Trustworthy MILS: CC Composite Evaluation Approach
Blomberg, Alex Söding-Freiherr;
Blomberg, Axel Söding-Freiherr;
As high assurance software systems are becoming more complex and sophisticated, assuring their security and safety is increasingly difficult and costly. Monolithic evaluation approaches do not scale well because evaluation effort grows exponentially with the complexity of the evaluation target. To keep pace with growing assurance demands, a compositional evaluation approach is a promising strategy.
In a compositional evaluation, the individual components of a system are evaluated independently, and these partial evaluation results are composed to derive the overall evaluation verdict with minimum additional effort. The Common Criteria for IT Security Evaluation (ISO/IEC 15408) and the supporting documentation offer two different compositional evaluation schemes: the “Composite Product Evaluation for Smart Cards and Similar Devices” (CPE) and the “Composed Assurance Package” (CAP).
In this report, we assess the suitability of CPE in the avionics domain, and we compare this evaluation scheme with its CAP alternative. We use the problem of evaluating an avionic security gateway as a case study to illustrate the implications, advantages, and drawbacks of the CPE approach.
Airlines Electronic Engineering Committee (2005): Commercial Aircraft Information Security Concepts of Operation and Process Framework. ARINC Report 811
Christopher Preschern (2012): Catalog of Security Tactics linked to Common Criteria Requirements. In: Proc. 19th Conference on Pattern Languages of Programs (PLoP'12), October 19–21, Tucson, Arizona http://www.hillside.net/plop/2012/index.php?nav=program#acceptedpapers
Common Criteria Development Board (2012): Composite Product Evaluation for Smart Cards and Similar Devices. Common Criteria Supporting Document — Mandatory Technical Document, Version 1.2 (CCDB-2012-04-001) http://www.commoncriteriaportal.org/files/supdocs/CCDB-2012-04-001.pdf
Common Criteria Development Board (2012): Security Architecture Requirements (ADV_ARC) for Smart Cards and Similar Devices — Appendix 1. Supporting Document — Guidance, Version 2.0 (CCMB-2012-04-04) http://www.commoncriteriaportal.org/files/supdocs/CCDB-2012-04-004.pdf
Common Criteria Development Board (2012): Security Architecture Requirements (ADV_ARC) for Smart Cards and Similar Devices. Supporting Document — Guidance, Version 2.0 (CCMB-2012-04-03) http://www.commoncriteriaportal.org/files/supdocs/CCDB-2012-04-003.pdf
Common Criteria Maintenance Board (2012): Common Criteria for Information Technology Security Evaluation, CCv3.1 Revision 4 (CCMB-2012-09-001, -002, -003) http://www.commoncriteriaportal.org/cc/
Common Criteria Maintenance Board (2012): Common Methodology for Information Technology Security Evaluation, CEMv3.1 Revision 4 (CCMB-2012-09-004) http://www.commoncriteriaportal.org/files/ccfiles/CEMV3.1R4.pdf
Defence R&D Canada (2004): Review of the Composability Problem for System Evaluation. DRDC Ottawa CR 2004-19 http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.84.1268
Information Assurance Directorate (2007): U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, Version 1.03 http://www.niap-ccevs.org/pp/pp_skpp_hr_v1.03.pdf
ISO/IEC 15408:2009: Information technology — Security techniques — Evaluation criteria for IT security (= CCv3.1)
ISO/IEC 18045:2008: Information technology — Security techniques — Methodology for IT security evaluation (= CEMv3.1)
Jim Alves-Foss, W. Scott Harrison, Paul Oman, and Carol Taylor (2006): The MILS Architecture for High-Assurance Embedded Systems. International Journal of Embedded Systems, Vol. 2, No. 3/4, pp. 239–247 http://www.researchgate.net/publication/220309643_The_MILS_architecture_for_high-assurance_embedded_systems/file/d912f50fee695f0273.pdf
RTCA/EUROCAE (2012): Software Considerations in Airborne Systems and Equipment Certification. DO-178C / ED-12C http://www.rtca.org/store_list.asp
RTCA/EUROCAE (2011): Airworthiness security methods and considerations. DO-YY3/ED-203, Working Draft
W. Vanfleet, R. Beckwith, B. Calloni, J. Luke, C. Taylor, and G. Uchenick (2005): MILS: Architecture for High-Assurance Embedded Computing. CrossTalk: Journal of Defence Software Engineering, Vol. 18, No. 8, pp. 12–16 http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.170.4270&rep=rep1&type=pdf