Table 6.7 - EAL6
Assurance class | Assurance components |
Configuration management | ACM_AUT.2 Complete CM automation |
| ACM_CAP.5 Advanced support |
| ACM_SCP.3 Development tools CM coverage |
Delivery and operation | ADO_DEL.2 Detection of modification |
| ADO_IGS.1 Installation, generation, and start-up procedures |
Development | ADV_FSP.3 Semiformal functional specification |
| ADV_HLD.4 Semiformal high-level explanation |
| ADV_IMP.3 Structured implementation of the TSF |
| ADV_INT.2 Reduction of complexity |
| ADV_LLD.2 Semiformal low-level design |
| ADV_RCR.2 Semiformal correspondence demonstration |
| ADV_SPM.3 Formal TOE security policy model |
Guidance documents | AGD_ADM.1 Administrator guidance |
| AGD_USR.1 User guidance |
Life cycle support | ALC_DVS.2 Sufficiency of security measures |
| ALC_LCD.2 Standardised life-cycle model |
| ALC_TAT.3 Compliance with implementation standards - all parts |
Tests | ATE_COV.3 Rigorous analysis of coverage |
| ATE_DPT.2 Testing: low-level design |
| ATE_FUN.2 Ordered functional testing |
| ATE_IND.2 Independent testing - sample |
Vulnerability assessment | AVA_CCA.2 Systematic covert channel analysis |
| AVA_MSU.3 Analysis and testing for insecure states |
| AVA_SOF.1 Strength of TOE security function evaluation |
| AVA_VLA.4 Highly resistant |
Objectives
EAL7 is applicable to the development of security TOEs for application in extremely high risk situations and/or where the high value of the assets justifies the higher costs. Practical application of EAL7 is currently limited to TOEs with tightly focused security functionality that is amenable to extensive formal analysis.
Assurance components
EAL7 (see Table 6.8) provides assurance by an analysis of the security functions, using a functional and complete interface specification, guidance documentation, the high-level and low-level design of the TOE, and a structured presentation of the implementation, to understand the security behaviour. Assurance is additionally gained through a formal model of the TOE security policy, a formal presentation of the functional specification and high-level design, a semiformal presentation of the low-level design, and formal and semiformal demonstration of correspondence between them, as appropriate. A modular, layered and simple TOE design is also required.
The analysis is supported by independent testing of the TOE security functions; evidence of developer testing based on the functional specification, high-level design, low-level design and implementation representation; complete independent confirmation of the developer test results; strength of function analysis; evidence of a developer search for vulnerabilities; and an independent vulnerability analysis demonstrating resistance to penetration attackers with a high attack potential. The analysis also includes validation of the developer's systematic covert channel analysis.
EAL7 also provides assurance through the use of a structured development process, development environment controls, comprehensive TOE configuration management including complete automation, and evidence of secure delivery procedures.
This EAL represents a meaningful increase in assurance from EAL6 by requiring more comprehensive analysis using formal representations and formal correspondence, and comprehensive testing.
Table 6.8 - EAL7
Assurance class | Assurance components |
Configuration management | ACM_AUT.2 Complete CM automation |
| ACM_CAP.5 Advanced support |
| ACM_SCP.3 Development tools CM coverage |
Delivery and operation | ADO_DEL.3 Prevention of modification |
| ADO_IGS.1 Installation, generation, and start-up procedures |
Development | ADV_FSP.4 Formal functional specification |
| ADV_HLD.5 Formal high-level design |
| ADV_IMP.3 Structured implementation of the TSF |
| ADV_INT.3 Minimisation of complexity |
| ADV_LLD.2 Semiformal low-level design |
| ADV_RCR.3 Formal correspondence demonstration |
| ADV_SPM.3 Formal TOE security policy model |
Guidance documents | AGD_ADM.1 Administrator guidance |
| AGD_USR.1 User guidance |
Life cycle support | ALC_DVS.2 Sufficiency of security measures |
| ALC_LCD.3 Measurable life-cycle model |
| ALC_TAT.3 Compliance with implementation standards - all parts |
Tests | ATE_COV.3 Rigorous analysis of coverage |
| ATE_DPT.3 Testing: implementation representation |
| ATE_FUN.2 Ordered functional testing |
| ATE_IND.3 Independent testing - complete |
Vulnerability assessment | AVA_CCA.2 Systematic covert channel analysis |
| AVA_MSU.3 Analysis and testing for insecure states |
| AVA_SOF.1 Strength of TOE security function evaluation |
| AVA_VLA.4 Highly resistant |
Note: the component identifiers in these tables (for example ADV_HLD, ADV_LLD, ADV_RCR, AVA_CCA, AVA_SOF and AVA_VLA) are those of Common Criteria version 2.x Part 3. CC version 3.1 restructured the ADV, ALC and AVA classes, so these names do not map one-to-one onto the current EAL6 and EAL7 packages.