise,itmustbedocumentedifthereisnopracticalwaytodeterminewhethersuchmodulesorenvironmentsdestroykeysproperly.Incaseswhereitisimpossibleorimpracticabletoperformtheabovetests,theevaluatorshalldescribehowkeysaredestroyedinsuchcases,toinclude:
WhichkeysareaffectedThereasonswhytestingisimpossibleorimpracticableEvidencethatkeysaredestroyedappropriately(e.g.,citationstocomponentdocumentation,componentdeveloper/vendorattestation,componentvendortestresults)Aggravatingandmitigatingfactorsthatmayaffectthetimelinessorexecutionofkeydestruction(e.g.,caching,garbagecollection,operatingsystemmemorymanagement)
UseofdebugorinstrumentedbuildsoftheTOEandTOEcomponentsispermittedinordertodemonstratethattheTOEtakesappropriateactiontodestroykeys.Thesebuildsshouldbebasedonthesamesourcecodeasarereleasebuilds(ofcourse,withinstrumentationanddebug-specificcodeadded).
FCS_COP.1/UDECryptographicOperation(AESDataEncryption/Decryption)FCS_COP.1.1/UDE
TheTSFshallperform[encryptionanddecryption]inaccordancewithaspecifiedcryptographicalgorithm[selection:
AESKeyWrap(KW)(asdefinedinNISTSP800-38F),AESKeyWrapwithPadding(KWP)(asdefinedinNISTSP800-38F),AES-GCM(asdefinedinNISTSP800-38D),AES-CCM(asdefinedinNISTSP800-38C),AES-XTS(asdefinedinNISTSP800-38E)mode,AES-CCMP-256(asdefinedinNISTSP800-38CandIEEE802.11ac-2013),AES-GCMP-256(asdefinedinNISTSP800-38DandIEEE802.11ac-2013),AES-CCMP(asdefinedinFIPSPUB197,NISTSP800-38CandIEEE802.11-2012),AES-CBC(asdefinedinFIPSPUB197,andNISTSP800-38A)mode,
AES-CTR(asdefinedinNISTSP800-38A)mode]andcryptographickeysizes[selection:128-bitkeysizes,256-bitkeysizes].
ApplicationNote:ForthefirstselectionofFCS_COP.1.1/UDE,theSTauthorshouldchoosethemodeormodesinwhichAESoperates.Forthesecondselection,theSTauthorshouldchoosethekeysizesthataresupportedbythisfunctionality.
EvaluationActivities
FCS_COP.1/UDE:AssuranceActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.
TestsAES-CBCTests
AES-CBCKnownAnswerTests
TherearefourKnownAnswerTests(KATs),describedbelow.InallKATs,theplaintext,ciphertext,andIVvaluesshallbe128-bitblocks.Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.
KAT-1.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplyasetof10plaintextvaluesandobtaintheciphertextvaluethatresultsfromAES-CBCencryptionofthegivenplaintextusingakeyvalueofallzerosandanIVofallzeros.Fiveplaintextvaluesshallbeencryptedwitha128-bitall-zeroskey,andtheotherfiveshallbeencryptedwitha256-bitall-zeroskey.
TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,using10ciphertextvaluesasinputandAES-CBCdecryption.
KAT-2.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplyasetof10keyvaluesandobtaintheciphertextvaluethatresultsfromAES-CBCencryptionofanall-zerosplaintextusingthegivenkeyvalueandanIVofallzeros.Fiveofthekeysshallbe128-bitkeys,andtheotherfiveshallbe256-bitkeys.
TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,usinganall-zerociphertextvalueasinputandAES-CBCdecryption.
KAT-3.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplythetwosetsofkeyvaluesdescribedbelowandobtaintheciphertextvaluethatresultsfromAESencryptionofanall-zerosplaintextusingthegivenkeyvalueandanIVofallzeros.Thefirstsetofkeysshallhave128128-bitkeys,andthesecondsetshallhave256256-bitkeys.KeyiineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezeros,foriin[1,N].
TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallsupplythetwosetsofkeyandciphertextvaluepairsdescribedbelowandobtaintheplaintextvaluethatresultsfromAES-CBCdecryptionofthegivenciphertextusingthegivenkeyandanIVofallzeros.Thefirstsetofkey/ciphertextpairsshallhave128128-bitkey/ciphertextpairs,andthesecondsetofkey/ciphertextpairsshallhave256256-bitkey/ciphertextpairs.KeyiineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezeros,foriin[1,N].Theciphertextvalueineachpairshallbethevaluethatresultsinanall-zerosplaintextwhendecryptedwithitscorrespondingkey.
KAT-4.TotesttheencryptfunctionalityofAES-CBC,theevaluatorshallsupplythesetof128plaintextvaluesdescribedbelowandobtainthetwociphertextvaluesthatresultfromAES-CBCencryptionofthegivenplaintextusinga128-bitkeyvalueofallzeroswithanIVofallzerosandusinga256-bitkeyvalueofallzeroswithanIVofallzeros,respectively.Plaintextvalueiineachsetshallhavetheleftmostibitsbeonesandtherightmost128-ibitsbezeros,foriin[1,128].
TotestthedecryptfunctionalityofAES-CBC,theevaluatorshallperformthesametestasforencrypt,usingciphertextvaluesofthesameformastheplaintextintheencrypttestasinputandAES-CBCdecryption.
AES-CBCMulti-BlockMessageTest
Theevaluatorshalltesttheencryptfunctionalitybyencryptingani-blockmessagewhere1<i�
10.Theevaluatorshallchooseakey,anIVandplaintextmessageoflengthiblocksandencryptthemessage,usingthemodetobetested,withthechosenkeyandIV.TheciphertextshallbecomparedtotheresultofencryptingthesameplaintextmessagewiththesamekeyandIVusingaknowngoodimplementation.
Theevaluatorshallalsotestthedecryptfunctionalityforeachmodebydecryptingani-blockmessagewhere1<i�10.Theevaluatorshallchooseakey,anIVandaciphertextmessageoflengthiblocksanddecryptthemessage,usingthemodetobetested,withthechosenkeyandIV.TheplaintextshallbecomparedtotheresultofdecryptingthesameciphertextmessagewiththesamekeyandIVusingaknowngoodimplementation.
AES-CBCMonteCarloTests
Theevaluatorshalltesttheencryptfunctionalityusingasetof200plaintext,IV,andkey3-tuples.100oftheseshalluse128bitkeys,and100shalluse256bitkeys.TheplaintextandIVvaluesshallbe128-bitblocks.Foreach3-tuple,1000iterationsshallberunasfollows:
#Input:PT,IV,Keyfori=1to1000:ifi==1:CT[1]=AES-CBC-Encrypt(Key,IV,PT)PT=IVelse:CT[i]=AES-CBC-Encrypt(Key,PT)PT=CT[i-1]
Theciphertextcomputedinthe1000thiteration(i.e.,CT[1000])istheresultforthattrial.Thisresultshallbecomparedtotheresultofrunning1000iterationswiththesamevaluesusingaknowngoodimplementation.
Theevaluatorshalltestthedecryptfunctionalityusingthesametestasforencrypt,exchangingCTandPTandreplacingAES-CBC-EncryptwithAES-CBC-Decrypt.
AES-CCMTests
Theevaluatorshalltestthegeneration-encryptionanddecryption-verificationfunctionalityofAES-CCMforthefollowinginputparameterandtaglengths:
128bitand256bitkeys
Twopayloadlengths.Onepayloadlengthshallbetheshortestsupportedpayloadlength,greaterthanorequaltozerobytes.Theotherpayloadlengthshallbethelongestsupportedpayloadlength,lessthanorequalto32bytes(256bits).
Twoorthreeassociateddatalengths.Oneassociateddatalengthshallbe0,ifsupported.Oneassociateddatalengthshallbetheshortestsupportedpayloadlength,greaterthanorequaltozerobytes.Oneassociateddatalengthshallbethelongestsupportedpayloadlength,lessthanorequalto32bytes(256bits).Iftheimplementationsupportsanassociateddatalengthof216bytes,anassociateddatalengthof216bytesshallbetested.
Noncelengths.Allsupportednoncelengthsbetween7and13bytes,inclusive,shallbetested.
Taglengths.Allsupportedtaglengthsof4,6,8,10,12,14and16bytesshallbetested.
Totestthegeneration-encryptionfunctionalityofAES-CCM,theevaluatorshallperformthefollowingfourtests:
Test1:ForEACHsupportedkeyandassociateddatalengthandANYsupportedpayload,nonceandtaglength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.Test2:ForEACHsupportedkeyandpayloadlengthandANYsupportedassociateddata,nonceandtaglength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.Test3:ForEACHsupportedkeyandnoncelengthandANYsupportedassociateddata,payloadandtaglength,theevaluatorshallsupplyonekeyvalueand10associateddata,payloadandnoncevalue3-tuplesandobtaintheresultingciphertext.Test4:ForEACHsupportedkeyandtaglengthandANYsupportedassociateddata,payloadandnoncelength,theevaluatorshallsupplyonekeyvalue,onenoncevalueand10pairsofassociateddataandpayloadvaluesandobtaintheresultingciphertext.
Todeterminecorrectnessineachoftheabovetests,theevaluatorshallcomparetheciphertextwiththeresultofgeneration-encryptionofthesameinputswithaknowngoodimplementation.
Totestthedecryption-verificationfunctionalityofAES-CCM,forEACHcombinationofsupportedassociateddatalength,payloadlength,noncelengthandtaglength,theevaluatorshallsupplyakeyvalueand15nonce,associateddataandciphertext3-tuplesandobtaineitheraFAILresult
oraPASSresultwiththedecryptedpayload.Theevaluatorshallsupply10tuplesthatshouldFAILand5thatshouldPASSpersetof15.
Additionally,theevaluatorshallusetestsfromtheIEEE802.11-02/362r6document“ProposedTestvectorsforIEEE802.11TGi”,datedSeptember10,2002,Section2.1AES-CCMPEncapsulationExampleandSection2.2AdditionalAESCCMPTestVectorstofurtherverifytheIEEE802.11-2007implementationofAES-CCMP.
AES-GCMTest
TheevaluatorshalltesttheauthenticatedencryptfunctionalityofAES-GCMforeachcombinationofthefollowinginputparameterlengths:
128bitand256bitkeys
Twoplaintextlengths.Oneoftheplaintextlengthsshallbeanon-zerointegermultipleof128bits,ifsupported.Theotherplaintextlengthshallnotbeanintegermultipleof128bits,ifsupported.
ThreeAADlengths.OneAADlengthshallbe0,ifsupported.OneAADlengthshallbeanon-zerointegermultipleof128bits,ifsupported.OneAADlengthshallnotbeanintegermultipleof128bits,ifsupported.
TwoIVlengths.If96bitIVissupported,96bitsshallbeoneofthetwoIVlengthstested.
Theevaluatorshalltesttheencryptfunctionalityusingasetof10key,plaintext,AAD,andIVtuplesforeachcombinationofparameterlengthsaboveandobtaintheciphertextvalueandtagthatresultsfromAES-GCMauthenticatedencrypt.Eachsupportedtaglengthshallbetestedatleastoncepersetof10.TheIVvaluemaybesuppliedbytheevaluatorortheimplementationbeingtested,aslongasitisknown.
Theevaluatorshalltestthedecryptfunctionalityusingasetof10key,ciphertext,tag,AAD,andIV5-tuplesforeachcombinationofparameterlengthsaboveandobtainaPass/FailresultonauthenticationandthedecryptedplaintextifPass.ThesetshallincludefivetuplesthatPassandfivethatFail.
Theresultsfromeachtestmayeitherbeobtainedbytheevaluatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.
XTS-AESTest
TheevaluatorshalltesttheencryptfunctionalityofXTS-AESforeachcombinationofthefollowinginputparameterlengths:
256bit(forAES-128)and512bit(forAES-256)keys
Threedataunit(i.e.,plaintext)lengths.Oneofthedataunitlengthsshallbeanon-zerointegermultipleof128bits,ifsupported.Oneofthedataunitlengthsshallbeanintegermultipleof128bits,ifsupported.Thethirddataunitlengthshallbeeitherthelongestsupporteddataunitlengthor216bits,whicheverissmaller.
usingasetof100(key,plaintextand128-bitrandomtweakvalue)3-tuplesandobtaintheciphertextthatresultsfromXTS-AESencrypt.
Theevaluatormaysupplyadataunitsequencenumberinsteadofthetweakvalueiftheimplementationsupportsit.Thedataunitsequencenumberisabase-10numberrangingbetween0and255thatimplementationsconverttoatweakvalueinternally.
TheevaluatorshalltestthedecryptfunctionalityofXTS-AESusingthesametestasforencrypt,replacingplaintextvalueswithciphertextvaluesandXTS-AESencryptwithXTS-AESdecrypt.
AESKeyWrap(AES-KW)andKeyWrapwithPadding(AES-KWP)Test
TheevaluatorshalltesttheauthenticatedencryptionfunctionalityofAES-KWforEACHcombinationofthefollowinginputparameterlengths:
128and256bitkeyencryptionkeys(KEKs)Threeplaintextlengths.Oneoftheplaintextlengthsshallbetwosemi-blocks(128bits).Oneoftheplaintextlengthsshallbethreesemi-blocks(192bits).Thethirddataunitlengthshallbethelongestsupportedplaintextlengthlessthanorequalto64semi-blocks(4096
bits).usingasetof100keyandplaintextpairsandobtaintheciphertextthatresultsfromAES-KWauthenticatedencryption.Todeterminecorrectness,theevaluatorshallusetheAES-KWauthenticated-encryptionfunctionofaknowngoodimplementation.
Theevaluatorshalltesttheauthenticated-decryptionfunctionalityofAES-KWusingthesametestasforauthenticated-encryption,replacingplaintextvalueswithciphertextvaluesandAES-KWauthenticated-encryptionwithAES-KWauthenticated-decryption.
Theevaluatorshalltesttheauthenticated-encryptionfunctionalityofAES-KWPusingthesametestasforAES-KWauthenticated-encryptionwiththefollowingchangeinthethreeplaintextlengths:
Oneplaintextlengthshallbeoneoctet.Oneplaintextlengthshallbe20octets(160bits).
Oneplaintextlengthshallbethelongestsupportedplaintextlengthlessthanorequalto512octets(4096bits).
Theevaluatorshalltesttheauthenticated-decryptionfunctionalityofAES-KWPusingthesametestasforAES-KWPauthenticated-encryption,replacingplaintextvalueswithciphertextvaluesandAES-KWPauthenticated-encryptionwithAES-KWPauthenticated-decryption.
AES-CTRTest
Test1:KnownAnswerTests(KATs)TherearefourKnownAnswerTests(KATs)describedbelow.ForallKATs,theplaintext,initializationvector(IV),andciphertextvaluesshallbe128-bitblocks.Theresultsfromeachtestmayeitherbeobtainedbythevalidatordirectlyorbysupplyingtheinputstotheimplementerandreceivingtheresultsinresponse.Todeterminecorrectness,theevaluatorshallcomparetheresultingvaluestothoseobtainedbysubmittingthesameinputstoaknowngoodimplementation.Test1a:Totesttheencryptfunctionality,theevaluatorshallsupplyasetof10plaintextvaluesandobtaintheciphertextvaluethatresultsfromencryptionofthegivenplaintextusingakeyvalueofallzerosandanIVofallzeros.Fiveplaintextvaluesshallbeencryptedwitha128-bitallzeroskey,andtheotherfiveshallbeencryptedwitha256-bitallzeroskey.Totestthedecryptfunctionality,theevaluatorshallperformthesametestasforencrypt,using10ciphertextvaluesasinput.
Test1b:Totesttheencryptfunctionality,theevaluatorshallsupplyasetof10keyvaluesandobtaintheciphertextvaluethatresultsfromencryptionofanallzerosplaintextusingthegivenkeyvalueandanIVofallzeros.Fiveofthekeyvaluesshallbe128-bitkeys,andtheotherfiveshallbe256-bitkeys.Totestthedecryptfunctionality,theevaluatorshallperformthesametestasforencrypt,usinganallzerociphertextvalueasinput.Test1c:Totesttheencryptfunctionality,theevaluatorshallsupplythetwosetsofkeyvaluesdescribedbelowandobtaintheciphertextvaluesthatresultfromAESencryptionofanallzerosplaintextusingthegivenkeyvaluesandanIVofallzeros.Thefirstsetofkeysshallhave128128-bitkeys,andthesecondshallhave256256-bitkeys.Key_iineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezeros,foriin[1,N].Totestthedecryptfunctionality,theevaluatorshallsupplythetwosetsofkeyandciphertextvaluepairsdescribedbelowandobtaintheplaintextvaluethatresultsfromdecryptionofthegivenciphertextusingthegivenkeyvaluesandanIVofallzeros.Thefirstsetofkey/ciphertextpairsshallhave128128-bitkey/ciphertextpairs,andthesecondsetofkey/ciphertextpairsshallhave256256-bitpairs.Key_iineachsetshallhavetheleftmostibitsbeonesandtherightmostN-ibitsbezerosforiin[1,N].Theciphertextvalueineachpairshallbethevaluethatresultsinanallzerosplaintextwhendecryptedwithitscorrespondingkey.
Test1d:Totesttheencryptfunctionality,theevaluatorshallsupplythesetof128plaintextvaluesdescribedbelowandobtainthetwociphertextvaluesthatresultfromencryptionofthegivenplaintextusinga128-bitkeyvalueofallzerosandusinga256bitkeyvalueofallzeros,respectively,andanIVofallzeros.Plaintextvalueiineachsetshallhavetheleftmostbitsbeonesandtherightmost128-ibitsbezeros,foriin[1,128].Totestthedecryptfunctionality,theevaluatorshallperformthesametestasforencrypt,usingciphertextvaluesofthesameformastheplaintextintheencrypttestasinput.
Test2:Multi-BlockMessageTestTheevaluatorshalltesttheencryptfunctionalitybyencryptingani-blockmessagewhere1less-thaniless-than-or-equalto10.Foreachitheevaluatorshallchooseakey,IV,andplaintextmessageoflengthiblocksandencryptthemessage,usingthemodetobetested,withthechosenkey.TheciphertextshallbecomparedtotheresultofencryptingthesameplaintextmessagewiththesamekeyandIVusingaknowngoodimplementation.Theevaluatorshallalsotestthedecryptfunctionalitybydecryptingani-blockmessagewhere1less-thaniless-than-or-equalto10.Foreachitheevaluatorshallchooseakeyanda
ciphertextmessageoflengthiblocksanddecryptthemessage,usingthemodetobetested,withthechosenkey.Theplaintextshallbecomparedtotheresultofdecryptingthesameciphertextmessagewiththesamekeyusingaknowngoodimplementation.
Test3:Monte-CarloTestForAES-CTRmodeperformtheMonteCarloTestforECBModeontheencryptionengineofthecountermodeimplementation.Thereisnoneedtotestthedecryptionengine.Theevaluatorshalltesttheencryptfunctionalityusing200plaintext/keypairs.100oftheseshalluse128bitkeys,and100oftheseshalluse256bitkeys.Theplaintextvaluesshallbe128-bitblocks.Foreachpair,1000iterationsshallberunasfollows:ForAES-ECBmode#Input:PT,Keyfori=1to1000:CT[i]=AES-ECB-Encrypt(Key,PT)PT=CT[i]Theciphertextcomputedinthe1000thiterationistheresultforthattrial.Thisresultshallbecomparedtotheresultofrunning1000iterationswiththesamevaluesusingaknowngoodimplementation.
If"invokeplatform-provided"isselected,theevaluatorconfirmsthatSSHconnectionsareonlysuccessfulifappropriatealgorithmsandappropriatekeysizesareconfigured.Todothis,theevaluatorshallperformthefollowingtests:
Test1:[Conditional:TOEisanSSHserver]TheevaluatorshallconfigureanSSHclienttoconnectwithaninvalidcryptographicalgorithmandkeysizeforeachlisteningSSHsocketconnectionontheTOE.TheevaluatorinitiatesSSHclientconnectionstoeachlisteningSSHsocketconnectionontheTOEandobservesthattheconnectionfailsineachattempt.Test2:[Conditional:TOEisanSSHclient]TheevaluatorshallconfigurealisteningSSHsocketonaremoteSSHserverthatacceptsonlyinvalidcryptographicalgorithmsandkeys.TheevaluatorusestheTOEtoattemptanSSHconnectiontothisserverandobservesthattheconnectionfails.
FCS_COP.1/HASHCryptographicOperation(Hashing)FCS_COP.1.1/HASH
TheTSFshallperform[cryptographichashing]inaccordancewithaspecifiedcryptographicalgorithm[selection:SHA-1,SHA-256,SHA-384,SHA-512,SHA-3-224,SHA-3-256,SHA-3-384,SHA-3-512]andmessagedigestsizes[selection:160,256,384,512bits]thatmeetthefollowing:[selection:FIPSPUB180-4"SecureHashStandard",ISO/IEC10118-3:2018]
ApplicationNote:PerNISTSP800-131A,SHA-1forgeneratingdigitalsignaturesisnolongerallowed,andSHA-1forverificationofdigitalsignaturesisstronglydiscouragedastheremayberiskinacceptingthesesignatures.ItisexpectedthatvendorswillimplementSHA-2algorithmsinaccordancewithSP800-131A.
Theintentofthisrequirementistospecifythehashingfunction.Thehashselectionshallsupportthemessagedigestsizeselection.Thehashselectionshouldbeconsistentwiththeoverallstrengthofthealgorithmused(forexample,SHA256for128-bitkeys).
EvaluationActivities
FCS_COP.1/HASH:TSSTheevaluatorshallcheckthattheassociationofthehashfunctionwithotherTSFcryptographicfunctions(forexample,thedigitalsignatureverificationfunction)isdocumentedintheTSS.GuidanceTheevaluatorcheckstheAGDdocumentstodeterminethatanyconfigurationthatisrequiredtobedonetoconfigurethefunctionalityfortherequiredhashsizesispresent.TestsSHA-1andSHA-2TestsTheTSFhashingfunctionscanbeimplementedinoneoftwomodes.Thefirstmodeisthebyteorientedmode.InthismodetheTSFonlyhashesmessagesthatareanintegralnumberofbytesinlength;i.e.,thelength(inbits)ofthemessagetobehashedisdivisibleby8.Thesecondmodeisthebitorientedmode.InthismodetheTSFhashesmessagesofarbitrarylength.Astherearedifferenttestsforeachmode,anindicationisgiveninthefollowingsectionsforthebitorientedvs.thebyteorientedtestmacs.
TheevaluatorshallperformallofthefollowingtestsforeachhashalgorithmimplementedbytheTSFandusedtosatisfytherequirementsofthisPP.
AssuranceActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.
ShortMessagesTestBit-orientedMode
Theevaluatorsdeviseaninputsetconsistingofm+1messages,wheremistheblocklengthofthehashalgorithm.Thelengthofthemessagesrangesequentiallyfrom0tombits.Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.
ShortMessagesTestByte-orientedMode
Theevaluatorsdeviseaninputsetconsistingofm/8+1messages,wheremistheblocklengthofthehashalgorithm.Thelengthofthemessagesrangesequentiallyfrom0tom/8bytes,witheachmessagebeinganintegralnumberofbytes.Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.
SelectedLongMessagesTestBit-orientedMode
Theevaluatorsdeviseaninputsetconsistingofmmessages,wheremistheblocklengthofthehashalgorithm.Thelengthoftheithmessageis512+99*i,where1�i�m.Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.
SelectedLongMessagesTestByte-orientedMode
Theevaluatorsdeviseaninputsetconsistingofm/8messages,wheremistheblocklengthofthehashalgorithm.Thelengthoftheithmessageis512+8*99*i,where1�i�m/8.Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.
Pseudo-randomlyGeneratedMessagesTest
Thistestisforbyte-orientedimplementationsonly.Theevaluatorsrandomlygenerateaseedthatisnbitslong,wherenisthelengthofthemessagedigestproducedbythehashfunctiontobetested.Theevaluatorsthenformulateasetof100messagesandassociateddigestsbyfollowingthealgorithmprovidedinFigure1of[SHAVS].TheevaluatorsthenensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.
SHA-3TestsThetestsbelowarederivedfromtheTheSecureHashAlgorithm-3ValidationSystem(SHA3VS),Updated:April7,2016,fromtheNationalInstituteofStandardsandTechnology.
ForeachSHA-3-XXXimplementation,XXXrepresentsd,thedigestlengthinbits.Thecapacity,c,isequalto2dbits.Therateisequalto1600-cbits.
TheTSFhashingfunctionscanbeimplementedwithoneoftwoorientations.Thefirstisabit-orientedmodethathashesmessagesofarbitrarylength.Thesecondisabyte-orientedmodethathashesmessagesthatareanintegralnumberofbytesinlength(i.e.,thelength(inbits)ofthemessagetobehashedisdivisibleby8).Separatetestsforeachorientationaregivenbelow.
TheevaluatorshallperformallofthefollowingtestsforeachhashalgorithmandorientationimplementedbytheTSFandusedtosatisfytherequirementsofthisPP.Theevaluatorshallcomparedigestvaluesproducedbyaknown-goodSHA-3implementationagainstthosegeneratedbyrunningthesamevaluesthroughtheTSF.
ShortMessagesTest,Bit-orientedMode
Theevaluatorsdeviseaninputsetconsistingofrate+1shortmessages.Thelengthofthemessagesrangessequentiallyfrom0toratebits.Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.Themessageoflength0isomittediftheTOEdoesnotsupportzero-lengthmessages.
ShortMessagesTest,Byte-orientedMode
Theevaluatorsdeviseaninputsetconsistingofrate/8+1shortmessages.Thelengthofthemessagesrangessequentiallyfrom0torate/8bytes,witheachmessagebeinganintegralnumberofbytes.Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.Themessageoflength0isomittediftheTOEdoesnotsupportzero-lengthmessages.
SelectedLongMessagesTest,Bit-orientedMode
Theevaluatorsdeviseaninputsetconsistingof100longmessagesranginginsizefromrate+(rate+1)torate+(100*(rate+1)),incrementingbyrate+1.(Forexample,SHA-3-256hasarateof1088bits.Therefore,100messageswillbegeneratedwithlengths2177,3266,…,109988bits.)Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.
SelectedLongMessagesTest,Byte-orientedMode
Theevaluatorsdeviseaninputsetconsistingof100messagesranginginsizefrom(rate+(rate+8))to(rate+100*(rate+8)),incrementingbyrate+8.(Forexample,SHA-3-256hasarateof1088bits.Therefore100messageswillbegeneratedoflengths2184,3280,4376,…,110688bits.)Themessagetextshallbepseudo-randomlygenerated.TheevaluatorscomputethemessagedigestforeachofthemessagesandensurethatthecorrectresultisproducedwhenthemessagesareprovidedtotheTSF.
Pseudo-randomlyGeneratedMessagesMonteCarlo)Test,Byte-orientedMode
Theevaluatorssupplyaseedofdbits(wheredisthelengthofthemessagedigestproducedbythehashfunctiontobetested.Thisseedisusedbyapseudorandomfunctiontogenerate100,000messagedigests.Onehundredofthedigests(every1000thdigest)arerecordedascheckpoints.TheTOEthenusesthesameproceduretogeneratethesame100,000messagedigestsand100checkpointvalues.TheevaluatorsthencomparetheresultsgeneratedensurethatthecorrectresultisproducedwhenthemessagesaregeneratedbytheTSF.
FCS_COP.1/SigCryptographicOperation(SignatureAlgorithms)FCS_COP.1.1/Sig
TheTSFshallperform[cryptographicsignatureservices(generationandverification)]inaccordancewithaspecifiedcryptographicalgorithm[selection:
RSAschemesusingcryptographickeysizes[2048-bitorgreater]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,Section4],ECDSAschemesusing[“NISTcurves”P-256,P-384and[selection:P-521,noothercurves]]thatmeetthefollowing:[FIPSPUB186-4,“DigitalSignatureStandard(DSS)”,Section5]
].
ApplicationNote:TheSTAuthorshouldchoosethealgorithmimplementedtoperformdigitalsignatures;ifmorethanonealgorithmisavailable,thisrequirementshouldbeiteratedtospecifythefunctionality.Forthealgorithmchosen,theSTauthorshouldmaketheappropriateassignments/selectionstospecifytheparametersthatareimplementedforthatalgorithm.
EvaluationActivities
FCS_COP.1/Sig:TestsAssuranceActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.
ECDSAAlgorithmTests
ECDSAFIPS186-4SignatureGenerationTest
ForeachsupportedNISTcurve(i.e.,P-256,P-384andP-521)andSHAfunctionpair,theevaluatorshallgenerate101024-bitlongmessagesandobtainforeachmessageapublickey
andtheresultingsignaturevaluesRandS.Todeterminecorrectness,theevaluatorshallusethesignatureverificationfunctionofaknowngoodimplementation.
ECDSAFIPS186-4SignatureVerificationTest
ForeachsupportedNISTcurve(i.e.,P-256,P-384andP-521)andSHAfunctionpair,theevaluatorshallgenerateasetof101024-bitmessage,publickeyandsignaturetuplesandmodifyoneofthevalues(message,publickeyorsignature)infiveofthe10tuples.Theevaluatorshallobtaininresponseasetof10PASS/FAILvalues.
RSASignatureAlgorithmTests
SignatureGenerationTest
TheevaluatorshallverifytheimplementationofRSASignatureGenerationbytheTOEusingtheSignatureGenerationTest.Toconductthistest,theevaluatorshallgenerateorobtain10messagesfromatrustedreferenceimplementationforeachmodulussize/SHAcombinationsupportedbytheTSF.TheevaluatorshallhavetheTOEusetheirprivatekeyandmodulusvaluetosignthesemessages.
TheevaluatorshallverifythecorrectnessoftheTSF’ssignatureusingaknowngoodimplementationandtheassociatedpublickeystoverifythesignatures.
SignatureVerificationTest
TheevaluatorshallperformtheSignatureVerificationtesttoverifytheabilityoftheTOEtorecognizeanotherparty’svalidandinvalidsignatures.TheevaluatorshallinjecterrorsintothetestvectorsproducedduringtheSignatureVerificationTestbyintroducingerrorsinsomeofthepublickeyse,messages,IRformat,and/orsignatures.TheTOEattemptstoverifythesignaturesandreturnssuccessorfailure.
TheevaluatorshallusethesetestvectorstoemulatethesignatureverificationtestusingthecorrespondingparametersandverifythattheTOEdetectstheseerrors.
FCS_COP.1/KeyHashCryptographicOperation(KeyedHashAlgorithms)FCS_COP.1.1/KeyHash
TheTSFshallperform[keyed-hashmessageauthentication]inaccordancewithaspecifiedcryptographicalgorithm[selection:HMAC-SHA-1,HMAC-SHA-256,HMAC-SHA-384,HMAC-SHA-512,SHA-3-224,SHA-3-256,SHA-3-384,SHA-3-512]andcryptographickeysizes[assignment:keysize(inbits)usedinHMAC]andmessagedigestsizes[selection:160,256,384,512bits]thatmeetthefollowing:[FIPSPub198-1,"TheKeyed-HashMessageAuthenticationCode,andFIPSPub180-4,“SecureHashStandard"].
ApplicationNote:Theselectioninthisrequirementmustbeconsistentwiththekeysizespecifiedforthesizeofthekeysusedinconjunctionwiththekeyed-hashmessageauthentication.
EvaluationActivities
FCS_COP.1/KeyHash:TSSTheevaluatorshallexaminetheTSStoensurethatitspecifiesthefollowingvaluesusedbytheHMACfunction:keylength,hashfunctionused,blocksize,andoutputMAClengthused.TestsAssuranceActivityNote:Thefollowingtestsrequirethedevelopertoprovideaccesstoatestplatformthatprovidestheevaluatorwithtoolsthataretypicallynotfoundonfactoryproducts.
Foreachofthesupportedparametersets,theevaluatorshallcompose15setsoftestdata.Eachsetshallconsistofakeyandmessagedata.TheevaluatorshallhavetheTSFgenerateHMACtagsforthesesetsoftestdata.TheresultingMACtagsshallbecomparedtotheresultofgeneratingHMACtagswiththesamekeyandIVusingaknowngoodimplementation.
FCS_ENT_EXT.1Extended:EntropyforVirtualMachinesFCS_ENT_EXT.1.1
TheTSFshallprovideamechanismtomakeavailabletoVMsentropythatmeetsFCS_RBG_EXT.1through[selection:Hypercallinterface,virtualdeviceinterface,passthroughaccesstohardwareentropysource].
FCS_ENT_EXT.1.2TheTSFshallprovideindependententropyacrossmultipleVMs.
ApplicationNote:ThisrequirementensuresthatsufficiententropyisavailabletoanyVMthatrequiresit.Theentropyneednotprovidehigh-qualityentropyforeverypossiblemethodthataVMmightacquireit.TheVMMmust,however,providesomemeansforVMstogetsufficiententropy.Forexample,theVMMcanprovideaninterfacethatreturnsentropytoaGuestVM.Alternatively,theVMMcouldprovidepass-throughaccesstoentropysourcesprovidedbythehostplatform.
Thisrequirementallowsforthreegeneralwaysofprovidingentropytoguests:1)TheVScanprovideaHypercallaccessibletoVM-awareguests,2)accesstoavirtualizeddevicethatprovidesentropy,or3)pass-throughaccesstoahardwareentropysource(includingasourceofrandomnumbers).Inallcases,itispossiblethattheguestismadeVM-awarethroughinstallationofsoftwareordrivers.Forthesecondandthirdcases,itispossiblethattheguestcouldbeVM-unaware.ThereisnorequirementthattheTOEprovideentropysourcesasexpectedbyVM-unawareguests.Thatis,theTOEdoesnothavetoanticipateeverywayaguestmighttrytoacquireentropyaslongasitsuppliesamechanismthatcanbeusedbyVM-awareguests,orprovidesaccesstoastandardmechanismthataVM-unawareguestwoulduse.
TheSTauthorshouldselect“Hypercallinterface”iftheTSFprovidesanAPIfunctionthroughwhichguest-residentsoftwarecanobtainentropyorrandomnumbers.TheSTauthorshouldselect“virtualdeviceinterface”iftheTSFpresentsavirtualdeviceinterfacetotheGuestOSthroughwhichitcanobtainentropyorrandomnumbers.Suchaninterfacecouldpresentavirtualizedrealdevice,suchasaTPM,thatcanbeaccessedbyVM-unawareguests,oravirtualizedfictionaldevicethatwouldrequiretheGuestOStobeVM-aware.TheSTauthorshouldselect“passthroughaccesstohardwareentropysource”iftheTSFpermitsGuestVMstohavedirectaccesstohardwareentropyorrandomnumbersourceontheplatform.TheSTauthorshouldselectallitemsthatareappropriate.
ForFCS_ENT_EXT.1.2,theVMMmustensurethattheprovisionofentropytooneVMcannotaffectthequalityofentropyprovidedtoanotherVMonthesameplatform.
EvaluationActivities
FCS_ENT_EXT.1:TSSTheevaluatorshallverifythattheTSSdescribeshowtheTOEprovidesentropytoGuestVM"s,andhowtoaccesstheinterfacetoacquireentropyorrandomnumbers.TheevaluatorshallverifythattheTSSdescribesthemechanismsforensuringthatoneVMdoesnotaffecttheentropyacquiredbyanother.TestsTheevaluatorshallperformthefollowingtests:
Test1:TheevaluatorshallinvokeentropyfromeachGuestVM.TheevaluatorshallverifythateachVMacquiresvaluesfromtheinterface.Test2:TheevaluatorshallinvokeentropyfrommultipleVMsasnearlysimultaneouslyaspracticable.TheevaluatorshallverifythattheentropyusedinoneVMisnotidenticaltothatinvokedfromtheotherVMs.
FCS_RBG_EXT.1CryptographicOperation(RandomBitGeneration)FCS_RBG_EXT.1.1
TheTSFshallperformalldeterministicrandombitgenerationservicesinaccordancewithNISTSpecialPublication800-90Ausing[selection:Hash_DRBG(any),HMAC_DRBG(any),CTR_DRBG(AES)]
FCS_RBG_EXT.1.2ThedeterministicRBGshallbeseededbyanentropysourcethataccumulatesentropyfrom[selection:asoftware-basednoisesource,ahardware-basednoisesource]withaminimumof[selection:128bits,192bits,256bits]ofentropyatleastequaltothegreatestsecuritystrengthaccordingtoNISTSP800-57,ofthekeysandhashesthatitwillgenerate.
ApplicationNote:NISTSP800-90Acontainsthreedifferentmethodsofgeneratingrandomnumbers;eachofthese,inturn,dependsonunderlyingcryptographicprimitives(hashfunctions/ciphers).TheSTauthorwillselectthe
functionused,andincludethespecificunderlyingcryptographicprimitivesusedintherequirement.Whileanyoftheidentifiedhashfunctions(SHA-1,SHA-224,SHA-256,SHA-384,SHA-44512)areallowedforHash_DRBGorHMAC_DRBG,onlyAES-basedimplementationsforCTR_DRBGareallowed.
IfthekeylengthfortheAESimplementationusedhereisdifferentthanthatusedtoencrypttheuserdata,thenFCS_COP.1/UDEmayhavetobeadjustedoriteratedtoreflectthedifferentkeylength.FortheselectioninFCS_RBG_EXT.1.2,theSTauthorselectstheminimumnumberofbitsofentropythatisusedtoseedtheRBG.
EvaluationActivities
FCS_RBG_EXT.1:Documentationshallbeproduced—andtheevaluatorshallperformtheactivities—inaccordancewithAppendixD,EntropyDocumentationandAssessment.
TestsTheevaluatorshallalsoperformthefollowingtests,dependingonthestandardtowhichtheRBGconforms.
Theevaluatorshallperform15trialsfortheRBGimplementation.IftheRBGisconfigurable,theevaluatorshallperform15trialsforeachconfiguration.TheevaluatorshallalsoconfirmthattheoperationalguidancecontainsappropriateinstructionsforconfiguringtheRBGfunctionality.
IftheRBGhaspredictionresistanceenabled,eachtrialconsistsof(1)instantiatedrbg,(2)generatethefirstblockofrandombits(3)generateasecondblockofrandombits(4)uninstantiate.Theevaluatorverifiesthatthesecondblockofrandombitsistheexpectedvalue.Theevaluatorshallgenerateeightinputvaluesforeachtrial.Thefirstisacount(0–14).Thenextthreeareentropyinput,nonce,andpersonalizationstringfortheinstantiateoperation.Thenexttwoareadditionalinputandentropyinputforthefirstcalltogenerate.Thefinaltwoareadditionalinputandentropyinputforthesecondcalltogenerate.Thesevaluesarerandomlygenerated.“generateoneblockofrandombits”meanstogeneraterandombitswithnumberofreturnedbitsequaltotheOutputBlockLength(asdefinedinNISTSP800-90A).
IftheRBGdoesnothavepredictionresistance,eachtrialconsistsof(1)instantiatedrbg,(2)generatethefirstblockofrandombits(3)reseed,(4)generateasecondblockofrandombits(5)uninstantiate.Theevaluatorverifiesthatthesecondblockofrandombitsistheexpectedvalue.Theevaluatorshallgenerateeightinputvaluesforeachtrial.Thefirstisacount(0–14).Thenextthreeareentropyinput,nonce,andpersonalizationstringfortheinstantiateoperation.Thefifthvalueisadditionalinputtothefirstcalltogenerate.Thesixthandseventhareadditionalinputandentropyinputtothecalltore-seed.Thefinalvalueisadditionalinputtothesecondgeneratecall.
Thefollowingparagraphscontainmoreinformationonsomeoftheinputvaluestobegenerated/selectedbytheevaluator.
Entropyinput:thelengthoftheentropyinputvaluemustequaltheseedlengthNonce:Ifanonceissupported(CTR_DRBGwithnodfdoesnotuseanonce),thenoncebitlengthisone-halftheseedlength.Personalizationstring:Thelengthofthepersonalizationstringmustbe<=seedlength.Iftheimplementationonlysupportsonepersonalizationstringlength,thenthesamelengthcanbeusedforbothvalues.Ifmorethanonestringlengthissupport,theevaluatorshallusepersonalizationstringsoftwodifferentlengths.Iftheimplementationdoesnotuseapersonalizationstring,novalueneedstobesupplied.Additionalinput:theadditionalinputbitlengthshavethesamedefaultsandrestrictionsasthepersonalizationstringlengths.
5.1.4UserDataProtection(FDP)
FDP_HBI_EXT.1Hardware-BasedIsolationMechanismsFDP_HBI_EXT.1.1
TheTSFshalluse[selection:nomechanism,[assignment:listofplatform-provided,hardware-basedmechanisms]]toconstrainaGuestVM'sdirectaccesstothefollowingphysicaldevices:[selection:nodevices,[assignment:physicaldevicestowhichtheVMMallowsGuestVMsphysicalaccess]].
ApplicationNote:TheTSFmustuseavailablehardware-basedisolationmechanismstoconstrainVMswhenVMshavedirectaccesstophysicaldevices.“Directaccess”inthiscontextmeansthattheVMcanreadorwritedevicememoryoraccessdeviceI/OportswithouttheVMMbeingabletointerceptandvalidateeverytransaction.
EvaluationActivities
FDP_HBI_EXT.1:TSSTheevaluatorshallensurethattheTSSprovidesevidencethathardware-basedisolationmechanismsareusedtoconstrainVMswhenVMshavedirectaccesstophysicaldevices,includinganexplanationoftheconditionsunderwhichtheTSFinvokestheseprotections.GuidanceTheevaluatorshallverifythattheoperationalguidancecontainsinstructionsonhowtoensurethattheplatform-provided,hardware-basedmechanismsareenabled.
FDP_PPR_EXT.1PhysicalPlatformResourceControlsFDP_PPR_EXT.1.1
TheTSFshallallowanauthorizedadministratortocontrolGuestVMaccesstothefollowingphysicalplatformresources:[assignment:listofphysicalplatformresourcestheVMMisabletocontrolaccessto].
FDP_PPR_EXT.1.2TheTSFshallexplicitlydenyallGuestVMsaccesstothefollowingphysicalplatformresources:[selection:nophysicalplatformresources,[assignment:listofphysicalplatformresourcestowhichaccessisexplicitlydenied]].
FDP_PPR_EXT.1.3TheTSFshallexplicitlyallowallGuestVMsaccesstothefollowingphysicalplatformresources:[selection:nophysicalplatformresources,[assignment:listofphysicalplatformresourcestowhichaccessisalwaysallowed]].
ApplicationNote:ThisrequirementspecifiesthattheVMMcontrolsaccesstophysicalplatformresources,andindicatesthatitmustbeconfigurable,butdoesnotspecifythemeansbywhichthatisdone.TheSTauthorshouldlistthephysicalplatformresourcesthatcanbeconfiguredforGuestVMaccessbytheadministrator.GuestVMsmaynotbealloweddirectaccesstocertainphysicalresources;thoseresourcesarelistedinthesecondelement.Iftherearenosuchresources,theSTauthorselects"nophysicalplatformresources".Likewise,anyresourcestowhichallGuestVMsautomaticallyhaveaccesstoarelistedinthethirdelement;iftherearenosuchresources,then"nophysicalplatformresources"isselected.
EvaluationActivities
FDP_PPR_EXT.1:TSSTheevaluatorshallexaminetheTSStodeterminethatitdescribesthemechanismbywhichtheVMMcontrolsaGuestVM'saccesstophysicalplatformresourcesisdescribed.ThisdescriptionshallcoverallofthephysicalplatformsallowedintheevaluatedconfigurationbytheST.ThisdescriptionshallincludehowtheVMMdistinguishesamongGuestVMs,andhoweachphysicalplatformresourcethatiscontrollable(thatis,listedintheassignmentstatementinthefirstelement)isidentified.TheevaluatorshallensurethattheTSSdescribeshowtheGuestVMisassociatedwitheachphysicalresources,andhowotherGuestVMscannotaccessaphysicalresourcewithoutbeinggrantedexplicitaccess.ForTOEsthatimplementarobustinterface(otherthanjust"allowaccess"or"denyaccess"),theevaluatorshallensurethattheTSSdescribesthepossibleoperationsormodesofaccessbetweenaGuestVMsandphysicalplatformresources.
Ifphysicalresourcesarelistedinthesecondelement,theevaluatorshallexaminetheTSSandoperationalguidancetodeterminethatthereappearstobenowaytoconfigurethoseresourcesforaccessbyaGuestVM.Theevaluatorshalldocumentintheevaluationreporttheiranalysisofwhythecontrolsofferedtoconfigureaccesstophysicalresourcescan'tbeusedtospecifyaccesstotheresourcesidentifiedinthesecondelement(forexample,iftheinterfaceoffersadrop-downlistofresourcestoassign,andthedeniedresourcesarenotincludedonthatlist,thatwouldbesufficientjustificationintheevaluationreport).GuidanceTheevaluatorshallexaminetheoperationalguidancetodeterminethatitdescribeshowanadministratorisabletoconfigureaccesstophysicalplatformresourcesforGuestVMsforeachplatformallowedintheevaluatedconfigurationaccordingtotheST.Theevaluatorshallalsodeterminethattheoperationalguidanceidentifiesthoseresourceslistedinthesecondandthirdelementsofthecomponentandnotesthataccesstotheseresourcesisexplicitlydenied/allowed,respectively.TestsUsingtheoperationalguidance,theevaluatorshallperformthefollowingtestsforeachphysical
platformidentifiedintheST:
Test1:Foreachphysicalplatformresourceidentifiedinthefirstelement,theevaluatorshallconfigureaGuestVMtohaveaccesstothatresourceandshowthattheGuestVMisabletosuccessfullyaccessthatresource.Test2:Foreachphysicalplatformresourceidentifiedinthefirstelement,theevaluatorshallconfigurethesystemsuchthataGuestVMdoesnothaveaccesstothatresourceandshowthattheGuestVMisunabletosuccessfullyaccessthatresource.Test3:[conditional]:ForTOEsthathavearobustcontrolinterface,theevaluatorshallexerciseeachelementoftheinterfaceasdescribedintheTSSandtheoperationalguidancetoensurethatthebehaviordescribedintheoperationalguidanceisexhibited.Test4:[conditional]:IftheTOEexplicitlydeniesaccesstocertainphysicalresources,theevaluatorshallattempttoaccesseachlisted(inFDP_PPR_EXT.1.2)physicalresourcefromaGuestVMandobservethataccessisdenied.Test5:[conditional]:IftheTOEexplicitlyallowsaccesstocertainphysicalresources,theevaluatorshallattempttoaccesseachlisted(inFDP_PPR_EXT.1.3)physicalresourcefromaGuestVMandobservethattheaccessisallowed.IftheoperationalguidancespecifiesthataccessisallowedsimultaneouslybymorethanoneGuestVM,theevaluatorshallattempttoaccesseachresourcelistedfrommorethanoneGuestVMandshowthataccessisallowed.
FDP_RIP_EXT.1ResidualInformationinMemoryFDP_RIP_EXT.1.1
TheTSFshallensurethatanypreviousinformationcontentofphysicalmemoryisclearedpriortoallocationtoaGuestVM.
ApplicationNote:PhysicalmemorymustbezeroedbeforeitismadeaccessibletoaVMforgeneralusebyaGuestOS.
ThepurposeofthisrequirementistoensurethataVMdoesnotreceivememorycontainingdatapreviouslyusedbyanotherVMorthehost.
“Forgeneraluse”meansforusebytheGuestOSinitspagetablesforrunningapplicationsorsystemsoftware.
ThisdoesnotapplytopagessharedbydesignorpolicybetweenVMsorbetweentheVMMsandVMs,suchasread-onlyOSpagesorpagesusedforvirtualdevicebuffers.
EvaluationActivities
FDP_RIP_EXT.1:TSSTheevaluatorshallensurethattheTSSdocumentstheprocessusedforclearingphysicalmemorypriortoallocationtoaGuestVM,providingdetailsonwhenandhowthisisperformed.Additionally,theevaluatorshallensurethattheTSSdocumentstheconditionsunderwhichphysicalmemoryisnotclearedpriortoallocationtoaGuestVM,anddescribeswhenandhowthememoryiscleared.
FDP_RIP_EXT.2ResidualInformationonDiskFDP_RIP_EXT.2.1
TheTSFshallensurethatanypreviousinformationcontentofphysicaldiskstorageisclearedtozerospriortoallocationtoaGuestVM.
ApplicationNote:DiskstoragemustbezeroedbeforeitismadeaccessibletoaVMforusebyaGuestOS.
ThepurposeofthisrequirementistoensurethataVMdoesnotreceivediskstoragecontainingdatapreviouslyusedbyanotherVMorthehost.
Thisdoesnotapplytodisk-residentfilessharedbydesignorpolicybetweenVMsorbetweentheVMMsandVMs,suchasread-onlydatafilesorfilesusedforinter-VMdatatransferspermittedbypolicy.
EvaluationActivities
FDP_RIP_EXT.2:TSS
TheevaluatorshallensurethattheTSSdocumentstheconditionsunderwhichphysicaldiskstorageisnotclearedpriortoallocationtoaGuestVM.TheevaluatorshallalsoensurethattheTSSdocumentsthemetadatausedinitsvirtualdiskfiles.TestsTheevaluatorshallperformthefollowingtest:
Test1:Onthehost,theevaluatorcreatesafilethatismorethanhalfthesizeofaconnectedphysicalstoragedevice(ormultiplefileswhoseindividualsizesadduptomorethanhalfthesizeofthestoragemedia).Thisfile(orfiles)shallbefilledentirelywithanon-zerovalue.Then,thefile(orfiles)shallbereleased(freedforusebutnotcleared).Next,theevaluator(asaVSAdministrator)createsavirtualdiskatleastthatlargeonthesamephysicalstoragedeviceandconnectsittoapowered-offVM.Then,fromoutsidetheGuestVM,scanthroughandcheckthatallthenon-metadata(asdocumentedintheTSS)inthefilecorrespondingtothatvirtualdiskissettozero.
FDP_VMS_EXT.1VMSeparationFDP_VMS_EXT.1.1
TheVSshallprovidethefollowingmechanismsfortransferringdatabetweenGuestVMs:[selection:
nomechanism,virtualnetworking,[assignment:otherinter-VMdatasharingmechanisms]
].
FDP_VMS_EXT.1.2TheTSFshallallowAdministratorstoconfigurethemechanismsselectedinFDP_VMS_EXT.1.1toenableanddisablethetransferofdatabetweenGuestVMs.
FDP_VMS_EXT.1.3TheVSshallensurethatnoGuestVMisabletoreadortransferdatatoorfromanotherGuestVMexceptthroughthemechanismslistedinFDP_VMS_EXT.1.1.
ApplicationNote:ThefundamentalrequirementofaVirtualizationSystemistheabilitytoenforceseparationbetweeninformationdomainsimplementedasVirtualMachinesandVirtualNetworks.TheintentofthisrequirementistoensurethatVMs,VMMs,andtheVSasawholeisimplementedwiththisfundamentalrequirementinmind.
TheSTauthorshouldselect“nomechanism”intheunlikelyeventthattheVSimplementsnomechanismsfortransferringdatabetweenGuestVMs.Otherwise,theSTauthorshouldselect“virtualnetworking”andidentifyallothermechanismsthroughwhichdatacanbetransferredbetweenGuestVMs.ThisshouldbethesamelistofmechanismssuppliedforFMT_MSA_EXT.1.
Examplesofnon-networkinter-VMsharingmechanismsare:
Userinterface-basedmechanisms,suchascopy-pasteanddrag-and-dropSharedvirtualorphysicaldevicesAPI-basedmechanismssuchasHypercalls
FordatatransfermechanismsimplementedintermsofHypercallfunctions,FDP_VMS_EXT.1.2ismetifFPT_HCL_EXT.1.2ismetforthoseHypercallfunctions(VMaccesstoHypercallfunctionsisconfigurable).
Fordatatransfermechanismsthatusesharedphysicaldevices,FDP_VMS_EXT.1.2ismetifthedeviceislistedinandmeetsFDP_PPR_EXT.1.1(VMaccesstothephysicaldeviceisconfigurable).
Fordatatransfermechanismsthatusevirtualnetworking,FDP_VMS_EXT.1.2ismetifFDP_VNC_EXT.1.1ismet(VMaccesstovirtualnetworksisconfigurable).
EvaluationActivities
FDP_VMS_EXT.1:TSSTheevaluatorshallexaminetheTSStoverifythatitdocumentsallinter-VMcommunicationsmechanisms(asdefinedabove),andexplainshowtheTSFpreventsthetransferofdatabetweenVMsoutsideofthemechanismslistedinFDP_VMS_EXT.1.1.Guidance
Theevaluatorshallexaminetheoperationalguidancetoensurethatitdocumentshowtoconfigureallinter-VMcommunicationsmechanisms,includinghowtheyareinvokedandhowtheyaredisabled.TestsTheevaluatorshallperformthefollowingtestsforeachdocumentedinter-VMcommunicationschannel:
Test1:a. CreatetwoVMswithoutspecifyinganycommunicationsmechanismoroverridingthe
defaultconfiguration.b. TestthatthetwoVMscannotcommunicatethroughthemechanismsselectedin
FMT_MSA_EXT.1.1.c. CreatetwonewVMs,overridingthedefaultconfigurationtoallowcommunications
throughachannelselectedinFMT_MSA_EXT.1.1.d. TestthatcommunicationscanbepassedbetweentheVMsthroughthechannel.e. CreatetwonewVMs,thefirstwiththeinter-VMcommunicationschannelcurrently
beingtestedenabled,andthesecondwiththeinter-VMcommunicationschannelcurrentlybeingtesteddisabled.
f. TestthatcommunicationscannotbepassedbetweentheVMsthroughthechannel.g. AsanAdministrator,enableinter-VMcommunicationsbetweentheVMsonthesecond
VM.h. Testthatcommunicationscanbepassedthroughtheinter-VMchannel.i. AsanAdministratoragain,disableinter-VMcommunicationsbetweenthetwoVMs.j. Testthatcommunicationscannolongerbepassedthroughthechannel.
FDP_VMS_EXT.1.2ismetifcommunicationissuccessfulinstep(d)andunsuccessfulinstep(f).
FMT_MSA_EXT.1.1ismetifcommunicationisunsuccessfulinstep(b).FMT_MSA_EXT.1.2ismetifcommunicationissuccessfulinstep(d).Additionally,FMT_MSA_EXT.1requiresthattheevaluatorverifiesthattheTSSdocumentstheinter-VMcommunicationsmechanismsasdescribedabove.
FDP_VNC_EXT.1VirtualNetworkingComponentsFDP_VNC_EXT.1.1
TheTSFshallallowAdministratorstoconfigurevirtualnetworkingcomponentstoconnectVMstoeachother,andtophysicalnetworks.
FDP_VNC_EXT.1.2TheTSFshallensurethatnetworktrafficvisibletoaGuestVMonavirtualnetwork--orvirtualsegmentofaphysicalnetwork--isvisibleonlytoGuestVMsconfiguredtobeonthatvirtualnetworkorsegment.
ApplicationNote:Virtualnetworksmustbeisolatedfromoneanothertoprovideassurancecommensuratewiththatprovidedbyphysicallyseparatenetworks.ItmustnotbepossiblefordatatocrossbetweenproperlyconfiguredvirtualnetworksregardlessofwhetherthetrafficoriginatedfromalocalGuestVMoraremotehost.
UnprivilegedusersmustnotbeabletoconnectVMstoeachotherortoexternalnetworks.
EvaluationActivities
FDP_VNC_EXT.1:TSSTheevaluatorshallexaminetheTSS(oraproprietaryannex)toverifythatitdescribesthemechanismbywhichvirtualnetworktrafficisensuredtobevisibleonlytoGuestVMsconfiguredtobeonthatvirtualnetwork.GuidanceTheevaluatormustensurethattheOperationalGuidancedescribeshowtocreatevirtualizednetworksandconnectVMstoeachotherandtophysicalnetworks.Tests
Test1:TheevaluatorshallassumetheroleoftheAdministratorandattempttoconfigureaVMtoconnecttoanetworkcomponent.Theevaluatorshallverifythattheattemptissuccessful.Theevaluatorshallthenassumetheroleofanunprivilegeduserandattemptthesameconnection.Iftheattemptfails,orthereisnowayforanunprivilegedusertoconfigureVMnetworkconnections,therequirementismet.Test2:TheevaluatorshallassumetheroleoftheAdministratorandattempttoconfigureaVMtoconnecttoaphysicalnetwork.Theevaluatorshallverifythattheattemptissuccessful.Theevaluatorshallthenassumetheroleofanunprivilegeduserandmakethesameattempt.Iftheattemptfails,orthereisnowayforanunprivilegedusertoconfigure
VMnetworkconnections,therequirementismet.
5.1.5IdentificationandAuthentication(FIA)
FIA_AFL_EXT.1AuthenticationFailureHandlingFIA_AFL_EXT.1.1
TheTSFshalldetectwhen[selection:[assignment:apositiveintegernumber],anadministratorconfigurablepositiveintegerwithina[assignment:rangeofacceptablevalues]
]unsuccessfulauthenticationattemptsoccurrelatedtoAdministratorsattemptingtoauthenticateremotelyusing[selection:usernameandpassword,usernameandPIN].
FIA_AFL_EXT.1.2Whenthedefinednumberofunsuccessfulauthenticationattemptshasbeenmet,theTSFshall:[selection:preventtheoffendingAdministratorfromsuccessfullyestablishingremotesessionusinganyauthenticationmethodthatinvolvesapasswordorPINuntil[assignment:actiontounlock]istakenbyanAdministrator,preventtheoffendingAdministratorfromsuccessfullyestablishingremotesessionusinganyauthenticationmethodthatinvolvesapasswordorPINuntilanAdministratordefinedtimeperiodhaselapsed]
ApplicationNote:TheactiontobetakenshallbepopulatedintheselectionoftheSTanddefinedintheAdministratorguidance.
ThisrequirementappliestoadefinednumberofsuccessiveunsuccessfulremotepasswordorPIN-basedauthenticationattemptsanddoesnotapplytolocalAdministrativeaccess.CompliantTOEsmayoptionallyincludecryptographicauthenticationfailuresandlocalauthenticationfailuresinthenumberofunsuccessfulauthenticationattempts.
EvaluationActivities
FIA_AFL_EXT.1:TestsTheevaluatorshallperformthefollowingtestsforeachcredentialselectedinFIA_AFL_EXT.1.1:
Test1:TheevaluatorwillsetanAdministrator-configurablethresholdnforfailedattempts,ornotetheST-specifiedassignment.
Test1:Theevaluatorwillattempttoauthenticateremotelywiththecredentialn-1times.Theevaluatorwillthenattempttoauthenticateusingagoodcredentialandverifythatauthenticationissuccessful.Test2:Theevaluatorwillmakenattemptstoauthenticateusingabadcredential.Theevaluatorwillthenattempttoauthenticateusingagoodcredentialandverifythattheattemptisunsuccessful.NotethattheauthenticationattemptsandlockoutsmustalsobeloggedasspecifiedinFAU_GEN.1.Test3:Afterreachingthelimitforunsuccessfulauthenticationattemptstheevaluatorwillproceedasfollows:
Test1:IftheAdministratoractionselectioninFIA_AFL_EXT.1.2isselected,thentheevaluatorwillconfirmbytestingthatfollowingtheoperationalguidanceandperformingeachactionspecifiedintheSTtore-enabletheremoteAdministrator’saccessresultsinsuccessfulaccess(whenusingvalidcredentialsforthatAdministrator).Test2:IfthetimeperiodselectioninFIA_AFL_EXT.1.2isselected,theevaluatorwillwaitforjustlessthanthetimeperiodconfiguredandshowthatanauthenticationattemptusingvalidcredentialsdoesnotresultinsuccessfulaccess.Theevaluatorwillthenwaituntiljustafterthetimeperiodconfiguredandshowthatanauthenticationattemptusingvalidcredentialsresultsinsuccessfulaccess.
FIA_UAU.5MultipleAuthenticationMechanismsFIA_UAU.5.1
TheTSFshallprovidethefollowingauthenticationmechanisms:[selection:[selection:local,directory-based]authenticationbasedonusernameandpassword,authenticationbasedonusernameandaPINthatreleasesanasymmetrickeystoredinOE-protectedstorage,
[selection:local,directory-based]authenticationbasedonX.509certificates,[selection:local,directory-based]authenticationbasedonanSSHpublickeycredential
]tosupportAdministratorauthentication.
ApplicationNote:Selectionof‘authenticationbasedonusernameandpassword’requiresthatFIA_PMG_EXT.1beincludedintheST.ThisalsorequiresthattheSTincludeamanagementfunctionforpasswordmanagement.IftheSTauthorselects‘authenticationbasedonanSSHpublic-keycredential’,theTSFshallbevalidatedagainsttheFunctionalPackageforSecureShell.TheSTmustincludeFIA_X509_EXT.1if'authenticationbasedonX.509certificates'isselected.
PINsusedtoaccessOE-protectedstoragearesetandmanagedbytheOE-protectedstoragemechanism.ThusrequirementsonPINmanagementareoutsidethescopeoftheTOE.
FIA_UAU.5.2TheTSFshallauthenticateanyAdministrator’sclaimedidentityaccordingtothe[assignment:rulesdescribinghowthemultipleauthenticationmechanismsprovideauthentication].
EvaluationActivities
FIA_UAU.5:TestsIf‘usernameandpasswordauthentication‘isselected,theevaluatorwillconfiguretheVSwithaknownusernameandpasswordandconductthefollowingtests:
Test1:TheevaluatorwillattempttoauthenticatetotheVSusingtheknownusernameandpassword.Theevaluatorwillensurethattheauthenticationattemptissuccessful.Test2:TheevaluatorwillattempttoauthenticatetotheVSusingtheknownusernamebutanincorrectpassword.Theevaluatorwillensurethattheauthenticationattemptisunsuccessful.
If‘usernameandPINthatreleasesanasymmetrickey‘isselected,theevaluatorwillexaminetheTSSforguidanceonsupportedprotectedstorageandwillthenconfiguretheTOEorOEtoestablishaPINwhichenablesreleaseoftheasymmetrickeyfromtheprotectedstorage(suchasaTPM,ahardwaretoken,orisolatedexecutionenvironment)withwhichtheVScaninterface.Theevaluatorwillthenconductthefollowingtests:
Test1:TheevaluatorwillattempttoauthenticatetotheVSusingtheknownusernameandPIN.Theevaluatorwillensurethattheauthenticationattemptissuccessful.Test2:TheevaluatorwillattempttoauthenticatetotheVSusingtheknownusernamebutanincorrectPIN.Theevaluatorwillensurethattheauthenticationattemptisunsuccessful.
If‘X.509certificateauthentication‘isselected,theevaluatorwillgenerateanX.509v3certificateforanAdministratoruserwiththeClientAuthenticationEnhancedKeyUsagefieldset.TheevaluatorwillprovisiontheVSforauthenticationwiththeX.509v3certificate.TheevaluatorwillensurethatthecertificatesarevalidatedbytheVSasperFIA_X509_EXT.1.1andthenconductthefollowingtests:
Test1:TheevaluatorwillattempttoauthenticatetotheVSusingtheX.509v3certificate.Theevaluatorwillensurethattheauthenticationattemptissuccessful.Test2:Theevaluatorwillgenerateasecondcertificateidenticaltothefirstexceptforthepublickeyandanyvaluesderivedfromthepublickey.TheevaluatorwillattempttoauthenticatetotheVSwiththiscertificate.Theevaluatorwillensurethattheauthenticationattemptisunsuccessful.
If‘SSHpublic-keycredentialauthentication‘isselected,theevaluatorshallgenerateapublic-privatehostkeypairontheTOEusingRSAorECDSA,andasecondpublic-privatekeypaironaremoteclient.TheevaluatorshallprovisiontheVSwiththeclientpublickeyforauthenticationoverSSH,andconductthefollowingtests:
Test1:TheevaluatorwillattempttoauthenticatetotheVSusingamessagesignedbytheclientprivatekeythatcorrespondstoprovisionedclientpublickey.Theevaluatorwillensurethattheauthenticationattemptissuccessful.Test2:TheevaluatorwillgenerateasecondclientkeypairandwillattempttoauthenticatetotheVSwiththeprivatekeyoverSSHwithoutfirstprovisioningtheVStosupportthenewkeypair.Theevaluatorwillensurethattheauthenticationattemptisunsuccessful.
FIA_UIA_EXT.1AdministratorIdentificationandAuthenticationFIA_UIA_EXT.1.1
TheTSFshallrequireAdministratorstobesuccessfullyidentifiedandauthenticatedusingoneofthemethodsinFIA_UAU.5beforeallowinganyTSF-mediatedmanagementfunctiontobeperformedbythatAdministrator.
ApplicationNote:Usersdonothavetoauthenticate,onlyAdministratorsneedtoauthenticate.
EvaluationActivities
FIA_UIA_EXT.1:TSSTheevaluatorshallexaminetheTSStodeterminethatitdescribesthelogonprocessforeachlogonmethod(local,remote(HTTPS,SSH,etc.))supportedfortheproduct.Thisdescriptionshallcontaininformationpertainingtothecredentialsallowed/used,anyprotocoltransactionsthattakeplace,andwhatconstitutesa“successfullogon”.Theevaluatorshallexaminetheoperationalguidancetodeterminethatanynecessarypreparatorysteps(e.g.,establishingcredentialmaterialsuchaspre-sharedkeys,tunnels,certificates,etc.)tologginginaredescribed.Foreachsupportedtheloginmethod,theevaluatorshallensuretheoperationalguidanceprovidesclearinstructionsforsuccessfullyloggingon.Ifconfigurationisnecessarytoensuretheservicesprovidedbeforeloginarelimited,theevaluatorshalldeterminethattheoperationalguidanceprovidessufficientinstructiononlimitingtheallowedservices.
5.1.6SecurityManagement(FMT)
FMT_MSA_EXT.1DefaultDataSharingConfigurationFMT_MSA_EXT.1.1
TheTSFshallbydefaultenforceapolicyprohibitingsharingofdatabetweenGuestVMs.
FMT_MSA_EXT.1.2TheTSFshallallowAdministratorstospecifyalternativeinitialconfigurationvaluestooverridethedefaultvalueswhenaGuestVMiscreated.
ApplicationNote:Bydefault,theVMMmustenforceapolicyprohibitingsharingofdatabetweenVMs.ThedefaultpolicyappliestoallmechanismsforsharingdatabetweenVMs,includinginter-VMcommunicationchannels,sharedphysicaldevices,sharedvirtualdevices,andvirtualnetworks.Thedefaultpolicydoesnotapplytocovertchannelsandarchitecturalside-channels.
ThelistofdatasharingmechanismsimplementedbytheTOEiscontainedintheselectioninFDP_VMS_EXT.1.1.Examplesofnon-networkinter-VMsharingmechanismsare:
Userinterface-basedmechanisms,suchascopy-pasteanddrag-and-dropSharedvirtualorphysicaldevicesAPI-basedmechanismssuchasHypercalls
.
EvaluationActivities
FMT_MSA_EXT.1:TestsThisrequirementismetifFDP_VMS_EXT.1ismet.
FMT_SMO_EXT.1SeparationofManagementandOperationalNetworksFMT_SMO_EXT.1.1
TheTSFshallsupporttheconfigurationofseparatemanagementandoperationalnetworksthrough[selection:physicalmeans,logicalmeans,trustedchannel].
ApplicationNote:Managementcommunicationsmustbeseparatefromuserworkloads.Administrativecommunications—includingcommunicationsbetweenphysicalhostsconcerningloadbalancing,auditdata,VMstartupandshutdown—mustbeseparatefromguestoperationalnetworks.
“Physicalmeans”referstousingseparatephysicalnetworksformanagementandoperationalnetworks.Forexample,themachinesinthemanagementnetworkareconnectedbyseparatecablespluggedintoseparateanddedicatedphysicalportsoneachphysicalhost.
“Logicalmeans”referstousingseparatenetworkcablestoconnectphysicalhoststogetherusinggeneral-purposenetworkingports.Themanagementandoperationalnetworksarekeptseparatewithinthehostsusingseparatevirtualizednetworkingcomponents.
IftheSTauthorselects“trustedchannel”,thentheprotocolsusedfornetworkseparationmustbeselectedinFTP_ITC_EXT.1.
EvaluationActivities
FMT_SMO_EXT.1:TSSTheevaluatorshallexaminetheTSStoverifythatitdescribeshowmanagementandoperationalnetworksmaybeseparated.GuidanceTheevaluatorshallexaminetheoperationalguidancetoverifythatitdetailshowtoconfiguretheVSwithseparateManagementandOperationalNetworks.TestsTheevaluatorshallconfigurethemanagementnetworkasdocumented.Ifseparationiscryptographicorlogical,thentheevaluatorshallcapturepacketsonthemanagementnetwork.IfGuestnetworktrafficisdetected,therequirementisnotmet.
5.1.7ProtectionoftheTSF(FPT)
FPT_DVD_EXT.1Non-ExistenceofDisconnectedVirtualDevicesFPT_DVD_EXT.1.1
TheTSFshalllimitaGuestVM’saccesstovirtualdevicestothosethatarepresentintheVM’scurrentvirtualhardwareconfiguration.
ApplicationNote:ThevirtualizedhardwareabstractionimplementedbyaparticularVSmightincludethevirtualizedinterfacesformanydifferentdevices.SometimesthesedevicesarenotpresentinaparticularinstantiationofaVM.TheinterfacefordevicesnotpresentmustnotaccessiblebytheVM.
SuchinterfacesincludememorybuffersandprocessorI/Oports.
ThepurposeofthisrequirementistoreducetheattacksurfaceoftheVMMbyclosingunusedinterfaces.
EvaluationActivities
FPT_DVD_EXT.1:TestsTheevaluatorshallconnectadevicetoaVM,thenusingadevicedriverrunningintheguest,scantheVM'sprocessorI/Oportstoensurethatthedevice'sportsarepresent.(Thedevice'sinterfaceshouldbedocumentedintheTSSunderFPT_VDP_EXT.1.)TheevaluatorshallremovethedevicefromtheVMandrunthescanagain.Thisrequirementismetifthedevice'sI/Oportsarenolongerpresent.
FPT_EEM_EXT.1ExecutionEnvironmentMitigationsFPT_EEM_EXT.1.1
TheTSFshalltakeadvantageofexecutionenvironment-basedvulnerabilitymitigationmechanismssupportedbythePlatformsuchas:[selection:
Addressspacerandomization,Memoryexecutionprotection(e.g.,DEP),Stackbufferoverflowprotection,Heapcorruptiondetection,[assignment:othermechanisms],Nomechanisms
]
ApplicationNote:Processormanufacturers,compilerdevelopers,andoperatingsystemvendorshavedevelopedexecutionenvironment-basedmitigationsthatincreasethecosttoattackersbyaddingcomplexitytothetaskofcompromisingsystems.SoftwarecanoftentakeadvantageofthesemechanismsbyusingAPIsprovidedbytheoperatingsystemorbyenablingthemechanismthroughcompilerorlinkeroptions.
ThisrequirementdoesnotmandatethattheseprotectionsbeenabledthroughouttheVirtualizationSystem—onlythattheybeenabledwheretheyhavelikelyimpact.Forexample,codethatreceivesandprocessesuserinputshouldtakeadvantageofthesemechanisms.
Fortheselection,theSTauthorselectsthesupportedmechanism(s)andusestheassignmenttoincludemechanismsnotlistedintheselection,ifany.
EvaluationActivities
FPT_EEM_EXT.1:TSSTheevaluatorshallexaminetheTSStoensurethatitstates,foreachplatformlistedintheST,theexecutionenvironment-basedvulnerabilitymitigationmechanismsusedbytheTOEonthatplatform.TheevaluatorshallensurethatthelistscorrespondtowhatisspecifiedinFPT_EEM_EXT.1.1.
FPT_HAS_EXT.1HardwareAssistsFPT_HAS_EXT.1.1
TheVMMshalluse[assignment:listofhardware-basedvirtualizationassists]toreduceoreliminatetheneedforbinarytranslation.
FPT_HAS_EXT.1.2TheVMMshalluse[assignment:listofhardware-basedvirtualizationmemory-handlingassists]toreduceoreliminatetheneedforshadowpagetables.
ApplicationNote:Thesehardware-assistshelpreducethesizeandcomplexityoftheVMM,andthus,ofthetrustedcomputingbase,byeliminatingorreducingtheneedforparavirtualizationorbinarytranslation.Paravirtualizationinvolvesmodifyingguestsoftwaresothatinstructionsthatcannotbeproperlyvirtualizedareneverexecutedonthephysicalprocessor.
FortheassignmentinFPT_HAS_EXT.1,theSTauthorliststhehardware-basedvirtualizationassistsonallplatformsincludedintheSTthatareusedbytheVMMtoreduceoreliminatetheneedforsoftware-basedbinarytranslation.Examplesforthex86platformareIntelVT-xandAMD-V.“None”isanacceptableassignmentforplatformsthatdonotrequirevirtualizationassistsinordertoeliminatetheneedforbinarytranslation.ThismustbedocumentedintheTSS.
FortheassignmentinFPT_HAS_EXT.1.2,theSTauthorliststhesetofhardware-basedvirtualizationmemory-handlingextensionsforallplatformslistedintheSTthatareusedbytheVMMtoreduceoreliminatetheneedforshadowpagetables.Examplesforthex86platformareIntelEPTandAMDRVI.“None”isanacceptableassignmentforplatformsthatdonotrequirememory-handlingassistsinordertoeliminatetheneedforshadowpagetables.ThismustbedocumentedintheTSS.
EvaluationActivities
FPT_HAS_EXT.1:TSSTheevaluatorshallexaminetheTSStoensurethatitstates,foreachplatformlistedintheST,thehardwareassistsandmemory-handlingextensionsusedbytheTOEonthatplatform.TheevaluatorshallensurethattheselistscorrespondtowhatisspecifiedintheapplicableFPT_HAS_EXTcomponent.
FPT_HCL_EXT.1HypercallControlsFPT_HCL_EXT.1.1
TheTSFshallprovideaHypercallinterfaceforGuestVMstousetoinvokefunctionalityprovidedbytheVMM.
FPT_HCL_EXT.1.2TheTSFshallallowadministratorstoconfigureanyVM’sHypercallinterfacetodisableaccesstoindividualfunctions,allfunctions,orgroupsoffunctions.
FPT_HCL_EXT.1.3TheTSFshallpermitexceptionstotheconfigurationofthefollowingHypercallinterfacefunctions:[assignment:listoffunctionsthatarenotsubjecttothe
configurationcontrolsinFPT_HCL_EXT.1.2].
FPT_HCL_EXT.1.4TheTSFshallvalidatetheparameterspassedtothehypercallinterfacepriortoexecutionoftheVMMfunctionalityexposedbythatinterface.
ApplicationNote:ThepurposeofthisrequirementistohelpensuretheintegrityoftheVMMbydefiningtheattacksurfaceexposedtoGuestVMsthroughHypercalls,testingthemechanismsforreducingthatattacksurfacebydisablingHypercalls,andensuringthatHypercallparametersareproperlyvalidatedpriortousebytheVMM.
AHypercallinterfaceallowsasetofVMMfunctionstobeinvokedbysoftwarerunningwithinaVM.Hypercallinterfacesareusedbyvirtualization-awareVMstocommunicateandexchangedatawiththeVMM.Forexample,aVMcoulduseahypercallinterfacetogetinformationabouttherealworld,suchasthetimeofdayortheunderlyinghardwareofthehostsystem.AhypercallcouldalsobeusedtotransferdatabetweenVMsthroughacopy-pastemechanism.BecausehypercallinterfacesexposetheVMMtoGuestVMs,theseinterfacesconstituteattacksurface.Inordertominimizeattacksurface,theseinterfacesmustbelimitedtotheminimumneededtosupportVMfunctionality.
FortheselectioninFPT_HCL_EXT.1.2,theSTauthorselectstheapplicableactionsthatadministratorscanperformtoconfigurefunctionssupportedbytheinterface.
FortheassignmentinFPT_HCL_EXT.1.3,theSTauthorliststheinterfacefunctionsthatcannotbeconfiguredperFPT_HCL_EXT.1.2.
Avendor-providedtestharnessmayreduceevaluationtime.
ThereisnoexpectationthattheevaluatorwillneedtoreviewsourcecodeinordertoaccomplishtheAssuranceActivity.TheevaluatordocumentationreviewshouldensurethattherearedocumentedHypercallfunctionsintheTSS,thateachdocumentedHypercallfunctioncontainsthespecifiedinformation,andthattherearenotobviousorpubliclyknownHypercallfunctionsmissing.
EvaluationActivities
FPT_HCL_EXT.1:TSSTheevaluatorshallexaminetheTSSoroperationalguidancetoensureitdocumentsallHypercallfunctionsatthelevelnecessaryfortheevaluatortodisablethefunctionsandruntests1and2,below.Documentationmustinclude,foreachfunction,howtocallthefunction,functionparametersandlegalvalues,configurationsettingsforenabling/disablingthefunction,andconditionsunderwhichthefunctioncanbedisabled.TheTSSmustalsospecifythosefunctionsthatcannotbedisabled.WhilethereisnoexpectationthattheevaluatorwillneedtoexaminesourcecodeinordertoaccomplishthisAssuranceActivity,theevaluatormustensurethattherearenoobviousorpubliclyknownHypercallfunctionsmissingfromtheTSS.GuidanceTheevaluatorshallexaminetheoperationalguidancetoensureitcontainsinstructionsforhowtoconfigureinterfacefunctionsperFPT_HCL_EXT.1.2.TestsTheevaluatorshallperformthefollowingtests:
Test1:ForeachconfigurablefunctionthatmeetsFPT_HCL_EXT.1.2,theevaluatorshallfollowtheoperationalguidancetoenablethefunction.TheevaluatorshallthenattempttocalleachfunctionfromwithintheVM.Ifthecallisallowed,thenthetestsucceeds.Test2:ForeachconfigurablefunctionthatmeetsFPT_HCL_EXT.1.2,theevaluatorshallconfiguretheTSFtodisablethefunction.TheevaluatorshallthenattempttocallthefunctionfromwithintheVM.Ifthecallisblocked,thenthetestsucceeds.
FPT_RDM_EXT.1RemovableDevicesandMediaFPT_RDM_EXT.1.1
TheTSFshallimplementcontrolsforhandlingthetransferofvirtualandphysicalremovablemediaandvirtualandphysicalremovablemediadevicesbetweeninformationdomains.
FPT_RDM_EXT.1.2TheTSFshallenforcethefollowingruleswhen[assignment:virtualorphysicalremovablemediaandvirtualorphysicalremovablemediadevices]areswitched
betweeninformationdomains,then[selection:theAdministratorhasgrantedexplicitaccessforthemediaordevicetobeconnectedtothereceivingdomain,themediainadevicethatisbeingtransferredisejectedpriortothereceivingdomainbeingallowedaccesstothedevice,theuserofthereceivingdomainexpresslyauthorizestheconnection,thedeviceormediathatisbeingtransferredispreventedfrombeingaccessedbythereceivingdomain
]
ApplicationNote:ThepurposeoftheserequirementsistoensurethatVMsarenotgiveninadvertentaccesstoinformationfromdifferentdomainsbecauseofmediaorremovablemediadevicesleftconnectedtophysicalmachines.
Removablemediaismediathatcanbeejectedfromadevice,suchasacompactdisc,floppydisk,SD,orcompactflashmemorycard.
Removablemediadevicesareremovabledevicesthatincludemedia,suchasUSBflashdrivesandUSBharddrives.Removablemediadevicescanthemselvescontainremovablemedia(e.g.,USBCDROMdrives).
Forpurposesofthisrequirement,anInformationDomainis:
a. AVMorcollectionofVMsb. TheVirtualizationSystemc. HostOSd. ManagementSubsystem
Theserequirementsalsoapplytovirtualizedremovablemedia—suchasvirtualCDdrivesthatconnecttoISOimages—aswellasphysicalmedia—suchasCDROMsandUSBflashdrives.InthecaseofvirtualCDROMs,virtualejectionofthevirtualmediaissufficient.
Inthefirstassignment,theSTauthorlistsallremovablemediaandremovablemediadevices(bothvirtualandreal)thataresupportedbytheTOE.TheSTauthorthenselectsactionsthatareappropriateforallremovablemediaandremovablemediadevices(bothvirtualandreal)thatarebeingclaimedintheassignment.
Forclarity,theSTauthormayiteratethisrequirementsothatlikeactionsaregroupedwiththeremovablemediaordevicestowhichtheyapply(e.g.,thefirstiterationcouldcontainalldevicesforwhichmediaisejectedonaswitch;theseconditerationcouldcontainalldevicesforwhichaccessispreventedonswitch,etc.).
EvaluationActivities
FPT_RDM_EXT.1:TSSTheevaluatorshallexaminetheTSStoensureitdescribestheassociationbetweenthemediaordevicessupportedbytheTOEandtheactionsthatcanoccurwhenswitchinginformationdomains.Theevaluatorshallexaminetheoperationalguidancetoensureitdocumentshowanadministratororuserconfiguresthebehaviorofeachmediaordevice.TestsTheevaluatorshallperformthefollowingtestforeachlistedmediaordevice:
Test1:TheevaluatorshallconfiguretwoVMsthataremembersofdifferentinformationdomains,withthemediaordeviceconnectedtooneoftheVMs.TheevaluatorshalldisconnectthemediaordevicefromtheVMandconnectittotheotherVM.TheevaluatorshallverifythattheactionperformedisconsistentwiththeactionassignedintheTSS.
FPT_TUD_EXT.1TrustedUpdatestotheVirtualizationSystemFPT_TUD_EXT.1.1
TheTSFshallprovideadministratorstheabilitytoquerythecurrentlyexecutedversionoftheTOEfirmware/softwareaswellasthemostrecentlyinstalledversionoftheTOEfirmware/software.
ApplicationNote:Theversioncurrentlyrunning(beingexecuted)maynotbetheversionmostrecentlyinstalled.Forinstance,maybetheupdatewasinstalledbutthesystemrequiresarebootbeforethisupdatewillrun.Therefore,itneedstobeclearthatthequeryshouldindicateboththemostrecentlyexecutedversionaswellasthemostrecentlyinstalledupdate.
FPT_TUD_EXT.1.2TheTSFshallprovideadministratorstheabilitytomanuallyinitiateupdatestoTOEfirmware/softwareand[selection:automaticupdates,nootherupdatemechanism].
FPT_TUD_EXT.1.3TheTSFshallprovidemeanstoauthenticatefirmware/softwareupdatestotheTOEusinga[selection:digitalsignaturemechanismusingcertificates,digitalsignaturemechanismnotusingcertificates,publishedhash]priortoinstallingthoseupdates.
ApplicationNote:ThedigitalsignaturemechanismreferencedinFPT_TUD_EXT.1.3isoneofthealgorithmsspecifiedinFCS_COP.1/SIG.
Ifcertificatesareusedbytheupdateverificationmechanism,certificatesarevalidatedinaccordancewithFIA_X509_EXT.1andshouldbeselectedinFIA_X509_EXT.2.1.Additionally,FPT_TUD_EXT.2mustbeincludedintheST.
“Update”inthecontextofthisSFRreferstotheprocessofreplacinganon-volatile,systemresidentsoftwarecomponentwithanother.TheformerisreferredtoastheNVimage,andthelatteristheupdateimage.WhiletheupdateimageistypicallynewerthantheNVimage,thisisnotarequirement.Therearelegitimatecaseswherethesystemownermaywanttorollbackacomponenttoanolderversion(e.g.,whenthecomponentmanufacturerreleasesafaultyupdate,orwhenthesystemreliesonanundocumentedfeaturenolongerpresentintheupdate).Likewise,theownermaywanttoupdatewiththesameversionastheNVimagetorecoverfromfaultystorage.
Alldiscretesoftwarecomponents(e.g.,applications,drivers,kernel,firmware)oftheTSF,shouldbedigitallysignedbythecorrespondingmanufacturerandsubsequentlyverifiedbythemechanismperformingtheupdate.Sinceitisrecognizedthatcomponentsmaybesignedbydifferentmanufacturers,itisessentialthattheupdateprocessverifythatboththeupdateandNVimageswereproducedbythesamemanufacturer(e.g.,bycomparingpublickeys)orsignedbylegitimatesigningkeys(e.g.,successfulverificationofcertificateswhenusingX.509certificates).
TheDigitalSignatureoptionisthepreferredmechanismforauthenticatingupdates.ThePublishedHashoptionwillberemovedfromafutureversionofthisPP.
EvaluationActivities
FPT_TUD_EXT.1:TSSTheevaluatorshallverifythattheTSSdescribesallTSFsoftwareupdatemechanismsforupdatingthesystemsoftware.UpdatestotheTOEeitherhaveahashassociatedwiththem,oraresignedbyanauthorizedsource.Theevaluatorshallverifythatthedescriptionincludeseitheradigitalsignatureorpublishedhashverificationofthesoftwarebeforeinstallationandthatinstallationfailsiftheverificationfails.TheevaluatorshallverifythattheTSSdescribesthemethodbywhichthedigitalsignatureorpublishedhashisverifiedtoincludehowthecandidateupdatesareobtained,theprocessingassociatedwithverifyingtheupdate,andtheactionsthattakeplaceforbothsuccessfulandunsuccessfulverification.Ifdigitalsignaturesareused,theevaluatorshallalsoensurethedefinitionofanauthorizedsourceiscontainedintheTSS.
IftheSTauthorindicatesthatacertificate-basedmechanismisusedforsoftwareupdatedigitalsignatureverification,theevaluatorshallverifythattheTSScontainsadescriptionofhowthecertificatesarecontainedonthedevice.TheevaluatoralsoensuresthattheTSS(oradministratorguidance)describeshowthecertificatesareinstalled/updated/selected,ifnecessary.TestsTheevaluatorshallperformthefollowingtests:
Test1:Theevaluatorperformstheversionverificationactivitytodeterminethecurrentversionoftheproduct.TheevaluatorobtainsalegitimateupdateusingproceduresdescribedintheoperationalguidanceandverifiesthatitissuccessfullyinstalledontheTOE.Aftertheupdate,theevaluatorperformstheversionverificationactivityagaintoverifytheversioncorrectlycorrespondstothatoftheupdate.Test2:Theevaluatorperformstheversionverificationactivitytodeterminethecurrentversionoftheproduct.Theevaluatorobtainsorproducesillegitimateupdatesasdefinedbelow,andattemptstoinstallthemontheTOE.TheevaluatorverifiesthattheTOErejectsalloftheillegitimateupdates.Theevaluatorperformsthistestusingallofthefollowingformsofillegitimateupdates:
1. Amodifiedversion(e.g.,usingahexeditor)ofalegitimatelysignedorhashedupdate2. Animagethathasnotbeensigned/hashed3. Animagesignedwithaninvalidhashorinvalidsignature(e.g.,byusingadifferentkey
asexpectedforcreatingthesignatureorbymanualmodificationofalegitimatehash/signature)
FPT_VDP_EXT.1VirtualDeviceParametersFPT_VDP_EXT.1.1
TheTSFshallprovideinterfacesforvirtualdevicesimplementedbytheVMMaspartofthevirtualhardwareabstraction.
FPT_VDP_EXT.1.2TheTSFshallvalidatetheparameterspassedtothevirtualdeviceinterfacepriortoexecutionoftheVMMfunctionalityexposedbythoseinterfaces.
ApplicationNote:ThepurposeofthisrequirementistoensurethattheVMMisnotvulnerabletocompromisethroughtheprocessingofmalformeddatapassedtothevirtualdeviceinterfacefromaGuestOS.TheVMMcannotassumethatanydatacomingfromaVMiswell-formed—evenifthevirtualdeviceinterfaceisuniquetotheVSandthedatacomesfromavirtualdevicedriversuppliedbytheVirtualizationVendor.
EvaluationActivities
FPT_VDP_EXT.1:TSSTheevaluatorshallexaminetheTSStoensureitlistsallvirtualdevicesaccessiblebytheguestOS.TheTSS,oraseparateproprietarydocument,mustalsodocumentallvirtualdeviceinterfacesatthelevelofI/Oports-includingportnumber(s)(absoluteorrelativetoabase),portname,andadescriptionoflegalinputvalues.TheTSSmustalsodescribetheexpectedbehavioroftheinterfacewhenpresentedwithillegalinputvalues.ThisbehaviormustbedeterministicandindicativeofparametercheckingbytheTSF.TheevaluatormustensurethattherearenoobviousorpubliclyknownvirtualI/OportsmissingfromtheTSS.Thereisnoexpectationthatevaluatorswillexaminesourcecodetoverifythe“all”partoftheAssuranceActivity.TestsForeachvirtualdeviceinterface,theevaluatorshallattempttoaccesstheinterfaceusingatleastoneparametervaluethatisoutofrangeorillegal.ThetestispassediftheinterfacebehavesinthemannerdocumentedintheTSS.Interfacesthatdonothaveinputparametersneednotbetested.ThistestcanbeperformedinconjunctionwiththetestsforFPT_DVD_EXT.1.
FPT_VIV_EXT.1VMMIsolationfromVMsFPT_VIV_EXT.1.1
TheTSFmustensurethatsoftwarerunninginaVMisnotabletodegradeordisruptthefunctioningofotherVMs,theVMM,orthePlatform.
FPT_VIV_EXT.1.2TheTSFmustensurethataGuestVMisunabletoinvokeplatformcodethatrunsataprivilegelevelequaltoorexceedingthatoftheVMMwithoutinvolvementoftheVMM.
ApplicationNote:ThisrequirementisintendedtoensurethatsoftwarerunningwithinaGuestVMcannotcompromiseotherVMs,theVMM,ortheplatform.ThisrequirementisnotmetifGuestVMsoftware—whateveritsprivilegelevel—cancrashtheVSorthePlatform,orbreakoutofitsvirtualhardwareabstractiontogainexecutionontheplatform,withinoroutsideofthecontextoftheVMM.
ThisrequirementisnotviolatedifsoftwarerunningwithinaVMcancrashtheGuestOSandthereisnowayforanattackertogainexecutionintheVMMoroutsideofthevirtualizeddomain.
FPT_VIV_EXT.1.2addressesseveralspecificmechanismsthatmustnotbepermittedtobypasstheVMMandinvokeprivilegedcodeonthePlatform.
Ataminimum,theTSFshouldenforcethefollowing:
a. Onthex86platform,avirtualSystemManagementInterrupt(SMI)cannotinvokeplatformSystemManagementMode(SMM)
b. AnattempttoupdatevirtualfirmwareorvirtualBIOScannotcausephysicalplatformfirmwareorphysicalplatformBIOStobemodified
c. AnattempttoupdatevirtualfirmwareorvirtualBIOScannotcausetheVMMtobemodified
Oftheabove,(a)doesnotapplytoplatformsthatdonotsupportSMM.Therationalebehindactivity(c)isthatafirmwareupdateofasingleVMmustnotaffectotherVMs.SoifmultipleVMssharethesamefirmwareimageaspartofacommonhardwareabstraction,thentheupdateofasinglemachine’sBIOSmustnotbeallowedtochangethecommonabstraction.ThevirtualhardwareabstractionispartoftheVMM.
EvaluationActivities
FPT_VIV_EXT.1:TSSTheevaluatorshallverifythattheTSS(oraproprietaryannextotheTSS)describeshowtheTSFensuresthatguestsoftwarecannotdegradeordisruptthefunctioningofotherVMs,theVMMortheplatform.AndhowtheTSFpreventsguestsfrominvokinghigher-privilegeplatformcode,suchastheexamplesinthenote.GuidanceThereisnooperationalguidanceforthisrequirement.TestsTherearenotestsforthisrequirement.
5.1.8TOEAccess(FTA)
FTA_TAB.1TOEAccessBannerFTA_TAB.1.1
Beforeestablishinganadministrativeusersession,theTSFshalldisplayasecurityAdministrator-specifiedadadvisorynoticeandconsentwarningmessageregardinguseoftheTOE.
ApplicationNote:ThisrequirementisintendedtoapplytointeractivesessionsbetweenahumanuserandaTOE.ITentitiesestablishingconnectionsorprogrammaticconnections(e.g.,remoteprocedurecallsoveranetwork)arenotrequiredtobecoveredbythisrequirement.
EvaluationActivities
FTA_TAB.1:TestsTheevaluatorshallconfiguretheTOEtodisplaytheadvisorywarningmessage“TESTTESTWarningMessageTESTTEST”.Theevaluatorshallthenlogoutandconfirmthattheadvisorymessageisdisplayedbeforeloggingcanoccur.
5.1.9TrustedPath/Channel(FTP)
FTP_ITC_EXT.1TrustedChannelCommunicationsFTP_ITC_EXT.1.1
TheTSFshalluse[selection:TLSasconformingtotheFunctionalPackageforTransportLayerSecurity,TLS/HTTPSasconformingtoFCS_HTTPS_EXT.1,IPsecasconformingtoFCS_IPSEC_EXT.1,SSHasconformingtotheExtendedPackageforSecureShell
]toprovideatrustedcommunicationchannelbetweenitself,and
auditservers(asrequiredbyFAU_STG_EXT.1),and[selection:
remoteadministrators(asrequiredbyFTP_TRP.1.1ifselectedinFMT_MOF_EXT.1.1intheClientorServerPP-Module),separationofmanagementandoperationalnetworks(ifselectedinFMT_SMO_EXT.1),[assignment:othercapabilities],noothercapabilities
]thatislogicallydistinctfromothercommunicationpathsandprovidesassuredidentificationofitsendpointsandprotectionofthecommunicateddatafromdisclosureanddetectionofmodificationofthecommunicateddata.
ApplicationNote:IftheSTauthorselectseitherTLSorHTTPS,theTSFshallbevalidatedagainsttheFunctionalPackageforTLS.ThisPPdoesnotmandatethataproductimplementTLSwithmutualauthentication,butiftheproductincludesthecapabilitytoperformTLSwithmutualauthentication,thenmutualauthenticationmustbeincludedwithintheTOEboundary.TheTLSPackagerequiresthattheX509requirementsbeincludedbythePP,soselectionofTLSorHTTPScausesFIA_X509_EXT.*tobeselected.
IftheSTauthorselectsSSH,theTSFshallbevalidatedagainsttheExtendedPackageforSecureShell.TheSSHpackageimportstheX509requirementsifnecessary,soselectingSSHheredoesnotautomaticallycausetheirinclusion.
SelectionofIPSecalsoautomaticallycausesinclusionoftheX509requirements.
TheSTauthormustincludethesecurityfunctionalrequirementsforthetrustedchannelprotocolselectedinFTP_ITC_EXT.1inthemainbodyoftheST.
EvaluationActivities
FTP_ITC_EXT.1:TSSTheevaluatorwillreviewtheTSStodeterminethatitlistsalltrustedchannelstheTOEusesforremotecommunications,includingboththeexternalentitiesand/orremoteusersusedforthechannelaswellastheprotocolthatisusedforeach.TestsTheevaluatorwillconfiguretheTOEtocommunicatewitheachexternalITentityand/ortypeofremoteuseridentifiedintheTSS.TheevaluatorwillmonitornetworktrafficwhiletheVSperformscommunicationwitheachofthesedestinations.Theevaluatorwillensurethatforeachsessionatrustedchannelwasestablishedinconformancewiththeprotocolsidentifiedintheselection.
FTP_UIF_EXT.1UserInterface:I/OFocusFTP_UIF_EXT.1.1
TheTSFshallindicatetouserswhichVM,ifany,hasthecurrentinputfocus.
ApplicationNote:Thisrequirementappliestoallusers—whetherUserorAdministrator.InenvironmentswheremultipleVMsrunatthesametime,theusermusthaveawayofknowingwhichVMuserinputisdirectedtoatanygivenmoment.Thisisespeciallyimportantinmultiple-domainenvironments.
Inthecaseofahumanuser,thisisusuallyavisualindicator.InthecaseofheadlessVMs,theuserisconsideredtobeaprogram,butthisprogramstillneedstoknowwhichVMitissendinginputto;thiswouldtypicallybeaccomplishedthroughprogrammaticmeans.
EvaluationActivities
FTP_UIF_EXT.1:TSSTheevaluatorshallensurethattheTSSliststhesupporteduserinputdevices.GuidanceTheevaluatorshallensurethattheoperationalguidancespecifieshowthecurrentinputfocusisindicatedtotheuser.TestsForeachsupportedinputdevice,theevaluatorshalldemonstratethattheinputfromeachdevicelistedintheTSSisdirectedtotheVMthatisindicatedtohavetheinputfocus.
FTP_UIF_EXT.2UserInterface:IdentificationofVMFTP_UIF_EXT.2.1
TheTSFshallsupporttheuniqueidentificationofaVM’soutputdisplaytousers.
ApplicationNote:InenvironmentswhereauserhasaccesstomorethanoneVMatthesametime,theusermustbeabletodeterminetheidentityofeachVMdisplayedinordertoavoidinadvertentcross-domaindataentry.
TheremustbeamechanismforassociatinganidentifierwithaVMsothatanapplicationorprogramdisplayingtheVMcanidentifytheVMtousers.Thisisgenerallyindicatedvisuallyforhumanusers(e.g.,VMidentityinthewindowtitlebar)andprogrammaticallyforheadlessVMs(e.g.,anAPIfunction).TheidentificationmustbeuniquetotheVS,butdoesnotneedtobeuniversallyunique.
EvaluationActivities
FTP_UIF_EXT.2:TSSTheevaluatorshallensurethattheTSSdescribesthemechanismforidentifyingVMstotheuser,howidentitiesareassignedtoVMs,andhowconflictsareprevented.TestsTheevaluatorshallperformthefollowingtest:
TheevaluatorshallattempttocreateandstartatleastthreeGuestVMsonasingledisplaydevicewheretheevaluatorattemptstoassigntwooftheVMsthesameidentifier.IftheuserinterfacedisplaysdifferentidentifiersforeachVM,thentherequirementismet.Likewise,therequirementismetifthesystemrefusestocreateorstartaVMwhenthereisalreadyaVMwiththesameidentifier.
5.1.10TOESecurityFunctionalRequirementsRationaleThefollowingrationaleprovidesjustificationforeachsecurityobjectivefortheTOE,showingthattheSFRsaresuitabletomeetandachievethesecurityobjectives:
Table4:SFRRationaleOBJECTIVE ADDRESSEDBY RATIONALE
O.VM_ISOLATION FAU_GEN.1 Auditeventscanreportattemptstobreachisolation.
FCS_CKM_EXT.4 Requirescryptographickeydestructiontoprotectdomaindatainsharedstorage.
FDP_PPR_EXT.1 Requiressupportforreducingattacksurfacethroughdisablingaccesstounneededphysicalplatformresources.
FDP_RIP_EXT.1 Ensuresthatdomaindataisclearedfrommemorybeforememoryisre-allocated.
FDP_RIP_EXT.2 Ensuresthatdomaindataisclearedfromstoragebeforethestorageisre-allocated.
FDP_VMS_EXT.1 EnsuresthatauthorizeddatatransfersbetweenVMsaredonesecurely.
FDP_VNC_EXT.1 EnsuresthatnetworktrafficisvisibleonlytoVMsconfiguredtobethatnetwork.
FPT_DVD_EXT.1 EnsuresthatVMscanaccessonlythosevirtualdevicesthattheyareconfiguredtoaccess.
FPT_EEM_EXT.1 RequiresthattheTOEusesecuritymechanismssupportedbythephysicalplatform.
FPT_HAS_EXT.1 RequiresthattheTOEuseplatform-supportedvirtualizationassiststoreduceattacksurface.
FPT_HCL_EXT.1 RequiresthatAdministratorscandisableunneccessaryhypercallinterfacestoreduceattacksurface.
FPT_VDP_EXT.1 RequiresvalidationofparameterdatapassedtothehardwareabstractionbyuntrustedVMs.
FPT_VIV_EXT.1 EnsuresthatuntrustedVMscannotinvokepriviledgedcodewithoutproperhypervisormediation.
O.VMM_INTEGRITY FAU_GEN.1 Auditeventscanreportpotentialintegritybreachesandattempts.
FCS_CKM.1 Requiresgenerationofasymmetrickeysforprotectionofintegritymeasures.
FCS_COP.1 Ensuresproperfunctioningofcryptographicalgorithmsusedtoprotectdataintegrity.
FCS_RBG_EXT.1 RequiresthattheTOEhasaccesstohigh-qualityentropyforcryptographicpurposes.
FDP_PPR_EXT.1 Requiressupportforreducingattacksurfacethroughdisablingaccesstounneededphysicalplatformresources.
FDP_VMS_EXT.1 EnsuresthatauthorizeddatatransfersbetweenVMsaredonesecurely.
FDP_VNC_EXT.1 EnsuresthatnetworktrafficisvisibleonlytoVMsconfiguredtobethatnetwork.
FPT_EEM_EXT.1 RequiresthattheTOEusesecuritymechanismssupportedbythephysicalplatform.
FPT_HAS_EXT.1 RequiresthattheTOEuseplatform-supportedvirtualizationassiststoreduceattacksurface.
FPT_VDP_EXT.1 RequiresvalidationofparameterdatapassedtothehardwareabstractionbyuntrustedVMs.
FPT_VIV_EXT.1 EnsuresthatuntrustedVMscannotinvokepriviledgedcodewithoutproperhypervisormediation.
O.PLATFORM_INTEGRITY FDP_HBI_EXT.1 RequiresthattheTOEuseplatform-supportedmechanismsforaccesstophysicaldevices.
FDP_PPR_EXT.1 Requiressupportforreducingattacksurfacethroughdisablingaccesstounneededphysicalplatformresources.
FDP_VMS_EXT.1 EnsuresthatauthorizeddatatransfersbetweenVMsaredonesecurely.
FDP_VNC_EXT.1 EnsuresthatnetworktrafficisvisibleonlytoVMsconfiguredtobethatnetwork.
FPT_DVD_EXT.1 EnsuresthatVMscannotaccessvirtualdevicesthattheyarenotonfiguredtoaccess.
FPT_EEM_EXT.1 RequiresthattheTOEusesecuritymechanismssupportedbythephysicalplatform.
FPT_HAS_EXT.1 RequiresthattheTOEuseplatform-supportedvirtualizationassiststoreduceattacksurface.
FPT_HCL_EXT.1 RequiresthatAdministratorscandisableunneccessaryhypercallinterfacestoreduceattacksurface.
FPT_VDP_EXT.1 Requiresvalidationofparameterdata
passedtothehardwareabstractionbyuntrustedVMs.
FPT_VIV_EXT.1 EnsuresthatuntrustedVMscannotinvokepriviledgedcodewithoutproperhypervisormediation.
O.DOMAIN_INTEGRITY FCS_CKM_EXT.4 Requirescryptographickeydestructiontoprotectdomaindatainsharedstorage.
FCS_ENT_EXT.1 Requiresthatdomainshaveaccesstohigh-qualityentropyforcryptographicpurposes.
FCS_RBG_EXT.1 RequiresthattheTOEhasaccesstohigh-qualityentropyforcryptographicpurposes.
FDP_RIP_EXT.1 Ensuresthatdomaindataisclearedfrommemorybeforememoryisre-allocatedtoanotherdomain.
FDP_RIP_EXT.2 Ensuresthatdomaindataisclearedfromstoragebeforethestorageisre-allocatedtoanotherdomain.
FDP_VMS_EXT.1 Ensuresthatauthorizeddatatransfersbetweendomainsaredonesecurely.
FDP_VNC_EXT.1 EnsuresthatnetworktrafficisvisibleonlytoVMsconfiguredtobethatnetwork.
FPT_EEM_EXT.1 RequiresthattheTOEusesecuritymechanismssupportedbythephysicalplatform.
FPT_HAS_EXT.1 RequiresthattheTOEuseplatform-supportedvirtualizationassiststoreduceattacksurface.
FPT_RDM_EXT.1 Requiressupportforrulesforswitchingremoveablemediabetweendomainstoreducethechanceofdataspillage.
FPT_VDP_EXT.1 RequiresvalidationofparameterdatapassedtothehardwareabstractionbyuntrustedVMs.
FTP_UIF_EXT.1 Ensuresthatusersareabletodeterminethedomainwiththecurrentinputfocus.
FTP_UIF_EXT.2 EnsuresthatuserscanknowtheidentityofanyVMthattheycanaccess.
O.MANAGEMENT_ACCESS FAU_GEN.1 Auditeventsreportattemptstoaccessthemanagementsubsystem.
FCS_CKM.1 Requiresgenerationofasymmetrickeysfortrustedcommunicationschannels.
FCS_CKM.2 Requiresestablishmentofcryptographickeysfortrustedcommunicationschannels.
FCS_COP.1 Ensuresproperfunctioningofcryptographicalgorithmsusedtoimplementaccesscontrols.
FCS_RBG_EXT.1 RequiresthattheTOEhasaccesstohigh-qualityentropyforcryptographicpurposes.
FIA_AFL_EXT.1 RequiresthattheTOEdetectfailedauthenticationattemptsforAdministratoraccess.
FIA_UAU.5 EnsuresthatstrongmechanismsareusedforAdministratorauthentication.
FIA_UIA_EXT.1 RequiresthatAdministratorsbesuccessfullyauthenticatedbeforeperformingmanagementfunctions.
FMT_SMO_EXT.1 RequiresthattheTOEsupporthavingseparatemanagementandoperationalnetworks.
FTP_ITC_EXT.1 Ensuresthattrustedcommunicationschannelsareimplementedusinggoodcryptography.
O.PATCHED_SOFTWARE FPT_TUD_EXT.1 Requiressupportforproductupdates.
O.VM_ENTROPY FCS_ENT_EXT.1 Requiresthatdomainshaveaccesstohigh-qualityentropyforcryptographicpurposes.
FCS_RBG_EXT.1 RequiresthattheTOEhasaccesstohigh-qualityentropyforcryptographicpurposes.
O.AUDIT FAU_GEN.1 Requiresreportingofauditevents.
FAU_SAR.1 RequiressupportforAdministratorreviewofauditrecords.
FAU_STG.1 Requiresprotectionofstoredauditrecords.
FAU_STG_EXT.1 RequiressupportforprotectedtransmissionofauditrecordsofftheTOE.
O.CORRECTLY_APPLIED_CONFIGURATION FMT_MSA_EXT.1 EnsuresthatdatasharingbetweenVMsisturnedoffbydefault.
O.RESOURCE_ALLOCATION FCS_CKM_EXT.4 Requirescryptographickeydestructiontoensureresidualdatainsharedstorageisunrecoverable.
FDP_RIP_EXT.1 Ensuresthatdomaindataisclearedfrommemorybeforememoryisre-allocated.
FDP_RIP_EXT.2 Ensuresthatdomaindataisclearedfromstoragebeforethestorageisre-allocated.
5.2SecurityAssuranceRequirementsTheSecurityObjectivesfortheTOEinSection4wereconstructedtoaddressthreatsidentifiedinSection3.1.TheSecurityFunctionalRequirements(SFRs)inSection5.1areaformalinstantiationoftheSecurityObjectives.ThePPidentifiestheSecurityAssuranceRequirements(SARs)toframetheextenttowhichtheevaluatorassessesthedocumentationapplicablefortheevaluationandperformsindependenttesting.
ThissectionliststhesetofSecurityAssuranceRequirements(SARs)fromPart3oftheCommonCriteriaforInformationTechnologySecurityEvaluation,Version3.1,Revision4thatarerequiredinevaluationsagainstthisPP.IndividualassuranceactivitiestobeperformedarespecifiedinbothSection5.1aswellasinthissection.
AftertheSThasbeenapprovedforevaluation,theInformationTechnologySecurityEvaluationFacility(ITSEF)willobtaintheTOE,supportingenvironmentalIT,andtheadministrative/userguidesfortheTOE.TheITSEFisexpectedtoperformactionsmandatedbytheCEMfortheASEandALCSARs.TheITSEFalsoperformstheassuranceactivitiescontainedwithinSection5,whichareintendedtobeaninterpretationoftheotherCEMassurancerequirementsastheyapplytothespecifictechnologyinstantiatedintheTOE.TheassuranceactivitiesthatarecapturedinSection5alsoprovideclarificationastowhatthedeveloperneedstoprovidetodemonstratetheTOEiscompliantwiththePP.
5.2.1ClassASE:SecurityTargetEvaluationAsperASEactivitiesdefinedin[CEM]plustheTSSassuranceactivitiesdefinedforanySFRsclaimedbytheTOE.
5.2.2ClassADV:DevelopmentTheinformationabouttheTOEiscontainedintheguidancedocumentationavailabletotheenduseraswellastheTOESummarySpecification(TSS)portionoftheST.TheTOEdevelopermustconcurwiththedescriptionoftheproductthatiscontainedintheTSSasitrelatestothefunctionalrequirements.TheAssuranceActivitiescontainedinSection5.2shouldprovidetheSTauthorswithsufficientinformationtodeterminetheappropriatecontentfortheTSSsection.
ADV_FSP.1Basicfunctionalspecification
Developeractionelements:ADV_FSP.1.1D
Thedevelopershallprovideafunctionalspecification.
ADV_FSP.1.2DThedevelopershallprovideatracingfromthefunctionalspecificationtotheSFRs.
DeveloperNote:Asindicatedintheintroductiontothissection,thefunctionalspecificationiscomposedoftheinformationcontainedintheAGD_OPRandAGD_PREdocumentation,coupledwiththeinformationprovidedintheTSSoftheST.TheassuranceactivitiesinthefunctionalrequirementspointtoevidencethatshouldexistinthedocumentationandTSSsection;sincethesearedirectlyassociatedwiththeSFRs,thetracinginelementADV_FSP.1.2Disimplicitlyalreadydoneandnoadditionaldocumentationisnecessary.
Contentandpresentationelements:ADV_FSP.1.3C
ThefunctionalspecificationshalldescribethepurposeandmethodofuseforeachSFR-enforcingandSFR-supportingTSFI.
ADV_FSP.1.4CThefunctionalspecificationshallidentifyallparametersassociatedwitheachSFR-enforcingandSFR-supportingTSFI.
ADV_FSP.1.5CThefunctionalspecificationshallproviderationalefortheimplicitcategorizationofinterfacesasSFR-non-interfering.
ADV_FSP.1.6CThetracingshalldemonstratethattheSFRstracetoTSFIsinthefunctionalspecification.
Evaluatoractionelements:ADV_FSP.1.7E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
ADV_FSP.1.8ETheevaluatorshalldeterminethatthefunctionalspecificationisanaccurateandcompleteinstantiationoftheSFRs.
ApplicationNote:TherearenospecificassuranceactivitiesassociatedwiththeseSARs.ThefunctionalspecificationdocumentationisprovidedtosupporttheevaluationactivitiesdescribedinSection5.2,andotheractivitiesdescribedforAGD,ATE,andAVASARs.Therequirementsonthecontentofthefunctionalspecificationinformationisimplicitlyassessedbyvirtueoftheotherassuranceactivitiesbeingperformed;iftheevaluatorisunabletoperformanactivitybecausethethereisinsufficientinterfaceinformation,thenanadequatefunctionalspecificationhasnotbeenprovided.
EvaluationActivities
5.2.3ClassAGD:GuidanceDocumentsTheguidancedocumentswillbeprovidedwiththedeveloper’ssecuritytarget.GuidancemustincludeadescriptionofhowtheauthorizeduserverifiesthattheOperationalEnvironmentcanfulfillitsroleforthesecurityfunctionality.Thedocumentationshouldbeinaninformalstyleandreadablebyanauthorizeduser.
GuidancemustbeprovidedforeveryoperationalenvironmentthattheproductsupportsasclaimedintheST.Thisguidanceincludes
instructionstosuccessfullyinstalltheTOEinthatenvironment;and
instructionstomanagethesecurityoftheTOEasaproductandasacomponentofthelargeroperationalenvironment.
Guidancepertainingtoparticularsecurityfunctionalityisalsoprovided;specificrequirementsonsuchguidancearecontainedintheassuranceactivitiesspecifiedwithindividualSFRswhereapplicable.
AGD_OPE.1OperationalUserGuidance
Developeractionelements:AGD_OPE.1.1D
Thedevelopershallprovideoperationaluserguidance.
DeveloperNote:Ratherthanrepeatinformationhere,thedevelopershouldreviewtheassuranceactivitiesforthiscomponenttoascertainthespecificsoftheguidancethattheevaluatorswillbecheckingfor.Thiswillprovidethenecessaryinformationforthepreparationofacceptableguidance.
Contentandpresentationelements:AGD_OPE.1.2C
Theoperationaluserguidanceshalldescribewhattheauthorizeduser-accessiblefunctionsandprivilegesthatshouldbecontrolledinasecureprocessingenvironment,includingappropriatewarnings.
AGD_OPE.1.3CTheoperationaluserguidanceshalldescribe,fortheauthorizeduser,howtousetheavailableinterfacesprovidedbytheTOEinasecuremanner.
AGD_OPE.1.4CTheoperationaluserguidanceshalldescribe,fortheauthorizeduser,theavailablefunctionsandinterfaces,inparticularallsecurityparametersunderthecontroloftheuser,indicatingsecurevaluesasappropriate.
AGD_OPE.1.5CTheoperationaluserguidanceshall,fortheauthorizeduser,clearlypresenteachtypeofsecurity-relevanteventrelativetotheuser-accessiblefunctionsthatneedtobeperformed,includingchangingthesecuritycharacteristicsofentitiesunderthecontroloftheTSF.
AGD_OPE.1.6CTheoperationaluserguidanceshallidentifyallpossiblemodesofoperationoftheTOE(includingoperationfollowingfailureoroperationalerror),theirconsequencesandimplicationsformaintainingsecureoperation.
AGD_OPE.1.7CTheoperationaluserguidanceshall,fortheauthorizeduser,describethesecuritymeasurestobefollowedinordertofulfillthesecurityobjectivesfortheoperationalenvironmentasdescribedintheST.
AGD_OPE.1.8CTheoperationaluserguidanceshallbeclearandreasonable.
Evaluatoractionelements:AGD_OPE.1.9E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
EvaluationActivities
AGD_OPE.1:SomeofthecontentsoftheoperationalguidancewillbeverifiedbytheassuranceactivitiesinSection5.2andevaluationoftheTOEaccordingtotheCEM.Thefollowingadditionalinformationisalsorequired.
Theoperationalguidanceshallcontaininstructionsforconfiguringthepasswordcharacteristics,numberofallowedauthenticationattemptfailures,thelockoutperiodtimesforinactivity,andthenoticeandconsentwarningthatistobeprovidedwhenauthenticating.
Theoperationalguidanceshallcontainstep-by-stepinstructionssuitableforusebyanend-useroftheVStoconfigureanew,out-of-the-boxsystemintotheconfigurationevaluatedunderthisProtectionProfile.
ThedocumentationshalldescribetheprocessforverifyingupdatestotheTOE,eitherbycheckingthehashorbyverifyingadigitalsignature.Theevaluatorshallverifythatthisprocess
includesthefollowingsteps:InstructionsforqueryingthecurrentversionoftheTOEsoftware.Forhashes,adescriptionofwherethehashforagivenupdatecanbeobtained.Fordigitalsignatures,instructionsforobtainingthecertificatethatwillbeusedbytheFCS_COP.1/SIGmechanismtoensurethatasignedupdatehasbeenreceivedfromthecertificateowner.Thismaybesuppliedwiththeproductinitially,ormaybeobtainedbysomeothermeans.Instructionsforobtainingtheupdateitself.ThisshouldincludeinstructionsformakingtheupdateaccessibletotheTOE(e.g.,placementinaspecificdirectory).Instructionsforinitiatingtheupdateprocess,aswellasdiscerningwhethertheprocesswassuccessfulorunsuccessful.Thisincludesgenerationofthehash/digitalsignature.
AGD_PRE.1Preparativeprocedures
Developeractionelements:AGD_PRE.1.1D
ThedevelopershallprovidetheTOEincludingitspreparativeprocedures.
DeveloperNote:Aswiththeoperationalguidance,thedevelopershouldlooktotheassuranceactivitiestodeterminetherequiredcontentwithrespecttopreparativeprocedures.
Contentandpresentationelements:AGD_PRE.1.2C
ThepreparativeproceduresshalldescribeallthestepsnecessaryforsecureacceptanceofthedeliveredTOEinaccordancewiththedeveloper’sdeliveryprocedures.
AGD_PRE.1.3CThepreparativeproceduresshalldescribeallthestepsnecessaryforsecureinstallationoftheTOEandforthesecurepreparationoftheoperationalenvironmentinaccordancewiththesecurityobjectivesfortheoperationalenvironmentasdescribedintheST.
Evaluatoractionelements:AGD_PRE.1.4E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
AGD_PRE.1.5ETheevaluatorshallapplythepreparativeprocedurestoconfirmthattheTOEcanbepreparedsecurelyforoperation.
EvaluationActivities
AGD_PRE.1:Asindicatedintheintroductionabove,therearesignificantexpectationswithrespecttothedocumentation—especiallywhenconfiguringtheoperationalenvironmenttosupportTOEfunctionalrequirements.TheevaluatorshallchecktoensurethattheguidanceprovidedfortheTOEadequatelyaddressesallplatforms(thatis,combinationofhardwareandoperatingsystem)claimedfortheTOEintheST.
Theoperationalguidanceshallcontainstep-by-stepinstructionssuitableforusebyanend-useroftheVStoconfigureanew,out-of-the-boxsystemintotheconfigurationevaluatedunderthisProtectionProfile.
5.2.4ClassALC:Life-CycleSupportAttheassurancelevelspecifiedforTOEsconformanttothisPP,life-cyclesupportislimitedtoanexaminationoftheTOEvendor’sdevelopmentandconfigurationmanagementprocessinordertoprovideabaselinelevelofassurancethattheTOEitselfisdevelopedinasecuremannerandthatthedeveloperhasawell-definedprocessinplacetodeliverupdatestomitigateknownsecurityflaws.Thisisaresultofthecriticalrolethatadeveloper’spracticesplayincontributingtotheoveralltrustworthinessofaproduct.
ALC_CMC.1LabelingoftheTOE
Developeractionelements:ALC_CMC.1.1D
ThedevelopershallprovidetheTOEandareferencefortheTOE.
Contentandpresentationelements:ALC_CMC.1.2C
TheTOEshallbelabeledwithitsuniquereference.
Evaluatoractionelements:ALC_CMC.1.3E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
EvaluationActivities
ALC_CMC.1:TheevaluatorshallchecktheSTtoensurethatitcontainsanidentifier(suchasaproductname/versionnumber)thatspecificallyidentifiestheversionthatmeetstherequirementsoftheST.
TheevaluatorshallchecktheAGDguidanceandTOEsamplesreceivedfortestingtoensurethattheversionnumberisconsistentwiththatintheST.
IfthevendormaintainsawebsiteadvertisingtheTOE,theevaluatorshallexaminetheinformationonthewebsitetoensurethattheinformationintheSTissufficienttodistinguishtheproduct.
ALC_CMS.1TOECMcoverage
Developeractionelements:ALC_CMS.1.1D
ThedevelopershallprovideaconfigurationlistfortheTOE.
Contentandpresentationelements:ALC_CMS.1.2C
Theconfigurationlistshallincludethefollowing:theTOEitself;andtheevaluationevidencerequiredbytheSARs.
ALC_CMS.1.3CTheconfigurationlistshalluniquelyidentifytheconfigurationitems.
Evaluatoractionelements:ALC_CMS.1.4E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
EvaluationActivities
ALC_CMS.1:Theevaluatorshallensurethatthedeveloperhasidentified(inpublic-facingdevelopmentguidancefortheirplatform)oneormoredevelopmentenvironmentsappropriateforuseindevelopingapplicationsforthedeveloper’splatform.Foreachofthesedevelopmentenvironments,thedevelopershallprovideinformationonhowtoconfiguretheenvironmenttoensurethatbufferoverflowprotectionmechanismsintheenvironment(s)areinvoked(e.g.,compilerandlinkerflags).Theevaluatorshallensurethatthisdocumentationalsoincludesanindicationofwhethersuchprotectionsareonbydefault,orhavetobespecificallyenabled.TheevaluatorshallensurethattheTSFisuniquelyidentified(withrespecttootherproductsfromtheTSFvendor),andthatdocumentationprovidedbythedeveloperinassociationwiththerequirementsintheSTisassociatedwiththeTSFusingthisuniqueidentification.
ALC_TSU_EXT.1TimelySecurityUpdatesThiscomponentrequirestheTOEdeveloper,inconjunctionwithanyothernecessaryparties,toprovideinformationastohowtheVSisupdatedtoaddresssecurityissuesinatimelymanner.Thedocumentationdescribestheprocessofprovidingupdatestothepublicfromthetimeasecurityflawisreported/discovered,tothetimeanupdateisreleased.Thisdescriptionincludesthepartiesinvolved(e.g.,thedeveloper,hardwarevendors)andthestepsthatareperformed(e.g.,developertesting),includingworstcasetimeperiods,beforeanupdateismadeavailabletothepublic.
Developeractionelements:
ALC_TSU_EXT.1.1DThedevelopershallprovideadescriptionintheTSSofhowtimelysecurityupdatesaremadetotheTOE.
Contentandpresentationelements:ALC_TSU_EXT.1.2C
ThedescriptionshallincludetheprocessforcreatinganddeployingsecurityupdatesfortheTOEsoftware/firmware.
ALC_TSU_EXT.1.3CThedescriptionshallexpressthetimewindowasthelengthoftime,indays,betweenpublicdisclosureofavulnerabilityandthepublicavailabilityofsecurityupdatestotheTOE.
ApplicationNote:Thetotallengthoftimemaybepresentedasasummationoftheperiodsoftimethateachparty(e.g.,TOEdeveloper,hardwarevendor)onthecriticalpathconsumes.Thetimeperioduntilpublicavailabilityperdeploymentmechanismmaydiffer;eachisdescribed.
ALC_TSU_EXT.1.4CThedescriptionshallincludethemechanismspubliclyavailableforreportingsecurityissuespertainingtotheTOE.
ApplicationNote:Thereportingmechanismcouldincludewebsites,emailaddresses,andameanstoprotectthesensitivenatureofthereport(e.g.,publickeysthatcouldbeusedtoencryptthedetailsofaproof-of-conceptexploit).
Evaluatoractionelements:ALC_TSU_EXT.1.5E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
EvaluationActivities
5.2.5ClassATE:TestsTestingisspecifiedforfunctionalaspectsofthesystemaswellasaspectsthattakeadvantageofdesignorimplementationweaknesses.TheformerisdonethroughATE_INDfamily,whilethelatteristhroughtheAVA_VANfamily.AttheassurancelevelspecifiedinthisPP,testingisbasedonadvertisedfunctionalityandinterfaceswithdependencyontheavailabilityofdesigninformation.Oneoftheprimaryoutputsoftheevaluationprocessisthetestreportasspecifiedinthefollowingrequirements.
ATE_IND.1IndependentTesting-ConformanceTestingisperformedtoconfirmthefunctionalitydescribedintheTSSaswellastheadministrative(includingconfigurationandoperation)documentationprovided.ThefocusofthetestingistoconfirmthattherequirementsspecifiedinSection5.1arebeingmet,althoughsomeadditionaltestingisspecifiedforSARsinSection5.2.TheAssuranceActivitiesidentifytheadditionaltestingactivitiesassociatedwiththesecomponents.Theevaluatorproducesatestreportdocumentingtheplanforandresultsoftesting,aswellascoverageargumentsfocusedontheplatform/TOEcombinationsthatareclaimingconformancetothisPP.
Developeractionelements:ATE_IND.1.1D
ThedevelopershallprovidetheTOEfortesting.
Contentandpresentationelements:ATE_IND.1.2C
TheTOEshallbesuitablefortesting.
Evaluatoractionelements:ATE_IND.1.3E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
ATE_IND.1.4ETheevaluatorshalltestasubsetoftheTSFtoconfirmthattheTSFoperatesasspecified.
EvaluationActivities
ATE_IND.1:Theevaluatorshallprepareatestplanandreportdocumentingthetestingaspectsofthesystem.WhileitisnotnecessarytohaveonetestcasepertestlistedinanAssuranceActivity,theevaluatorsmustdocumentinthetestplanthateachapplicabletestingrequirementintheSTiscovered.
TheTestPlanidentifiestheplatformstobetested,andforthoseplatformsnotincludedinthetestplanbutincludedintheST,thetestplanprovidesajustificationfornottestingtheplatforms.Thisjustificationmustaddressthedifferencesbetweenthetestedplatformsandtheuntestedplatforms,andmakeanargumentthatthedifferencesdonotaffectthetestingtobeperformed.Itisnotsufficienttomerelyassertthatthedifferenceshavenoaffect;rationalemustbeprovided.IfallplatformsclaimedintheSTaretested,thennorationaleisnecessary.
Thetestplandescribesthecompositionofeachplatformtobetested,andanysetupthatisnecessarybeyondwhatiscontainedintheAGDdocumentation.ItshouldbenotedthattheevaluatorsareexpectedtofollowtheAGDdocumentationforinstallationandsetupofeachplatformeitheraspartofatestorasastandardpre-testcondition.Thismayincludespecialtestdriversortools.Foreachdriverortool,anargument(notjustanassertion)isprovidedthatthedriverortoolwillnotadverselyaffecttheperformanceofthefunctionalitybytheTOEanditsplatform.Thisalsoincludestheconfigurationofcryptographicenginestobeused.ThecryptographicalgorithmsimplementedbytheseenginesarethosespecifiedbythisPPandusedbythecryptographicprotocolsbeingevaluated(IPsec,TLS/HTTPS,SSH).
Thetestplanidentifieshigh-leveltestobjectivesaswellasthetestprocedurestobefollowedtoachievethoseobjectives.Theseproceduresincludeexpectedresults.Thetestreport(whichcouldjustbeanannotatedversionofthetestplan)detailstheactivitiesthattookplacewhenthetestprocedureswereexecuted,andincludestheactualresultsofthetests.Thisshallbeacumulativeaccount,soiftherewasatestrunthatresultedinafailure;afixinstalled;andthenasuccessfulre-runofthetest,thereportwouldshowa“fail”and“pass”result(andthesupportingdetails),andnotjustthe“pass”result.
5.2.6ClassAVA:VulnerabilityAssessmentForthefirstgenerationofthisProtectionProfile,theevaluationlabisexpectedtosurveyopensourcestolearnwhatvulnerabilitieshavebeendiscoveredinthesetypesofproducts.Inmostcases,thesevulnerabilitieswillrequiresophisticationbeyondthatofabasicattacker.Untilpenetrationtoolsarecreatedanduniformlydistributedtotheevaluationlabs,evaluatorswillnotbeexpectedtotestforthesevulnerabilitiesintheTOE.Thelabswillbeexpectedtocommentonthelikelihoodofthesevulnerabilitiesgiventhedocumentationprovidedbythevendor.ThisinformationwillbeusedinthedevelopmentofpenetrationtestingtoolsandforthedevelopmentoffuturePPs.
AVA_VAN.1Vulnerabilitysurvey
Developeractionelements:AVA_VAN.1.1D
ThedevelopershallprovidetheTOEfortesting.
Contentandpresentationelements:AVA_VAN.1.2C
TheTOEshallbesuitablefortesting.
Evaluatoractionelements:AVA_VAN.1.3E
Theevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
AVA_VAN.1.4ETheevaluatorshallperformasearchofpublicdomainsourcestoidentifypotentialvulnerabilitiesintheTOE.
AVA_VAN.1.5ETheevaluatorshallconductpenetrationtesting,basedontheidentifiedpotentialvulnerabilities,todeterminethattheTOEisresistanttoattacksperformedbyanattackerpossessingBasicattackpotential.
EvaluationActivities
AVA_VAN.1:AswithATE_INDtheevaluatorshallgenerateareporttodocumenttheirfindingswithrespecttothisrequirement.ThisreportcouldphysicallybepartoftheoveralltestreportmentionedinATE_IND,oraseparatedocument.Theevaluatorperformsasearchofpublicinformationto
determinethevulnerabilitiesthathavebeenfoundinvirtualizationingeneral,aswellasthosethatpertaintotheparticularTOE.Theevaluatordocumentsthesourcesconsultedandthevulnerabilitiesfoundinthereport.Foreachvulnerabilityfound,theevaluatoreitherprovidesarationalewithrespecttoitsnon-applicabilityortheevaluatorformulatesatest(usingtheguidelinesprovidedinATE_IND)toconfirmthevulnerability,ifsuitable.Suitabilityisdeterminedbyassessingtheattackvectorneededtotakeadvantageofthevulnerability.Forexample,ifthevulnerabilitycanbedetectedbypressingakeycombinationonboot-up,atestwouldbesuitableattheassurancelevelofthisPP.Ifexploitingthevulnerabilityrequiresexpertskillsandanelectronmicroscope,forinstance,thenatestwouldnotbesuitableandanappropriatejustificationwouldbeformulated.
AppendixA-OptionalRequirementsAsindicatedintheintroductiontothisPP,thebaselinerequirements(thosethatmustbeperformedbytheTOE)arecontainedinthebodyofthisPP.ThisappendixcontainsthreeothertypesofoptionalrequirementsthatmaybeincludedintheST,butarenotrequiredinordertoconformtothisPP.However,appliedmodules,packagesand/orusecasesmayrefinespecificrequirementsasmandatory.
Thefirsttype(A.1StrictlyOptionalRequirements)arestrictlyoptionalrequirementsthatareindependentoftheTOEimplementinganyfunction.IftheTOEfulfillsanyoftheserequirementsorsupportsacertainfunctionality,thevendorisencouragedtoincludedtheSFRsintheST,butarenotrequiredinordertoconformtothisPP.
Thesecondtype(A.2ObjectiveRequirements)areobjectiverequirementsthatdescribesecurityfunctionalitynotyetwidelyavailableincommercialtechnology.TherequirementsarenotcurrentlymandatedinthebodyofthisPP,butwillbeincludedinthebaselinerequirementsinfutureversionsofthisPP.Adoptionbyvendorsisencouragedandexpectedassoonaspossible.
Thethirdtype(A.3Implementation-basedRequirements)aredependentontheTOEimplementingaparticularfunction.IftheTOEfulfillsanyoftheserequirements,thevendormusteitheraddtherelatedSFRordisablethefunctionalityfortheevaluatedconfiguration.
A.1StrictlyOptionalRequirements
A.1.1AuditableEventsforStrictlyOptionalRequirements
Table5:AuditEventsforOptionalRequirements
Requirement AuditableEvents AdditionalAuditRecordContents
FAU_ARP.1 Actionstakenduetopotentialsecurityviolations.
FAU_SAA.1 Enablinganddisablingofanyoftheanalysismechanisms.
FAU_SAA.1 AutomatedresponsesperformedbytheTSF.
FPT_GVI_EXT.1 Actionstakenduetofailedintegritycheck.
A.1.2SecurityAudit(FAU)
FAU_ARP.1SecurityAuditAutomaticResponseFAU_ARP.1.1
TheTSFshalltake[assignment:listofactions]upondetectionofapotentialsecurityviolation.
ApplicationNote:Incertaincases,itmaybeusefulforVirtualizationSystemstoperformautomatedresponsestocertainsecurityevents.AnexamplemayincludehaltingaVMwhichhastakensomeactiontoviolateakeysystemsecuritypolicy.Thismaybeespeciallyusefulwithheadlessendpointswhenthereisnohumanuserintheloop.
ThepotentialsecurityviolationmentionedinFAU_ARP.1.1referstoFAU_SAA.1.
EvaluationActivities
FAU_ARP.1:TestsTheevaluatorshallgenerateapotentialsecurityviolationasdefinedinFAU_SAA.1andverifythateachactionintheassignmentinFAU_ARP.1.1isperformedbytheTSFasaresult.TheevaluatorshallperformthisactionforeachsecurityviolationthatisdefinedinFAU_SAA.1.
FAU_SAA.1SecurityAuditAnalysisFAU_SAA.1.1
TheTSFshallbeabletoapplyasetofrulesinmonitoringtheauditedeventsandbasedupontheserulesindicateapotentialviolationoftheenforcementoftheSFRs.
FAU_SAA.1.2
TheTSFshallenforcethefollowingrulesformonitoringauditedevents:
a. accumulationorcombinationof[assignment:subsetofdefinedauditableevents]knowntoindicateapotentialsecurityviolation
b. [assignment:anyotherrules]
ApplicationNote:ThepotentialsecurityviolationdescribedinFAU_SAA.1canbeusedasatriggerforautomatedresponsesasdefinedinFAU_ARP.1.
EvaluationActivities
FAU_SAA.1:TestsTheevaluatorshallcauseeachcombinationofauditableeventsdefinedinFAU_SAA.1.2tooccur,andverifythatapotentialsecurityviolationisindicatedbytheTSF.
A.1.3ProtectionoftheTSF(FPT)
FPT_GVI_EXT.1GuestVMIntegrityFPT_GVI_EXT.1.1
TheTSFshallverifytheintegrityofGuestVMsthroughthefollowingmechanisms:[assignment:listofGuestVMintegritymechanisms].
ApplicationNote:TheprimarypurposeofthisrequirementistoidentifyanddescribethemechanismsusedtoverifytheintegrityofGuestVMsthathavebeen'imported'insomefashion,thoughthesemechanismscouldalsobeappliedtoallGuestVMs,dependingonthemechanismused.ImportationforthisrequirementcouldincludeVMmigration(liveorotherwise),theimportationofvirtualdiskfilesthatwerepreviouslyexported,VMsinsharedstorage,etc.ItispossiblethatatrustedVMcouldhavebeenmodifiedduringthemigrationorimport/exportprocess,orVMscouldhavebeenobtainedfromuntrustedsourcesinthefirstplace,sointegritychecksontheseVMscanbeaprudentmeasuretotake.TheseintegritycheckscouldbeasthoroughasmakingsuretheentireVMexactlymatchesapreviouslyknownVM(byhashforexample),orbysimplycheckingcertainconfigurationsettingstoensurethattheVM'sconfigurationwillnotviolatethesecuritymodeloftheVS.
EvaluationActivities
FPT_GVI_EXT.1:TSSForeachmechanismlistedintheassignment,theevaluatorshallensurethattheTSSdocumentsthemechanism,includinghowitverifiesVMintegrity,whichsetofGuestVMsitwillcheck(allGuestVMs,onlymigratedVMs,etc.),whensuchchecksoccur(beforeVMstartup,immediatelyfollowingimportation/migration,ondemand,etc.),andwhichactionsaretakenifaVMfailstheintegritycheck(orwhichrangeofactionsarepossibleiftheactionisconfigurable).
A.2ObjectiveRequirements
A.2.1AuditableEventsforObjectiveRequirements
Table6:AuditEventsforObjectiveRequirementsRequirement AuditableEvents AdditionalAuditRecordContents
FPT_DDI_EXT.1 Noeventsspecified
FPT_IDV_EXT.1 Noeventsspecified
FPT_INT_EXT.1 Introspectioninitiated/enabled. TheVMintrospected.
FPT_ML_EXT.1 Integrityinitiated/enabled. Integritymeasurementvalues.
A.2.2ProtectionoftheTSF(FPT)
FPT_DDI_EXT.1DeviceDriverIsolationFPT_DDI_EXT.1.1
TheTSFshallensurethatdevicedriversforphysicaldevicesareisolatedfrom
theVMMandallotherdomains.
ApplicationNote:Inordertofunctiononphysicalhardware,theVMMmusthaveaccesstothedevicedriversforthephysicalplatformonwhichitruns.Thesedriversareoftenwrittenbythirdparties,andyetareeffectivelyapartoftheVMM.ThustheintegrityoftheVMMinpartdependsonthequalityofthirdpartycodethatthevirtualizationvendorhasnocontrolover.Byencapsulatingthesedriverswithinoneormorededicateddriverdomains(e.g.,ServiceVMorVMs)thedamageofadriverfailureorvulnerabilitycanbecontainedwithinthedomain,andwouldnotcompromisetheVMM.Whendriverdomainshaveexclusiveaccesstoaphysicaldevice,hardwareisolationmechanisms,suchasIntel'sVT-d,AMD'sInput/OutputMemoryManagementUnit(IOMMU),orARM'sSystemMemoryManagementUnit(MMU)shouldbeusedtoensurethatoperationsperformedbyDirectMemoryAccess(DMA)hardwareareproperlyconstrained.
EvaluationActivities
FPT_DDI_EXT.1:TSSTheevaluatorshallexaminetheTSSdocumentationtoverifythatitdescribesthemechanismusedfordevicedriverisolation.IftheTSSdocumentindicatesthatahardwareisolationmechanismisused,theevaluatorshallverifythattheTSSdocumentationenumeratesthehardware-isolatedDMA-capabledevices,andthatitalsoprovidesacompletelistoftheaccessibletargetsformemorytransactionsforeachofthoseDMA-capabledevices.(AnexampleofinformationthatmightbeincludedintheTSSdocumentation:alistingofallpagesbelongingtothedriverdomain,theidentificationofasubsetofthedriverdomain'spagesthatthedriverdomainhaspermittedthedeviceaccessto,ortheidentificationofadedicatedareaofmemoryreservedforthedeviceordriverdomain).
FPT_IDV_EXT.1SoftwareIdentificationandVersionsFPT_IDV_EXT.1.1
TheTSFshallincludesoftwareidentification(SWID)tagsthatcontainaSoftwareIdentityelementandanEntityelementasdefinedinISO/IEC19770-2:2009.
FPT_IDV_EXT.1.2TheTSFshallstoreSWIDsina.swidtagfileasdefinedinISO/IEC19770-2:2009.
ApplicationNote:SWIDtagsareXMLfilesembeddedwithinsoftwarethatprovideastandardmethodforITdepartmentstotrackandmanagethesoftware.ThepresenceofSWIDscangreatlysimplifythesoftwaremanagementprocessandimprovesecuritybyenhancingtheabilityofITdepartmentstomanageupdates.
EvaluationActivities
FPT_IDV_EXT.1:TSSTheevaluatorshallexaminetheTSStoensureitdescribeshowSWIDtagsareimplementedandtheformatofthetags.TheevaluatorshallverifythattheformatcomplieswithFPT_IDV_EXT.1.1andthatSWIDsarestoredinaccordancewithFPT_IDV_EXT.1.2.TestsTheevaluatorshallperformthefollowingtest:
Test1:TheevaluatorshallcheckfortheexistenceofSWIDtagsina.swidtagfile.TheevaluatorshallopenthefileandverifythateachSWIDcontainsatleastaSoftwareIdentityelementandanEntityelement.
FPT_INT_EXT.1SupportforIntrospectionFPT_INT_EXT.1.1
TheTSFshallsupportamechanismforpermittingtheVMMorprivilegedVMstoaccesstheinternalsofanotherVMforpurposesofintrospection.
ApplicationNote:Introspectioncanbeusedtosupportmalwareandanomalydetectionfromoutsideoftheguestenvironment.ThisnotonlyhelpsprotecttheGuestOS,italsoprotectstheVSbyprovidinganopportunityfortheVStodetectthreatstoitselfthatoriginatewithinVMs,andthatmayattempttobreakoutoftheVMandcompromisetheVMMorotherVMs.
ThehostingofmalwaredetectionsoftwareoutsideoftheguestVMhelpsprotecttheguestandhelpsensuretheintegrityofthemalwaredetection/antivirussoftware.ThiscapabilitycanbeimplementedintheVMMitself,butideallyitshouldbehostedbyaServiceVMsothatitcanbebettercontainedanddoesnotintroducebugsintotheVMM.
EvaluationActivities
FPT_INT_EXT.1:TSSTheevaluatorshallexaminetheTSSdocumentationtoverifythatitdescribestheinterfaceforVMintrospectionandwhethertheintrospectionisperformedbytheVMMoranotherVM.GuidanceTheevaluatorshallexaminetheoperationalguidancetoensurethatitcontainsinstructionsforconfigurationoftheintrospectionmechanism.
FPT_ML_EXT.1MeasuredLaunchofPlatformandVMMFPT_ML_EXT.1.1
TheTSFshallsupportameasuredlaunchoftheVirtualizationSystem.MeasuredcomponentsoftheVSshallincludethestaticexecutableimageoftheHypervisorand:[selection:
StaticexecutableimagesoftheManagementSubsystem,[assignment:listof(staticimagesof)ServiceVMs],[assignment:listofconfigurationfiles],noothercomponents
]
FPT_ML_EXT.1.2TheTSFshallmakethemeasurementsselectedinFPT_ML_EXT.1.1availabletotheManagementSubsystem.
ApplicationNote:AmeasuredlaunchoftheplatformandVSdemonstratesthattheproperTOEsoftwarewasloaded.Ameasuredlaunchprocessemploysverifiableintegritymeasurementmechanisms.Forexample,aVSmayhashcomponentssuchas:thehypervisor,serviceVMsand/ortheManagementSubsystem.Ameasuredlaunchprocessonlyallowscomponentstobeexecutedafterthemeasurementhasbeenrecorded.Anexampleprocessmayaddeachcomponent’shashbeforeitisexecutedsothatthefinalhashreflectstheevidenceofacomponent’sstatepriortoexecution.Themeasurementmaybeverifiedasthesystemboots,butthisisnotrequired.
ThePlatformisoutsideoftheTOE.However,thisrequirementspecifiesthattheVSmustbecapableofreceivingPlatformmeasurementsifthePlatformprovidesthem.ThisrequirementisrequiringTOEsupportforPlatformmeasurementsifprovided;itisnotplacingarequirementonthePlatformtotakesuchmeasurements.
Ifavailable,hardwareshouldbeusedtostoremeasurementsinsuchamannerthattheycannotbemodifiedinanymannerexcepttobeextended.Thesemeasurementsshouldbeproducedinarepeatablemannersothatathirdpartycanverifythemeasurementsifgiventheinputs.Hardwaredevices,likeTrustedPlatformModules(TPM),TrustZone,andMMUaresomeexamplesthatmayserveasfoundationsforstoringandreportingmeasurements.
Platformswitharootoftrustformeasurement(RTM)shouldinitiatethemeasuredlaunchprocess.ThismayincludecoreBIOSorthechipset.ThechipsetisthepreferredRTM,butcoreBIOSorotherfirmwareisacceptable.InsystemwithoutatraditionalRTM,thefirstcomponentthatbootswouldbeconsideredtheRTM,thisisnotpreferred.
EvaluationActivities
FPT_ML_EXT.1:TSSTheevaluatorshallverifythattheTSSorOperationalGuidancedescribeshowintegritymeasurementsareperformedandmadeavailabletotheManagementSubsystem.TheevaluatorshallexaminetheoperationalguidancetoverifythatitdocumentshowtoaccessthemeasurementsintheManagementSubsystem.TestsTheevaluatorshallperformthefollowingtests:
Test1:TheevaluatorshallstarttheVS,loginasanAdministrator,andverifythatthemeasurementsforthespecifiedcomponentsareviewableintheManagementSubsystem.
A.3Implementation-basedRequirementsThisPPdoesnotdefineanyImplementation-basedrequirements.
AppendixB-Selection-basedRequirementsAsindicatedintheintroductiontothisPP,thebaselinerequirements(thosethatmustbeperformedbytheTOEoritsunderlyingplatform)arecontainedinthebodyofthisPP.ThereareadditionalrequirementsbasedonselectionsinthebodyofthePP:ifcertainselectionsaremade,thenadditionalrequirementsbelowmustbeincluded.
B.1AuditableEventsforSelection-basedRequirementsTable7:AuditEventsforSelection-basedRequirements
Requirement AuditableEvents AdditionalAuditRecordContents
FCS_HTTPS_EXT.1 FailuretoestablishaHTTPSSession. Reasonforfailure.Non-TOEendpointofconnection(IPaddress)forfailures.
FCS_HTTPS_EXT.1 Establishment/TerminationofaHTTPSsession.
Non-TOEendpointofconnection(IPaddress).
FCS_IPSEC_EXT.1 FailuretoestablishanIPsecSA. Reasonforfailure.Non-TOEendpointofconnection(IPaddress).
FCS_IPSEC_EXT.1 Establishment/TerminationofanIPsecSAA.
Non-TOEendpointofconnection(IPaddress).
FIA_PMG_EXT.1 Noeventsspecified
FIA_X509_EXT.1 Failuretovalidateacertificate. Reasonforfailure.
FIA_X509_EXT.2 Noeventsspecified
FPT_TUD_EXT.2 Noeventsspecified
FTP_TRP.1 Initiationofthetrustedchannel. UserIDandremotesource(IPAddress)iffeasible.
FTP_TRP.1 Terminationofthetrustedchannel. UserIDandremotesource(IPAddress)iffeasible.
FTP_TRP.1 Failuresofthetrustedpathfunctions. UserIDandremotesource(IPAddress)iffeasible.
B.2CryptographicSupport(FCS)
FCS_HTTPS_EXT.1HTTPSProtocol
Theinclusionofthisselection-basedcomponentdependsuponaselectioninFTP_ITC_EXT.1.1,FIA_X509_EXT.2.1.
FCS_HTTPS_EXT.1.1TheTSFshallimplementtheHTTPSprotocolthatcomplieswithRFC2818.
ApplicationNote:ThisSFRisincludedintheSTiftheSTAuthorselects"TLS/HTTPS"inFTP_ITC_EXT.1.1.
TheSTauthormustprovideenoughdetailtodeterminehowtheimplementationiscomplyingwiththestandard(s)identified;thiscanbedoneeitherbyaddingelementstothiscomponent,orbyadditionaldetailintheTSS.
FCS_HTTPS_EXT.1.2TheTSFshallimplementHTTPSusingTLS.
EvaluationActivities
FCS_HTTPS_EXT.1:TSSTheevaluatorshallchecktheTSStoensurethatitisclearonhowHTTPSusesTLStoestablishanadministrativesession,focusingonanyclientauthenticationrequiredbytheTLSprotocolvs.
securityadministratorauthenticationwhichmaybedoneatadifferentleveloftheprocessingstack.TestsTestingforthisactivityisdoneaspartoftheTLStesting;thismayresultinadditionaltestingiftheTLStestsaredoneattheTLSprotocollevel.
FCS_IPSEC_EXT.1IPsecProtocol
Theinclusionofthisselection-basedcomponentdependsuponaselectioninFTP_ITC_EXT.1.1,FIA_X509_EXT.2.1.
FCS_IPSEC_EXT.1.1TheTSFshallimplementtheIPsecarchitectureasspecifiedinRFC4301.
ApplicationNote:ThisSFRisincludedintheSTiftheSTAuthorselected"IPsec"inFTP_ITC_EXT.1.1.
RFC4301callsforanIPsecimplementationtoprotectIPtrafficthroughtheuseofaSecurityPolicyDatabase(SPD).TheSPDisusedtodefinehowIPpacketsaretobehandled:PROTECTthepacket(e.g.,encryptthepacket),BYPASStheIPsecservices(e.g.,noencryption),orDISCARDthepacket(e.g.,dropthepacket).TheSPDcanbeimplementedinvariousways,includingrouteraccesscontrollists,firewallrulesets,a"traditional"SPD,etc.Regardlessoftheimplementationdetails,thereisanotionofa"rule"thatapacketis"matched"againstandaresultingactionthattakesplace.
Whiletheremustbeameanstoordertherules,ageneralapproachtoorderingisnotmandated,aslongastheTOEcandistinguishtheIPpacketsandapplytherulesaccordingly.TheremaybemultipleSPDs(oneforeachnetworkinterface),butthisisnotrequired.
FCS_IPSEC_EXT.1.2TheTSFshallimplement[selection:transportmode,tunnelmode].
ApplicationNote:IftheTOEisusedtoconnecttoaVPNgatewayforthepurposesofestablishingasecureconnectiontoaprivatenetwork,theSTauthorshallselecttunnelmode.IftheTOEusesIPsectoestablishanend-to-endconnectiontoanotherIPsecVPNClient,theSTauthorshallselecttransportmode.IftheTOEusesIPsectoestablishaconnectiontoaspecificendpointdeviceforthepurposeofsecureremoteadministration,theSTauthorshallselecttransportmode.
FCS_IPSEC_EXT.1.3TheTSFshallhaveanominal,finalentryintheSPDthatmatchesanythingthatisotherwiseunmatched,anddiscardsit.
FCS_IPSEC_EXT.1.4TheTSFshallimplementtheIPsecprotocolESPasdefinedbyRFC4303usingthecryptographicalgorithms[AES-GCM-128,AES-GCM-256(asspecifiedinRFC4106),[selection:AES-CBC-128(specifiedinRFC3602),AES-CBC-256(specifiedinRFC3602),nootheralgorithms]]togetherwithaSecureHashAlgorithm(SHA)-basedHMAC.
FCS_IPSEC_EXT.1.5TheTSFshallimplementtheprotocol:
[selection:IKEv1,usingMainModeforPhase1exchanges,asdefinedinRFC2407,RFC2408,RFC2409,RFC4109,[selection:nootherRFCsforextendedsequencenumbers,RFC4304forextendedsequencenumbers],[selection:nootherRFCsforhashfunctions,RFC4868forhashfunctions],and[selection:supportforXAUTH,nosupportforXAUTH],IKEv2asdefinedinRFC7296(withmandatorysupportforNATtraversalasspecifiedinsection2.23),RFC8784,RFC8247,and[selection:nootherRFCsforhashfunctions,RFC4868forhashfunctions].
]
ApplicationNote:IftheTOEimplementsSHA-2hashalgorithmsforIKEv1orIKEv2,theSTauthorshallselectRFC4868.
FCS_IPSEC_EXT.1.6TheTSFshallensuretheencryptedpayloadinthe[selection:IKEv1,IKEv2]
protocolusesthecryptographicalgorithmsAES-CBC-128,AES-CBC-256asspecifiedinRFC6379and[selection:AES-GCM-128asspecifiedinRFC5282,AES-GCM-256asspecifiedinRFC5282,nootheralgorithm].
FCS_IPSEC_EXT.1.7TheTSFshallensurethat[selection:
IKEv2SAlifetimescanbeconfiguredby[selection:anAdministrator,aVPNGateway]basedon[selection:numberofpackets/numberofbytes,lengthoftime],IKEv1SAlifetimescanbeconfiguredby[selection:anAdministrator,aVPNGateway]basedon[selection:numberofpackets/numberofbytes,lengthoftime],IKEv1SAlifetimesarefixedbasedon[selection:numberofpackets/numberofbytes,lengthoftime].Iflengthoftimeisused,itmustincludeatleastoneoptionthatis24hoursorlessforPhase1SAsand8hoursorlessforPhase2SAs.
]
ApplicationNote:TheSTauthorisaffordedaselectionbasedontheversionofIKEintheirimplementation.ThereisafurtherselectionwithinthisselectionthatallowstheSTauthortospecifywhichentityisresponsiblefor“configuring”thelifeoftheSA.AnimplementationthatallowsanadministratortoconfiguretheclientoraVPNgatewaythatpushestheSAlifetimedowntotheclientarebothacceptable.
AsfarasSAlifetimesareconcerned,theTOEcanlimitthelifetimebasedonthenumberofbytestransmitted,orthenumberofpacketstransmitted.Eitherpacket-basedorvolume-basedSAlifetimesareacceptable;theSTauthormakestheappropriateselectiontoindicatewhichtypeoflifetimelimitsaresupported.
TheSTauthorchooseseithertheIKEv1requirementsorIKEv2requirements(orboth,dependingontheselectioninFCS_IPSEC_EXT.1.5.TheIKEv1requirementcanbeaccomplishedeitherbyprovidingAuthorizedAdministrator-configurablelifetimes(withappropriateinstructionsindocumentsmandatedbyAGD_OPE),orby“hardcoding”thelimitsintheimplementation.ForIKEv2,therearenohardcodedlimits,butinthiscaseitisrequiredthatanadministratorbeabletoconfigurethevalues.Ingeneral,instructionsforsettingtheparametersoftheimplementation,includinglifetimeoftheSAs,shouldbeincludedintheoperationalguidancegeneratedforAGD_OPE.ItisappropriatetorefinetherequirementintermsofnumberofMB/KBinsteadofnumberofpackets,aslongastheTOEiscapableofsettingalimitontheamountoftrafficthatisprotectedbythesamekey(thetotalvolumeofallIPsectrafficprotectedbythatkey).
FCS_IPSEC_EXT.1.8TheTSFshallensurethatallIKEprotocolsimplementDHgroups[19(256-bitRandomECP),20(384-bitRandomECP),and[selection:24(2048-bitMODPwith256-bitPOS),15(3072-bitMODP),14(2048-bitMODP),nootherDHgroups]].
ApplicationNote:TheselectionisusedtospecifyadditionalDHgroupssupported.ThisappliestoIKEv1andIKEv2exchanges.ItshouldbenotedthatifanyadditionalDHgroupsarespecified,theymustcomplywiththerequirements(intermsoftheephemeralkeysthatareestablished)listedinFCS_CKM.1.
SincetheimplementationmayallowdifferentDiffie-HellmangroupstobenegotiatedforuseinformingtheSAs,theassignmentsinFCS_IPSEC_EXT.1.9andFCS_IPSEC_EXT.1.10maycontainmultiplevalues.ForeachDHgroupsupported,theSTauthorconsultsTable2in800-57todeterminethe“bitsofsecurity”associatedwiththeDHgroup.Eachuniquevalueisthenusedtofillintheassignment(for1.9theyaredoubled;for1.10theyareinserteddirectlyintotheassignment).Forexample,supposetheimplementationsupportsDHgroup14(2048-bitMODP)andgroup20(ECDHusingNISTcurveP-384).FromTable2,thebitsofsecurityvalueforgroup14is112,andforgroup20itis192.ForFCS_IPSEC_EXT.1.9,then,theassignmentwouldread“[224,384]”andforFCS_IPSEC_EXT.1.10itwouldread“[112,192]”(althoughinthiscasetherequirementshouldprobablyberefinedsothatitmakessensemathematically).
FCS_IPSEC_EXT.1.9TheTSFshallgeneratethesecretvaluexusedintheIKEDiffie-Hellmankeyexchange(“x”ingxmodp)usingtherandombitgeneratorspecifiedinFCS_RBG_EXT.1,andhavingalengthofatleast[assignment:(oneormore)number(s)ofbitsthatisatleasttwicethe“bitsofsecurity”valueassociatedwiththenegotiatedDiffie-HellmangroupaslistedinTable2ofNISTSP800-57,RecommendationforKeyManagement–Part1:General]bits.
FCS_IPSEC_EXT.1.10TheTSFshallgeneratenoncesusedinIKEexchangesinamannersuchthattheprobabilitythataspecificnoncevaluewillberepeatedduringthelifeaspecificIPsecSAislessthan1in2^[assignment:(oneormore)“bitsofsecurity”value(s)associatedwiththenegotiatedDiffie-HellmangroupaslistedinTable2ofNISTSP800-57,RecommendationforKeyManagement–Part1:General].
FCS_IPSEC_EXT.1.11TheTSFshallensurethatallIKEprotocolsperformpeerauthenticationusinga[selection:RSA,ECDSA]thatuseX.509v3certificatesthatconformtoRFC4945and[selection:Pre-sharedKeys,noothermethod].
ApplicationNote:Atleastonepublic-key-basedPeerAuthenticationmethodisrequiredinordertoconformtothisPP-Module;oneormoreofthepublickeyschemesischosenbytheSTauthortoreflectwhatisimplemented.TheSTauthoralsoensuresthatappropriateFCSrequirementsreflectingthealgorithmsused(andkeygenerationcapabilities,ifprovided)arelistedtosupportthosemethods.NotethattheTSSwillelaborateonthewayinwhichthesealgorithmsaretobeused(forexample,2409specifiesthreeauthenticationmethodsusingpublickeys;eachonesupportedwillbedescribedintheTSS).
If“pre-sharedkeys”isselected,theselection-basedrequirementFIA_PSK_EXT.1mustbeclaimed.
FCS_IPSEC_EXT.1.12TheTSFshallnotestablishanSAifthe[[selection:IPaddress,FullyQualifiedDomainName(FQDN),userFQDN,DistinguishedName(DN)]and[selection:nootherreferenceidentifiertype,[assignment:othersupportedreferenceidentifiertypes]]]containedinacertificatedoesnotmatchtheexpectedvalue(s)fortheentityattemptingtoestablishaconnection.
ApplicationNote:TheTOEmustsupportatleastoneofthefollowingidentifiertypes:IPaddress,FullyQualifiedDomainName(FQDN),userFQDN,orDistinguishedName(DN).Inthefuture,theTOEwillberequiredtosupportalloftheseidentifiertypes.TheTOEisexpectedtosupportasmanyIPaddressformats(IPv4andIPv6)asIPversionssupportedbytheTOEingeneral.TheSTauthormayassignadditionalsupportedidentifiertypesinthesecondselection.
FCS_IPSEC_EXT.1.13TheTSFshallnotestablishanSAifthepresentedidentifierdoesnotmatchtheconfiguredreferenceidentifierofthepeer.
ApplicationNote:Atthistime,onlythecomparisonbetweenthepresentedidentifierinthepeer’scertificateandthepeer’sreferenceidentifierismandatedbythetestingbelow.However,inthefuture,thisrequirementwilladdresstwoaspectsofthepeercertificatevalidation:1)comparisonofthepeer’sIDpayloadtothepeer’scertificatewhicharebothpresentedidentifiers,asrequiredbyRFC4945and2)verificationthatthepeeridentifiedbytheIDpayloadandthecertificateisthepeerexpectedbytheTOE(perthereferenceidentifier).Atthattime,theTOEwillberequiredtodemonstratebothaspects(i.e.thattheTOEenforcesthatthepeer’sIDpayloadmatchesthepeer’scertificatewhichbothmatchconfiguredpeerreferenceidentifiers).
ExcludingtheDNidentifiertype(whichisnecessarilytheSubjectDNinthepeercertificate),theTOEmaysupporttheidentifierineithertheCommonNameorSubjectAlternativeName(SAN)orboth.Ifbotharesupported,thepreferredlogicistocomparethereferenceidentifiertoapresentedSAN,andonlyifthepeer’scertificatedoesnotcontainaSAN,tofallbacktoacomparisonagainsttheCommonName.Inthefuture,theTOEwillberequiredtocomparethereferenceidentifiertothepresentedidentifierintheSANonly,ignoringtheCommonName.
TheconfigurationofthepeerreferenceidentifierisaddressedbyFMT_SMF.1.1/VPN.
FCS_IPSEC_EXT.1.14The[selection:TSF,VPNGateway]shallbeabletoensurebydefaultthatthestrengthofthesymmetricalgorithm(intermsofthenumberofbitsinthekey)negotiatedtoprotectthe[selection:IKEv1Phase1,IKEv2IKE_SA]connectionisgreaterthanorequaltothestrengthofthesymmetricalgorithm(intermsofthenumberofbitsinthekey)negotiatedtoprotectthe[selection:IKEv1Phase2,IKEv2CHILD_SA]connection.
ApplicationNote:Ifthisfunctionalityisconfigurable,theTSFmaybeconfiguredbyaVPNGatewayorbyanAdministratoroftheTOEitself.
TheSTauthorchooseseitherorbothoftheIKEselectionsbasedonwhatisimplementedbytheTOE.Obviously,theIKEversion(s)chosenshouldbeconsistentnotonlyinthiselement,butwithotherchoicesforotherelementsinthiscomponent.Whileitisacceptableforthiscapabilitytobeconfigurable,thedefaultconfigurationintheevaluatedconfiguration(either"outofthebox"orbyconfigurationguidanceintheAGDdocumentation)mustenablethisfunctionality.
EvaluationActivities
FCS_IPSEC_EXT.1:TSSInadditiontotheTSSEAsfortheindividualFCS_IPSEC_EXT.1elementsbelow,theevaluatorshallperformthefollowing:IftheTOEboundaryincludesageneral-purposeoperatingsystemormobiledevice,theevaluatorshallexaminetheTSStoensurethatitdescribeswhethertheVPNclientcapabilityisarchitecturallyintegratedwiththeplatformitselforwhetheritisaseparateexecutablethatisbundledwiththeplatform.GuidanceInadditiontotheOperationalGuidanceEAsfortheindividualFCS_IPSEC_EXT.1elementsbelow,theevaluatorshallperformthefollowing:IftheconfigurationoftheIPsecbehaviorisfromanenvironmentalsource,mostnotablyaVPNgateway(e.gthroughreceiptofrequiredconnectionparametersfromaVPNgateway),theevaluatorshallensurethattheoperationalguidancecontainsanyappropriateinformationforensuringthatthisconfigurationcanbeproperlyapplied.NoteinthiscasethattheimplementationoftheIPsecprotocolmustbeenforcedentirelywithintheTOEboundary;i.e.itisnotpermissibleforasoftwareapplicationTOEtobeagraphicalfront-endforIPsecfunctionalityimplementedtotallyorinpartbytheunderlyingOSplatform.ThebehaviorreferencedhereisforthepossibilitythattheconfigurationoftheIPsecconnectionisinitiatedfromoutsidetheTOE,whichispermissiblesolongastheTSFissolelyresponsibleforenforcingtheconfiguredbehavior.However,itisallowablefortheTSFtorelyonlow-levelplatform-providednetworkingfunctionstoimplementtheSPDfromtheclient(e.g.,enforcementofpacketroutingdecisions).
TestsAsaprerequisiteforperformingtheTestEAsfortheindividualFCS_IPSEC_EXT.1elementsbelow,theevaluatorshalldothefollowing:Theevaluatorshallminimallycreateatestenvironmentequivalenttothetestenvironmentillustratedbelow.ThetrafficgeneratorusedtoconstructnetworkpacketsshouldprovidetheevaluatorwiththeabilitymanipulatefieldsintheICMP,IPv4,IPv6,UDP,andTCPpacketheaders.Theevaluatorshallprovidejustificationforanydifferencesinthetestenvironment.
Figure2:IPsecTestEnvironmentNotethattheevaluatorshallperformalltestsusingtheVirtualizationSystemandarepresentativesampleofplatformslistedintheST(forTOEsthatclaimtosupportmultipleplatforms).FCS_IPSEC_EXT.1.1TSSTheevaluatorshallexaminetheTSSanddeterminethatitdescribeshowtheIPseccapabilitiesareimplemented.TheevaluatorshallensurethattheTSSdescribesatahighlevelthearchitecturalrelationshipbetweentheIPsecimplementationandtherestoftheTOE(e.g.istheIPsecimplementationanintegratedpartoftheVSorisitastandaloneexecutablethatisbundledintotheVS).TheevaluatorshallensurethattheTSSdescribeshowtheSPDisimplementedandtherulesforprocessingbothinboundandoutboundpacketsintermsoftheIPsecpolicy.TheTSSdescribestherulesthatareavailableandtheresultingactionsavailableaftermatchingarule.TheTSSdescribeshowtheavailablerulesandactionsformtheSPDusingtermsdefinedinRFC4301
suchasBYPASS(e.g.,noencryption),DISCARD(e.g.,dropthepacket),andPROTECT(e.g.,encryptthepacket)actionsdefinedinRFC4301.Asnotedinsection4.4.1ofRFC4301,theprocessingofentriesintheSPDisnon-trivialandtheevaluatorshalldeterminethatthedescriptionintheTSSissufficienttodeterminewhichruleswillbeappliedgiventherulestructureimplementedbytheTOE.Forexample,iftheTOEallowsspecificationofranges,conditionalrules,etc.,theevaluatorshalldeterminethatthedescriptionofruleprocessing(forbothinboundandoutboundpackets)issufficienttodeterminetheactionthatwillbeapplied,especiallyinthecasewheretwodifferentrulesmayapply.Thisdescriptionshallcoverboththeinitialpackets(thatis,noSAisestablishedontheinterfaceorforthatparticularpacket)aswellaspacketsthatarepartofanestablishedSA.GuidanceTheevaluatorshallexaminetheoperationalguidancetoverifyitinstructstheAdministratorhowtoconstructentriesintotheSPDthatspecifyaruleforprocessingapacket.Thedescriptionincludesallthreecases–arulethatensurespacketsareencrypted/decrypted,dropped,andflowthroughtheTOEwithoutbeingencrypted.TheevaluatorshalldeterminethatthedescriptionintheoperationalguidanceisconsistentwiththedescriptionintheTSS,andthatthelevelofdetailintheoperationalguidanceissufficienttoallowtheadministratortosetuptheSPDinanunambiguousfashion.ThisincludesadiscussionofhoworderingofrulesimpactstheprocessingofanIPpacket.
TestsTheevaluatorusestheoperationalguidancetoconfiguretheTOEtocarryoutthefollowingtests:
Test1:TheevaluatorshallconfiguretheSPDsuchthatthereisarulefordroppingapacket,encryptingapacket,andallowingapackettoflowinplaintext.Theselectorsusedintheconstructionoftheruleshallbedifferentsuchthattheevaluatorcangenerateapacketandsendpacketstothegatewaywiththeappropriatefields(fieldsthatareusedbytherule-e.g.,theIPaddresses,TCP/UDPports)inthepacketheader.Theevaluatorperformsbothpositiveandnegativetestcasesforeachtypeofrule(e.g.,apacketthatmatchestheruleandanotherthatdoesnotmatchtherule).Theevaluatorobservesviatheaudittrail,andpacketcapturesthattheTOEexhibitedtheexpectedbehavior:appropriatepacketsweredropped,allowedtoflowwithoutmodification,encryptedbytheIPsecimplementation.Test2:Theevaluatorshalldeviseseveralteststhatcoveravarietyofscenariosforpacketprocessing.AswithTest1,theevaluatorensuresbothpositiveandnegativetestcasesareconstructed.ThesescenariosshallexercisetherangeofpossibilitiesforSPDentriesandprocessingmodesasoutlinedintheTSSandoperationalguidance.Potentialareastocoverincluderuleswithoverlappingrangesandconflictingentries,inboundandoutboundpackets,andpacketsthatestablishSAsaswellaspacketsthatbelongtoestablishedSAs.Theevaluatorshallverify,viatheaudittrailandpacketcaptures,foreachscenariothattheexpectedbehaviorisexhibited,andisconsistentwithboththeTSSandtheoperationalguidance.
FCS_IPSEC_EXT.1.2TSSTheevaluatorcheckstheTSStoensureitstatesthatamIPsecVPNcanbeestablishedtooperateintunnelmodeortransportmode(asselected).GuidanceTheevaluatorshallconfirmthattheoperationalguidancecontainsinstructionsonhowtoconfiguretheconnectionineachmodeselected.Ifbothtransportmodeandtunnelmodeareimplemented,theevaluatorshallreviewtheoperationalguidancetodeterminehowtheuseofagivenmodeisspecified.
TestsTheevaluatorshallperformthefollowingtest(s)basedontheselectionschosen:
Test1:(conditional):Iftunnelmodeisselected,theevaluatorusestheoperationalguidancetoconfiguretheTOE/platformtooperateintunnelmodeandalsoconfiguresaVPNpeertooperateintunnelmode.TheevaluatorconfigurestheTOE/platformandtheVPNpeertouseanyoftheallowablecryptographicalgorithms,authenticationmethods,etc.toensureanallowableSAcanbenegotiated.TheevaluatorshalltheninitiateaconnectionfromtheTOE/PlatformtotheVPNpeer.Theevaluatorobserves(forexample,intheaudittrailandthecapturedpackets)thatasuccessfulconnectionwasestablishedusingthetunnelmode.Test2:(conditional):Iftransportmodeisselectted,theevaluatorusestheoperationalguidancetoconfiguretheTOE/platformtooperateintransportmodeandalsoconfiguresaVPNpeertooperateintransportmode.TheevaluatorconfigurestheTOE/platformandtheVPNpeertouseanyoftheallowedcryptographicalgorithms,authenticationmethods,etc.toensureanallowableSAcanbenegotiated.TheevaluatortheninitiatesaconnectionfromtheTOE/platformtoconnecttotheVPNpeer.Theevaluatorobserves(forexample,intheaudittrailandthecapturedpackets)thatasuccessfulconnectionwasestablishedusingthetransportmode.
FCS_IPSEC_EXT.1.3
TSSIfbothtransportmodeandtunnelmodeareimplemented,theevaluatorshallreviewtheoperationalguidancetodeterminehowtheuseofagivenmodeisspecified.
GuidanceTheevaluatorshallcheckthattheoperationalguidanceprovidesinstructionsonhowtoconstructoracquiretheSPDandusestheguidancetoconfiguretheTOEforthefollowingtest.TestsTheevaluatorshallperformthefollowingtest:
Test1::TheevaluatorshallconfiguretheSPDsuchthatithasentriesthatcontainoperationsthatDISCARD,PROTECT,and(ifapplicable)BYPASSnetworkpackets.TheevaluatormayusetheSPDthatwascreatedforverificationofFCS_IPSEC_EXT.1.1.TheevaluatorshallconstructanetworkpacketthatmatchesaBYPASSentryandsendthatpacket.Theevaluatorshouldobservethatthenetworkpacketispassedtotheproperdestinationinterfacewithnomodification.Theevaluatorshallthenmodifyafieldinthepacketheader;suchthatitnolongermatchestheevaluator-createdentries(theremaybea“TOE-created”finalentrythatdiscardspacketsthatdonotmatchanypreviousentries).Theevaluatorsendsthepacket,andobservesthatthepacketwasnotpermittedtoflowtoanyoftheTOE’sinterfaces.
FCS_IPSEC_EXT.1.4TSSTheevaluatorshallexaminetheTSStoverifythatthealgorithmsAES-GCM-128andAES-GCM-256areimplemented.Ifthe"ST"authorhasselectedeitherAES-CBC-128orAES-CBC-256intherequirement,thentheevaluatorverifiestheTSSdescribestheseaswell.Inaddition,theevaluatorensuresthattheSHA-basedHMACalgorithmconformstothealgorithmsspecifiedinFCS_COP.1/KeyHashCryptographicOperations(KeyedHashAlgorithms).
GuidanceTheevaluatorcheckstheoperationalguidancetoensureitprovidesinstructionsonhowtheTOEisconfiguredtousethealgorithmsselectedinthiscomponentandwhetherthisisperformedthroughdirectconfiguration,definedduringinitialinstallation,ordefinedbyacquiringconfigurationsettingsfromanenvironmentalcomponent.Tests
Test1:TheevaluatorshallconfiguretheTOE/platformasindicatedintheoperationalguidanceconfiguringtheTOE/platformtouseeachofthesupportedalgorithms,attempttoestablishaconnectionusingESP,andverifythattheattemptsucceeds.
FCS_IPSEC_EXT.1.5TSSTheevaluatorshallexaminetheTSStoverifythatIKEv1and/orIKEv2areimplemented.IfIKEv1isimplemented,theevaluatorshallverifythattheTSSindicateswhetherornotXAUTHissupported,andthataggressivemodeisnotusedforIKEv1Phase1exchanges(i.e.onlymainmodeisused).Itmaybethattheseareconfigurableoptions.
GuidanceTheevaluatorshallchecktheoperationalguidancetoensureitinstructstheadministratorhowtoconfiguretheTOEtouseIKEv1and/orIKEv2(asselected),andusestheguidancetoconfiguretheTOEtoperformNATtraversalforthetestbelow.IfXAUTHisimplemented,theevaluatorshallverifythattheoperationalguidanceprovidesinstructionsonhowitisenabledordisabled.IftheTOEsupportsIKEv1,theevaluatorshallverifythattheoperationalguidanceeitherassertsthatonlymainmodeisusedforPhase1exchanges,orprovidesinstructionsfordisablingaggressivemode.TestsTestsareperformedinconjunctionwiththeotherIPsecevaluationactivitieswiththeexceptionoftheactivitiesbelow:
Test1::TheevaluatorshallconfiguretheTOEsothatitwillperformNATtraversalprocessingasdescribedintheTSSandRFC7296,section2.23.TheevaluatorshallinitiateanIPsecconnectionanddeterminethattheNATissuccessfullytraversed.IftheTOEsupportsIKEv1withorwithoutXAUTH,theevaluatorshallverifythatthistestcanbesuccessfullyrepeatedwithXAUTHenabledanddisabledinthemannerspecifiedbytheoperationalguidance.IftheTOEonlysupportsIKEv1withXAUTH,theevaluatorshallverifythatconnectionsnotusingXAUTHareunsuccessful.IftheTOEonlysupportsIKEv1withoutXAUTH,theevaluatorshallverifythatconnectionsusingXAUTHareunsuccessful.Test2:(conditional)::IftheTOEsupportsIKEv1,theevaluatorshallperformanyapplicableoperationalguidancestepstodisabletheuseofaggressivemodeandthenattempttoestablishaconnectionusinganIKEv1Phase1connectioninaggressivemode.Thisattemptshouldfail.TheevaluatorshallshowthattheTOEwillrejectaVPNgatewayfrominitiatinganIKEv1Phase1connectioninaggressivemode.Theevaluatorshouldthenshowthatmainmodeexchangesaresupported.
FCS_IPSEC_EXT.1.6
TSSTheevaluatorshallensuretheTSSidentifiesthealgorithmsusedforencryptingtheIKEv1and/orIKEv2payload,andthatthealgorithmsAES-CBC-128,AES-CBC-256arespecified,andifothersarechosenintheselectionoftherequirement,thoseareincludedintheTSSdiscussion.
GuidanceTheevaluatorcheckstheoperationalguidancetoensureitprovidesinstructionsonhowtheTOEisconfiguredtousethealgorithmsselectedinthiscomponentandwhetherthisisperformedthroughdirectconfiguration,definedduringinitialinstallation,ordefinedbyacquiringconfigurationsettingsfromanenvironmentalcomponent.TestsTheevaluatorshallusetheoperationalguidancetoconfiguretheTOE(ortoconfiguretheOperationalEnvironmenttohavetheTOEreceiveconfiguration)toperformthefollowingtestforeachciphersuiteselected:
Test1:TheevaluatorshallconfiguretheTOEtousetheciphersuiteundertesttoencrypttheIKEv1and/orIKEv2payloadandestablishaconnectionwithapeerdevice,whichisconfiguredtoonlyacceptthepayloadencryptedusingtheindicatedciphersuite.Theevaluatorwillconfirmthealgorithmwasthatusedinthenegotiation.Theevaluatorwillconfirmthattheconnectionissuccessfulbyconfirmingthatdatacanbepassedthroughtheconnectiononceitisestablished.Forexample,theevaluatormayconnecttoawebpageontheremotenetworkandverifythatitcanbereached.
FCS_IPSEC_EXT.1.7TSSTherearenoTSSEAsforthisrequirement.GuidanceTheevaluatorshallchecktheoperationalguidancetoensureitprovidesinstructionsonhowtheTOEconfiguresthevaluesforSAlifetimes.Inaddition,theevaluatorshallcheckthattheguidancehastheoptionforeithertheAdministratororVPNGatewaytoconfigurePhase1SAsiftime-basedlimitsaresupported.Currentlytherearenovaluesmandatedforthenumberofpacketsornumberofbytes,theevaluatorshallsimplychecktheoperationalguidancetoensurethatthiscanbeconfiguredifselectedintherequirement.TestsWhentestingthisfunctionality,theevaluatorneedstoensurethatbothsidesareconfiguredappropriately.FromtheRFC“AdifferencebetweenIKEv1andIKEv2isthatinIKEv1SAlifetimeswerenegotiated.InIKEv2,eachendoftheSAisresponsibleforenforcingitsownlifetimepolicyontheSAandrekeyingtheSAwhennecessary.Ifthetwoendshavedifferentlifetimepolicies,theendwiththeshorterlifetimewillendupalwaysbeingtheonetorequesttherekeying.Ifthetwoendshavethesamelifetimepolicies,itispossiblethatbothwillinitiatearekeyingatthesametime(whichwillresultinredundantSAs).Toreducetheprobabilityofthishappening,thetimingofrekeyingrequestsSHOULDbejittered.”EachofthefollowingtestsshallbeperformedforeachversionofIKEselectedintheFCS_IPSEC_EXT.1.5protocolselection:
Test1:(Conditional)::Theevaluatorshallconfigureamaximumlifetimeintermsofthe#ofpackets(orbytes)allowedfollowingtheoperationalguidance.TheevaluatorshallestablishanSAanddeterminethatoncetheallowed#ofpackets(orbytes)throughthisSAisexceeded,theconnectionisclosed.Test2:(Conditional):TheevaluatorshallconstructatestwhereaPhase1SAisestablishedandattemptedtobemaintainedformorethan24hoursbeforeitisrenegotiated.TheevaluatorshallobservethatthisSAisclosedorrenegotiatedin24hoursorless.IfsuchanactionrequiresthattheTOEbeconfiguredinaspecificway,theevaluatorshallimplementtestsdemonstratingthattheconfigurationcapabilityoftheTOEworksasdocumentedintheoperationalguidance.Test3:[conditional]:TheevaluatorshallperformatestsimilartoTest2forPhase2SAs,exceptthatthelifetimewillbe8hoursorlessinsteadof24hoursorless.Test4:[conditional]:IfafixedlimitforIKEv1SAsissupported,theevaluatorshallestablishanSAandobservethattheconnectionisclosedafterthefixedtrafficand/ortimevalueisreached.
FCS_IPSEC_EXT.1.8TSSTheevaluatorshallchecktoensurethattheDHgroupsspecifiedintherequirementarelistedasbeingsupportedintheTSS.IfthereismorethanoneDHgroupsupported,theevaluatorcheckstoensuretheTSSdescribeshowaparticularDHgroupisspecified/negotiatedwithapeer.GuidanceTherearenoAGDEAsforthisrequirement.TestsTheevaluatorshallperformthefollowingtest:
Test1:ForeachsupportedDHgroup,theevaluatorshalltesttoensurethatallsupportedIKEprotocolscanbesuccessfullycompletedusingthatparticularDHgroup.
FCS_IPSEC_EXT.1.9TSS
Theevaluatorshallchecktoensurethat,foreachDHgroupsupported,theTSSdescribestheprocessforgenerating"x"(asdefinedinFCS_IPSEC_EXT.1.9)andeachnonce.TheevaluatorshallverifythattheTSSindicatesthattherandomnumbergeneratedthatmeetstherequirementsinthisEPisused,andthatthelengthof"x"andthenoncesmeetthestipulationsintherequirement.
GuidanceTherearenoAGDEAsforthisrequirement.TestsTherearenotestEAsforthisrequirement.FCS_IPSEC_EXT.1.10EAsforthiselementaretestedthroughEAsforFCS_IPSEC_EXT.1.9.FCS_IPSEC_EXT.1.11TSSTheevaluatorensuresthattheTSSidentifiesRSAand/orECDSAasbeingusedtoperformpeerauthentication.Ifpre-sharedkeysarechosenintheselection,theevaluatorshallchecktoensurethattheTSSdescribeshowpre-sharedkeysareestablishedandusedinauthenticationofIPsecconnections.ThedescriptionintheTSSshallalsoindicatehowpre-sharedkeyestablishmentisaccomplisheddependingonwhethertheTSFcangenerateapre-sharedkey,acceptapre-sharedkey,orboth.TheevaluatorshallensurethattheTSSdescribeshowtheTOEcomparesthepeer’spresentedidentifiertothereferenceidentifier.ThisdescriptionshallincludewhetherthecertificatepresentedidentifieriscomparedtotheIDpayloadpresentedidentifier,whichfield(s)ofthecertificateareusedasthepresentedidentifier(DN,CommonName,orSAN)and,ifmultiplefieldsaresupported,thelogicalordercomparison.IftheSTauthorassignedanadditionalidentifiertype,theTSSdescriptionshallalsoincludeadescriptionofthattypeandthemethodbywhichthattypeiscomparedtothepeer’spresentedcertificate.
GuidanceTheevaluatorshallcheckthattheoperationalguidancedescribeshowpre-sharedkeysaretobegeneratedandestablished.TheevaluatorensurestheoperationalguidancedescribeshowtosetuptheTOEtousethecryptographicalgorithmsRSAand/orECDSA.InordertoconstructtheenvironmentandconfiguretheTOEforthefollowingtests,theevaluatorwillensurethattheoperationalguidancealsodescribeshowtoconfiguretheTOEtoconnecttoatrustedCA,andensureavalidcertificateforthatCAisloadedintotheTOEasatrustedCA.Theevaluatorshallalsoensurethattheoperationalguidanceincludestheconfigurationofthereferenceidentifier(s)forthepeer.
TestsForefficiency’ssake,thetestingthatisperformedherehasbeencombinedwiththetestingforFIA_X509_EXT.2andFIA_X509_EXT.3(forIPsecconnectionsanddependingontheBase-PP),FCS_IPSEC_EXT.1.12,andFCS_IPSEC_EXT.1.13.ThefollowingtestsshallberepeatedforeachpeerauthenticationprotocolselectedintheFCS_IPSEC_EXT.1.11selectionabove:
Test1::TheevaluatorshallhavetheTOEgenerateapublic-privatekeypair,andsubmitaCSR(CertificateSigningRequest)toaCA(trustedbyboththeTOEandthepeerVPNusedtoestablishaconnection)foritssignature.ThevaluesfortheDN(CommonName,Organization,OrganizationalUnit,andCountry)willalsobepassedintherequest.Alternatively,theevaluatormayimporttotheTOEapreviouslygeneratedprivatekeyandcorrespondingcertificate.Test2:TheevaluatorshallconfiguretheTOEtouseaprivatekeyandassociatedcertificatesignedbyatrustedCAandshallestablishanIPsecconnectionwiththepeer.Test3:TheevaluatorshalltestthattheTOEcanproperlyhandlerevokedcertificates–conditionalonwhetherCRLorOCSPisselected;ifbothareselected,andthenatestisperformedforeachmethod.ForthiscurrentversionofthePP-Module,theevaluatorhastoonlytestoneupinthetrustchain(futuredraftsmayrequiretoensurethevalidationisdoneuptheentirechain).Theevaluatorshallensurethatavalidcertificateisused,andthattheSAisestablished.Theevaluatorthenattemptsthetestwithacertificatethatwillberevoked(foreachmethodchosenintheselection)toensurewhenthecertificateisnolongervalidthattheTOEwillnotestablishanSA.Test4:[conditional]:Theevaluatorshallgenerateapre-sharedkeyanduseit,asindicatedintheoperationalguidance,toestablishanIPsecconnectionwiththeVPNGWpeer.Ifthegenerationofthepre-sharedkeyissupported,theevaluatorshallensurethatestablishmentofthekeyiscarriedoutforaninstanceoftheTOEgeneratingthekeyaswellasaninstanceoftheTOEmerelytakinginandusingthekey.Foreachsupportedidentifiertype(excludingDNs),theevaluatorshallrepeatthefollowingtests:
Test5:Foreachfieldofthecertificatesupportedforcomparison,theevaluatorshallconfigurethepeer’sreferenceidentifierontheTOE(pertheadministrativeguidance)to
matchthefieldinthepeer’spresentedcertificateandshallverifythattheIKEauthenticationsucceeds.Test6:Foreachfieldofthecertificatesupportforcomparison,theevaluatorshallconfigurethepeer’sreferenceidentifierontheTOE(pertheadministrativeguidance)tonotmatchthefieldinthepeer’spresentedcertificateandshallverifythattheIKEauthenticationfails.Thefollowingtestsareconditional:Test7:[conditional]:If,accordingtotheTSS,theTOEsupportsbothCommonNameandSANcertificatefieldsandusesthepreferredlogicoutlinedintheApplicationNote,thetestsabovewiththeCommonNamefieldshallbeperformedusingpeercertificateswithnoSANextension.Additionally,theevaluatorshallconfigurethepeer’sreferenceidentifierontheTOEtonotmatchtheSANinthepeer’spresentedcertificatebuttomatchtheCommonNameinthepeer’spresentedcertificate,andverifythattheIKEauthenticationfails.Test8:[conditional]:IftheTOEsupportsDNidentifiertypes,theevaluatorshallconfigurethepeer'sreferenceidentifierontheTOE(pertheadministrativeguidance)tomatchthesubjectDNinthepeer'spresentedcertificateandshallverifythattheIKEauthenticationsucceeds.Todemonstrateabit-wisecomparisonoftheDN,theevaluatorshallchangeasinglebitintheDN(preferably,inanObjectIdentifier(OID)intheDN)andverifythattheIKEauthenticationfails.TodemonstrateacomparisonofDNvalues,theevaluatorshallchangeanyoneofthefourDNvaluesandverifythattheIKEauthenticationfails.Test9:[conditional]:IftheTOEsupportsbothIPv4andIPv6andsupportsIPaddressidentifiertypes,theevaluatormustrepeattest1and2withbothIPv4addressidentifiersandIPv6identifiers.Additionally,theevaluatorshallverifythattheTOEverifiesthattheIPheadermatchestheidentifiersbysettingthepresentedidentifiersandthereferenceidentifierwiththesameIPaddressthatdiffersfromtheactualIPaddressofthepeerintheIPheadersandverifyingthattheIKEauthenticationfails.Test10:[conditional]:If,accordingtotheTSS,theTOEperformscomparisonsbetweenthepeer’sIDpayloadandthepeer’scertificate,theevaluatorshallrepeatthefollowingtestforeachcombinationofsupportedidentifiertypesandsupportedcertificatefields(asabove).TheevaluatorshallconfigurethepeertopresentadifferentIDpayloadthanthefieldinthepeer’spresentedcertificateandverifythattheTOEfailstoauthenticatetheIKEpeer.
FCS_IPSEC_EXT.1.12EAsforthiselementaretestedthroughEAsforFCS_IPSEC_EXT.1.11.FCS_IPSEC_EXT.1.13EAsforthiselementaretestedthroughEAsforFCS_IPSEC_EXT.1.11.FCS_IPSEC_EXT.1.14TSSTheevaluatorshallcheckthattheTSSdescribesthepotentialstrengths(intermsofthenumberofbitsinthesymmetrickey)ofthealgorithmsthatareallowedfortheIKEandESPexchanges.TheTSSshallalsodescribethechecksthataredonewhennegotiatingIKEv1Phase2and/orIKEv2CHILD_SAsuitestoensurethatthestrength(intermsofthenumberofbitsofkeyinthesymmetricalgorithm)ofthenegotiatedalgorithmislessthanorequaltothatoftheIKESAthisisprotectingthenegotiation.GuidanceTherearenoAGDEAsforthisrequirement.TestsTheevaluatorfollowstheguidancetoconfiguretheTOEtoperformthefollowingtests:
Test1:ThistestshallbeperformedforeachversionofIKEsupported.TheevaluatorshallsuccessfullynegotiateanIPsecconnectionusingeachofthesupportedalgorithmsandhashfunctionsidentifiedintherequirements.Test2:[conditional]:ThistestshallbeperformedforeachversionofIKEsupported.TheevaluatorshallattempttoestablishanSAforESPthatselectsanencryptionalgorithmwithmorestrengththanthatbeingusedfortheIKESA(i.e.,symmetricalgorithmwithakeysizelargerthanthatbeingusedfortheIKESA).Suchattemptsshouldfail.Test3:ThistestshallbeperformedforeachversionofIKEsupported.TheevaluatorshallattempttoestablishanIKESAusinganalgorithmthatisnotoneofthesupportedalgorithmsandhashfunctionsidentifiedintherequirements.Suchanattemptshouldfail.Test4::ThistestshallbeperformedforeachversionofIKEsupported.TheevaluatorshallattempttoestablishanSAforESP(assumestheproperparameterswhereusedtoestablishtheIKESA)thatselectsanencryptionalgorithmthatisnotidentifiedinFCS_IPSEC_EXT.1.4.Suchanattemptshouldfail.
B.3IdentificationandAuthentication(FIA)
FIA_PMG_EXT.1PasswordManagement
Theinclusionofthisselection-basedcomponentdependsuponaselectioninFIA_UAU.5.1.
FIA_PMG_EXT.1.1TheTSFshallprovidethefollowingpasswordmanagementcapabilitiesforadministrativepasswords:
a. Passwordsshallbeabletobecomposedofanycombinationofupperandlowercasecharacters,digits,andthefollowingspecialcharacters:[selection:“!”,“@”,“#”,“$”,“%”,“^”,“&”,“*”,“(“,“)”,[assignment:othercharacters]]
b. Minimumpasswordlengthshallbeconfigurablec. Passwordsofatleast15charactersinlengthshallbesupported
ApplicationNote:ThisSFRisincludedintheSTiftheSTAuthorselects‘authenticationbasedonusernameandpassword’inFIA_UAU.5.1.
TheSTauthorselectsthespecialcharactersthataresupportedbytheTOE;theymayoptionallylistadditionalspecialcharacterssupportedusingtheassignment.“Administrativepasswords”referstopasswordsusedbyadministratorstogainaccesstotheManagementSubsystem.
EvaluationActivities
FIA_PMG_EXT.1:GuidanceTheevaluatorshallexaminetheoperationalguideancetodeterminethatitprovidesguidancetosecurityadministratorsinthecompositionofstrongpasswords,andthatitprovidesinstructionsonsettingtheminimumpasswordlength.TestsTheevaluatorshallalsoperformthefollowingtests.Notethatoneormoreofthesetestsmaybeperformedwithasingletestcase.
Test1:Theevaluatorshallcomposepasswordsthateithermeettherequirements,orfailtomeettherequirements,insomeway.Foreachpassword,theevaluatorshallverifythattheTOEsupportsthepassword.Whiletheevaluatorisnotrequired(norisitfeasible)totestallpossiblecombinationsofpasswords,theevaluatorshallensurethatallcharacters,rulecharacteristics,andaminimumlengthlistedintherequirementaresupported,andjustifythesubsetofthosecharacterschosenfortesting.
FIA_X509_EXT.1X.509CertificateValidation
Theinclusionofthisselection-basedcomponentdependsuponaselectioninFPT_TUD_EXT.1.3,FIA_UAU.5.1,FTP_ITC_EXT.1.1,FTP_ITC_EXT.1.1,FTP_ITC_EXT.1.1.
FIA_X509_EXT.1.1TheTSFshallvalidatecertificatesinaccordancewiththefollowingrules:
RFC5280certificatevalidationandcertificatepathvalidationThecertificatepathmustterminatewithatrustedcertificateTheTOEshallvalidateacertificatepathbyensuringthepresenceofthebasicConstraintsextension,thattheCAflagissettoTRUEforallCAcertificates,andthatanypathconstraintsaremet.TheTSFshallvalidatethatanyCAcertificateincludescaSigningpurposeinthekeyusagefieldTheTSFshallvalidaterevocationstatusofthecertificateusing[selection:OCSPasspecifiedinRFC6960,aCRLasspecifiedinRFC5759,anOCSPTLSStatusRequestExtension(OCSPstapling)asspecifiedinRFC6066,OCSPTLSMulti-CertificateStatusRequestExtension(i.e.,OCSPMulti-Stapling)asspecifiedinRFC6961].TheTSFshallvalidatetheextendedKeyUsagefieldaccordingtothefollowingrules:
CertificatesusedfortrustedupdatesandexecutablecodeintegrityverificationshallhavetheCodeSigningPurpose(id-kp3withOID1.3.6.1.5.5.7.3.3)intheextendedKeyUsagefield.ServercertificatespresentedforTLSshallhavetheServerAuthenticationpurpose(id-kp1withOID1.3.6.1.5.5.7.3.1)intheextendedKeyUsagefield.ClientcertificatespresentedforTLSshallhavetheClientAuthenticationpurpose(id-kp2withOID1.3.6.1.5.5.7.3.2)intheEKUfield.OCSPcertificatespresentedforOCSPresponsesshallhavetheOCSPSigningPurpose(id-kp9withOID1.3.6.1.5.5.7.3.9)intheEKUfield.
ApplicationNote:ThisSFRmustbeincludedintheSTiftheselectionfor
FPT_TUD_EXT.1.3is“digitalsignaturemechanism,”oriftheselectionforFTP_ITC_EXT.1includes“IPsec,”“TLS,”or“TLS/HTTPS.”
FIA_X509_EXT.1.1liststherulesforvalidatingcertificates.TheSTauthorshallselectwhetherrevocationstatusisverifiedusingOCSPorCRLs.FIA_X509_EXT.2requiresthatcertificatesareusedforIPsec;thisuserequiresthattheextendedKeyUsagerulesareverified.CertificatesmayoptionallybeusedforSSH,TLS,andHTTPsand,ifimplemented,mustbevalidatedtocontainthecorrespondingextendedKeyUsage.
OCSPstaplingandOCSPmulti-staplingsupportonlyTLSservercertificatevalidation.Ifothercertificatetypesarevalidated,eitherOCSPorCRLmustbeclaimed.IfOCSPisnotsupportedtheEKUprovisionforcheckingtheOCSPSigningpurposeismetbydefault.
RegardlessoftheselectionofTSForTOEplatform,thevalidationmustresultinatrustedrootCAcertificateinarootstoremanagedbytheplatform.
FIA_X509_EXT.1.2TheTSFshallonlytreatacertificateasaCAcertificateifthebasicConstraintsextensionispresentandtheCAflagissettoTRUE.
ApplicationNote:ThisrequirementappliestocertificatesthatareusedandprocessedbytheTSFandrestrictsthecertificatesthatmaybeaddedastrustedCAcertificates.
EvaluationActivities
FIA_X509_EXT.1:TSSTheevaluatorshallensuretheTSSdescribeswherethecheckofvalidityofthecertificatestakesplace.TheevaluatorensurestheTSSalsoprovidesadescriptionofthecertificatepathvalidationalgorithm.
TheevaluatorshallexaminetheTSStoconfirmthatitdescribesthebehavioroftheTOEwhenaconnectioncannotbeestablishedduringthevaliditycheckofacertificateusedinestablishingatrustedchannel.Iftherequirementthattheadministratorisabletospecifythedefaultaction,thentheevaluatorshallensurethattheoperationalguidancecontainsinstructionsonhowthisconfigurationactionisperformed.TestsThetestsdescribedmustbeperformedinconjunctionwiththeotherCertificateServicesassuranceactivities,includingtheuseslistedinFIA_X509_EXT.2.1.ThetestsfortheextendedKeyUsagerulesareperformedinconjunctionwiththeusesthatrequirethoserules.
Test1:Theevaluatorshalldemonstratethatvalidatingacertificatewithoutavalidcertificationpathresultsinthefunctionfailing,foreachofthefollowingreasons,inturn:
byestablishingacertificatepathinwhichoneoftheissuingcertificatesisnotaCAcertificate,byomittingthebasicConstraintsfieldinoneoftheissuingcertificates,bysettingthebasicConstraintsfieldinanissuingcertificatetohaveCA=False,byomittingtheCAsigningbitofthekeyusagefieldinanissuingcertificate,andbysettingthepathlengthfieldofavalidCAfieldtoavaluestrictlylessthanthecertificatepath.
TheevaluatorshallthenestablishavalidcertificatepathconsistingofvalidCAcertificates,anddemonstratethatthefunctionsucceeds.TheevaluatorshallthenremovetrustinoneoftheCAcertificates,andshowthatthefunctionfails.Test2:Theevaluatorshalldemonstratethatvalidatinganexpiredcertificateresultsinthefunctionfailing.Test3:TheevaluatorshalltestthattheTOEcanproperlyhandlerevokedcertificates–conditionalonwhetherCRL,OCSP,OCSPstapling,orOCSPmulti-staplingisselected;ifmultiplemethodsareselected,andthenatestisperformedforeachmethod.Theevaluatorhastoonlytestoneupinthetrustchain(futurerevisionsmayrequiretoensurethevalidationisdoneuptheentirechain).Theevaluatorshallensurethatavalidcertificateisused,andthatthevalidationfunctionsucceeds.Theevaluatorshallthenattemptthetestwithacertificatethatwillberevoked(foreachmethodchosenintheselection)andverifythatthevalidationfunctionfails.Test4:IfanyOCSPoptionisselected,theevaluatorshallconfiguretheOCSPserveroruseaman-in-the-middletooltopresentacertificatethatdoesnothavetheOCSPsigningpurposeandverifythatvalidationoftheOCSPresponsefails.IfCRLisselected,theevaluatorshallconfiguretheCAtosignaCRLwithacertificatethatdoesnothavethecRLsignkeyusagebitsetandverifythatvalidationoftheCRLfails.Test5:(ConditionalonsupportforECcertificatesasindicatedinFCS_COP.1/SIG).The
evaluatorshallestablishavalid,trustedcertificatechainconsistingofanECleafcertificate,anECIntermediateCAcertificatenotdesignatedasatrustanchor,andanECcertificatedesignatedasatrustedanchor,wheretheellipticcurveparametersarespecifiedasanamedcurve.TheevaluatorshallconfirmthattheTOEvalidatesthecertificatechain..Test6:(ConditionalonsupportforECcertificatesasindicatedinFCS_COP.1/SIG).TheevaluatorshallreplacetheintermediatecertificateinthecertificatechainforTest5withamodifiedcertificate,wherethemodifiedintermediateCAhasapublickeyinformationfieldwheretheECparametersusesanexplicitformatversionoftheEllipticCurveparametersinthepublickeyinformationfieldoftheintermediateCAcertificatefromTest5,andthemodifiedIntermediateCAcertificateissignedbythetrustedECrootCA,buthavingnootherchanges.TheevaluatorshallconfirmtheTOEtreatsthecertificateasinvalid.
FIA_X509_EXT.2X.509CertificateAuthentication
Theinclusionofthisselection-basedcomponentdependsuponaselectioninFPT_TUD_EXT.1.3,FIA_UAU.5.1,FTP_ITC_EXT.1.1,FTP_ITC_EXT.1.1,FTP_ITC_EXT.1.1.
FIA_X509_EXT.2.1TheTSFshalluseX.509v3certificatesasdefinedbyRFC5280tosupportauthenticationfor[selection:IPsec,TLS,HTTPS,SSH],and[selection:codesigningforsystemsoftwareupdates,codesigningforintegrityverification,[assignment:otheruses],noadditionaluses]
ApplicationNote:ThisSFRmustbeincludedintheSTiftheselectionforFPT_TUD_EXT.1.3is“digitalsignaturemechanismusingcertificates,”oriftheselectionforFTP_ITC_EXT.1.1includes“IPsec,”“TLS,”or“TLS/HTTPS,”orifFIA_UAUrequiresauthenticationusingX.509certificates.
FIA_X509_EXT.2.2WhentheTSFcannotestablishaconnectiontodeterminethevalidityofacertificate,theTSFshall[selection:allowtheadministratortochoosewhethertoacceptthecertificateinthesecases,acceptthecertificate,notacceptthecertificate].
ApplicationNote:Oftenaconnectionmustbeestablishedtochecktherevocationstatusofacertificate-eithertodownloadaCRLortoperformalookupusingOCSP.Theselectionisusedtodescribethebehaviorintheeventthatsuchaconnectioncannotbeestablished(forexample,duetoanetworkerror).IftheTOEhasdeterminedthecertificatevalidaccordingtoallotherrulesinFIA_X509_EXT.1,thebehaviorindicatedintheselectionshalldeterminethevalidity.TheTOEmustnotacceptthecertificateifitfailsanyoftheothervalidationrulesinFIA_X509_EXT.1.Iftheadministrator-configuredoptionisselectedbytheSTAuthor,theSTAuthormustensurethatthisisalsodefinedasamanagementfunctionthatisprovidedbytheTOE.
EvaluationActivities
FIA_X509_EXT.2:TSSTheevaluatorshallchecktheTSStoensurethatitdescribeshowtheTOEchooseswhichcertificatestouse,andanynecessaryinstructionsintheadministrativeguidanceforconfiguringtheoperatingenvironmentsothattheTOEcanusethecertificates.
TheevaluatorshallexaminetheTSStoconfirmthatitdescribesthebehavioroftheTOEwhenaconnectioncannotbeestablishedduringthevaliditycheckofacertificateusedinestablishingatrustedchannel.Iftherequirementthattheadministratorisabletospecifythedefaultaction,thentheevaluatorshallensurethattheoperationalguidancecontainsinstructionsonhowthisconfigurationactionisperformed.TestsTheevaluatorshallperformTest1foreachfunctionlistedinFIA_X509_EXT.2.1thatrequirestheuseofcertificates:
Test1:Theevaluatorshalldemonstratethatusingacertificatewithoutavalidcertificationpathresultsinthefunctionfailing.Usingtheadministrativeguidance,theevaluatorshallthenloadacertificateorcertificatesneededtovalidatethecertificatetobeusedinthefunction,anddemonstratethatthefunctionsucceeds.Theevaluatorthenshalldeleteoneofthecertificates,andshowthatthefunctionfails.Test2:Theevaluatorshalldemonstratethatusingavalidcertificatethatrequirescertificatevalidationcheckingtobeperformedinatleastsomepartbycommunicatingwithanon-TOEITentity.TheevaluatorshallthenmanipulatetheenvironmentsothattheTOEisunabletoverifythevalidityofthecertificate,andobservethattheactionselectedin
FIA_X509_EXT.2.2isperformed.Iftheselectedactionisadministrator-configurable,thentheevaluatorshallfollowtheoperationalguidancetodeterminethatallsupportedadministrator-configurableoptionsbehaveintheirdocumentedmanner.
B.4ProtectionoftheTSF(FPT)
FPT_TUD_EXT.2TrustedUpdateBasedonCertificates
Theinclusionofthisselection-basedcomponentdependsuponaselectioninFPT_TUD_EXT.1.3,FIA_X509_EXT.2.1.
FPT_TUD_EXT.2.1TheTSFshallnotinstallanupdateifthecodesigningcertificateisdeemedinvalid.
ApplicationNote:Certificatesmayoptionallybeusedforcodesigningofsystemsoftwareupdates(FPT_TUD_EXT.1.3).ThiselementmustbeincludedintheSTifcertificatesareusedforvalidatingupdates.If“codesigningforsystemsoftwareupdates”isselectedinFIA_X509_EXT.2.1,FPT_TUD_EXT.2mustbeincludedintheST.
Validityisdeterminedbythecertificatepath,theexpirationdate,andtherevocationstatusinaccordancewithFIA_X509_EXT.1.
EvaluationActivities
FPT_TUD_EXT.2:TestsTheassuranceactivityforthisrequirementisperformedinconjunctionwiththeassuranceactivityforFIA_X509_EXT.1andFIA_X509_EXT.2.
B.5TrustedPath/Channel(FTP)
FTP_TRP.1TrustedPath
Theinclusionofthisselection-basedcomponentdependsuponaselectionin.
FTP_TRP.1.1TheTSFshalluseatrustedchannelasspecifiedinFTP_ITC_EXT.1toprovideatrustedcommunicationpathbetweenitselfand[remote]administratorsthatislogicallydistinctfromothercommunicationpathsandprovidesassuredidentificationofitsendpointsandprotectionofthecommunicateddatafrom[modification,disclosure].
FTP_TRP.1.2TheTSFshallpermitremoteadministratorstoinitiatecommunicationviathetrustedpath.
FTP_TRP.1.3TheTSFshallrequiretheuseofthetrustedpathfor[[allremoteadministrationactions]].
ApplicationNote:ThisSFRisincludedintheSTif"remote"isselectedinFMT_MOF_EXT.1.1oftheclientorserverPP-Module.
ProtocolsusedtoimplementtheremoteadministrationtrustedchannelmustbeselectedinFTP_ITC_EXT.1.
ThisrequirementensuresthatauthorizedremoteadministratorsinitiateallcommunicationwiththeTOEviaatrustedpath,andthatallcommunicationswiththeTOEbyremoteadministratorsisperformedoverthispath.Thedatapassedinthistrustedcommunicationchannelareencryptedasdefinedtheprotocolchoseninthefirstselection.TheSTauthorchoosesthemechanismormechanismssupportedbytheTOE,andthenensuresthatthedetailedrequirementsinAppendixBcorrespondingtotheirselectionarecopiedtotheSTifnotalreadypresent.
EvaluationActivities
FTP_TRP.1:TSSTheevaluatorshallexaminetheTSStodeterminethatthemethodsofremoteTOEadministrationareindicated,alongwithhowthosecommunicationsareprotected.TheevaluatorshallalsoconfirmthatallprotocolslistedintheTSSinsupportofTOEadministrationareconsistentwiththosespecifiedintherequirement,andareincludedintherequirementsintheST.GuidanceTheevaluatorshallconfirmthattheoperationalguidancecontainsinstructionsforestablishingtheremoteadministrativesessionsforeachsupportedmethod.TestsTheevaluatorshallalsoperformthefollowingtests:
Test1:Theevaluatorsshallensurethatcommunicationsusingeachspecified(intheoperationalguidance)remoteadministrationmethodistestedduringthecourseoftheevaluation,settinguptheconnectionsasdescribedintheoperationalguidanceandensuringthatcommunicationissuccessful.Test2:Foreachmethodofremoteadministrationsupported,theevaluatorshallfollowtheoperationalguidancetoensurethatthereisnoavailableinterfacethatcanbeusedbyaremoteusertoestablishremoteadministrativesessionswithoutinvokingthetrustedpath.Test3:Theevaluatorshallensure,foreachmethodofremoteadministration,thechanneldataisnotsentinplaintext.Test4:Theevaluatorshallensure,foreachmethodofremoteadministration,modificationofthechanneldataisdetectedbytheTOE.
Furtherassuranceactivitiesareassociatedwiththespecificprotocols.
AppendixC-ExtendedComponentDefinitionsThisappendixcontainsthedefinitionsforallextendedrequirementsspecifiedinthePP.
C.1ExtendedComponentsTableAllextendedcomponentsspecifiedinthePParelistedinthistable:
Table8:ExtendedComponentDefinitionsFunctionalClass FunctionalComponents
SecurityAudit(FAU) FAU_STG_EXTOff-LoadingofAuditData
SecurityAudit(FAU) FAU_FAK_EXTFakeAuditData
CryptographicSupport(FCS) FCS_CKM_EXTCryptographicKeyManagement
CryptographicSupport(FCS) FCS_ENT_EXTEntropyforVirtualMachines
CryptographicSupport(FCS) FCS_HTTPS_EXTHTTPSProtocol
CryptographicSupport(FCS) FCS_IPSEC_EXTIPsecProtocol
CryptographicSupport(FCS) FCS_RBG_EXTCryptographicOperation(RandomBitGeneration)
UserDataProtection(FDP) FDP_HBI_EXTHardware-BasedIsolationMechanisms
UserDataProtection(FDP) FDP_PPR_EXTPhysicalPlatformResourceControls
UserDataProtection(FDP) FDP_RIP_EXTResidualInformationinMemory
UserDataProtection(FDP) FDP_VMS_EXTVMSeparation
UserDataProtection(FDP) FDP_VNC_EXTVirtualNetworkingComponents
IdentificationandAuthentication(FIA)
FIA_AFL_EXTAuthenticationFailureHandling
IdentificationandAuthentication(FIA)
FIA_PMG_EXTPasswordManagement
IdentificationandAuthentication(FIA)
FIA_UIA_EXTAdministratorIdentificationandAuthentication
IdentificationandAuthentication(FIA)
FIA_X509_EXTX.509Certificate
SecurityManagement(FMT) FMT_MSA_EXTDefaultDataSharingConfiguration
SecurityManagement(FMT) FMT_SMO_EXTSeparationofManagementandOperationalNetworks
ProtectionoftheTSF(FPT) FPT_DDI_EXTDeviceDriverIsolation
ProtectionoftheTSF(FPT) FPT_DVD_EXTNon-ExistenceofDisconnectedVirtualDevices
ProtectionoftheTSF(FPT) FPT_EEM_EXTExecutionEnvironmentMitigations
ProtectionoftheTSF(FPT) FPT_GVI_EXTGuestVMIntegrity
ProtectionoftheTSF(FPT) FPT_HAS_EXTHardwareAssists
ProtectionoftheTSF(FPT) FPT_HCL_EXTHypercallControls
ProtectionoftheTSF(FPT) FPT_IDV_EXTSoftwareIdentificationandVersions
ProtectionoftheTSF(FPT) FPT_INT_EXTSupportforIntrospection
ProtectionoftheTSF(FPT) FPT_ML_EXTMeasuredLaunchofPlatformandVMM
ProtectionoftheTSF(FPT) FPT_RDM_EXTRemovableDevicesandMedia
ProtectionoftheTSF(FPT) FPT_TUD_EXTTrustedUpdates
ProtectionoftheTSF(FPT) FPT_VDP_EXTVirtualDeviceParameters
ProtectionoftheTSF(FPT) FPT_VIV_EXTVMMIsolationfromVMs
ProtectionoftheTSF(FPT) FPT_VIV_EXTVMMIsolationfromVMs
TrustedPath/Channel(FTP) FTP_ITC_EXTTrustedChannelCommunications
TrustedPath/Channel(FTP) FTP_UIF_EXTUserInterface
C.2ExtendedComponentDefinitions
FAU_STG_EXTOff-LoadingofAuditData
FamilyBehaviorThisfamilydefinesrequirementsfortheTSFtobeabletosecurelytransmitauditdatabetweentheTOEandanexternalITentity.FAU_STG_EXT FAU_STG_EXT.1
ComponentLevelingFAU_STG_EXT.1,Off-LoadingofAuditData,requirestheTSFtotransmitauditdatausingatrustedchanneltoanoutsideentityandtospecifytheactiontobetakenwhenlocalauditstorageisfull.
Management:FAU_STG_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. Abilitytoconfigureandmanagetheauditsystemandauditdata.
Audit:FAU_STG_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. Failureofauditdatacaptureduetolackofdiskspaceorpre-definedlimit.b. Onfailureofloggingfunction,capturerecordoffailureandrecorduponrestartofloggingfunction.
FAU_STG_EXT.1Off-LoadingofAuditDataHierarchicalto:Noothercomponents.Dependenciesto:FAU_GEN.1AuditDataGenerationFTP_ITC_EXT.1TrustedChannelCommunications
FAU_STG_EXT.1.1
TheTSFshallbeabletotransmitthegeneratedauditdatatoanexternalITentityusingatrustedchannelasspecifiedinFTP_ITC_EXT.1.
FAU_STG_EXT.1.2
TheTSFshall[selection:dropnewauditdata,overwritepreviousauditrecordsaccordingtothefollowingrule:[assignment:ruleforoverwritingpreviousauditrecords],[assignment:otheraction]]whenthelocalstoragespaceforauditdataisfull.
FAU_FAK_EXTFakeAuditData
FamilyBehaviorThisfamilydefinesrequirementsthataretotallyfake.FAU_FAK_EXT FAU_FAK_EXT.1
ComponentLevelingFAU_FAK_EXT.1,FakeAuditReview,requirestheTSFtotransmitfakeauditdatausingacup-and-stringtrustedchanneltoanoutsideentityandtospecifytheactiontobetakenwhenlocalauditstorageisoverflown.
Management:FAU_FAK_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFAU:
a. Abilitytoconfigureandmanagethefakeauditsystemandauditdata.
Audit:FAU_FAK_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. Failureoffakeauditdatacaptureduetolackofdiskspaceorpre-definedlimit.b. Onfailureofloggingfunction,capturerecordoffailureandrecorduponrestartofloggingfunction.
FAU_FAK_EXT.1FakeAuditReviewHierarchicalto:Noothercomponents.Dependenciesto:FAU_GEN.1AuditDataGenerationFTP_ITC_EXT.1TrustedChannelCommunications
FAU_FAK_EXT.1.1
FCS_CKM_EXTCryptographicKeyManagement
FamilyBehaviorThisfamilydefinesrequirementsformanagementofcryptographickeys.FCS_CKM_EXT FCS_CKM_EXT.4
ComponentLevelingFCS_CKM_EXT.4,CryptographicKeyDestruction,requirestheTSFtodestroyormakeunrecoverableemptykeysinvolatileandnon-volatilememory.Notethatcomponentlevel4isusedherebecauseofthiscomponent’ssimilaritytotheCCPart2componentFCS_CKM.4.
Management:FCS_CKM_EXT.4Thefollowingactionscouldbeconsideredforthemanagementfunctionsin0FMT:
a. Managingthecryptographicfunctionality.
Audit:FCS_CKM_EXT.4Therearenoauditableeventsforeseen.
FCS_CKM_EXT.4CryptographicKeyDestructionHierarchicalto:Noothercomponents.Dependenciesto:[FCS_CKM.1CryptographicKeyGeneration,orFCS_CKM.2CryptographicKeyDistribution]
FCS_CKM_EXT.4.1
TheTSFshallcausedisusedcryptographickeysinvolatilememorytobedestroyedorrenderedunrecoverable.
FCS_CKM_EXT.4.2
TheTSFshallcausedisusedcryptographickeysinnon-volatilestoragetobedestroyedorrenderedunrecoverable.
FCS_ENT_EXTEntropyforVirtualMachines
FamilyBehaviorThisfamilydefinesrequirementsforavailabilityofentropydatageneratedorcollectedbytheTSF.FCS_ENT_EXT FCS_ENT_EXT.1
ComponentLevelingFCS_ENT_EXT.1,Extended:EntropyforVirtualMachines,requirestheTSFtoprovideentropydatatoVMsinaspecifiedmanner.
Management:FCS_ENT_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FCS_ENT_EXT.1Therearenoauditableeventsforeseen.
FCS_ENT_EXT.1Extended:EntropyforVirtualMachinesHierarchicalto:Noothercomponents.Dependenciesto:FCS_RBG_EXT.1CryptographicOperation(RandomBitGeneration)
FCS_ENT_EXT.1.1
TheTSFshallprovideamechanismtomakeavailabletoVMsentropythatmeetsFCS_RBG_EXT.1through[selection:Hypercallinterface,virtualdeviceinterface,passthroughaccesstohardwareentropysource].
FCS_ENT_EXT.1.2
TheTSFshallprovideindependententropyacrossmultipleVMs.
FCS_HTTPS_EXTHTTPSProtocol
FamilyBehaviorThisfamilydefinesrequirementsforprotectingremotemanagementsessionsbetweentheTOEandaSecurityAdministrator.ThisfamilydescribeshowHTTPSwillbeimplemented.FCS_HTTPS_EXT FCS_HTTPS_EXT.1
ComponentLevelingFCS_HTTPS_EXT.1,HTTPSProtocol,definesrequirementsfortheimplementationoftheHTTPSprotocol.
Management:FCS_HTTPS_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FCS_HTTPS_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. FailuretoestablishanHTTPSsession.b. Establishment/terminationofanHTTPSsession.
FCS_HTTPS_EXT.1HTTPSProtocolHierarchicalto:Noothercomponents.Dependenciesto:[FCS_TLSC_EXT.1TLSClientProtocol,orFCS_TLSC_EXT.2TLSClientProtocolwithMutualAuthentication,orFCS_TLSS_EXT.1TLSServerProtocol,orFCS_TLSS_EXT.2TLSServerProtocolwithMutualAuthentication]
FCS_HTTPS_EXT.1.1
TheTSFshallimplementtheHTTPSprotocolthatcomplieswithRFC2818.
FCS_HTTPS_EXT.1.2
TheTSFshallimplementHTTPSusingTLS.
FCS_IPSEC_EXTIPsecProtocol
FamilyBehaviorThisfamilydefinesrequirementsforprotectingcommunicationsusingIPsec.FCS_IPSEC_EXT FCS_IPSEC_EXT.1
ComponentLevelingFCS_IPSEC_EXT.1,IPsecProtocol,requiresthatIPsecbeimplementedasspecified.
Management:FCS_IPSEC_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. Managingthecryptographicfunctionality.
Audit:FCS_IPSEC_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. FailuretoestablishanIPsecSA.b. Establishment/TerminationofanIPsecSA.
FCS_IPSEC_EXT.1IPsecProtocolHierarchicalto:Noothercomponents.Dependenciesto:FCS_CKM.1CryptographicKeyGenerationFCS_CKM.2CryptographicKeyEstablishmentFCS_COP.1CryptographicOperationFCS_RBG_EXT.1CryptographicOperation(RandomBitGeneration)FIA_X509_EXT.1X.509CertificateValidation
FCS_IPSEC_EXT.1.1
TheTSFshallimplementtheIPsecarchitectureasspecifiedinRFC4301.
FCS_IPSEC_EXT.1.2
TheTSFshallimplement[selection:transportmode,tunnelmode].
FCS_IPSEC_EXT.1.3
TheTSFshallhaveanominal,finalentryintheSPDthatmatchesanythingthatisotherwiseunmatched,anddiscardsit.
FCS_IPSEC_EXT.1.4
TheTSFshallimplementtheIPsecprotocolESPasdefinedbyRFC4303usingthecryptographicalgorithms[AES-GCM-128,AES-GCM-256(asspecifiedinRFC4106),[selection:AES-CBC-128(specifiedinRFC3602),AES-CBC-256(specifiedinRFC3602),nootheralgorithms]]togetherwithaSecureHashAlgorithm(SHA)-basedHMAC.
FCS_IPSEC_EXT.1.5
TheTSFshallimplementtheprotocol:
[selection:IKEv1,usingMainModeforPhase1exchanges,asdefinedinRFC2407,RFC2408,RFC2409,RFC4109,[selection:nootherRFCsforextendedsequencenumbers,RFC4304forextendedsequencenumbers],[selection:nootherRFCsforhashfunctions,RFC4868forhashfunctions],and[selection:supportforXAUTH,nosupportforXAUTH],IKEv2asdefinedinRFC7296(withmandatorysupportforNATtraversalasspecifiedinsection2.23),RFC8784,RFC8247,and[selection:nootherRFCsforhashfunctions,RFC4868forhashfunctions].
]
FCS_IPSEC_EXT.1.6
TheTSFshallensuretheencryptedpayloadinthe[selection:IKEv1,IKEv2]protocolusesthecryptographicalgorithmsAES-CBC-128,AES-CBC-256asspecifiedinRFC6379and[selection:AES-GCM-128asspecifiedinRFC5282,AES-GCM-256asspecifiedinRFC5282,nootheralgorithm].
FCS_IPSEC_EXT.1.7
TheTSFshallensurethat[selection:IKEv2SAlifetimescanbeconfiguredby[selection:anAdministrator,aVPNGateway]basedon[selection:numberofpackets/numberofbytes,lengthoftime],IKEv1SAlifetimescanbeconfiguredby[selection:anAdministrator,aVPNGateway]basedon[selection:numberofpackets/numberofbytes,lengthoftime],IKEv1SAlifetimesarefixedbasedon[selection:numberofpackets/numberofbytes,lengthoftime].Iflengthoftimeisused,itmustincludeatleastoneoptionthatis24hoursorlessforPhase1SAsand8hoursorlessforPhase2SAs.
]
FCS_IPSEC_EXT.1.8
TheTSFshallensurethatallIKEprotocolsimplementDHgroups[19(256-bitRandomECP),20(384-bitRandomECP),and[selection:24(2048-bitMODPwith256-bitPOS),15(3072-bitMODP),14(2048-bitMODP),nootherDHgroups]].
FCS_IPSEC_EXT.1.9
TheTSFshallgeneratethesecretvaluexusedintheIKEDiffie-Hellmankeyexchange(“x”ingxmodp)usingtherandombitgeneratorspecifiedinFCS_RBG_EXT.1,andhavingalengthofatleast[assignment:(oneormore)number(s)ofbitsthatisatleasttwicethe“bitsofsecurity”valueassociatedwiththenegotiatedDiffie-HellmangroupaslistedinTable2ofNISTSP800-57,RecommendationforKeyManagement–Part1:General]bits.
FCS_IPSEC_EXT.1.10
TheTSFshallgeneratenoncesusedinIKEexchangesinamannersuchthattheprobabilitythataspecificnoncevaluewillberepeatedduringthelifeaspecificIPsecSAislessthan1in2^[assignment:(oneormore)“bitsofsecurity”value(s)associatedwiththenegotiatedDiffie-HellmangroupaslistedinTable2of
NISTSP800-57,RecommendationforKeyManagement–Part1:General].
FCS_IPSEC_EXT.1.11
TheTSFshallensurethatallIKEprotocolsperformpeerauthenticationusinga[selection:RSA,ECDSA]thatuseX.509v3certificatesthatconformtoRFC4945and[selection:Pre-sharedKeys,noothermethod].
FCS_IPSEC_EXT.1.12
TheTSFshallnotestablishanSAifthe[[selection:IPaddress,FullyQualifiedDomainName(FQDN),userFQDN,DistinguishedName(DN)]and[selection:nootherreferenceidentifiertype,[assignment:othersupportedreferenceidentifiertypes]]]containedinacertificatedoesnotmatchtheexpectedvalue(s)fortheentityattemptingtoestablishaconnection.
FCS_IPSEC_EXT.1.13
TheTSFshallnotestablishanSAifthepresentedidentifierdoesnotmatchtheconfiguredreferenceidentifierofthepeer.
FCS_IPSEC_EXT.1.14
The[selection:TSF,VPNGateway]shallbeabletoensurebydefaultthatthestrengthofthesymmetricalgorithm(intermsofthenumberofbitsinthekey)negotiatedtoprotectthe[selection:IKEv1Phase1,IKEv2IKE_SA]connectionisgreaterthanorequaltothestrengthofthesymmetricalgorithm(intermsofthenumberofbitsinthekey)negotiatedtoprotectthe[selection:IKEv1Phase2,IKEv2CHILD_SA]connection.
FCS_RBG_EXTCryptographicOperation(RandomBitGeneration)
FamilyBehaviorThisfamilydefinesrequirementsforrandombit/numbergeneration.FCS_RBG_EXT FCS_RBG_EXT.1
ComponentLevelingFCS_RBG_EXT.1,CryptographicOperation(RandomBitGeneration),requiresrandombitgenerationtobeperformedinaccordancewithselectedstandardsandseededbyanentropysource.
Management:FCS_RBG_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FCS_RBG_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. Failureoftherandomizationprocess.
FCS_RBG_EXT.1CryptographicOperation(RandomBitGeneration)Hierarchicalto:Noothercomponents.Dependenciesto:FCS_COP.1CryptographicOperation
FCS_RBG_EXT.1.1
TheTSFshallperformalldeterministicrandombitgenerationservicesinaccordancewithNISTSpecialPublication800-90Ausing[selection:Hash_DRBG(any),HMAC_DRBG(any),CTR_DRBG(AES)]
FCS_RBG_EXT.1.2
ThedeterministicRBGshallbeseededbyanentropysourcethataccumulatesentropyfrom[selection:asoftware-basednoisesource,ahardware-basednoisesource]withaminimumof[selection:128bits,192bits,256bits]ofentropyatleastequaltothegreatestsecuritystrengthaccordingtoNISTSP800-57,ofthekeysandhashesthatitwillgenerate.
FDP_HBI_EXTHardware-BasedIsolationMechanisms
FamilyBehaviorThisfamilydefinesrequirementsforisolationofGuestVMsfromthehardwareresourcesofthephysicaldeviceonwhichtheGuestVMsaredeployed.FDP_HBI_EXT FDP_HBI_EXT.1
ComponentLeveling
FDP_HBI_EXT.1,Hardware-BasedIsolationMechanisms,requirestheTSFtoidentifythemechanismsusedtoisolateGuestVMsfromplatformhardwareresources.
Management:FDP_HBI_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FDP_HBI_EXT.1Therearenoauditableeventsforeseen.
FDP_HBI_EXT.1Hardware-BasedIsolationMechanismsHierarchicalto:Noothercomponents.Dependenciesto:FDP_VMS_EXT.1VMSeparation
FDP_HBI_EXT.1.1
TheTSFshalluse[selection:nomechanism,[assignment:listofplatform-provided,hardware-basedmechanisms]]toconstrainaGuestVM'sdirectaccesstothefollowingphysicaldevices:[selection:nodevices,[assignment:physicaldevicestowhichtheVMMallowsGuestVMsphysicalaccess]].
FDP_PPR_EXTPhysicalPlatformResourceControls
FamilyBehaviorThisfamilydefinesrequirementsforthephysicalresourcesthattheTOEwillalloworprohibitGuestVMstoaccess.FDP_PPR_EXT FDP_PPR_EXT.1
ComponentLevelingFDP_PPR_EXT.1,PhysicalPlatformResourceControls,requirestheTSFtodefinethehardwareresourcesthatGuestVMsmayalwaysaccess,mayneveraccess,andmayconditionallyaccessbasedonadministrativeconfiguration.
Management:FDP_PPR_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. AbilitytoconfigureVMaccesstophysicaldevices.
Audit:FDP_PPR_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. SuccessfulandfailedVMconnectionstophysicaldeviceswhereconnectionisgovernedbyconfigurablepolicy.
b. Securitypolicyviolations.
FDP_PPR_EXT.1PhysicalPlatformResourceControlsHierarchicalto:Noothercomponents.Dependenciesto:FDP_HBI_EXT.1Hardware-BasedIsolationMechanismsFMT_SMR.1SecurityRoles
FDP_PPR_EXT.1.1
TheTSFshallallowanauthorizedadministratortocontrolGuestVMaccesstothefollowingphysicalplatformresources:[assignment:listofphysicalplatformresourcestheVMMisabletocontrolaccessto].
FDP_PPR_EXT.1.2
TheTSFshallexplicitlydenyallGuestVMsaccesstothefollowingphysicalplatformresources:[selection:nophysicalplatformresources,[assignment:listofphysicalplatformresourcestowhichaccessisexplicitlydenied]].
FDP_PPR_EXT.1.3
TheTSFshallexplicitlyallowallGuestVMsaccesstothefollowingphysicalplatformresources:[selection:nophysicalplatformresources,[assignment:listofphysicalplatformresourcestowhichaccessisalwaysallowed]].
FDP_RIP_EXTResidualInformationinMemory
FamilyBehavior
ThisfamilydefinesrequirementsforensuringthatallocationofdatatoaGuestVMdoesnotcauseadisclosureofresidualdatafromapreviousVM.
FDP_RIP_EXTFDP_RIP_EXT.1FDP_RIP_EXT.2
ComponentLevelingFDP_RIP_EXT.1,ResidualInformationinMemory,requirestheTSFtoensurethatphysicalmemoryisclearedtozerospriortoitsallocationtoaGuestVM.
Management:FDP_RIP_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FDP_RIP_EXT.1Therearenoauditableeventsforeseen.
FDP_RIP_EXT.1ResidualInformationinMemoryHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.
FDP_RIP_EXT.1.1
TheTSFshallensurethatanypreviousinformationcontentofphysicalmemoryisclearedpriortoallocationtoaGuestVM.
ComponentLevelingFDP_RIP_EXT.2,ResidualInformationonDisk,requirestheTSFtoensurethatphysicaldiskstorageisclearedpriortoitsallocationtoaGuestVM.
Management:FDP_RIP_EXT.2Nospecificmanagementfunctionsareidentified.
Audit:FDP_RIP_EXT.2Therearenoauditableeventsforeseen.
FDP_RIP_EXT.2ResidualInformationonDiskHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.
FDP_RIP_EXT.2.1
TheTSFshallensurethatanypreviousinformationcontentofphysicaldiskstorageisclearedtozerospriortoallocationtoaGuestVM.
FDP_VMS_EXTVMSeparation
FamilyBehaviorThisfamilydefinesrequirementsforthelogicalseparationofmultipleGuestVMsthataremanagedbythesameVirtualizationSystem.FDP_VMS_EXT FDP_VMS_EXT.1
ComponentLevelingFDP_VMS_EXT.1,VMSeparation,requirestheTSFtomaintainlogicalseparationbetweenGuestVMsexceptthroughtheuseofspecificconfigurablemethods.
Management:FDP_VMS_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. Abilitytoconfigureinter-VMdatasharing.
Audit:FDP_VMS_EXT.1Therearenoauditableeventsforeseen.
FDP_VMS_EXT.1VMSeparationHierarchicalto:Noothercomponents.Dependenciesto:FMT_MSA_EXT.1DefaultDataSharingConfigurationFMT_SMR.1SecurityRoles
FDP_VMS_EXT.1.1
TheVSshallprovidethefollowingmechanismsfortransferringdatabetweenGuestVMs:[selection:nomechanism,virtualnetworking,[assignment:otherinter-VMdatasharingmechanisms]
].
FDP_VMS_EXT.1.2
TheTSFshallallowAdministratorstoconfigurethemechanismsselectedinFDP_VMS_EXT.1.1toenableanddisablethetransferofdatabetweenGuestVMs.
FDP_VMS_EXT.1.3
TheVSshallensurethatnoGuestVMisabletoreadortransferdatatoorfromanotherGuestVMexceptthroughthemechanismslistedinFDP_VMS_EXT.1.1.
FDP_VNC_EXTVirtualNetworkingComponents
FamilyBehaviorThisfamilydefinesrequirementsforconfigurationofvirtualnetworkingbetweenGuestVMsthataremanagedbytheVirtualizationSystem.FDP_VNC_EXT FDP_VNC_EXT.1
ComponentLevelingFDP_VNC_EXT.1,VirtualNetworkingComponents,requirestheTSFtosupporttheconfigurationofvirtualnetworkingbetweenGuestVMs.
Management:FDP_VNC_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. AbilitytoconfigurevirtualnetworksincludingVM.
Audit:FDP_VNC_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. SuccessfulandfailedattemptstoconnectVMstovirtualandphysicalnetworkingcomponents.b. Securitypolicyviolations.c. Administratorconfigurationofinter-VMcommunicationschannelsbetweenVMs.
FDP_VNC_EXT.1VirtualNetworkingComponentsHierarchicalto:Noothercomponents.Dependenciesto:FDP_VMS_EXT.1VMSeparationFMT_SMR.1SecurityRoles
FDP_VNC_EXT.1.1
TheTSFshallallowAdministratorstoconfigurevirtualnetworkingcomponentstoconnectVMstoeachother,andtophysicalnetworks.
FDP_VNC_EXT.1.2
TheTSFshallensurethatnetworktrafficvisibletoaGuestVMonavirtualnetwork--orvirtualsegmentofaphysicalnetwork--isvisibleonlytoGuestVMsconfiguredtobeonthatvirtualnetworkorsegment.
FIA_AFL_EXTAuthenticationFailureHandling
FamilyBehaviorThisfamilydefinesrequirementsfordetectionandpreventionofbruteforceauthenticationattempts.FIA_AFL_EXT FIA_AFL_EXT.1
ComponentLevelingFIA_AFL_EXT.1,AuthenticationFailureHandling,requirestheTSFtolockanadministratoraccountwhenanexcessivenumberoffailedauthenticationattemptshavebeenobserveduntilsomerestorativeeventoccurstoenabletheaccount.
Management:FIA_AFL_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. Abilitytoconfigurelockoutpolicythroughunsuccessfulauthenticationattempts.b. Abilitytounlockalockedadministratoraccount.
Audit:FIA_AFL_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. Thresholdreachedforsuccessivefailedauthenticationattempts.
FIA_AFL_EXT.1AuthenticationFailureHandlingHierarchicalto:Noothercomponents.Dependenciesto:FIA_UIA_EXT.1AdministratorIdentificationandAuthenticationFMT_SMR.1SecurityRoles
FIA_AFL_EXT.1.1
TheTSFshalldetectwhen[selection:[assignment:apositiveintegernumber],anadministratorconfigurablepositiveintegerwithina[assignment:rangeofacceptablevalues]
]unsuccessfulauthenticationattemptsoccurrelatedtoAdministratorsattemptingtoauthenticateremotelyusing[selection:usernameandpassword,usernameandPIN].
FIA_AFL_EXT.1.2
Whenthedefinednumberofunsuccessfulauthenticationattemptshasbeenmet,theTSFshall:[selection:preventtheoffendingAdministratorfromsuccessfullyestablishingremotesessionusinganyauthenticationmethodthatinvolvesapasswordorPINuntil[assignment:actiontounlock]istakenbyanAdministrator,preventtheoffendingAdministratorfromsuccessfullyestablishingremotesessionusinganyauthenticationmethodthatinvolvesapasswordorPINuntilanAdministratordefinedtimeperiodhaselapsed]
FIA_PMG_EXTPasswordManagement
FamilyBehaviorThisfamilydefinesrequirementsforthecompositionofadministratorpasswords.FIA_PMG_EXT FIA_PMG_EXT.1
ComponentLevelingFIA_PMG_EXT.1,PasswordManagement,requirestheTSFtoensurethatadministratorpasswordsmeetadefinedpasswordpolicy.
Management:FIA_PMG_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. AbilitytoconfigureAdministratorpasswordpolicy.
Audit:FIA_PMG_EXT.1Therearenoauditableeventsforeseen.
FIA_PMG_EXT.1PasswordManagementHierarchicalto:Noothercomponents.Dependenciesto:FIA_UIA_EXT.1AdministratorIdentificationandAuthentication
FIA_PMG_EXT.1.1
TheTSFshallprovidethefollowingpasswordmanagementcapabilitiesforadministrativepasswords:
a. Passwordsshallbeabletobecomposedofanycombinationofupperandlowercasecharacters,digits,andthefollowingspecialcharacters:[selection:“!”,“@”,“#”,“$”,“%”,“^”,“&”,“*”,“(“,“)”,[assignment:othercharacters]]
b. Minimumpasswordlengthshallbeconfigurablec. Passwordsofatleast15charactersinlengthshallbesupported
FIA_UIA_EXTAdministratorIdentificationandAuthentication
FamilyBehaviorThisfamilydefinesrequirementsforensuringthataccesstotheTSFisnotgrantedtounauthenticated
subjects.FIA_UIA_EXT FIA_UIA_EXT.1
ComponentLevelingFIA_UIA_EXT.1,AdministratorIdentificationandAuthentication,requirestheTSFtoensurethatallsubjectsattemptingtoperformTSF-mediatedactionsareidentifiedandauthenticatedpriortoauthorizingtheseactionstobeperformed.
Management:FIA_UIA_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FIA_UIA_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. Administratorauthenticationattempts.b. Alluseoftheidentificationandauthenticationmechanism.c. Administratorsessionstarttimeandendtime.
FIA_UIA_EXT.1AdministratorIdentificationandAuthenticationHierarchicalto:Noothercomponents.Dependenciesto:FIA_UAU.5MultipleAuthenticationMechanisms
FIA_UIA_EXT.1.1
TheTSFshallrequireAdministratorstobesuccessfullyidentifiedandauthenticatedusingoneofthemethodsinFIA_UAU.5beforeallowinganyTSF-mediatedmanagementfunctiontobeperformedbythatAdministrator.
FIA_X509_EXTX.509Certificate
FamilyBehaviorThisfamilydefinesrequirementsforthevalidationanduseofX.509certificates.
FIA_X509_EXTFIA_X509_EXT.1FIA_X509_EXT.2
ComponentLevelingFIA_X509_EXT.1,X.509CertificateValidation,defineshowtheTSFmustvalidateX.509certificatesthatarepresentedtoit.
Management:FIA_X509_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. Configurationofcertificaterevocationcheckingmethod.
Audit:FIA_X509_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. Failuretovalidateacertificate.
FIA_X509_EXT.1X.509CertificateValidationHierarchicalto:Noothercomponents.Dependenciesto:FPT_STM.1ReliableTimeStamps
FIA_X509_EXT.1.1
TheTSFshallvalidatecertificatesinaccordancewiththefollowingrules:RFC5280certificatevalidationandcertificatepathvalidationThecertificatepathmustterminatewithatrustedcertificateTheTOEshallvalidateacertificatepathbyensuringthepresenceofthebasicConstraintsextension,thattheCAflagissettoTRUEforallCAcertificates,andthatanypathconstraintsaremet.TheTSFshallvalidatethatanyCAcertificateincludescaSigningpurposeinthekeyusagefieldTheTSFshallvalidaterevocationstatusofthecertificateusing[selection:OCSPasspecifiedinRFC6960,aCRLasspecifiedinRFC5759,anOCSPTLSStatusRequestExtension(OCSPstapling)asspecifiedinRFC6066,OCSPTLSMulti-CertificateStatusRequestExtension(i.e.,OCSPMulti-Stapling)asspecifiedinRFC6961].TheTSFshallvalidatetheextendedKeyUsagefieldaccordingtothefollowingrules:
CertificatesusedfortrustedupdatesandexecutablecodeintegrityverificationshallhavetheCodeSigningPurpose(id-kp3withOID1.3.6.1.5.5.7.3.3)intheextendedKeyUsagefield.ServercertificatespresentedforTLSshallhavetheServerAuthenticationpurpose(id-kp1with
OID1.3.6.1.5.5.7.3.1)intheextendedKeyUsagefield.ClientcertificatespresentedforTLSshallhavetheClientAuthenticationpurpose(id-kp2withOID1.3.6.1.5.5.7.3.2)intheEKUfield.OCSPcertificatespresentedforOCSPresponsesshallhavetheOCSPSigningPurpose(id-kp9withOID1.3.6.1.5.5.7.3.9)intheEKUfield.
FIA_X509_EXT.1.2
TheTSFshallonlytreatacertificateasaCAcertificateifthebasicConstraintsextensionispresentandtheCAflagissettoTRUE.
ComponentLevelingFIA_X509_EXT.2,X.509CertificateAuthentication,requirestheTSFtoidentifythefunctionsforwhichitusesX.509certificatesforauthentication
Management:FIA_X509_EXT.2ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. ConfigurationofTSFbehaviorwhencertificaterevocationstatuscannotbedetermined.
Audit:FIA_X509_EXT.2Therearenoauditableeventsforeseen.
FIA_X509_EXT.2X.509CertificateAuthenticationHierarchicalto:Noothercomponents.Dependenciesto:FIA_X509_EXT.1X.509CertificateValidationFTP_ITC_EXT.1TrustedChannelCommunications
FIA_X509_EXT.2.1
TheTSFshalluseX.509v3certificatesasdefinedbyRFC5280tosupportauthenticationfor[selection:IPsec,TLS,HTTPS,SSH],and[selection:codesigningforsystemsoftwareupdates,codesigningforintegrityverification,[assignment:otheruses],noadditionaluses]
FIA_X509_EXT.2.2
WhentheTSFcannotestablishaconnectiontodeterminethevalidityofacertificate,theTSFshall[selection:allowtheadministratortochoosewhethertoacceptthecertificateinthesecases,acceptthecertificate,notacceptthecertificate].
FMT_MSA_EXTDefaultDataSharingConfiguration
FamilyBehaviorThisfamilydefinesrequirementsforthedefaultdatasharingbehaviorforGuestVMs.FMT_MSA_EXT FMT_MSA_EXT.1
ComponentLevelingFMT_MSA_EXT.1,DefaultDataSharingConfiguration,requirestheTSFtodefineitsdefaultsecuritypostureforsharingofdatabetweenGuestVMs.
Management:FMT_MSA_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. AbilitytosetdefaultinitialVMconfigurations.
Audit:FMT_MSA_EXT.1Therearenoauditableeventsforeseen.
FMT_MSA_EXT.1DefaultDataSharingConfigurationHierarchicalto:Noothercomponents.Dependenciesto:FDP_VMS_EXT.1VMSeparation
FMT_MSA_EXT.1.1
TheTSFshallbydefaultenforceapolicyprohibitingsharingofdatabetweenGuestVMs.
FMT_MSA_EXT.1.2
TheTSFshallallowAdministratorstospecifyalternativeinitialconfigurationvaluestooverridethedefaultvalueswhenaGuestVMiscreated.
FMT_SMO_EXTSeparationofManagementandOperationalNetworks
FamilyBehaviorThisfamilydefinesrequirementsforseparationofmanagementandoperationalnetworks.FMT_SMO_EXT FMT_SMO_EXT.1
ComponentLevelingFMT_SMO_EXT.1,SeparationofManagementandOperationalNetworks,requirestheTSFtoseparateitsmanagementandoperationalnetworksthroughadefinedmechanism.
Management:FMT_SMO_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FMT_SMO_EXT.1Therearenoauditableeventsforeseen.
FMT_SMO_EXT.1SeparationofManagementandOperationalNetworksHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.
FMT_SMO_EXT.1.1
TheTSFshallsupporttheconfigurationofseparatemanagementandoperationalnetworksthrough[selection:physicalmeans,logicalmeans,trustedchannel].
FPT_DDI_EXTDeviceDriverIsolation
FamilyBehaviorThisfamilydefinesrequirementsforisolationofdevicedriversFPT_DDI_EXT FPT_DDI_EXT.1
ComponentLevelingFPT_DDI_EXT.1,DeviceDriverIsolation,requirestheTSFtoisolatedevicedriversforphysicaldevicesfromallvirtualdomains.
Management:FPT_DDI_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FPT_DDI_EXT.1Therearenoauditableeventsforeseen.
FPT_DDI_EXT.1DeviceDriverIsolationHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.
FPT_DDI_EXT.1.1
TheTSFshallensurethatdevicedriversforphysicaldevicesareisolatedfromtheVMMandallotherdomains.
FPT_DVD_EXTNon-ExistenceofDisconnectedVirtualDevices
FamilyBehaviorThisfamilydefinesrequirementsforensuringthatGuestVMscannotaccessthedevicedriversfordisabledordisconnectedvirtualdevices.FPT_DVD_EXT FPT_DVD_EXT.1
ComponentLevelingFPT_DVD_EXT.1,Non-ExistenceofDisconnectedVirtualDevices,requirestheTSFtopreventGuestVMsfromaccessingvirtualdevicesthatitisnotconfiguredtohaveaccessto.
Management:FPT_DVD_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FPT_DVD_EXT.1Therearenoauditableeventsforeseen.
FPT_DVD_EXT.1Non-ExistenceofDisconnectedVirtualDevicesHierarchicalto:Noothercomponents.Dependenciesto:FPT_VDP_EXT.1VirtualDeviceParameters
FPT_DVD_EXT.1.1
TheTSFshalllimitaGuestVM’saccesstovirtualdevicestothosethatarepresentintheVM’scurrentvirtualhardwareconfiguration.
FPT_EEM_EXTExecutionEnvironmentMitigations
FamilyBehaviorThisfamilydefinesrequirementsfortheTOE’scompatibilitywithplatformmechanismsthatpreventvulnerabilitiesthatallowfortheexecutionofunauthorizedcodeorbypassofaccessrestrictionsonmemoryorstorage.FPT_EEM_EXT FPT_EEM_EXT.1
ComponentLevelingFPT_EEM_EXT.1,ExecutionEnvironmentMitigations,requirestheTSFtoidentifytheexecutionenvironment-basedprotectionmechanismsthatitcanuseforself-protection.
Management:FPT_EEM_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FPT_EEM_EXT.1Therearenoauditableeventsforeseen.
FPT_EEM_EXT.1ExecutionEnvironmentMitigationsHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.
FPT_EEM_EXT.1.1
TheTSFshalltakeadvantageofexecutionenvironment-basedvulnerabilitymitigationmechanismssupportedbythePlatformsuchas:[selection:
Addressspacerandomization,Memoryexecutionprotection(e.g.,DEP),Stackbufferoverflowprotection,Heapcorruptiondetection,[assignment:othermechanisms],Nomechanisms
]
FPT_GVI_EXTGuestVMIntegrity
FamilyBehaviorThisfamilydefinesrequirementsfortheTOEtoasserttheintegrityofGuestVMs.FPT_GVI_EXT FPT_GVI_EXT.1
ComponentLevelingFPT_GVI_EXT.1,GuestVMIntegrity,requirestheTSFtospecifythemechanismsitusestoverifytheintegrityofGuestVMs.
Management:FPT_GVI_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FPT_GVI_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. Actionstakenduetofailedintegritycheck.
FPT_GVI_EXT.1GuestVMIntegrityHierarchicalto:Noothercomponents.
Dependenciesto:Nodependencies.
FPT_GVI_EXT.1.1
TheTSFshallverifytheintegrityofGuestVMsthroughthefollowingmechanisms:[assignment:listofGuestVMintegritymechanisms].
FPT_HAS_EXTHardwareAssists
FamilyBehaviorThisfamilydefinesrequirementsforuseofhardware-basedvirtualizationassistsasperformanceenhancements.FPT_HAS_EXT FPT_HAS_EXT.1
ComponentLevelingFPT_HAS_EXT.1,HardwareAssists,requirestheTSFtoidentifythehardwareassistsitusestoreduceTOEcomplexity.
Management:FPT_HAS_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FPT_HAS_EXT.1Therearenoauditableeventsforeseen.
FPT_HAS_EXT.1HardwareAssistsHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.
FPT_HAS_EXT.1.1
TheVMMshalluse[assignment:listofhardware-basedvirtualizationassists]toreduceoreliminatetheneedforbinarytranslation.
FPT_HAS_EXT.1.2
TheVMMshalluse[assignment:listofhardware-basedvirtualizationmemory-handlingassists]toreduceoreliminatetheneedforshadowpagetables.
FPT_HCL_EXTHypercallControls
FamilyBehaviorThisfamilydefinesrequirementsforcontrolofHypercallinterfaces.FPT_HCL_EXT FPT_HCL_EXT.1
ComponentLevelingFPT_HCL_EXT.1,HypercallControls,requirestheTSFtoimplementaHypercallinterfacewithappropriateaccesscontrolstoprotectGuestVMsfromunauthorizedaccessviathisinterface.
Management:FPT_HCL_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. Abilitytoenable/disableVMaccesstoHypercallfunctions.
Audit:FPT_HCL_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. AttemptstoaccessdisabledHypercallinterfaces.b. Securitypolicyviolations.
FPT_HCL_EXT.1HypercallControlsHierarchicalto:Noothercomponents.Dependenciesto:FMT_SMR.1SecurityRoles
FPT_HCL_EXT.1.1
TheTSFshallprovideaHypercallinterfaceforGuestVMstousetoinvokefunctionalityprovidedbytheVMM.
FPT_HCL_EXT.1.2
TheTSFshallallowadministratorstoconfigureanyVM’sHypercallinterfacetodisableaccesstoindividualfunctions,allfunctions,orgroupsoffunctions.
FPT_HCL_EXT.1.3
TheTSFshallpermitexceptionstotheconfigurationofthefollowingHypercallinterfacefunctions:[assignment:listoffunctionsthatarenotsubjecttotheconfigurationcontrolsinFPT_HCL_EXT.1.2].
FPT_HCL_EXT.1.4
TheTSFshallvalidatetheparameterspassedtothehypercallinterfacepriortoexecutionoftheVMMfunctionalityexposedbythatinterface.
FPT_IDV_EXTSoftwareIdentificationandVersions
FamilyBehaviorThisfamilydefinesrequirementsfortheuseofSWIDtagstoidentifytheTOE.FPT_IDV_EXT FPT_IDV_EXT.1
ComponentLevelingFPT_IDV_EXT.1,SoftwareIdentificationandVersions,requirestheTSFtoidentifyitselfusingSWIDtags.
Management:FPT_IDV_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FPT_IDV_EXT.1Therearenoauditableeventsforeseen.
FPT_IDV_EXT.1SoftwareIdentificationandVersionsHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.
FPT_IDV_EXT.1.1
TheTSFshallincludesoftwareidentification(SWID)tagsthatcontainaSoftwareIdentityelementandanEntityelementasdefinedinISO/IEC19770-2:2009.
FPT_IDV_EXT.1.2
TheTSFshallstoreSWIDsina.swidtagfileasdefinedinISO/IEC19770-2:2009.
FPT_INT_EXTSupportforIntrospection
FamilyBehaviorThisfamilydefinesrequirementsforsupportingVMintrospection.FPT_INT_EXT FPT_INT_EXT.1
ComponentLevelingFPT_INT_EXT.1,SupportforIntrospection,requirestheTSFtosupportintrospection.
Management:FPT_INT_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FPT_INT_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. Introspectioninitiated/enabled.
FPT_INT_EXT.1SupportforIntrospectionHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.
FPT_INT_EXT.1.1
TheTSFshallsupportamechanismforpermittingtheVMMorprivilegedVMstoaccesstheinternalsof
anotherVMforpurposesofintrospection.
FPT_ML_EXTMeasuredLaunchofPlatformandVMM
FamilyBehaviorThisfamilydefinesrequirementsformeasuredlaunch.FPT_ML_EXT FPT_ML_EXT.1
ComponentLevelingFPT_ML_EXT.1,MeasuredLaunchofPlatformandVMM,requirestheTSFtosupportameasuredlaunchofitself.
Management:FPT_ML_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FPT_ML_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. Integritymeasurementscollected.
FPT_ML_EXT.1MeasuredLaunchofPlatformandVMMHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies.
FPT_ML_EXT.1.1
TheTSFshallsupportameasuredlaunchoftheVirtualizationSystem.MeasuredcomponentsoftheVSshallincludethestaticexecutableimageoftheHypervisorand:[selection:
StaticexecutableimagesoftheManagementSubsystem,[assignment:listof(staticimagesof)ServiceVMs],[assignment:listofconfigurationfiles],noothercomponents
]
FPT_ML_EXT.1.2
TheTSFshallmakethemeasurementsselectedinFPT_ML_EXT.1.1availabletotheManagementSubsystem.
FPT_RDM_EXTRemovableDevicesandMedia
FamilyBehaviorThisfamilydefinesrequirementsforenforcementofdomainisolationwhenremovabledevicescanbeconnectedtoadomain.FPT_RDM_EXT FPT_RDM_EXT.1
ComponentLevelingFPT_RDM_EXT.1,RemovableDevicesandMedia,requirestheTSFtoensurethatVMsarenotinadvertentlygivenaccesstoinformationindifferentdomainsbecauseremovablemediaissimultaneouslyaccessiblefromseparatedomains.
Management:FPT_RDM_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. Abilitytoconfigureremovablemediapolicy.
Audit:FPT_RDM_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. Connection/disconnectionofremovablemediaordeviceto/fromaVM.b. Ejection/insertionofremovablemediaordevicefrom/toanalreadyconnectedVM.
FPT_RDM_EXT.1RemovableDevicesandMediaHierarchicalto:Noothercomponents.Dependenciesto:FDP_VMS_EXT.1VMSeparation
FPT_RDM_EXT.1.1
TheTSFshallimplementcontrolsforhandlingthetransferofvirtualandphysicalremovablemediaandvirtualandphysicalremovablemediadevicesbetweeninformationdomains.
FPT_RDM_EXT.1.2
TheTSFshallenforcethefollowingruleswhen[assignment:virtualorphysicalremovablemediaandvirtualorphysicalremovablemediadevices]areswitchedbetweeninformationdomains,then[selection:
theAdministratorhasgrantedexplicitaccessforthemediaordevicetobeconnectedtothereceivingdomain,themediainadevicethatisbeingtransferredisejectedpriortothereceivingdomainbeingallowedaccesstothedevice,theuserofthereceivingdomainexpresslyauthorizestheconnection,thedeviceormediathatisbeingtransferredispreventedfrombeingaccessedbythereceivingdomain
]
FPT_TUD_EXTTrustedUpdates
FamilyBehaviorThisfamilydefinesrequirementsforensuringthatupdatestotheTOEsoftwareandfirmwarearegenuine.
FPT_TUD_EXTFPT_TUD_EXT.1FPT_TUD_EXT.2
ComponentLevelingFPT_TUD_EXT.1,TrustedUpdatestotheVirtualizationSystem,requirestheTSFtodefinethemechanismforapplyingandverifyingTOEupdates.
Management:FPT_TUD_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. AbilitytoupdatetheVirtualizationSystem.
Audit:FPT_TUD_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. Initiationofupdate.b. Failureofsignatureverification.
FPT_TUD_EXT.1TrustedUpdatestotheVirtualizationSystemHierarchicalto:Noothercomponents.Dependenciesto:FCS_COP.1CryptographicOperation
FPT_TUD_EXT.1.1
TheTSFshallprovideadministratorstheabilitytoquerythecurrentlyexecutedversionoftheTOEfirmware/softwareaswellasthemostrecentlyinstalledversionoftheTOEfirmware/software.
FPT_TUD_EXT.1.2
TheTSFshallprovideadministratorstheabilitytomanuallyinitiateupdatestoTOEfirmware/softwareand[selection:automaticupdates,nootherupdatemechanism].
FPT_TUD_EXT.1.3
TheTSFshallprovidemeanstoauthenticatefirmware/softwareupdatestotheTOEusinga[selection:digitalsignaturemechanismusingcertificates,digitalsignaturemechanismnotusingcertificates,publishedhash]priortoinstallingthoseupdates.
ComponentLevelingFPT_TUD_EXT.2,TrustedUpdateBasedonCertificates,requirestheTSFtovalidateupdatesusingacodesigningcertificate.
Management:FPT_TUD_EXT.2Nospecificmanagementfunctionsareidentified.
Audit:FPT_TUD_EXT.2Therearenoauditableeventsforeseen.
FPT_TUD_EXT.2TrustedUpdateBasedonCertificatesHierarchicalto:Noothercomponents.
Dependenciesto:FPT_TUD_EXT.1TrustedUpdatestotheVirtualizationSystemFIA_X509_EXT.1X.509ValidationFIA_X509_EXT.2X.509Authentication
FPT_TUD_EXT.2.1
TheTSFshallnotinstallanupdateifthecodesigningcertificateisdeemedinvalid.
FPT_VDP_EXTVirtualDeviceParameters
FamilyBehaviorThisfamilydefinesrequirementsforprocessingdatatransmittedtotheTOEfromaGuestVM.FPT_VDP_EXT FPT_VDP_EXT.1
ComponentLevelingFPT_VDP_EXT.1,VirtualDeviceParameters,,requirestheTSFtointerfacewithGuestVMsthroughvirtualhardwareabstractionssothatanydatatransmittedtotheTOEfromaGuestVMcanbevalidatedaswell-formed.
Management:FPT_VDP_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FPT_VDP_EXT.1Therearenoauditableeventsforeseen.
FPT_VDP_EXT.1VirtualDeviceParametersHierarchicalto:Noothercomponents.Dependenciesto:FPT_VIV_EXT.1VMMIsolationfromVMs
FPT_VDP_EXT.1.1
TheTSFshallprovideinterfacesforvirtualdevicesimplementedbytheVMMaspartofthevirtualhardwareabstraction.
FPT_VDP_EXT.1.2
TheTSFshallvalidatetheparameterspassedtothevirtualdeviceinterfacepriortoexecutionoftheVMMfunctionalityexposedbythoseinterfaces.
FPT_VIV_EXTVMMIsolationfromVMs
FamilyBehaviorThisfamilydefinesrequirementsforensuringtheTOEislogicallyisolatedfromitsGuestVMsFPT_VIV_EXT FPT_VIV_EXT.1
ComponentLevelingFPT_VIV_EXT.1,VMMIsolationfromVMs,requirestheTSFtoensurethatthereisnomechanismbywhichaGuestVMcaninterfacewiththeTOE,otherVMs,orthehardwareplatformwithoutauthorization.
Management:FPT_VIV_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FPT_VIV_EXT.1Therearenoauditableeventsforeseen.
FPT_VIV_EXT.1VMMIsolationfromVMsHierarchicalto:Noothercomponents.Dependenciesto:FDP_PPR_EXT.1PhysicalPlatformResourceControlsFDP_VMS_EXT.1VMSeparation
FPT_VIV_EXT.1.1
TheTSFmustensurethatsoftwarerunninginaVMisnotabletodegradeordisruptthefunctioningofotherVMs,theVMM,orthePlatform.
FPT_VIV_EXT.1.2
TheTSFmustensurethataGuestVMisunabletoinvokeplatformcodethatrunsataprivilegelevelequaltoorexceedingthatoftheVMMwithoutinvolvementoftheVMM.
FTP_ITC_EXTTrustedChannelCommunications
FamilyBehaviorThisfamilydefinesrequirementsforprotectionofdataintransitbetweentheTOEanditsoperationalenvironment.FTP_ITC_EXT FTP_ITC_EXT.1
ComponentLevelingFTP_ITC_EXT.1,TrustedChannelCommunications,requirestheTSFtoimplementoneormorecryptographicprotocolstosecureconnectivitybetweentheTSFandvariousexternalentities.
Management:FTP_ITC_EXT.1ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:
a. Abilitytoconfigurethecryptographicfunctionality.
Audit:FTP_ITC_EXT.1ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:
a. Initiationofthetrustedchannel.b. Terminationofthetrustedchannel.c. Failuresofthetrustedpathfunctions.
FTP_ITC_EXT.1TrustedChannelCommunicationsHierarchicalto:Noothercomponents.Dependenciesto:FAU_STG_EXT.1Off-LoadingofAuditData
FTP_ITC_EXT.1.1
TheTSFshalluse[selection:TLSasconformingtotheFunctionalPackageforTransportLayerSecurity,TLS/HTTPSasconformingtoFCS_HTTPS_EXT.1,IPsecasconformingtoFCS_IPSEC_EXT.1,SSHasconformingtotheExtendedPackageforSecureShell
]toprovideatrustedcommunicationchannelbetweenitself,and
auditservers(asrequiredbyFAU_STG_EXT.1),and[selection:
remoteadministrators(asrequiredbyFTP_TRP.1.1ifselectedinFMT_MOF_EXT.1.1intheClientorServerPP-Module),separationofmanagementandoperationalnetworks(ifselectedinFMT_SMO_EXT.1),[assignment:othercapabilities],noothercapabilities
]thatislogicallydistinctfromothercommunicationpathsandprovidesassuredidentificationofitsendpointsandprotectionofthecommunicateddatafromdisclosureanddetectionofmodificationofthecommunicateddata.
FTP_UIF_EXTUserInterface
FamilyBehaviorThisfamilydefinesrequirementsforunambiguouslyidentifyingthespecificGuestVMthataTOEuserisinteractingwithatanygivenpointintime.
FTP_UIF_EXTFTP_UIF_EXT.1FTP_UIF_EXT.2
ComponentLevelingFTP_UIF_EXT.1,UserInterface:I/OFocus,requirestheTSFtounambiguouslyidentifytheGuestVMthathasthecurrentinputfocusforinputperipherals.
Management:FTP_UIF_EXT.1Nospecificmanagementfunctionsareidentified.
Audit:FTP_UIF_EXT.1Therearenoauditableeventsforeseen.
FTP_UIF_EXT.1UserInterface:I/OFocusHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies
FTP_UIF_EXT.1.1
TheTSFshallindicatetouserswhichVM,ifany,hasthecurrentinputfocus.
ComponentLevelingFTP_UIF_EXT.2,UserInterface:IdentificationofVM,requirestheTOEtoperformpoweronself-teststoverifyitsfunctionalityandtheintegrityofitsstoredexecutablecode.
Management:FTP_UIF_EXT.2Nospecificmanagementfunctionsareidentified.
Audit:FTP_UIF_EXT.2Therearenoauditableeventsforeseen.
FTP_UIF_EXT.2UserInterface:IdentificationofVMHierarchicalto:Noothercomponents.Dependenciesto:Nodependencies
FTP_UIF_EXT.2.1
TheTSFshallsupporttheuniqueidentificationofaVM’soutputdisplaytousers.
AppendixD-ImplicitlySatisfiedRequirementsThisappendixlistsrequirementsthatshouldbeconsideredsatisfiedbyproductssuccessfullyevaluatedagainstthisProtectionProfile.However,theserequirementsarenotfeaturedexplicitlyasSFRsandshouldnotbeincludedintheST.TheyarenotincludedasstandaloneSFRsbecauseitwouldincreasethetime,cost,andcomplexityofevaluation.Thisapproachispermittedby[CC]Part1,8.2Dependenciesbetweencomponents.Thisinformationbenefitssystemsengineeringactivitieswhichcallforinclusionofparticularsecuritycontrols.EvaluationagainsttheProtectionProfileprovidesevidencethatthesecontrolsarepresentandhavebeenevaluated.ThisappendixlistsrequirementsthatshouldbeconsideredsatisfiedbyproductssuccessfullyevaluatedagainstthisPP.TheserequirementsarenotfeaturedexplicitlyasSFRsandshouldnotbeincludedintheST.TheyarenotincludedasstandaloneSFRsbecauseitwouldincreasethetime,cost,andcomplexityofevaluation.Thisapproachispermittedby[CC]Part1,8.2Dependenciesbetweencomponents.Thisinformationbenefitssystemsengineeringactivitieswhichcallforinclusionofparticularsecuritycontrols.EvaluationagainstthePPprovidesevidencethatthesecontrolsarepresentandhavebeenevaluated.Table9:ImplicitlySatisfiedRequirements
Requirement RationaleforSatisfaction
FAU_GEN.1–AuditDataGeneratio
FAU_GEN.1hasadependencyonFPT_STM.1.WhilenotexplicitlystatedinthePP,itisassumedthatthiswillbeprovidedbytheunderlyinghardwareplatformonwhichtheTOEisinstalled.ThisisbecausetheTOEisinstalledasasoftwareorfirmwareproductthatrunsongeneral-purposecomputinghardwaresoahardwareclockisassumedtobeavailable.
FCS_CKM.1–CryptographicKeyGeneration
FCS_CKM.1hasadependencyonFCS_CKM.4.TheextendedSFRFCS_CKM_EXT.4addressesthisdependencybydefininganalternaterequirementforkeydestruction.
FCS_CKM.2–CryptographicKeyEstablishment
FCS_CKM.2hasadependencyonFCS_CKM.4.TheextendedSFRFCS_CKM_EXT.4addressesthisdependencybydefininganalternaterequirementforkeydestruction.
FCS_COP.1–CryptographicOperation
EachiterationofFCS_COP.1hasadependencyonFCS_CKM.4.TheextendedSFRFCS_CKM_EXT.4addressesthisdependencybydefininganalternaterequirementforkeydestruction.
FIA_X509_EXT.1–X.509CertificateValidation
FIA_X509_EXT.1hasadependencyonFPT_STM.1.WhilenotexplicitlystatedinthePP,itisassumedthatthiswillbeprovidedbytheunderlyinghardwareplatformonwhichtheTOEisinstalled.ThisisbecausetheTOEisinstalledasasoftwareorfirmwareproductthatrunsongeneral-purposecomputinghardwaresoahardwareclockisassumedtobeavailable.
FMT_SMR.2–RestrictionsonSecurityRoles
FMT_SMR.2hasadependencyonFIA_UID.1.TheextendedSFRFIA_UID_EXT.1expressesthisdependencybyalsorequiringuseridentificationforuseoftheTOE.
AppendixE-EntropyDocumentationandAssessment
E.1DesignDescriptionDocumentationshallincludethedesignoftheentropysourceasawhole,includingtheinteractionofallentropysourcecomponents.Itwilldescribetheoperationoftheentropysourcetoincludehowitworks,howentropyisproduced,andhowunprocessed(raw)datacanbeobtainedfromwithintheentropysourcefortestingpurposes.Thedocumentationshouldwalkthroughtheentropysourcedesignindicatingwheretherandomcomesfrom,whereitispassednext,anypost-processingoftherawoutputs(hash,XOR,etc.),if/whereitisstored,andfinally,howitisoutputfromtheentropysource.Anyconditionsplacedontheprocess(e.g.,blocking)shouldalsobedescribedintheentropysourcedesign.Diagramsandexamplesareencouraged.
Thisdesignmustalsoincludeadescriptionofthecontentofthesecurityboundaryoftheentropysourceandadescriptionofhowthesecurityboundaryensuresthatanadversaryoutsidetheboundarycannotaffecttheentropyrate.
E.2EntropyJustificationThereshouldbeatechnicalargumentforwheretheunpredictabilityinthesourcecomesfromandwhythereisconfidenceintheentropysourceexhibitingprobabilisticbehavior(anexplanationoftheprobabilitydistributionandjustificationforthatdistributiongiventheparticularsourceisonewaytodescribethis).ThisargumentwillincludeadescriptionoftheexpectedentropyrateandexplainhowyouensurethatsufficiententropyisgoingintotheTOErandomizerseedingprocess.Thisdiscussionwillbepartofajustificationforwhytheentropysourcecanbereliedupontoproducebitswithentropy.
E.3OperatingConditionsDocumentationwillalsoincludetherangeofoperatingconditionsunderwhichtheentropysourceisexpectedtogeneraterandomdata.Itwillclearlydescribethemeasuresthathavebeentakeninthesystemdesigntoensuretheentropysourcecontinuestooperateunderthoseconditions.Similarly,documentationshalldescribetheconditionsunderwhichtheentropysourceisknowntomalfunctionorbecomeinconsistent.Methodsusedtodetectfailureordegradationofthesourceshallbeincluded.
E.4HealthTestingMorespecifically,allentropysourcehealthtestsandtheirrationalewillbedocumented.Thiswillincludeadescriptionofthehealthtests,therateandconditionsunderwhicheachhealthtestisperformed(e.g.,atstartup,continuously,oron-demand),theexpectedresultsforeachhealthtest,andrationaleindicatingwhyeachtestisbelievedtobeappropriatefordetectingoneormorefailuresintheentropysource.
AppendixF-EquivalencyGuidelines
F.1IntroductionThepurposeofequivalenceinPP-basedevaluationsistofindabalancebetweenevaluationrigorandcommercialpracticability--toensurethatevaluationsmeetcustomerexpectationswhilerecognizingthatthereislittletobegainedfromrequiringthateveryvariationinaproductorplatformbefullytested.IfaproductisfoundtobecompliantwithaPPononeplatform,thenallequivalentproductsonequivalentplatformsarealsoconsideredtobecompliantwiththePP.
AVendorcanmakeaclaimofequivalenceiftheVendorbelievesthataparticularinstanceoftheirProductimplementsPP-specifiedsecurityfunctionalityinawayequivalenttotheimplementationofthesamefunctionalityonanotherinstanceoftheirProductonwhichthefunctionalitywastested.TheProductinstancescandifferinversionnumberorfeaturelevel(model),ortheinstancesmayrunondifferentplatforms.Equivalencycanbeusedtoreducethetestingrequiredacrossclaimedevaluatedconfigurations.ItcanalsobeusedduringAssuranceMaintenancetoreducetestingneededtoaddmoreevaluatedconfigurationstoacertification.
TheseequivalencyguidelinesdonotreplaceAssuranceMaintenancerequirementsorNIAPPolicy#5requirementsforCAVPcertificates.Normayequivalencybeusedtoleverageevaluationswithexpiredcertifications.
ThisdocumentprovidesguidancefordeterminingwhetherProductsandPlatformsareequivalentforpurposesofevaluationagainsttheProtectionProfileforVirtualization(VPP)wheninstantiatedwitheithertheClientorServerPP-Module.
Equivalencehastwoaspects:
1. ProductEquivalence:ProductsmaybeconsideredequivalentiftherearenodifferencesbetweenProductModelsandProductVersionswithrespecttoPP-specifiedsecurityfunctionality.
2. PlatformEquivalence:PlatformsmaybeconsideredequivalentiftherearenosignificantdifferencesintheservicestheyprovidetotheProduct--orinthewaytheplatformsprovidethoseservices--withrespecttoPP-specifiedsecurityfunctionality.
TheequivalencydeterminationismadeinaccordancewiththeseguidelinesbytheValidatorandSchemeusinginformationprovidedbytheEvaluator/Vendor.
F.2ApproachtoEquivalencyAnalysisTherearetwoscenariosforperformingequivalencyanalysis.Oneiswhenaproducthasbeencertifiedandthevendorwantstoshowthatalaterproductshouldbeconsideredcertifiedduetoequivalencewiththeearlierproduct.Theotheriswhenmultipleproductvariantsaregoingthoughevaluationtogetherandthevendorwouldliketoreducetheamountoftestingthatmustbedone.Thebasicrulesfordeterminingequivalencearethesameinbothcases.Butthereisoneadditionalconsiderationthatappliestoequivalencewithpreviouslycertifiedproducts.Thatis,theproductwithwhichequivalenceisbeingclaimedmusthaveavalidcertificationinaccordancewithschemerulesandtheAssuranceMaintenanceprocessmustbefollowed.Ifaproduct’scertificationhasexpired,thenequivalencecannotbeclaimedwiththatproduct.
Whenperformingequivalencyanalysis,theEvaluator/VendorshouldfirstusethefactorsandguidelinesforProductModelequivalencetodeterminethesetofProductModelstobeevaluated.Ingeneral,ProductModelsthatdonotdifferinPP-specifiedsecurityfunctionalityareconsideredequivalentforpurposesofevaluationagainsttheVPP.
IfmultiplerevisionlevelsofProductModelsaretobeevaluated--ortodeterminewhetherarevisionofanevaluatedproductneedsre-evaluation--theEvaluator/VendorandValidatorshouldusethefactorsandguidelinesforProductVersionequivalencetodeterminewhetherProductVersionsareequivalent.
HavingdeterminedthesetofProductModelsandVersionstobeevaluated,thenextstepistodeterminethesetofPlatformsthattheProductsmustbetestedon.
Eachnon-equivalentProductforwhichcomplianceisclaimedmustbefullytestedoneachnon-equivalentplatformforwhichcomplianceisclaimed.Fornon-equivalentProductsonequivalentplatforms,onlythedifferencesthataffectPP-specifiedsecurityfunctionalitymustbetestedforeachproduct.
IfthesetofequivalentProductsincludesonlybare-metalinstallations,thentheequivalencyanalysisiscomplete.Butifanymembersofthesetincludehostedinstallationsorinstallationsthatintegratewithanexistinghostoperatingsystemorcontroldomain,thensoftwareplatformequivalencemustbetakenintoconsideration.TheEvaluator/VendorandValidatorshouldusethefactorsandguidanceforsoftwareplatformequivalencetodeterminewhetherdifferentmodelsorversionsofhostorcontroldomainoperatingsystemsrequireseparatetesting.
“DifferencesinPP-SpecifiedSecurityFunctionality”DefinedIfPP-specifiedsecurityfunctionalityisimplementedbytheTOE,thendifferencesintheactualimplementationbetweenversionsorproductmodelsbreakequivalenceforthatfeature.Likewise,iftheTOEimplementsthefunctionalityinoneversionormodelandthefunctionalityisimplementedbytheplatforminanotherversionormodel,thenequivalenceisbroken.Ifthefunctionalityisimplementedbytheplatforminmultiplemodelsorversionsonequivalentplatforms,thenthefunctionalityisconsidereddifferentiftheproductinvokestheplatformdifferentlytoperformthefunction.
F.3SpecificGuidanceforDeterminingProductModelEquivalenceProductModelequivalenceattemptstodeterminewhetherdifferentfeaturelevelsofthesameproductacrossaproductlineareequivalentforpurposesofPPtesting.Forexample,ifaproducthasa“basic”editionandan“enterprise”edition,isitnecessarytotestbothmodels?Ordoestestingonemodelprovidesufficientassurancethatbothmodelsarecompliant?
Table10,below,liststhefactorsfordeterminingProductModelequivalence.
Table10:FactorsforDeterminingProductModelEquivalence
Factor Same/Different Guidance
TargetPlatform
Different ProductModelsthatvirtualizedifferentinstructionsets(e.g.x86,ARM,POWER,SPARC,MIPS)arenotequivalent.
InstallationTypes
Different IfaProductcanbeinstalledeitheronbaremetalorontoanoperatingsystemandthevendorwantstoclaimthatbothinstallationtypesconstituteasingleModel,thenseetheguidancefor“PP-SpecifiedFunctionality,”below.
SoftwarePlatform
Different ProductModelsthatrunonsubstantiallydifferentsoftwareenvironments,suchasdifferenthostoperatingsystems,arenotequivalent.Modelsthatinstallondifferentversionsofthesamesoftwareenvironmentmaybeequivalentdependingonthebelowfactors.
PP-SpecifiedFunctionality
Same IfthedifferencesbetweenModelsaffectonlynon-PP-specifiedfunctionality,thentheModelsareequivalent.
Different IfPP-specifiedsecurityfunctionalityisaffectedbythedifferencesbetweenModels,thentheModelsarenotequivalentandmustbetestedseparately.Itisnecessarytotestonlythefunctionalityaffectedbythesoftwaredifferences.Ifonlydifferencesaretested,thenthedifferencesmustbeenumerated,andforeachdifferencetheVendormustprovideanexplanationofwhyeachdifferencedoesordoesnotaffectPP-specifiedfunctionality.IftheProductModelsarefullytestedseparately,thenthereisnoneedtodocumentthedifferences.
F.4SpecificGuidanceforDeterminingProductVersionEquivalenceIncasesofversionequivalence,differencesareexpressedintermsofchangesimplementedinrevisionsofanevaluatedProduct.Ingeneral,versionsareequivalentifthechangeshavenoeffectonanysecurity-relevantclaimsabouttheTOEorassuranceevidence.Non-security-relevantchangestoTOEfunctionalityortheadditionofnon-security-relevantfunctionalitydoesnotaffectequivalence.
Table11:FactorsforDeterminingProductVersionEquivalence
Factor Same/Different Guidance
ProductModels
Different VersionsofdifferentProductModelsarenotequivalentunlesstheModelsareequivalentasdefinedinSection3.
PP-SpecifiedFunctionality
Same Ifthedifferencesaffectonlynon-PP-specifiedfunctionality,thentheVersionsareequivalent.
Different IfPP-specifiedsecurityfunctionalityisaffectedbythedifferences,thentheVersionsareconsideredtobenotequivalentandmustbetestedseparately.Itisnecessaryonlytotestthefunctionalityaffectedbythechanges.Ifonlythedifferencesaretested,thenforeachdifferencetheVendormustprovideanexplanationofwhythedifferencedoesordoesnotaffectPP-specifiedfunctionality.IftheProductVersionsarefully
testedseparately,thenthereisnoneedtodocumentthedifferences.
F.5SpecificGuidanceforDeterminingPlatformEquivalencePlatformequivalenceisusedtodeterminetheplatformsthataproductmustbetestedon.Theseguidelinesaredividedintosectionsfordetermininghardwareequivalenceandsoftware(hostOS/controldomain)equivalence.IftheProductisinstalledontobaremetal,thenonlyhardwareequivalenceisrelevant.IftheProductisinstalledontoanOS—orisintegratedintoanOS—thenbothhardwareandsoftwareequivalencearerequired.Likewise,iftheProductcanbeinstalledeitheronbaremetaloronanoperatingsystem,bothhardwareandsoftwareequivalencearerelevant.
F.5.1HardwarePlatformEquivalenceIfaVirtualizationSolutionrunsdirectlyonhardwarewithoutanoperatingsystem,thenplatformequivalenceisbasedprimarilyonprocessorarchitectureandinstructionsets.
Platformswithdifferentprocessorarchitecturesandinstructionsetsarenotequivalent.Thisisprobablynotanissuebecausethereislikelytobeadifferentproductmodelfordifferenthardwareenvironments.
Equivalencyanalysisbecomesimportantwhencomparingplatformswiththesameprocessorarchitecture.ProcessorswiththesamearchitecturethathaveinstructionsetsthataresubsetsorsupersetsofeachotherarenotdisqualifiedfrombeingequivalentforpurposesofaVPPevaluation.IftheVStakesthesamecodepathswhenexecutingPP-specifiedsecurityfunctionalityondifferentprocessorsofthesamefamily,thentheprocessorscanbeconsideredequivalentwithrespecttothatapplication.
Forexample,ifaVSfollowsonecodepathonplatformsthatsupporttheAES-NIinstructionandanotheronplatformsthatdonot,thenthosetwoplatformsarenotequivalentwithrespecttothatVSfunctionality.ButiftheVSfollowsthesamecodepathwhetherornottheplatformsupportsAES-NI,thentheplatformsareequivalentwithrespecttothatfunctionality.
TheplatformsareequivalentwithrespecttotheVSiftheplatformsareequivalentwithrespecttoallPP-specifiedsecurityfunctionality.
Table12:FactorsforDeterminingHardwarePlatformEquivalence
Factor Same/Different/None Guidance
PlatformArchitectures
Different Hardwareplatformsthatimplementdifferentprocessorarchitecturesandinstructionsetsarenotequivalent.
PP-SpecifiedFunctionality
Same Forplatformswiththesameprocessorarchitecture,theplatformsareequivalentwithrespecttotheapplicationifexecutionofallPP-specifiedsecurityfunctionalityfollowsthesamecodepathonbothplatforms.
F.5.2SoftwarePlatformEquivalenceIftheProductinstallsontoorintegrateswithanoperatingsystemthatisnotinstalledwiththeproduct--andthusisnotpartoftheTOE--thentheProductmustbetestedonallnon-equivalentSoftwarePlatforms.
TheguidanceforProductModel(Section3)specifiesthatProductsintendedforuseonsubstantiallydifferentoperatingsystems(e.g.Windowsvs.Linuxvs.SunOS)aredifferentModels.Therefore,platformsrunningsubstantiallydifferentoperatingsystemsaredefactonotequivalent.Likewise,operatingsystemswithdifferentmajorversionnumbersarenotequivalentforpurposesofthisPP.
Asaresult,SoftwarePlatformequivalenceislargelyconcernedwithrevisionsandvariationsofoperatingsystemsthataresubstantiallythesame(e.g.differentversionsandrevisionlevelsofWindowsorLinux).
Table13:FactorsforDeterminingSoftwarePlatformEquivalence
Factor Same/Different/None Guidance
PlatformType/Vendor
Different Operatingsystemsthataresubstantiallydifferentorcomefromdifferentvendorsarenotequivalent.
PlatformVersions
Different Operatingsystemsarenotequivalentiftheyhavedifferentmajorversionnumbers.
PP-SpecifiedFunctionality
Same Ifthedifferencesbetweensoftwareplatformmodelsorversionsaffectonlynon-PP-specifiedfunctionality,thenthesoftwareplatformsareequivalent.
Different IfPP-specifiedsecurityfunctionalityisaffectedbythedifferencesbetweensoftwareplatformversionsormodels,thenthesoftwareplatformsarenotconsideredequivalentandmustbetestedseparately.Itisnecessaryonlytotestthefunctionalityaffectedbythechanges.Ifonlythedifferencesaretested,thenforeachdifferencetheVendormustprovideanexplanationofwhythedifferencedoesordoesnotaffectPP-specifiedfunctionality.IftheProductsarefullytestedoneachplatform,thenthereisnoneedtodocumentthedifferences.
F.6LevelofSpecificityforTestedConfigurationsandClaimedEquivalentConfigurationsInordertomakeequivalencydeterminations,thevendorandevaluatormustagreeontheequivalencyclaims.TheymustthenprovidetheschemewithsufficientinformationabouttheTOEinstancesandplatformsthatwereevaluated,andtheTOEinstancesandplatformsthatareclaimedtobeequivalent.
TheSTmustdescribeallconfigurationsevaluateddowntoprocessormanufacturer,modelnumber,andmicroarchitectureversion.
TheinformationregardingclaimedequivalentconfigurationsdependsontheplatformthattheVSwasdevelopedforandrunson.
Bare-MetalVS
ForVSesthatrunwithoutanoperatingsystemonbare-metalorvirtualbare-metal,theclaimedconfigurationmustdescribetheplatformdowntothespecificprocessormanufacturer,modelnumber,andmicroarchitectureversion.TheVendormustdescribethedifferencesintheTOEwithrespecttoPP-specifiedsecurityfunctionalityandhowtheTOEoperatesdifferentlytoleverageplatformdifferences(e.g.,instructionsetextensions)inthetestedconfigurationversustheclaimedequivalentconfiguration.
VSwithOSSupport
ForVSesthatrunonanOShostorwiththeassistanceofanOS,thentheclaimedconfigurationmustdescribetheOSdowntoitsspecificmodelandversionnumber.TheVendormustdescribethedifferencesintheTOEwithrespecttoPP-specifiedsecurityfunctionalityandhowtheTOEfunctionsdifferentlytoleverageplatformdifferencesinthetestedconfigurationversustheclaimedequivalentconfiguration.
AppendixG-Referencesext-comp-def
Identifier Title
[CC] CommonCriteriaforInformationTechnologySecurityEvaluation-Part1:IntroductionandGeneralModel,CCMB-2017-04-001,Version3.1,Revision5,April2017.Part2:SecurityFunctionalComponents,CCMB-2017-04-002,Version3.1,Revision5,April2017.Part3:SecurityAssuranceComponents,CCMB-2017-04-003,Version3.1,Revision5,April2017.
[CEM] CommonEvaluationMethodologyforInformationTechnologySecurity-EvaluationMethodology,CCMB-2017-04-004,Version3.1,Revision5,April2017.
AppendixH-Acronyms
Acronym Meaning
AES AdvancedEncryptionStandard
Base-PP BaseProtectionProfile
CC CommonCriteria
CEM CommonEvaluationMethodology
CPU CentralProcessingUnit
DEP DataExecutionPrevention
DKM DerivedKeyingMaterial
DSS DigitalSignatureStandard
ECC EllipticCurveCryptography
FFC Finite-FieldCryptography
FIPS FederalInformationProcessingStandard
IEC InternationalElectrotechnicalCommission
IP InternetProtocol
ISO InternationalOrganizationforStandardization
IT InformationTechnology
ITSEF InformationTechnologySecurityEvaluationFacility
KDF KeyDerivationFunction
MAC MessageAuthenticationCode
NIST NationalInstituteofStandardsandTechnology
NVLAP NationalVoluntaryLaboratoryAccreditationProgram
OE OperationalEnvironment
OS OperatingSystem
PKV PublicKeyVerification
PP ProtectionProfile
PP-Configuration ProtectionProfileConfiguration
PP-Module ProtectionProfileModule
RSA Rivest,Shamir,Adleman
SAR SecurityAssuranceRequirement
SFR SecurityFunctionalRequirement
SP SpecialPublication
SPD SecurityPolicyDatabase
SSP SystemSecurityPolicy
ST SecurityTarget
SWID SoftwareIdentification
TOE TargetofEvaluation
TPM TrustedPlatformModule
TSF TOESecurityFunctionality
TSFI TSFInterface
TSS TOESummarySpecification
VM VirtualMachine
VMM VirtualMachineManager
VS VirtualizationSystem