© Crown Copyright (2000) Module 2.2 Development Representations.

Page 1:

Module 2.2 Development Representations

Page 2:

“You Are Here”

M2.1 Requirements

M2.2 Development Representations

M2.3 Functional Testing

M2.4 Development Environment

M2.5 Operational Environment

M2.6 Vulnerability Analysis

M2.7 Penetration Testing

M2.8 Assurance Maintenance/Composition

MODULE 2 - ASSURANCE

Page 3:

Introduction

• Refinement

• Traceability Analysis

• Separation

• Specification Styles

Page 4:

Refinement

• High Level (Architectural) Design

• Low Level (Detailed) Design

• Implementation Representation (e.g. source code or hardware drawings)

• Depth of Refinement (Commensurate with Assurance)

Page 5:

Traceability Analysis

• Validate correctness of refinement

• Security Function to High Level (Architectural) Design to Low Level (Detailed) Design to Implementation

[Diagram: Security Function -> High Level Design -> Low Level Design]
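The traceability analysis on this slide can be automated as a check over the refinement chain. The following is an added example, not part of the original training module: it holds the links from each Security Function down through High Level (Architectural) Design and Low Level (Detailed) Design to the Implementation Representation, and reports where the chain breaks in either direction (a security function nothing refines, or an implementation unit no design element accounts for). The security function names, subsystems, modules and file names are constructed sample data, not taken from any real evaluation.

```python
from dataclasses import dataclass

# Refinement levels in the order the module describes them: a Security Function is
# refined into High Level (Architectural) Design, then Low Level (Detailed) Design,
# then the Implementation Representation (source code or hardware drawings).
LEVELS = ("security_function", "high_level_design", "low_level_design", "implementation")


@dataclass
class TraceabilityMatrix:
    """Items declared at each refinement level plus the links from each level to the next."""
    items: dict   # level name -> set of item names declared at that level
    links: tuple  # three dicts: item at level i -> set of items at level i+1 refining it

    def forward_gaps(self):
        """Items refined into nothing at the next level (a downward break).

        A security function with no design element, or a design element with no
        code, means the refinement cannot be validated below that point.
        """
        gaps = []
        for i in range(len(LEVELS) - 1):
            for item in sorted(self.items[LEVELS[i]]):
                if not self.links[i].get(item):
                    gaps.append((LEVELS[i], item))
        return gaps

    def backward_gaps(self):
        """Items that nothing at the level above refines into (orphans).

        Orphan code or design is the classic finding: functionality present in the
        implementation that no security function accounts for.
        """
        gaps = []
        for i in range(1, len(LEVELS)):
            traced = set()
            for targets in self.links[i - 1].values():
                traced |= targets
            for item in sorted(self.items[LEVELS[i]]):
                if item not in traced:
                    gaps.append((LEVELS[i], item))
        return gaps

    def dangling_references(self):
        """Links pointing at an item not declared at the next level (a typo or stale name)."""
        dangling = []
        for i in range(len(LEVELS) - 1):
            declared = self.items[LEVELS[i + 1]]
            for source, targets in sorted(self.links[i].items()):
                for target in sorted(targets - declared):
                    dangling.append((LEVELS[i], source, target))
        return dangling

    def trace(self, security_function):
        """Follow one security function down the chain; returns level -> items reached."""
        chain = {LEVELS[0]: {security_function}}
        current = {security_function}
        for i in range(len(LEVELS) - 1):
            reached = set()
            for item in current:
                reached |= self.links[i].get(item, set())
            chain[LEVELS[i + 1]] = reached
            current = reached
        return chain

    def is_complete(self):
        """True only when every item traces downward and upward and no link dangles."""
        return not (self.forward_gaps() or self.backward_gaps() or self.dangling_references())


def sample_matrix():
    """Constructed sample data (hypothetical names, not from any real evaluation)."""
    items = {
        "security_function": {"SF.AUDIT", "SF.AUTH", "SF.ACCESS"},
        "high_level_design": {"AuditSubsystem", "AuthSubsystem"},
        "low_level_design": {"audit_log", "audit_rotate", "auth_password"},
        "implementation": {"audit.c", "auth.c", "session.c"},
    }
    links = (
        # SF.ACCESS is deliberately left without a design element (forward gap).
        {"SF.AUDIT": {"AuditSubsystem"}, "SF.AUTH": {"AuthSubsystem"}},
        {"AuditSubsystem": {"audit_log", "audit_rotate"}, "AuthSubsystem": {"auth_password"}},
        # session.c is deliberately left unaccounted for by any module (backward gap).
        {"audit_log": {"audit.c"}, "audit_rotate": {"audit.c"}, "auth_password": {"auth.c"}},
    )
    return TraceabilityMatrix(items, links)


if __name__ == "__main__":
    m = sample_matrix()
    print("forward gaps:", m.forward_gaps())
    print("backward gaps:", m.backward_gaps())
    print("dangling references:", m.dangling_references())
    print("SF.AUDIT trace:", m.trace("SF.AUDIT"))
    print("complete:", m.is_complete())
```

The two directions matter for different reasons: a forward gap means a security function cannot be shown to be implemented, while a backward gap means the product contains design or code that the security functions do not explain and that an evaluator would have to examine separately.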

Page 6:

Separation

• Ideally integrated into design of product/system

• Focus on limited areas

• Physical, logical, temporal, others

Page 7:

Specification Styles

• Various styles

• More assurance from greater formality

Page 8:

ITSEC Requirements

Aspect                            E1  E2  E3  E4  E5  E6
Architectural Design              I   I   I   S   S   F
Detailed Design                       I   I   S   S   S
Modularity of Design
Source code / hardware drawings

(I = informal, S = semiformal, F = formal)

Page 9:

CC Requirements

Aspect                            EAL1  EAL2  EAL3  EAL4  EAL5  EAL6  EAL7
Functional Specification          I     I     I     I     S     S     F
High-level Design                       I     I     I     S     S     F
Low-level Design                                    I     I     S     S
TOE Internals
Implementation Representation

(I = informal, S = semiformal, F = formal)

Page 10:

Evaluation Reporting

• Examination of documentation
  – show how and where requirements are satisfied
  – demonstrate traceability

Page 11:

Summary

• Refinement

• Traceability

• Separation

• Specification

Page 12:

Further Reading

ITSEC Evaluation

• UK SP 05 Part III, Chapters 5-7

CC Evaluation

• CC Part 3, Sections 2.6.3 and 10

• CEM Part 2, Chapters 5-8 (ADV sections)

Page 13:

Exercise - Design

• Split into two syndicates

• Write a High Level (Architectural) or Low Level (Detailed) design for a Security Function

• Swap over the designs

• Evaluate the designs

• Discuss findings