Раздел: Документация
0 ... 18 19 20 21 22 23 24 ... 117 6.5 Information flow control policy (FDP IFC) Family behaviour This family identifies the information flow control SFPs (by name) and defines the scope of control of the policies that form the identified information flow control portion of the TSP. This scope of control is characterised by three sets: the subjects under control of the policy, the information under control of the policy, and operations which cause controlled information to flow to and from controlled subjects covered by the policy. The criteria allows multiple policies to exist, each having a unique name. This is accomplished by iterating components from this family once for each named information flow control policy. The rules that define the functionality of an information flow control SFP will be defined by other families such as FDPIFF and FDPSDI. The names of the information flow control SFPs identified here in FDPIFC are meant to be used throughout the remainder of the functional components that have an operation that calls for an assignment or selection of an "information flow control SFP." The TSF mechanism controls the flow of information in accordance with the information flow control SFP. Operations that would change the security attributes of information are not generally permitted as this would be in violation of an information flow control SFP. However, such operations may be permitted as exceptions to the information flow control SFP if explicitly specified. Component levelling FDP IFC Information flow control policy
FDPIFC.1 Subset information flow control requires that each identified information flow control SFPs be in place for a subset of the possible operations on a subset of information flows in the TOE. FDPIFC.2 Complete information flow control requires that each identified information flow control SFP cover all operations on subjects and information covered by that SFP. It further requires that all information flows and operations with the TSC are covered by at least one identified information flow control SFP. In conjunction with the FPTRVM.1 component, this gives the "always invoked" aspect of a reference monitor. Management: FDPIFC.1, FDPIFC.2 There are no management activities foreseen for this component. Audit: FDPIFC.1, FDPIFC.2 There are no events identified that should be auditable if FAUGEN Security audit data generation is included in the PP/ST. FDPIFC.1 Subset information flow control Hierarchical to: No other components. FDP IFC.1.1 The TSF shall enforce the [assignment: information flow control SFP] on [assignment: list of subjects, information, and operations that cause controlled information to flow to and from controlled subjects covered by the SFP]. Dependencies: FDPIFF.1 Simple security attributes FDPIFC.2 Complete information flow control Hierarchical to: FDPIFC.1 FDP IFC.2.1 The TSF shall enforce the [assignment: information flow control SFP] on [assignment: list ofsubjects and information] and all operations that cause that information to flow to and from subjects covered by the SFP. FDP IFC.2.2 The TSF shall ensure that all operations that cause any information in the TSC to flow to and from any subject in the TSC are covered by an information flow control SFP. Dependencies: FDPIFF.1 Simple security attributes 6.6 Information flow control functions (FDP IFF) Family behaviour This family descibes the rules for the specific functions that can implement the information flow control SFPs named in FDPIFC, which also specifies the scope of control of the policy. It consists of two kinds of requirements: one addressing the common information flow function issues, and a second addressing illicit information flows (i.e. covert channels). This division arises because the issues concerning illicit information flows are, in some sense, orthogonal to the rest of an information flow control SFP. By their nature they circumvent the information flow control SFP resulting in a violation of the policy. As such, they require special functions to either limit or prevent their occurrence. Component levelling FDP IFF Information flow control functions  FDPIFF.1 Simple security attributes requires security attributes on information, and on subjects that cause that information to flow and on subjects that act as recipients of that information. It specifies the rules that must be enforced by the function, and describes how security attributes are derived by the function. FDPIFF.2 Hierarchical security attributes expands on the requirements of FDPIFF.1 Simple security attributes by requiring that all information flow control SFPs in the TSP use hierarchical security attributes that form a lattice. FDPIFF.3 Limited illicit information flows requires the SFP to cover illicit information flows, but not necessarily eliminate them. FDPIFF.4 Partial elimination of illicit information flows requires the SFP to cover the elimination of some (but not necessarily all) illicit information flows. FDPIFF.5 No illicit information flows requires SFP to cover the elimination of all illicit information flows. FDPIFF.6 Illicit information flow monitoring requires the SFP to monitor illicit information flows for specified and maximum capacities. Management: FDPIFF.1, FDPIFF.2 The following actions could be considered for the management functions in FMT Management: a) Managing the attributes used to make explicit access based decisions. 0 ... 18 19 20 21 22 23 24 ... 117
|
