About
This research is being carried out by a team at the Centre for Research on Cryptography and Security at Masaryk University. If you would like to contact us, you can do so at [email protected].
Current members
Petr Švenda
Initial implementation, idea person
2019-now
Ján Jančár
Web implementation, anti-idea person
2019-now
Adam Janovský
Library implementation, machine-learning
2019-2024
Łukasz Chmielewski
Common Criteria insights
2023-now
Jaroslav Řezník
FIPS-140 insights
2023-now
Yasir Yakup Demircan
Machine-learning
2024-now
Martin Ukrop
Project lead
2022-now
Vashek Matyáš
Project & student supervision
2019-now
Student members
Several students extended or used the functionality of the sec-certs project in their Bachelor's or Master's thesis.
Master's thesis on Metadata overlay for seccerts.org with security analysis tools, 2022-2023
Bachelor's thesis ongoing, 2024-now
Master's thesis ongoing, 2024-now
Master's thesis ongoing, 2024-now
Master's thesis ongoing, 2024-now
Bachelor's thesis ongoing, 2024-now
Sponsors
This project has received support from several sources. We are thankful for the support received.
Research
sec-certs: Examining the security certification practice for better vulnerability mitigation
Adam Janovsky, Jan Jancar, Petr Svenda, Lukasz Chmielewski, Jiri Michalik, Vashek Matyas
@article{sec-certs,
title = {sec-certs: Examining the security certification practice for better vulnerability mitigation},
journal = {Computers & Security},
volume = {143},
year = {2024},
issn = {0167-4048},
doi = {10.1016/j.cose.2024.103895},
url = {https://www.sciencedirect.com/science/article/pii/S0167404824001974},
author = {Adam Janovsky and Jan Jancar and Petr Svenda and Łukasz Chmielewski and Jiri Michalik and Vashek Matyas},
keywords = {Security certification, Common criteria, Vulnerability assessment, Data analysis, Smartcards}
}
Products certified under security certification frameworks such as Common Criteria undergo significant scrutiny during the costly certification process. Yet, critical vulnerabilities, including private key recovery (ROCA, Minerva, TPM-Fail...), get discovered in certified products with high assurance levels. Furthermore, assessing which certified products are impacted by such vulnerabilities is complicated due to the large amount of unstructured certification-related data and unclear relationships between the certificates. To address these problems, we conducted a large-scale automated analysis of Common Criteria and FIPS 140 certificates. We trained unsupervised models to learn which vulnerabilities from NIST's National Vulnerability Database impact existing certified products and how certified products reference each other. Our tooling automates the analysis of tens of thousands of certification-related documents, extracting machine-readable features where manual analysis is unattainable. Further, we identify the security requirements that are associated with products being affected by fewer and less severe vulnerabilities (on average). This indicates which aspects of certification correlate with higher security. We demonstrate how our tool can be used for better vulnerability mitigation on four case studies of known, high-profile vulnerabilities. All tools and continuously updated results are available on this site.
Chain of trust: Unraveling the references among Common Criteria certified products
Adam Janovsky, Lukasz Chmielewski, Petr Svenda, Jan Jancar, Vashek Matyas
@inproceedings{chain-of-trust,
title = {Chain of Trust: Unraveling References Among Common Criteria Certified Products},
booktitle = {ICT Systems Security and Privacy Protection},
edition = {volume 710},
editor = {Nikolaos Pitropakis, Sokratis Katsikas, Steven Furnell, Konstantinos Markantonakis},
publisher = {Springer Nature Switzerland},
address = {Cham},
year = {2024},
isbn = {978-3-031-65175-5},
doi = {10.1007/978-3-031-65175-5_14},
url = {https://link.springer.com/chapter/10.1007/978-3-031-65175-5_14},
author = {Adam Janovsky and {\L}ukasz Chmielewski and Petr Svenda and Jan Jancar and Vashek Matyas},
keywords = {security certification, Common Criteria, FIPS 140, security evaluation}
}
With 5394 security certificates of IT products and systems, the Common Criteria for Information Technology Security Evaluation have bred an ecosystem entangled with various kind of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria certified products remains largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen of certified components that are relied on by at least 10% of the whole ecosystem -- making them a prime target for malicious actors. The impact of their compromise is assessed and potentially problematic references to archived products are discussed.
Privacy policy
This site collects personal data in order to provide notifications about vulnerabilities or changes in certified products.
Personal data
This site collects the following personal data:
- Email address. It is required to send notifications.
The collected personal data resides only on the server running this site.
Right to access personal data
You have a right to access your personal data that this site collects. If you want to exercise this right please send an email request to the above email address.
Right to correct personal data
You have a right to correct your personal data that this site collects. If you want to exercise this right please send an email request to the above email address.
Right to be forgotten
You have a right to have your personal data deleted. Your personal data is deleted automatically after your notification subscription is cancelled. The personal data associated to an unconfirmed subscription request is deleted after 7 days from the date of the subscription request. If you want to exercise this right please send an email request to the above email address.
Reason for collection
Email addresses are collected in order to provide a notification service, notifying users about potential vulnerabilities or changes in certified products they subscribed to. The collected personal data is not provided to any third parties. The emails are sent through a local mail server and not a third-party service.
Other
This project is open-source, you can find its sources on our GitHub where you can see how your personal data is processed.
The site uses some third and first-party tools that handle user data, namely Sentry.io, CloudFlare Turnstile and Matomo. Sentry.io is a third-party service used to track errors on the frontend and backend of the site and thus might receive information such as the IP address, HTTP headers or the client's User-Agent, or other information included in a JavaScript error. This site is protected by CloudFlare and its Privacy Policy and Terms of Service apply. Matomo is a self-hosted service that collects analytics on this site.