On Mon, Feb 22, 2010 at 03:51:28PM +0200, Aram Hăvărneanu wrote:
> EAL4 is meaningless. The auditor is not required to view the software
> in any way (binary or source).

Wrong. EAL4 is the lowest EAL that includes ADV_IMP.1, which in turn requires checking the actual implementation, i.e. source code in the case of software TOEs. It does not, however, require a full code review - a sampling of whether the implementation actually implements the design is sufficient.

> Any vendor with money can get its OS to
> be certified at least at EAL 4 because all that means is that the OS
> has some mechanisms in place for implementing security. It does not
> guarantee that those mechanisms really work

Again wrong. The mechanisms that are *claimed* by the vendor have to be implemented accurately.

> or that the OS is not full of security holes.

Now *that's* where it gets interesting, because you're absolutely right on with this one - CC only verifies the claims made by the vendor, nothing more. There is no requirement as such to go looking for security holes that are outside the claimed scope.

As you write in your other mail (and I've written myself before), EALx means zilch without reading the claims (i.e. the Security Target). If the vendor does not claim a lot of security and/or lists a lot of environmental restrictions/assumptions (wasn't that the NT4 EAL4 where there was no network and suchlike?), he might very well be able to get a reasonably high EAL without too much effort. Hence, whoever is looking at EALs does well to carefully read the corresponding Security Target, *especially* if it's not claiming conformance to a standardised Protection Profile[0]...

Whether this type of evaluation/certification is of any use in "real life" is left as an exercise to the reader...

Cheerio,

Thomas

[0] like e.g. smart cards

-- 
****** PLEASE: NO Cc's to me privately, I do read the list - thanks! ******
-----------------------------------------------------------------------------
Thomas Ribbrock    http://www.ribbrock.org    ICQ#: 15839919
"You have to live on the edge of reality - to make your dreams come true!"