Version | Date | Comment |
---|---|---|
1.0 | 2016-11-17 | Initial Publication as an Extended Package |
1.1 | 2020-06-14 | Publication as a PP-Module |
Assurance | Grounds for confidence that a TOE meets the SFRs [CC]. |
Base Protection Profile (Base-PP) | Protection Profile used as a basis to build a PP-Configuration. |
Collaborative Protection Profile (cPP) | A Protection Profile developed by international technical communities and approved by multiple schemes. |
Common Criteria (CC) | Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408). |
Common Criteria Testing Laboratory | Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations. |
Common Evaluation Methodology (CEM) | Common Evaluation Methodology for Information Technology Security Evaluation. |
Extended Package (EP) | A deprecated document form for collecting SFRs that implement a particular protocol, technology, or functionality. See Functional Packages. |
Functional Package (FP) | A document that collects SFRs for a particular protocol, technology, or functionality. |
Operational Environment (OE) | Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy. |
Protection Profile (PP) | An implementation-independent set of security requirements for a category of products. |
Protection Profile Configuration (PP-Configuration) | A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module. |
Protection Profile Module (PP-Module) | An implementation-independent statement of security needs for a TOE type complementary to one or more Base-PPs. |
Security Assurance Requirement (SAR) | A requirement to assure the security of the TOE. |
Security Functional Requirement (SFR) | A requirement for security enforcement by the TOE. |
Security Target (ST) | A set of implementation-dependent security requirements for a specific product. |
Target of Evaluation (TOE) | The product under evaluation. |
TOE Security Functionality (TSF) | The security functionality of the product under evaluation. |
TOE Summary Specification (TSS) | A description of how a TOE satisfies the SFRs in an ST. |
Administrator | Administrators perform management activities on the VS. These management functions do not include administration of software running within Guest VMs, such as the Guest OS. Administrators need not be human as in the case of embedded or headless VMs. Administrators are often nothing more than software entities that operate within the VM. |
Domain | A Domain or Information Domain is a policy construct that groups together execution environments and networks by sensitivity of information and access control policy. For example, classification levels represent information domains. Within classification levels, there might be other domains representing communities of interest or coalitions. In the context of a VS, information domains are generally implemented as collections of VMs connected by virtual networks. The VS itself can be considered an Information Domain, as can its Management Subsystem. |
Guest Operating System (OS) | An operating system that runs within a Guest VM. |
Guest VM | A Guest VM is a VM that contains a virtual environment for the execution of an independent computing system. Virtual environments execute mission workloads and implement customer-specific client or server functionality in Guest VMs, such as a web server or desktop productivity applications. |
Host Operating System (OS) | An operating system onto which a VS is installed. Relative to the VS, the Host OS is part of the Platform. |
Hypercall | An API function that allows VM-aware software running within a VM to invoke VMM functionality. |
Hypervisor | The Hypervisor is part of the VMM. It is the software executive of the physical platform of a VS. A Hypervisor’s primary function is to mediate access to all CPU and memory resources, but it is also responsible for either the direct management or the delegation of the management of all other hardware devices on the hardware platform. |
Management Subsystem | Components of the VS that allow VS Administrators to configure and manage the VMM, as well as configure Guest VMs. VMM management functions include VM configuration, virtualized network configuration, and allocation of physical resources. |
Platform | The hardware, firmware, and software environment into which a VS is installed and executes. |
User | Users operate Guest VMs and are subject to configuration policies applied to the VS by Administrators. Users need not be human as in the case of embedded or headless VMs, users are often nothing more than software entities that operate within the VM. |
Virtual Machine (VM) | A Virtual Machine is a virtualized hardware environment in which an operating system may execute. |
Virtual Machine Manager (VMM) | A VMM is a collection of software components responsible for enabling VMs to function as expected by the software executing within them. Generally, the VMM consists of a Hypervisor, Service VMs, and other components of the VS, such as virtual devices, binary translation systems, and physical device drivers. It manages concurrent execution of all VMs and virtualizes platform resources as needed. |
Virtualization System (VS) | A software product that enables multiple independent computing systems to execute on the same physical hardware platform without interference from one another. For the purposes of this document, the VS consists of a Virtual Machine Manager (VMM), Virtual Machine abstractions, a management subsystem, and other components. |
An organization deploying the TOE is expected to satisfy the organizational security policy listed below in addition to all organizational security policies defined by the claimed Base-PP.
This document does not define any additional OSPs.Threat, Assumption, or OSP | Security Objectives | Rationale |
T.UNAUTHORIZED_UPDATE | O.VMM_INTEGRITY | Integrity of a Virtualization System can be maintained by ensuring that the only way to modify the VS is through a trusted update process initiated by an authorized Administrator as required by FMT_MOF_EXT. |
T.UNAUTHORIZED_ACCESS | O.MANAGEMENT_ACCESS | Access to management functions must be limited to authorized Administrators as managed through controls required by FMT_MOF_EXT.1. |
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FMT_MOF_EXT.1 | ||
Attempts to invoke any of the management functions listed in Table 3 |
|
Number | Function | Admin | User | Notes (all SFR references are from the Base-PP |
---|---|---|---|---|
1 | Ability to update the Virtualization System | X | N | See FPT_TUD_EXT.1 |
2 | [selection: Ability to configure Administrator password policy as defined in FIA_PMG_EXT.1, Not applicable. ] | S | N | Must be selected if ST includes FIA_PMG_EXT.1. |
3 | Ability to create, configure and delete VMs | X | O | |
4 | Ability to set default initial VM configurations | X | N | |
5 | Ability to configure virtual networks including VM | X | O | See FDP_VNC_EXT.1 |
6 | Ability to configure and manage the audit system and audit data | X | N | |
7 | Ability to configure VM access to physical devices | X | O | See FDP_PPR_EXT.1 |
8 | Ability to configure inter-VM data sharing | X | O | See FDP_VMS_EXT.1 |
9 | O | O | Management function 9 is no longer required | |
10 | Ability to configure removable media policy | X | N | See FPT_RDM_EXT.1 |
11 | Ability to configure the cryptographic functionality | X | N | See FCS_CKM.1, FCS_CKM.2, and FCS_COP.1/HASH. See also, the Functional Packages for Transport Layer Security (TLS) and for Secure Shell (SSH) if claimed for methods to configure their respective cryptographic functionality. |
12 | Ability to change default authorization factors | X | N | See FIA_PMG_EXT.1 |
13 | Ability to enable/disable screen lock | O | O | |
14 | Ability to configure screen lock inactivity timeout | O | O | |
15 | Ability to configure remote connection inactivity timeout | X | N | |
16 | Ability to configure lockout policy for unsuccessful authentication attempts through [selection: timeouts between attempts, limiting number of attempts during a time period ] | X | N | See FIA_AFL_EXT.1 |
17 | [selection: Ability to configure name/address of directory server to bind with, Not applicable ] | S | O | Must be selected if "directory-based" is selected anywhere in FIA_UAU.5.1 in the Base-PP. |
18 | Ability to configure name/address of audit/logging server to which to send audit/logging records | X | N | See FAU_STG_EXT.1 |
19 | Ability to configure name/address of network time server | X | O | |
20 | Ability to configure banner | X | N | See FTA_TAB.1 |
21 | Ability to connect/disconnect removable devices to/from a VM | O | O | See FPT_RDM_EXT.1 |
22 | Ability to start a VM | O | O | |
23 | Ability to stop/halt a VM | O | O | |
24 | Ability to checkpoint a VM | O | O | |
25 | Ability to suspend a VM | O | O | |
26 | Ability to resume a VM | O | O | |
27 | [selection: Ability to configure action taken if unable to determine the validity of a certificate, Not applicable ] | S | N | This function must be selected if "allow the administrator to choose whether to accept the certificate in these cases" in FIA_X509_EXT.2.2 in the Base-PP. |
The following rationale provides justification for each security objective for the TOE,
showing that the SFRs are suitable to meet and achieve the security objectives:
Objective | Addressed by | Rationale |
---|---|---|
O.VMM_INTEGRITY | FMT_MOF_EXT.1 | Integrity of a Virtualization System can be maintained by ensuring that the only way to modify the VS is through a trusted update process initiated by an authorized Administrator as required by FMT_MOF_EXT.1. |
O.MANAGEMENT_ACCESS | FMT_MOF_EXT.1 | Access to management functions must be limited to authorized Administrators as managed through controls required by FMT_MOF_EXT.1. |
PP-Module Threat, Assumption, OSP | Consistency Rationale |
---|---|
T.UNAUTHORIZED_UPDATE | This threat applies to functionality that is described in the Base-PP, but is managed through functionality described in this PP-module. |
T.UNAUTHORIZED_ACCESS | This threat applies to functionality that is described in the Base-PP, but is managed through functionality described in this PP-module. |
The objectives for the TOEs are consistent with the Server Virtualization Systemss PP based on the following rationale:
PP-Module TOE Objective | Consistency Rationale |
---|---|
O.VMM_INTEGRITY | This objective comes directly from the Base-PP. |
O.MANAGEMENT_ACCESS | This objective comes directly from the Base-PP. |
PP-Module Requirement | Consistency Rationale |
---|---|
Modified SFRs | |
This PP-Module does not modify any requirements when the Server Virtualization Systemss PP is the base. | |
Additional SFRs | |
This PP-Module does not add any requirements when the Server Virtualization Systemss PP is the base. | |
Mandatory SFRs | |
FMT_MOF_EXT.1 | This SFR requires the Server Virtualization product to manage security functionality defined in the Virtualization PP in FPT_TUD_EXT.1, FIA_PMG_EXT.1, FDP_VNC_EXT.1, FDP_PPR_EXT.1, FDP_VMS_EXT.1, FIA_UAU.5, FPT_RDM_EXT.1, FCS_CKM.1, FCS_CKM.2, FCS_COP.1/HASH, FIA_AFL_EXT.1, FAU_STG_EXT.1, FIA_X509_EXT.2.2, and FTA_TAB.1. |
Optional SFRs | |
This PP-Module does not define any Optional requirements. | |
Objective SFRs | |
This PP-Module does not define any Objective requirements. | |
Implementation-based SFRs | |
This PP-Module does not define any Implementation-based requirements. | |
Selection-based SFRs | |
This PP-Module does not define any Selection-based requirements. |
This PP-Module does not define any Strictly Optional SFRs.
This PP-Module does not define any Objective SFRs.
This PP-Module does not define any Implementation-based SFRs.
This PP-Module does not define any Selection-based SFRs.
Functional Class | Functional Components |
---|---|
Security Management (FMT) | FMT_MOF_EXT Management of Security Functions Behavior |
FMT_MOF_EXT.1, Management of Security Functions Behavior, defines required management functions and responsibilities.
There are no additional management functions beyond those already described in FMT_MOF_EXT.1.
There are no auditable events defined for this SFR.
Hierarchical to: No other components.
Dependencies to: No other dependencies.
Acronym | Meaning |
---|---|
Base-PP | Base Protection Profile |
CC | Common Criteria |
CEM | Common Evaluation Methodology |
cPP | Collaborative Protection Profile |
EP | Extended Package |
FP | Functional Package |
OE | Operational Environment |
OS | Operating System |
PP | Protection Profile |
PP-Configuration | Protection Profile Configuration |
PP-Module | Protection Profile Module |
SAR | Security Assurance Requirement |
SFR | Security Functional Requirement |
ST | Security Target |
TOE | Target of Evaluation |
TSF | TOE Security Functionality |
TSFI | TSF Interface |
TSS | TOE Summary Specification |
VM | Virtual Machine |
VMM | Virtual Machine Manager |
VS | Virtualization System |
Identifier | Title |
---|---|
[CC] | Common Criteria for Information Technology Security Evaluation -
|
[VirtPP] | Protection Profile for Virtualization, Version: 1.1, 2021-06-14 |