Supporting Document
Mandatory Technical Document

NIAP

PP-Module for Redaction Tools
Version: 1.1
2023-08-25
National Information Assurance Partnership

Foreword

This is a Supporting Document (SD), intended to complement the Common Criteria version 3 and the associated Common Evaluation Methodology for Information Technology Security Evaluation.

SDs may be “Guidance Documents”, that highlight specific approaches and application of the standard to areas where no mutual recognition of its application is required, and as such, are not of normative nature, or “Mandatory Technical Documents”, whose application is mandatory for evaluations whose scope is covered by that of the SD. The usage of the latter class is not only mandatory, but certificates issued as a result of their application are recognized under the CCRA.

Technical Editor:
National Information Assurance Partnership (NIAP)

Document history:

VersionDateComment
1.02022-04-29Initial publication
1.12023-08-25Updates to conform to CC:2022

General Purpose:
The purpose of this SD is to define evaluation methods for the functional behavior of Redaction Tool products.

Acknowledgments:
This SD was developed with support from NIAP Redaction Tools Technical Community members, with representatives from industry, government agencies, Common Criteria Test Laboratories, and members of academia.

Table of Contents

1Introduction1.1Technology Area and Scope of Supporting Document1.2Structure of the Document1.3Terms1.3.1Common Criteria Terms1.3.2Technical Terms2Evaluation Activities for SFRs2.1 Protection Profile for Redaction Tools2.1.1Modified SFRs 2.2TOE SFR Evaluation Activities2.2.1Security Audit (FAU)2.2.2User Data Protection (FDP)2.2.3Security Management (FMT)2.2.4Protection of the TSF (FPT)2.3Evaluation Activities for Optional SFRs2.4Evaluation Activities for Selection-Based SFRs2.5Evaluation Activities for Objective SFRs2.6Evaluation Activities for Implementation-based SFRs3Evaluation Activities for SARs4Required Supplementary InformationAppendix A - References

1 Introduction

1.1 Technology Area and Scope of Supporting Document

The scope of the PP-Module for Redaction Tools is to describe the security functionality of Redaction Tools products in terms of [CC] and to define functional and assurance requirements for them. The PP-Module is intended for use with the following Base-PP:


This SD is mandatory for evaluations of TOEs that claim conformance to a PP-Configuration that includes the PP-Module for : As such it defines Evaluation Activities for the functionality described in the PP-Module as well as any impacts to the Evaluation Activities to the Base-PP(s) it modifies.

Although Evaluation Activities are defined mainly for the evaluators to follow, in general they also help developers to prepare for evaluation by identifying specific requirements for their TOE. The specific requirements in Evaluation Activities may in some cases clarify the meaning of Security Functional Requirements (SFR), and may identify particular requirements for the content of Security Targets (ST) (especially the TOE Summary Specification), user guidance documentation, and possibly supplementary information (e.g. for entropy analysis or cryptographic key management architecture).

1.2 Structure of the Document

Evaluation Activities can be defined for both SFRs and Security Assurance Requirements (SAR), which are themselves defined in separate sections of the SD.

If any Evaluation Activity cannot be successfully completed in an evaluation, then the overall verdict for the evaluation is a 'fail'. In rare cases there may be acceptable reasons why an Evaluation Activity may be modified or deemed not applicable for a particular TOE, but this must be approved by the Certification Body for the evaluation.

In general, if all Evaluation Activities (for both SFRs and SARs) are successfully completed in an evaluation then it would be expected that the overall verdict for the evaluation is a ‘pass’. To reach a ‘fail’ verdict when the Evaluation Activities have been successfully completed would require a specific justification from the evaluator as to why the Evaluation Activities were not sufficient for that TOE.

Similarly, at the more granular level of assurance components, if the Evaluation Activities for an assurance component and all of its related SFR Evaluation Activities are successfully completed in an evaluation then it would be expected that the verdict for the assurance component is a ‘pass’. To reach a ‘fail’ verdict for the assurance component when these Evaluation Activities have been successfully completed would require a specific justification from the evaluator as to why the Evaluation Activities were not sufficient for that TOE.

2 Evaluation Activities for SFRs

The EAs presented in this section capture the actions the evaluator performs to address technology specific aspects covering specific SARs (e.g. ASE_TSS.1, ADV_FSP.1, AGD_OPE.1, and ATE_IND.1) – this is in addition to the CEM workunits that are performed in Section 3 Evaluation Activities for SARs.

Regarding design descriptions (designated by the subsections labeled TSS, as well as any required supplementary material that may be treated as proprietary), the evaluator must ensure there is specific information that satisfies the EA. For findings regarding the TSS section, the evaluator’s verdicts will be associated with the CEM workunit ASE_TSS.1-1. Evaluator verdicts associated with the supplementary evidence will also be associated with ASE_TSS.1-1, since the requirement to provide such evidence is specified in ASE in the PP.

For ensuring the guidance documentation provides sufficient information for the administrators/users as it pertains to SFRs, the evaluator’s verdicts will be associated with CEM workunits ADV_FSP.1-7, AGD_OPE.1-4, and AGD_OPE.1-5.

Finally, the subsection labeled Tests is where the authors have determined that testing of the product in the context of the associated SFR is necessary. While the evaluator is expected to develop tests, there may be instances where it is more practical for the developer to construct tests, or where the developer may have existing tests. Therefore, it is acceptable for the evaluator to witness developer-generated tests in lieu of executing the tests. In this case, the evaluator must ensure the developer’s tests are executing both in the manner declared by the developer and as mandated by the EA. The CEM workunits that are associated with the EAs specified in this section are: ATE_IND.1-3, ATE_IND.1-4, ATE_IND.1-5, ATE_IND.1-6, and ATE_IND.1-7.

2.1 Protection Profile for Redaction Tools

The EAs defined in this section are only applicable in cases where the TOE claims conformance to a PP-Configuration that includes the App PP.

2.1.1 Modified SFRs

The PP-Module does not modify any requirements when the App PP is the base.

2.2 TOE SFR Evaluation Activities

2.2.1 Security Audit (FAU)

FAU_ALR_EXT.1 Redaction Failure Notification

FAU_ALR_EXT.1
TSS
The evaluator shall ensure that the TSS describes how the TOE notifies the user when redaction fails. The evaluator shall ensure that the TSS’ description complies with the requirement that the user is notified when redaction fails for any reason.

Guidance
There are no guidance EAs for this component.

Tests
The evaluator shall acquire or create test files that should fail the redaction, use the TOE to attempt the redaction process with the expectation of its failure, and verify that the TOE alerts the user that the redaction failed.

FAU_REP_EXT.1 Report Generation

FAU_REP_EXT.1
TSS
The evaluator shall ensure that the TSS describes the TOE’s reporting feature and the metadata that is included for each report entry.

Guidance
The evaluator shall ensure that the operational contains instructions for the configuration of the reporting feature in accordance with this requirement.

Tests
The evaluator shall create test files with specific elements to redact, apply the TOE to the test files, and observe that there is a report for each element expected to be redacted. This evaluation activity can be done in conjunction with FAU_SAR_EXT.1.

FAU_SAR_EXT.1 Report Review

FAU_SAR_EXT.1
TSS
There are no TSS EAs for this component.

Guidance
There are no guidance EAs for this component.

Tests
The evaluator shall create test files with specific elements to redact, apply the TOE to the test files, and observe that there is a report entry for each element expected to be redacted. This evaluation activity can be done in conjunction with FAU_REP_EXT.1.

2.2.2 User Data Protection (FDP)

FDP_DID_EXT.1 Identification of Data

FDP_DID_EXT.1.1
TSS
The evaluator shall ensure that the TSS specifies the hidden data that it identifies and allows the user to select the hidden data to be redacted. The evaluator shall ensure that the TSS’ description complies with the requirement for the TOE to identify all hidden data and allow the user to review and select each hidden data element for redaction.

Guidance
There are no guidance EAs for this element.

Tests
The evaluator shall create test documents with various types of hidden data, use the TOE to search these documents for data elements that should be able to be redacted, and verify that it identifies each expected element and allows the user to select and redact each.
FDP_DID_EXT.1.2
TSS
The evaluator shall ensure that the TSS describes how the TOE handles all obscured data. The evaluator shall ensure that the TSS’ description complies with the requirement that all obscured data is identified and either removed automatically or redacted by the user.

Guidance
There are no guidance EAs for this element.

Tests
The evaluator shall create test documents with various forms of obscured data, apply the TOE, and verify that the tool identifies the obscured data and either removes the obscured data automatically or gives the user the choice to remove or retain the obscured data.
FDP_DID_EXT.1.3
TSS
There are no TSS EAs for this element.

Guidance
There are no guidance EAs for this element.

Tests
The evaluator shall create a test document with an image that is stored in a larger size and resolution than the visible image and apply the TOE without selecting the image for redaction.

The evaluator shall verify that the TOE either gives the user a choice to retain the image unaltered, replace the stored data with the visible data, or that it resizes the stored image. If the stored data is replaced with visible data or if the stored image is resized, the evaluator shall verify that the image is either replaced or resized as expected in the output file.

FDP_DIN_EXT.1 Deep Inspection

FDP_DIN_EXT.1
TSS
The evaluator shall ensure that the TSS lists and describes the methods used to replace redacted elements that contain metadata, other elements, or hidden data. The evaluator shall ensure that the TSS’ description complies with the requirement that each element is handled by either recursing through the element chain and applying the TOE to each layer, simplifying the element, or redacting the element.

Guidance
There are no guidance EAs for this component.

Tests
The evaluator shall create or acquire test files that contain elements that themselves contain other elements and hidden data. The evaluator shall examine the document to identify these elements in the structure, apply the TOE, and examine the output to verify that the elements were handled properly via either redaction or simplification in accordance with the requirement.

FDP_LOC_EXT.1 Redact Content from Every Location

FDP_LOC_EXT.1
TSS
There are no TSS EAs for this component.

Guidance
There are no guidance EAs for this component.

Tests
The evaluator shall create or acquire test files that contain content in multiple places and examine the files to locate the content. The evaluator shall apply the TOE and examine the output to verify that it has been removed from every location.

FDP_NND_EXT.1 No New Data Introduced by TOE

FDP_NND_EXT.1
TSS
The evaluator shall ensure that the TSS describes the actions taken by the TOE when removing, simplifying, or redacting an element. If structural data is added, the TSS shall specify what structural data is added and the purpose of the structural data. If non-structural hidden data is added, the TSS shall detail the added hidden data and describe how the user is notified of the addition. The evaluator shall ensure that the TSS’ description complies with the requirement to not introduce new hidden data, other than structural data, without warning the user.

Guidance
There are no guidance EAs for this component.

Tests
The evaluator shall create or acquire test files with complex objects or other elements and examine the files to locate those items in the structure. The evaluator shall use the TOE to perform the redaction operation and examine the output to verify that no new hidden data or metadata was introduced.

FDP_OBJ_EXT.1 Removal of Objects and Corresponding References

FDP_OBJ_EXT.1
TSS
The evaluator shall ensure that the TSS' description of how redacted objects are removed includes the removal of all references and indicators to the redacted objects in conformance with the requirement.

Guidance
There are no guidance EAs for this component.

Tests
The evaluator shall create or acquire test files that contain objects and examine the files to locate these objects in the file format and all references to them in the structural data. The evaluator shall apply the TOE and select elements for complete redaction. The evaluator shall examine the output files to verify that the objects and all references to them have been redacted.

FDP_REM_EXT.1 Removal of Redacted Data

FDP_REM_EXT.1
TSS
The evaluator shall ensure that the TSS describes the removal of all data selected for redaction and shall verify that no encryption, encoding, or proprietary process is used to obscure selected data. The evaluator shall ensure that the TSS’ description complies with the requirement to remove all data selected by the user or identified by the TOE for redaction.

Guidance
There are no guidance EAs for this component.

Tests
The evaluator shall acquire or create test files that contain text, images, and other elements. The evaluator shall examine the test files to locate the content in the format. The evaluator shall apply the TOE, marking some of the content for redaction, and examine the output to verify that the marked content was removed and not obscured through encryption, encoding, or conversion to a proprietary format.

FDP_RIP_EXT.1 Residual Information Removal

FDP_RIP_EXT.1
TSS
The evaluator shall ensure that the TSS specifies the residual data and objects (e.g., remnant data, undo buffers, tracked changes buffers, multiple versions of the same object, and any buffer or cache type data container) that the TOE will remove from files without any user interaction. The evaluator shall ensure that the TSS’ description complies with the requirement to automatically remove all such data.

Guidance
There are no guidance EAs for this component.

Tests
The evaluator shall create or acquire test files that contain the types of data described in the requirement and examine the files to locate the data. The evaluator shall apply the TOE and not select anything for redaction, and examine the files to verify that any residual data has been removed automatically.

FDP_RPL_EXT.1 Visible Space Replace

FDP_RPL_EXT.1
TSS
The evaluator shall ensure that the TSS lists and describes the content used to replace redacted elements. The evaluator shall ensure that the TSS’ description complies with the requirement to convey no information about the previous contents.

Guidance
There are no guidance EAs for this component.

Tests
The evaluator shall create or acquire a test file with an image, mark part of the image for redaction, apply the TOE's redaction function to it, and then examine the image in the output to verify that the visual appearance does not provide any indication of the content that was redacted. If the TOE allows text content to be replaced with text, the evaluator shall create or acquire a test file with some text as content, apply the TOE, and verify that the replacement text does not preserve word length or other identifying information that could allow recovery of the original content.

FDP_SEL_EXT.1 Selected Redaction

FDP_SEL_EXT.1
TSS
The evaluator shall ensure that the TSS describes in detail which complex objects can be simplified by the TOE and how they are simplified (e.g., whether the object or the whole page is converted to another format and what that format is). The TSS shall also list those complex objects or images that cannot be simplified and will be removed.

Guidance
There are no guidance EAs for this component.

Tests
The evaluator shall create or acquire test documents that contain complex objects and examine the documents to identify where those objects are in the format. The evaluator shall then apply the TOE and examine the output to verify that the objects have been simplified or removed. The evaluator shall test all objects that can be simplified as well as all objects that should be removed according to the TSS.

The evaluator shall also create or acquire test documents with complex objects that are not documented in the TSS, apply the TOE, and verify that those objects are removed from the document.

FDP_VAL_EXT.1 Validation of Data

FDP_VAL_EXT.1.1
TSS
There are no TSS EAs for this element.

Guidance
There are no guidance EAs for this element.

Tests
The evaluator shall create or acquire test files that contain unrecognized data, unexpected data, and extraneous structural data. The evaluator shall examine the files prior to redaction to identify the data. The evaluator shall input these files to the TOE, make no visible redactions to them, and then save them as output files. The evaluator shall examine the output files and compare them to the originals to verify that the data has been removed.
FDP_VAL_EXT.1.2
TSS
The evaluator shall ensure that the TSS describes how the TOE handles data that it cannot completely interpret.

Guidance
There are no guidance EAs for this element.

Tests
The evaluator shall create or acquire test files with data that the TOE should not be able to completely interpret, input these files to the TOE for redaction, and examine the output to verify that the TOE handled the data according to the requirement.

2.2.3 Security Management (FMT)

FMT_RVW_EXT.1 Element Review

FMT_RVW_EXT.1
TSS
There are no TSS EAs for this component.

Guidance
There are no guidance EAs for this component.

Tests
The evaluator shall create test documents that contain images, text, and complex objects, use the TOE to perform the redaction operation, and verify that each element is selectable for redaction in whole or in part.

2.2.4 Protection of the TSF (FPT)

FPT_FLS.1 Failure with Preservation of Secure State

FPT_FLS.1
TSS
The evaluator shall ensure that the TSS describes the actions the TOE performs upon any failure. The evaluator shall ensure that the TSS’ description complies with the requirement to not produce a partially redacted file.

Guidance
There are no guidance EAs for this component.

Tests
The evaluator shall create or acquire test files that cause the TOE to fail and observe that the TOE fails and does not produce partially redacted files.

2.3 Evaluation Activities for Optional SFRs

The PP-Module does not define any optional requirements.

2.4 Evaluation Activities for Selection-Based SFRs

The PP-Module does not define any selection-based requirements.

2.5 Evaluation Activities for Objective SFRs

The PP-Module does not define any objective requirements.

2.6 Evaluation Activities for Implementation-based SFRs

The PP-Module does not define any implementation-based requirements.

3 Evaluation Activities for SARs

The PP-Module does not define any SARs beyond those defined within the base App PP to which it must claim conformance. It is important to note that a TOE that is evaluated against the PP-Module is inherently evaluated against this Base-PP as well. The App PP includes a number of Evaluation Activities associated with both SFRs and SARs. Additionally, the PP-Module includes a number of SFR-based Evaluation Activities that similarly refine the SARs of the Base-PPs. The evaluation laboratory will evaluate the TOE against the Base-PP and supplement that evaluation with the necessary SFRs that are taken from the PP-Module.

4 Required Supplementary Information

This Supporting Document has no required supplementary information beyond the ST, operational guidance, and testing.

Appendix A - References

IdentifierTitle
[CC] Common Criteria for Information Technology Security Evaluation -
[App PP] Protection Profile for Application Software, Version 2.0, TBD
[CEM] Common Methodology for Information Technology Security - Evaluation Methodology, CCMB-2022-11-006, CEM:2022, Revision 1, November 2022.