Considering the Common Criteria: Introduction to Panel Discussion

Author

  • Jane Sinclair
Abstract

This paper provides a brief introduction to the draft security standard known as the Common Criteria and suggests possible related topics for panel discussion.

Suggestions for discussion

In order for a system to be judged secure, there must be a coherent and comprehensive set of criteria against which it can be measured. In recent years, a number of different security standards have been developed for the evaluation of computing systems. In the US, the well-known TCSEC [1] or “Orange Book” described seven levels of security rating, from D to A1, each with increasingly stringent requirements. A number of European countries standardised their approaches to produce the ITSEC [2], which decoupled the functionality and the assurance components of security evaluation. The Canadians, too, produced a similar standard, CTCPEC [3], which describes how functional components may be brought together to achieve a particular assurance level.

Verifying a system against a standard is a very costly procedure. It would be an extremely daunting prospect to face repeating the process three or more times for a product to be accredited in different countries. Seeing the potential benefits of a single, internationally-accepted document, the main players involved in TCSEC, ITSEC and CTCPEC have joined together to produce the “Common Criteria” [4]. It is intended that the Common Criteria will become the international (ISO) standard for security evaluation, covering both military and commercial concerns with equal consideration. A draft document is currently available for comment. It can be obtained on CDROM or in its printed form as 800 A4 pages.

Since the Common Criteria have now reached a stage at which they are open to public scrutiny, it seems an appropriate time to consider the issues involved in producing such a standard and to discuss the generalities of its contents. Some of the following questions might be raised.

What should be contained in the Common Criteria? How much emphasis should there be on commercial security? What role can such a standard have in improving security? Is the length of the document a barrier to its success?

The Common Criteria take the approach of using a “protection profile”. Standardised, implementation-independent components are brought together to form an abstract security target. The security target for any individual product is then an instantiation of the protection profile. Is this the best way of doing things? Might there be any problems with it? How easy will it be to evaluate products against the Common Criteria?

One specific area of interest is the position of formal methods and the requirements for formal verification. This has proved to be a contentious issue in safety-critical areas where standards, such as the UK 00-55 [5], have mandated the use of formal methods. Criticism has caused the requirements of 00-55 to be lowered from “formal proof” to “rigorous argument”, and this may be toned down even further before the document achieves full standard status. Current security standards already make certain specification and verification demands for accreditation at the higher levels. This seems to have caused less disquiet in the computer industry than did the safety-critical requirements. So is the security world more advanced in the use of formal methods? One point to bear in mind is that, so far, there has been only one product registered at the highest ITSEC level (E6), and three at A1 of the TCSEC.

Should this past performance have any effect on the Common Criteria? Should the standard reflect current practice within the industry, or should it lead the way by forcing the use of certain approaches? Should formal (or informal) specification/refinement/proof be required? Have formal methods and support tools reached a sufficient level of maturity to bear such a heavy burden? Have formal methods approaches really been shown to work?

Finally, what of the document itself? How understandable and usable is an 800-page standard? Should it itself be wholly or partly presented as a formal specification? Recent work [7] has provided a Z specification of 00-56 [6], the companion document to 00-55. This exercise uncovered a number of inconsistencies and ambiguities in the existing document. Would the assurance provided by producing the Common Criteria as a formal specification justify the cost? Would such a document be of any on-going use in clarifying the standard and easing its application?

Panelists

  • Virgil Gligor, University of Maryland, US.
  • Jeremy Jacob, York University, UK.
  • Richard Lampard, National Physical Laboratory, UK.
  • Jonathan Millen, MITRE, US.
  • Jane Sinclair, Open University, UK.

These questions are intended to provide the basis for an email discussion on the Common Criteria which will, in turn, indicate the most interesting areas for discussion at the workshop.

Proceedings of the Eighth IEEE Computer Security Foundations Workshop (CSFW '95). 1063-6900/95 $4.00 © 1995 IEEE

Publication date: 2001