Protection Profile: pp_psshid_v1.1

Peripheral Sharing Switch (PSS) for Human Interface Devices Protection Profile
Peripheral Sharing Switch (PSS) For Human Interface Devices Protection Profile
Information Assurance Directorate
Version 1.1
Date 25 July 2007
Version 1.1 (25 July 2007)
Page 1of 51
Preface
Protection Profile Title:
Peripheral Sharing Switch (PSS) for Human Interface Devices Protection Profile
Criteria Version:
This Protection Profile “Peripheral Sharing Switch (PSS) for Human Interface Devices
Protection Profile” (PP) was updated using Version 3.1 of the Common Criteria (CC).
Editor’s note: The purpose of this update was to bring the PP up to the new CC 3.1
standard without changing the authors’ original meaning or purpose of the documented
requirements. The original PP was developed using version 2.x of the CC. The CC
version 2.3 was the final version 2 update that included all international interpretations.
CC version 3.1 used the final CC version 2.3 Security Functional Requirements (SFR)s
as the new set of SFRs for version 3.1. Some minor changes were made to the SFRs in
version 3.1, including moving a few SFRs to Security Assurance Requirements (SAR)s.
There may be other minor differences between some SFRs in the version 2.3 PP and the
new version 3.1 SFRs. These minor differences were not modified to ensure the author’s
original intent was preserved.
The version 3.1 SARs were rewritten by the common criteria international
community. The NIAP/CCEVS staff developed an assurance equivalence mapping
between the version 2.3 and 3.1 SARs. The assurance equivalent version 3.1 SARs
replaced the version 2.3 SARs in the PP.
Any issue that may arise when claiming compliance with this PP can be resolved
using the observation report (OR) and observation decision (OD) process.
Further information, including the status and updates of this protection profile can be
found on the CCEVS website: http://www.niap-ccevs.org/cc-scheme/pp/. Comments on
this document should be directed to [email protected]. The email should
include the title of the document, the page, the section number, the paragraph number,
and the detailed comment and recommendation.
Table of Contents
Preface................................................................................................................................. 2
Foreword ............................................................................................................................. 4
1. Introduction..................................................................................................................... 5
1.1 Identification ............................................................................................................. 5
1.2 Protection Profile Overview ..................................................................................... 5
2. Target of Evaluation Description.................................................................................... 6
3. Target of Evaluation Security Environment ................................................................... 8
3.1 Secure Usage Assumptions....................................................................................... 8
3.2 Threats to Security .................................................................................................... 8
4. Security Objectives ....................................................................................................... 10
4.1 Security Objectives for the Target of Evaluation ................................................... 10
4.2 Security Objectives for the Environment................................................................ 10
5. Information Technology Security Requirements.......................................................... 11
5.1 Target of Evaluation Security Requirements..................................................... 11
5.1.1 User Data Protection (FDP) ............................................................................. 11
5.1.2 Security Management (FMT) .......................................................................... 12
5.1.3 Extended Requirements (EXT)........................................................................ 13
5.2 Target of Evaluation Security Assurance Requirements .................................. 13
Class ADV: Development......................................................................................... 14
Class AGD: Guidance documents ............................................................................ 18
Class ALC: Life-cycle support ................................................................................. 20
Class ATE: Tests....................................................................................................... 26
Class AVA: Vulnerability assessment ...................................................................... 29
6. Rationale ....................................................................................................................... 30
6.1 Security Objectives Rationale................................................................................. 30
6.2 Environmental Objectives Rationale ...................................................................... 36
6.3 Security Requirements Rationale............................................................................ 38
6.4 Dependencies Not Met............................................................................................ 42
6.5 Mapping Tables ...................................................................................................... 43
Terms of Reference........................................................................................................... 46
Acronyms.......................................................................................................................... 49
References......................................................................................................................... 51
Foreword
This publication, “Peripheral Sharing Switch (PSS) for Human Interface Devices”
Protection Profile, is issued by the Information Assurance Directorate (IAD) as part of its
program to promulgate security standards for the components of information assurance
solutions.
The base set of requirements used in this Protection Profile are taken from the Common
Criteria for Information Technology Security Evaluation, Version 2.1. Further
information, including the status and updates, of both this Profile and the Common
Criteria, can be found on the Internet at “http://www.radium.ncsc.mil/tpep”.
Words which appear in SMALL CAPITALS are those which are formally defined in the
Terms of Reference section.
Comments on this document should be directed to:
National Security Agency
9800 Savage Road, Suite 6757
Fort George G. Meade, MD 20755-6757
or
[email protected]
1. Introduction
1.1 Identification
Title: Peripheral Sharing Switch (PSS) for Human Interface Devices.
Assurance Level: EAL 4 augmented with ALC_FLR.2.
PP Version: 1.1, 25 July 2007.
General Status: Evaluated Products List.
Registration: PSSPP; NSA/Information Systems Security Organization.
Keywords: DEVICE sharing, multi-way SWITCH, PERIPHERAL switching,
KEYBOARD-Video-MONITOR/Mouse (KVM) SWITCH.
1.2 Protection Profile Overview
This Protection Profile specifies U.S. Department of Defense minimum security
requirements for PERIPHERAL SWITCHES; DEVICES which enable a single set of HUMAN
INTERFACE DEVICES to be shared between multiple COMPUTERS.
The Protection Profile is consistent with Common Criteria Version 3.1: Part 2 and Part 3
conformant (Evaluation Assurance Level 4).
2. Target of Evaluation Description
This document addresses a DEVICE, hereinafter referred to as a “Peripheral Sharing
Switch” (PSS) or simply “SWITCH”--the Target of Evaluation (TOE)--permitting a single
set of HUMAN INTERFACE DEVICES to be shared among two or more COMPUTERS (see
Figure 1).
The TOE is normally installed in settings where a single USER with limited work surface
space needs to access two or more COMPUTERS, collectively termed SWITCHED
COMPUTERS (which need not be physically distinct entities). The USER may have a
KEYBOARD, a visual display (e.g., MONITOR), a POINTING DEVICE (e.g., mouse), and/or
alternative INPUT/OUTPUT DEVICES to interact with the COMPUTER(S). These are
collectively referred to as the SHARED PERIPHERALS.
In operation, the TOE will be CONNECTED to only one COMPUTER at a time. To use a
different COMPUTER, the USER must perform some specific action (e.g., push a button,
turn a knob, etc.). The TOE will then visually indicate which COMPUTER was selected by
the USER. Such indication is persistent and not transitory in nature.
The TOE must not have, and in fact must specifically preclude, any features that permit
USER information to be shared or transferred between COMPUTERS via the TOE.
A PERIPHERAL PORT GROUP is a collection of DEVICE PORTS treated as a single entity by
the TOE. There is one GROUP for the set of SHARED PERIPHERALS and one GROUP for each
CONNECTED SWITCHED COMPUTER. Each SWITCHED COMPUTER GROUP has some unique
associated logical ID. The SHARED PERIPHERAL GROUP ID is considered to be the same as
that of the SWITCHED COMPUTER GROUP currently selected by the TOE.
Data Separation Security Function Policy (SFP): The TOE shall allow PERIPHERAL
DATA and STATE INFORMATION to be transferred only between PERIPHERAL PORT GROUPS
with the same ID.
The TOE itself is not concerned with the USER’S information flowing between the
SHARED PERIPHERALS and the SWITCHED COMPUTERS. It is only providing a CONNECTION
between the HUMAN INTERFACE DEVICES and a selected COMPUTER at any given instant.
SWITCHES of this type may differ significantly from the familiar “A/B” printer or serial
port SWITCHES, where no constraints are placed on connections between devices. Some
SWITCHES may provide enhanced features such as scanning (where it continually switches
between the COMPUTERS until the USER performs an action to halt the switching), or video
protocol conversion (e.g., Macintosh, Sun, PC, etc.) information in mixed COMPUTER
environments. These enhancements must be examined to ensure that information is not
shared or transferred between COMPUTERS.
Figure 1: A Typical Configuration of Shared Peripherals
3. Target of Evaluation Security Environment
3.1 Secure Usage Assumptions
A.ACCESS An AUTHORIZED USER possesses the necessary privileges to access the
information transferred by the TOE. USERS are AUTHORIZED USERS.
A.EMISSION The TOE meets the appropriate national requirements (in the country
where used) for conducted/radiated electromagnetic emissions. [In the United States, Part
15 of the FCC Rules for Class B digital devices.]
A.ISOLATE Only the selected COMPUTER’S video channel will be visible on the shared
MONITOR.
A.MANAGE The TOE is installed and managed in accordance with the manufacturer’s
directions.
A.NOEVIL The AUTHORIZED USER is non-hostile and follows all usage guidance.
A.PHYSICAL The TOE is physically secure.
A.SCENARIO Vulnerabilities associated with attached DEVICES (SHARED PERIPHERALS
or SWITCHED COMPUTERS), or their CONNECTION to the TOE, are a concern of the
application scenario and not of the TOE.
3.2 Threats to Security
The asset under attack is the information transiting the TOE. In general, the threat agent
is most likely (but not limited to) people with TOE access (who are expected to possess
“average” expertise, few resources, and moderate motivation) or failure of the TOE or
PERIPHERALS.
T.BYPASS The TOE may be bypassed, circumventing nominal SWITCH functionality.
T.INSTALL The TOE may be delivered and installed in a manner which violates the
security policy.
T.LOGICAL The functionality of the TOE may be changed by reprogramming in such a
way as to violate the security policy.
T.PHYSICAL A physical attack on the TOE may violate the security policy.
T.RESIDUAL RESIDUAL DATA may be transferred between PERIPHERAL PORT GROUPS
with different IDs.
T.SPOOF Via intentional or unintentional actions, a USER may think the set of SHARED
PERIPHERALS are CONNECTED to one COMPUTER when in fact they are connected to a
different one.
T.STATE STATE INFORMATION may be transferred to a PERIPHERAL PORT GROUP with an
ID other than the selected one.
T.TRANSFER A CONNECTION, via the TOE, between COMPUTERS may allow information
transfer.
4. Security Objectives
4.1 Security Objectives for the Target of Evaluation
O.CONF The TOE shall not violate the confidentiality of information which it processes.
Information generated within any PERIPHERAL GROUP-COMPUTER CONNECTION shall not
be accessible by any other PERIPHERAL GROUP-COMPUTER CONNECTION.
O.CONNECT No information shall be shared between SWITCHED COMPUTERS via the
TOE. This includes STATE INFORMATION, if such is maintained within the TOE.
O.INDICATE The AUTHORIZED USER shall receive an unambiguous indication of which
SWITCHED COMPUTER has been selected.
O.INVOKE Upon switch selection, the TOE is invoked.
O.NOPROG Logic contained within the TOE shall be protected against unauthorized
modification. Embedded logic must not be stored in programmable or re-programmable
components.
O.ROM TOE software/firmware shall be protected against unauthorized modification.
Embedded software must be contained in mask-programmed or one-time-programmable
read-only memory permanently attached (non-socketed) to a circuit assembly.
O.SELECT An explicit action by the AUTHORIZED USER shall be used to select the
COMPUTER to which the shared set of PERIPHERAL DEVICES is CONNECTED. Single push
button, multiple push button, or rotary selection methods are used by most (if not all)
current market products. Automatic switching based on scanning shall not be used as a
selection mechanism.
O.SWITCH All DEVICES in a SHARED PERIPHERAL GROUP shall be CONNECTED to at
most one SWITCHED COMPUTER at a time.
4.2 Security Objectives for the Environment
All of the Secure Usage Assumptions are considered to be Security Objectives for the
Environment. These Objectives are to be satisfied without imposing technical
requirements on the TOE; they will not require the implementation of functions in the
TOE hardware and/or software, but will be satisfied largely through application of
procedural or administrative measures.
OE.ACCESS The AUTHORIZED USER shall possess the necessary privileges to access the
information transferred by the TOE. USERS are AUTHORIZED USERS.
OE.EMISSION The TOE shall meet the appropriate national requirements (in the country
where used) for conducted/radiated electromagnetic emissions. [In the United States, Part
15 of the FCC Rules for Class B digital devices.]
OE.ISOLATE Only the selected COMPUTER’S video channel shall be visible on the shared
MONITOR.
OE.MANAGE The TOE shall be installed and managed in accordance with the
manufacturer’s directions.
OE.NOEVIL The AUTHORIZED USER shall be non-hostile and follow all usage guidance.
OE.PHYSICAL The TOE shall be physically secure.
OE.SCENARIO Vulnerabilities associated with attached DEVICES (SHARED PERIPHERALS
or SWITCHED COMPUTERS), or their CONNECTION to the TOE, shall be a concern of the
application scenario and not of the TOE.
5. Information Technology Security Requirements
5.1 Target of Evaluation Security Requirements
Words which appear in italics are tailoring (via permitted operations)
of requirement definitions.
5.1.1 User Data Protection (FDP)
5.1.1.1 FDP_ETC.1 (Export of User Data Without Security Attributes)
[Dependencies: FDP_ACC.1 or FDP_IFC.1]
1 The TSF shall enforce the Data Separation SFP when exporting user
data, controlled under the SFP(s), outside of the TSC.
2 The TSF shall export the user data without the user data’s
associated security attributes.
5.1.1.2 FDP_IFC.1 (Subset Information Flow Control)
[Dependencies: FDP_IFF.1]
1 The TSF shall enforce the Data Separation SFP on
the set of PERIPHERAL PORT GROUPS, and the bidirectional flow of PERIPHERAL DATA and STATE
INFORMATION between the SHARED PERIPHERALS and the
SWITCHED COMPUTERS.
5.1.1.3 FDP_IFF.1 (Simple Security Attributes)
[Dependencies: FDP_IFC.1 and FMT_MSA.3]
1 The TSF shall enforce the Data Separation SFP based on the
following types of subject and information security attributes:
PERIPHERAL PORT GROUPS (SUBJECTS), PERIPHERAL DATA and STATE
INFORMATION (OBJECTS), and PERIPHERAL PORT GROUP IDs
(ATTRIBUTES).
2 The TSF shall permit an information flow between a
controlled subject and controlled information via a
controlled operation if the following rules hold:
Switching Rule:
PERIPHERAL DATA can flow to a PERIPHERAL PORT GROUP
with a given ID only if it was received from a PERIPHERAL PORT
GROUP with the same ID.
3 The TSF shall enforce the [No additional information flow control
SFP rules.]
4 The TSF shall provide the following: [No additional SFP
capabilities.]
5 The TSF shall explicitly authorize an information flow based on the
following rules: [No additional rules.]
6 The TSF shall explicitly deny an information flow based on the
following rules: [No additional rules.]
5.1.1.4 FDP_ITC.1 (Import of User Data Without Security Attributes)
[Dependencies: (FDP_ACC.1 or FDP_IFC.1) and FMT_MSA.3]
1 The TSF shall enforce the Data Separation SFP when importing user
data, controlled under the SFP, from outside the TSC.
2 The TSF shall ignore any security attributes associated with the user
data when imported from outside the TSC.
3 The TSF shall enforce the following rules when importing user
data controlled under the SFP from outside the TSC: [No
additional rules.]
5.1.2 Security Management (FMT)
5.1.2.1 FMT_MSA.1 (Management of Security Attributes)
[Dependencies: (FDP_ACC.1 or FDP_IFC.1) and FMT_SMR.1]
1 The TSF shall enforce the Data Separation SFP to restrict the
ability to modify the security attributes PERIPHERAL PORT GROUP
IDS to the USER.
Application Note: An AUTHORIZED USER shall perform an explicit
action to select the COMPUTER to which the shared set of
PERIPHERAL devices is CONNECTED.
5.1.2.2 FMT_MSA.3 (Static Attribute Initialization)
[Dependencies: FMT_MSA.1 and FMT_SMR.1]
1 The TSF shall enforce the Data Separation SFP to provide restrictive
default values for security attributes that are used to enforce the SFP.
Application Note: On start-up, one and only one attached
COMPUTER shall be selected.
2 The TSF shall allow [none] to specify alternative initial values
to override the default values when an object or information is
created.
5.1.3 Extended Requirements (EXT)
5.1.3.1 EXT_VIR.1 (Visual Indication Rule)
[No dependencies]
1 A visual method of indicating which COMPUTER is CONNECTED to
the shared set of PERIPHERAL DEVICES shall be provided.
Application Note: Does not require tactile indicators, but
does not preclude their presence. The indication shall
persist for the duration of the CONNECTION.
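The Data Separation SFP stated in Section 2 and the functional requirements above (FDP_IFC.1, FDP_IFF.1, FMT_MSA.1, FMT_MSA.3 and EXT_VIR.1) together define a small information-flow policy: PERIPHERAL PORT GROUPS are the subjects, PERIPHERAL DATA and STATE INFORMATION the objects, and the group ID the only attribute. Writing that policy down as an executable model is a practical way to check a design or a Security Target test plan against the PP before hardware exists. The Python below is an example added for this edition; it is not part of the Protection Profile and does not describe any evaluated product. The class and method names, the choice of COMPUTER 1 as the start-up selection, the holding of data returning from a non-selected COMPUTER, and the discarding of held data at a switch-over are all modelling assumptions made here, not requirements of the PP.

```python
from dataclasses import dataclass, field


@dataclass
class Message:
    """OBJECT under the SFP: PERIPHERAL DATA or STATE INFORMATION, tagged with the
    PERIPHERAL PORT GROUP ID of the group it was received from."""
    payload: bytes
    origin_id: int
    is_state: bool = False


@dataclass
class PortGroup:
    """SUBJECT under the SFP: a PERIPHERAL PORT GROUP; group_id is its ATTRIBUTE."""
    kind: str            # "SHARED" or "COMPUTER" (labels chosen for this model)
    group_id: int
    delivered: list = field(default_factory=list)


class SeparationViolation(Exception):
    """A flow that would cross PERIPHERAL PORT GROUPS with different IDs."""


class PeripheralSharingSwitch:
    """Model of the TOE; the class and method names are chosen for this example."""

    def __init__(self, num_computers: int):
        if num_computers < 2:
            raise ValueError("a PSS shares peripherals among two or more COMPUTERS")
        self.computers = {i: PortGroup("COMPUTER", i) for i in range(1, num_computers + 1)}
        # FMT_MSA.3 restrictive default: on start-up one and only one COMPUTER is selected;
        # the SHARED group carries that COMPUTER's ID (COMPUTER 1 is assumed here).
        self.shared = PortGroup("SHARED", group_id=1)
        self.indicator = 1     # EXT_VIR.1: indication persists until the next selection
        self.pending = []      # Messages buffered inside the TOE, not yet delivered
        self.dropped = []      # buffered Messages discarded at a switch-over

    @property
    def selected(self) -> int:
        """The SHARED group ID is by definition that of the selected COMPUTER group."""
        return self.shared.group_id

    def check_flow(self, src: PortGroup, dst: PortGroup, msg: Message) -> bool:
        """FDP_IFF.1 Switching Rule: data may flow to a group with a given ID only if it
        was received from a group with the same ID. The PP adds no other permit or deny
        rules, so this comparison is the whole decision."""
        return src.group_id == msg.origin_id == dst.group_id

    def flow(self, src: PortGroup, dst: PortGroup, msg: Message) -> bool:
        if not self.check_flow(src, dst, msg):
            raise SeparationViolation(
                f"{src.kind} ID {src.group_id} -> {dst.kind} ID {dst.group_id} "
                f"for data of origin ID {msg.origin_id}")
        dst.delivered.append(msg)
        return True

    def select(self, computer_id: int) -> int:
        """FMT_MSA.1 / O.SELECT: only an explicit USER action changes the SHARED group ID.
        Modelling choice, not stated by the PP: data still held for any COMPUTER other than
        the newly selected one is discarded, never forwarded, so no RESIDUAL DATA or STATE
        INFORMATION follows the USER across the switch-over (T.RESIDUAL, T.STATE)."""
        if computer_id not in self.computers:
            raise KeyError(f"no SWITCHED COMPUTER with ID {computer_id}")
        self.dropped.extend(m for m in self.pending if m.origin_id != computer_id)
        retained = [m for m in self.pending if m.origin_id == computer_id]
        self.pending = []
        self.shared.group_id = computer_id
        self.indicator = computer_id
        for msg in retained:  # IDs now match on both sides, so the rule permits delivery
            self.flow(self.computers[computer_id], self.shared, msg)
        return self.indicator

    def keyboard_input(self, payload: bytes) -> int:
        """PERIPHERAL DATA from the SHARED group reaches the selected COMPUTER only."""
        self.flow(self.shared, self.computers[self.selected],
                  Message(payload, origin_id=self.shared.group_id))
        return self.selected

    def computer_output(self, computer_id: int, payload: bytes, is_state: bool = False) -> bool:
        """Data returning from a COMPUTER (e.g. a keyboard LED command, STATE INFORMATION).
        Delivered to the SHARED group only while that COMPUTER is selected; otherwise held
        for that COMPUTER and never redirected. Returns True if delivered now."""
        src = self.computers[computer_id]
        msg = Message(payload, origin_id=computer_id, is_state=is_state)
        if not self.check_flow(src, self.shared, msg):
            self.pending.append(msg)
            return False
        return self.flow(src, self.shared, msg)
```

Driving the model with constructed inputs (keystrokes while COMPUTER 1 is selected, LED state sent by COMPUTERS 2 and 3 while not selected, then an explicit selection of COMPUTER 2) shows the three properties the PP cares about: a COMPUTER-to-COMPUTER flow is never permitted, STATE INFORMATION from a non-selected COMPUTER never reaches the SHARED group, and anything held for COMPUTER 3 is dropped rather than carried across when the USER selects COMPUTER 2. Because the rule in check_flow is a single equality over IDs, the same model covers any number of SWITCHED COMPUTERS without change.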
5.2 Target of Evaluation Security Assurance Requirements
This section defines the assurance requirements for the TOE. The table below
summarizes the components for EAL4 augmented. The augmented requirement is marked
“(augmented)” in the table.
Table 1 Assurance Requirements
Assurance Class           Assurance Components    Assurance Components Description
Development               ADV_ARC.1               Security Architectural Description
                          ADV_FSP.4               Complete Functional Specification
                          ADV_IMP.1               Implementation of the TSF
                          ADV_TDS.3               Basic modular design
Guidance Documents        AGD_OPE.1               Operational user guidance
                          AGD_PRE.1               Preparative User guidance
Life Cycle Support        ALC_CMC.4               Production support, acceptance procedures and automation
                          ALC_CMS.4               Problem tracking CM coverage
                          ALC_DEL.1               Delivery procedures
                          ALC_DVS.1               Identification of security measures
                          ALC_FLR.2 (augmented)   Flaw Reporting Procedures
                          ALC_LCD.1               Developer defined life-cycle model
                          ALC_TAT.1               Well-defined development tools
Tests                     ATE_COV.2               Analysis of coverage
                          ATE_DPT.2               Testing: security enforcing modules
                          ATE_FUN.1               Functional testing
                          ATE_IND.2               Independent testing - sample
Vulnerability Assessment  AVA_VAN.3               Focused vulnerability analysis
Class ADV: Development
ADV_ARC.1 Security architecture description
Dependencies: ADV_FSP.1 Basic functional specification
ADV_TDS.1 Basic design
Developer action elements:
ADV_ARC.1.1D The developer shall design and implement the TOE so that the
security features of the TSF cannot be bypassed.
ADV_ARC.1.2D The developer shall design and implement the TSF so that it is
able to protect itself from tampering by untrusted active entities.
ADV_ARC.1.3D The developer shall provide a security architecture description of
the TSF.
Content and presentation elements:
ADV_ARC.1.1C The security architecture description shall be at a level of detail
commensurate with the description of the SFR-enforcing
abstractions described in the TOE design document.
ADV_ARC.1.2C The security architecture description shall describe the security
domains maintained by the TSF consistently with the SFRs.
ADV_ARC.1.3C The security architecture description shall describe how the TSF
initialization process is secure.
ADV_ARC.1.4C The security architecture description shall demonstrate that the
TSF protects itself from tampering.
ADV_ARC.1.5C The security architecture description shall demonstrate that the
TSF prevents bypass of the SFR-enforcing functionality.
Evaluator action elements:
ADV_ARC.1.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
ADV_FSP.4 Complete functional specification
Dependencies: ADV_TDS.1 Basic design
Developer action elements:
ADV_FSP.4.1D The developer shall provide a functional specification.
ADV_FSP.4.2D The developer shall provide a tracing from the functional
specification to the SFRs.
Content and presentation elements:
ADV_FSP.4.1C The functional specification shall completely represent the TSF.
ADV_FSP.4.2C The functional specification shall describe the purpose and
method of use for all TSFI.
ADV_FSP.4.3C The functional specification shall identify and describe all
parameters associated with each TSFI.
ADV_FSP.4.4C The functional specification shall describe all actions associated
with each TSFI.
ADV_FSP.4.5C The functional specification shall describe all direct error
messages that may result from an invocation of each TSFI.
ADV_FSP.4.6C The tracing shall demonstrate that the SFRs trace to TSFIs in
the functional specification.
Evaluator action elements:
ADV_FSP.4.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
ADV_FSP.4.2E The evaluator shall determine that the functional specification is
an accurate and complete instantiation of the SFRs.
ADV_IMP.1 Implementation representation of the TSF
Dependencies: ADV_TDS.3 Basic modular design
ALC_TAT.1 Well-defined development tools
Developer action elements:
ADV_IMP.1.1D The developer shall make available the implementation
representation for the entire TSF.
ADV_IMP.1.2D The developer shall provide a mapping between the TOE design
description and the sample of the implementation representation.
Content and presentation elements:
ADV_IMP.1.1C The implementation representation shall define the TSF to a level
of detail such that the TSF can be generated without further design
decisions.
ADV_IMP.1.2C The implementation representation shall be in the form used by
the development personnel.
ADV_IMP.1.3C The mapping between the TOE design description and the
sample of the implementation representation shall demonstrate
their correspondence.
Evaluator action elements:
ADV_IMP.1.1E The evaluator shall confirm that, for the selected sample of the
implementation representation, the information provided meets all
requirements for content and presentation of evidence.
ADV_TDS.3 Basic modular design
Dependencies: ADV_FSP.4 Complete functional specification
Developer action elements:
ADV_TDS.3.1D The developer shall provide the design of the TOE.
ADV_TDS.3.2D The developer shall provide a mapping from the TSFI of the
functional specification to the lowest level of decomposition
available in the TOE design.
Content and presentation elements:
ADV_TDS.3.1C The design shall describe the structure of the TOE in terms of
subsystems.
ADV_TDS.3.2C The design shall describe the TSF in terms of modules.
ADV_TDS.3.3C The design shall identify all subsystems of the TSF.
ADV_TDS.3.4C The design shall provide a description of each subsystem of the
TSF.
ADV_TDS.3.5C The design shall provide a description of the interactions among
all subsystems of the TSF.
ADV_TDS.3.6C The design shall provide a mapping from the subsystems of the
TSF to the modules of the TSF.
ADV_TDS.3.7C The design shall describe each SFR-enforcing module in terms
of its purpose and interaction with other modules.
ADV_TDS.3.8C The design shall describe each SFR-enforcing module in terms
of its SFR-related interfaces, return values from those interfaces,
interaction with and called interfaces to other modules.
ADV_TDS.3.9C The design shall describe each SFR-supporting or SFR-non-interfering
module in terms of its purpose and interaction with other modules.
ADV_TDS.3.10C The mapping shall demonstrate that all behavior described in
the TOE design is mapped to the TSFIs that invoke it.
Evaluator action elements:
ADV_TDS.3.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
ADV_TDS.3.2E The evaluator shall determine that the design is an accurate and
complete instantiation of all security functional requirements.
Class AGD: Guidance documents
AGD_OPE.1 Operational user guidance
Dependencies: ADV_FSP.1 Basic functional specification
Developer action elements:
AGD_OPE.1.1D The developer shall provide operational user guidance.
Content and presentation elements:
AGD_OPE.1.1C The operational user guidance shall describe, for each user
role, the user-accessible functions and privileges that should be
controlled in a secure processing environment, including
appropriate warnings.
AGD_OPE.1.2C The operational user guidance shall describe, for each user
role, how to use the available interfaces provided by the TOE in a
secure manner.
AGD_OPE.1.3C The operational user guidance shall describe, for each user
role, the available functions and interfaces, in particular all security
parameters under the control of the user, indicating secure values
as appropriate.
AGD_OPE.1.4C The operational user guidance shall, for each user role, clearly
present each type of security-relevant event relative to the user-accessible functions
that need to be performed, including changing the security characteristics of entities
under the control of the TSF.
AGD_OPE.1.5C The operational user guidance shall identify all possible modes
of operation of the TOE (including operation following failure or
operational error), their consequences and implications for
maintaining secure operation.
AGD_OPE.1.6C The operational user guidance shall, for each user role,
describe the security measures to be followed in order to fulfill the
security objectives for the operational environment as described in
the ST.
AGD_OPE.1.7C The operational user guidance shall be clear and reasonable.
Evaluator action elements:
AGD_OPE.1.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
AGD_PRE.1 Preparative procedures
Dependencies: No dependencies.
Developer action elements:
AGD_PRE.1.1D The developer shall provide the TOE including its preparative
procedures.
Content and presentation elements:
AGD_PRE.1.1C The preparative procedures shall describe all the steps
necessary for secure acceptance of the delivered TOE in
accordance with the developer's delivery procedures.
AGD_PRE.1.2C The preparative procedures shall describe all the steps
necessary for secure installation of the TOE and for the secure
preparation of the operational environment in accordance with the
security objectives for the operational environment as described in
the ST.
Evaluator action elements:
AGD_PRE.1.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
AGD_PRE.1.2E The evaluator shall apply the preparative procedures to confirm
that the TOE can be prepared securely for operation.
Class ALC: Life-cycle support
ALC_CMC.4 Production support, acceptance procedures and automation
Dependencies: ALC_CMS.1 TOE CM coverage
ALC_DVS.1 Identification of security measures
ALC_LCD.1 Developer defined life-cycle model
Developer action elements:
ALC_CMC.4.1D The developer shall provide the TOE and a reference for the
TOE.
ALC_CMC.4.2D The developer shall provide the CM documentation.
ALC_CMC.4.3D The developer shall use a CM system.
Content and presentation elements:
ALC_CMC.4.1C The TOE shall be labeled with its unique reference.
ALC_CMC.4.2C The CM documentation shall describe the method used to
uniquely identify the configuration items.
ALC_CMC.4.3C The CM system shall uniquely identify all configuration items.
ALC_CMC.4.4C The CM system shall provide automated measures such that
only authorized changes are made to the configuration items.
ALC_CMC.4.5C The CM system shall support the production of the TOE by
automated means.
ALC_CMC.4.6C The CM documentation shall include a CM plan.
ALC_CMC.4.7C The CM plan shall describe how the CM system is used for the
development of the TOE.
ALC_CMC.4.8C The CM plan shall describe the procedures used to accept
modified or newly created configuration items as part of the TOE.
ALC_CMC.4.9C The evidence shall demonstrate that all configuration items are
being maintained under the CM system.
ALC_CMC.4.10C The evidence shall demonstrate that the CM system is being
operated in accordance with the CM plan.
Evaluator action elements:
ALC_CMC.4.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
ALC_CMS.4 Problem tracking CM coverage
Dependencies: No dependencies.
Developer action elements:
ALC_CMS.4.1D The developer shall provide a configuration list for the TOE.
Content and presentation elements:
ALC_CMS.4.1C The configuration list shall include the following: the TOE itself;
the evaluation evidence required by the SARs; the parts that
comprise the TOE; the implementation representation; and security
flaw reports and resolution status.
ALC_CMS.4.2C The configuration list shall uniquely identify the configuration
items.
ALC_CMS.4.3C For each TSF relevant configuration item, the configuration list
shall indicate the developer of the item.
Evaluator action elements:
ALC_CMS.4.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
ALC_DEL.1 Delivery procedures
Dependencies: No dependencies.
Developer action elements:
ALC_DEL.1.1D The developer shall document procedures for delivery of the
TOE or parts of it to the consumer.
ALC_DEL.1.2D The developer shall use the delivery procedures.
Content and presentation elements:
ALC_DEL.1.1C The delivery documentation shall describe all procedures that
are necessary to maintain security when distributing versions of the
TOE to the consumer.
Evaluator action elements:
ALC_DEL.1.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
ALC_DVS.1 Identification of security measures
Dependencies: No dependencies.
Developer action elements:
ALC_DVS.1.1D The developer shall produce development security
documentation.
Content and presentation elements:
ALC_DVS.1.1C The development security documentation shall describe all the
physical, procedural, personnel, and other security measures that
are necessary to protect the confidentiality and integrity of the TOE
design and implementation in its development environment.
Evaluator action elements:
ALC_DVS.1.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
ALC_DVS.1.2E The evaluator shall confirm that the security measures are being
applied.
ALC_FLR.2 Flaw reporting procedures
Dependencies: No dependencies.
Developer action elements:
ALC_FLR.2.1D The developer shall document flaw remediation procedures
addressed to TOE developers.
ALC_FLR.2.2D The developer shall establish a procedure for accepting and
acting upon all reports of security flaws and requests for corrections
to those flaws.
ALC_FLR.2.3D The developer shall provide flaw remediation guidance
addressed to TOE users.
Content and presentation elements:
ALC_FLR.2.1C The flaw remediation procedures documentation shall describe
the procedures used to track all reported security flaws in each
release of the TOE.
ALC_FLR.2.2C The flaw remediation procedures shall require that a description
of the nature and effect of each security flaw be provided, as well
as the status of finding a correction to that flaw.
ALC_FLR.2.3C The flaw remediation procedures shall require that corrective
actions be identified for each of the security flaws.
ALC_FLR.2.4C The flaw remediation procedures documentation shall describe
the methods used to provide flaw information, corrections and
guidance on corrective actions to TOE users.
ALC_FLR.2.5C The flaw remediation procedures shall describe a means by
which the developer receives from TOE users reports and enquiries
of suspected security flaws in the TOE.
ALC_FLR.2.6C The procedures for processing reported security flaws shall
ensure that any reported flaws are remediated and the remediation
procedures issued to TOE users.
ALC_FLR.2.7C The procedures for processing reported security flaws shall
provide safeguards that any corrections to these security flaws do
not introduce any new flaws.
ALC_FLR.2.8C The flaw remediation guidance shall describe a means by which
TOE users report to the developer any suspected security flaws in
the TOE.
Evaluator action elements:
ALC_FLR.2.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
ALC_LCD.1 Developer defined life-cycle model
Dependencies: No dependencies.
Developer action elements:
ALC_LCD.1.1D The developer shall establish a life-cycle model to be used in the
development and maintenance of the TOE.
ALC_LCD.1.2D The developer shall provide life-cycle definition documentation.
Content and presentation elements:
ALC_LCD.1.1C The life-cycle definition documentation shall describe the model
used to develop and maintain the TOE.
ALC_LCD.1.2C The life-cycle model shall provide for the necessary control over
the development and maintenance of the TOE.
Evaluator action elements:
ALC_LCD.1.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
ALC_TAT.1 Well-defined development tools
Dependencies: ADV_IMP.1 Implementation representation of the
TSF
Developer action elements:
ALC_TAT.1.1D The developer shall identify each development tool being used
for the TOE.
ALC_TAT.1.2D The developer shall document the selected implementation-dependent
options of each development tool.
Content and presentation elements:
ALC_TAT.1.1C Each development tool used for implementation shall be well-defined.
ALC_TAT.1.2C The documentation of each development tool shall
unambiguously define the meaning of all statements as well as all
conventions and directives used in the implementation.
ALC_TAT.1.3C The documentation of each development tool shall
unambiguously define the meaning of all implementation-dependent options.
Evaluator action elements:
ALC_TAT.1.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
Class ATE: Tests
ATE_COV.2 Analysis of coverage
Dependencies: ADV_FSP.2 Security-enforcing functional
specification
ATE_FUN.1 Functional testing
Developer action elements:
ATE_COV.2.1D The developer shall provide an analysis of the test coverage.
Content and presentation elements:
ATE_COV.2.1C The analysis of the test coverage shall demonstrate the
correspondence between the tests in the test documentation and
the TSFIs in the functional specification.
ATE_COV.2.2C The analysis of the test coverage shall demonstrate that all
TSFIs in the functional specification have been tested.
Evaluator action elements:
ATE_COV.2.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
ATE_DPT.2 Testing: security enforcing modules
Dependencies: ADV_ARC.1 Security architecture description
ADV_TDS.3 Basic modular design
ATE_FUN.1 Functional testing
Developer action elements:
ATE_DPT.2.1D The developer shall provide the analysis of the depth of testing.
Content and presentation elements:
ATE_DPT.2.1C The analysis of the depth of testing shall demonstrate the
correspondence between the tests in the test documentation and
the TSF subsystems and SFR-enforcing modules in the TOE
design.
ATE_DPT.2.2C The analysis of the depth of testing shall demonstrate that all
TSF subsystems in the TOE design have been tested.
ATE_DPT.2.3C The analysis of the depth of testing shall demonstrate that the
SFR-enforcing modules in the TOE design have been tested.
Evaluator action elements:
ATE_DPT.2.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
ATE_FUN.1 Functional testing
Dependencies: ATE_COV.1 Evidence of coverage
Developer action elements:
ATE_FUN.1.1D The developer shall test the TSF and document the results.
ATE_FUN.1.2D The developer shall provide test documentation.
Content and presentation elements:
ATE_FUN.1.1C The test documentation shall consist of test plans, expected test
results and actual test results.
ATE_FUN.1.2C The test plans shall identify the tests to be performed and
describe the scenarios for performing each test. These scenarios
shall include any ordering dependencies on the results of other
tests.
ATE_FUN.1.3C The expected test results shall show the anticipated outputs from
a successful execution of the tests.
ATE_FUN.1.4C The actual test results shall be consistent with the expected test
results.
Evaluator action elements:
ATE_FUN.1.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
ATE_IND.2 Independent testing - sample
Dependencies: ADV_FSP.2 Security-enforcing functional
specification
AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
ATE_COV.1 Evidence of coverage
ATE_FUN.1 Functional testing
Developer action elements:
ATE_IND.2.1D The developer shall provide the TOE for testing.
Content and presentation elements:
ATE_IND.2.1C The TOE shall be suitable for testing.
ATE_IND.2.2C The developer shall provide an equivalent set of resources to
those that were used in the developer's functional testing of the
TSF.
Evaluator action elements:
ATE_IND.2.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
ATE_IND.2.2E The evaluator shall execute a sample of tests in the test
documentation to verify the developer test results.
ATE_IND.2.3E The evaluator shall test a subset of the TSF to confirm that the
TSF operates as specified.
Class AVA: Vulnerability assessment
AVA_VAN.3 Focused vulnerability analysis
Dependencies: ADV_ARC.1 Security architecture description
ADV_FSP.2 Security-enforcing functional specification
ADV_TDS.3 Basic modular design
ADV_IMP.1 Implementation representation of the TSF
AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
Developer action elements:
AVA_VAN.3.1D The developer shall provide the TOE for testing.
Content and presentation elements:
AVA_VAN.3.1C The TOE shall be suitable for testing.
Evaluator action elements:
AVA_VAN.3.1E The evaluator shall confirm that the information provided meets
all requirements for content and presentation of evidence.
AVA_VAN.3.2E The evaluator shall perform a search of public domain sources
to identify potential vulnerabilities in the TOE.
AVA_VAN.3.3E The evaluator shall perform an independent vulnerability
analysis of the TOE using the guidance documentation, functional
specification, TOE design, security architecture description and
implementation representation to identify potential vulnerabilities
in the TOE.
AVA_VAN.3.4E The evaluator shall conduct penetration testing, based on the
identified potential vulnerabilities, to determine that the TOE is
resistant to attacks performed by an attacker possessing
Enhanced-Basic attack potential.
Application Note: The evaluator should test the system for buffer overflows, heap
overflows, and string format problems.
6. Rationale
6.1 Security Objectives Rationale
T.BYPASS
Threat: The TOE may be bypassed, circumventing nominal SWITCH functionality.
Objective: O.INVOKE: Upon switch selection, the TOE is invoked.
Rationale: O.INVOKE: The TOE must be invoked whenever a switch selection is made.

T.INSTALL
Threat: The TOE may be delivered and installed in a manner, which violates the security policy.
Objective: OE.MANAGE

T.LOGICAL
Threat: The functionality of the TOE may be changed by reprogramming in such a way as to violate the security policy.
Objective: O.NOPROG: Logic contained within the TOE shall be protected against unauthorized modification. Embedded logic must not be stored in programmable or reprogrammable components.
Objective: O.ROM: TOE software/firmware shall be protected against unauthorized modification. Embedded software must be contained in mask-programmed or one-time-programmable read-only memory permanently attached (non-socketed) to a circuit assembly.
Rationale: O.NOPROG: The functional capabilities of the TOE are finalized during manufacturing. The configuration of the TOE (operating parameters and other control information) may change.
Rationale: O.ROM: Any software/firmware affecting the basic functionality of the TOE must be stored in a medium which prevents its modification.

T.PHYSICAL
Threat: A physical attack on the TOE may violate the security policy.
Objective: O.CONF: The TOE shall not violate the confidentiality of information, which it processes. Information generated within any PERIPHERAL GROUP-COMPUTER CONNECTION shall not be accessible by any other PERIPHERAL GROUP-COMPUTER CONNECTION.
Objective: O.NOPROG: Logic contained within the TOE shall be protected against unauthorized modification. Embedded logic must not be stored in programmable or reprogrammable components.
Objective: O.ROM: TOE software/firmware shall be protected against unauthorized modification. Embedded software must be contained in mask-programmed or one-time-programmable read-only memory permanently attached (non-socketed) to a circuit assembly.
Rationale: O.CONF: If the PERIPHERALS can be CONNECTED to more than one COMPUTER at any given instant, then a channel may exist which would allow transfer of information from one to the other. This is particularly important for DEVICES with bi-directional communications channels such as KEYBOARD and POINTING DEVICES. Since many PERIPHERALS now have embedded microprocessors or microcontrollers, significant amounts of information may be transferred from one COMPUTER system to another, resulting in compromise of sensitive information. An example of this is transfer via the buffering mechanism in many KEYBOARDS.
Rationale: O.NOPROG: The functional capabilities of the TOE are finalized during manufacturing. The configuration of the TOE (operating parameters and other control information) may change.
Rationale: O.ROM: Any software/firmware affecting the basic functionality of the TOE must be stored in a medium which prevents its modification.

T.RESIDUAL
Threat: RESIDUAL DATA may be transferred between PERIPHERAL PORT GROUPS with different IDs.
Objective: O.CONF: The TOE shall not violate the confidentiality of information, which it processes. Information generated within any PERIPHERAL GROUP-COMPUTER CONNECTION shall not be accessible by any other PERIPHERAL GROUP-COMPUTER CONNECTION.
Objective: O.CONNECT: No information shall be shared between SWITCHED COMPUTERS in the TOE. This includes STATE INFORMATION, if such is maintained within the TOE.
Rationale: O.CONF: If the PERIPHERALS can be CONNECTED to more than one COMPUTER at any given instant, then a channel may exist which would allow transfer of information from one to the other. This is particularly important for DEVICES with bi-directional communications channels such as KEYBOARD and POINTING DEVICES. Since many PERIPHERALS now have embedded microprocessors or microcontrollers, significant amounts of information may be transferred from one COMPUTER system to another, resulting in compromise of sensitive information. An example of this is transfer via the buffering mechanism in many KEYBOARDS.
Rationale: O.CONNECT: The purpose of the TOE is to share a set of PERIPHERALS among multiple COMPUTERS. Information transferred to/from one SWITCHED COMPUTER is not to be shared with any other COMPUTER.

T.SPOOF
Threat: Via intentional or unintentional actions, a USER may think the set of SHARED PERIPHERALS are CONNECTED to one COMPUTER when in fact they are connected to a different one.
Objective: O.INDICATE: The AUTHORIZED USER shall receive an unambiguous indication of which SWITCHED COMPUTER has been selected.
Objective: O.SELECT: An explicit action by the AUTHORIZED USER shall be used to select the COMPUTER to which the shared set of PERIPHERAL DEVICES is CONNECTED. Single push button, multiple push button, or rotary selection methods are used by most (if not all) current market products. Automatic switching based on scanning shall not be used as a selection mechanism.
Rationale: O.INDICATE: The USER must receive positive confirmation of SWITCHED COMPUTER selection.
Rationale: O.SELECT: The USER must take positive action to select the current SWITCHED COMPUTER.

T.STATE
Threat: STATE INFORMATION may be transferred to a PERIPHERAL PORT GROUP with an ID other than the selected one.
Objective: O.CONF: The TOE shall not violate the confidentiality of information, which it processes. Information generated within any PERIPHERAL GROUP-COMPUTER CONNECTION shall not be accessible by any other PERIPHERAL GROUP-COMPUTER CONNECTION.
Objective: O.CONNECT: No information shall be shared between SWITCHED COMPUTERS in the TOE. This includes STATE INFORMATION, if such is maintained within the TOE.
Rationale: O.CONF: If the PERIPHERALS can be CONNECTED to more than one COMPUTER at any given instant, then a channel may exist which would allow transfer of information from one to the other. This is particularly important for DEVICES with bi-directional communications channels such as KEYBOARD and POINTING DEVICES. Since many PERIPHERALS now have embedded microprocessors or microcontrollers, significant amounts of information may be transferred from one COMPUTER system to another, resulting in compromise of sensitive information. An example of this is transfer via the buffering mechanism in many KEYBOARDS.
Rationale: O.CONNECT: The purpose of the TOE is to share a set of PERIPHERALS among multiple COMPUTERS. Information transferred to/from one SWITCHED COMPUTER is not to be shared with any other COMPUTER.

T.TRANSFER
Threat: A CONNECTION, via the TOE, between COMPUTERS may allow information transfer.
Objective: O.CONF: The TOE shall not violate the confidentiality of information, which it processes. Information generated within any PERIPHERAL GROUP-COMPUTER CONNECTION shall not be accessible by any other PERIPHERAL GROUP-COMPUTER CONNECTION.
Objective: O.CONNECT: No information shall be shared between SWITCHED COMPUTERS in the TOE. This includes STATE INFORMATION, if such is maintained within the TOE.
Objective: O.SWITCH: All DEVICES in a SHARED PERIPHERAL GROUP shall be CONNECTED to at most one SWITCHED COMPUTER at a time.
Rationale: O.CONF: If the PERIPHERALS can be CONNECTED to more than one COMPUTER at any given instant, then a channel may exist which would allow transfer of information from one to the other. This is particularly important for DEVICES with bi-directional communications channels such as KEYBOARD and POINTING DEVICES. Since many PERIPHERALS now have embedded microprocessors or microcontrollers, significant amounts of information may be transferred from one COMPUTER system to another, resulting in compromise of sensitive information. An example of this is transfer via the buffering mechanism in many KEYBOARDS.
Rationale: O.CONNECT: The purpose of the TOE is to share a set of PERIPHERALS among multiple COMPUTERS. Information transferred to/from one SWITCHED COMPUTER is not to be shared with any other COMPUTER.
Rationale: O.SWITCH: The purpose of the TOE is to share a set of PERIPHERALS among multiple COMPUTERS. It makes no sense to have, for example, video CONNECTED to one COMPUTER while a POINTING DEVICE is CONNECTED to another COMPUTER.
6.2 Environmental Objectives Rationale
All of the Security Objectives for the Environment are considered to be Secure Usage
Assumptions.
These objectives on the environment do not contain any IT security requirements because
they are non-IT related objectives. Thus, the CC does not mandate that they map to any
requirements.
A.ACCESS
Assumption: An AUTHORIZED USER possesses the necessary privileges to access the information transferred by the TOE. USERS are AUTHORIZED USERS.
Environmental Objective: OE.ACCESS: The AUTHORIZED USER shall possess the necessary privileges to access the information transferred by the TOE.
Rationale: All authorized users are trustworthy individuals, having background investigations commensurate with the level of data being protected, have undergone appropriate training, and follow all user guidance. USERS are AUTHORIZED USERS.

A.EMISSION
Assumption: The TOE meets the appropriate national requirements (in the country where used) for conducted/radiated electromagnetic emissions. [In the United States, Part 15 of the FCC Rules for Class B digital devices.]
Environmental Objective: OE.EMISSION: The TOE shall meet the appropriate national requirements (in the country where used) for conducted/radiated electromagnetic emissions. [In the United States, Part 15 of the FCC Rules for Class B digital devices.]
Rationale: Restates the assumption.

A.ISOLATE
Assumption: Only the selected COMPUTER’S video channel will be visible on the shared MONITOR.
Environmental Objective: OE.ISOLATE: Only the selected COMPUTER’S video channel shall be visible on the shared MONITOR.
Rationale: Restates the assumption.

A.MANAGE
Assumption: The TOE is installed and managed in accordance with the manufacturer’s directions.
Environmental Objective: OE.MANAGE: The TOE shall be installed and managed in accordance with the manufacturer’s directions.
Rationale: Restates the assumption.

A.NOEVIL
Assumption: The AUTHORIZED USER is non-hostile and follows all usage guidance.
Environmental Objective: OE.NOEVIL: The AUTHORIZED USER shall be non-hostile and follow all usage guidance.
Rationale: Restates the assumption.

A.PHYSICAL
Assumption: The TOE is physically secure.
Environmental Objective: OE.PHYSICAL: The TOE shall be physically secure.
Rationale: The TOE is assumed to be protected from physical attack (e.g., theft, modification, destruction, or eavesdropping). Physical attack could include unauthorized intruders into the TOE environment, but it does not include physical destructive actions that might be taken by an individual that is authorized to access the TOE environment.

A.SCENARIO
Assumption: Vulnerabilities associated with attached DEVICES (SHARED PERIPHERALS or SWITCHED COMPUTERS), or their CONNECTION to the TOE, are a concern of the application scenario and not of the TOE.
Environmental Objective: OE.SCENARIO: Vulnerabilities associated with attached DEVICES (SHARED PERIPHERALS or SWITCHED COMPUTERS), or their CONNECTION to the TOE, shall be a concern of the application scenario and not of the TOE.
Rationale: Restates the assumption.
6.3 Security Requirements Rationale
O.CONF
Objective: The TOE shall not violate the confidentiality of information, which it processes. Information generated within any PERIPHERAL GROUP-COMPUTER CONNECTION shall not be accessible by any other PERIPHERAL GROUP-COMPUTER CONNECTION.
Requirements: FDP_ETC.1 (Export of User Data Without Security Attributes); FDP_IFC.1 (Subset Information Flow Control); FDP_IFF.1 (Simple Security Attributes); FDP_ITC.1 (Import of User Data Without Security Attributes)
Rationale: FDP_ETC.1: In typical TOE applications, USER data consists of HUMAN INTERFACE DEVICE control information. Also included is configuration information such as KEYBOARD settings that must be reestablished each time the TOE switches between COMPUTERS. These DEVICES neither expect nor require any security ATTRIBUTE information. The information content of the data passed through a CONNECTION is ignored.
Rationale: FDP_IFC.1: This captures the policy that no information flows between different PERIPHERAL PORT GROUP IDS.
Rationale: FDP_IFF.1: This requirement identifies the security ATTRIBUTES needed to detail the operation of a switch and the rules allowing information transfer. This requirement is a dependency of FDP_IFC.1.
Rationale: FDP_ITC.1: In typical TOE applications, USER data consists of HUMAN INTERFACE DEVICE control information. These DEVICES neither expect nor require any security ATTRIBUTE information.

O.CONNECT
Objective: No information shall be shared between SWITCHED COMPUTERS via the TOE. This includes STATE INFORMATION, if such is maintained within the TOE.
Requirements: FDP_ETC.1 (Export of User Data Without Security Attributes); FDP_IFC.1 (Subset Information Flow Control); FDP_IFF.1 (Simple Security Attributes); FDP_ITC.1 (Import of User Data Without Security Attributes)
Rationale: FDP_ETC.1: In typical TOE applications, USER data consists of HUMAN INTERFACE DEVICE control information. Also included is configuration information such as KEYBOARD settings that must be reestablished each time the TOE switches between COMPUTERS. These DEVICES neither expect nor require any security ATTRIBUTE information. The information content of the data passed through a CONNECTION is ignored.
Rationale: FDP_IFC.1: This captures the policy that no information flows between different PERIPHERAL PORT GROUP IDS.
Rationale: FDP_IFF.1: This requirement identifies the security ATTRIBUTES needed to detail the operation of a switch and the rules allowing information transfer. This requirement is a dependency of FDP_IFC.1.
Rationale: FDP_ITC.1: In typical TOE applications, USER data consists of HUMAN INTERFACE DEVICE control information. These DEVICES neither expect nor require any security ATTRIBUTE information.

O.INDICATE
Objective: The AUTHORIZED USER shall receive an unambiguous indication of which SWITCHED COMPUTER has been selected.
Requirements: EXT_VIR.1 (Visual Indication Rule)
Rationale: EXT_VIR.1: There must be some positive feedback from the TOE to the USER to indicate which SWITCHED COMPUTER is currently CONNECTED. Part 2 of the Common Criteria does not provide a component appropriate to express the requirement for visual indication.

O.INVOKE
Objective: Upon switch selection, the TOE is invoked.
Requirements: ADV_ARC.1 (Security architecture description)
Rationale: ADV_ARC.1: addresses the non-bypassability and domain separation aspects of the TSF. The architecture will contribute to this objective by ensuring that the TSF can protect itself from users. The Data Separation SFP must be enforced at all times during TOE operation. This requires that the TSP functions always be invoked.

O.NOPROG
Objective: Logic contained within the TOE shall be protected against unauthorized modification. Embedded logic must not be stored in programmable or reprogrammable components.
Requirements: ADV_ARC.1 (Security architecture description)
Rationale: ADV_ARC.1: addresses the non-bypassability and domain separation aspects of the TSF. The architecture will contribute to this objective by ensuring that the TSF can protect itself from users. The TSF needs to ensure that it protects itself against changes, which might compromise its security functionality.

O.ROM
Objective: TOE software/firmware shall be protected against unauthorized modification. Embedded software must be contained in mask-programmed or one-time-programmable read-only memory permanently attached (non-socketed) to a circuit assembly.
Requirements: ADV_ARC.1 (Security architecture description)
Rationale: ADV_ARC.1: addresses the non-bypassability and domain separation aspects of the TSF. The architecture will contribute to this objective by ensuring that the TSF can protect itself from users. The TSF needs to ensure that it protects itself against changes, which might compromise its security functionality.

O.SELECT
Objective: An explicit action by the AUTHORIZED USER shall be used to select the COMPUTER to which the shared set of PERIPHERAL DEVICES is CONNECTED. Single push button, multiple push button, or rotary selection methods are used by most (if not all) current market products. Automatic switching based on scanning shall not be used as a selection mechanism.
Requirements: FMT_MSA.1 (Management of Security Attributes); FMT_MSA.3 (Static Attribute Initialization)
Rationale: FMT_MSA.1: This restricts the ability to change selected PERIPHERAL PORT GROUP IDS to the AUTHORIZED USER. This requirement is a dependency of FMT_MSA.3.
Rationale: FMT_MSA.3: The TOE assumes a default PERIPHERAL PORT GROUP selection based on a physical switch position or a manufacturer’s specified sequence for choosing among the CONNECTED COMPUTERS (CONNECTED here implies powered on). This requirement is a dependency of FDP_IFF.1 and FDP_ITC.1.

O.SWITCH
Objective: All DEVICES in a SHARED PERIPHERAL GROUP shall be CONNECTED to at most one SWITCHED COMPUTER at a time.
Requirements: FDP_IFF.1 (Simple Security Attributes)
Rationale: FDP_IFF.1: This requirement identifies the security ATTRIBUTES needed to detail the operation of a switch and the rules allowing information transfer. This requirement is a dependency of FDP_IFC.1.
The set of security functional requirements can be partitioned into the following areas,
analytically determined to be mutually exclusive and internally consistent.
Information Flow:
FDP_ETC.1
FDP_IFC.1
FDP_IFF.1
FDP_ITC.1
Group ID Management:
FMT_MSA.1
FMT_MSA.3
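The Data Separation SFP that the O.CONF, O.CONNECT, O.SWITCH and O.SELECT rationale in 6.1 and the FDP_IFF.1, FMT_MSA.1 and FMT_MSA.3 rationale in 6.3 describe can be written down as a small executable model. The Python below is an added example, not part of the PP or of any evaluated product. The class and method names (PeripheralSharingSwitch, select, poll, configure), the lowest-numbered powered-on group as the FMT_MSA.3 default, and the purge_on_switch flag are assumptions made for the illustration; the flag exists only to contrast a switch that carries buffered keystrokes and KEYBOARD state across a selection change (the T.RESIDUAL and T.STATE cases) with one that clears them as O.CONNECT requires.

```python
"""Executable model of the Data Separation SFP (added example, not part of the PP).

Class and method names are assumptions for illustration; the PP itself defines
only the objectives and SFRs that the comments cite.
"""
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when an operation would break the Data Separation SFP."""


@dataclass
class PortGroup:
    """A SWITCHED COMPUTER behind one PERIPHERAL PORT GROUP ID (the FDP_IFF.1 attribute)."""
    group_id: int
    powered_on: bool = True          # CONNECTED here implies powered on (FMT_MSA.3 rationale)
    received: list = field(default_factory=list)


@dataclass
class SharedPeripheral:
    """A shared HUMAN INTERFACE DEVICE with a type-ahead buffer and configuration state."""
    name: str
    buffer: list = field(default_factory=list)   # the buffering mechanism in many KEYBOARDS
    state: dict = field(default_factory=dict)    # KEYBOARD settings such as LED state


class PeripheralSharingSwitch:
    """Assumed model of the TOE; purge_on_switch=False exists only to show the threat case."""

    def __init__(self, groups, peripherals, purge_on_switch=True):
        self.groups = {g.group_id: g for g in groups}
        self.peripherals = {p.name: p for p in peripherals}
        self.purge_on_switch = purge_on_switch
        powered = [g.group_id for g in groups if g.powered_on]
        if not powered:
            raise PolicyViolation("no CONNECTED (powered on) COMPUTER to select")
        # FMT_MSA.3: default selection from a manufacturer-defined sequence;
        # this model takes the lowest-numbered powered-on group (an assumption).
        self.selected = min(powered)

    def indicator(self):
        """O.INDICATE: unambiguous feedback on which SWITCHED COMPUTER is selected."""
        return "SELECTED: COMPUTER %d" % self.selected

    def select(self, group_id, actor="AUTHORIZED USER", method="push_button"):
        """O.SELECT and FMT_MSA.1: only an explicit AUTHORIZED USER action changes the selection."""
        if method == "scan":
            raise PolicyViolation("automatic switching based on scanning is not a selection mechanism")
        if actor != "AUTHORIZED USER":
            raise PolicyViolation("only the AUTHORIZED USER may change the selected group ID")
        if group_id not in self.groups:
            raise KeyError("unknown PERIPHERAL PORT GROUP ID %r" % group_id)
        if group_id == self.selected:
            return
        if self.purge_on_switch:
            # O.CONNECT: buffered RESIDUAL DATA and STATE INFORMATION must not cross groups
            for p in self.peripherals.values():
                p.buffer.clear()
                p.state.clear()
        # O.SWITCH: one selection moves every DEVICE in the SHARED PERIPHERAL GROUP together
        self.selected = group_id

    def _flow_permitted(self, group_id):
        """FDP_IFF.1 rule: information flows only between the selected group ID and the peripherals."""
        return group_id == self.selected

    def type_on(self, peripheral, data):
        """A PERIPHERAL generates data; it waits in the device buffer until a COMPUTER polls."""
        self.peripherals[peripheral].buffer.append(data)

    def poll(self, group_id):
        """A COMPUTER reads pending peripheral data; refused (None) unless its group is selected."""
        if not self._flow_permitted(group_id):
            return None
        drained = []
        for p in self.peripherals.values():
            drained.extend(p.buffer)
            p.buffer.clear()
        self.groups[group_id].received.extend(drained)
        return drained

    def configure(self, group_id, peripheral, **settings):
        """A COMPUTER pushes settings (e.g. LED state) to a peripheral; same FDP_IFF.1 check."""
        if not self._flow_permitted(group_id):
            return False
        self.peripherals[peripheral].state.update(settings)
        return True


def residual_data_scenario(purge_on_switch=True):
    """T.RESIDUAL / T.STATE walk-through: what COMPUTER 2 observes after the user switches."""
    pss = PeripheralSharingSwitch(
        [PortGroup(1), PortGroup(2)],                          # constructed sample groups
        [SharedPeripheral("keyboard"), SharedPeripheral("mouse")],
        purge_on_switch=purge_on_switch,
    )
    pss.configure(1, "keyboard", caps_lock=True)   # COMPUTER 1 sets KEYBOARD state
    pss.type_on("keyboard", "secret")               # typed for COMPUTER 1, not yet polled
    pss.select(2)                                   # AUTHORIZED USER presses the push button
    return {
        "indicator": pss.indicator(),
        "input_seen_by_2": pss.poll(2),
        "state_seen_by_2": dict(pss.peripherals["keyboard"].state),
        "computer_1_refused": not pss.configure(1, "keyboard", num_lock=True),
    }
```

With the default purge, residual_data_scenario() shows COMPUTER 2 polling an empty buffer and inheriting no caps-lock state, while COMPUTER 1's later configuration attempt is refused because its PERIPHERAL PORT GROUP ID is no longer the selected one. The same scenario with purge_on_switch=False returns the buffered "secret" and the carried-over state, which is exactly the flow between different PERIPHERAL PORT GROUP IDS that FDP_IFC.1 forbids.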
6.4 Dependencies Not Met
FMT_SMR.1 (Security Roles)
The TOE is not required to associate USERS with roles; hence, there is only one
“role”, that of USER. This deleted requirement, a dependency of FMT_MSA.1 and
FMT_MSA.3, allows the TOE to operate normally in the absence of any formal
roles.
6.5 Mapping Tables
T.BYPASS
OE.MANAGE
O.SWITCH
O.SELECT
O.ROM
O.NOPROG
O.INVOKE
O.INDICATE
O.CONNECT
O.CONF
The indicated mappings do not necessarily imply that all aspects of the relations are
resolved. For example, in Table 1, T.PHYSICAL is only partially addressed by
O.NOPROG.
X
X
T.INSTALL
T.LOGICAL
T.PHYSICAL
X
T.RESIDUAL
X
X
X
X
X
X
T.SPOOF
X
T.STATE
X
X
T.TRANSFER
X
X
X
X
Table 1: Mapping of Threats to Objectives
Version 1.1 (25 July 2007)
Page 43of 51
Table 2: Mapping of Security Functional Requirements to Objectives (matrix;
requirements: FDP_ETC.1, FDP_IFC.1, FDP_IFF.1, FDP_ITC.1, FMT_MSA.1, FMT_MSA.3,
ADV_ARC.1, EXT_VIR.1; objectives: O.SWITCH, O.SELECT, O.ROM, O.NOPROG, O.INVOKE,
O.CONNECT, O.INDICATE, O.CONF; the individual cell marks did not survive extraction)
Table 3: Mapping of Security Functional Requirements Dependencies (matrix;
requirements: FDP_ETC.1, FDP_IFC.1, FDP_IFF.1, FDP_ITC.1, FMT_MSA.1, FMT_MSA.3,
EXT_VIR.1; Dependency columns: FDP_ETC.1, FDP_IFC.1, FDP_IFF.1, FDP_ITC.1, FMT_MSA.1,
FMT_MSA.3, FMT_SMR.1; the individual cell marks did not survive extraction)
Terms of Reference
Attribute
(See Peripheral Port Group ID)
Authorized User
A USER who has been granted permission to interact with the TOE and all of its
CONNECTED PERIPHERALS.
Computer
A programmable machine. The two principal characteristics of a computer are: it
responds to a specific set of instructions in a well-defined manner, and it can execute a
prerecorded list of instructions (a software program). For the purposes of this document,
any electronic DEVICE controlling the MONITOR, and accepting signals from the
KEYBOARD and POINTING DEVICE (if any) will qualify. Examples of computers under this
definition are IBM-class personal computers (and so-called clones), desktop
workstations, and control console INTERFACES into “mainframe” computers.
Connected
A state in which information can be intentionally transferred.
Connection
A path for information flow between two or more DEVICES.
Device
A unit of hardware, outside or inside the case or housing for the essential
COMPUTER that is capable of providing INPUT to the essential COMPUTER or of receiving
OUTPUT or both. The term PERIPHERAL is sometimes used as a synonym for device or
any INPUT/OUTPUT unit.
Group
(See Peripheral Port Group)
Human Interface Devices
Those PERIPHERALS which primarily allow a USER to directly observe and/or
modify the operation/status of a COMPUTER. Examples include a keyboard, video
MONITOR, mouse, and an optical head tracker. Modems, printers, hard drives, and
scanners are not such devices.
Input Device
Any machine that feeds data into a COMPUTER. This includes scanners, touch
screens, and voice response systems.
Interface
The CONNECTION and interaction between hardware, software, and the USER.
Keyboard
A DEVICE which converts the physical action of a USER such as the depressing of
one or more buttons into electronic signals corresponding to the bitwise symbol for a
character in some form of electronic alphabet. The most common example is the
typewriter-like keyboard found on most home COMPUTERS, but the definition also
includes braille keypads among other DEVICES.
Monitor
A COMPUTER OUTPUT surface and projecting mechanism that show text and other
graphic images from a COMPUTER system to a user, using a Cathode Ray Tube (CRT),
Liquid Crystal Display (LCD), Light-Emitting Diode (LED), gas plasma, active matrix,
or other image projection technology. The display (the terms display and monitor are
often used interchangeably) is usually considered to include the screen or projection
surface and the DEVICE that produces the information on the screen. In some COMPUTERS,
the display is packaged in a separate unit called a monitor. Displays (and monitors) are
also sometimes called Video Display Terminals (VDTs). Also included in this category
are tactile braille OUTPUT DEVICES.
Object
(See Peripheral Data and State Information)
Output Device
Any machine capable of representing information from a COMPUTER. This
includes display screens, printers, plotters, and synthesizers.
Peripheral
A DEVICE that is logically and electrically (or electromagnetically) CONNECTED to
a COMPUTER, but normally mounted outside of the COMPUTER enclosure. MONITORS,
KEYBOARDS, and POINTING DEVICES are all peripherals.
Peripheral Data
Information, including [buffered] STATE INFORMATION, sent from or to a PERIPHERAL.
Peripheral Port Group (“Group”) / Peripheral Port Group ID
A collection of HUMAN INTERFACE DEVICE PORTS treated as a single entity by the
SWITCH. There is one Group for the set of SHARED PERIPHERALS and one Group for each
SWITCHED COMPUTER directly CONNECTED to the SWITCH. Each SWITCHED COMPUTER
Group has a unique logical ID. The shared Group ID is the same as that of the SWITCHED
COMPUTER Group currently selected by the SWITCH.
Pointing Device
A DEVICE which converts relative positioning motion from a human operator
into positioning information on a MONITOR. Examples of Pointing Devices include a
mouse, trackball, joystick, and touchpad.
Port
An external socket for plugging in communications lines and/or PERIPHERALS.
Residual Data
Any PERIPHERAL DATA stored in a SWITCH.
Shared Peripheral
(See Peripheral Port Group)
State Information
The current or last-known status, or condition, of a process, transaction, or
setting. “Maintaining state” means keeping track of such data over time.
Subject
(See Peripheral Port Group)
Switch
A DEVICE permitting a single set of PERIPHERALS to be shared among two or more
COMPUTERS. Synonymous with TOE in this document.
Switched Computer
(See Peripheral Port Group)
User
The human operator of the TOE.
Acronyms
CCIB Common Criteria Implementation Board
CCIMB Common Criteria Interpretations Management Board
CM Configuration Management
CRT Cathode Ray Tube
DAC Discretionary Access Control
EAL Evaluation Assurance Level
FCC Federal Communications Commission
FFRDC Federally Funded Research and Development Center
ID Identification
IEC International Electro-technical Commission
ISO International Standards Organization
ISSE Information Systems Security Engineer[ing]
ISSO Information Systems Security Organization
IT Information Technology
KVM Keyboard-Video-Mouse
LCD Liquid Crystal Display
LED Light-Emitting Diode
MAC Mandatory Access Control
PP Protection Profile
PSS Peripheral Sharing Switch
SFP Security Function Policy
ST Security Target
TOE Target of Evaluation
TSC TSF Scope of Control
TSF TOE Security Functions
TSP TOE Security Policy
VDT Video Display Terminal