12 CLASS ADV: DEVELOPMENT
12.4 TSF internals (ADV_INT)
Objectives
254 This family addresses the assessment of the internal structure of the TSF. A TSF whose internals are well-structured is easier to implement and less likely to contain flaws that could lead to vulnerabilities; it is also easier to maintain without the introduction of flaws.
Component levelling
255 The components in this family are levelled on the basis of the amount of structure and minimisation of complexity required. ADV_INT.1 Well-structured subset of TSF internals places requirements for well-structured internals on only selected parts of the TSF. This component is not included in any EAL because it is intended for use in special circumstances (e.g. where the sponsor has a specific concern about a cryptographic module that is isolated from the rest of the TSF) and would not be widely applicable.
256 At the next level, the requirements for well-structured internals are placed on the entire TSF. Finally, minimisation of complexity is introduced in the highest component.
Application notes
257 These requirements, when applied to the internal structure of the TSF, typically result in improvements that aid both the developer and the evaluator in understanding the TSF, and also provide the basis for designing and evaluating test suites. Further, improving the understandability of the TSF should make it easier for the developer to maintain.
258 The requirements in this family are presented at a fairly abstract level. The wide variety of TOEs makes it impossible to codify anything more specific than “well-structured” or “minimum complexity”. Judgements on structure and complexity are expected to be derived from the specific technologies used in the TOE. For example, software is likely to be considered well-structured if it exhibits the characteristics cited in the software engineering disciplines. The components within this family call for identifying the standards for measuring the characteristics of being well-structured and not overly complex.
ADV_INT.1 Well-structured subset of TSF internals
Dependencies: ADV_IMP.1 Implementation representation of the TSF
ADV_TDS.3 Basic modular design
ALC_TAT.1 Well-defined development tools
Class ADV: Development
September 2012 Version 3.1 Page 101 of 233
Objectives
259 The objective of this component is to provide a means for requiring specific portions of the TSF to be well-structured. The intent is that the entire TSF has been designed and implemented using sound engineering principles, but the analysis is performed upon only a specific subset.
Application notes
260 This component requires the PP or ST author to fill in an assignment with the subset of the TSF. This subset may be identified in terms of the internals of the TSF at any layer of abstraction. For example:
a) the structural elements of the TSF as identified in the TOE design (e.g. “The developer shall design and implement the audit subsystem such that it has well-structured internals.”)
b) the implementation (e.g. “The developer shall design and implement the encrypt.c and decrypt.c files such that they have well-structured internals.” or “The developer shall design and implement the 6227 IC chip such that it has well-structured internals.”)
261 This is unlikely to be readily accomplished by referencing the claimed SFRs (e.g. “The developer shall design and implement the portion of the TSF that provides anonymity as defined in FPR_ANO.2 such that it has well-structured internals.”), because such a statement does not indicate where to focus the analysis.
262 This component has limited value and would be suitable in cases where potentially-malicious users/subjects have limited or strictly controlled access to the TSFIs or where there is another means of protection (e.g., domain separation) that ensures the chosen subset of the TSF cannot be adversely affected by the rest of the TSF (e.g., the cryptographic functionality, which is isolated from the rest of the TSF, is well-structured).
Developer action elements:
ADV_INT.1.1D The developer shall design and implement [assignment: subset of the TSF] such that it has well-structured internals.
ADV_INT.1.2D The developer shall provide an internals description and justification.
Content and presentation elements:
ADV_INT.1.1C The justification shall explain the characteristics used to judge the meaning of “well-structured”.
ADV_INT.1.2C The TSF internals description shall demonstrate that the assigned subset of the TSF is well-structured.
Evaluator action elements:
ADV_INT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_INT.1.2E The evaluator shall perform an internals analysis on the assigned subset of the TSF.
ADV_INT.2 Well-structured internals
Dependencies: ADV_IMP.1 Implementation representation of the TSF
ADV_TDS.3 Basic modular design
ALC_TAT.1 Well-defined development tools
Objectives
263 The objective of this component is to provide a means for requiring the TSF to be well-structured. The intent is that the entire TSF has been designed and implemented using sound engineering principles.
Application notes
264 Judgements on the adequacy of the structure are expected to be derived from the specific technologies used in the TOE. This component calls for identifying the standards for measuring the characteristic of being well-structured.
Developer action elements:
ADV_INT.2.1D The developer shall design and implement the entire TSF such that it has well-structured internals.
ADV_INT.2.2D The developer shall provide an internals description and justification.
Content and presentation elements:
ADV_INT.2.1C The justification shall describe the characteristics used to judge the meaning of “well-structured”.
ADV_INT.2.2C The TSF internals description shall demonstrate that the entire TSF is well-structured.
Evaluator action elements:
ADV_INT.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_INT.2.2E The evaluator shall perform an internals analysis on the TSF.
ADV_INT.3 Minimally complex internals
Dependencies: ADV_IMP.1 Implementation representation of the TSF
ADV_TDS.3 Basic modular design
ALC_TAT.1 Well-defined development tools
Objectives
265 The objective of this component is to provide a means for requiring the TSF to be well-structured and of minimal complexity. The intent is that the entire TSF has been designed and implemented using sound engineering principles.
Application notes
266 Judgements on the adequacy of the structure and complexity are expected to be derived from the specific technologies used in the TOE. This component calls for identifying the standards for measuring the structure and complexity.
Developer action elements:
ADV_INT.3.1D The developer shall design and implement the entire TSF such that it has well-structured internals.
ADV_INT.3.2D The developer shall provide an internals description and justification.
Content and presentation elements:
ADV_INT.3.1C The justification shall describe the characteristics used to judge the meaning of “well-structured” and “complex”.
ADV_INT.3.2C The TSF internals description shall demonstrate that the entire TSF is well-structured and is not overly complex.
Evaluator action elements:
ADV_INT.3.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_INT.3.2E The evaluator shall perform an internals analysis on the entire TSF.
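Paragraphs 258 and 266 leave the choice of measurable characteristics to the developer, and ADV_INT.x.1C asks the justification to name them. The following is an added illustration, not text or code from CC Part 3 or any evaluation scheme, of what such a measurable standard can look like for software: it computes cyclomatic complexity (number of independent paths through a routine) and fan-out (number of distinct routines called) for every function in a module and reports any that exceed a threshold. The thresholds `MAX_CYCLOMATIC` and `MAX_FANOUT`, the function names `analyze`, `report` and `metrics_by_name`, and the sample source are all assumptions constructed for this example.

```python
"""Metrics a developer might cite for "well-structured" and "not overly complex".

Added example; not part of CC Part 3. It assumes the justification names
cyclomatic complexity and fan-out as its characteristics; the thresholds
and the sample source below are hypothetical and constructed for the
illustration.
"""
import ast
from dataclasses import dataclass

MAX_CYCLOMATIC = 10  # hypothetical threshold chosen for the illustration
MAX_FANOUT = 7       # hypothetical threshold chosen for the illustration

# Nodes that each open one additional independent path through a routine.
_BRANCH_NODES = (ast.If, ast.For, ast.While, ast.ExceptHandler,
                 ast.Assert, ast.IfExp, ast.comprehension)


@dataclass
class FunctionMetrics:
    name: str
    cyclomatic: int
    fanout: int

    def violations(self) -> list:
        """Threshold breaches for this routine, one message per metric."""
        out = []
        if self.cyclomatic > MAX_CYCLOMATIC:
            out.append(f"{self.name}: cyclomatic {self.cyclomatic} > {MAX_CYCLOMATIC}")
        if self.fanout > MAX_FANOUT:
            out.append(f"{self.name}: fan-out {self.fanout} > {MAX_FANOUT}")
        return out


def _iter_nodes(fn: ast.AST):
    """Yield every node inside fn without descending into nested function bodies."""
    stack = list(ast.iter_child_nodes(fn))
    while stack:
        node = stack.pop()
        yield node
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            stack.extend(ast.iter_child_nodes(node))


def _callee_name(call: ast.Call):
    """Name of the routine being called, or None for dynamic call targets."""
    if isinstance(call.func, ast.Name):
        return call.func.id
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    return None


def measure_function(fn: ast.AST) -> FunctionMetrics:
    cyclomatic = 1  # the straight-line path
    callees = set()
    for node in _iter_nodes(fn):
        if isinstance(node, _BRANCH_NODES):
            cyclomatic += 1
        elif isinstance(node, ast.BoolOp):
            cyclomatic += len(node.values) - 1  # each and/or short-circuit adds a path
        elif isinstance(node, ast.Call):
            name = _callee_name(node)
            if name is not None:
                callees.add(name)
    return FunctionMetrics(fn.name, cyclomatic, len(callees))


def analyze(source: str) -> list:
    """Metrics for every function (methods included) in a module's source."""
    tree = ast.parse(source)
    return [measure_function(n) for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]


def metrics_by_name(source: str) -> dict:
    return {m.name: m for m in analyze(source)}


def report(source: str) -> list:
    """All breaches in the module; an empty list is what the internals
    description would cite as evidence that the code is not overly complex."""
    return [v for m in analyze(source) for v in m.violations()]


# Constructed sample "TSF" module: one small, well-structured routine and one
# command dispatcher that has grown past both thresholds.
SAMPLE_SOURCE = '''
def check_pin(pin, expected):
    if len(pin) != len(expected):
        return False
    diff = 0
    for a, b in zip(pin, expected):
        diff |= ord(a) ^ ord(b)
    return diff == 0

def handle_command(cmd, arg, session):
    if cmd == "login" and session.state == "new":
        return do_login(arg)
    elif cmd == "logout":
        return do_logout(session)
    elif cmd == "read":
        if session.auth:
            return read_record(arg)
        return deny()
    elif cmd == "write":
        if session.auth and session.role == "admin":
            return write_record(arg)
        return deny()
    elif cmd == "audit":
        return [fmt(e) for e in audit_log() if e.level > 1]
    elif cmd == "reset":
        try:
            reset_state(session)
        except KeyError:
            log_error(cmd)
        return ok()
    elif cmd == "ping":
        return pong()
    return unknown(cmd)
'''

if __name__ == "__main__":
    for m in analyze(SAMPLE_SOURCE):
        print(f"{m.name}: cyclomatic={m.cyclomatic} fan-out={m.fanout}")
    for line in report(SAMPLE_SOURCE):
        print("VIOLATION", line)
```

On the sample, `check_pin` measures 3 paths and 3 callees and passes, while `handle_command` measures 14 paths and 12 callees and fails both thresholds; the developer's internals description would either refactor the dispatcher or explain in the justification why the chosen characteristics tolerate it. Whatever characteristics are chosen, the point of paragraphs 258 and 266 is that they are stated explicitly and applied uniformly, so the evaluator's internals analysis can be repeated rather than argued.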