Vulnerability Assessment of a EAL 4 system

am 01.11.2006 00:42:14 von Neil Jones

I am looking at a Linux server which has been accredited as an EAL4
system by IBM. During the assessment, I was looking for standard Linux
protections like iptables, ssh, etc. On this server, there is no iptables.

Regardless, I would like to know how to evaluate an EAL 4 system. What
do you need to look for in the EAL 4 system in production that could
become vulnerable?

Thank you in advance for any help.

N J
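As an added illustration of the kind of baseline check the question above is asking about (this is example code written for this page, not from the original poster or from IBM), the script below inspects the two "standard Linux protections" the post names. The check functions take the text of `iptables -S` output and of `sshd_config` as arguments so they can be exercised offline on the constructed samples at the bottom; on a live host you would feed them `iptables -S` and `cat /etc/ssh/sshd_config` instead. Which sshd values count as acceptable is an assumption of this example, not something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread): baseline host-protection check of the
# kind the original poster was doing by hand. All sample inputs are constructed.

# Number of filter rules loaded. `iptables -S` always prints the "-P" chain
# policy lines, even on a host with no rules at all, so only count -A / -I.
count_iptables_rules() {
    printf '%s\n' "$1" | grep -c '^-[AI] ' || true
}

# Effective value of an sshd_config keyword, lower-cased. sshd honours the
# first occurrence of a keyword, so take the first match; print "default"
# when the keyword is not set explicitly.
sshd_directive() {
    _val=$(printf '%s\n' "$1" | grep -i "^[[:space:]]*$2[[:space:]]" \
           | head -n 1 | awk '{print $2}' | tr 'A-Z' 'a-z')
    if [ -n "$_val" ]; then printf '%s' "$_val"; else printf 'default'; fi
}

# Report each weakness on stderr and print the number of findings on stdout.
# Arguments: $1 = `iptables -S` text, $2 = sshd_config text.
assess_host() {
    _ipt=$1; _sshd=$2; _findings=0

    if [ "$(count_iptables_rules "$_ipt")" -eq 0 ]; then
        echo "FINDING: no iptables rules loaded; host depends on external filtering" >&2
        _findings=$((_findings + 1))
    fi

    # Assumption for this example: root must not log in with a password.
    case "$(sshd_directive "$_sshd" PermitRootLogin)" in
        no|prohibit-password|without-password) ;;
        *) echo "FINDING: sshd PermitRootLogin is not disabled" >&2
           _findings=$((_findings + 1)) ;;
    esac

    # Assumption for this example: key-based authentication is expected.
    if [ "$(sshd_directive "$_sshd" PasswordAuthentication)" != "no" ]; then
        echo "FINDING: sshd PasswordAuthentication is not disabled" >&2
        _findings=$((_findings + 1))
    fi

    echo "$_findings"
}

# Constructed samples: a host like the one in the post (no rules, permissive
# sshd) and a hardened counterpart.
IPT_EMPTY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

IPT_HARDENED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'

SSHD_WEAK='# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication yes'

SSHD_HARDENED='Port 22
PermitRootLogin no
PasswordAuthentication no'

echo "weak host findings:     $(assess_host "$IPT_EMPTY" "$SSHD_WEAK" 2>/dev/null)"
echo "hardened host findings: $(assess_host "$IPT_HARDENED" "$SSHD_HARDENED" 2>/dev/null)"
```

The point of separating the parsing from the judgement is that the acceptable values are a policy decision; on an evaluated system they should come from the Security Target rather than from a script author's taste, and the `case` branches are where that policy is encoded.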

Re: Vulnerability Assessment of a EAL 4 system

am 01.11.2006 01:11:33 von lynn

Neil Jones writes:
> I am looking at a Linux server which has been accredited as an EAL4
> system by IBM. During the assessment, I was looking for standard Linux
> protections like iptables, ssh, etc. On this server, there is no iptables.
>
> Regardless, I would like to know how to evaluate an EAL 4 system. What
> do you need to look for in the EAL 4 system in production that could
> become vulnerable?

orange book like stuff ... sort of assumed that everything was a
general purpose computer and had to have provisions to handle
everything that a general purpose computer might encounter
(including various kinds of multi-user sharing). there was somewhat
generalized criteria that things were evaluated against.

i've somewhat characterized the change over to common criteria ... as
recognizing that not everything is a general purpose computer
(including multi-user sharing) ... and so there are all sorts of
provisions in common criteria for specifying the "protection profile"
against which something will be evaluated.

there are some general stuff about what kinds of things that need to
be in a "protection profile" for different evaluation levels ... but
without the specific protection profile ... you have no real idea what
specific evaluation has been performed.

it is possible that there could be security things that you might be
interested in doing ... that just weren't considered or included in
the protection profile used for the evaluation.

ostensibly one of the purposes of evaluation was so you could compare
the evaluation levels of two similar products and use the evaluation
to help in the choice ... under the assumption that using the same
protection profile would result in comparable evaluations. However, a
couple years ago, there was a statement that of the 64 some
evaluations that had been performed at that time, something like sixty
of the evaluations had non-public deviations from published protection
profile (making it difficult to use evaluations as part of comparing
similar products).

National Information Assurance Partnership (NIAP) home page
http://www.nsa.gov/ia/industry/niap.cfm

The Common Criteria Evaluation and Validation Scheme
http://niap.bahialab.com/cc-scheme/

Common Criteria Portal
http://www.commoncriteriaportal.org/

List of Protection Profiles (against which evaluations are performed)
http://www.commoncriteriaportal.org/public/consumer/index.php?menu=5

under operating systems in the above ... there is

"Multi-level Operating Systems in Medium Robustness Environments PP" protection
profile (at EAL4+)
http://www.commoncriteriaportal.org/public/files/ppfiles/PP_SLOSPP-MR_V1.22.pdf

"Multi-level Operating Systems in Medium Robustness Environments" certification
report (at EAL4+)
http://www.commoncriteriaportal.org/public/files/ppfiles/PP_VID204-VR.pdf

then there is

"Single-level Operating Systems in Medium Robustness PP" protection profile
(at EAL4+)
http://www.commoncriteriaportal.org/public/files/ppfiles/PP_SLOSPP-MR_V1.22.pdf

"Single-level Operating Systems in Medium Robustness PP" certification report
(at EAL4+)
http://www.commoncriteriaportal.org/public/files/ppfiles/PP_VID203-VR

whole lot of past posts mentioning risk, fraud, exploits, and vulnerabilities
http://www.garlic.com/~lynn/subintegrity.html#fraud

and some number of past posts mentioning assurance
http://www.garlic.com/~lynn/subintegrity.html#assurance

Re: Vulnerability Assessment of a EAL 4 system

am 01.11.2006 10:45:17 von Neil Jones

Anne & Lynn Wheeler wrote:
>
>>I am looking at a Linux server which has been accredited as an EAL4
>>system by IBM. During the assessment, I was looking for standard Linux
>>protections like iptables, ssh, etc. On this server, there is no iptables.
>>
>>Regardless, I would like to know how to evaluate an EAL 4 system. What
>>do you need to look for in the EAL 4 system in production that could
>>become vulnerable?
>
>
> orange book like stuff ... sort of assumed that everything was a
> general purpose computer and had to have provisions to handle
> everything that a general purpose computer might encounter
> (including various kinds of multi-user sharing). there was somewhat
> generalized criteria that things were evaluated against.
>
> i've somewhat characterized the change over to common criteria ... as
> recognizing that not everything is a general purpose computer
> (including multi-user sharing) ... and so there are all sorts of
> provisions in common criteria for specifying the "protection profile"
> against which something will be evaluated.
>
> there are some general stuff about what kinds of things that need to
> be in a "protection profile" for different evaluation levels ... but
> without the specific protection profile ... you have no real idea what
> specific evaluation has been performed.
>
> it is possible that there could be security things that you might be
> interested in doing ... that just weren't considered or included in
> the protection profile used for the evaluation.
>
> ostensibly one of the purposes of evaluation was so you could compare
> the evaluation levels of two similar products and use the evaluation
> to help in the choice ... under the assumption that using the same
> protection profile would result in comparable evaluations. However, a
> couple years ago, there was a statement that of the 64 some
> evaluations that had been performed at that time, something like sixty
> of the evaluations had non-public deviations from published protection
> profile (making it difficult to use evaluations as part of comparing
> similar products).
>

Thank you for replying.

The system is an EAL4 system (using Common Criteria). Do I need to look
for the protection profiles on the system? Are there any config files
that define these protection profiles (PP)?

N J

Re: Vulnerability Assessment of a EAL 4 system

am 01.11.2006 11:29:31 von jab

Neil Jones wrote:
> Thank you for replying.
>
> The system is an EAL4 system (using Common Criteria). Do I need to look
> for the protection profiles on the system? Are there any config files
> that define these protection profiles (PP)?
>
> N J

The Security Target should be available and this would be a good
starting point as this should tell you how the system meets the
Protection Profile to which it conforms. As a little aside, I wouldn't
hold that much faith in a CC evaluation to 'prove' that a system is
secure. CC is criticised for focusing too heavily on paperwork and
process and little on actually uncovering vulnerabilities.

Re: Vulnerability Assessment of a EAL 4 system

am 01.11.2006 14:21:35 von lahippel

JAB wrote:
> Neil Jones wrote:
>> Thank you for replying.
>>
>> The system is an EAL4 system (using Common Criteria). Do I need to look
>> for the protection profiles on the system? Are there any config files
>> that define these protection profiles (PP)?
>>
>> N J
>
> The Security Target should be available and this would be a good
> starting point as this should tell you how the system meets the
> Protection Profile to which it conforms. As a little aside, I wouldn't
> hold that much faith in a CC evaluation to 'prove' that a system is
> secure. CC is criticised for focusing too heavily on paperwork and
> process and little on actually uncovering vulnerabilities.

Exactly. CC is meant to analyze the process, not the product. The CC
doesn't include debugging. The deepest level of analysis is source code
review.

The abbreviations EAL and PP are different sides of the same coin: the
EAL tells the amount of effort put into compliance, and the PP tells
what the end result is trying to be compliant with. If you want to know
something about a product, the PP is more important than the EAL.

-- Lassi

Re: Vulnerability Assessment of a EAL 4 system

am 01.11.2006 15:25:49 von jab

Lassi Hippeläinen wrote:
> JAB wrote:
>> Neil Jones wrote:
>>> Thank you for replying.
>>>
>>> The system is an EAL4 system (using Common Criteria). Do I need to look
>>> for the protection profiles on the system? Are there any config files
>>> that define these protection profiles (PP)?
>>>
>>> N J
>>
>> The Security Target should be available and this would be a good
>> starting point as this should tell you how the system meets the
>> Protection Profile to which it conforms. As a little aside, I wouldn't
>> hold that much faith in a CC evaluation to 'prove' that a system is
>> secure. CC is criticised for focusing too heavily on paperwork and
>> process and little on actually uncovering vulnerabilities.
>
> Exactly. CC is meant to analyze the process, not the product. The CC
> doesn't include debugging. The deepest level of analysis is source code
> review.
>
> The abbreviations EAL and PP are different sides of the same coin: the
> EAL tells the amount of effort put into compliance, and the PP tells
> what the end result is trying to be compliant with. If you want to know
> something about a product, the PP is more important than the EAL.
>

If I was to be perfectly honest I would say that CC is a great idea but
the reality is that it adds almost nothing to the security of a product,
as it is governed by purists that have no understanding of the
commercial world or, more importantly, why security vulnerabilities occur.
The sooner it is ditched in favour of an evaluation scheme that actually
concentrates on whether a product is secure, the better. Unfortunately the CC
board seem so entrenched in their own little world that I don't expect any
changes soon.