4-6 November | Sheraton Grand Doha, Qatar

ICCC18 Track Chair Notes

Conference Track Chairs have provided notes and highlights for selected conference presentations. 
Jump to:    |   Advances in CC   |   Meeting Customer Requirements   |   Updates from Schemes and iTCs   |   Assurance

Advances in the Use of Common Criteria

Track Chair: Miguel Bañón, Global Technology Leader for Cyber Security, DEKRA

Track Keynote: Why I Care About the Security of Your Car (A12a)

Marc Witteman provided a futuristic view on the connected and autonomous vehicle, and the challenges that these will have from a cybersecurity stand point. He concluded that high assurance seemed appropriate to safeguard us in this scenario, with a strong shift to process evaluation, and called for Governmental action to regulate the world of connected cars. Audio Archive

Robustness Propagation Through Systems of Heterogeneous CC Components (A12b)

Mohamad Hajj gave a general view on the problem of composition, and how it relates to the IoT systems. He followed with a presentation of a novel “Logo” composition methodology, aimed to support the evaluation of the integration of heterogeneous multipurpose components. Audio Archive

Common Criteria as Backbone of IoT Security Certification (A12C)

George Stütz explained his experience in the use of Common Criteria, and depicted a complicated picture of current product vulnerabilities, specially in the IoT world. He presented an architecture model for an IoT device that built on a root of trust and on a certification layering that would allow an end IoT product developer to achieve high assurance and certified product in an efficient way. Audio Archive

Why Composite Evaluations Fail (A131a)

Helmut Kurth shared his view on why the current composition model fails, and the relationship between this failure and the definition of vulnerability in the current standard, as it has been reported by this speaker repeatedly. A suggested framework for composition that requires the analysis of the composability and preservation of policies and properties was introduced to improve the compositional certification methodology. Audio Archive

A Compositional Certification Methodology For a COTS-Based System (A13b)

The presentation, given by Sergey Tverdyshev and by Alvaro Ortega, introduced the R&D project CERTmils, funded by the EU H2020 programme. The project, built upon the MILS platform specification, has developed a Compositional Methodology for Security Certification, to be applied to pilot projects, in the areas of smart grid, railway and subway infrastructures. The presentation concluded with an summary of the developed methodology and the introduction of a project Protection Profile for a separation kernel. Audio Archive

Evaluation of Distributed Products in the CC Paradigm (A13c)

Richard West shared the experience of CISCO when applying the Network Device cPP to the evaluation of a distributed TOE. Some use cases and possible options were explained, as well as alternatives for SFR selection and allocation. The presentation concluded with some suggestions to PP authors. Audio Archive

Meeting Customer Requirements

Track Chair: Alicia Squires, Global Certifications Team – Manager, FIPS/Common Criteria, Cisco Systems Major Themes: This track focused on the areas of technology expansion in use of the CC. Many of the presentations considered challenges and highlights of use of the CC in other markets. The track also looked in depth at procurement requirements around the globe, and how CC meets them, and in what manner. There were several discussions of the ENISA Cybersecurity Act and how it intertwines with CC.

Introducing Secure Systems into NATO – the requirements to Common Criteria (M12a)

Jan Fanekrog covered NATO’s alignment with CC. He covered how he has mapped NATO policy to some CC requirements. NATO embraces the use of CC, and they focus on Supply Chain security as well. Three methods to get product into NATO: cPP, EAL, or National Scheme evaluation. Audio Archive

Continuous Mobile Application Compliance Using Government Standards (M12b)

Sritapan & Dr Stavrou did a study on public safety apps and found a number of issues, including hard-coded passwords and certificate issues -> indicated the need for Mobile App PP evaluations. Emphasis on speed and low cost of the evaluation. An automated test suite was developed. Top 100 iOS and Android Apps were run through it, and there were lots of security failures. Audio Archive

Adopting Common Criteria Methodology and Strategies in Malaysia Critical National Information Infrastructure (M12c)

Muzamir Mohammed from Securelytics, spent time considering the needs of Critical National Information Infrastructure in Malaysia. The strategy for national protection for critical infrastructure in Malaysia is: Protect -> Address Risks -> Develop Key Programs to address the risks. Malaysian CC Scheme is part of the key programs part. Covers 10 CNII Sectors. Audio Archive

Regulating IT Market with Common Criteria Certifications (M13a)

Mehmet Cakir discussed how the security regulations in Turkey affect the market. Even the public sees the constant news coverage of the risks to their phones or other devices. This caused the government to act on cybersecurity and correlate it with the freedom of the nation. The resulting cybersecurity regulations are like an ST for the whole nation. Highlighted similar ‘regulations’ in Germany, Netherlands, Spain, Poland, Hungary, US, Japan, Jamaica, Qatar, Jordan, and Singapore. Audio Archive

Using Common Criteria for Procurement: International Procurement Initiatives (M13b)

Jose Ruiz Gualda asked the question about whether procurement was used as a tool to up security. He conducted an informal survey of several nations via web searches, contacting those that he knows: Asked whether their country used CC for procurement, another evaluation methodology, and whether CC meets the need or not. 93% of responses said yes on CC for procurement. Lots of good summaries in the slides. Audio Archive

EU Cybersecurity Act: the tough part is yet to come! (M13c)

Martin Schaffer discussed how the European Cyber Security Org (ECSO) Working Group 1 had been considering cybersecurity before ENISA put out the Cybersecurity Act. Standards are good and important, but correct use of them is critical. In principle, the EU Cybersecurity Act is a good start, but he noted that it has a long way to go. He pointed out that Cybersecurity is dynamic, whereas evaluation is valid at the moment of issue. He asserted that evaluation completion is more important than the level attained. He presented a sector-agnostic mapping to show the challenges. Audio Archive

Reconciling Security Vulnerabilities within the Common Criteria (M20a)

Fabien Deboyser proposed 7 different solutions for considering vulnerability testing in CC. They ranged in complexity and skills. See his slides for the great detail. Audio Archive

Hypervisor Security—Panel Discussion (M20b)

The security of hypervisors is growing in importance and scope. Started with consideration of whether Hypervisor is the same as an OS -> No, while similar. Also considered whether virtual TPMs can be used as a basis for secure boot. Entropy discussions, and whether the hypervisor should have to get its entropy from the bare metal, and make that raw entropy available to client machines was debated. Audio Archive

Connected Cars. Security Certification Schemes (M21a)

In this presentation, Jose Emilio Rico discussed how cars are computerized and connected and thus are vulnerable to being attacked. He talked about how components in smart cars interface with external systems and applications which exposes them to serious threats. Additionally, a complex supply chain hides component internals. Jose presented strategies to address the problem which included threat modeling, defense in-depth, and evaluation and certification. Audio Archive

Protection Profiles for Smart Home Appliances (M21b)

Arnold Abromeit presented how the Secure Communications Alliance is driving the PP work in the area of Smart Home Appliances. They are using an EAL-based approach. It covers directly connected (to the Internet) devices, as well as those that connect via a secure gateway. The PP composes the solution into an IoT Secure Communications Module and an IoT Secure Element. Audio Archive

Expressing Minimum Security Requirements for Smart Meters in a Protection Profile (M21c)

Tony Boswell presented a view that people do actually want to use CC outside our traditional domains. ESMIG is the group that has been using CC for Smart Meters. It provides a core set of functionality in the meter that then won’t need to be evaluated over and over again: logging secure data exchange, availability, crypto hygiene, authorization of devices communicating with it, protection of data at rest, and other areas. Audio Archive

An Evaluation Methodology with Assurance Levels for Privacy-by-Design (M22a)

This presentation discussed that privacy is not effectually addressed in the CC with certain SFR rarely used. The presentation discussed the possibility of security and privacy being incompatible and looked at the challenges of implementing both. Methodology was created to check compliance to GDPR and the use case of biometric systems against this methodology was described. Audio Archive

PP v/s EAL: Where Does Security Assurance Reside? (M22b)

This presentation compared EAL evaluations against PP evaluations. The presenters described both approaches as well as customer requirements. The presenters discussed the requirement of trustworthiness, understandable certification, disclosure, speed, cost effectiveness and alignment with procurement criteria. They discussed customer requirements of assurance that the products meet their security policies and provide assurance of a security baseline. The presenters compared five EAL network and network related devices and system evaluations against a similar NDcPP v2,0e evaluation. Four of the evaluations were undertaken in Europe and one was undertaken in Asia. They consisted of EAL2 = 2, EAL3 =1 and EAL = 4. The presenters presented the data against each in regard to SFRs and number of unique classes. For the EALs the SFRs were a lot less than the NDcPP while the number of unique classes were close. However, for number of SFR families per class and average SFR per class, the NDcPP had a greater number.
The presenters discussed areas in cPPs that could be improved upon in cPPs such as possibly considering adding flaw remediation and vulnerability testing. The conclusion of the presentation was that cPPs provide a depth and breadth to establish a demonstrable baseline of security. cPP enables customers to do a like for like comparison. cPPs allows consumers to design and deploy networks that address their threat model. Audio Archive

Verification of Cryptographic Security Functionality in NIAP CCEVS (M23a)

The presenter discussed that NIAP only performs PP evaluations, and that NIAP is working to streamline the evaluation process and eliminate duplicate testing especially for cryptographic functional testing. NIAP policy #5 mandates FIPS140-2 certified products for procurement. The presenter discussed how NIAP and NIST have been working together. NIAP has produced a cryptographic certificate reporting template that laboratories are to use. The completed certificate report will include information of the TOE models and cryptographic operating environment etc., as well as identifying each applicable SFR with a CAVP certificate. A screen shot of the CMVP/CAVP listings also needs to be included clearing showing which algorithms are applicable. Audio Archive

Ensuring Good Entropy Sources is Not a Random Act (M23b)

The presenters discussed Random Bit Generators (RBG), and discussed how entropy source and deterministic RBG work and its importance to produce a cryptographic key. The presenters provided entropy definitions from SP800-90A, SP800-90B, SP800-90C. During the use case of Linux PRNG the presenter highlighted that the entropy source is collected at the input pool from the different noises from the environment, device drivers, environment and that all the testing needs to be done on the input pool sample. The presenter provided information on what needs to be included in the entropy information document. The presenters discussed good entropy referencing David Johnston (Intel) book and discussed entropy sources from hardware, software and other sources. Intel specifically was discussed. Intel is co-operating with vendors in regard to entropy and when asked instructs vendors on how to how into the Intel CPU so that entropy can be gathered at the source. The presentation discussed the challenges with entropy usage and entropy testing. Audio Archive

TLS 1.3, the Real Trusted Channel (M23c)

This presentation provided an overview of trusted path/channel in the CC and also provided a history of TLS and discussed the updates in TLS 1.3. A comparison was given between TLS 1.2 and TLS 1.3 in regard to handshakes, resumption, cipher suites, key exchange & authentication algorithms, HKDF. The presenter highlighted that the following had been removed in TLS 1.3 – RSA (key exchange), RC4, 3DES, Camellia (Encryption algorithms), MD5, SHA-1 (Cryptographic Hash algorithms), AES-CBC (Cipher modes), TLS compression & session renegotiation and DSA signature (ECDSA ≥ 224 BIT) (Other features). The presenter discussed ATE in relation to FTP_ITC and FTP_TRP and AVA. The presenters conclusion is that TLS 1.3 provides identification, authentication, confidentially and integrity. Audio Archive

Updates from Schemes and ITCs

Assurance

Track Chair: Erin Connor Major Themes: The Assurance Track featured a variety of presentations around experience with providing assurance in products in a timely manner.

Frequently Updated TOEs. Is Continued Assurance Possible? (S30a)

In his presentation “Frequently Updated TOEs: Is Continued Asssurance Possible”, Oleg Andrianov presented the problem of patching products in the face of decreasing cycles from discovery of a vulnerability to the issuance of a patch and exploitation of the vulnerability in advance of the patches being applied. He discussed some responses to the problem as well as some modifications to the CC being used in Russia to address the problem of gaining assurance in released patches so end-users may apply them to their systems. Audio Archive

Assurance at the Speed of Development (S30b)

Jason Lawlor discussed issues around matching evaluation and assurance of products to the pace at which they are developed and updated. He reviewed some of the obstacles to aligning evaluation timelines with product development including differences among Schemes, validation of tools used to support testing, complexity and variety of technologies, and vendor buy-in. In addition, use of automation in testing is only generally applicable to standardised Protection Profile based evaluations that involve fixed functionality, e.g., for standard communications protocols. Audio Archive

Dealing with Patch Management in Common Criteria—Lessons Learned from Study Period in SC27 WG3 (S30c)

Francois Guerin presented some lessons learned during a Study Period in SC 27 WG3 on Patch Management after a product is certified and problems are found. He noted that the study identified that a patch of a non-security flaw (not in the TOE) results in the same TOE with the same functionality and the same certificate while a patch for a security flaw actually results in a new TOE (new functionality) with need for a new certificate. It also found from the study of 10 PPs that there were different approaches to patch management based on from silence to a defined time limit from flaw discovery to patch delivery. The study resulted in the definition of a concept of Continuous Assurance for Patch Management that would rely on the evaluation and certification of the Patch Management process for a Product. The initial TOE would receive a product certification and then the certified patch process would be applied foro updates to the TOE. Audio Archive

ePassport High Assurance Evaluations in a Timely Manner (S31a)

Olaf Tettero and Monique Bakker provided a review of the evaluation requirements from the ePassport Protection Profile and discussed the process used to complete evaluations in a timely manner. They also fielded a number of questions from the audience. Audio Archive

Hardware-Enabled AI for Embedded Security: Towards the Highest CC Evaluation Assurance Levels (S31b)

Ismail Guerdira spoke on “Hardware-Enabled AI for Embedded Security: Towards the Highest CC Evaluation Assurance” using the example of smart vehicles and the Protect-Evaluate-Service-Certify (PESC) Strategy employed. He provided a breakdown of the multiple sensors found in modern vehicles and the independent manner in which they “make their own decisions”. The next steps in increasing the capability will require the use of AI and sensor fusion to allow the vehicle to make better decisions especially in the face of malfunctioning sensors or sensors that are in disagreement. Audio Archive

ISCI-WG1: Lean CC and High Assurance—The Java Card Pre-Compiled Evidence Project (S31c)

Wouter Slegers and Monique Bakker closed out the Assurance Track session with a presentaiton on “Lean CC and High Assurance – The Java Card Pre-compiled Evidence Project”. They argued that in the case of fixed functionality, fixed Protection Pofile and fixed test cases, much of the evaluation evidence documentation for high assurance evaluations could be eliminated. Repeated evaluations of a product or products to the same PP do not need to continually look at the process evidence or much of the development evidence as it has been “seen before”. The same applies for much of the evidence tracing test cases to PP requirements – it doesn’t change. This was found to be especially true in the case of Smart Cards where they indicated that reductions in. Audio Archive