Professional Documents
Culture Documents
SECURE SOFTWARE
by
Dan Wu
May 2007
Copyright 2007
Dan Wu
Dedication
To my grandmother, my parents and Jia, thanks for their support and love.
ii
Acknowledgements
This dissertation could not have been finished without many peoples support and
help. The person I am mostly appreciated for is my advisor: Dr. Barry Boehm. How
lucky I am to be his student and work with him for almost 4 years. I cannot achieve
todays goal without his consistent guidance, encouragement and support on every
aspect of my student life. I also sincerely thank my other committee members: Dr.
Neno Medvidovic and Dr. Bert Steece, for the great guidance and feedbacks on my
research, presentations and drafts of dissertation.
I want to give my special thanks to Ed Colbert, who provides me many useful
feedbacks on this research. I felt very happy working with him and learned many
things from him. I would also thank for Dr George Freidman and Dr Rick Selby,
who gave me many suggestions on how to extend my research and future research
areas.
I want to thank for my family for the unconditionally love and support. I wont be
achieving todays success without his inspiration in my childhood. He is always the
greatest person in my life. My mother, even did not spend much time with me, still
gave me the best love and care in the world. My lovely younger sister, I will be
always loving you and taking care of you.
I really want to share all my success with my grandmother. I feel so sad I could not
be with her in her last few days. Grandmother and aunt Nan, I wish you could feel all
the happiness I feel now, and be very peaceful in the heaven.
iii
Table of Contents
Dedication ....................................................................................................................ii
Acknowledgements .....................................................................................................iii
Table of Contents ........................................................................................................iv
List of Tables ..............................................................................................................vi
List of Figures .............................................................................................................ix
Abbreviations ............................................................................................................... x
Abstract .......................................................................................................................xi
Chapter 1: Introduction ................................................................................................ 1
Chapter 2: Background and Related Work .................................................................. 6
2.1 Security Objectives Taxonomy .......................................................................... 6
2.2 Security Considerations in SDLC ...................................................................... 9
2.2.1 NIST Special Publications........................................................................... 9
2.2.2 MBASE Security Extensions..................................................................... 11
2.2.3 SSE-CMM & IA-CMM............................................................................. 13
2.3 Security Evaluation Criteria ............................................................................. 13
2.3.1 Trusted Computer Systems Evaluation Criteria ........................................ 14
2.3.2 Information Technology Security Evaluation Criteria .............................. 16
2.3.3 Common Criteria ....................................................................................... 17
2.4 Software Pattern and Security Pattern.............................................................. 26
Chapter 3: Research Approach .................................................................................. 32
Chapter 4: Data Context and General Observations .................................................. 34
4.1 SFR Classes Usage........................................................................................... 35
4.2 SFR & EAL: General Trends ........................................................................... 37
4.3 Observations on Security Projects Through Timeline ..................................... 40
Chapter 5: Security Target Analysis Result ............................................................... 44
5.1 SFR Reusable Packages ................................................................................... 45
5.1.1 Identification and Authentication .............................................................. 45
5.1.2 Confidentiality ........................................................................................... 47
5.1.3 Integrity...................................................................................................... 50
5.1.4 Availability ................................................................................................ 51
5.1.5 Non-Repudiation........................................................................................ 53
5.1.6 Security Management ................................................................................ 54
5.1.7 Privacy ....................................................................................................... 56
5.1.8 Accountability............................................................................................ 57
iv
5.1.9 Recoverability............................................................................................ 57
5.1.10 Intrusion Detection and Response ........................................................... 58
5.1.11 SFRs Correlations.................................................................................... 60
5.2 SFR Patterns in Domains ................................................................................. 69
5.2.1 Access Control Devices and Systems (ACDS) ......................................... 69
5.2.2 Boundary Protection Devices and Systems (BPDS) ................................. 70
5.2.3 Database (DB) ........................................................................................... 74
5.2.4 Data Protection (DP).................................................................................. 76
5.2.5 Detection Devices (DD) ............................................................................ 78
5.2.6 ICs, Smart Cards & Related Services (ICSCRS)....................................... 80
5.2.7 Key Management (KM)............................................................................. 83
5.2.8 Network and Network Related Devices and Systems (NNRDS) .............. 85
5.2.9 Operating Systems (OS) ............................................................................ 89
Chapter 6: Validation Approach ................................................................................ 93
6.1 SFR Packages Validation ................................................................................. 93
6.2 SFR Patterns Validation ................................................................................... 94
6.2.1 SFR Pattern Validation Result in BPDS Domain...................................... 96
6.2.2 SFR Pattern Validation Result in ICSCRS Domain .................................. 97
6.2.3 SFR Pattern Validation Result in NNRDS Domain .................................. 98
6.2.4 SFR Pattern Validation Result in OS Domain......................................... 100
6.2.5 SFR Pattern Validation in Other Domains .............................................. 101
Chapter 7: Contributions and Future Work.............................................................. 104
7.1 Contributions .................................................................................................. 104
7.2 Future Work ................................................................................................... 105
References ................................................................................................................ 107
Appendices............................................................................................................... 111
SFR abbreviations and full names........................................................................ 111
List of Tables
Table 1: MBASE Completion Criteria for Anchor Points ......................................... 12
Table 2: Security Classes in Orange Book................................................................. 15
Table 3: ITSEC Levels Mapping with OB Levels ..................................................... 17
Table 4: Mapping Between SFR and Security Objectives......................................... 20
Table 5: Contents of ST Sections............................................................................... 26
Table 6: Element Content of SFR Pattern.................................................................. 27
Table 7: Advantages and Disvantages of Pattern Exploring Approach..................... 31
Table 8: Summaries of Security Products in Different Domains............................... 34
Table 9: Average EAL & Number of SFRs ............................................................... 41
Table 10: Number of Security Products with Certain SO.......................................... 42
Table 11: Percentages of Security Products with Certain SO.................................... 42
Table 12: Average Number of SFRs for Achieving SO ............................................ 43
Table 13: SFR Packages for Identification and Authentication................................. 45
Table 14: SFR Packages for Access Control ............................................................. 48
Table 15: SFR Packages for Encryption .................................................................... 49
Table 16: SFR Packages fr Integrity .......................................................................... 51
Table 17: SFR Packages for Non-Repudiation (Part 1) ............................................. 54
Table 18: SFR Packages for Non-Repudiation (Part 2) ............................................. 54
Table 19: SFR Packages for Accountability .............................................................. 57
Table 20: SFR Packages for Recoverability .............................................................. 58
Table 21: SFR Packages for Intrusion Detection and Response................................ 59
vi
viii
List of Figures
Figure 1: NIST Work Breakdown Structure .............................................................. 10
Figure 2: Structure of PP & ST Document ................................................................ 18
Figure 3: Organization and Construction of Requirements ....................................... 19
Figure 4: Purpose and Scope for GoF Approach ....................................................... 28
Figure 5: Pattern and Problem Categories for POSA Approach................................ 28
Figure 6: Levels of Solution for Security Patterns..................................................... 29
Figure 7: Steps and Archifacts of Research Approach .............................................. 32
Figure 8: SFRs Usage in STs ..................................................................................... 36
Figure 9: Relationship Between Number of SFRs and EAL ..................................... 38
Figure 10: Relationship Between Number of SFRs and EAL (Subset)..................... 39
Figure 11: Dataset 1: Number of SFRs by SFR Classes in STs ................................ 61
Figure 12: Dataset 2: Number of SFRs by SO in STs ............................................... 63
ix
Abbreviations
CC Common Criteria
EAL Evaluation Assurance Level
IT Information Technology
PP Protection Profile
SF Security Function
SFP Security Function Policy
SO Security Objective
ST Security Target
TOE Target of Evaluation
TSF TOE Security Functions
TSP TOE Security Policy
Abstract
Research experience shows that security needs to be considered from the
beginning of software development life cycle to avoid expensive rework and reduce
potential security vulnerabilities. Hence, defining the right set of security functional
requirements (SFRs) and evaluated assurance level (EAL) becomes a critical task for
developers when developing secure software. Much effort has been put into creating
industry standards to provide a shared common base for stakeholders with concerns
on security. One of the industry standards, which is used widely in both industry and
government sides in many countries, is Common Criteria (CC). However, one of the
drawbacks of Common Criteria is the inefficiency of use. Moreover, with limited
project information in the early lifecycle phase, it is hard for developers with less
security experience to select the right security requirements from what are defined in
CC. Extensions on it and experiences from empirical studies on using it are
demanded to achieve a better and more efficient use of CC, which also benefits
developers by saving their effort on security functional requirements definition.
A thorough analysis has been done on a dataset consisted by the Security Target
(ST) files of 242 security products published on common criteria portal website. A
mapping between security objectives and SFRs is presented, which can save much
development effort by reduce the range of candidate SFRs when developers know
the projects security objectives in the early phases. In the cases when developers
only know the product domain of this project, SFR patterns for nine different
domains of security products are presented based on the statistic result from the
xi
published 242 security products, which can be customized or directly used for
particular security application. The analysis result of correlations among SFR classes
defined in CC and correlations among security objectives provide a good guidance
for developers in designing the architecture of security products. A trend shows that
EAL tends to increase when the number of SFRs increases. It is not strongly proved
by the current dataset, but shows a research direction for further discussion and
explorations in the future.
To validate the correctness of the mapping scheme between security objectives and
SFRs, each of the ST files is reviewed to find out the consistency and difference
between the presented mapping scheme with the actual selected SFRs in 242 security
products with certain security objectives. A method is presented to evaluate the
effectiveness of these security patterns, which can be used as a factor for developers
when to consider applying the patterns for actual use.
xii
Chapter 1: Introduction
Today security has become an important issue in not only government departments
but also commercial companies. Much effort has been devoted to design security
products, such as firewalls, intrusion detection systems, data protection systems and
so on. Software that did not have security features in the past, such as database, must
be upgraded to include security features to become secure systems. In terms of
physical representation, a security product can include software, firmware, hardware
and supported documentation. Developers, when designing a new security system,
have choices of developing originally, using Commercial Off-the-Shelf (COTS)
security products and subscribing security services. No matter what choice is made,
developers need to find out the security objectives and security requirements for later
development or being used as one critical criteria for choosing security COTS
products and subscribing security services.
Security in the past was often treated as an add-on on other requirements. Security
patches were largely applied during software maintenance phase to add protections.
This approach is expensive on both the developer and user sides. It is well known
that the later a bug is fixed the more expensive it is to fix it. Since the patching often
happens after the software is delivered, it is expensive to develop the patches. It is
also a time-consuming job for users to install the security patches every time they get
updated. In terms of effectiveness, security patches are designed after the launch of
many successful attacks on one or many security vulnerabilities. Hence users already
1
suffered with the loss of asset values caused by the attacks in the most cases.
Changes on the old approach are highly demanded because of these drawbacks. The
most critical change is to consider security from the beginning of software
development life cycle (SDLC) to address potential threats and enforce organization
security policies. It is not hard to understand the requirements of security patches
since they are clearly driven by discovered vulnerabilities. However, with very
limited information in the beginning phase, it is often hard for developers especially
those with limited security knowledge to determine the right set of security
requirements for the security product. Furthermore, it is a hard task to describe these
security requirements in a way to minimize the ambiguity of them. It is also
important for other stakeholders, such as users and administrators, to interpret the
security requirements in the same way. Industry standards such as Common Criteria
(CC) [13] address this problem by defining security requirements, which provides a
shared common knowledge base. By selecting security functional requirements (SFR)
and evaluated assurance level (EAL) defined in CC, developers can then record them
into a documentation called security target (ST), which is also defined in CC for
future review by certification people or other stakeholders like customers.
CC has a comprehensive set of SFRs that includes 138 SFR components and is
grouped into 11 classes, which is an obvious advantage for wide use. However, it
may become an disadvantage for developers to spend effort on studying each SFR
component defined in CC. Especially when developers only interested in a few
security objectives such as authentication, it is a huge waste of effort for them to
2
study all SFRs to be able to select the appropriate SFRs. One contribution of my
research is to map SFRs in CC to the security objectives defined in section 2.1, hence
reduce the number of candidate SFRs for developers to explore. Security objectives
are defined by analyzing the system assumptions and potential threats of certain
security product. Since the assumption and threats may vary a lot for different
security product in different environments, how to define security objectives is not
addressed in this research. This research focuses on how to select SFRs after
developers know what the products security objectives are. For further increasing
the efficiency of selecting SFRs, this research also defines several SFR packages
with different rigor levels or emphasize for certain security objective. These SFR
packages are first designed based on the definitions of SFRs in CC. The SFR
packages then are refined by observing the difference and extracting the
commonalities in the selected SFR set from a big dataset, which includes ST files for
242 validated security products published on Common Criteria portal website.
Security products can be grouped into domains based on the common
characteristics they share. Examples of characteristics can be threats, IT-environment,
security objectives, etc. Domain specific software architecture (DSSA) is a
successful example to explore architecture patterns [39, 40, 25]. It is also valuable to
discover security requirements patterns for each security product domain with two
major advantages: First, it helps us to understand nature of the problem that this
domains security products address. Second, it provides a good set of requirements
for future reuse.
3
With the least knowledge of the products security objectives, developers can use
the result shown in table, to focus on the SFRs mapping to the particular security
objective instead of exploring the whole set of SFRs.
With knowledge of domain that the product belongs to, developers can customize
the security pattern for particular domains as stated in in section 6.
Security Management: It provides users with certain roles the ability to customize
the use of security mechanisms in a security product. The management can be switch
on/off or customize a security function, or management security attributes of users or
roles. This security objective is not highly related with protection on system or
information, hence is quite distinctive with others.
Privacy: Privacy targets on users identity or actions non-observable to others, even
TSF. This security objective is specific because it sometimes conflicts with other
security objectives such as accountability. Unobservability makes users action
unaccountable.
Detective
Accountability: It provides functionalities for generating records for system behavior
or user actions, which can be used for future review.
Intrusion Detection and Response: It addresses the detection instead of prevention of
certain intrusion. It also covers the potential response activities such as security
alarms in case of detecting an intrusion.
Corrective:
Recoverability: It covers two aspects: data recoverability and system function
recoverability. Data recoverability includes data correction after unauthorized
modifications. System function recoverability requires that system recovers to a
secure state and/or is still able to provide the key functionalities after certain failure
happens.
OCD
SSRD
SSAD
LCP
FRD
LCO
Organization security goals and policies
Project security goals
System security environment
Security related stakeholders identified
System artifacts classification and access control
System security capabilities
Level of services (LOSs) including security
objectives
Rules of behavior
Security functional requirements (SFRs)
Security assurance requirements (SARs)
Development requirements
Development constraints
LOSs requirements
Security requirements for deployment, transition,
and support environment
Top-level definition of at least one feasible
security architecture
Security planning
Top level of WWWWWHH* by stage
Security activities in inception, production and
support stage
Stakeholders security related responsibilities
Auditing and Monitoring
Top-level Security Risk Control
Security Certification and Accreditation
Security Assurance
Business analysis of security solution
SFR & SAR satisfaction
Security Risk assessment
Vulnerability analysis
Threat Analysis
COTs security assessment if any
LCA
Elaboration about
organization and project
security goals.
Elaboration about access
control on system artifacts
Elaboration about system
security capabilities and
LOSs
Elaboration about SFR
and SAR by increment
Elaboration about other
requirements if any
Choice of security
architecture
Satisfy evolutional
requirements
Elaboration about
WWWWWHH by
increment
Elaboration about security
assurance level and
security risk control
Elaboration about
Security Certification and
Accreditation
Assurance of consistency
All major security risks
covered by risk mitigation
or acceptance/response
plan
We can see that security requirements need to be defined during inception phase
and completed at LCO anchor point. In both [24] and [45], the definition of security
requirements is a necessary activity in the early phase of SDLC.
27, 42] provide a shared knowledge base and uniform representation of security
requirements, so that developers can select security requirements from standards for
direct or customize use. The evaluation methodologies defined in [13, 27, 42] also
establish the confidence of the products security functionalities. In this section, we
will talk about three well-used security evaluation criteria, and how they organize
security mechanisms and assurance into different classes or levels.
14
Division
Name
Minimal Protection
C1
Discretionary Security
C2
B1
B2
Structured Protection
B3
Security Domains
A1
Verified Design
Moreover, orange book does not separate security functionalities with security
assurance. Security functionalities and assurances are combined in one rating, where
security policy and accountability focus on security functionalities, and assurance
and documentation focus on security assurance. In terms of usability, it only
15
provides 7 classes of security levels, hence does not have much flexibility for
customize use.
16
Orange Book
D
C1
C2
B1
B2
B3
A1
ST (implementation dependent)
Section 2. Description
Section 7. PP Rationale
Section 7. PP Claims
Section 8. Rationale
As shown in Figure 2, PP and ST has almost the same structure, except that section
6 of ST covers TOE implementation details (TOE security function and descriptions)
and section 7 specifies the PP if ST is derived from it. In both PP and ST, the chosen
SFRs and SARs for the security product are stated in section 5 Security
Requirements.
use a bottom-up approach to extract general solutions from the published STs on the
Common Criteria portal website [15]. Although not all the domains are covered in
this thesis, the proposed security objectives framework and their mappings with
SFRs can be used to apply to any domain for discovering security requirements
patterns.
2.3.3.1 Security Objectives Mapping with SFRs
Table 4 shows the result of mapping CC SFR families with security objectives.
Each row is a SFR family and each column is a security objective. The SFR family
instead of SFR class or SFR component is used because the family level is the sweet
point for maximizing the precision and reducing the complexity of the table. Please
refer to section 2.1 for definitions on these security objectives and Appendix B for
full names of SFR families.
ARP
ID&R
Recoverability
Accountability
Privacy
Security
Management
Availability
Integrity
Confidentiality
Family
Identification
&Authentication
Class
Non-repudiation
Security Objectives
Common Criteria
GEN
SAA
SAR
SEL
Security
Audit (FAU) STG
D
D
NRO
Communication
(FCO)
NRR
ID&R
Recoverability
Accountability
Privacy
D
D
CKM
Cryptographic
Support (FCS) COP
ACC
ACF
DAU
User Data
Protection
(FDP)
Security
Management
Availability
Integrity
Confidentiality
Family
Identification
&Authentication
Class
Non-repudiation
Security Objectives
Common Criteria
ETC
IFC
IFF
ITC
ITT
RIP
ROL
SDI
UCT
UIT
AFL
ATD
SOS
UAU
Table 4, Continued
21
Recoverability
ID&R
FLS
D
I
MTD
REV
Privacy
MSA
Security
Management
Availability
Integrity
AMT
Family
MOF
Security
Management
(FMT)
Accountability
Confidentiality
Identification
&Authentication
Class
Non-repudiation
Security Objectives
Common Criteria
D
I
SAE
SMF
SMR
ANO
PSE
UNL
ITA
ITC
ITI
ITT
PHP
RCV
D
D
RPL
RVM
Protection of
the TSF (FPT) SEP
D
I
Table 4, Continued
22
ID&R
Recoverability
TRC
Protection of
the TSF (FPT) TST
D
I
FLT
PRS
RSA
MCS
TOE Access
(FTA)
Accountability
Security
Management
Availability
Integrity
TDC
LSA
STM
Resource
Utilization
(FRU)
Privacy
SSP
Confidentiality
Family
Identification
&Authentication
Class
Non-repudiation
Security Objectives
Common Criteria
SSL
TAB
TAH
TSE
ITC
Trusted path/
channels (FTP) TRP
Table 4, Continued
As you can see from this table, Common Criteria SFR classes and security
objectives have many to many relationships. For examples, the integrity security
objective can be satisfied by SFR components from different classes, such as FCS,
FDP and FPT. While requirements in FCS class can satisfy more than one security
objectives: Confidentiality, integrity and non-repudiation. The second example is
23
more interesting for developers because it indicates that the implementation of one
set of SFRs may satisfy multiple security objectives.
FMT is a special SFR class defined in CC. Unlike other classes which adds the
security to the TOE, several requirements in FMT such as management of functions
in TSF (FMT_MOF) and specifications of management functions (FMT_SMF) add
on usability or flexibility for other selected SFRs. For example, FMT_MOF allows
special users such as administrator to turn on/off or modify a security function,
which provides more flexibility. However, one can argue that this requirement
actually reduces the security rigor because it relies on the assumption that
administrator will never be malicious. There are requirements in FMT also provides
more security rigor, such as security attributes expiration (FMT_SAE). It enforces
time limits for the validity of security attributes. Hence, security management is
defined as a separate security objective and is satisfied by SFRs in FMT. Another
special class is FPT. As shown in the table, several requirements in FPT support all
security objectives since they protect all the TSF functions. Requirements such as
domain separation (FPT_SEP) are necessary when developing secure software with
high level of robustness. If the TOE has high expectation on confidentiality, it is also
necessary to include non-bypassability of TSP (FPT_RVM), which ensures that
security polices such as access control policies are followed.
Privacy needs to be defined as a separate security objective than confidentiality.
Confidentiality cares about data or information, which are usually objects in the
system. Privacy, on the other hand, protects user identity from being disclosure and
24
protects users activities from being observed. Developers need to be very careful in
choosing requirement for privacy, since it may be contradict with SFRs for other
security objectives, such as accountability. For example, anonymity (FPR_ANO)
requires user may use a resource or service without disclose its identity to other
authorized users (E.g., administrator), even TSF. It conflicts with auditing data
associated with user identities (FAU_GEN.2). Unobservaility (FPR_UNO) is special
in FPR since it tries to hide the resource or service being used instead of hiding user
identity. This requirement is often selected by security products in IC and smart card
domain, we will see it from the analyzed result of ST files as shown in Section 5.
2.3.3.2 Security Target
Security Target is formal document defined in CC as a key element in the
evaluation process. Its contents include security objectives, functional and assurance
requirements, summary specification, PP claims, and rationales. It may conform to
an existing PP and becomes a implementation-dependent response for a certain PP,
or may be created independently, as shown in table 5.
25
Section Name
Section 1. Security Target
Identification
Section 2. Description
Section 3. Security
Environment
Section 4. Security
Objectives
Section 5. Security
Requirements
Section 6. TOE Summary
Description
Section 7. PP Claims
Section 8. Rationale
Content
Identify the name and nature of ST. Provide the overview
of ST and relationship with other ST or PP
Describe TOEs type, architecture and system boundaries,
which includes physical and logical boundaries.
State security assumptions and threats for the TOE and
operational environment. Operational environment
includes IT environment and non-IT environment.
Describe organizational security polices, which applies
to both TOE and operational environment.
Describe security objectives for TOE and its IT and nonIT environment.
Describe the SFRs and SARs for implementing security
objectives in section 4, SFRs can be explicit stated.
Describe TOE security functions; Security assurance
measures details are discussed.
Identify dependent PP and any tailoring if applicable.
Demonstrate security objectives mapping to threats,
system assumptions and security policies; Demonstrate
SFRs satisfies security objectives; Demonstrate security
functions implement SFRs;
solutions for solving a particular set of problems. Christopher Alexander is the first
person to raise this pattern concept in [1] and [2]. As he wrote in his books:
Pattern: Each pattern is a three-part rule, which expresses a relation between a
certain context, a problem, and a solution.
He explained further with his statement: Each pattern describes a problem which
occurs over and over again in our environment, and then describes the core of the
solution to that problem Alexander also suggests that every pattern should have a
common structure, which is beneficial of comparing and organizing them. [33]
claims five mandatory elements necessary for a pattern: Name, Context, Problem,
Forces and Solution. What is covered in each of these five pattern elements for SFR
patterns is shown in table 6:
Pattern Elements
Name
Context
Problem
Forces
Solution
Contents
Domain Name
Major security features, IT-environment, major assumptions if
specific for this domain
Threats
Variations of the selected SFRs for different scenarios
SFRs that are selected by most of security products in this
domain, which fit in the context and addresses the problems.
27
30
Each of these approaches has its advantages and disadvantages, as shown in Table
7:
Advantages
Introspective Reflects expert opinions, often
approach
demonstrated by examples or
actual solutions
Artifactual
Authors effort to obtain a generic
approach
approach from many existing
solutions
Sociological Comes out good solution agreed
approach
and accepted by many experts
Disadvantages
Pattern reflects personal style, may
need further evaluation and
agreement from others
Patterns may not be a direct
solution; may need further
evaluation and refinement
Big communication effort;
sometimes it is hard to achieve an
agreement
31
should be selected to achieve certain security objective. In this research, the first step
is to explore and cleanup the dataset. Result of this step is a big table, where each
row is a TOE (Total 242), each column is a SFR component, each cell of the table
shows the number of certain SFR component selected in the TOE. In this table, 189
TOEs are grouped into 9 domains, and the rest 53 TOEs are not grouped into any
domains. The second step is to do some simple statistics analysis of the big table of
242 STs derived from the first step. Results in this step show the usage of SFR
classes in these STs and the relationship between EAL & SFR. The third step is to
define reusable SFR packages with different levels. With basic knowledge of what
security objectives are required in this secure software and in what level, developers
can find out the corresponding reusable SFR packages defined in this step for
directly use or customization. Step 3 explores the total 189 STs as one set. The fourth
step discovers the correlations among SFRs, which provides valuable information for
security architecture design. The fifth step explores the 189 STs as 9 sets, where each
set matches with a particular domain. Results of this step are security requirements
pattern for each domain, which can be customized for a new products use if it fits in
any of these domains. The last step is the validation of all the results derived from
step 3 and 5.
33
Avg num of
TOE SFR
Range of
TOE SFR
Avg
EAL
Range
of EAL
Num
of STs
19.00
[8, 38]
2.65
[2, 4]
10
22.21
[4,46]
3.23
[1,4+]
42
23.27
22.56
[2,39]
[1, 69]
3.73
2.47
[2,4+]
[1, 4+]
11
16
18.43
[10, 29]
2.14
[2, 3]
33.97
[3, 91]
4.47
[2+, 5+]
36
29.36
[7, 76]
3.25
[1+, 4+]
13
22.86
[4, 45]
2.73
[1, 4+]
28
35.88
[11, 107]
3.81
[2, 5]
26
35
250
217
217
206
201
200
177
150
109
100
60
50
36
41
FRU
FTA
26
23
0
FAU
FCO
FCS
FDP
FIA
FMT
FPR
FPT
FTP
36
FRU, which addresses resources availability, only included in less than 15%
validated security products, mainly from database, smart card and operating system
domains. We can see that deny of service (DoS) type of attacks are not addressed
enough in this dataset. FCO and FPR target on non-repudiation and privacy. They
are not typical security mechanisms like identification& authentication and access
confidentiality, hence are not frequently used in this dataset.
37
not a very strong evidence to derive the conclusion that the EAL of TOE tends to
increase when the number of SFRs of TOE increases. But the result in Figure 10
shows one aspect of the fact that leads to a clear direction for further discussion and
explorations in the future.
Domain type: For security products in certain domain, they tend to have
relatively high EAL. For example, as shown in table 8, out of 36 security
products in IC and smart card systems, the average EAL is 4.47.
39
Limited resources: There are not enough resources to achieve the desired EAL.
For example, developers are not capable of doing the formally verified design.
Or there is not enough budget and time for doing it.
40
The following table shows the number of STs, the average EAL and the average of
number of SFRs in year(s) from 1997 to 2005.
Year
NumofSTs EAL
TOESFR
1997 to 2001
29
2.86
22.45
2002
40
3.41
28.65
2003
39
3.26
25.26
2004
46
3.30
25.74
2005
88
3.22
24.74
Table 9: Average EAL & Number of SFRs
As we can see from the table, there are only 29 STs published from 1997 to 2001,
but there are 40 ST files in 2002 one year. In 2005, the number of certified ST files
increased to 88. It not only shows that common criteria is accepted by more people
in both industry and government side, but also shows that security is required in
many fields, and hence is involved in more projects than before. From the average
EAL and the average of number of SFRs in each year, we can see that there is a big
increase from [1997, 2001] to 2002. That shows the dramatic increase of needs for
security during 2002, on the aspects of both functionalities and assurance. One could
question whether it is because the tragedy happened on August 11th, 2001. After
2002, the development of security projects achieves a relatively steady state, where
the EAL and number of SFRs only have little fluctuation. The average of EAL and
number of SFRs in 2005 is little lower than 2004, because of the big number of
security products in 2005 that broads the range of security levels of these products.
To discover more details in how the development of security products changes, let
us take a look on the statistics result of security objectives during these periods. The
41
information about the number and percentage of security products that have a certain
security objective in a particular period is shown in the table 10 and 11:
Year
1997 to 2001
2002
Number
2003
of
2004
Security
2005
Products
Total
Priv
3
6
5
5
7
26
Acc
21
26
30
30
56
163
Rec
5
8
7
10
12
42
IDR
13
22
15
19
35
104
Year
1997 to
2001
2002
Percenta 2003
-ge of
2004
Security 2005
Products Total
I&A
Conf
Integ
Ava Non-R
79.3%
82.5%
84.6%
87.0%
80.7%
82.6%
100.0%
100.0%
100.0%
100.0%
98.9%
99.6%
37.9%
52.5%
56.4%
60.9%
42.0%
49.2%
13.8%
20.0%
23.1%
15.2%
13.6%
16.5%
6.9%
17.5%
17.9%
4.3%
10.2%
11.2%
SM
Priv
Acc
Rec
IDR
79.3%
95.0%
89.7%
93.5%
93.2%
91.3%
10.3%
15.0%
12.8%
10.9%
8.0%
10.7%
72.4%
65.0%
76.9%
65.2%
63.6%
67.4%
17.2%
20.0%
17.9%
21.7%
13.6%
17.4%
44.8%
55.0%
38.5%
41.3%
39.8%
43.0%
that have identification& authentication and integrity keep increasing from [1997,
2001] to 2004, which shows an increase of importance of these two security
objectives. Let us then look at the average number of SFRs that are used by security
products for achieving security objective in these years, as shown in Table 12.
Year
1997 to 2001
2002
2003
2004
2005
Avg
I&A
3.79
4.55
3.82
3.65
3.81
3.92
Priv
0.14
0.20
0.13
0.13
0.09
0.14
Acc
3.34
3.38
4.08
4.11
3.42
3.67
Rec
0.21
0.53
0.23
0.30
0.26
0.31
IDR
0.90
1.18
1.13
0.83
0.84
0.97
43
44
The SFR packages can be formed based on different rigor security level. For
example, SFR package with level 2 provides more security level for the security
objective that it supports than SFR package with level 1.
For any security objective, the SFR package may be defined in one or both formats.
Re-authenticating (UAU.6) increases the rigor level of authentication by reauthenticating the user with a specified time limit.
46
5.1.2 Confidentiality
Confidentiality includes several sub-objectives: access control, information flow
control, encryption and residual data protection, hence are supported by multiple
SFR classes. There are total 36 SFRs that support the sub-objectives of
confidentiality. These sub-objectives can be selected together or separately in
particular security product for satisfying confidentiality. In terms of the rigor level of
confidentiality, access control and/or information flow control is usually selected for
basic level of protection of confidentiality. Access control and encryption are used in
the security products with medium to high requirements on confidentiality, and at the
same time, the data being protected need to be accessible. However, residual data
protection (FDP_RIP) targets on data that is not in use anymore.
Access control and information flow control are directly supported by some SFRs
in FDP class, such as access control policies and functions (FDP_ACC, FDP_ACF),
information flow control policy and functions (FDP_IFC, FDP_IFF). It is also
indirectly supported by FIA_UID since identification is required for enforcing access
control polices. In normal cases, authorization should also rely on authentication
(FIA_UAU) to validate the identity of user before any authorization happens.
However, in some cases authentication may be excluded from TOE because the TOE
47
is physically protected and only user with certain roles can access it or the ITenvironment provides the authentication. The difference between FDP_ACC and
FDP_IFC is that the previous one targets on the static user data while the later one
targets on the information flow under TSF control. If the TOE requires import or
export data out of TSF control, FDP_ETC and FDP_ITC should be considered to
include in the SFR set. Statistics result from these 242 STs show that there are more
security products with requirements in importing data (FDP_ITC) than exporting
data (FDP_ETC). One major reason for this is that cryptographic keys need to be
securely imported instead of being generated for some security products.
Static data
access control
Information
flow access
control
Level 1
Access control on subset of
operations
FDP_ACC.1, FDP_ACF.1
Access control on subset of
operations FDP_IFC.1, FDP_IFF.1
Level 2
Access control on all
operations FDP_ACC.2,
FDP_ACF.1
Access control on all
operations FDP_IFC.2,
FDP_IFF.1
48
where FDP_ACC and FDP_ACF needs to be iterated for different access control
policies and functions.
Encryption is a strong mechanism in protecting data confidentiality, especially for
export information, which may be out of TSF control. CC defines a single SFR class
called cryptographic support (FCS) for encryption-related requirements. The most
reusable SFR package for encryption are shown in table below:
Level 1
Crypto key operation
FCS_COP.1
Level 2
FCS_COP.1 FCS_CKM.1,
FCS_CKM.4
Level 3
FCS_CKM.1,[FCS_CKM.2],
[FCS_CKM.3],FCS_CKM.4
Has requirement of cryptographic key generation, and rely on ITenvironment for cryptographic key destruction requirement
49
5.1.3 Integrity
Integrity ensures data from unauthorized modification. For detecting the
compromise of the integrity, SFRs in FCS are usually used to generate hash value for
50
the information content. For example, data authentication (FDP_DAU) ensures the
validity of static data by generating hash values for the information content several
times and comparing the result. Data authentication with identity (FDP_DAU.2) is
similar with SFRs for non-repudiation, except it is for static data, while SFRs for
non-repudiation is for data in transmission. Moreover, FDP_DAU emphasizes on the
validity of data, while SFRs for non-repudiation more emphasize on the generator of
data instead of the data content. Enforcing access control and information flow
control policies on user/TSF data (FDP_ITT.1/2, FPT_ITT.1/2) can also help to
prevent the compromise of integrity. There are total 24 SFRs for integrity, which can
be grouped by three phases of protecting integrity: Prevention, monitoring, reaction.
SFR packages for each group are shown in Table 16:
Prevent Integrity
Compromise
Integrity Monitor
Recover From
Integrity Error
5.1.4 Availability
Availability security objective focuses on availability on both TOEs capabilities
and resources, which directly maps with SFRs in resource utilization (FRU) and
protection of TSF (FPT), and is also supported by several other SFR classes:
51
Security management (FMT), protection of TSF (FPT) and TOE access (FTA).
There are total 7 SFRs that support availability, which cover fault toleration, priority
of services, resource quota allocation and exported TSF data availability. It is hard to
define reusable SFR packages for availability since this objective is often satisfied by
independent SFR instead of a group of SFRs. Several observations on the use of SFR
from STs including availability are described in the next paragraph.
Although security products claim the availability is satisfied by SFRs in FMT,
such as management of security attributes (FMT_MSA) and security management
roles (FMT_SMR), it is not serious consideration for achieving availability. Around
44% of security products has requirement on the maximum quota of certain service(s)
that single user or a group of users can use (FRU_RSA.1), which address deny of
service (DoS) attacks. No security products has requirement on ensuring the
provision of minimum quantity of certain resource(s) to be available for single user
or a group of users (FRU_RSA.2), which can be considered as an advance protection
from DoS attacks. Very few products address that each access on resources should
be managed by the priority of the subject, e.g., users, services (FRU_PRS). Many
security products in IC and smart card domain have high requirement on fault
tolerance (FRU_FLT). 11 out of 13 security products ensure that all TOE
capabilities availability when certain failures occur are from IC and smart card
domain. However, most security products with FRU_FLT from other domains only
ensure the key part of TOE capabilities availability. Exported TSF data availability
(FTP_ITA) is selected by 4 security products out of the total 242 security products,
52
where they need to export TSF data such as encrypt key or audit data. It is not usual
to export TSF data to other remote trusted IT products unless the TOE works in a
distributed security system, where security products collaborate in security functions
by sharing the TSF data.
5.1.5 Non-Repudiation
Communication (FCO) targets on non-repudiation security objectives, where the
sender cannot deny the origin of the information (FCO_NRO) and the receiver
cannot deny the receipt of the information (FCO_NRR). SFRs from cryptographic
support (FCS) and/or identification & authentication (FIA), such as key management
(FCS_CKM), key operation (FCS_COP) and user identity (FIA_UID) should also be
included when the security product has non-repudiation requirement. There are total
11 SFRs that support non-repudiation. An important observation in this class is that
security products are more interested in verifying the origin of the information,
compared with verifying the receipt of the information. For example, customer may
want to verify the origin of certificate is from an authorized CA, not attackers. But
on the CA side, it does not need to verify whether customer has receipted the
certificate. All 23 security products that include FCO requirements select SFR in
FCO_NRO family, however, only 6 of them select SFR in FCO_NRR family. 5 out
of these 6 security products are messaging management systems, where the evidence
of sending and receiving messages are both important.
53
Besides the obvious reusable SFR packages with three rigor levels in FCO class,
we can also group SFRs in FCS and FIA into two levels as shown in the Table 17
and Table 18.
Level 1
FCO_NRO.1/FCO_NRO.1
Level 2
FCO_NRO.1, FCO_NRR.1
Level 3
FCO_NRO.2, FCO_NRR.2
Level 2
FIA.UID.1/FIA_UID.2, FCS_COP.1,
FCS_CKM.1, FCS_CKM.4
FMT_MTD addresses the aspect of managing TSF data (e.g., audit record or time
stamp). Around 62% security products choose requirements in this family.
Among these security products, more than 85% of them only choose the basic
54
requirement, which allows users with certain roles to manage the values of TSF
data (FMT_MTD.1). Around 10% of them also has requirement of management
of limits on TSF data (FMT_MTD.2). Around 5% of them also has requirement
on secure TSF data (FMT_MTD.3).
because it only has one user role that is the authorized users. In this case, TOE
often physically protected and only an authorized user (the administrator) has
access to the TOE. Hence, for security products not including FMT_SMR
requirement, they also do not include requirement for authentication (FIA_UAU).
5.1.7 Privacy
Privacy security objective also concerns on information disclosure and is directly
supported by FPR class in CC. There are total 10 SFRs in FPR class. The major
difference is the type of data being protected. FDP focuses on the user data and FTP
focuses on TSF data. FPR, however, focuses on the non-disclosure of user identity or
non-observability of user actions to other users/subjects and/or TSF. The use of SFRs
for privacy focuses on two aspects: Pseudonymity (FPR_PSE) and unobservability
(FPR_UNO). Pseudonymity is usually used in security products sit on network
boundary, which have requirement of hiding internal network address to outside
users/computers. Unobservability is usually used in security products in smart card
domain, which require the unboservability of functions such as cryptographic key
operation, access control functions by users through the use of security product.
56
5.1.8 Accountability
Audit (FAU) is directly mapping to accountability as shown in table 4. There are
total 11 SFRs in FAU. Audit provides tracking evidence on user behaviors and
system status, which can be also used in system performance analysis or intrusion
detection purposes. Hence it has indirectly contributions to other security objectives,
such as intrusion detection and response. Audit data can also be used as report to
users as evidence for successfully fulfilled actions.
Three levels of packages of SFR requirements are shown in Table 19:
Level 1
Level 2
Level 3
5.1.9 Recoverability
Recoverability is a corrective security objective compared with preventive security
objectives such as authentication and authorization. There are total 10 SFRs satisfy
recoverability, which fall into two SFR classes: FDP and FPT.
57
Data
recoverability
TSF
recoverability
Table 21 lists the SFRs defined in CC that map to this security objective.
Intrusion
Detection
Intrusion
Response
components
requirement),
which
contains
requirements
on
analysis/react
(IDS_ANL.1,
IDS_RCT.1),
restricted
data
review
(IDS_RDR.1) and guarantee of system data (IDS_STG.1/2). Since these 8 SFRs are
explicitly stated, I dont count them into the total SFRs for ID&R except in the case
when the majority of security products in a particular domain select this class. An
example is Detection Devices domain, which will be discussed later in section 5.2.5.
As shown in table 17, there are also total 13 SFRs defined in CC for satisfying this
security objective. FAU_ARP and FAU_SAA, although they are from security audit
class (FAU), they are about security audit data analysis and automatic response,
hence are grouped into SFR package for intrusion detection and response. TSF
59
physical protection (FPT_PHP) detects and resists to physical attacks that launch on
TSF. Replay detection (FPT_RPL) is to detect a special type of attack: replay attack,
which tries to resend legal messages or service requests and portends that they are
sent from authorized users. Session locking from TOE access class (FTA_SSL) is to
lock or terminate user sessions when any attack is detected.
domain of the security product. Each column from FAU to FTP represents the
number of SFRs in one SFR class (e.g., FAU) in a security product.
CaseNum
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Project
ACDS
ACDS
ACDS
ACDS
ACDS
ACDS
ACDS
ACDS
ACDS
ACDS
BPDS
BPDS
BPDS
BPDS
BPDS
BPDS
BPDS
FAU FCO FCS FDP FIA FMT FPR FPT FRU FTA FTP
0
0
1
3
3
6
0
2
0
0
1
0
0
1
3
3
4
0
2
0
0
1
1
0
0
0
5
1
0
3
0
1
0
6
0
6
4
10
8
0
3
0
0
1
6
0
0
2
0
4
0
0
0
0
0
0
0
8
4
2
6
0
0
0
0
0
0
0
0
2
2
1
0
3
0
0
0
6
0
0
3
7
6
0
5
0
2
0
7
0
0
2
6
6
0
0
0
0
0
6
0
1
3
5
4
0
2
0
0
0
3
1
0
2
3
4
0
7
0
0
0
2
0
0
4
0
8
0
1
0
0
0
6
0
0
6
3
9
2
3
0
0
0
5
0
0
4
3
4
0
3
0
0
0
3
0
0
5
3
5
0
3
0
0
0
5
0
0
8
0
14
0
1
0
0
0
5
0
0
8
0
9
0
0
0
0
0
FAU
FCO
FCS
FDP
FIA
FMT
FPR
FPT
FRU
FTA
FTP
Avg
FAU
1.00
-0.06
-0.12
0.10
0.32
0.38
0.02
0.15
0.11
0.30
-0.04
0.20
FCO FCS
-0.06 -0.12
1.00 0.15
0.15 1.00
0.35 0.54
0.31 0.34
0.12 0.34
0.27 0.24
0.17 0.37
0.09 0.09
0.05 0.09
0.15 0.41
0.24 0.31
FDP
0.10
0.35
0.54
1.00
0.47
0.45
0.41
0.57
0.17
0.08
0.52
0.42
FIA
0.32
0.31
0.34
0.47
1.00
0.51
0.28
0.42
-0.03
0.24
0.28
0.38
FMT FPR
0.38 0.02
0.12 0.27
0.34 0.24
0.45 0.41
0.51 0.28
1.00 0.21
0.21 1.00
0.32 0.38
0.12 0.16
0.43 -0.03
0.28 0.04
0.38 0.27
FPT
0.15
0.17
0.37
0.57
0.42
0.32
0.38
1.00
0.22
0.13
0.45
0.38
FRU FTA
0.11 0.30
0.09 0.05
0.09 0.09
0.17 0.08
-0.03 0.24
0.12 0.43
0.16 -0.03
0.22 0.13
1.00 0.21
0.21 1.00
0.11 0.10
0.20 0.24
FTP
-0.04
0.15
0.41
0.52
0.28
0.28
0.04
0.45
0.11
0.10
1.00
0.30
FDP vs. FCS: SFRs in FDP targets on user data confidentiality or integrity,
which requires encryption in some security products.
FDP vs. FIA: Access control SFRs in FDP require identification and sometimes
authentication.
FDP vs. FMT: Access control SFRs in FDP requires management of roles and
security attributes.
FDP vs. FPT: For security products with high expectation on data confidentiality,
SFRs in FPT such as domain separation (FPT_SEP_ and reference mediation
(FPT_RVM) are required.
FDP vs. FTP: For security products where there are communications from
remote users or other IT-trusted products, it is important to have secure
channels/path between for these communications.
FIA vs. FMT: Since password is one of the security attributes, SFRs in FIA class
such as authentication requirement also need requirement of security attributes
management in FMT.
The last row in the table shows the average correlation value for each SFR class.
Some SFR classes such as FAU, FCO, FPR, and FRU have relatively low correlation
compared with others. However, the correlation among different SFR classes is not
obvious since the highest correlation value is around 0.57. For developers that are
not familiar with CC, the correlations among SFR classes may look less meaningful.
62
Another observation is that most correlations are related with SFR class FDP. The
major reason is that the SFRs in FDP cover confidentiality, integrity and
recoverability of user data; hence it is more easily correlated with other SFR classes.
To discover the correlations among SFRs further, the second dataset is created based
on table in section 2.2.3.1. Instead of grouping SFRs as classes defined in CC, SFRs
are grouped for each security objective in this dataset. In Figure 12, each row and the
first two columns have the same meaning as which in Figure 11. Each column from
I&A to IDR represents the number of SFRs for each security objective (e.g.,
Identification and Authentication) that are included in a security product.
CaseNum
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Project
ACDS
ACDS
ACDS
ACDS
ACDS
ACDS
ACDS
ACDS
ACDS
ACDS
BPDS
BPDS
BPDS
BPDS
BPDS
BPDS
I&A
3
3
5
10
0
2
2
7
6
5
3
0
3
3
3
0
security objectives are the same as those for FIA, FMT and FPR in the first
dataset.
Only SFRs that directly support each security objective are counted to obviate
the false-correlation.
There are 6 SFRs that do not directly support any of the security objectives,
hence are not included in this dataset: Abstract machine testing (FPT_AMT),
state synchrony protocol (FPT_SSP), limitation on scope of selectable attributes
(FTA_LSA), limitation on multiple concurrent sessions (FTA_MCS), TOE
access banners (FTA_TAB), TOE access history (FTA_TAH). These SFRs only
used in few security products, hence should not affect the overall accuracy of the
correlation observation result. The user of these SFRs will be discussed
specifically when exploring security requirement patterns in each security
product domain in section 6.
Since this dataset is not directly derived from the STs, the correctness of it needs to
be verified. Security objectives for security product can be found in section 3 of ST,
but they are represented very differently since CC does not provide a standard in
64
defining
security
objectives.
For
example,
one
security
product
has
FDP_ITT.1 and FPT_ITT.1 are SFRs mapping with both confidentiality and
integrity, because they protect inter TOE user/TSF data transfer from disclosure
or modification. However, some security products select FDP_ITT.1 or
FPT_ITT.1 only for confidentiality, which causes the mistakes in identifying
integrity as security objectives in some security products. There are around 15%
of security products are misidentified to include integrity as security objective. It
wont have big effect on the dataset since it only cause one SFR difference.
The correlations among security objectives are shown in table below:
I&A
CONF
INTEG
AVA
NON-R
SM
PRIV
ACC
REC
IDR
Avg
I&A
1.00
0.53
0.39
-0.05
0.34
0.51
0.28
0.29
0.38
0.22
0.39
NON-R
0.34
0.43
0.46
0.09
1.00
0.18
0.46
-0.11
0.36
0.11
0.33
SM
0.51
0.53
0.39
0.09
0.18
1.00
0.21
0.37
0.26
0.16
0.37
PRIV
0.28
0.38
0.38
0.12
0.46
0.21
1.00
-0.08
0.34
0.28
0.34
ACC
0.29
-0.01
-0.13
0.04
-0.11
0.37
-0.08
1.00
-0.13
0.06
0.13
REC
0.38
0.60
0.58
0.13
0.36
0.26
0.34
-0.13
1.00
0.30
0.38
IDR
0.22
0.26
0.29
0.09
0.11
0.16
0.28
0.06
0.30
1.00
0.28
65
We can see that there are some higher correlations among SFRs if they are
grouped by security objectives. With consideration in correlations among SFR
classes and security objectives, some rules for design can be derived as following:
In most cases, SFRs for access control are dependent on SFRs for identification&
authentication.
FPR and FRU class. Hence SFRs for each of these security objectives can be
implemented in one component, without having many coupling relationship with
other components.
It is also interesting to see what the correlations among security objectives are for
different security product domains. For those domains with relatively large number
of security products, I ran the same analysis on them and got the results as shown in
the tables below:
I&A
CONF
INTEG
AVA
NON-R
SM
PRIV
ACC
REC
IDR
I&A
1.00
0.57
0.04
-0.13
0.00
0.15
-0.05
0.70
0.00
0.23
NON-R
0.00
-0.04
0.05
-0.02
1.00
-0.09
-0.03
-0.11
1.00
-0.10
SM
0.15
0.32
0.16
-0.01
-0.09
1.00
0.26
0.33
-0.09
0.16
PRIV
-0.05
0.05
-0.08
-0.03
-0.03
0.26
1.00
0.18
-0.03
0.11
ACC
0.70
0.42
-0.07
-0.11
-0.11
0.33
0.18
1.00
-0.11
0.24
REC
0.00
-0.04
0.05
-0.02
1.00
-0.09
-0.03
-0.11
1.00
-0.10
IDR
0.23
0.46
0.33
-0.10
-0.10
0.16
0.11
0.24
-0.10
1.00
I&A
1.00
0.78
0.73
-0.34
0.64
0.75
0.62
0.21
0.60
0.65
0.56
NON-R
0.64
0.64
0.66
0.02
1.00
0.55
0.63
0.17
0.49
0.18
0.50
SM
0.75
0.90
0.87
0.01
0.55
1.00
0.56
0.13
0.70
0.47
0.59
PRIV
0.62
0.53
0.55
-0.21
0.63
0.56
1.00
0.08
0.33
0.48
0.46
ACC
0.21
0.10
0.11
0.38
0.17
0.13
0.08
1.00
0.21
-0.01
0.24
REC
0.60
0.81
0.82
0.08
0.49
0.70
0.33
0.21
1.00
0.43
0.55
IDR
0.65
0.49
0.44
-0.27
0.18
0.47
0.48
-0.01
0.43
1.00
0.38
67
I&A
CONF
INTEG
AVA
NON-R
SM
PRIV
ACC
REC
IDR
Avg
I&A
1.00
0.16
-0.06
0.21
-0.16
0.46
0.34
0.80
0.28
0.62
0.36
CONF
0.16
1.00
0.82
0.14
0.09
0.35
0.15
0.29
0.18
0.11
0.33
INTEG AVA
-0.06
0.21
0.82
0.14
1.00
0.00
0.00
1.00
0.18
-0.10
0.09
0.03
0.02
0.21
0.04
0.39
-0.03
0.79
-0.01
0.06
0.21
0.27
NON-R
-0.16
0.09
0.18
-0.10
1.00
0.13
-0.10
-0.03
-0.11
-0.11
0.08
SM
0.46
0.35
0.09
0.03
0.13
1.00
0.23
0.22
0.07
0.19
0.28
PRIV
0.34
0.15
0.02
0.21
-0.10
0.23
1.00
0.31
0.49
0.32
0.30
ACC
0.80
0.29
0.04
0.39
-0.03
0.22
0.31
1.00
0.35
0.56
0.39
REC
0.28
0.18
-0.03
0.79
-0.11
0.07
0.49
0.35
1.00
0.04
0.31
IDR
0.62
0.11
-0.01
0.06
-0.11
0.19
0.32
0.56
0.04
1.00
0.28
SM
0.61
0.62
0.51
0.02
1.00
-0.12
0.41
0.02
0.76
0.43
PRIV
-0.17
-0.08
-0.05
0.07
-0.12
1.00
-0.09
-0.12
-0.13
0.03
ACC
0.66
0.44
0.34
-0.21
0.41
-0.09
1.00
0.21
0.38
0.35
REC
0.23
0.03
-0.12
0.06
0.02
-0.12
0.21
1.00
0.45
0.20
IDR
0.51
0.58
0.49
0.10
0.76
-0.13
0.38
0.45
1.00
0.46
The high correlations from non-repudiation and recoverability are only shown in
ICSCRS, which is because they are used in many security products in this
domain. The high correlations between non-repudiation with confidentiality and
integrity do not seem reasonable for me since there is no theories support for
them.
Confidentiality
FCS_COP.1,
FDP_ACC.1/2,
FDP_ACF.1, FPT_RVM.1
Security
Management
MSA.1, MSA.3,
MTD.1, REV.1,
SMR.1, SMF.1
71
Confidentiality
Pattern
1
ATD.1,
UAU.1/UAU.2,
UID.1/UID.2
Pattern
2
AFL.1, ATD.1,
UAU.1/UAU.2,
UID.1/UID.2
Pattern
3
N/A
FDP_IFC.1,
FDP_IFF.1,
FPT_RVM.1,
FPT_SEP.1
FDP_IFC.1,
FDP_IFF.1,
FPT_RVM.1,
FPT_SEP.1
FDP_IFC.1,
FDP_IFF.1,
FPT_RVM.1,
FPT_SEP.1
Security
Management
MOF.1,
MSA.1,
MSA.3, SMR.1
MOF.1,
MSA.1,
MSA.3,
SMR.1, MTD.1
MOF.1,
MSA.1,
MSA.3,
SMR.1, MTD.1
Accountability
GEN.1, SAR.1,
SAR.3,
STG.3/STG.4,
FPT_STM.1
GEN.1, SAR.1,
SAR.3, STG.1,
STG.3/STG.4,
FPT_STM.1
FAU_GEN.1,
FAU_SAR.1,
FAU_SAR.3,
FPT_STM.1
provide
information
flow
policy
and
function
to
control
the
Accountability: Audit generation without user identity, audit data selectable review
and reliable time stamps appear in patterns in all three sets. It is recommended to has
requirement of action in cases of audit data loss or prevention of audit data loss.
For SFR patterns in optional security objectives, this paragraph provides some
observations on them. Around 30% security products have basic requirement on
intrusion detection and response: Potential violation analysis (FAU_SAA.1) and
alarm response (FAU_ARP.1). Around 10% security products have basic
requirement on preventing compromise of integrity, which selects internal TOE
transfer (FDP_ITT.1) and/or internal TOE TSF data transfer (FPT_ITT.1). Less than
10% of security products have requirements in integrity by protecting data exchange
integrity from TSF and other trusted-IT products (FDP_UIT.1).
Availability,
73
For the 6 SFRs that are not covered by SFR packages for security objectives
defined in section 5, none of them are selected in this domain except that abstract
machine testing (FPT_AMT.1) is used in less than 3% of security products.
Confidentiality
Security
Management
MSA.1,
ATD.1,
FDP_ACC.1/
MSA.3,
UAU.1/UAU.2, FDP_ACC.2,
MTD.1,
UID.1/UID.2,
FDP_ACF.1,
USB.1
FDP_RIP.1/ FDP_RIP.2, REV.1,
SMR.1, SMF.1
FPT_SEP.1,
FPT_RVM.1
Accountability
GEN.1,
GEN.2,
SAR.1,
SAR.3, SEL.1
STG.1,
STG.3/STG.4,
75
For the 6 SFRs that are not covered by SFR packages for security objectives
defined in section 5, none of them are selected in this domain except that basic
limitation on multiple concurrent sessions (FTA_MCS.1) is used in 5 security
products. Some security products also have requirement on relying TSF to deny the
session establishment based on certain criteria (FTA_TSE.1).
76
SFR Patterns for primary security objectives are shown in table below:
I&A
UAU.1/UAU.2,
UID.1/UID.2
Confidentiality
FCS_COP.1, FCS_CKM.1,
FCS_CKM.4, FDP_ACC.1/
FDP_ACC.2, FDP_ACF.1,
Security
Management
MOF.1, MSA.1,
MSA.2, MSA.3,
SMR.1
78
SFR Patterns for primary security objectives are shown in table below:
I&A
Security
Management
MOF.1, MTD.1,
SMR.1, SMF.1
Accountability
ID&R
IDS_SDC.1,
IDS_ANL.1,
IDS_RCT.1
Table 37: SFR Patterns for Primary Security Objectives in DD
UAU.1/UAU.2,
UID.1/UID.2
GEN.1, SAR.1,
SAR.2, SAR.3,
SEL.1
management
(FMT_SMR.1)
and
security
management
functions
79
Since number of STs in this domain is relatively large, similarly with what I did in
BPDS domain, STs in this domain are grouped into 3 sets. Each set contains 12 STs.
Pattern 1 is derived by set 1 plus set 2; pattern 2 is derived by set 2 plus set 3; and
pattern 3 is derived by set 1 plus set 3. SFR Patterns for primary security objectives
for the combinations of sets are shown in table below:
Pattern
1
Pattern
2
Pattern
3
Confidentiality
Integrity
FCS_CKM.4,
FCS_COP.1,
FDP_ACC.1/2,
FDP_ACF.1,
FDP_IFC.1, FPT_SEP.1
FCS_CKM.1,
FCS_COP.1,
FDP_ACC.1/2,
FDP_ACF.1,
FDP_IFC.1, FPT_SEP.1
FCS_CKM.1,
FCS_CKM.4,
FCS_COP.1,
FDP_ACC.1/2,
FDP_ACF.1,
FDP_IFC.1, FPT_SEP.1
FCS_CKM.4,
FCS_COP.1,
FDP_SDI.1/2,
FPT_TST.1
Security
Management
MSA.1,
MSA.3,
MTD.1,
SMR.1
ID&R
FPT_PHP.3
FCS_CKM.1,
FCS_COP.1,
FDP_SDI.1/2,
FPT_TST.1
MSA.1,
MSA.3,
SMR.1
FPT_PHP.3
FCS_CKM.1,
FCS_CKM.4,
FCS_COP.1,
FDP_SDI.1/2,
FPT_TST.1
MOF.1,
MSA.1,
MSA.3,
MTD.1,
SMR.1
FAU_SAA.1,
FPT_PHP.3
Security Management: Three SFR patterns are quite different for security
management, although they have one commonality on security attributes
management and management of security roles. Pattern 1 has extra requirement on
management of TSF data compared with pattern 2. Pattern 3 has the strongest
security mechanisms among these three patterns, and it also has requirement on
management of TSF functions.
Intrusion Detection& Response: Three derived patterns all include requirement on
physical protection on TSF. Only difference is pattern 3 also includes requirement on
security audit data automatic analysis.
Security products in this domain cover all security objectives discussed in section
5. Besides the 4 primary security objectives that are chosen by majority of security
products, the rest 6 security objectives can be divided into three groups. The first
group includes identification& authentication and recoverability, which are selected
by around 70% of security products. The second group includes availability,
accountability and privacy, which are selected by around 45% of security products.
The third group includes only non-repudiation, which is selected by around 20% of
security products. For security products having identification& authentication, they
have medium to high requirement on it, by having authentication failure handling
(FIA_AFL.1),
unforgeable
authentication
(FIA_UAU.3)
and
single-use
accountability, which having protected audit storage. Many security products in this
domain have requirements on high fault tolerance (FAU_FLT.2) and resource
maximum quotas (FAU_RSA.1). Unobservability (FPR_UNO.1) is also important in
many security products because they dont want users to gain extra information (e.g.,
crypto key) by observing the behaviors of some operations, such as encryption
operations. There are security products also provide the proof of origin for
transmitted information (FCO_NRO). For example, attackers may forge a credit card.
However, the security application is able to recognize that it is a forged one because
it cannot provide the proof of origin that will be accepted by the security application.
For the 6 SFRs that are not covered by SFR packages for security objectives
defined in section 5, abstract machine testing (FPT_AMT.1), limitation on scope of
selectable attributes (FTA_LSA.1) and default TOE access banners (FTA_TAB.1)
are selected by around 5% of security products.
SFR Patterns for primary security objectives are shown in table below:
I&A
Confidentiality
AFL.1,
UAU.1/2,
UID.1/2
FDP_ACC.1/2,
FDP_ACF.1,
FPT_RVM.1
Integrity
N/A
Security
Management
MOF.1,
MTD.1
Accountability
GEN.1,
(GEN.2)
(FPT_RPL.1) and session locking (FTA_SSL). Only one security product selects
failure with preservation of TSF secure state (FPT_FLS.1) and degraded fault
tolerance (FRU.FLT.1) for achieving availability security objective.
For the 6 SFRs that are not covered by SFR packages for security objectives
defined in section 5, only abstract machine testing (FPT_AMT.1) is used by one
security product with availability as security objective.
85
The primary and optional security objectives for data protection domain are shown
in table below:
Primary Security
Objectives
Optional Security
Objectives
ATD.1,
UAU.1/2,
UID.1/2
ATD.1,
UAU.1/2,
UID.1/2
ATD.1,
UAU.1/2,
UID.1/2
Confidentiality
ACC.1/2, ACF.1,
IFC.1/2, IFF.1,
FPT_SEP.1
IFC.1/2, IFF.1,
FPT_RVM.1,
FPT_SEP.1
IFC.1/2, IFF.1,
FPT_RVM.1,
FPT_SEP.1
Security
Management
MOF.1, MSA.1,
MSA.3, MTD.1,
SMR.1
MOF.1, MSA.1,
MTD.1, SMR.1
MOF.1, MSA.1,
MSA.3, MTD.1,
SMR.1, SMF.1
Accountability
FAU_GEN.1,
FAU_SAR.1,
FPT_STM.1
FAU_GEN.1,
FAU_SAR.1,
FPT_STM.1
FAU_GEN.1,
FAU_SAR.1,
FPT_STM.1
major reason is because some security products that derive pattern 2 and 3 are in the
overlap range between this domain and the Boundary Protection Devices and
Systems (BPDS) domain. Hence pattern 2 and 3 for confidentiality in this domain
are identical to the derived patterns for confidentiality in BPDS domain.
Security Management: Three patterns are different with each other for this security
objective except the commonality on management of security functions behavior,
management of security attributes, management of TSF data and security roles
management. Pattern 1 also one more requirement on the static security attribute
initialization. Pattern 3 has the strongest requirement on security management
compared with the rest two patterns. It also includes requirement on specification of
management functions, which allows authorized users to define/modify the attributes
that control security-related operations.
Accountability: Three patterns are consistent in this security objective. Basic audit
data generation and review are selected. TSF also needs to provide a reliable
timestamp to ensure the validity of the generated audit data and add more
information onto it.
Besides the four primary security objectives, security products in this domain
cover all the rest six security objectives. Since security products in this domain are
network-related, it is possible that different parts of TSF are located on different
network nodes. For example, the part of TSF for collecting network information can
be allocated on several network nodes, and the part of TSF for analyzing network
87
information and making decisions is allocated on another network node. Both parts
need to secure the message communicated between them. For this kind of security
products, they often have requirements on inter-TSF user data integrity transfer
protection (FDP_UIT) and/or inter-TSF detection of modification of TSF data
(FPT_ITI). Around 30% of security products also choose cryptographic operations to
achieve integrity. Around 50% of security products have intrusion detection&
response as one of their security objectives. Intrusion detection is mainly achieved by
having requirements on audit data automatic analysis (FAU_SAA) and response
(FAU_ARP), and physical protection of TSF. Intrusion response is mainly achieved
by having requirements on TSF-initiated termination (FTA_SSL.3) and TOE session
establishment (FTA_TSE.1). Two security products select requirements defined in
IDS, which is an explicated SFR class and used by many products in detection
devices domain. Availability, non-repudiation, recoverability and privacy are each
selected by less than 15% of security products. Availability is achieved by selecting
inter-TSF availability within a defined availability metric (FPT_ITA.1), degraded
fault tolerance (FRU_FLT.1) and limited priority of service (FRU_PRS.1). There are
two security products that choose privacy. One has requirement on anonymity
(FPR_ANO.1). The other has requirement on pseudonymity (FPR_PSE.1). Security
products achieve recoverability by selecting basic rollback (FDP_ROL.1), failure
with preservation of secure state (FPT_FLS.1) and manual/automated TSF recovery
(FPT_RCV.1/2). There are two security products selecting enforced proof of origin
(FCO_NRO.2).
88
For the 6 SFRs that are not covered by SFR packages for security objectives
defined in section 5, abstract machine testing (FPT_AMT.1), basic limitation on
multiple concurrent sessions (FTA_MCS.1) and default TOE access banners
(FTA_TAB.1) are selected by few security products.
89
derived by set 2 plus set 3; and pattern 3 is derived by set 1 plus set 3. SFR Patterns
for primary security objectives for the combinations of sets are shown in table below:
Pattern
1
Pattern
2
Pattern
3
I&A
Confidentiality
ATD.1, SOS.1,
UAU.1/2,
UAU.7,
UID.1/2,
USB.1
ATD.1, SOS.1,
UAU.1/2,
UAU.7,
UID.1/2,
USB.1
ATD.1, SOS.1,
UAU.1/2,
UAU.7,
UID.1/2,
USB.1
FDP_ACC.1/2,
FDP_ACF.1,
FDP_RIP.1/2,
FPT_RVM.1,
FPT_SEP.1
FDP_ACC.1/2,
FDP_ACF.1,
FDP_RIP.1/2,
FPT_RVM.1,
FPT_SEP.1
FDP_ACC.1/2,
FDP_ACF.1,
FDP_RIP.1/2,
FPT_RVM.1,
FPT_SEP.1
Security
Management
MSA.1, MSA.3,
MTD.1, REV.1,
SMR.1, SMF.1
MSA.1, MSA.3,
MTD.1, REV.1,
SMR.1, SMF.1
MSA.1, MSA.3,
MTD.1, REV.1,
SMR.1, SMF.1
Accountability
FAU_GEN.1, 2,
FAU_SAR.1, 2, 3,
FAU_SEL.1,
FAU_STG.1, 3, 4,
FPT_STM.1
FAU_GEN.1, 2,
FAU_SAR.1, 2, 3,
FAU_SEL.1,
FAU_STG.1, 3, 4,
FPT_STM.1
FAU_GEN.1, 2,
FAU_SAR.1, 2, 3,
FAU_SEL.1,
FAU_STG.1, 3, 4,
FPT_STM.1
Security Management: Three patterns are identical in this security objective. Security
products in this domain have medium-high requirements on security management.
They need to provide many customizations ways for authorized users (E.g.,
administrator) to adjust the strength of security mechanisms. For example,
administrator may change the privileges of a particular group of users or turn off the
guest account.
Accountability: Three patterns are identical in this security objective. Security
products in this domain have two extremely choices on accountability. They either
do not have accountability as one of its security objectives, or have extremely strong
SFRs for achieving accountability. Security products with accountability as their
security objective have almost every SFRs that are discussed in section 5.1.8 except
guarantees of audit data availability, which is much harder and more expensive to
implement compared with other SFRs.
Integrity is considered in around 30% of security products, which include interTSF user data exchange integrity (FDP_UIT.1) and TSF self-testing (FPT_TST.1).
Encryption requirements are also used for integrity in some security products.
Around 25% of security products select degraded fault tolerance (FRU_FLT.1) or
resource maximum quotas (FRU_RSA.1), which achieve the basic level of
availability. Around 20% of security products have recoverability and intrusion
detection& response as their security objectives, mainly achieved by failure with
preservation of secure state (FPT_FLS.1) and TSF functional recovery (FPT_RCV),
session locking (FTA_SSL) and TOE session establishment (FTA_TOE.1). Only two
91
security products have unobservability, which prohibit the users from exceeding their
privileges by observing some operations, such as encryption operations.
For the 6 SFRs that are not covered by SFR packages for security objectives
defined in section 5, abstract machine testing (FPT_AMT.1) is used in many security
products that have availability or recoverability as their security objectives.
Limitation on scope of selectable attributes (FTA_LSA.1), basic limitation on
multiple concurrent sessions (FTA_MCS.1), default TOE access banners
(FTA_TAB.1), and TOE access history (FTA_TAH.1) are selected by only one or
two security products.
92
93
i, j
/ (n j * m)) *100%
E j represents for the effectiveness of SFR pattern appears in jth security objective.
It is represented as a percentage number. Di, j represents the difference between this
SFR pattern with the actual used set of SFRs for security product i for security
objective j. nj represents the number of SFR components that are mapping with the jth
94
Integrity
Availability
Non-repudiation
Privacy
Accountability
Recoverability
ID&R
10
14
36
24
11
13
10
11
11
13
(21)
Security
Management
Confidentiality
Identification
&Authentication
section 5.
I can get Di, 8 for the rest security products. There are total 11 security products in
database domain, hence m=11. The sum of D of all security products is:
i, 8 =
25. From table, we can see that n=11 for accountability security objective.
Now we can calculate E accountability = (1- 25/11/11) * 100%= 79.3%.
Test Set
Set 1+2
Set 3
Set 1+2+3
Set 2+3
Set 1
Set 1+2+3
Set 1+2
Set 2
Set 1+2+3
Identity &
Authenticatio
n
85.7%
84.7%
85.4%
85.2%
81.6%
84%
82.9%
77.5%
81.6%
Confiden
tiality
Security
Management
Accounta
bility
92%
91.5%
91.8%
91.8%
91.7%
91.8%
91.6%
92.3%
91.8%
85.2%
82.4%
84.2%
84.6%
81.9%
83.7%
83.8%
83.5%
83.7%
82.5%
82.5%
82.5%
85.1%
76%
82%
79.5%
77.3%
78.8%
96
The percentages of security products that fit in different ranges of effectiveness are
shown in the table below:
Effectiveness of
Security Pattern
<=10%
<=20%
<=30%
Test Set
Confiden
tiality
Integrity
Security
Management
Set 1+2
Set 3
Set 1+2+3
Set 2+3
Set 1
Set 1+2+3
Set 1+2
Set 2
Set 1+2+3
84.7%
82.9%
84.1%
91.9%
83.3%
89%
83.7%
85.2%
84.2%
85.4%
84.4%
85.1%
92.9%
83.7%
89.8%
85.1%
85.1%
85.1%
80.8%
78.8%
80.1%
90.1%
77.6%
85.9%
79.8%
80.8%
80.1%
Intrusion
Detection&
Response
92%
90.4%
91.5%
91.3%
91.7%
91.5%
91%
89.7%
90.6%
97
The percentages of security products that fit in different ranges of effectiveness are
shown in the table below.
Effectiveness
of Security
Pattern
<=10%
<=20%
<=30%
16.7%
83.3%
100%
13.9%
55.6%
72.2%
58.3%
91.7%
100%
Identity& Authentication
88.8%
Accountability
81.5%
98
For confidentiality and security management, since three patterns are different, we
need to calculate effectiveness E once for each of them using different test set, as
shown in table below.
Effectiveness of
Security Pattern
Pattern 1
Pattern 2
Pattern 3
Test Set
Confidentiality
Set 1+2
Set 3
Set 1+2+3
Set 2+3
Set 1
Set 1+2+3
Set 1+2
Set 2
Set 1+2+3
85.2%
85%
85.1%
91.8%
81.5%
88.5%
86.1%
84.5%
85.1%
Security
Management
84.2%
79.2%
82.4%
89.5%
77.8%
85.7%
82.2%
82.1%
82.1%
Effectiveness of
Security Pattern
<=10%
<=20%
<=30%
99
Identification
&
Authentication
88.5%
Confidentiality
Security
Management
Accountability
91.8%
84.9%
72.4%
Effectiveness of
Security Pattern
<=10%
<=20%
<=30%
100
developers to think about whether to include any of these listed primary security
objectives when developing any security product from this domain.
Effectiveness
of SFR Pattern
Identity &
Authentication
Confidentiality
Security
Management
81.4%
90%
75.4%
Confidentia
lity
Security
Management
Accountabi
lity
86.4%
94.9%
86%
79.3%
Effectiveness
of SFR Pattern
86.2%
90.1%
Security
Management
80.8%
101
For security patterns discovered in section 5.2.5 for detection devices domain, the
effectiveness E of them are shown in the table below:
Identity &
Authentication
91.8%
Accountability
71.4%
Security
Management
94.5%
Intrusion Detection&
Response
84.4%
Confidentiality
89.1%
Security
Management
75.7%
Accountability
81.8%
Although there are total 36 SFRs support confidentiality, only few of them
are frequently used in security products, hence the effectiveness of SFR
pattern for confidentiality is usually higher than the others.
103
7.1 Contributions
The contributions of this thesis is listed as following:
1. This work builds up a database containing information of security functional
requirements, assurance level and other information of 242 security products
published on the common criteria portal website, which can be used for other
statistic analysis in the future.
2. This work provides a mapping scheme between SFRs and security objectives,
which is validated by the Security Target files of 242 security products. The
mapping scheme can save developers time by reduce the range of candidate
SFRs when they have the information on security objectives of the security
product.
3. This work shows the analysis result of correlations among SFR classes defined in
CC and correlations among security objectives. It also discusses what can be
derived from the analysis result, which can guide developers in designing the
architecture of security products.
104
4. This work shows the trend analysis between EAL and number of SFRs of the 242
security products in this dataset, which shows one aspect of the fact that leads to
a clear direction for further discussion and explorations in the future.
5. This work presents the SFR patterns for nine domains of security products and
provides a method of evaluating the effectiveness of patterns. Developers choose
the applicable patterns and customize them for the use on specific security
application.
105
106
References
[1]
[2]
Alexander, C., Ishikawa, S., Silverstein, M., Jacobson, M., Fiksdahl-King, I.,
Angel, S., A Pattern Language: Towns-Buildings-Constructions, Oxford
University Press, 1977
[3]
[4]
Boehm, B., et al., An Overview of the COCOMO 2.0 Software Cost Model,
Software Technology Conference, April 1995
[5]
[6]
Boehm, B., Egyed, A., Kwan, J., Port, D., Shah, A., Madachy, R., Using the
WinWin Spiral Model: A Case Study, IEEE Computer, July 1998, Page: 3344
[7]
Boehm, B., Port, D., Balancing Discipline and Flexibility With the Spiral
Model and MBASE, CrossTalk, the Journal of Defense Software
Engineering, Vol 12 No. 12, December 2001
[8]
[9]
Buschmann, F., Meunier, R., Rohnert, H., Sommerlad, P., Stal, M., Pattern
Oriented Software Architecture: a System of Patterns, Wiley, Chichester
1996
[10] Chidamber, S. R., Kemerer, C. F., Towards a Metrics Suite for objectoriented Design, In Proceeding of OOPSLA '91, 1991
[11] Common Criteria for Information Technology Security Evaluation (CC),
version 1.0, January 1996
[12] Common Criteria for Information Technology Security Evaluation (CC),
version 2.1, August 1999
[13] Common Criteria for Information Technology Security Evaluation (CC),
version 2.3, ISO/IEC 15408:2005, August 2005
[14] Common Criteria for Information Technology Security Evaluation (CC),
version 3.1 Revision 1, September 2006
[15] Common Criteria Portal http://www.commoncriteriaportal.org/public/expert/
107
[16] Cook, R. D., Weisberg, S., Applied Regression Including Computing and
Graphics, ISBN 0-471-31711-X, John Wiley and Sons, Inc , August 1999
[17] Curphey, M., et.al., A Guide to Building Secure Web Applications, the Open
Web Application Security Project (OWASP), September 2002
[18] Evans, D. L., Bond, P. J., Bement, A. L., Standards for Security
Categorization of Federal information and Information Systems, National
Institute of Standards and Technology (NIST) Federal Information
Processing Standards (FIPS) 199, February 2004
[19] Fenton, N. E., Software Metrics - A Rigorous Approach, Chapman & Hall,
1992
[20] Fernandez, E. B., Sorgente, T., Larrondo-Petrie, M. M., Even more patterns
for secure operating systems, Conference on Pattern Languages of Programs
(PLoP), 2006
[21] Ferraiolo, D., Kuhn, R., Role-Based Access Control, 15th NIST-NCSC
National Computer Security Conference, 1992
[22] Gamma, E., Helm, R., Johnson, R., Vlissides, J., Design Patterns: Elements
of Reusable Object-Oriented Software, Addison-Wesley-Longman, New
York 1995
[23] Gilliam, D. P., Wolfe, T. L., Sheirf, J. S., Software Security Checklist for the
Software Life Cycle. Proceedings of the 12th IEEE International Workshops
on Enabling Technologies: Infrastructure for Collaborative Enterprises
(WETICE), 2003
[24] Grance, T., Hash, J., Stevens, M., Security Considerations in the Information
System Development Life Cycle, National Institute of Standards and
Technology (NIST) Special Publication 800-64 Rev.1, June 2004
[25] Hayes R., B., Pfleger, K., Lalanda, P., Morignot, P., Balabanovic, M., A
domain-specific software architecture for adaptive intelligent systems, IEEE
Transactions on Software Engineering, Volume 21, Page 288--301, April
1995
[26] Herrmann, D. S., Using the Common Criteria for IT Security Evaluation,
ISBN 0-8493-1404-6, Auerbach Publications, 2002
[27] Information Technology Security Evaluation Criteria (ITSEC), Department
of Trade and Industry, London, June 1991
[28] Information Technology System Security Engineering Capability
Maturity Model, ISO/IEC 21827, March 2002
[29] INFOSEC Assurance Capability Maturity Model (IA-CMM), version 3.0,
INFOSEC, October 2003
108
[30] John H., et al., Integrating IT Security into the Capital Planning and
Investment Control Process, National Institute of Standards and Technology
(NIST) Special Publication 800-65, January 2005
[31] Kerth, N. L., Cunningham, W., Using Patterns to Improve Our Architectural
Vision, IEEE Software, 14(1): 53-59, January 1997
[32] Macro, A., Buxton, J., The Craft of Software Engineering, Addison-Wesley,
1987
[33] Meszaros, G., Doble, J., A pattern Language for Pattern Writing,
http://hillside.net/patterns/writing/patternwritingpaper.htm, 1996
[34] Romanosky, S., Enterprise Security Patterns, Information Systems Security
Association Journal, March 2003
[35] Schumacher, M., Security Engineering with Patterns: Origins, Theoretical
Model, and New Applications, LNCS 2754, Springer-Verlag Berlin
Heidelberg, New York, 2003
[36] Steel, C., Nagappan, R., Lai, R., Core Security Patterns: Best Practices and
Strategies for J2EE, Web Services, and Identity Management, ISBN-10: 013-146307-1, Prentice Hall PTR, October 2005
[37] Stoneburner, G., Goguen, A., and Feringa, A., Risk Management Guide for
Information Technology Systems, National Institute of Standards and
Technology (NIST) Special Publication 800-30, July 2002
[38] Swanson, M., Hash, J., Bowen, P., Guide for Developing Security Plans for
Federal Information Systems, National Institute of Standards and Technology
(NIST) Special Publication 800-18 Revision 1, February 2006
[39] Tracz, W., An Outline for a Domain-Specific Software Architecture
Engineering Process, In Fourth Annual Workshop on Software Reuse,
Reston, VA, 1991
[40] Tracz, W., DSSA (Domain-Specific Software Architecture): pedagogical
example, ACM SIGSOFT Software Engineering Notes, Volume 20 , Issue 3,
Pages: 49 62, July 1995
[41] Troy, D. A., Zweben, S. H., Measuring the Quality of Structured Designs.
Journal of Systems and Software, Vol. 2, 1981
[42] Trusted Computer System Evaluation Criteria (TCSEC), DoD 5200.28
STD, December 1985
[43] Wheeler, D. W., Secure Programming for Linux and Unix HOWTO,
http://www.dwheeler.com/secure-programs/, 2002
[44] Wilson, M., Hash, J., Building an Information Technology Security
Awareness and Training Program, National Institute of Standards and
Technology (NIST) Special Publication 800-50, October 2003
109
[45] Wu, D., Naeymi, R. I., Colbert, E., Extending MBASE to Support the
Development of Secure Systems, Accepted by Software Process Workshop
(SPW), Beijing, China, May 2005
[46] Yoder, J., Barcalow, J., Architectural patterns for enabling application
security, In Proceedings of the Pattern Languages of Programming (PLoP)
Workshop, September 1997
[47] Yourdon, E., Constantine, L., Structured Design: Fundamentals of a
Discipline of Computer Program and Systems Design, Prentice-Hall,
Yourdon Press, 1979
110
Appendices
SFR abbreviations and full names
Requirement Class Name
(Abbreviation)
Communication (FCO)
Identification
authentication (FIA)
FPR: Privacy
Anonymity (FPR_ANO)
Pseudonymity (FPR_PSE)
Unlinkability (FPR_UNL)
Unobservability (FPR_UNO)
113