Evaluation Assurance Level

From Wikipedia, the free encyclopedia

Jump to: navigation, search

The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a

numerical grade assigned following the completion of a Common Criteria security
evaluation, an international standard in effect since 1999. The increasing assurance levels
reflect added assurance requirements that must be met to achieve Common Criteria
certification. The intent of the higher levels is to provide higher confidence that the
system's principal security features are reliably implemented. The EAL level does not
measure the security of the system itself, it simply states at what level the system was
tested.

To achieve a particular EAL, the computer system must meet specific assurance
requirements. Most of these requirements involve design documentation, design analysis,
functional testing, or penetration testing. The higher EALs involve more detailed
documentation, analysis, and testing than the lower ones. Achieving a higher EAL
certification generally costs more money and takes more time than achieving a lower one.
The EAL number assigned to a certified system indicates that the system completed all
requirements for that level.

Although every product and system must fulfill the same assurance requirements to
achieve a particular level, they do not have to fulfill the same functional requirements. The
functional features for each certified product are established in the Security Target
document tailored for that product's evaluation. Therefore, a product with a higher EAL is
not necessarily "more secure" in a particular application than one with a lower EAL, since
they may have very different lists of functional features in their Security Targets. A
product's fitness for a particular security application depends on how well the features listed
in the product's Security Target fulfill the application's security requirements. If the
Security Targets for two products both contain the necessary security features, then the
higher EAL should indicate the more trustworthy product for that application.

Contents
[hide]

 1 Assurance levels
o 1.1 EAL1: Functionally Tested
o 1.2 EAL2: Structurally Tested
o 1.3 EAL3: Methodically Tested and Checked
o 1.4 EAL4: Methodically Designed, Tested and Reviewed
o 1.5 EAL5: Semiformally Designed and Tested
o 1.6 EAL6: Semiformally Verified Design and Tested
o 1.7 EAL7: Formally Verified Design and Tested
  2 Implications of assurance levels
o 2.1 Impact on cost and schedule
o 2.2 Augmentation of EAL requirements
o 2.3 EAL notation
 3 References
 4 External links

Assurance levels[edit]
EAL1: Functionally Tested[edit]

EAL1 is applicable where some confidence in correct operation is required, but the threats
to security are not viewed as serious. It will be of value where independent assurance is
required to support the contention that due care has been exercised with respect to the
protection of personal or similar information. EAL1 provides an evaluation of the TOE
(Target of Evaluation) as made available to the customer, including independent testing
against a specification, and an examination of the guidance documentation provided. It is
intended that an EAL1 evaluation could be successfully conducted without assistance from
the developer of the TOE, and for minimal cost. An evaluation at this level should provide
evidence that the TOE functions in a manner consistent with its documentation, and that it
provides useful protection against identified threats.

EAL2: Structurally Tested[edit]

EAL2 requires the cooperation of the developer in terms of the delivery of design
information and test results, but should not demand more effort on the part of the developer
than is consistent with good commercial practice. As such it should not require a
substantially increased investment of cost or time. EAL2 is therefore applicable in those
circumstances where developers or users require a low to moderate level of independently
assured security in the absence of ready availability of the complete development record.
Such a situation may arise when securing legacy systems.

EAL3: Methodically Tested and Checked[edit]

EAL3 permits a conscientious developer to gain maximum assurance from positive security
engineering at the design stage without substantial alteration of existing sound development
practices. EAL3 is applicable in those circumstances where developers or users require a
moderate level of independently assured security, and require a thorough investigation of
the TOE and its development without substantial re-engineering.

EAL4: Methodically Designed, Tested and Reviewed[edit]

EAL4 permits a developer to gain maximum assurance from positive security engineering
based on good commercial development practices which, though rigorous, do not require
substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at
which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is
therefore applicable in those circumstances where developers or users require a moderate to
high level of independently assured security in conventional commodity TOEs and are
prepared to incur additional security-specific engineering costs.

Commercial operating systems that provide conventional, user-based security features are
typically evaluated at EAL4. Examples of such operating systems are AIX,[1] HP-UX,[1]
FreeBSD, Oracle Linux, Novell NetWare, Solaris,[1] SUSE Linux Enterprise Server 9,[1][2]
SUSE Linux Enterprise Server 10,[3] Red Hat Enterprise Linux 5,[4][5] Windows 2000
Service Pack 3, Windows 2003,[1][6] Windows XP,[1][6] Windows Vista[7] [8] , Windows
7,[1][9] Windows Server 2008 R2,[1][9] and z/VM version 5.3.[1]

Operating systems that provide multilevel security are evaluated at a minimum of EAL4.
Examples include Trusted Solaris, Solaris 10 Release 11/06 Trusted Extensions,[10] an early
version of the XTS-400, and VMware ESXi version 3.0.2,[11] 3.5, 4.0 and 5.0 (EAL 4+).

EAL5: Semiformally Designed and Tested[edit]

EAL5 permits a developer to gain maximum assurance from security engineering based
upon rigorous commercial development practices supported by moderate application of
specialist security engineering techniques. Such a TOE will probably be designed and
developed with the intent of achieving EAL5 assurance. It is likely that the additional costs
attributable to the EAL5 requirements, relative to rigorous development without the
application of specialized techniques, will not be large. EAL5 is therefore applicable in
those circumstances where developers or users require a high level of independently
assured security in a planned development and require a rigorous development approach
without incurring unreasonable costs attributable to specialist security engineering
techniques.

Numerous smart card devices have been evaluated at EAL5, as have multilevel secure
devices such as the Tenix Interactive Link. XTS-400 (STOP 6) is a general-purpose
operating system which has been evaluated at EAL5 augmented.

LPAR on IBM System z is EAL5 Certified.[12]

EAL6: Semiformally Verified Design and Tested[edit]

EAL6 permits developers to gain high assurance from application of security engineering
techniques to a rigorous development environment in order to produce a premium TOE for
protecting high value assets against significant risks. EAL6 is therefore applicable to the
development of security TOEs for application in high risk situations where the value of the
protected assets justifies the additional costs.

Green Hills Software's INTEGRITY-178B RTOS has been certified to EAL6 augmented.[1]

EAL7: Formally Verified Design and Tested[edit]

EAL7 is applicable to the development of security TOEs for application in extremely high
risk situations and/or where the high value of the assets justifies the higher costs. Practical
application of EAL7 is currently limited to TOEs with tightly focused security functionality
that is amenable to extensive formal analysis. The Tenix Interactive Link Data Diode
Device and the Fox Data Diode[13] have been evaluated at EAL7 augmented.

Fox-IT claim to have certified their one-way data communications device known as the
"Fox Data Diode" at EAL7+.[14]

Implications of assurance levels[edit]

Technically speaking, a higher EAL means nothing more, or less, than that the evaluation
completed a more stringent set of quality assurance requirements. It is often assumed that a
system that achieves a higher EAL will provide its security features more reliably (and the
required third-party analysis and testing performed by security experts is reasonable
evidence in this direction), but there is little or no published evidence to support that
assumption.