ATEN/IOGear Secure KVM Switch Series Security Target
File Name: ATEN&IOGear Secure KVM Switch Series Security Target.DOC
Version: 1.5.1
Date: 2011/06/28
Author: ATEN

Contents
1 ST Introduction
1.1 ST and TOE Reference
1.1.1 Document Conventions
1.2 TOE Overview
1.3 TOE Description
1.4 TOE Boundaries
2 Conformance Claims
2.1 Common Criteria Conformance
2.2 Protection Profile Conformance
2.3 Evaluation Assurance Level
3 Security Problem Definition
3.1 Threats
3.2 Organizational Security Policies
3.3 Assumptions
4 Security Objectives
4.1 Security Objectives for the TOE
4.2 Security Objectives for the Environment
5 Extended Components Definition
5.1 Class EXT: Extended
6 Information Technology Security Requirements
6.1 Target of Evaluation Security Requirements
6.2 Target of Evaluation Security Assurance Requirements
7 TOE Summary Specification
7.1 TOE Security Functions
8 Rationale
8.1 Rationale for Security Objectives
8.2 Rationale for Security Requirements
8.3 TOE Summary Specification Rationale
9 Acronyms & Reference
9.1 Acronyms
9.2 Reference

1 ST Introduction

This Security Target (ST) defines the scope of the evaluation in terms of the assumptions made, the intended environment for the ATEN/IOGear Secure KVM Switch, the Information Technology (IT) security functional and assurance requirements to be met, and the level of confidence (evaluation assurance level) to which it is asserted that the ATEN/IOGear Secure KVM Switch satisfies its IT security requirements. This document forms the baseline for the Common Criteria (CC) evaluation.

1.1 ST and TOE Reference

ST Title: ATEN/IOGear Secure KVM Switch Series Security Target
TOE Identification:
  ATEN Secure KVM Model CS1182
  ATEN Secure KVM Model CS1184
  IOGear Secure KVM Model GCS1212TAA
  IOGear Secure KVM Model GCS1214TAA
ST Version: Version 1.5.1
Publication Date: 2011/06/28
Assurance Level: EAL 2 augmented with ALC_FLR.2
ST Author: ATEN

1.1.1 Document Conventions

The CC permits four types of operations to be performed on security functional requirements: selection, assignment, refinement, and iteration. These operations are identified in this ST in the following manner:
a. Selection: indicated by surrounding brackets and italicized text, e.g., [selected item].
b. Assignment: indicated by surrounding brackets and regular text, e.g., [assigned item].
c. Refinement: indicated by underlined text for additions, e.g., refined item, and by deleted text for deletions, e.g., deleted item.
Security functional requirements beyond those defined in the claimed PP are identified by italicized text, e.g., FMT_SMF.1 (Specification of Management Functions).

1.2 TOE Overview

This document addresses a DEVICE, hereinafter referred to as a "Peripheral Sharing Switch" (PSS) or simply "SWITCH", the Target of Evaluation (TOE), permitting a single set of HUMAN INTERFACE DEVICES to be shared among two or more COMPUTERS. The TOE must not have, and in fact must specifically preclude, any features that permit USER information to be shared or transferred between COMPUTERS via the TOE.

A PERIPHERAL PORT GROUP is a collection of DEVICE PORTS treated as a single entity by the TOE. There is one GROUP for the set of SHARED PERIPHERALS and one GROUP for each CONNECTED SWITCHED COMPUTER. Each SWITCHED COMPUTER GROUP has a unique associated logical ID. The SHARED PERIPHERAL PORT GROUP includes the console monitor, USB mouse, USB keyboard, analog audio input device (e.g., microphone) and analog audio output device (e.g., speaker), while each SWITCHED COMPUTER PERIPHERAL PORT GROUP includes the DVI monitor connection, USB connection, and audio input/output connection. The SHARED PERIPHERAL GROUP ID is considered to be the same as that of the SWITCHED COMPUTER GROUP currently selected by the TOE.

1.2.1 TOE Type

The TOE is a KVM (USB keyboard, DVI-I video, USB mouse) switch that combines a 2- or 4-port KVM switch with audio (input and output) ports. The TOE is normally installed in settings where a single USER with limited work surface space needs to access two or more COMPUTERS, collectively termed SWITCHED COMPUTERS (which need not be physically distinct entities). The USER may have a KEYBOARD, a visual display (e.g., MONITOR), a POINTING DEVICE (e.g., mouse) and audio input/output devices. These are collectively referred to as the SHARED PERIPHERALS. In operation, the TOE will be CONNECTED to only one COMPUTER at a time. To use a different COMPUTER, the USER must perform some specific action. The TOE will then visually indicate which COMPUTER was selected by the USER. Such indication is persistent and not transitory in nature.

1.2.2 Non-TOE hardware/software/firmware

There are no hardware, software or firmware components of the TOE that are outside the scope of evaluation. The peripherals and host computers attached to the TOE belong to the operational environment and are listed in Section 1.4.1.

1.3 TOE Description

The TOE is a KVM (USB keyboard, DVI-I video, USB mouse) switch that combines a 2- or 4-port KVM switch with audio (input and output) ports. As a KVM switch, the TOE allows a user to access two or four computers from a single console consisting of a USB keyboard, USB mouse, and DVI-I monitor. In the ATEN/IOGear Secure KVM Switch, keyboard/mouse, video, and audio are processed by different chipsets. The keyboard/mouse path is processed by an ATEN-developed ASIC.
The video signal is switched by a video switch chipset and the audio by a separate analog switch (multiplexer). For video and audio, these chipsets only select between channels and let the video/audio signal pass through; they do not interpret or store it.

Setup is fast and easy: simply plug cables into their appropriate ports. There is no software to configure, no firmware to upgrade, no boards to configure, no installation routines, and no incompatibility problems. The only method of selecting a computer is by the pushbuttons located on the unit's front panel. Since the TOE intercepts keyboard input directly, it works on multiple computing platforms (PC (x86/x64), Macintosh PowerPC, and Sun Microsystems SPARC).

The TOE's security architecture does not allow user data to be shared among the connected computers. Users can therefore access the connected computers from a single console via the TOE even when the computers are located on different networks (classified/unclassified), since the data paths are completely separated.

1.4 TOE Boundaries

1.4.1 Physical Boundary

The following tables list the hardware and firmware components of the product and its accompanying guidance documents, and denote which are in the TOE and which are in the environment.
Hardware Components

Model             | Ports | Interfaces
ATEN CS1182       | 2     | Dual Link DVI-I, USB keyboard, USB mouse, analog audio input (e.g., microphone) and analog audio output (e.g., speaker), switch buttons, LED indicators
ATEN CS1184       | 4     | same as CS1182
IOGear GCS1212TAA | 2     | same as CS1182
IOGear GCS1214TAA | 4     | same as CS1182

TOE/Environment | Component                                                       | Description
TOE             | ATEN CS1182, ATEN CS1184, IOGear GCS1212TAA, IOGear GCS1214TAA  | TOE hardware
Environment     | USB keyboard                                                    | Member of peripheral group
Environment     | USB mouse                                                       | Member of peripheral group
Environment     | DVI monitor                                                     | Member of peripheral group
Environment     | Audio input/output (e.g., speaker and microphone)               | Member of peripheral group
Environment     | Host computers                                                  | Computer

Firmware Components

Model             | Firmware
ATEN CS1182       | FW v1.0.064
ATEN CS1184       | FW v1.0.064
IOGear GCS1212TAA | FW v1.0.064
IOGear GCS1214TAA | FW v1.0.064

Guidance Documents

The guidance documents that accompany the TOE are:

Model             | AGD_OPE/AGD_PRE Guidance
ATEN CS1182       | ATEN Secure KVM Switch Series Guidance v1.2.pdf
ATEN CS1184       | ATEN Secure KVM Switch Series Guidance v1.2.pdf
IOGear GCS1212TAA | IOGear Secure KVM Switch Series Guidance v1.2.pdf
IOGear GCS1214TAA | IOGear Secure KVM Switch Series Guidance v1.2.pdf

1.4.2 Logical Boundaries

The logical scope and boundary of the TOE consists of the security functions and features provided by the TOE. The security functions are Information Flow Control (TSF_IFC), Security Management (TSF_MGT), and Self Protection (TSF_SPT).

1.4.2.1 Information Flow Control (TSF_IFC)

As required by the Peripheral Sharing Switch (PSS) for Human Interface Devices Protection Profile, Version 2.1, dated September 07, 2010, the Data Separation Security Function Policy (SFP) is implemented in the TOE: the TOE shall allow PERIPHERAL DATA to be transferred only between PERIPHERAL PORT GROUPS with the same ID.

The TOE processes mainly keyboard/mouse data, keyboard LED data, Display Data Channel (DDC) information, video signals, audio data and USB status. The TOE itself is neither concerned with the USER'S information in the shared computers nor with the content of the information flowing between the SHARED PERIPHERALS and the SWITCHED COMPUTERS. It only provides a CONNECTION between the HUMAN INTERFACE DEVICES and the one selected COMPUTER at any given instant. As long as the Administrator follows the guidance while configuring and using the TOE, only valid USB devices (keyboard and pointing device) are accepted by the TOE, so the user information flows remain separated. A more detailed explanation of the TSF_IFC implementation is given in Section 7.1.1.

All USB devices connected to the USB keyboard/mouse ports of the peripheral switch shall be interrogated to ensure that they are valid (pointing device, keyboard). No further interaction with non-valid devices shall be performed.

1.4.2.2 Security Management (TSF_MGT)

There are two (CS1182/GCS1212TAA) or four (CS1184/GCS1214TAA) pushbuttons on the TOE front panel, and the pushbuttons are the only means of selecting a computer via the TOE. By pressing a pushbutton, the user explicitly determines which port is selected, that is, which computer is connected to the shared set of peripherals. Two LED indicators (one green, one orange) are located above each pushbutton. The green LED of a port lights when a computer connected to that port is powered on (that is, when there is a powered-on USB connection between the TOE and the computer on that port). Once the user selects a computer and the shared set of peripherals is switched to that port, the orange LED of that port lights. An explanation of the TSF_MGT implementation is given in Section 7.1.2.

1.4.2.3 Self Protection (TSF_SPT)

This function protects the set of peripheral devices connected to the TOE. Any attempt to open the TOE enclosure triggers a Tamper Detection switch. Once the TOE has been physically tampered with, the LEDs on the front panel flash to alert the administrator and all TOE functions are disabled. The TOE firmware is contained in one-time-programmable (OTP) ROM inside the ASIC, which is permanently attached (non-socketed) to a circuit assembly, so the firmware cannot be modified. A more detailed explanation of the TSF_SPT implementation is given in Section 7.1.3.

2 Conformance Claims

2.1 Common Criteria Conformance

This ST has been prepared in accordance with and is conformant to:
  - Common Criteria for Information Technology Security Evaluation (CC), Version 3.1, Revision 3, July 2009 (CCMB-2009-07-001, CCMB-2009-07-002, CCMB-2009-07-003)
  - Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 3, July 2009 (CCMB-2009-07-004)
The ST claims the following CC conformance:
  - Part 2 extended, with four extended security functional requirements:
      EXT_VIR.1 Visual Indication Rule
      EXT_IUC.1 Invalid USB Connection
      EXT_ROM.1 Read-Only ROMs
      EXT_TMP.1 Physical Tampering Security
  - Part 3 conformant

2.2 Protection Profile Conformance

This ST claims demonstrable conformance to the Protection Profile: Peripheral Sharing Switch (PSS) for Human Interface Devices Protection Profile, Version 2.1, dated September 7, 2010.

2.3 Evaluation Assurance Level

EAL 2 augmented with ALC_FLR.2 (Flaw reporting procedures).

3 Security Problem Definition

The security problem definition states the threats, organizational security policies (OSPs) and assumptions that must be countered, enforced and upheld by the TOE and its operational environment.

3.1 Threats

A threat consists of a threat agent, an asset and an adverse action of that threat agent on that asset.

T.INVALIDUSB  The AUTHORIZED USER will connect unauthorized USB devices to the peripheral switch.
T.RESIDUAL    RESIDUAL DATA may be transferred between PERIPHERAL PORT GROUPS with different IDs.
T.ROM_PROG    The TSF may be modified by an attacker such that code embedded in reprogrammable ROMs is overwritten, thus leading to a compromise of the separation-enforcing components of the code and subsequent compromise of the data flowing through the TOE.
T.SPOOF       Via intentional or unintentional actions, a USER may think the set of SHARED PERIPHERALS are CONNECTED to one COMPUTER when in fact they are connected to a different one.
T.TRANSFER    A CONNECTION, via the TOE, between COMPUTERS may allow information transfer.

3.2 Organizational Security Policies

None.

3.3 Assumptions

The following usage assumptions are made about the intended environment of the TOE.

A.ACCESS    An AUTHORIZED USER possesses the necessary privileges to access the information transferred by the TOE. USERS are AUTHORIZED USERS.
A.MANAGE    The TOE is installed and managed in accordance with the manufacturer's directions.
            Application Note: The USB devices connected to the TOE do not buffer and transfer data to COMPUTERS other than the currently CONNECTED COMPUTER.
A.NOEVIL    The AUTHORIZED USER is non-hostile and follows all usage guidance.
A.PHYSICAL  The TOE is physically secure.

4 Security Objectives

4.1 Security Objectives for the TOE

The following security objectives are intended to be satisfied by the TOE.

O.CONF       The TOE shall not violate the confidentiality of information which it processes. Information generated within any PERIPHERAL GROUP COMPUTER CONNECTION shall not be accessible by any other PERIPHERAL GROUP with a different GROUP ID.
O.INDICATE   The AUTHORIZED USER shall receive an unambiguous indication of which SWITCHED COMPUTER has been selected.
O.ROM        TOE software/firmware shall be protected against unauthorized modification. Embedded software must be contained in mask-programmed or one-time-programmable read-only memory permanently attached (non-socketed) to a circuit assembly.
O.SELECT     An explicit action by the AUTHORIZED USER shall be used to select the COMPUTER to which the shared set of PERIPHERAL DEVICES is CONNECTED. Single push button, multiple push button, or rotary selection methods are used by most (if not all) current market products. Automatic switching based on scanning shall not be used as a selection mechanism.
O.SWITCH     All DEVICES in a SHARED PERIPHERAL GROUP shall be CONNECTED to at most one SWITCHED COMPUTER at a time.
O.USBDETECT  The TOE shall detect any USB connection that is not a pointing device, keyboard, or display and will perform no interaction with that device after the initial identification.

4.2 Security Objectives for the Environment

The following security objectives for the environment of the TOE must be satisfied in order for the TOE to fulfill its own security objectives.
OE.ACCESS    The AUTHORIZED USER shall possess the necessary privileges to access the information transferred by the TOE. USERS are AUTHORIZED USERS.
OE.MANAGE    The TOE shall be installed and managed in accordance with the manufacturer's directions.
OE.NOEVIL    The AUTHORIZED USER shall be non-hostile and follow all usage guidance.
OE.PHYSICAL  The TOE shall be physically secure.

5 Extended Components Definition

This section specifies the extended SFRs for the TOE.

5.1 Class EXT: Extended

This class provides four families for requirements that Part 2 of the Common Criteria has no appropriate component to express:
  - EXT_VIR.1 Visual Indication Rule
  - EXT_IUC.1 Invalid USB Connection
  - EXT_ROM.1 Read-Only ROMs
  - EXT_TMP.1 Physical Tampering Security

5.1.1 Visual Indication Rule (EXT_VIR)

Family Behaviour
This family defines requirements for a visual method of indicating which COMPUTER is CONNECTED to the shared set of PERIPHERAL DEVICES; the indication shall be persistent for the duration of the CONNECTION.

Component leveling
EXT_VIR: Visual Indication Rule, component 1 (the only component in the family).

Management: EXT_VIR.1
There are no management activities foreseen.

Audit: EXT_VIR.1
There are no auditable events foreseen.

EXT_VIR.1 Visual Indication Rule
Hierarchical to: No other components
Dependencies: None
EXT_VIR.1.1 A visual method of indicating which COMPUTER is CONNECTED to the shared set of PERIPHERAL DEVICES shall be provided that is persistent for the duration of the CONNECTION.

5.1.2 Invalid USB Connection (EXT_IUC)

Family Behaviour
This family defines requirements for the interrogation of all USB devices connected to the peripheral switch to ensure that they are valid (pointing device, keyboard, display).

Component leveling
EXT_IUC: Invalid USB Connection, component 1 (the only component in the family).

Management: EXT_IUC.1
There are no management activities foreseen.

Audit: EXT_IUC.1
There are no auditable events foreseen.

EXT_IUC.1 Invalid USB Connection
Hierarchical to: No other components
Dependencies: None
EXT_IUC.1.1 All USB devices connected to the peripheral switch shall be interrogated to ensure that they are valid (pointing device, keyboard, display). No further interaction with non-valid devices shall be performed.

5.1.3 Read-Only ROMs (EXT_ROM)

Family Behaviour
This family defines requirements for the TSF software/firmware, which must be contained in mask-programmed or one-time-programmable read-only memory permanently attached (non-socketed) to a circuit assembly.

Component leveling
EXT_ROM: Read-Only ROMs, component 1 (the only component in the family).

Management: EXT_ROM.1
There are no management activities foreseen.

Audit: EXT_ROM.1
There are no auditable events foreseen.

EXT_ROM.1 Read-Only ROMs
Hierarchical to: No other components
Dependencies: None
EXT_ROM.1.1 TSF software embedded in TSF ROMs must be contained in mask-programmed or one-time-programmable read-only memory permanently attached (non-socketed) to a circuit assembly.

5.1.4 Physical Tampering Security (EXT_TMP)

Family Behaviour
This family defines requirements for the protection of the set of peripheral devices connected to the TOE. Any attempt to open the enclosure will trigger a Tamper Detection switch. Once the Tamper Detection switch is triggered, all TOE functions are disabled.

Component leveling
EXT_TMP: Physical Tampering Security, component 1 (the only component in the family).

Management: EXT_TMP.1
There are no management activities foreseen.

Audit: EXT_TMP.1
There are no auditable events foreseen.

EXT_TMP.1 Physical Tampering Security
Hierarchical to: No other components
Dependencies: None
EXT_TMP.1.1 Any attempt to open the enclosure of the TOE will trigger a Tamper Detection switch. Once the Tamper Detection switch is triggered, all TOE functions are disabled.
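The interrogation required by EXT_IUC.1 above can be illustrated with a descriptor walk. The following C program is an added example written for this page; it is not ATEN's firmware and makes no claim about how the ASIC performs the check. It parses a USB configuration descriptor (the structure a host reads with GET_DESCRIPTOR after enumeration) and accepts the device only if every interface it declares is a boot-protocol HID keyboard or mouse. The sample descriptors are constructed for the example, and the rule that a composite device carrying any non-HID interface is rejected as a whole is an assumption of the example, stricter than the ST text, which only requires that non-valid devices receive no further interaction.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Descriptor types and class codes from the USB 2.0 and HID 1.11 specifications. */
#define USB_DT_CONFIGURATION 0x02
#define USB_DT_INTERFACE     0x04
#define USB_CLASS_HID        0x03
#define HID_SUBCLASS_BOOT    0x01
#define HID_PROTOCOL_KBD     0x01
#define HID_PROTOCOL_MOUSE   0x02

enum pss_verdict { PSS_REJECT = 0, PSS_ACCEPT_KEYBOARD = 1, PSS_ACCEPT_MOUSE = 2 };

/* Walk a configuration descriptor of `len` received bytes. Accept only if the
 * descriptor is well-formed and every interface is a boot-protocol HID keyboard
 * or mouse (assumed policy). Anything else, including a composite device with one
 * extra non-HID interface, is rejected as a whole. */
enum pss_verdict pss_interrogate(const uint8_t *cfg, size_t len)
{
    if (cfg == NULL || len < 9 || cfg[0] != 9 || cfg[1] != USB_DT_CONFIGURATION)
        return PSS_REJECT;
    /* wTotalLength is attacker-controlled; it must match what was actually received. */
    size_t total = (size_t)cfg[2] | ((size_t)cfg[3] << 8);
    if (total != len)
        return PSS_REJECT;

    unsigned declared = cfg[4];          /* bNumInterfaces */
    unsigned seen = 0;
    int kbd = 0, mouse = 0;

    for (size_t off = 9; off < len; ) {
        uint8_t blen = cfg[off];
        /* bLength of 0 or 1 would spin forever or overrun the buffer: malformed. */
        if (blen < 2 || off + blen > len)
            return PSS_REJECT;
        if (cfg[off + 1] == USB_DT_INTERFACE) {
            if (blen != 9)
                return PSS_REJECT;
            if (cfg[off + 3] == 0)       /* bAlternateSetting 0 counts one interface */
                seen++;
            uint8_t cls = cfg[off + 5], sub = cfg[off + 6], proto = cfg[off + 7];
            if (cls != USB_CLASS_HID || sub != HID_SUBCLASS_BOOT)
                return PSS_REJECT;       /* storage, networking, vendor-specific, ... */
            if (proto == HID_PROTOCOL_KBD)
                kbd = 1;
            else if (proto == HID_PROTOCOL_MOUSE)
                mouse = 1;
            else
                return PSS_REJECT;       /* HID, but not a boot keyboard or mouse */
        }
        off += blen;
    }
    if (seen != declared || (!kbd && !mouse))
        return PSS_REJECT;
    return kbd ? PSS_ACCEPT_KEYBOARD : PSS_ACCEPT_MOUSE;
}

/* Constructed sample descriptors for the example (not captured from real devices). */
static const uint8_t kbd_cfg[] = {
    9, 0x02, 34, 0, 1, 1, 0, 0xA0, 50,          /* configuration: 1 interface, 34 bytes */
    9, 0x04, 0, 0, 1, 0x03, 0x01, 0x01, 0,      /* interface 0: HID, boot, keyboard */
    9, 0x21, 0x11, 0x01, 0, 1, 0x22, 0x3F, 0,   /* HID class descriptor */
    7, 0x05, 0x81, 0x03, 0x08, 0x00, 10,        /* interrupt IN endpoint */
};
static const uint8_t mouse_cfg[] = {
    9, 0x02, 34, 0, 1, 1, 0, 0xA0, 50,
    9, 0x04, 0, 0, 1, 0x03, 0x01, 0x02, 0,      /* interface 0: HID, boot, mouse */
    9, 0x21, 0x11, 0x01, 0, 1, 0x22, 0x34, 0,
    7, 0x05, 0x81, 0x03, 0x04, 0x00, 10,
};
static const uint8_t msc_cfg[] = {
    9, 0x02, 32, 0, 1, 1, 0, 0x80, 250,
    9, 0x04, 0, 0, 2, 0x08, 0x06, 0x50, 0,      /* mass storage, SCSI, bulk-only */
    7, 0x05, 0x81, 0x02, 0x00, 0x02, 0,
    7, 0x05, 0x02, 0x02, 0x00, 0x02, 0,
};
static const uint8_t composite_cfg[] = {        /* keyboard plus a storage interface */
    9, 0x02, 57, 0, 2, 1, 0, 0x80, 250,
    9, 0x04, 0, 0, 1, 0x03, 0x01, 0x01, 0,
    9, 0x21, 0x11, 0x01, 0, 1, 0x22, 0x3F, 0,
    7, 0x05, 0x81, 0x03, 0x08, 0x00, 10,
    9, 0x04, 1, 0, 2, 0x08, 0x06, 0x50, 0,
    7, 0x05, 0x82, 0x02, 0x00, 0x02, 0,
    7, 0x05, 0x02, 0x02, 0x00, 0x02, 0,
};

int main(void)
{
    printf("keyboard  -> %d\n", pss_interrogate(kbd_cfg, sizeof kbd_cfg));
    printf("mouse     -> %d\n", pss_interrogate(mouse_cfg, sizeof mouse_cfg));
    printf("storage   -> %d\n", pss_interrogate(msc_cfg, sizeof msc_cfg));
    printf("composite -> %d\n", pss_interrogate(composite_cfg, sizeof composite_cfg));
    printf("truncated -> %d\n", pss_interrogate(kbd_cfg, 20));
    return 0;
}
```

The length and bLength checks are there because the descriptor is supplied by the device being vetted: a device can announce a wTotalLength larger than what it delivers, or a bLength of zero, and a naive walk would read past the buffer or loop forever. The comparison of interfaces seen against bNumInterfaces also catches a device that advertises more interfaces than it describes. In firmware the same walk would run over the bytes read through control transfers on the console-side keyboard and mouse ports before any HID report is accepted.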
6 Information Technology Security Requirements

6.1 Target of Evaluation Security Requirements

Words which appear in italics are tailoring (via permitted operations) of requirement definitions.

6.1.1 User Data Protection (FDP)

6.1.1.2 FDP_IFC.1 (Subset Information Flow Control) [Dependencies: FDP_IFF.1]
1. The TSF shall enforce the [Data Separation SFP] on [the set of PERIPHERAL PORT GROUPS, and the bi-directional flow of PERIPHERAL DATA between the SHARED PERIPHERALS and the SWITCHED COMPUTERS].

6.1.1.3 FDP_IFF.1 (Simple Security Attributes) [Dependencies: FDP_IFC.1 and FMT_MSA.3]
1. The TSF shall enforce the [Data Separation SFP] based on the following types of subject and information security attributes: [PERIPHERAL PORT GROUPS (SUBJECTS), PERIPHERAL DATA, and PERIPHERAL PORT GROUP IDs (ATTRIBUTES)].
2. The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [Switching Rule: PERIPHERAL DATA can flow to a PERIPHERAL PORT GROUP with a given ID only if it was received from a PERIPHERAL PORT GROUP with the same ID].
3. The TSF shall enforce the [no additional information flow control SFP rules].
4. The TSF shall provide the following [no additional SFP capabilities].
5. The TSF shall explicitly authorize an information flow based on the following rules: [no additional rules].
6. The TSF shall explicitly deny an information flow based on the following rules: [no additional rules].

6.1.2 Security Management (FMT)

6.1.2.1 FMT_MSA.1 (Management of Security Attributes) [Dependencies: (FDP_ACC.1 or FDP_IFC.1), FMT_SMR.1, and FMT_SMF.1]
1. The TSF shall enforce the [Data Separation SFP] to restrict the ability to [modify] the security attributes [PERIPHERAL PORT GROUP IDs] to [the USER].
Application Note: An AUTHORIZED USER shall perform an explicit action to select the COMPUTER to which the shared set of PERIPHERAL devices is CONNECTED, thus effectively modifying the GROUP ID associated with the PERIPHERAL DEVICES.

6.1.2.2 FMT_MSA.3 (Static Attribute Initialization) [Dependencies: FMT_MSA.1 and FMT_SMR.1]
1. The TSF shall enforce the [Data Separation SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP.
Application Note: On start-up, one and only one attached COMPUTER shall be selected.
2. The TSF shall allow [none] to specify alternative initial values to override the default values when an object or information is created.

6.1.2.3 FMT_SMF.1 (Specification of Management Functions) [No dependencies]
1. The TSF shall be capable of performing the following management functions: [selection of the CONNECTED PERIPHERAL PORT GROUP].
Application Note: This SFR, a dependency of FMT_MSA.1, is missing from the PSS PP and is added here.

6.1.3 Extended Requirements (EXT)

6.1.3.1 EXT_VIR.1 (Visual Indication Rule) [No dependencies]
1. A visual method of indicating which COMPUTER is CONNECTED to the shared set of PERIPHERAL DEVICES shall be provided that is persistent for the duration of the CONNECTION.
Application Note: Does not require tactile indicators, but does not preclude their presence.

6.1.3.2 EXT_IUC.1 (Invalid USB Connection) [No dependencies]
1. All USB devices connected to the peripheral switch shall be interrogated to ensure that they are valid (pointing device, keyboard, display). No further interaction with non-valid devices shall be performed.

6.1.3.3 EXT_ROM.1 (Read-Only ROMs) [No dependencies]
1. TSF software embedded in TSF ROMs must be contained in mask-programmed or one-time-programmable read-only memory permanently attached (non-socketed) to a circuit assembly.

6.1.3.4 EXT_TMP.1 (Physical Tampering Security) [No dependencies]
1. Any attempt to open the enclosure of the TOE will trigger a Tamper Detection switch. Once the Tamper Detection switch is triggered, all TOE functions are disabled.

6.2 Target of Evaluation Security Assurance Requirements

The following table lists the TOE security assurance requirements, drawn from Part 3 of the CC. They represent EAL2 augmented with ALC_FLR.2.

Assurance Class                 | Component | Name
ADV: Development                | ADV_ARC.1 | Security architecture description
                                | ADV_FSP.2 | Security-enforcing functional specification
                                | ADV_TDS.1 | Basic design
AGD: Guidance documents         | AGD_OPE.1 | Operational user guidance
                                | AGD_PRE.1 | Preparative procedures
ALC: Life-cycle support         | ALC_CMC.2 | Use of a CM system
                                | ALC_CMS.2 | Parts of the TOE CM coverage
                                | ALC_DEL.1 | Delivery procedures
                                | ALC_FLR.2 | Flaw reporting procedures
ASE: Security Target evaluation | ASE_CCL.1 | Conformance claims
                                | ASE_ECD.1 | Extended components definition
                                | ASE_INT.1 | ST introduction
                                | ASE_OBJ.2 | Security objectives
                                | ASE_REQ.2 | Derived security requirements
                                | ASE_SPD.1 | Security problem definition
                                | ASE_TSS.1 | TOE summary specification
ATE: Tests                      | ATE_COV.1 | Evidence of coverage
                                | ATE_FUN.1 | Functional testing
                                | ATE_IND.2 | Independent testing - sample
AVA: Vulnerability assessment   | AVA_VAN.2 | Vulnerability analysis

7 TOE Summary Specification

This section summarizes and describes the security functions implemented in the TOE, and the assurance measures applied to ensure their correct implementation.

7.1 TOE Security Functions

The security functions performed by the TOE are Information Flow Control (TSF_IFC), Security Management (TSF_MGT), and Self Protection (TSF_SPT).

7.1.1 Information Flow Control (TSF_IFC)

As required by the Peripheral Sharing Switch (PSS) for Human Interface Devices Protection Profile, Version 2.1, dated September 07, 2010, the Data Separation Security Function Policy (SFP) is implemented in the TOE.
The TOE shall allow PERIPHERAL DATA to be transferred only between PERIPHERAL PORT GROUPS with the same ID. The TOE processes mainly keyboard/mouse data, keyboard LED data, Display Data Channel (DDC) information, video signals, audio data and USB status. The TOE itself is neither concerned with the USER'S information in the shared computers nor with the content of the information flowing between the SHARED PERIPHERALS and the SWITCHED COMPUTERS. It only provides a CONNECTION between the HUMAN INTERFACE DEVICES and the one selected COMPUTER at any given instant. As long as the Administrator follows the guidance while configuring and using the TOE, only valid USB devices (keyboard and pointing device) are accepted by the TOE, so the user information flows remain separated.

The TOE deals with the following types of signals: keyboard data (including keyboard LED data), mouse data, USB status, audio (input/output) data and video signals. The TOE forwards each signal only to the currently CONNECTED SWITCHED COMPUTER; no data or information flows between CONNECTED COMPUTERS. Through specifically designed hardware and firmware, the TOE ensures data separation on every signal path.

Video and audio data are never stored or buffered in the TOE. Keyboard and mouse data are not stored, but are briefly buffered before being sent to the CONNECTED COMPUTER, and these buffers are zeroized before the PERIPHERAL GROUP ID is changed, so there is no possibility of forwarding buffered data to the next selected COMPUTER. The only per-computer state the TOE keeps is the keyboard Num/Caps/Scroll lock status of each COMPUTER, which is used to resume the keyboard's lock status when that COMPUTER is selected again. In the firmware, dedicated functions implement the data separation; static memory is assigned to these functions, and no third-party libraries or multitasking executives are used. The audio (input/output) paths use the same separation mechanism: no audio data is buffered or sent to a computer other than the CONNECTED one.
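The buffering and zeroization behaviour described above can be written down as a small state machine. The following C model is an added example for this page, not ATEN's firmware or ASIC design; the structure, the function names and the choice of port 0 as the power-on selection are assumptions made for the example. It enforces the Switching Rule of FDP_IFF.1 (a computer can read keyboard data only when its port ID equals the GROUP ID of the shared peripherals), zeroizes the keyboard buffer on every selection so data typed for one computer cannot reach the next (T.RESIDUAL), retains only the per-computer lock-LED state that the ST says is kept, drives the orange selection LED (EXT_VIR.1), and models the non-recoverable disable after the tamper switch fires (EXT_TMP.1).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PSS_PORTS   4      /* CS1184 / GCS1214TAA: four SWITCHED COMPUTER groups */
#define PSS_KBD_BUF 8      /* one USB boot-keyboard report */

/* Assumed model of the switch state; not the ASIC's actual data structures. */
struct pss {
    int     disabled;               /* set once the tamper switch fires, never cleared */
    uint8_t selected;               /* GROUP ID currently shared by the console peripherals */
    uint8_t kbd_buf[PSS_KBD_BUF];   /* pending keyboard report, zeroized on every switch */
    size_t  kbd_len;
    uint8_t lock_state[PSS_PORTS];  /* Num/Caps/Scroll LEDs last set by each computer */
    uint8_t kbd_leds;               /* LEDs currently driven on the shared keyboard */
    uint8_t orange_led[PSS_PORTS];  /* EXT_VIR.1: persistent selection indicator */
};

/* FMT_MSA.3: restrictive default, exactly one computer (port 0, assumed) selected at power-on. */
void pss_power_on(struct pss *s)
{
    memset(s, 0, sizeof *s);
    s->selected = 0;
    s->orange_led[0] = 1;
}

/* FMT_MSA.1 / O.SELECT: only an explicit push-button press changes the GROUP ID.
 * Returns 0 on success, -1 if the port is invalid or the TOE has been disabled. */
int pss_select(struct pss *s, uint8_t port)
{
    if (s->disabled || port >= PSS_PORTS)
        return -1;
    memset(s->kbd_buf, 0, sizeof s->kbd_buf);   /* T.RESIDUAL: drop anything pending */
    s->kbd_len = 0;
    s->orange_led[s->selected] = 0;
    s->selected = port;
    s->orange_led[port] = 1;
    s->kbd_leds = s->lock_state[port];          /* the only per-computer state resumed */
    return 0;
}

/* Shared keyboard -> TOE: buffer one report destined for the CONNECTED computer. */
int pss_keyboard_in(struct pss *s, const uint8_t *report, size_t n)
{
    if (s->disabled || n > sizeof s->kbd_buf)
        return -1;
    memcpy(s->kbd_buf, report, n);
    s->kbd_len = n;
    return 0;
}

/* TOE -> computer `host`: the Switching Rule of FDP_IFF.1. Data flows only when the
 * reading computer's GROUP ID equals the shared peripherals' GROUP ID.
 * Returns the number of bytes delivered; 0 means no flow. */
size_t pss_host_read(struct pss *s, uint8_t host, uint8_t *out, size_t outlen)
{
    if (s->disabled || host >= PSS_PORTS || host != s->selected || outlen < s->kbd_len)
        return 0;
    size_t n = s->kbd_len;
    memcpy(out, s->kbd_buf, n);
    memset(s->kbd_buf, 0, sizeof s->kbd_buf);   /* delivered data is not retained */
    s->kbd_len = 0;
    return n;
}

/* Computer `host` -> shared keyboard: lock-LED report. Recorded per computer (assumed)
 * but driven to the keyboard only if that computer is the CONNECTED one.
 * Returns 1 if forwarded, 0 if only recorded, -1 on error. */
int pss_host_set_leds(struct pss *s, uint8_t host, uint8_t leds)
{
    if (s->disabled || host >= PSS_PORTS)
        return -1;
    s->lock_state[host] = leds;
    if (host != s->selected)
        return 0;
    s->kbd_leds = leds;
    return 1;
}

/* EXT_TMP.1: opening the enclosure disables every function; there is no recovery path. */
void pss_tamper(struct pss *s)
{
    memset(s->kbd_buf, 0, sizeof s->kbd_buf);
    s->kbd_len = 0;
    s->disabled = 1;
}

/* Used to show that a switch leaves no residual keyboard data behind. */
int pss_buffer_is_zero(const struct pss *s)
{
    for (size_t i = 0; i < sizeof s->kbd_buf; i++)
        if (s->kbd_buf[i] != 0)
            return 0;
    return s->kbd_len == 0;
}

int main(void)
{
    struct pss s;
    uint8_t out[PSS_KBD_BUF];
    const uint8_t report[PSS_KBD_BUF] = { 0, 0, 0x16, 0, 0, 0, 0, 0 };  /* 's' pressed */

    pss_power_on(&s);
    pss_keyboard_in(&s, report, sizeof report);  /* typed while computer 0 is selected */
    pss_select(&s, 1);                           /* push-button: switch to computer 1 */
    printf("computer 1 reads %zu bytes, buffer zero: %d\n",
           pss_host_read(&s, 1, out, sizeof out), pss_buffer_is_zero(&s));
    pss_tamper(&s);
    printf("select after tamper: %d\n", pss_select(&s, 0));
    return 0;
}
```

The point of the model is that the only state crossing a selection is the lock-LED byte for the newly selected computer, which the ST explicitly allows; the report buffer is cleared before the GROUP ID changes rather than after, so there is no window in which the new computer's port could read the old computer's keystrokes. Once `disabled` is set nothing clears it, matching the ST's statement that a tampered unit cannot be recovered in the field.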
In operation, the TOE itself is neither concerned with the USER'S information in the shared computers nor with the information flowing between the SHARED PERIPHERALS and the SWITCHED COMPUTERS. It only provides a single connection between the shared peripheral group and the one selected computer, supporting the Data Separation Security Functional Policy: "the TOE shall allow peripheral data and state information to be transferred only between peripheral port groups with the same ID."
FUNCTIONAL REQUIREMENTS SATISFIED: FDP_IFC.1, FDP_IFF.1

All USB devices connected to the peripheral switch shall be interrogated to ensure that they are valid (pointing device and keyboard). No further interaction with non-valid devices shall be performed.
FUNCTIONAL REQUIREMENTS SATISFIED: EXT_IUC.1

7.1.2 Security Management (TSF_MGT)

There are two (CS1182/GCS1212TAA) or four (CS1184/GCS1214TAA) pushbuttons on the TOE front panel, and the pushbuttons are the only means of selecting a computer via the TOE. By pressing a pushbutton, the user explicitly determines which port is selected, that is, which computer is connected to the shared set of peripherals. Two LED indicators (one green, one orange) are located above each pushbutton. The green LED of a port lights when a computer connected to that port is powered on. Once the user selects a computer and the shared set of peripherals is switched to that port, the orange LED of that port lights.
FUNCTIONAL REQUIREMENTS SATISFIED: FMT_MSA.1, FMT_MSA.3, FMT_SMF.1, EXT_VIR.1, FDP_IFF.1

7.1.3 Self Protection (TSF_SPT)

This function protects the set of peripheral devices connected to the TOE. Any attempt to open the TOE will trigger a Tamper Detection switch. The Tamper Detection switch inside the TOE is powered by a dedicated battery. The switch is triggered as soon as the enclosure cover of the TOE is opened. Once the Tamper Detection switch has been triggered, the orange LEDs on the front panel flash to alert the administrator, and all TOE functions, and the TOE itself, are disabled. Operation cannot be restored: because the ROM inside the TOE is OTP (one-time programmable), there is no way for the user to reset or recover the system once the firmware has entered the disable loop after the switch is triggered. The TOE has to be returned to ATEN/IOGEAR, who will either replace the main board and return the unit to the customer or exchange it for new hardware. The contact information is as follows:

ATEN/IOGEAR U.S.A. Subsidiary: ATEN Technology Inc.
Website: http://www.aten-usa.com
Address: 19641 DaVinci, Foothill Ranch, CA 92610, U.S.A.
Phone: +1-949-428-1111
Fax: +1-949-428-1100
E-mail: sales@aten-usa.com

For customers outside the US, please contact the regional branch offices or headquarters listed at http://www.aten.com/about/about_branch.php?cssflag=branch for more detailed information.
FUNCTIONAL REQUIREMENTS SATISFIED: EXT_TMP.1

The OTP ROM in the ASIC, which is soldered to the PCB, ensures that the firmware inside the TOE cannot be modified or corrupted.
FUNCTIONAL REQUIREMENTS SATISFIED: EXT_ROM.1

8 Rationale

8.1 Rationale for Security Objectives

This section shows that all assumptions and threats are countered by security objectives, and that each security objective addresses at least one assumption or threat.

8.1.1 Rationale for Security Objectives for the TOE

This section provides a mapping of TOE security objectives to the threats that the TOE is intended to counter and to the assumptions that must be met. This ST claims conformance to the [PSS_PP] with identical security objectives for the TOE. Therefore the security objectives rationale provided in [PSS_PP] Section 6.1 is claimed to be consistent with this ST.
8.1.2 Rationale for Security Objectives for the Environment

This section provides a mapping of environment security objectives to the threats that the environment is expected to counter and to the assumptions that must be met. This ST claims conformance to the [PSS_PP] with identical security objectives for the Environment. Therefore the security objectives rationale provided in [PSS_PP] Section 6.2 is claimed to be consistent with this ST.

8.2 Rationale for Security Requirements

In this section the security objectives are mapped to the functional requirements, and the rationale is provided for the selected EAL, its components and its augmentation.

8.2.1 Rationale for TOE security functional requirements

This section demonstrates that all security objectives for the TOE are met by security functional requirements for the TOE, and that each security functional requirement for the TOE addresses at least one security objective for the TOE. The functional requirements are mutually supportive, and their combination meets the security objectives. This ST claims conformance to the [PSS_PP] with identical security objectives and security functional requirements for the TOE, except for the additional EXT_TMP.1 Physical Tampering Security. Therefore the security objectives rationale provided in [PSS_PP] Section 6.3 is claimed to be consistent with this ST. The rationale for the additional security functional requirement (EXT_TMP.1 Physical Tampering Security) is provided in the following table.

Objective: O.ROM. TOE software/firmware shall be protected against unauthorized modification. Embedded software must be contained in mask-programmed or one-time-programmable read-only memory permanently attached (non-socketed) to a circuit assembly.
Requirements Addressing the Objective: EXT_TMP.1 Physical Tampering Security
Rationale: EXT_TMP.1 implements the O.ROM objective indirectly. Any attempt to open the enclosure of the TOE will trigger a Tamper Detection switch.
Once the Tamper Detection switch is triggered, all TOE functions are disabled. Therefore this requirement ensures that the TSF code will not be overwritten or modified.

NOTE: Some obsolete information (FDP_ETC.1 and FDP_ITC.1, which are no longer needed) remains in [PSS_PP] Section 6.3.

8.2.2 Rationale for Security Assurance Requirements (SAR)

EAL2 augmented with ALC_FLR.2 was chosen to provide a low to moderate level of assurance that is consistent with good commercial practices. As such, minimal additional tasks are placed upon the vendor, assuming the vendor follows reasonable software engineering practices and can support the evaluation's design and testing efforts. The chosen assurance level is appropriate for the threats defined for the environment. The TOE is expected to be in a non-hostile position and embedded in or protected by other products designed to address threats that correspond with the intended environment. At EAL2 augmented with ALC_FLR.2, the TOE will have undergone a search for obvious flaws to support its introduction into the non-hostile environment. The assurance claim is consistent with the requirements of a Basic Robustness TOE environment.

8.2.3 Dependencies Rationale

The FMT_SMR.1 dependency is not met as required by the CC; the rationale is as follows.

FMT_SMR.1 (Security Roles): The TOE is not required to associate USERS with roles; hence there is only one "role", that of USER. Omitting this requirement, a dependency of FMT_MSA.1 and FMT_MSA.3, allows the TOE to operate normally in the absence of any formal roles.

8.3 TOE Summary Specification Rationale

This section contains a table which relates the security functional requirements to the TOE security functions. The rationale that the security functions cover the security functional requirements is provided in Section 7.1 TOE Security Functions.
SFR         Information Flow Control (TSF_IFC)   Security Management (TSF_MGT)   Self Protection (TSF_SPT)
FDP_IFC.1   X
FDP_IFF.1   X                                    X
FMT_MSA.1                                        X
FMT_MSA.3                                        X
FMT_SMF.1                                        X
EXT_VIR.1                                        X
EXT_IUC.1   X
EXT_ROM.1                                                                        X
EXT_TMP.1                                                                        X

9 Acronyms & Reference

9.1 Acronyms

CC      Common Criteria
DVI-I   Digital Visual Interface - Integrated
LED     Light Emitting Diode
USB     Universal Serial Bus

9.2 Reference

[PSS_PP] Peripheral Sharing Switch (PSS) for Human Interface Devices Protection Profile, Version 2.1, dated September 7, 2010