- Key points
- Common Criteria SFR and SAR list
- Security Functional Requirements (SFRs)
- CLASS FAU: SECURITY AUDIT
- CLASS FCO: COMMUNICATION
- CLASS FCS: CRYPTOGRAPHIC SUPPORT
- CLASS FDP: USER DATA PROTECTION
- CLASS FIA: IDENTIFICATION AND AUTHENTICATION
- CLASS FMT: SECURITY MANAGEMENT
- CLASS FPR: PRIVACY
- CLASS FPT: PROTECTION OF THE TSF
- CLASS FRU: RESOURCE UTILISATION
- CLASS FTA: TOE ACCESS
- CLASS FTP: TRUSTED PATH/CHANNELS
- Security Assurance Requirements (SARs)
- Security Functional Requirements (SFRs)
- Link
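Key points
- Common Criteria (ISO/IEC 15408) is hard to understand to begin with, and in particular there are far too many abbreviations...
- Many explanatory materials also use lots of three-letter English abbreviations for SFRs and SARs (AVA_VAN, for example!), and for too many of them you cannot guess what they stand for...
- The CC SFRs and SARs are listed in full below
Common Criteria SFR and SAR list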
Security Functional Requirements (SFRs)
Does the leading F in the class names stand for "Function"?
CLASS FAU: SECURITY AUDIT
- Audit requirements in a distributed environment
- Security audit automatic response (FAU_ARP)
- Security audit data generation (FAU_GEN)
- Security audit analysis (FAU_SAA)
- Security audit review (FAU_SAR)
- Security audit event selection (FAU_SEL)
- Security audit event storage (FAU_STG)
CLASS FCO: COMMUNICATION
- Non-repudiation of origin (FCO_NRO)
- Non-repudiation of receipt (FCO_NRR)
CLASS FCS: CRYPTOGRAPHIC SUPPORT
- Cryptographic key management (FCS_CKM)
- Cryptographic operation (FCS_COP)
CLASS FDP: USER DATA PROTECTION
- Access control policy (FDP_ACC)
- Access control functions (FDP_ACF)
- Data authentication (FDP_DAU)
- Export from the TOE (FDP_ETC)
- Information flow control policy (FDP_IFC)
- Information flow control functions (FDP_IFF)
- Import from outside of the TOE (FDP_ITC)
- Internal TOE transfer (FDP_ITT)
- Residual information protection (FDP_RIP)
- Rollback (FDP_ROL)
- Stored data integrity (FDP_SDI)
- Inter-TSF user data confidentiality transfer protection (FDP_UCT)
- Inter-TSF user data integrity transfer protection (FDP_UIT)
CLASS FIA: IDENTIFICATION AND AUTHENTICATION
- Authentication failures (FIA_AFL)
- User attribute definition (FIA_ATD)
- Specification of secrets (FIA_SOS)
- User authentication (FIA_UAU)
- User identification (FIA_UID)
- User-subject binding (FIA_USB)
CLASS FMT: SECURITY MANAGEMENT
- Management of functions in TSF (FMT_MOF)
- Management of security attributes (FMT_MSA)
- Management of TSF data (FMT_MTD)
- Revocation (FMT_REV)
- Security attribute expiration (FMT_SAE)
- Specification of Management Functions (FMT_SMF)
- Security management roles (FMT_SMR)
CLASS FPR: PRIVACY
- Anonymity (FPR_ANO)
- Pseudonymity (FPR_PSE)
- Unlinkability (FPR_UNL)
- Unobservability (FPR_UNO)
CLASS FPT: PROTECTION OF THE TSF
- Fail secure (FPT_FLS)
- Availability of exported TSF data (FPT_ITA)
- Confidentiality of exported TSF data (FPT_ITC)
- Integrity of exported TSF data (FPT_ITI)
- Internal TOE TSF data transfer (FPT_ITT)
- TSF physical protection (FPT_PHP)
- Trusted recovery (FPT_RCV)
- Replay detection (FPT_RPL)
- State synchrony protocol (FPT_SSP)
- Time stamps (FPT_STM)
- Inter-TSF TSF data consistency (FPT_TDC)
- Testing of external entities (FPT_TEE)
- Internal TOE TSF data replication consistency (FPT_TRC)
- TSF self test (FPT_TST)
CLASS FRU: RESOURCE UTILISATION
- Fault tolerance (FRU_FLT)
- Priority of service (FRU_PRS)
- Resource allocation (FRU_RSA)
CLASS FTA: TOE ACCESS
- Limitation on scope of selectable attributes (FTA_LSA)
- Limitation on multiple concurrent sessions (FTA_MCS)
- Session locking and termination (FTA_SSL)
- TOE access banners (FTA_TAB)
- TOE access history (FTA_TAH)
- TOE session establishment (FTA_TSE)
CLASS FTP: TRUSTED PATH/CHANNELS
- Inter-TSF trusted channel (FTP_ITC)
- Trusted path (FTP_TRP)
Security Assurance Requirements (SARs)
Does the leading A in the class names stand for "Assurance"?
CLASS ASE: SECURITY TARGET EVALUATION
- ST introduction (ASE_INT)
- Conformance claims (ASE_CCL)
- Security problem definition (ASE_SPD)
- Security objectives (ASE_OBJ)
- Extended components definition (ASE_ECD)
- Security requirements (ASE_REQ)
- TOE summary specification (ASE_TSS)
CLASS ADV: DEVELOPMENT
- Security Architecture (ADV_ARC)
- Functional specification (ADV_FSP)
- Implementation representation (ADV_IMP)
- TSF internals (ADV_INT)
- Security policy modelling (ADV_SPM)
- TOE design (ADV_TDS)
CLASS AGD: GUIDANCE DOCUMENTS
- Operational user guidance (AGD_OPE)
- Preparative procedures (AGD_PRE)
CLASS ALC: LIFE-CYCLE SUPPORT
- CM capabilities (ALC_CMC)
- CM scope (ALC_CMS)
- Delivery (ALC_DEL)
- Development security (ALC_DVS)
- Flaw remediation (ALC_FLR)
- Life-cycle definition (ALC_LCD)
- Tools and techniques (ALC_TAT)
CLASS ATE: TESTS
- Coverage (ATE_COV)
- Depth (ATE_DPT)
- Functional tests (ATE_FUN)
- Independent testing (ATE_IND)
CLASS AVA: VULNERABILITY ASSESSMENT
- Vulnerability analysis (AVA_VAN)
- <= There it is! The one you see most often! ^^
- AVA_VAN: it means Vulnerability Analysis within Assurance Vulnerability Assessment!
- The class is AVA and the family is VAN
CLASS ACO: COMPOSITION
- Composition rationale (ACO_COR)
- Development evidence (ACO_DEV)
- Reliance of dependent component (ACO_REL)
- Composed TOE testing (ACO_CTT)
- Composition vulnerability analysis (ACO_VUL)