17 CLASS ACO: COMPOSITION
17.5 Composition vulnerability analysis (ACO_VUL)
Objectives
506 This family calls for an analysis of vulnerability information available in the public domain and of vulnerabilities that may be introduced as a result of the composition.
Component levelling
507 The components in this family are levelled on the basis of increasing scrutiny of vulnerability information from the public domain and independent vulnerability analysis.
Application notes
508 The developer will provide details of any residual vulnerabilities reported during evaluation of the components. These may be gained from the component developers or evaluation reports for the components. These will be used as inputs into the evaluator's vulnerability analysis of the composed TOE in the operational environment.
509 The operational environment of the composed TOE is examined to ensure that the assumptions and objectives for the component operational environment (specified in each component ST) are satisfied in the composed TOE. An initial analysis of the consistency of assumptions and objectives between the components and the composed TOE STs will have been performed during the conduct of the ASE activities for the composed TOE.
However, this analysis is revisited with the knowledge acquired during the ACO_REL, ACO_DEV and the ACO_COR activities to ensure that, for example, assumptions of the dependent component that were addressed by the environment in the dependent component ST are not reintroduced as a result of composition (i.e. that the base component adequately addresses the assumptions of the dependent component ST in the composed TOE).
510 A search by the evaluator for issues in each component will identify potential vulnerabilities reported in the public domain since completion of the evaluation of the components. Any potential vulnerabilities will then be subject to testing.
511 If the base component used in the composed TOE has been the subject of assurance continuity activities since certification, the evaluator will consider during the composed TOE vulnerability analysis activities the changes made in the base component.
ACO_VUL.1 Composition vulnerability review
Dependencies: ACO_DEV.1 Functional Description
Developer action elements:
ACO_VUL.1.1D The developer shall provide the composed TOE for testing.
Class ACO: Composition
Page 190 of 233 Version 3.1 September 2012
Content and presentation elements:
ACO_VUL.1.1C The composed TOE shall be suitable for testing.
Evaluator action elements:
ACO_VUL.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ACO_VUL.1.2E The evaluator shall perform an analysis to determine that any residual vulnerabilities identified for the base and dependent components are not exploitable in the composed TOE in its operational environment.
ACO_VUL.1.3E The evaluator shall perform a search of public domain sources to identify possible vulnerabilities arising from use of the base and dependent components in the composed TOE operational environment.
ACO_VUL.1.4E The evaluator shall conduct penetration testing, based on the identified vulnerabilities, to demonstrate that the composed TOE is resistant to attacks by an attacker with basic attack potential.
ACO_VUL.2 Composition vulnerability analysis
Dependencies: ACO_DEV.2 Basic evidence of design
Developer action elements:
ACO_VUL.2.1D The developer shall provide the composed TOE for testing.
Content and presentation elements:
ACO_VUL.2.1C The composed TOE shall be suitable for testing.
Evaluator action elements:
ACO_VUL.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ACO_VUL.2.2E The evaluator shall perform an analysis to determine that any residual vulnerabilities identified for the base and dependent components are not exploitable in the composed TOE in its operational environment.
ACO_VUL.2.3E The evaluator shall perform a search of public domain sources to identify possible vulnerabilities arising from use of the base and dependent components in the composed TOE operational environment.
ACO_VUL.2.4E The evaluator shall perform an independent vulnerability analysis of the composed TOE, using the guidance documentation, reliance information and composition rationale to identify potential vulnerabilities in the composed TOE.
ACO_VUL.2.5E The evaluator shall conduct penetration testing, based on the identified vulnerabilities, to demonstrate that the composed TOE is resistant to attacks by an attacker with basic attack potential.
ACO_VUL.3 Enhanced-Basic Composition vulnerability analysis
Dependencies: ACO_DEV.3 Detailed evidence of design
Developer action elements:
ACO_VUL.3.1D The developer shall provide the composed TOE for testing.
Content and presentation elements:
ACO_VUL.3.1C The composed TOE shall be suitable for testing.
Evaluator action elements:
ACO_VUL.3.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ACO_VUL.3.2E The evaluator shall perform an analysis to determine that any residual vulnerabilities identified for the base and dependent components are not exploitable in the composed TOE in its operational environment.
ACO_VUL.3.3E The evaluator shall perform a search of public domain sources to identify possible vulnerabilities arising from use of the base and dependent components in the composed TOE operational environment.
ACO_VUL.3.4E The evaluator shall perform an independent vulnerability analysis of the composed TOE, using the guidance documentation, reliance information and composition rationale to identify potential vulnerabilities in the composed TOE.
ACO_VUL.3.5E The evaluator shall conduct penetration testing, based on the identified vulnerabilities, to demonstrate that the composed TOE is resistant to attacks by an attacker with Enhanced-Basic attack potential.
A Development (ADV) (informative)
512 This annex contains ancillary material to further explain and provide additional examples for the topics brought up in families of the ADV: Development class.
A.1 ADV_ARC: Supplementary material on security