Increased Information Flow Needs for High-Assurance Composite Evaluations

Four Common Criteria Certification agencies from France, Germany, the Netherlands and the UK have developed a concept of composite evaluations in which software evaluators would not receive the full hardware Evaluation Technical Report (ETR), but instead would only receive an abbreviated ETR-lite. While ETR-lite is acceptable at low assurance levels, this paper argues that at high assurance levels, such an abbreviated report violates the basic principles of systems engineering and high assurance evaluation, and demonstrates that serious undetected security vulnerabilities can be the result. The paper recommends that additional information flow between hardware evaluators and software developers and evaluators is crucial for high assurance evaluation to succeed.

By: Paul A. Karger, Helmut Kurth

Published in: Proceedings of the Second IEEE International Information Assurance Workshop. Los Alamitos, CA, , IEEE Computer Society. , p.129-40 in 2004

Please obtain a copy of this paper from your local library. IBM cannot distribute this paper externally.

Questions about this service can be mailed to reports@us.ibm.com .