
J.10 Reference mediation (FPT_RVM)

The components of this family address the "always invoked" aspect of a traditional reference monitor. The goal of these components is to ensure, with respect to the TSC, that all actions requiring policy enforcement invoked by subjects untrusted with respect to any or all of that SFP to objects controlled by that SFP are validated by the TSF against the SFP. If the portion of the TSF that enforces the SFP also meets the requirements of appropriate components from FPT_SEP (Domain separation) and ADV_INT (TSF internals), then that portion of the TSF provides a "reference monitor" for that SFP.

The Reference Monitor is that portion of the TSF responsible for the enforcement of the TSP; it has the following three characteristics:

a) Untrusted subjects cannot interfere with its operation; i.e. it is tamperproof. This is addressed by the components in the FPT_SEP family.

b) Untrusted subjects cannot bypass its checks; i.e. it is always invoked. This is addressed by the components in the FPT_RVM family.

c) It is simple enough to be analysed and its behaviour understood (i.e. its design is conceptually simple). This is addressed by the components in the ADV_INT family.

This component states that, "the TSF shall ensure that TSP enforcement functions are invoked and succeed before each and every function within the TSC is allowed to proceed." In any system (distributed or otherwise) there are a finite number of functions responsible for enforcing the TSP. There is nothing in this requirement that mandates or prescribes that a single function is invoked to handle security. Rather, it allows multiple functions to fill the role of reference monitor, and the collection of them responsible for enforcing the TSP are simply called, collectively, the reference monitor. However, this must be balanced by the goal of keeping the "reference monitor" simple.

A TSF that implements an SFP provides effective protection against unauthorised functions if and only if all enforceable actions (e.g. accesses to objects) requested by subjects untrusted with respect to any or all of that SFP are validated by the TSF before succeeding. If the enforceable action is incorrectly enforced or bypassed, the overall enforcement of the SFP has been compromised. "Untrusted" subjects could then bypass the SFP in a variety of unauthorised ways (e.g. circumvent access checks for some subjects or objects, bypass checks for objects whose protection was assumed by applications, retain access rights beyond their intended lifetime, bypass auditing of audited actions, or bypass authentication). Note that the term "untrusted subjects" refers to subjects untrusted with respect to any or all of the specific SFPs being enforced; a subject may be trusted with respect to one SFP and untrusted with respect to a different SFP.

FPT_RVM.1 Non-bypassability of the TSP

User application notes

In order to obtain the equivalent of a reference monitor, this component must be used with either FPT_SEP.2 (SFP domain separation) or FPT_SEP.3 (Complete reference monitor), and ADV_INT.3 (Minimisation of complexity). Further, if complete reference mediation is required, the components from Class FDP User data protection must cover all objects.
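The following is an added illustration, not text or code from the standard: a minimal model of FPT_RVM.1 in which every function within the TSC is reachable only through one entry point that invokes all TSP enforcement functions (here a DAC SFP and an information-flow SFP, together forming the "reference monitor") and lets the function proceed only when each of them succeeds. It also shows a subject trusted with respect to one SFP but untrusted with respect to the other. All names, policy data and the audit record are constructed for the example.

```python
from dataclasses import dataclass
@dataclass
class Subject:
    name: str
    clearance: int                        # level used by the information-flow SFP
    trusted_for: frozenset = frozenset()  # SFPs this subject is trusted w.r.t.

@dataclass
class Obj:
    name: str
    label: int                            # sensitivity label of the object
    acl: dict                             # subject name -> set of permitted ops
    data: str = ""

# Two TSP enforcement functions; their collection is the reference monitor.
def dac_sfp(subj, obj, op):               # discretionary access control SFP
    return op in obj.acl.get(subj.name, set())

def flow_sfp(subj, obj, op):              # flow SFP: no read-up, no write-down
    if op == "read":
        return subj.clearance >= obj.label
    if op == "write":
        return subj.clearance <= obj.label
    return True

REFERENCE_MONITOR = {"DAC": dac_sfp, "FLOW": flow_sfp}
AUDIT = []                                # every mediation decision is recorded

def mediate(subj, obj, op):
    """Succeed only if every SFP the subject is untrusted for permits op."""
    for name, check in REFERENCE_MONITOR.items():
        if name not in subj.trusted_for and not check(subj, obj, op):
            AUDIT.append((subj.name, obj.name, op, "denied:" + name))
            return False
    AUDIT.append((subj.name, obj.name, op, "permitted"))
    return True

# Functions within the TSC; subjects reach them only through invoke().
def _read(obj, _arg=None):
    return obj.data
def _write(obj, value):
    obj.data = value
    return True
TSC = {"read": _read, "write": _write}

def invoke(subj, obj, op, arg=None):
    """Single entry point: enforcement is invoked, and must succeed, first."""
    if not mediate(subj, obj, op):
        raise PermissionError(f"{subj.name} may not {op} {obj.name}")
    return TSC[op](obj, arg)
```

A subject listed in an object's ACL can still be denied by the flow SFP, and the audit record names which enforcement function refused, which is the property an evaluator checks when confirming that no TSC function can proceed without all applicable SFPs having succeeded.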


J.11 Domain separation (FPT_SEP)

The components of this family ensure that at least one security domain is available for the TSF's own execution, and that the TSF is protected from external interference and tampering (e.g. by modification of TSF code or data structures) by untrusted subjects. Satisfying the requirements of this family makes the TSF self-protecting, meaning that an untrusted subject cannot modify or damage the TSF.

This family requires the following:

a) The resources of the TSF's security domain ("protected domain") and those of subjects and unconstrained entities external to the domain are separated such that the entities external to the protected domain cannot observe or modify data structures or code internal to the protected domain.

b) The transfer of subjects between domains is controlled such that arbitrary entry to, or return from, the protected domain is not possible.

c) The user or application parameters passed to the protected domain by address are validated with respect to the protected domain's address space, and those passed by value are validated with respect to the values expected by the protected domain.

d) The security domains of subjects are distinct except for controlled sharing via the TSF.

User notes

This family is needed whenever confidence is required that the TSF has not been subverted.

In order to obtain the equivalent of a reference monitor, the components FPT_SEP.2 (SFP domain separation) or FPT_SEP.3 (Complete reference monitor) from this family must be used in conjunction with FPT_RVM.1 (Non-bypassability of the TSP), and ADV_INT.3 (Minimisation of complexity). Further, if complete reference mediation is required, the components from Class FDP User data protection must cover all objects.

FPT_SEP.1 TSF domain separation

Without a separate protected domain for the TSF, there can be no assurance that the TSF has not been subjected to any tampering attacks by untrusted subjects. Such attacks may involve modification of the TSF code and/or TSF data structures.

FPT_SEP.2 SFP domain separation

The most important function provided by a TSF is the enforcement of its SFPs. In order to simplify the design and increase the likelihood that those significant SFPs exhibit the characteristics of a reference monitor (RM), in particular, being tamperproof, they must be in a domain distinct from the remainder of the TSF.


Evaluator application notes

It is possible that a reference monitor in a layered design may provide functions beyond those of the SFPs. This arises out of the practical nature of layered software design. The goal should be to minimise the non-SFP related functions.

Note that it is acceptable for the reference monitors for all included SFPs to be in a single distinct reference monitor domain, as well as having multiple reference monitor domains (each enforcing one or more SFPs). If multiple reference monitor domains for SFPs are present, it is acceptable for them to be either peers or in a hierarchical relationship.

For FPT_SEP.2.1, the phrase "unisolated portion of the TSF" refers to that portion of the TSF consisting of those functions in the TSF not covered by FPT_SEP.2.3.

Operations

Assignment:

For FPT_SEP.2.3, the PP/ST author should specify the access control and/or information flow control SFPs in the TSP that should have a separate domain.

FPT_SEP.3 Complete reference monitor

The most important function provided by a TSF is the enforcement of its SFPs. This component builds upon the intentions of the previous component by requiring that all access control and/or information flow control SFPs be enforced in a domain distinct from the remainder of the TSF. This further simplifies the design and increases the likelihood that the characteristics of a reference monitor (RM), in particular, being tamperproof, are found in the TSF.

Evaluator application notes

It is possible that a reference monitor in a layered design may provide functions beyond those of the SFPs. This arises out of the practical nature of layered software design. The goal should be to minimise the non-SFP related functions.

Note that it is acceptable for the reference monitors for all included SFPs to be in a single distinct reference monitor domain, as well as having multiple reference monitor domains (each enforcing one or more SFPs). If multiple reference monitor domains for SFPs are present, it is acceptable for them to be either peers or in a hierarchical relationship.
