In relation to the CC, the methodology proceeds from the specification of a Protection Profile (PP), which gives an abstract description of a whole class of IT products, via the specification of a Security Target (ST) to the production of an Implementation Representation, which describes in detail the concrete final product that can operate in a specified environment:
For the PP and ST, a set of Threats,
Assumptions and Organizational Security Policies (OSPs)
are identified and used to produce a set of Security Objectives
(SOs) for the product and the environment in which it is to
operate. From these objectives, sets of Security Functional
Requirements (SFRs) and Security Assurance Requirements
(SARs) are derived. Finally, concrete components are selected and an
Implementation Representation is produced which fulfils the
SFRs of the ST. This systematic procedure ensures that the product
addresses the threats to which it will be exposed, and the SARs
provide rules for achieving some agreed level of assurance that the
design and subsequent implementation are correct from a security point
of view.
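The traceability that this procedure relies on (every threat, assumption and OSP addressed by some security objective, and every TOE objective fulfilled by some SFR) is what an ST rationale has to demonstrate. The following is an added example, not code from the page or from the tool it describes: it runs that coverage check over a constructed ST skeleton. The identifiers use the common T./A./P./O./OE. naming convention and a few real CC Part 2 component names as sample data; the gaps it reports (an uncovered threat, an SFR pointing at an undefined objective) are deliberately planted.

```python
"""Coverage check over a small, constructed Security Target (ST) skeleton."""

# Threats (T.), assumptions (A.) and OSPs (P.) identified for the TOE and
# its environment. T.TAMPER is left unaddressed on purpose.
SECURITY_PROBLEM = {
    "T.UNAUTH_ACCESS", "T.AUDIT_LOSS", "T.TAMPER",
    "A.PHYSICAL",
    "P.ACCOUNTABILITY",
}

# Security objective -> problem elements it is claimed to address.
# O. objectives are met by the TOE; OE. objectives by the environment.
OBJECTIVES = {
    "O.AUTH": {"T.UNAUTH_ACCESS"},
    "O.AUDIT": {"T.AUDIT_LOSS", "P.ACCOUNTABILITY"},
    "OE.PHYSICAL": {"A.PHYSICAL"},
}

# SFR (CC Part 2 component name) -> TOE objectives it is claimed to fulfil.
# FDP_ACC.1 refers to an objective the ST never defined, also on purpose.
SFRS = {
    "FIA_UAU.2": {"O.AUTH"},
    "FAU_GEN.1": {"O.AUDIT"},
    "FDP_ACC.1": {"O.ACCESS"},
}


def coverage_gaps(problem, objectives, sfrs):
    """Return the rationale gaps an evaluator would flag, as sorted lists."""
    addressed = set().union(*objectives.values())   # elements some objective covers
    fulfilled = set().union(*sfrs.values())         # objectives some SFR fulfils
    toe_objectives = {o for o in objectives if o.startswith("O.")}
    return {
        "unaddressed": sorted(problem - addressed),               # no objective covers it
        "dangling_objective_refs": sorted(addressed - problem),   # objective cites unknown element
        "unfulfilled_objectives": sorted(toe_objectives - fulfilled),  # no SFR meets it
        "dangling_sfr_refs": sorted(fulfilled - set(objectives)), # SFR cites unknown objective
        "unjustified_objectives": sorted(o for o, s in objectives.items() if not s),
        "unjustified_sfrs": sorted(f for f, s in sfrs.items() if not s),
    }


if __name__ == "__main__":
    for kind, items in coverage_gaps(SECURITY_PROBLEM, OBJECTIVES, SFRS).items():
        print(f"{kind}: {items or 'none'}")
```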
At each step, more detail is added to the specification; in slightly more detail, the process is as shown below:
If you have a case which you would like considered, please contact us.
A first step toward producing a tool has been to formulate a formal ontology for the concepts used in the Common Criteria. This ontology is, technically speaking, a Domain Ontology under SUMO, the Suggested Upper Merged Ontology defined by the IEEE P1600.1 Working Group. It has been formulated in SUO-KIF, the knowledge representation language designed by Niles and Pease to support the definition of SUMO. You can see the latest version of the ontology here. This ontology won the 2006 SUMO Prize for the best submission of a new formalised domain ontology under SUMO.
The tool will support design at assurance levels up to EAL4, following the methodology described above. For further details, please contact us.