Protection Profile for Application Software

Version: 1.5
2021-10-07
National Information Assurance Partnership

Revision History

Contents

1 Introduction

1.1 Overview

1.3 Compliant Targets of Evaluation

1.3.1 TOE Boundary

Figure 1: TOE as an Application and Kernel Module Running on an Operating System

Figure 2: TOE as an Application Running in an Execution Environment Plus Native Code

1.4 Use Cases

[USE CASE 1] Content Creation

The application allows a user to create content, saving it to either local or remote storage. Example content includes text documents, presentations, and images.

[USE CASE 2] Content Consumption

The application allows a user to consume content, retrieving it from either local or remote storage. Example content includes web pages and video.

[USE CASE 3] Communication

The application allows for communication interactively or non-interactively with other users or applications over a communications channel. Example communications include instant messages, email, and voice.

1.5 Platforms with Specific EAs

• Android: Mobile operating systems based on Google Android.
• Microsoft Windows: Microsoft Windows operating systems.
• Apple iOS: Apple's mobile operating system for iPhones.
• Linux: Linux-based operating systems other than Android.
• Oracle Solaris: Oracle's enterprise operating system.
• Apple macOS: Apple's operating system for MACs.

2 Conformance Claims

Conformance Statement

An ST must claim exact conformance to this PP.

The evaluation methods used for evaluating the TOE are a combination of the workunits defined in [CEM] as well as the Evaluation Activities for ensuring that individual SFRs and SARs have sufficient level of supporting evidence in the Security Target and guidance documentation and have been sufficiently tested by the laboratory as part of completing ATE_IND.1. Any functional packages which this PP claims similarly contain their own Evaluation Activities that are used in this manner.

CC Conformance Claims

This PP is conformant to Parts 2 (extended) and 3 (extended) of Common Criteria CC:2022, Revision 1.

PP Claim

This PP does not claim conformance to any other Protection Profile.

The following PPs and PP-Modules are allowed to be specified in a PP-Configuration with this PP.

Protection Profile for Mobile Device Management Version 4.0

PP-Module for File Encryption, Version 1.0

PP-Module for File Encryption Enterprise Management, Version 1.0

PP-Module for VPN Clients, Version 2.2

PP-Module for VPN Clients, Version 2.3

PP-Module for VPN Clients, Version 2.4

PP-Module for Endpoint Detection and Response, Version 1.0

PP-Module for Host Agent, Version 1.0

PP-Module for Voice and Video over IP (VVoIP), Version 1.0

PP-Module for Email Clients, Version 1.0

Package Claim

• This PP is Functional Package for TLS Version 1.1 Conformant.
• This PP is Functional Package for TLS Version 2.0 Conformant.
• This PP is Functional Package for SSH Version 1.0 Conformant.
• This PP conforms to the EAL1 assurance package augmented with ALC_TSU_EXT.1, ASE_OBJ.2, ASE_REQ.2, and ASE_SPD.1.

The functional packages to which the PP conforms include SFRs that are not mandatory to claim for the sake of conformance. An ST that claims one or more of these functional packages may include whatever non-mandatory SFRs are appropriate to claim based on the capabilities of the TSF and on any triggers on their inclusion based inherently on the SFR selections made. All security requirements in these packages are intended to satisfy the O.PROTECTED_COMMS TOE security objective of this PP.

3 Security Problem Description

3.1 Threats

T.NETWORK_ATTACK

An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may engage in communications with the application software or alter communications between the application software and other endpoints in order to compromise it.

T.NETWORK_EAVESDROP

An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may monitor and gain access to data exchanged between the application and other endpoints.

T.LOCAL_ATTACK

An attacker can act through unprivileged software on the same computing platform on which the application executes. Attackers may provide maliciously formatted input to the application in the form of files or other local communications.

T.PHYSICAL_ACCESS

An attacker may try to access sensitive data at rest.

3.2 Assumptions

A.PLATFORM

The TOE relies upon a trustworthy computing platform with a reliable time clock for its execution. This includes the underlying platform and whatever runtime environment it provides to the TOE.

A.PROPER_USER

The user of the application software is not willfully negligent or hostile, and uses the software in compliance with the applied enterprise security policy.

A.PROPER_ADMIN

The administrator of the application software is not careless, willfully negligent or hostile, and administers the software in compliance with the applied enterprise security policy.

3.3 Organizational Security Policies

4 Security Objectives

4.1 Security Objectives for the TOE

O.INTEGRITY

Conformant TOEs ensure the integrity of their installation and update packages, and also leverage execution environment-based mitigations. Software is seldom, if ever, shipped without errors. The ability to deploy patches and updates to fielded software with integrity is critical to enterprise network security. Processor manufacturers, compiler developers, execution environment vendors, and operating system vendors have developed execution environment-based mitigations that increase the cost to attackers by adding complexity to the task of compromising systems. Application software can often take advantage of these mechanisms by using APIs provided by the runtime environment or by enabling the mechanism through compiler or linker options.

O.QUALITY

To ensure quality of implementation, conformant TOEs leverage services and APIs provided by the runtime environment rather than implementing their own versions of these services and APIs. This is especially important for cryptographic services and other complex operations such as file and media parsing. Leveraging this platform behavior relies upon using only documented and supported APIs.

O.MANAGEMENT

To facilitate management by users and the enterprise, conformant TOEs provide consistent and supported interfaces for their security-relevant configuration and maintenance. This includes the deployment of applications and application updates through the use of platform-supported deployment mechanisms and formats, as well as providing mechanisms for configuration. This also includes providing control to the user regarding disclosure of any PII.

O.PROTECTED_STORAGE

To address the issue of loss of confidentiality of user data in the event of loss of physical control of the storage medium, conformant TOEs will use data-at-rest protection. This involves encrypting data and keys stored by the TOE in order to prevent unauthorized access to this data. This also includes unnecessary network communications whose consequence may be the loss of data.

O.PROTECTED_COMMS

To address both passive (eavesdropping) and active (packet modification) network attack threats, conformant TOEs will use a trusted channel for sensitive data. Sensitive data includes cryptographic keys, passwords, and any other data specific to the application that should not be exposed outside of the application.

4.2 Security Objectives for the Operational Environment

OE.PLATFORM

The TOE relies upon a trustworthy computing platform for its execution. This includes the underlying operating system and any discrete execution environment provided to the TOE.

OE.PROPER_USER

The user of the application software is not willfully negligent or hostile, and uses the software within compliance of the applied enterprise security policy.

OE.PROPER_ADMIN

The administrator of the application software is not careless, willfully negligent or hostile, and administers the software within compliance of the applied enterprise security policy.

4.3 Security Objectives Rationale

5 Security Requirements

• Refinement operation (denoted by bold text or strikethrough text): Is used to add details to a requirement (including replacing an assignment with a more restrictive selection) or to remove part of the requirement that is made irrelevant through the completion of another operation, and thus further restricts a requirement.
• Selection (denoted by italicized text): Is used to select one or more options provided by the [CC] in stating a requirement.
• Assignment operation (denoted by italicized text): Is used to assign a specific value to an unspecified parameter, such as the length of a password. Showing the value in square brackets indicates assignment.
• Iteration operation: Is indicated by appending the SFR name with a slash and unique identifier suggesting the purpose of the operation, e.g. "/EXAMPLE1."

5.1 Security Functional Requirements

5.1.1 Cryptographic Support (FCS)

5.1.2 User Data Protection (FDP)

5.1.3 Security Management (FMT)

5.1.4 Privacy (FPR)

5.1.5 Protection of the TSF (FPT)

5.1.6 Trusted Path/Channel (FTP)

5.1.7 TOE Security Functional Requirements Rationale

The following rationale provides justification for each security objective for the TOE, showing that the SFRs are suitable to meet and achieve the security objectives:

5.2 Security Assurance Requirements

5.2.1 Class ASE: Security Target

5.2.2 Class ADV: Development

5.2.3 Class AGD: Guidance Documentation

5.2.4 Class ALC: Life-cycle Support

5.2.5 Class ATE: Tests

5.2.6 Class AVA: Vulnerability Assessment

Appendix A - Optional Requirements

A.1 Strictly Optional Requirements

A.1.1 Cryptographic Support (FCS)

A.2 Objective Requirements

A.2.1 Protection of the TSF (FPT)

A.3 Implementation-based Requirements

This PP does not define any Implementation-based requirements.

Appendix B - Selection-based Requirements

B.1 Cryptographic Support (FCS)

						  # Input: PT, IV, Key
						  for i = 1 to 1000:
							if i == 1:
								  CT[1] = AES-CBC-Encrypt(Key, IV, PT)
								  PT = IV
							else:
							  CT[i] = AES-CBC-Encrypt(Key, PT) 
							  PT = CT[i-1]
						  

B.2 Identification and Authentication (FIA)

B.3 Protection of the TSF (FPT)

Appendix C - Extended Component Definitions

C.1 Extended Components Table

C.2 Extended Component Definitions

Appendix D - Entropy Documentation and Assessment

D.1 Design Description

D.2 Entropy Justification

D.3 Operating Conditions

D.4 Health Testing

Appendix E - Application Software Equivalency Guidelines

E.1 Introduction

1. Product Equivalence: Products may be considered equivalent if there are no differences between Product Models and Product Versions with respect to PP-specified security functionality.
2. Platform Equivalence: Platforms may be considered equivalent if there are no significant differences in the services they provide to the Product—or in the way the platforms provide those services—with respect to PP-specified security functionality.

E.2 Approach to Equivalency Analysis

E.3 Specific Guidance for Determining Product Model Equivalence

E.4 Specific Guidance for Determining Product Version Equivalence

E.5 Specific Guidance for Determining Platform Equivalence

E.5.1 Platform Equivalence—Hardware/Virtual Hardware Platforms

E.5.2 Platform Equivalence—OS Platforms

E.5.3 Software-based Execution Environment Platform Equivalence

E.6 Level of Specificity for Tested Configurations and Claimed Equivalent Configurations

Appendix F - Acronyms