free web tracker Common Evaluation Methodology Table of Contents

 Common Criteria Documentation

Table of Contents

Chapter 1

Introduction 1

1.1 Scope 1

1.2 Organisation 1

1.3 Document conventions 2

1.3.1 Terminology 2

1.3.2 Verb usage 3

1.3.3 General evaluation guidance 3

1.3.4 Relationship between CC and CEM structures 3

1.4 Evaluator verdicts 5

Chapter 2

General evaluation tasks 7

2.1 Introduction 7

2.2 Evaluation input task 7

2.2.1 Objectives 7

2.2.2 Application notes 7

2.2.3 Management of evaluation evidence sub-task 8

2.3 Evaluation output task 9

2.3.1 Objectives 9

2.3.2 Application notes 9

2.3.3 Write OR sub-task 10

2.3.4 Write ETR sub-task 10

2.4 Evaluation sub-activities 17

Chapter 3

PP evaluation 19

3.1 Introduction 19

3.2 Objectives 19

3.3 PP evaluation relationships 19

3.4 PP evaluation activity 20

3.4.1 Evaluation of TOE description (APE_DES.1) 20

3.4.2 Evaluation of security environment (APE_ENV.1) 22

3.4.3 Evaluation of PP introduction (APE_INT.1) 25

3.4.4 Evaluation of security objectives (APE_OBJ.1) 26

3.4.5 Evaluation of IT security requirements (APE_REQ.1) 30

3.4.6 Evaluation of explicitly stated IT security requirements (APE_SRE.1) 41

Chapter 4

ST evaluation 45

4.1 Introduction 45

4.2 Objectives 45

4.3 ST evaluation relationships 46

4.4 ST evaluation activity 47

4.4.1 Evaluation of TOE description (ASE_DES.1) 47

4.4.2 Evaluation of security environment (ASE_ENV.1) 49

4.4.3 Evaluation of ST introduction (ASE_INT.1) 52

4.4.4 Evaluation of security objectives (ASE_OBJ.1) 54

4.4.5 Evaluation of PP claims (ASE_PPC.1) 58

4.4.6 Evaluation of IT security requirements (ASE_REQ.1) 59

4.4.7 Evaluation of explicitly stated IT security requirements (ASE_SRE.1) 70

4.4.8 Evaluation of TOE summary specification (ASE_TSS.1) 73

Chapter 5

EAL1 evaluation 79

5.1 Introduction 79

5.2 Objectives 79

5.3 EAL1 evaluation relationships 79

5.4 Configuration management activity 81

5.4.1 Evaluation of CM capabilities (ACM_CAP.1) 81

5.5 Delivery and operation activity 83

5.5.1 Evaluation of installation, generation and start-up (ADO_IGS.1) 83

5.6 Development activity 85

5.6.1 Application notes 85

5.6.2 Evaluation of functional specification (ADV_FSP.1) 85

5.6.3 Evaluation of representation correspondence (ADV_RCR.1) 91

5.7 Guidance documents activity 92

5.7.1 Application notes 92

5.7.2 Evaluation of administrator guidance (AGD_ADM.1) 92

5.7.3 Evaluation of user guidance (AGD_USR.1) 96

5.8 Tests activity 99

5.8.1 Application notes 99

5.8.2 Evaluation of independent testing (ATE_IND.1) 99

Chapter 6

EAL2 evaluation 105

6.1 Introduction 105

6.2 Objectives 105

6.3 EAL2 evaluation relationships 105

6.4 Configuration management activity 107

6.4.1 Evaluation of CM capabilities (ACM_CAP.2) 107

6.5 Delivery and operation activity 110

6.5.1 Evaluation of delivery (ADO_DEL.1) 110

6.5.2 Evaluation of installation, generation and start-up (ADO_IGS.1) 113

6.6 Development activity 115

6.6.1 Application notes 115

6.6.2 Evaluation of functional specification (ADV_FSP.1) 116

6.6.3 Evaluation of high-level design (ADV_HLD.1) 122

6.6.4 Evaluation of representation correspondence (ADV_RCR.1) 126

6.7 Guidance documents activity 128

6.7.1 Application notes 128

6.7.2 Evaluation of administrator guidance (AGD_ADM.1) 128

6.7.3 Evaluation of user guidance (AGD_USR.1) 132

6.8 Tests activity 135

6.8.1 Application notes 135

6.8.2 Evaluation of coverage (ATE_COV.1) 135

6.8.3 Evaluation of functional tests (ATE_FUN.1) 138

6.8.4 Evaluation of independent testing (ATE_IND.2) 143

6.9 Vulnerability assessment activity 151

6.9.1 Evaluation of strength of TOE security functions (AVA_SOF.1) 151

6.9.2 Evaluation of vulnerability analysis (AVA_VLA.1) 155

Chapter 7

EAL3 evaluation 163

7.1 Introduction 163

7.2 Objectives 163

7.3 EAL3 evaluation relationships 163

7.4 Configuration management activity 165

7.4.1 Evaluation of CM capabilities (ACM_CAP.3) 165

7.4.2 Evaluation of CM scope (ACM_SCP.1) 170

7.5 Delivery and operation activity 172

7.5.1 Evaluation of delivery (ADO_DEL.1) 172

7.5.2 Evaluation of installation, generation and start-up (ADO_IGS.1) 175

7.6 Development activity 177

7.6.1 Application notes 177

7.6.2 Evaluation of functional specification (ADV_FSP.1) 178

7.6.3 Evaluation of high-level design (ADV_HLD.2) 184

7.6.4 Evaluation of representation correspondence (ADV_RCR.1) 189

7.7 Guidance documents activity 191

7.7.1 Application notes 191

7.7.2 Evaluation of administrator guidance (AGD_ADM.1) 191

7.7.3 Evaluation of user guidance (AGD_USR.1) 195

7.8 Life-cycle support activity 198

7.8.1 Evaluation of development security (ALC_DVS.1) 198

7.9 Tests activity 202

7.9.1 Application notes 202

7.9.2 Evaluation of coverage (ATE_COV.2) 204

7.9.3 Evaluation of depth (ATE_DPT.1) 207

7.9.4 Evaluation of functional tests (ATE_FUN.1) 210

7.9.5 Evaluation of independent testing (ATE_IND.2) 215

7.10 Vulnerability assessment activity 223

7.10.1 Evaluation of misuse (AVA_MSU.1) 223

7.10.2 Evaluation of strength of TOE security functions (AVA_SOF.1) 227

7.10.3 Evaluation of vulnerability analysis (AVA_VLA.1) 231

Chapter 8

EAL4 evaluation 239

8.1 Introduction 239

8.2 Objectives 239

8.3 EAL4 evaluation relationships 239

8.4 Configuration management activity 241

8.4.1 Evaluation of CM automation (ACM_AUT.1) 241

8.4.2 Evaluation of CM capabilities (ACM_CAP.4) 244

8.4.3 Evaluation of CM scope (ACM_SCP.2) 250

8.5 Delivery and operation activity 252

8.5.1 Evaluation of delivery (ADO_DEL.2) 252

8.5.2 Evaluation of installation, generation and start-up (ADO_IGS.1) 255

8.6 Development activity 257

8.6.1 Application notes 257

8.6.2 Evaluation of functional specification (ADV_FSP.2) 258

8.6.3 Evaluation of high-level design (ADV_HLD.2) 264

8.6.4 Evaluation of implementation representation (ADV_IMP.1) 269

8.6.5 Evaluation of low-level design (ADV_LLD.1) 272

8.6.6 Evaluation of representation correspondence (ADV_RCR.1) 276

8.6.7 Evaluation of security policy modeling (ADV_SPM.1) 278

8.7 Guidance documents activity 282

8.7.1 Application notes 282

8.7.2 Evaluation of administrator guidance (AGD_ADM.1) 282

8.7.3 Evaluation of user guidance (AGD_USR.1) 286

8.8 Life-cycle support activity 289

8.8.1 Evaluation of development security (ALC_DVS.1) 289

8.8.2 Evaluation of life-cycle definition (ALC_LCD.1) 293

8.8.3 Evaluation of tools and techniques (ALC_TAT.1) 295

8.9 Tests activity 297

8.9.1 Application notes 297

8.9.2 Evaluation of coverage (ATE_COV.2) 299

8.9.3 Evaluation of depth (ATE_DPT.1) 302

8.9.4 Evaluation of functional tests (ATE_FUN.1) 305

8.9.5 Evaluation of independent testing (ATE_IND.2) 310

8.10 Vulnerability assessment activity 318

8.10.1 Evaluation of misuse (AVA_MSU.2) 318

8.10.2 Evaluation of strength of TOE security functions (AVA_SOF.1) 323

8.10.3 Evaluation of vulnerability analysis (AVA_VLA.2) 327

Annex A

Glossary 343

A.1 Abbreviations and acronyms 343

A.2 Vocabulary 343

A.3 References 345

Annex B

General evaluation guidance 346

B.1 Objectives 346

B.2 Sampling 346

B.3 Consistency analysis 349

B.4 Dependencies 351

B.4.1 Dependencies between activities 351

B.4.2 Dependencies between sub-activities 351

B.4.3 Dependencies between actions 352

B.5 Site visits 352

B.6 TOE boundary 353

B.6.1 Product and system 353

B.6.2 TOE 354

B.6.3 TSF 354

B.6.4 Evaluation 354

B.6.5 Certification 355

B.7 Threats and FPT requirements 355

B.7.1 TOEs not necessarily requiring the FPT class 356

B.7.2 Impact upon Assurance Families 357

B.8 Strength of function and vulnerability analysis 358

B.8.1 Attack potential 360

B.8.2 Calculating attack potential 361

B.8.3 Example strength of function analysis 366

B.9 Scheme responsibilities 368

Annex C

Providing CEM observation reports 371

C.1 Introduction 371

C.2 Format of a CEMOR 371

C.2.1 Example observation 372