
10.4 TSF internals (ADV_INT)

Objectives

This family addresses the internal structure of the TSF. Requirements are presented for modularity, layering (to separate levels of abstraction and minimise circular dependencies), minimisation of the complexity of policy enforcement mechanisms, and the minimisation of the amount of non-TSP-enforcing functionality within the TSF - thus resulting in a TSF that is simple enough to be analysed.

Modular design reduces the interdependence between elements of the TSF and thus reduces the risk that a change or error in one module will have effects throughout the TOE. Thus, a modular design provides the basis for determining the scope of interaction with other elements of the TSF, provides for increased assurance that unexpected effects do not occur, and also provides the basis for designing and evaluating test suites.

The use of layering and of simpler designs for the TSP-enforcing functionality reduces the complexity of the TSF. This in turn enables a better understanding of the TSF, providing more assurance that the TOE security functional requirements are accurately and completely instantiated in the implementation.

Minimising the amount of functionality in the TSF that does not enforce the TSP reduces the possibility of flaws in the TSF. In combination with modularity and layering, it allows the evaluator to focus only on that functionality which is necessary for TSP enforcement.

Design complexity minimisation contributes to the assurance that the code is understood - the less complex the code in the TSF, the greater the likelihood that the design of the TSF is comprehensible. Design complexity minimisation is a key characteristic of a reference validation mechanism.

Component levelling

The components in this family are levelled on the basis of the amount of structure and minimisation required.

Application notes

The term "portions of the TSF" is used to represent parts of the TSF with a varying granularity based on the available TSF representations. The functional specification allows identification in terms of interfaces, the high-level design allows identification in terms of subsystems, the low-level design allows identification in terms of modules, and the implementation representation allows identification in terms of implementation units.

The ADV_INT.2.5C and ADV_INT.3.5C elements address minimisation of mutual interactions between layers. Nevertheless, it is still permissible to have mutual interactions between layers, but in such cases the developer is required to demonstrate that these mutual interactions are necessary and cannot reasonably be avoided.


ADV_INT.2.6C introduces a reference monitor concept by requiring the minimisation of complexity of the portions of the TSF that enforce the access control and/or information flow control policies identified in the TSP. ADV_INT.3.6C further develops the reference monitor concept by requiring minimisation of the complexity of the entire TSF.

Several of the elements within the components for this family refer to the architectural description. The architectural description is at a similar level of abstraction to the low-level design, in that it is concerned with the modules of the TSF. Whereas the low-level design describes the design of the modules of the TSF, the purpose of the architectural description is to provide evidence of modularity, layering, and minimisation of complexity of the TSF, as applicable. Both the low-level design and the implementation representation are required to be in compliance with the architectural description, to provide assurance that these TSF representations possess the required modularity, layering, and minimisation of complexity.
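The layering evidence that ADV_INT.2.5C asks for can be produced mechanically from the architectural description. The following is an added example, not text or code from Common Criteria Part 3: it models each TSF module by its layer number and the modules it calls (constructed sample names, not from any real TOE), reports every pair of layers that call each other (a mutual interaction the developer must justify), and separately reports module-level dependency cycles, since a mutual layer interaction can exist without a circular dependency and vice versa.

```python
"""Layering check for an architectural description (added example, not part of
CC Part 3). Finds mutual interactions between layers (ADV_INT.2.5C) and
circular dependencies between modules from a module/layer/call table."""

# Constructed sample: module -> (layer number, set of modules it calls).
# Lower layer numbers are closer to the hardware; calls should go downward.
SAMPLE_TSF = {
    "hw_abstraction": (0, set()),
    # memory_mgr and audit_log call each other: a same-layer circular dependency
    "memory_mgr":     (1, {"hw_abstraction", "audit_log"}),
    "audit_log":      (1, {"hw_abstraction", "memory_mgr"}),
    "access_control": (2, {"memory_mgr", "audit_log"}),
    "session_mgr":    (3, {"access_control", "audit_log"}),
    # Upward call from layer 1 to layer 3: together with session_mgr's
    # downward calls this is a mutual interaction between layers 1 and 3.
    "notifier":       (1, {"session_mgr"}),
}


def mutual_layer_interactions(tsf):
    """Return sorted (lower_layer, upper_layer) pairs with calls in both directions."""
    edges = set()
    for mod, (layer, callees) in tsf.items():
        for callee in callees:
            edges.add((layer, tsf[callee][0]))
    return sorted((a, b) for (a, b) in edges if a < b and (b, a) in edges)


def dependency_cycles(tsf):
    """Return module-level cycles found by depth-first search, each as a module list."""
    cycles, state = [], {}   # state: 1 = on the current DFS path, 2 = finished

    def visit(mod, path):
        state[mod] = 1
        path.append(mod)
        for callee in sorted(tsf[mod][1]):
            if state.get(callee) == 1:          # back edge: closes a cycle
                cycles.append(path[path.index(callee):] + [callee])
            elif callee not in state:
                visit(callee, path)
        path.pop()
        state[mod] = 2

    for mod in sorted(tsf):
        if mod not in state:
            visit(mod, [])
    return cycles


if __name__ == "__main__":
    print("mutual layer interactions:", mutual_layer_interactions(SAMPLE_TSF))
    print("dependency cycles:", dependency_cycles(SAMPLE_TSF))
```

Each reported layer pair and cycle is an item the architectural description must either remove by restructuring or justify as necessary and unavoidable.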

ADV_INT.1 Modularity

Dependencies:

ADV_IMP.1 Subset of the implementation of the TSF
ADV_LLD.1 Descriptive low-level design

Developer action elements:

ADV_INT.1.1D The developer shall design and structure the TSF in a modular fashion that avoids unnecessary interactions between the modules of the design.

ADV_INT.1.2D The developer shall provide an architectural description.

Content and presentation of evidence elements:

ADV_INT.1.1C The architectural description shall identify the modules of the TSF.

ADV_INT.1.2C The architectural description shall describe the purpose, interface, parameters, and effects of each module of the TSF.

ADV_INT.1.3C The architectural description shall describe how the TSF design provides for largely independent modules that avoid unnecessary interactions.

Evaluator action elements:

ADV_INT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ADV_INT.1.2E The evaluator shall determine that both the low-level design and the implementation representation are in compliance with the architectural description.


ADV_INT.2 Reduction of complexity

Application notes

This component introduces a reference monitor concept by requiring the minimisation of complexity of the portions of the TSF that enforce the access control and/or information flow control policies identified in the TSP.

Dependencies:

ADV_IMP.1 Subset of the implementation of the TSF
ADV_LLD.1 Descriptive low-level design

Developer action elements:

ADV_INT.2.1D The developer shall design and structure the TSF in a modular fashion that avoids unnecessary interactions between the modules of the design.

ADV_INT.2.2D The developer shall provide an architectural description.

ADV_INT.2.3D The developer shall design and structure the TSF in a layered fashion that minimises mutual interactions between the layers of the design.

ADV_INT.2.4D The developer shall design and structure the TSF in such a way that minimises the complexity of the portions of the TSF that enforce any access control and/or information flow control policies.

Content and presentation of evidence elements:

ADV_INT.2.1C The architectural description shall identify the modules of the TSF and shall specify which portions of the TSF enforce the access control and/or information flow control policies.

ADV_INT.2.2C The architectural description shall describe the purpose, interface, parameters, and effects of each module of the TSF.

ADV_INT.2.3C The architectural description shall describe how the TSF design provides for largely independent modules that avoid unnecessary interactions.

ADV_INT.2.4C The architectural description shall describe the layering architecture.

ADV_INT.2.5C The architectural description shall show that mutual interactions have been minimised, and justify those that remain.

ADV_INT.2.6C The architectural description shall describe how the portions of the TSF that enforce any access control and/or information flow control policies have been structured to minimise complexity.
