Version | Date | Comment |
---|---|---|
1.0 | 2022-04-29 | Initial publication |
1.1 | 2023-08-25 | Updates to conform to CC:2022 |

Term | Meaning |
---|---|
Assurance | Grounds for confidence that a TOE meets the SFRs [CC]. |
Base Protection Profile (Base-PP) | Protection Profile used as a basis to build a PP-Configuration. |
Collaborative Protection Profile (cPP) | A Protection Profile developed by international technical communities and approved by multiple schemes. |
Common Criteria (CC) | Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408). |
Common Criteria Testing Laboratory | Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations. |
Common Evaluation Methodology (CEM) | Common Evaluation Methodology for Information Technology Security Evaluation. |
Distributed TOE | A TOE composed of multiple components operating as a logical whole. |
Extended Package (EP) | A deprecated document form for collecting SFRs that implement a particular protocol, technology, or functionality. See Functional Packages. |
Functional Package (FP) | A document that collects SFRs for a particular protocol, technology, or functionality. |
Operational Environment (OE) | Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy. |
Protection Profile (PP) | An implementation-independent set of security requirements for a category of products. |
Protection Profile Configuration (PP-Configuration) | A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module. |
Protection Profile Module (PP-Module) | An implementation-independent statement of security needs for a TOE type complementary to one or more Base-PPs. |
Security Assurance Requirement (SAR) | A requirement to assure the security of the TOE. |
Security Functional Requirement (SFR) | A requirement for security enforcement by the TOE. |
Security Target (ST) | A set of implementation-dependent security requirements for a specific product. |
Target of Evaluation (TOE) | The product under evaluation. |
TOE Security Functionality (TSF) | The security functionality of the product under evaluation. |
TOE Summary Specification (TSS) | A description of how a TOE satisfies the SFRs in an ST. |

Term | Meaning |
---|---|
Attachments | An electronic document or data file that is part of the main file but is logically distinct and separable from the main electronic document. |
Complex Objects | Objects that may have their own static or functional metadata and may differ between the stored and visible form, such as images, attachments, Microsoft Object Linking and Embedding (OLE) objects, Microsoft ActiveX controls, and temporal objects. |
Functional data | Forms, scripts, link URLs, workflow data, action buttons, formulas in a spreadsheet, macros, or any type of executable content. |
Images | The actual image data stored in the file as opposed to what is visible; the visible image can be cropped or resized but the full image could still be retained in the file format and may or may not match the visible image; some image formats can have their own metadata, such as Joint Photographic Experts Group (JPG) and Tagged Image File Format (TIFF). |
Metadata of objects or embedded objects | Data associated with an object to describe or identify the contents of the object such as exchangeable image file format (EXIF) data of images; images themselves can contain other images and their own metadata. |
Obscured visible data | Content that could be visible but is obscured in some way, such as content that runs off an edge of the container, text in a black font on black background (or any color of font on a similar color background), very small fonts, cropped or clipped graphics or images, hidden layers, or portions of an embedded object (e.g., Microsoft OLE) that are outside the view container. |
Remnant data | Artifacts of the original application or source file format, such as remnant or unreferenced data from fast saves, unreferenced or unused elements, malformed elements that cannot be fixed, or garbage data in the file structure. |
Static data or metadata | File properties, such as author or creation date, stored form field data, undo cache or any data kept to revert to a prior version of an element or the document itself, incremental updates, collaboration data such as comments, tracked changes, workflow data, embedded search indexes, bookmarks, document info added by third-party apps, accessibility data such as alternate text, etc. |
Steganography | The act of embedding covert data in an image file in such a way that the image alterations needed to embed the data are not readily visible to the naked eye. |
Structural data | Data that is part of the file format structure, such as a file header or fonts, and is necessary to interpret the file properly for display or print. |
Temporal Objects | A particular type of complex object whose representation extends through a time interval, such as video, audio, flash animation, slide shows, etc. References to “complex objects” in the requirements section of this paper include temporal objects. |
Visible contents | The visual representation of text, images, and complex objects in a file. |
An organization deploying the TOE is expected to satisfy the organizational security policy listed below in addition to all organizational security policies defined by the claimed Base-PP.
Threat, Assumption, or OSP | Security Objectives | Rationale |
---|---|---|
T.CLUES_TO_ORIGINAL_DATA | O.INSPECTION | The TOE mitigates the threat of clues to unredacted data by ensuring that the entire document is searched for redactable information, including hidden data and metadata. |
T.CLUES_TO_ORIGINAL_DATA | O.REDACTION | The TOE mitigates the threat of clues to unredacted data by ensuring that the redaction process replaces the visible space of redacted data in a way that leaves no clues as to the original unredacted data. |
T.UNREDACTED_DATA | O.PROPER_OUTPUT | The TOE mitigates the threat of unredacted data by ensuring that unexpected or corrupted inputs do not cause the TOE to fail in a way that would generate an unredacted or improperly redacted output. |
T.UNREDACTED_DATA | O.REDACTION | The TOE mitigates the threat of unredacted data by implementing a redaction function. |
T.UNREDACTED_DATA | O.REPORT | The TOE mitigates the threat of unredacted data by generating a report that clearly shows the user what data was redacted. |
T.UNREDACTED_DATA | O.REVIEW | The TOE mitigates the threat of unredacted data by allowing the user to specify the data that will be redacted from a document. |
A.KNOWLEDGEABLE_USER | OE.KNOWLEDGEABLE_USER | The assumption is realized through achievement of an objective for the operational environment that accomplishes the goal of the assumption. |
P.INFORMATION_RELEASE_POLICY | OE.INFORMATION_RELEASE_POLICY | The OSP is enforced through achievement of an objective for the operational environment that accomplishes the goal of the policy. |
The following rationale provides justification for each security objective for the TOE, showing that the SFRs are suitable to meet and achieve the security objectives:
Objective | Addressed by | Rationale |
---|---|---|
O.INSPECTION | FDP_DID_EXT.1 | This requirement supports the objective by requiring the TOE to implement a mechanism to inspect a document for common mechanisms used to hide unredacted data. |
O.INSPECTION | FDP_DIN_EXT.1 | This requirement supports the objective by defining a deep inspection mechanism by which the TOE can examine hidden data or metadata to find unredacted data. |
O.PROPER_OUTPUT | FDP_NND_EXT.1 | This requirement supports the objective by prohibiting the TOE from introducing new data to a file without the user's instruction. |
O.PROPER_OUTPUT | FDP_VAL_EXT.1 | This requirement supports the objective by requiring the TOE to implement a mechanism that allows it to handle unrecognizable data. |
O.PROPER_OUTPUT | FPT_FLS.1 | This requirement supports the objective by requiring the TOE to maintain a secure state (i.e., not produce unvalidated and potentially unredacted output) if it encounters a failure or some other unexpected event. |
O.REDACTION | FDP_LOC_EXT.1 | This requirement supports the objective by requiring the TOE to remove redacted content from every location in the source file. |
O.REDACTION | FDP_OBJ_EXT.1 | This requirement supports the objective by requiring the TOE to remove references to redacted data in the source file. |
O.REDACTION | FDP_REM_EXT.1 | This requirement supports the objective by requiring the TOE to redact all data that has been selected for redaction. |
O.REDACTION | FDP_RIP_EXT.1 | This requirement supports the objective by requiring the TOE to purge all residual data so that unredacted data cannot be recovered from the output file. |
O.REDACTION | FDP_RPL_EXT.1 | This requirement supports the objective by requiring the TOE to replace the visible space of redacted data in a manner that does not provide clues to the original unredacted data. |
O.REDACTION | FDP_SEL_EXT.1 | This requirement supports the objective by defining how the TOE handles complex objects that are selected for redaction, whether by simplification or removal. |
O.REPORT | FAU_ALR_EXT.1 | This requirement supports the objective by requiring the TOE to notify the user of unsuccessful redaction operations. |
O.REPORT | FAU_REP_EXT.1 | This requirement supports the objective by identifying the contents of any report that the TOE generates about its redaction behavior. |
O.REPORT | FAU_SAR_EXT.1 | This requirement supports the objective by requiring the TOE to allow the user to access reports on redacted data. |
O.REVIEW | FMT_RVW_EXT.1 | This SFR supports the objective by defining the requirement to review and select data to be redacted. |

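The FDP_RPL_EXT.1 row above says the replacement must give no clues to the original data. The most common clue is a replacement whose size is a function of what it covers: a box drawn exactly over the removed words, or one X per removed character. The following is an added example, not part of this PP-Module and not any product's code, showing why that matters. The glyph widths, the candidate names and the hypothetical name "Alice Example" are all constructed assumptions of the example; the adversary model is to run the same replacement over every candidate and keep those whose box would look identical to the one in the released file.

```python
# Constructed toy advance widths in font units; not measurements of any real font.
WIDTHS = {c: 500 for c in "abcdefghijklmnopqrstuvwxyz"}
WIDTHS.update({"i": 250, "j": 250, "l": 250, "f": 300, "t": 300, "m": 800, "w": 750, " ": 280})
WIDTHS.update({c: 650 for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"})
WIDTHS.update({"I": 300, "J": 350, "M": 900, "W": 950})

# Constructed candidate set: the names the adversary believes the redacted text was drawn from.
CANDIDATES = ["Alice Example", "Ann Lee", "Bob Stone", "Jim Li", "Mary Wong", "Tom Hill"]


def text_width(text):
    """Rendered width of text under the toy metric."""
    return sum(WIDTHS[c] for c in text)


def box_sized_to_text(text):
    """The clue-leaking replacement: the box is exactly as wide as the text it removes
    (the same leak as swapping each character for an X in a monospace font)."""
    return text_width(text)


def fixed_box(text, width=4000):
    """Replacement in the spirit of FDP_RPL_EXT.1: one box size whatever was removed."""
    return width


def survivors(replace, observed_box_width, candidates=CANDIDATES):
    """Adversary model: run the same replacement over every candidate and keep those whose
    box would be indistinguishable from the one seen in the released file."""
    return [c for c in candidates if replace(c) == observed_box_width]


def narrowing(replace, original="Alice Example", candidates=CANDIDATES):
    """(candidates still open, candidates in total) after the adversary sees the box."""
    return len(survivors(replace, replace(original), candidates)), len(candidates)
```

With the sized box the adversary is left with one name out of six; with the fixed box all six remain. A real adversary would use the metrics of the font actually embedded in the file rather than a toy table, so the only safe property is the one the SFR states: nothing about the replacement (width, line count, character count, position of surrounding text) may be a function of the original.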
PP-Module Threat, Assumption, OSP | Consistency Rationale |
---|---|
T.CLUES_TO_ORIGINAL_DATA | This threat is consistent with the Base-PP because it relates to functionality that is exclusive to the PP-Module. |
T.UNREDACTED_DATA | This threat is consistent with the Base-PP because it relates to functionality that is exclusive to the PP-Module. |
A.KNOWLEDGEABLE_USER | This assumption refines the A.PROPER_USER and A.PROPER_ADMIN assumptions in the Base-PP by applying them specifically to the operation of redaction tools. |
P.INFORMATION_RELEASE_POLICY | The Base-PP does not define any organizational security policies so there are no existing policies that this could contradict. |
Listed below are the security objectives defined in this PP-Module with rationale for their consistency with the App PP. The PP-Module shares the executable application asset with the App PP but defines additional security objectives because the PP-Module defines a specific type of software application with security functionality that is common to the application type. The objectives for the TOE are consistent with the App PP based on the following rationale:
PP-Module TOE Objective | Consistency Rationale |
---|---|
O.INSPECTION | This objective relates solely to redaction behavior, which is beyond the scope of the Base-PP and does not prevent any Base-PP objectives from being satisfied. |
O.PROPER_OUTPUT | This objective relates solely to redaction behavior, which is beyond the scope of the Base-PP and does not prevent any Base-PP objectives from being satisfied. |
O.REDACTION | This objective relates solely to redaction behavior, which is beyond the scope of the Base-PP and does not prevent any Base-PP objectives from being satisfied. |
O.REPORT | This objective relates solely to redaction behavior, which is beyond the scope of the Base-PP and does not prevent any Base-PP objectives from being satisfied. |
O.REVIEW | This objective relates solely to redaction behavior, which is beyond the scope of the Base-PP and does not prevent any Base-PP objectives from being satisfied. |
The objectives for the TOE's OE are consistent with the App PP based on the following rationale:
PP-Module OE Objective | Consistency Rationale |
---|---|
OE.KNOWLEDGEABLE_USER | This objective refines the OE.PROPER_USER and OE.PROPER_ADMIN objectives in the Base-PP by applying them specifically to the operation of redaction tools. |
OE.INFORMATION_RELEASE_POLICY | This objective does not contradict the Base-PP because it describes the implementation of an organizational security policy. |

PP-Module Requirement | Consistency Rationale |
---|---|
Modified SFRs | |
This PP-Module does not modify any requirements when the App PP is the base. | |
Additional SFRs | |
This PP-Module does not add any requirements when the App PP is the base. | |
Mandatory SFRs | |
FAU_ALR_EXT.1 | This requirement relates to redaction functionality, which is beyond the scope of the Base-PP and does not prevent any Base-PP requirements from being implemented. |
FAU_REP_EXT.1 | This requirement relates to redaction functionality, which is beyond the scope of the Base-PP and does not prevent any Base-PP requirements from being implemented. |
FAU_SAR_EXT.1 | This requirement relates to redaction functionality, which is beyond the scope of the Base-PP and does not prevent any Base-PP requirements from being implemented. |
FDP_DID_EXT.1 | This requirement relates to redaction functionality, which is beyond the scope of the Base-PP and does not prevent any Base-PP requirements from being implemented. |
FDP_DIN_EXT.1 | This requirement relates to redaction functionality, which is beyond the scope of the Base-PP and does not prevent any Base-PP requirements from being implemented. |
FDP_LOC_EXT.1 | This requirement relates to redaction functionality, which is beyond the scope of the Base-PP and does not prevent any Base-PP requirements from being implemented. |
FDP_NND_EXT.1 | This requirement relates to redaction functionality, which is beyond the scope of the Base-PP and does not prevent any Base-PP requirements from being implemented. |
FDP_OBJ_EXT.1 | This requirement relates to redaction functionality, which is beyond the scope of the Base-PP and does not prevent any Base-PP requirements from being implemented. |
FDP_REM_EXT.1 | This requirement relates to redaction functionality, which is beyond the scope of the Base-PP and does not prevent any Base-PP requirements from being implemented. |
FDP_RIP_EXT.1 | This requirement relates to redaction functionality, which is beyond the scope of the Base-PP and does not prevent any Base-PP requirements from being implemented. |
FDP_RPL_EXT.1 | This requirement relates to redaction functionality, which is beyond the scope of the Base-PP and does not prevent any Base-PP requirements from being implemented. |
FDP_SEL_EXT.1 | This requirement relates to redaction functionality, which is beyond the scope of the Base-PP and does not prevent any Base-PP requirements from being implemented. |
FDP_VAL_EXT.1 | This requirement relates to redaction functionality, which is beyond the scope of the Base-PP and does not prevent any Base-PP requirements from being implemented. |
FMT_RVW_EXT.1 | This requirement relates to redaction functionality, which is beyond the scope of the Base-PP and does not prevent any Base-PP requirements from being implemented. |
FPT_FLS.1 | This requirement relates to the preservation of a secure state in the event of a TSF failure. This is not defined in the Base-PP but the Base-PP has no requirements that prohibit it. |
Optional SFRs | |
This PP-Module does not define any Optional requirements. | |
Objective SFRs | |
This PP-Module does not define any Objective requirements. | |
Implementation-based SFRs | |
This PP-Module does not define any Implementation-based requirements. | |
Selection-based SFRs | |
This PP-Module does not define any Selection-based requirements. | |
This PP-Module does not define any Strictly Optional SFRs.
This PP-Module does not define any Objective SFRs.
This PP-Module does not define any Implementation-based SFRs.
This PP-Module does not define any Selection-based SFRs.
Functional Class | Functional Components |
---|---|
Security Audit (FAU) | FAU_ALR_EXT Redaction Failure Notification; FAU_REP_EXT Report Generation; FAU_SAR_EXT Report Review |
Security Management (FMT) | FMT_RVW_EXT Element Review |
User Data Protection (FDP) | FDP_DID_EXT Identification of Data; FDP_DIN_EXT Deep Inspection; FDP_LOC_EXT Redact Content from Every Location; FDP_NND_EXT No New Data Introduced by TOE; FDP_OBJ_EXT Removal of Objects and Corresponding References; FDP_REM_EXT Removal of Redacted Data; FDP_RIP_EXT Residual Information Removal; FDP_RPL_EXT Visible Space Replace; FDP_SEL_EXT Selected Redaction; FDP_VAL_EXT Validation of Data |
FAU_ALR_EXT.1, Redaction Failure Notification, requires the TSF to generate a notification in the event of a failed redaction operation.
There are no management activities foreseen.
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FDP_REM_EXT.1 Removal of Redacted Data; FPT_FLS.1 Failure with Preservation of Secure State |
FAU_REP_EXT.1, Report Generation, requires the TSF to generate a report following the completion of a redaction operation that identifies the elements that were redacted along with metadata about each redaction.
There are no management activities foreseen.
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FDP_REM_EXT.1 Removal of Redacted Data |
FAU_SAR_EXT.1, Report Review, requires the TSF to have its generated report data be user-reviewable.
The following actions could be considered for the management functions in FMT:
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FAU_REP_EXT.1 Report Generation |
FMT_RVW_EXT.1, Element Review, requires the TSF to present a user interface that can be used to select data elements for redaction.
The following actions could be considered for the management functions in FMT:
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | No dependencies. |
FDP_DID_EXT.1, Identification of Data, requires the TSF to identify all hidden or obscured data in a document so that this data can be selected for redaction.
The following actions could be considered for the management functions in FMT:
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FMT_RVW_EXT.1 Element Review |
FDP_DIN_EXT.1, Deep Inspection, requires the TSF to handle redaction of file metadata in a specified manner.
There are no management activities foreseen.
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FDP_REM_EXT.1 Removal of Redacted Data |
FDP_LOC_EXT.1, Redact Content from Every Location, requires the TSF to have the ability to redact data from all possible locations in an input file.
There are no management activities foreseen.
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FDP_REM_EXT.1 Removal of Redacted Data |
FDP_NND_EXT.1, No New Data Introduced by TOE, requires the TSF to avoid the introduction of its own data to an input file unless explicitly requested by a user.
The following actions could be considered for the management functions in FMT:
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FDP_REM_EXT.1 Removal of Redacted Data |
FDP_OBJ_EXT.1, Removal of Objects and Corresponding References, requires the TSF to remove references to redacted objects so as not to disclose information about the data that was redacted.
There are no management activities foreseen.
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FDP_REM_EXT.1 Removal of Redacted Data |
FDP_REM_EXT.1, Removal of Redacted Data, requires the TSF to redact all selected data.
There are no management activities foreseen.
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FMT_RVW_EXT.1 Element Review |
FDP_RIP_EXT.1, Residual Information Removal, requires the TSF to delete all residual file data that could contain unredacted information.
There are no management activities foreseen.
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FDP_REM_EXT.1 Removal of Redacted Data |
FDP_RPL_EXT.1, Visible Space Replace, requires the TSF to replace redacted data with visual data that does not give clues as to the contents of the original data.
There are no management activities foreseen.
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FDP_REM_EXT.1 Removal of Redacted Data |
FDP_SEL_EXT.1, Selected Redaction, requires the TSF to redact data from complex objects in a specified manner.
There are no management activities foreseen.
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FDP_REM_EXT.1 Removal of Redacted Data |
FDP_VAL_EXT.1, Validation of Data, requires the TSF to remove unexpected or other file data that cannot be validated.
There are no management activities foreseen.
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FDP_REM_EXT.1 Removal of Redacted Data |
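The technical terms table near the top of this document lists the places unredacted data survives (static metadata, collaboration data, obscured visible data, remnant data), and the extended components above say what the TSF must do about each of them. The following is an added example, not part of this PP-Module and not any product's code, that puts both together on a simplified OOXML-style package (a set of XML parts, resolved through relationship files) built in memory: one part per hidden-data category, inspected as FDP_DID_EXT.1 and FDP_DIN_EXT.1 require, then redacted from every location (FDP_LOC_EXT.1, FDP_REM_EXT.1) with a fixed-size box only where the text was visible (FDP_RPL_EXT.1), the comment removed together with its reference (FDP_OBJ_EXT.1), the unreferenced remnant part dropped (FDP_RIP_EXT.1), a report produced (FAU_REP_EXT.1), no output produced at all if a part does not parse (FDP_VAL_EXT.1, FPT_FLS.1), and the result checked for any surviving trace and for added parts (FDP_NND_EXT.1). The package layout, the relationship resolution, the use of `w:vanish` and colour `FFFFFF` as the hidden and obscured markers, the sample text and the hypothetical name "Alice Example" are all assumptions of the example.

```python
import posixpath
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}
ET.register_namespace("w", W)
SECRET = "Alice Example"   # constructed sample: the term to be redacted
BOX = "\u2588" * 8         # fixed-size replacement, unrelated to the length of what it covers

def sample_package(secret=SECRET):   # constructed sample: one hidden-data category per part
    rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">%s</Relationships>'
    return {
        "_rels/.rels": rels % '<Relationship Id="r1" Target="word/document.xml"/><Relationship Id="r2" Target="docProps/core.xml"/>',
        "word/_rels/document.xml.rels": rels % '<Relationship Id="rId1" Target="comments.xml"/>',
        "word/document.xml": f'<w:document xmlns:w="{W}"><w:body>'
            f'<w:p><w:r><w:t>Report prepared by {secret}.</w:t></w:r></w:p>'                        # visible content
            f'<w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>Draft: {secret} objected.</w:t></w:r></w:p>'  # hidden run
            f'<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr><w:t>{secret}</w:t></w:r></w:p>'    # white text on white
            '<w:p><w:r><w:commentReference w:id="0"/></w:r></w:p></w:body></w:document>',         # reference to a comment
        "word/comments.xml": f'<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="{secret}">'
            f'<w:p><w:r><w:t>Ask {secret}.</w:t></w:r></w:p></w:comment></w:comments>',            # collaboration data
        "docProps/core.xml": '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
            f' xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>{secret}</dc:creator></cp:coreProperties>',  # static metadata
        "word/media/old_draft.xml": f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:t>{secret}</w:t></w:r></w:p></w:body></w:document>',  # remnant: no relationship points here
    }

def referenced_parts(parts):
    seen = set()   # every part some relationship file points at; anything else is remnant data
    for name, xml in parts.items():
        if name.endswith(".rels"):
            base = posixpath.dirname(posixpath.dirname(name))   # "word/_rels/document.xml.rels" -> "word"
            seen |= {posixpath.normpath(posixpath.join(base, r.get("Target"))) for r in ET.fromstring(xml)}
    return seen

def climb(el, parent, local):   # nearest enclosing w:<local>, or el itself when there is none
    node = el
    while node is not None and node.tag != f"{{{W}}}{local}":
        node = parent.get(node)
    return el if node is None else node

def detach(parent, el):   # remove el from its parent if it is still attached
    p = parent.get(el)
    if p is not None and el in list(p):
        p.remove(el)

def classify(name, el, parent, referenced):   # hidden-data category of an element holding the term
    if name not in referenced:
        return "remnant data (unreferenced part)"
    for prefix, category in (("docProps/", "static metadata"), ("word/comments", "collaboration data (comment)")):
        if name.startswith(prefix):
            return category
    rpr = climb(el, parent, "r").find("w:rPr", NS)
    if rpr is not None and rpr.find("w:vanish", NS) is not None:
        return "hidden run"
    color = rpr.find("w:color", NS) if rpr is not None else None
    if color is not None and color.get(f"{{{W}}}val") == "FFFFFF":
        return "obscured visible data (white text)"
    return "visible content"

def find_hidden_data(parts, secret):   # FDP_DID_EXT.1 / FDP_DIN_EXT.1: every element whose text or attributes hold the term
    roots = {n: ET.fromstring(x) for n, x in parts.items() if not n.endswith(".rels")}
    referenced, hits = referenced_parts(parts), []
    for name, root in roots.items():
        parent = {c: p for p in root.iter() for c in p}
        for el in root.iter():
            if secret in (el.text or "") or any(secret in v for v in el.attrib.values()):
                hits.append((name, classify(name, el, parent, referenced), el))
    return roots, hits

def redact(parts, secret, box=BOX):
    # Removes the term from every location and returns (package, report).  Only visible text gets
    # a box: in hidden, metadata or remnant locations the box would itself be a clue.
    roots, hits = find_hidden_data(parts, secret)   # FDP_VAL_EXT.1 / FPT_FLS.1: a part that fails to parse
    referenced = referenced_parts(parts)            # raises ET.ParseError here, before any output exists
    report = [(n, "remnant data (unreferenced part)", "part dropped") for n in roots if n not in referenced]
    roots = {n: r for n, r in roots.items() if n in referenced}            # FDP_RIP_EXT.1
    parents = {n: {c: p for p in r.iter() for c in p} for n, r in roots.items()}
    for name, category, el in [h for h in hits if h[0] in roots]:
        if category == "visible content":                                    # FDP_RPL_EXT.1
            el.text, action = el.text.replace(secret, box), "replaced by fixed box"
        elif category == "collaboration data (comment)":                     # FDP_OBJ_EXT.1: object and its reference
            comment = climb(el, parents[name], "comment")
            detach(parents[name], comment)
            for ref in list(roots["word/document.xml"].iter(f"{{{W}}}commentReference")):
                if ref.get(f"{{{W}}}id") == comment.get(f"{{{W}}}id"):
                    detach(parents["word/document.xml"], ref)
            action = "comment and its reference removed"
        else:                                                                # hidden or obscured run, metadata element
            detach(parents[name], climb(el, parents[name], "r"))
            action = "element removed"
        report.append((name, category, action))                              # FAU_REP_EXT.1
    package = {n: ET.tostring(r, encoding="unicode") for n, r in roots.items()}
    package.update({n: x for n, x in parts.items() if n.endswith(".rels")})
    return package, list(dict.fromkeys(report))

def verify_output(original, package, secret):
    # What would leave the TOE: the term survives in no part name or content, and no part was
    # added that the input lacked (FDP_NND_EXT.1)
    return all(secret not in s for s in [*package, *package.values()]) and set(package) <= set(original)
```

Calling `find_hidden_data(sample_package(), SECRET)` yields seven hits across six categories; `redact` then returns the cleaned parts and a six-line report, and `verify_output` on the result is true. A real tool has to do the same for carriers this example leaves out (images and their EXIF data, OLE objects, undo caches, compressed streams) and for renderings that vary by viewer, which is why the SFRs are stated in terms of locations and categories rather than one file format.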
Acronym | Meaning |
---|---|
Base-PP | Base Protection Profile |
CC | Common Criteria |
CEM | Common Evaluation Methodology |
cPP | Collaborative Protection Profile |
EP | Extended Package |
EXIF | Exchangeable Image File Format |
FP | Functional Package |
ISO/IEC | International Organization for Standardization/International Electrotechnical Commission |
JPG | Joint Photographic Experts Group |
OE | Operational Environment |
OLE | Object Linking and Embedding |
PP | Protection Profile |
PP-Configuration | Protection Profile Configuration |
PP-Module | Protection Profile Module |
SAR | Security Assurance Requirement |
SFR | Security Functional Requirement |
ST | Security Target |
TIFF | Tagged Image File Format |
TOE | Target of Evaluation |
TSF | TOE Security Functionality |
TSFI | TSF Interface |
TSS | TOE Summary Specification |

Identifier | Title |
---|---|
[App PP] | Protection Profile for Application Software, Version 2.0, TBD |
[CC] | Common Criteria for Information Technology Security Evaluation, CC:2022. |
[CEM] | Common Methodology for Information Technology Security - Evaluation Methodology, CCMB-2022-11-006, CEM:2022, Revision 1, November 2022. |