Ministero dello Sviluppo Economico
Direzione generale per le tecnologie delle comunicazioni ela sicurezza informatica
Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione
Schema nazionale per la valutazione e certificazione della sicurezza di sistemi e prodotti ICT
(DPCM del 30 ottobre 2003 - G.U. n. 93 del 27 aprile 2004)
Certificato n. 2/21
(Certification No.)
Prodotto: IBM z/VM Version 7 Release 2
(Product)
Sviluppato da: IBM Corporation
(Developed by)
Il prodotto indicato in questo certificato è risultato conforme ai requisiti dello standard
ISO/IEC 15408 (Common Criteria) v. 3.1 per il livello di garanzia:
The product identified in this certificate complies with the requirements of the standard
ISO/IEC 15408 (Common Criteria) v. 3.1 for the assurance level:
EAL4+
(ALC_FLR.3)
Il Direttore
(Dott.ssa Eva Spina)
Roma, 30 aprile 2021
Fino a EAL2 (Up to EAL2)
[ORIGINAL DIGITALLY SIGNED]
Page 2 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
This page is intentionally left blank
Page 3 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
Ministero dello Sviluppo Economico
Direzione generale per le tecnologie delle comunicazioni e la sicurezza informatica
Istituto Superiore delle Comunicazioni e delle Tecnologie dell'Informazione
Certification Report
IBM z/VM Version 7 Release 2
OCSI/CERT/ATS/05/2020/RC
Version 1.0
30 April 2021
Page 4 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
Courtesy translation
Disclaimer: this translation in English language is provided for informational purposes
only; it is not a substitute for the official document and has no legal value. The original
Italian language version of the document is the only approved and official version.
Page 5 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
1 Document revisions
Version Author Information Date
1.0 OCSI First issue 30/04/2021
Page 6 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
2 Table of contents
1 Document revisions........................................................................................................5
2 Table of contents............................................................................................................6
3 Acronyms........................................................................................................................8
4 References....................................................................................................................10
4.1 Criteria and regulations........................................................................................10
4.2 Technical documents ...........................................................................................11
5 Recognition of the certificate........................................................................................12
5.1 International Recognition of CC Certificates (CCRA) .........................................12
6 Statement of Certification.............................................................................................13
7 Summary of the evaluation ..........................................................................................15
7.1 Introduction...........................................................................................................15
7.2 Executive summary..............................................................................................15
7.3 Evaluated product ................................................................................................15
7.3.1 TOE Architecture.............................................................................................17
7.3.2 TOE security features......................................................................................19
7.4 Documentation .....................................................................................................22
7.5 Protection Profile conformance claims ................................................................22
7.6 Functional and assurance requirements .............................................................22
7.7 Evaluation conduct...............................................................................................23
7.8 General considerations about the certification validity........................................23
8 Evaluation outcome......................................................................................................24
8.1 Evaluation results.................................................................................................24
8.2 Recommendations ...............................................................................................25
9 Annex A – Guidelines for the secure usage of the product.........................................26
9.1 TOE Delivery ........................................................................................................26
9.2 Identification of the TOE.......................................................................................27
9.3 Installation, initialization and secure usage of the TOE ......................................28
10 Annex B – Evaluated configuration..............................................................................29
11 Annex C – Test activity.................................................................................................30
11.1 Test configuration.................................................................................................30
Page 7 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
11.2 Functional tests performed by the Developer......................................................31
11.2.1 Testing approach.............................................................................................31
11.2.2 Test coverage..................................................................................................32
11.2.3 Test results ......................................................................................................32
11.3 Functional and independent tests performed by the Evaluators ........................32
11.3.1 Testing approach.............................................................................................32
11.3.2 Test coverage..................................................................................................32
11.3.3 Test results ......................................................................................................33
11.4 Vulnerability analysis and penetration tests ........................................................33
Page 8 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
3 Acronyms
APAR Authorized Program Analysis Report
API Application Programming Interface
CB Certification Body
CC Common Criteria
CCRA Common Criteria Recognition Arrangement
CEM Common Evaluation Methodology
CMS Conversational Monitor System
CP Control Program
DAC Discretionary Access Control
DASD Direct Access Storage Device
DPCM Decreto del Presidente del Consiglio dei Ministri
DVD Digital Versatile Disk
EAL Evaluation Assurance Level
I/O Input/Output
ID Identifier
IPL Initial Program Load
IUCV Inter User Communication Vehicle
IT Information Technology
LGP Linea Guida Provvisoria
LGR Live Guest Relocation
LPAR Logical Partition
LVS Laboratorio per la Valutazione della Sicurezza
MAC Mandatory Access Control
MFA Multi-factor Authentication
NIS Nota Informativa dello Schema
Page 9 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
OCSI Organismo di Certificazione della Sicurezza Informatica
PDF Portable Document Format
PP Protection Profile
PR/SM Processor Resource/System Manager
PTF Program Temporary Fix
RACF Resource Access Control Facility
RSU Recommended Service Upgrade
SAK System Assurance Kernel
SAR Security Assurance Requirement
SDF Software Delivery and Fulfillment
SFR Security Functional Requirement
SIE Start Interpretive Execution
SSI Single System Image
SSL Secure Sockets Layer
ST Security Target
SW Software
TCP/IP Transmission Control Protocol/Internet Protocol
TLS Transport Layer Security
TOE Target Of Evaluation
TSF TOE Security Functionality
TSFI TSF Interface
Page 10 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
4 References
4.1 Criteria and regulations
[CC1] CCMB-2017-04-001, “Common Criteria for Information Technology
Security Evaluation, Part 1 – Introduction and general model”, Version 3.1,
Revision 5, April 2017
[CC2] CCMB-2017-04-002, “Common Criteria for Information Technology
Security Evaluation, Part 2 – Security functional components”, Version 3.1,
Revision 5, April 2017
[CC3] CCMB-2017-04-003, “Common Criteria for Information Technology
Security Evaluation, Part 3 – Security assurance components”, Version
3.1, Revision 5, April 2017
[CCRA] “Arrangement on the Recognition of Common Criteria Certificates In the
field of Information Technology Security”, July 2014
[CEM] CCMB-2017-04-004, “Common Methodology for Information Technology
Security Evaluation – Evaluation methodology”, Version 3.1, Revision 5,
April 2017
[LGP1] Schema nazionale per la valutazione e certificazione della sicurezza di
sistemi e prodotti nel settore della tecnologia dell’informazione -
Descrizione Generale dello Schema Nazionale - Linee Guida Provvisorie -
parte 1 – LGP1 versione 1.0, Dicembre 2004
[LGP2] Schema nazionale per la valutazione e certificazione della sicurezza di
sistemi e prodotti nel settore della tecnologia dell’informazione -
Accreditamento degli LVS e abilitazione degli Assistenti - Linee Guida
Provvisorie - parte 2 – LGP2 versione 1.0, Dicembre 2004
[LGP3] Schema nazionale per la valutazione e certificazione della sicurezza di
sistemi e prodotti nel settore della tecnologia dell’informazione - Procedure
di valutazione - Linee Guida Provvisorie - parte 3 – LGP3, versione 1.0,
Dicembre 2004
[NIS1] Organismo di certificazione della sicurezza informatica, Nota Informativa
dello Schema N. 1/13 – Modifiche alla LGP1, versione 1.0, Novembre
2013
[NIS2] Organismo di certificazione della sicurezza informatica, Nota Informativa
dello Schema N. 2/13 – Modifiche alla LGP2, versione 1.0, Novembre
2013
[NIS3] Organismo di certificazione della sicurezza informatica, Nota Informativa
dello Schema N. 3/13 – Modifiche alla LGP3, versione 1.0, Novembre
2013
Page 11 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
4.2 Technical documents
[CR] Certification Report “IBM z/VM Version 6 Release 4”,
OCSI/CERT/ATS/04/2017/RC, version 1.0, 23 April 2018
[ETRv1] Final Evaluation Technical Report “IBM z/VM Version 7 Release 2”, OCSI-
CERT-ATS-05-2020_ETR_210317_v1, Version 1, atsec information
security GmbH, 17 March 2021
[ETRv2] Final Evaluation Technical Report “IBM z/VM Version 7 Release 2”, OCSI-
CERT-ATS-05-2020_ETR_210406_v2, Version 2, atsec information
security GmbH, 6 March 2021
[OSPP] Operating System Protection Profile, Version 2.0, BSI-CC-PP-0067, 01
June 2010
[OSPP-LS] OSPP Extended Package – Labeled Security, Version 2.0, BSI-CC-PP-
0067, 28 May 2010
[OSPP-VIRT] OSPP Extended Package – Virtualization, Version 2.0, BSI-CC-PP-0067,
28 May 2010
[ST] IBM z/VM Version 7 Release 2 Security Target, Version 1.0, IBM
Corporation, 9 March 2021
[ZVM-CPG] z/VM V7.2 Certified Product Guidance, IBM Corporation
[ZVM-SCG] z/VM Version 7 Release 2 Secure Configuration Guide, SC24-6323-02,
IBM Corporation, 11 December 2020
Page 12 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
5 Recognition of the certificate
5.1 International Recognition of CC Certificates (CCRA)
The current version of the international arrangement on the mutual recognition of
certificates based on the CC (Common Criteria Recognition Arrangement, [CCRA] has
been ratified on 08 September 2014. It covers CC certificates compliant with collaborative
Protection Profiles (cPP), up to and including EAL4, or certificates based on assurance
components up to and including EAL2, with the possible augmentation of Flaw
Remediation family (ALC_FLR).
The current list of signatory nations and of collaborative Protection Profiles (cPP) and
other details can be found on https://www.commoncriteriaportal.org/.
The CCRA logo printed on the certificate indicates that it is recognised under the terms of
this agreement by signatory nations.
This certificate is recognised under CCRA up to EAL2.
Page 13 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
6 Statement of Certification
The Target of Evaluation (TOE) is the product “IBM z/VM Version 7 Release 2”, also
referred to in the following as z/VM V7R2 or z/VM, developed by International Business
Machines Corp. (IBM).
The TOE is a virtual machine hypervisor for IBM Z servers onto which to deploy mission-
critical virtual servers.
The evaluation has been conducted in accordance with the requirements established by
the Italian Scheme for the evaluation and certification of security systems and products in
the field of information technology and expressed in the Provisional Guidelines [LGP1,
LGP2, LGP3] and Scheme Information Notes [NIS1, NIS2, NIS3]. The Scheme is operated
by the Italian Certification Body “Organismo di Certificazione della Sicurezza Informatica
(OCSI)”, established by the Prime Minister’s Decree (DPCM) of 30 October 2003 (O.J.
n.98 of 27 April 2004).
This Certification Report was issued at the conclusion of the re-certification of an earlier
version of the same TOE (IBM z/VM Version 6 Release 4), already certified by OCSI
(Certificate no. 3/18 of April 23, 2018 [CR]).
Due to some changes made to the product by the Developer IBM Corp., it was deemed
necessary to undertake a re-certification of the TOE. The LVS atsec information security
GmbH was able to reuse part of the documentation and evidences already provided in the
previous evaluation.
Note that the changes have also led to the revision of the Security Target [ST]. Customers
of the previous version of the TOE are therefore advised to take also into account the new
ST.
While the considerations and recommendations already expressed for the previous TOE
remain largely valid, for ease of reading this Certification Report has been rewritten in its
entirety so as to constitute an autonomous document associated with the new TOE “IBM
z/VM Version 7 Release 2”.
The objective of the evaluation is to provide assurance that the product complies with the
security requirements specified in the associated Security Target [ST]; the potential
consumers of the product should review also the Security Target, in addition to the present
Certification Report, in order to gain a complete understanding of the security problem
addressed. The evaluation activities have been carried out in accordance with the
Common Criteria Part 3 [CC3] and the Common Evaluation Methodology [CEM].
The TOE resulted compliant with the requirements of Part 3 of the CC v 3.1 for the
assurance level EAL4, augmented with ALC_FLR.3, according to the information provided
in the Security Target [ST] and in the configuration shown in Annex B – Evaluated
configuration of this Certification Report.
The publication of the Certification Report is the confirmation that the evaluation process
has been conducted in accordance with the requirements of the evaluation criteria
Common Criteria - ISO/IEC 15408 ([CC1], [CC2], [CC3]) and the procedures indicated by
Page 14 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
the Common Criteria Recognition Arrangement [CCRA] and that no exploitable
vulnerability was found. However, the Certification Body with such a document does not
express any kind of support or promotion of the TOE.
Page 15 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
7 Summary of the evaluation
7.1 Introduction
This Certification Report states the outcome of the Common Criteria evaluation of the
product “IBM z/VM Version 7 Release 2” to provide assurance to the potential consumers
that TOE security features comply with its security requirements.
In addition to the present Certification Report, the potential consumers of the product
should review also the Security Target [ST], specifying the functional and assurance
requirements and the intended operational environment.
7.2 Executive summary
TOE name IBM z/VM Version 7 Release 2
Security Target IBM z/VM Version 7 Release 2 Security Target,
Version 1.0 [ST]
Evaluation Assurance Level EAL4 augmented with ALC_FLR.3
Developer IBM Corporation
Sponsor IBM Corporation
LVS atsec information security GmbH
CC version 3.1 Rev. 5
PP conformance claim Operating System Protection Profile v2.0 [OSPP] with
the following Extended Packages (EP):
• OSPP EP – Labeled Security v2.0 [OSPP-LS]
• OSPP EP – Virtualization v2.0 [OSPP-VIRT]
Evaluation starting date 1st
July 2020
Evaluation ending date 17 March 2021
The certification results apply only to the version of the product shown in this Certification
Report and only if the operational environment assumptions described in the Security
Target [ST] are fulfilled.
7.3 Evaluated product
This section summarizes the main functional and security requirements of the TOE. For a
detailed description, please refer to the Security Target [ST].
The TOE is z/VM Version 7 Release 2 clustered as up to four cooperating instances of
z/VM within a Single System Image (SSI).
Page 16 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
z/VM is a highly secure, flexible, robust, scalable operating system implementing a virtual
machine hypervisor for IBM Z servers onto which to deploy mission-critical virtual servers.
z/VM is designed to host other operating systems, each in its own virtual machine.
Multiple virtual machines can run concurrently to perform a variety of functions requiring
controlled, separated access to the information stored on the system. Apart from virtual
servers, the TOE provides additional virtual machines for each logged in human user,
separating the execution domain of each virtual machine from others as defined in the
virtual machine definitions stored in the system directory. In addition to the system
directory, the RACF security server is employed to mediate access to resources and
privileged functions.
The TOE offers multi-system clustering technology allowing between one and four z/VM
instances in an SSI cluster. The cluster configuration as well as the cluster status are kept
in resources shared amongst the cluster members. New instances of z/VM can be added
to the cluster topology at runtime. Support for Live Guest Relocation (LGR) allows the
movement of Linux virtual servers without disruption to their operation. The cluster
members are aware of each other and can take advantage of their combined resources.
LGR enables clients to avoid loss of service due to planned outages by relocating guests
from a system requiring maintenance to a system that remains active during the
maintenance period.
The TOE is enabled for Multi-factor Authentication (MFA), i.e., it properly enforces
authentication decisions made by a trusted MFA-provider located in the TOE environment,
which uses multiple factors for authentication of TOE users.
In its evaluated configuration, the TOE allows two modes of operation: a standard mode
and a mode called Labeled Security Mode. In both modes of operation, the same software
elements are used. The two modes have different RACF settings with respect to the use of
security labels. All other configuration parameters are identical in the two modes.
The RACF database used for maintaining the security context of the TOE is shared
between the cluster members. All cluster members run a local instance of RACF for local
auditing, which has access to the shared RACF database.
The concept of virtual machines representing users maintained by a single z/VM instance
can been expanded to match a cluster topology. While a virtual machine configured as
USER is limited to run on only one of any of the cluster members at the same time,
multiconfiguration virtual machines configured as IDENTITY may run simultaneously on
different cluster members and typically represent service machines.
z/VM provides identification and authentication of users using different authentication
mechanisms, both discretionary and mandatory access control to a large number of
different objects, separation of virtual machines, a configurable audit functionality,
sophisticated security management functions, preparation of objects for reuse and
functionality used internally to protect z/VM from interference and tampering by untrusted
users or subjects.
For a more detailed description of the TOE, please refer to sect. 1.5 (“TOE description”) of
the Security Target [ST]. The most significant aspects are summarized below.
Page 17 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
7.3.1 TOE Architecture
7.3.1.1 TOE general overview
The TOE is the z/VM hypervisor product that is part of an SSI cluster formed by one or
more z/VM instances with the software components as described in section 1.5.4 of the
Security Target [ST].
z/VM is an operating system designed to host other operating systems, each in its own
virtual machine. Multiple virtual machines can run concurrently to perform a variety of
functions requiring controlled, separated access to the information stored on the system.
The TOE provides a virtual machine for each logged in user, separating the execution
domain of each user from other users as defined in the virtual machine definitions stored in
the system directory. In addition, the system directory contains access control information
for privileged functions, such as use of certain options of the processor's DIAGNOSE
instruction. In addition to the system directory, the RACF security server is employed to
mediate access to resources and privileged functions.
The TOE is seen as one instance of an z/VM SSI cluster comprising of one through four
individual z/VM systems. These individual z/VM systems each execute on an abstract
machine as the sole operating system on the level of the abstract machine and exercising
full control over this abstract machine regardless which software runs inside of virtual
machines. These abstract machines are provided by logical partitions (LPAR) of IBM
mainframe servers.
The LPARs themselves are not part of the TOE, but belong to the TOE environment. It is
to be noted that although a z/VM instance can be run within a z/VM instance, the
evaluated configuration is restricted to one z/VM instance running directly within an LPAR.
A z/VM instance running within a virtual machine is allowed, but such “second level” z/VM
instances are not part of the evaluated configuration.
The z/VM SSI feature enables up to four z/VM systems to be configured as members of an
SSI cluster, sharing different resources.
Members of the SSI cluster can be on the same or separate hardware systems. SSI
enables the members of the cluster to be managed as one system, which allows
maintenance to be applied to each member of the cluster while avoiding an outage of the
entire cluster. SSI also implements the concept of Live Guest Relocation (LGR) where a
running Linux guest operating system can be relocated from one member in an SSI cluster
to another without the need to completely stop the running Linux guest throughout the
whole process.
All z/VM member instances of one SSI cluster share the RACF database, but they do not
share the RACF audit disks. Each z/VM member instance must execute its own instance
of RACF accessing the shared RACF database. The sharing of the RACF database is
done by sharing the DASD (Direct Access Storage Device) volume keeping the RACF
database between the different SSI z/VM member instances. Although sharing of the
RACF database between z/VM and z/OS is technically feasible, it is explicitly excluded
from this evaluation.
Page 18 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
Different instances of the TOE may also share the RACF database. The sharing is
implemented similarly to the sharing of the RACF database within the SSI cluster.
However, depending on the use scenario, such sharing may not be advisable.
The platforms selected for the evaluation consist of IBM products, which are available
when the evaluation has been completed and will remain available for some period of time
afterwards. Even if withdrawn from general marketing, the product may be obtained by
special request to IBM.
The TOE security functionality (TSF) is provided by the z/VM operating system kernel
called the Control Program (CP) and by an application called RACF that runs within a
specially-privileged virtual machine. In addition to providing user authentication, access
control, and audit services to CP, RACF can provide the same services to other authorized
virtual machines. z/VM provides management functions that allow configuring the TSF and
tailor them to the customer’s needs.
Some elements have been included in the TOE which do not provide security functions,
but run in authorized mode and could therefore, if misbehaved, compromise the TOE.
Since these elements are substantial for the operation of many customer environments,
they are included as trusted applications within the TOE.
In its evaluated configuration, the TOE allows two modes of operation: a standard mode
meeting all requirements of the Operating System Protection Profile base [OSPP] and its
extended package for Virtualization [OSPP-VIRT], and a more restrictive mode called
Labeled Security Mode, which additionally meets all requirements of the OSPP extended
package for Labeled Security [OSPP-LS]. In both modes of operation, the same software
elements are used. The two modes have different RACF settings with respect to the use of
security labels. All other configuration parameters are identical in the two modes.
7.3.1.2 Major software components of the TOE
The TOE consists of up to four z/VM instances each defined by three major components,
i.e., the z/VM Control Program, the Security Manager RACF, and the TCP/IP component,
with RACF and TCP/IP running within specific virtual machines maintained by CP.
The z/VM CP is primarily a real-machine resource manager. CP provides each user with
an individual working environment known as a virtual machine. Each virtual machine is a
functional equivalent of a real system, sharing the real processor instructions and its
functionality, storage, console, and I/O device resources.
CP provides connectivity support that allows application programs running within virtual
machines to exchange information with each other and to access resources residing on
the same z/VM system or on different z/VM systems.
In order to create and maintain these rules (virtual machine definitions), additional
management software is employed, that runs outside the CP, but is part of the TOE.
Hence, each component of the management software runs within a virtual machine. The
following list illustrates, which functionality runs within virtual machines:
• CMS: a single-user general-purpose operating system that is employed to run the
RACF and TCP/IP applications. CMS does not provide any security functionality but
implements a file system that can be used by applications running on top.
Page 19 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
• RACF server: provides authentication, authorization, and audit services to CP and
other authorized virtual machines that run applications on CMS. It runs within a
virtual machine maintained by CP and communicates with CP through a tightly-
controlled well-defined interface.
• TCP/IP server: provides traditional IP-based communications services. For TLS-
encrypted communication, it interacts with the SSL server, which is seen as a
subcomponent of the TCP/IP component rather than an additional part of the TOE.
Both the TCP/IP server and the SSL server are not part of CP, but each run within a
respective virtual machine maintained by CP.
Embedded within the TCP/IP stack is the Telnet service that enables users to access their
virtual machine consoles (“log on”) from the IP network. In particular, this Telnet service
receives console traffic from the network, removes the telnet or TN3270 protocol
wrappers, and then forwards it to CP using a special form of the DIAGNOSE processor
instruction. CP generates a virtual console session as a memory object. All outgoing
information is sent from the CP back to the Telnet service, which encapsulates the
information in the Telnet or TN3270E protocol and sends it back to the client. The TCP/IP
server also provides TLS services allowing the establishment of a cryptographically
secured channel.
7.3.2 TOE security features
7.3.2.1 TOE Security policy
The security policy enforced is defined by the selected set of Security Functional
Requirements and implemented by the TOE. The TOE implements both a discretionary
and a mandatory access control policy to control access to the system. In addition, the
TOE implements policies pertaining to the following security functional classes: Security
Audit (FAU), Cryptographic Support (FCS), User Data Protection (FDP), Identification and
Authentication (FIA), Security Management (FMT), Protection of the TSF (FPT), TOE
Access (FTA), Trusted Path/Channels (FTP).
7.3.2.2 Security objectives for the operational environment
The Assumptions defined in the Security Target [ST] and some aspects of Threats and
Organisational Security Policies are not covered by the TOE itself. These aspects lead to
specific security objectives to be fulfilled by the TOE operational environment. The
following topics are of relevance:
• TOE administrators are competent and trustworthy individuals.
• Remote trusted IT systems supporting the enforcement of the TOE security policy
are protected from attack and are under the same management domain as the
TOE.
• TOE sensitive information is protected in an appropriate manner.
• TOE components are distributed, installed and configured in a secure manner.
• The product diagnostics facilities are invoked at every scheduled maintenance
period.
Page 20 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
• TOE critical parts are protected from physical attacks that might compromise the
security objectives.
• TOE is able to recover after system failure or other discontinuity without a
compromise of security.
• Remote trusted IT systems implement the protocols and mechanisms required by
the TSF to support the enforcement of the TOE security policy.
For a complete description of the security objectives for the TOE operational environment,
please refer to sect. 4.2 of the Security Target [ST].
7.3.2.3 Security functions
For a detailed description of the TOE Security Functions, consult sect. 7 of the Security
Target [ST]. The most significant aspects are summarized below:
• Identification and Authentication: the TOE provides identification and
authentication of users by the means of an alphanumeric user ID and a system-
encrypted password. The following parts of the TOE perform identification and
authentication independently:
o Control Program
o RACF
For supporting identification and authentication, the TOE employs RACF managing
resource profiles and user profiles. Multi Factor Authentication decisions may also
be deferred to an external MFA-provider, if configured. Such MFA-decisions are
subsequently enforced by the TOE.
• Discretionary Access Control (DAC): For implementation of extended DAC rules,
the TOE component RACF provides the capability and flexibility as required by the
evaluation compared to the usage of the system. Basically, a user’s authority to
access a resource while operating in a RACF-protected system at any time is
determined by a combination of these factors:
o user’s identity and group membership;
o user’s attributes including group-level attributes;
o user’s group authorities;
o security classification of the user and the resource profile;
o access authority specified in the resource profile.
• Mandatory Access Control (MAC) and Support for Security Labels: In addition
to DAC, the TOE provides Mandatory Access Control (MAC), which imposes
access restrictions to information based on security classification. Each user and
each RACF controlled object can have a security classification specified in its
profile. The security classification can be a security level and zero or more security
Page 21 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
categories. Security labels are maintained separately from privilege classes in
RACF.
The access control enforced by the TOE ensures that users may only read labelled
information if their security label dominates the information’s label, and that they
may only write to labeled information containers if the container’s label dominates
the subject’s.
• Separation of virtual machines: operating system failures that occur in virtual
machines cannot affect the TOE running on the real processor. As the error is
isolated to a virtual machine, only that virtual machine fails, and the user can re-IPL
without affecting the testing and production work running in other virtual machines.
Supported by the underlying processor, the TOE restricts results of software failures
(such as program checks) occurring in a virtual machine to this machine, thus not
affecting other virtual machines or the CP.
Failures of CP that cannot be isolated to one of its maintained virtual machines
result in the abnormal termination ("abend") of the Control Program. In the event of
such an abend, the system will re-initialize itself, if possible. Special abend code
numbers are used to identify the specific reason for the abend.
• Auditing: the TOE provides an audit capability that allows generating audit records
for security critical events. RACF provides a number of logging and reporting
functions that allow resource owners and auditors to identify users who attempt to
access the resource. The audit records generated by RACF are collected into files
residing on disks that are protected from unauthorized modification or deletion by
the DAC and (in Labeled Security Mode) MAC mechanism.
• Object Reuse: the TOE provides a facility clearing protected objects and storage
previously used by virtual machines or the TOE itself prior to reassignment to other
virtual machines or the TOE. This ensures confidentiality of data maintained either
by the TOE or by virtual machines.
Storage devices and their derivatives (such as minidisks or temporary disks) are to
be cleared manually by the administrator in accordance with the organizational
policies. There is additional software support by the IBM Directory Maintenance
Facility (DirMaint), which however is not part of this evaluation.
• Security Management: the TOE provides a set of commands and options to
adequately manage the security functions of the TOE. The TOE recognizes several
roles that are able to perform the different management tasks related to the TOE’s
security:
o General security options are managed by security administrators.
o Management of MAC attributes is performed by security administrators in
Labeled Security Mode.
o Management of users and their security attributes is performed by security
administrators. Management of groups can be delegated to group security
administrators.
o Management of virtual machine definitions is performed by security
administrators.
Page 22 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
o Users are allowed to change their own password, their default group, and
their user name.
o Users may choose their security label from the range defined in their profile
at login time in Labeled Security mode.
o Auditors manage the parameters of the audit system (e.g. list of audited
events) and can analyse the audit trail.
• TSF Protection: the TOE control program enforces integrity of its own domain. No
virtual machine can access TOE resources without appropriate authorization. This
prevents tampering with TOE resources by untrusted subjects.
Supportive to this functionality are hardware implemented facilities, namely the
Interpretive-Execution Facility (SIE instruction). Therefore, the hardware and
firmware components providing the abstract machine for the TOE are required to be
physically protected from unauthorized access.
• SSI clustering: the SSI clustering mechanism integrates different z/VM systems
into one cluster in order to share different resources. The SSI cluster
communication ensures serialization of concurrent access to shared resources, if
needed.
One of the main goals of SSI is the support of live guest relocation of virtual
machines. The CP ensures the transfer of the virtual machine memory and state to
another SSI cluster member without significant interruption of service of the virtual
machine being relocated.
7.4 Documentation
The guidance documentation specified in Annex A – Guidelines for the secure usage of
the product is delivered to the customer together with the product.
The guidance documentation contains all the information for secure initialization,
configuration and secure usage the TOE in accordance with the requirements of the
Security Target [ST].
Customers should also follow the recommendations for the secure usage of the TOE
contained in sect. 8.2 of this report.
7.5 Protection Profile conformance claims
The Security Target [ST] claims strict conformance to the following Protection Profiles and
PP Packages:
• Operating System Protection Profile, Version 2.0 [OSPP]
• OSPP Extended Package – Labeled Security, Version 2.0 [OSPP-LS]
• OSPP Extended Package – Virtualization, Version 2.0 [OSPP-VIRT]
7.6 Functional and assurance requirements
All Security Assurance Requirements (SAR) have been selected from CC Part 3 [CC3].
Page 23 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
All the SFRs have been selected or derived by extension from CC Part 2 [CC2]. In
particular, considering that the Security Target claims strict conformance to the [OSPP]
PP, the following extended components from such PP are included:
• FDP_RIP.3: Full residual information protection of subjects;
• FIA_USB.2: Enhanced user-subject binding.
Please refer to the Security Target [ST] for the complete description of all security
objectives, the threats that these objectives should address, the Security Functional
Requirements (SFR) and the security functions that realize the same objectives.
7.7 Evaluation conduct
The evaluation has been conducted in accordance with the requirements established by
the Italian Scheme for the evaluation and certification of security systems and products in
the field of information technology and expressed in the Provisional Guideline [LGP3] and
the Scheme Information Note [NIS3] and in accordance with the requirements of the
Common Criteria Recognition Arrangement [CCRA].
The purpose of the evaluation is to provide assurance on the effectiveness of the TOE to
meet the requirements stated in the relevant Security Target [ST]. Initially the Security
Target has been evaluated to ensure that constitutes a solid basis for an evaluation in
accordance with the requirements expressed by the standard CC. Then, the TOE has
been evaluated on the basis of the statements contained in such a Security Target. Both
phases of the evaluation have been conducted in accordance with the CC Part 3 [CC3]
and the Common Evaluation Methodology [CEM].
The Certification Body OCSI has supervised the conduct of the evaluation performed by
the evaluation facility (LVS) atsec information security GmbH.
The evaluation was completed on 17 March 2021 with the issuance by LVS of the
Evaluation Technical Report [ETRv1]. An updated version of the ETR ([ETRv2]) containing
only minor revisions was approved by the Certification Body on 13 April 2021. Then, the
Certification Body issued this Certification Report.
7.8 General considerations about the certification validity
The evaluation focused on the security features declared in the Security Target [ST], with
reference to the operational environment specified therein. The evaluation has been
performed on the TOE configured as described in Annex B – Evaluated configuration.
Potential customers are advised to check that this corresponds to their own requirements
and to pay attention to the recommendations contained in this Certification Report.
The certification is not a guarantee that no vulnerabilities exist; it remains a probability (the
smaller, the higher the assurance level) that exploitable vulnerabilities can be discovered
after the issuance of the certificate. This Certification Report reflects the conclusions of the
certification at the time of issuance. Potential customers are invited to check regularly the
arising of any new vulnerability after the issuance of this Certification Report, and if the
vulnerability can be exploited in the operational environment of the TOE, check with the
Developer if security updates have been developed and if those updates have been
evaluated and certified.
Page 24 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
8 Evaluation outcome
8.1 Evaluation results
Following the analysis of the Evaluation Technical Report ([ETRv1] and [ETRv2]) issued
by the LVS atsec information security GmbH and documents required for the certification,
and considering the evaluation activities carried out, the Certification Body OCSI
concluded that TOE “IBM z/VM Version 7 Release 2” meets the requirements of Part 3 of
the Common Criteria [CC3] provided for the evaluation assurance level EAL4, augmented
with ALC_FLR.3, with respect to the security features described in the Security Target [ST]
and the evaluated configuration, shown in Annex B – Evaluated configuration.
Table 1 summarizes the final verdict of each activity carried out by the LVS in accordance
with the assurance requirements established in [CC3] for the evaluation assurance level
EAL4, augmented with ALC_FLR.3.
Assurance classes and components Verdict
Security Target evaluation Class ASE Pass
Conformance claims ASE_CCL.1 Pass
Extended components definition ASE_ECD.1 Pass
ST introduction ASE_INT.1 Pass
Security objectives ASE_OBJ.2 Pass
Derived security requirements ASE_REQ.2 Pass
Security problem definition ASE_SPD.1 Pass
TOE summary specification ASE_TSS.1 Pass
Development Class ADV Pass
Security architecture description ADV_ARC.1 Pass
Complete functional specification ADV_FSP.4 Pass
Implementation representation of the TSF ADV_IMP.1 Pass
Basic modular design ADV_TDS.3 Pass
Guidance documents Class AGD Pass
Operational user guidance AGD_OPE.1 Pass
Preparative procedures AGD_PRE.1 Pass
Life cycle support Class ALC Pass
Production support, acceptance procedures and
automation
ALC_CMC.4 Pass
Problem tracking CM coverage ALC_CMS.4 Pass
Delivery procedures ALC_DEL.1 Pass
Page 25 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
Assurance classes and components Verdict
Identification of security measures ALC_DVS.1 Pass
Developer defined life-cycle model ALC_LCD.1 Pass
Well-defined development tools ALC_TAT.1 Pass
Systematic flaw remediation ALC_FLR.3 Pass
Test Class ATE Pass
Analysis of coverage ATE_COV.2 Pass
Testing: basic design ATE_DPT.1 Pass
Functional testing ATE_FUN.1 Pass
Independent testing - sample ATE_IND.2 Pass
Vulnerability assessment Class AVA Pass
Focused vulnerability analysis AVA_VAN.3 Pass
Table 1 - Final verdicts for assurance requirements
8.2 Recommendations
The conclusions of the Certification Body (OCSI) are summarized in sect. 6 (Statement of
Certification).
Potential customers of the product “IBM z/VM Version 7 Release 2” are suggested to
properly understand the specific purpose of certification reading this Certification Report
together with the Security Target [ST].
The TOE must be used according to the Security Objectives for the operational
environment specified in sect. 4.2 of the Security Target [ST]. Potential customers are
advised to check that they meet the identified requirements and to pay attention to the
recommendations contained in this Report.
This Certification Report is valid for the TOE in its evaluated configuration; in particular,
Annex A – Guidelines for the secure usage of the product includes a number of
recommendations relating to delivery, initialization, configuration and secure usage of the
product, according to the guidance documentation provided together with the TOE ([ZVM-
CPG], [ZVM-SCG]).
It is assumed that the TOE operates securely if the assumptions about the operational
environment described in sect. 3.2 of the Security Target [ST] are satisfied. In particular, it
is assumed that the administrators of the TOE are adequately trained to the correct usage
of the TOE and chosen among the trusted personnel of the organization. The TOE is not
designed to counter threats from unexperienced, malicious or negligent administrators.
It should also be noted that TOE security is conditioned by the proper functioning of the
software and hardware platforms on which the TOE is installed, and of all trusted external
IT systems supporting the implementation of TOE’s security policy. Specifications for the
operational environment are described in the Security Target [ST].
Page 26 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
9 Annex A – Guidelines for the secure usage of the product
This annex provides considerations particularly relevant to the potential customers of the
product.
9.1 TOE Delivery
The TOE is software only, so no hardware or firmware is delivered as part of the product.
Table 2 contains the items that comprise the different elements of the TOE, including
software and guidance.
# Type Identifier Release Form of
delivery
z/VM Version 7 Release 2.0
1 SW z/VM Version 7 Release 2, program number 5741-A09 V7R2 DVD/
Electronic
2 DOC Program Directory for z/VM V7R2 Base GI13-4358-01 Hard copy
3 DOC Program Directory for RACF function level 720 GI13-4364-01 Hard copy
4 DOC Guide for Automated Installation and Service GC24-6292-02 Hard copy
5 DOC z/VM V7.2 Certified Product Guidance
sha256-Checksum:
258b5d926285059a725e9827536a0e9e8a3704b7d41856b9dab7777d9f006910
2020 September zVM720 GA Collection.zip
n/a Soft copy
6 DOC z/VM V7.2 Secure Configuration Guide
sha256-Checksum:
6090b1fe0b3fee9a570f3c68ee0e434073f12972795e154c9fc0d5ddc053d1c7
hcps0_v7r2.pdf
SC24-6323-02 Soft copy
Additional Media
7 SW RSU1 (the z/VM 7.2 GA level of service)
to be obtained electronically from IBM Shopz
https://www.ibm.com/software/shopzseries
n/a Electronic
8 SW PTF for APAR PH24751
to be obtained electronically from IBM Shopz
https://www.ibm.com/software/shopzseries
n/a Electronic
Table 2 - TOE Deliverables
Customers with proper IBM customer ID may use the IBM Shopz web portal
(https://www.ibm.com/software/shopzseries/ShopzSeries_public.wss) to file an order for
the TOE. In case the customer needs assistance, they may contact an IBM sales
representative who will then support the customer with filling out an order form.
Orders for z/VM on DVD are processed by an SDF Production Center. The z/VM image
ordered is duplicated to an appropriate DVD media set, which is then packed in a card-box
Page 27 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
and shrink wrapped. The final package is then delivered to the customer via a courier
service together with a contents list.
The whole process starting at the preparation and labeling of the media until finally
delivering the shrink-wrapped package to the customer is under supervision of a control
system making use of bar code identification for all parts of an order throughout the
complete process. The bar code enables unambiguous association of the media and the
additional documentation to a specific order number and, hence, to the customer who filed
that respective order.
Once the package arrived at the customer's site, the customer is able to verify that the
delivery matches their order by reviewing the contents list provided as part of the delivery
and by cross checking the part numbers labeled on the delivered media.
9.2 Identification of the TOE
During the order process for the TOE, the customer needs to explicitly order the CC-
certified version of z/VM Version 7 Release 2. This already ensures that the product
delivered to the customer actually is the TOE containing all required components. The
administrator after installation of the product according to the Secure Configuration Guide
[ZVM-SCG] also is able to verify the version of the TOE by issuing the command:
QUERY CPLEVEL
which will result in displaying the version string:
z/VM Version 7 Release 2.0, service level 2001 (64-bit)
In addition, the administrator is asked verify the list of installed PTFs against the list of
PTFs required as stated in the Security target [ST]. In order to do so, the administrator
may issue the commands:
VMFSIM QUERY 7VMCPR20 SRVAPPS * TDATA :PTF
VMFSIM QUERY 7VMRAC20 SRVAPPS * TDATA :PTF
VMFSIM QUERY 7VMTCP20 SRVAPPS * TDATA :PTF
and should be able verify the presence of the following PTFs in the output received.
For CP, the following PTFs should be reported:
UM35699
UMRSU01
For TCP/IP, the following PTF should be reported:
UI72767
For RACF, no PTFs should be reported.
Page 28 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
9.3 Installation, initialization and secure usage of the TOE
TOE installation, configuration and operation should be done following the instructions in
the appropriate sections of the guidance documentation provided with the product to the
customer.
In particular, the following documents contain detailed information for the secure
initialization of the TOE, the preparation of its operational environment and the secure
operation of the TOE in accordance with the security objectives specified in the Security
Target [ST]:
• z/VM Version 7 Release 2 Secure Configuration Guide [ZVM-SCG]
• z/VM V7.2 Certified Product Guidance [ZVM-CPG]
The Secure Configuration Guide contains references to other relevant guidance
documentation contained in the z/VM Certified Product Guidance. Both the Secure
Configuration Guide and the Certified Product Guidance are available from a secured IBM
ResourceLink:
https://www.ibm.com/servers/resourcelink/svc0302a.nsf/pages/zVMV7R2Library
The Certified Product Guidance corresponds to the “z/VM 7.2 2020 September GA PDF
collection”. This collection includes all z/VM V7R2 related documents that were published
when the version became generally available.
Page 29 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
10 Annex B – Evaluated configuration
The Target of Evaluation is “z/VM Version 7 Release 2”, developed by IBM Corp. The TOE
is software only and is accompanied by guidance documentation. The items listed in Table
2 represent the TOE.
The TOE is defined by an SSI cluster of up to four cooperating instances of the z/VM
product each running on an abstract machine as the sole operating system on the level of
the abstract machine and exercising full control over that abstract machine regardless
which software runs inside of virtual machines. The abstract machines are provided by a
logical partition (LPAR) of IBM Z servers.
A detailed list of supported IBM Z server models is given in section 1.5.4.4 of the Security
target [ST].
The LPARs themselves are not part of the TOE, but belong to the TOE environment. It is
to be noted that although a z/VM instance technically can be run within a z/VM instance,
the evaluated configuration is restricted to z/VM instances running directly within an LPAR.
A z/VM instance running within a virtual machine is allowed, but such “second level” z/VM
instances are not part of the evaluated configuration.
The evaluated configuration of the TOE is additionally defined by the configuration
requirements to be met as stated in the Secure Configuration Guide [ZVM-SCG]. The
Security Target [ST] in section 1.5.4.3 redirects readers to this document, which is part of
the TOE deliverables.
Page 30 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
11 Annex C – Test activity
This annex describes the task of both the Evaluators and the Developer in testing
activities. For the assurance level EAL4, augmented with ALC_FLR.3, such activities
include the following three steps:
• evaluation of the tests performed by the Developer in terms of coverage and level of
detail;
• execution of independent functional tests by the Evaluators;
• execution of penetration tests by the Evaluators.
11.1 Test configuration
Developer testing as well as the independent Evaluators testing was performed on the
same configuration, i.e. on systems GDLMCCC and GDLPCCC each running within a
logical partition.
The logical partitions were provided by certified versions of PR/SM on an IBM z14 server
(GDLPCCC) and an IBM z15 server (GDLMCCC), which is consistent with the list of
supported hardware platforms stated in section 1.5.4.4 of the Security Target [ST].
The test systems - for both the Developer and the Evaluators test sessions - had installed
the TOE in its evaluated configuration as required by the Security Target [ST]. This was
confirmed by the Evaluators analyzing Developer evidence generated and running
respective checks on his own when setting up and running his independent tests.
The tests were performed on system GDLMCCC as one of the configured SSI cluster
members running within a logical partition of a z15 server. Test related to the SSI feature
also involved system GDLPCCC as a second cluster member configured and running
within a logical partition of a z14 server.
The test systems each had installed the z/VM Version 7 Release 2 with SSI feature
enabled. An analysis performed by the Evaluators demonstrated that all required RSU and
PTF as stated in section 1.5.4.1 of the Security Target [ST] were installed on the
machines.
The TOE had been in its evaluated configuration when the Developer tests were
performed.
The limitation of tests performed to the test systems identified above was accepted,
because the system configuration was considered to be representative for all allowed
configurations. The TOE relies on an underlying abstract machine that is compliant with
the z/Architecture definition. Extensive testing of the underlying hardware was performed
by IBM on all processor configurations (including the chosen one) to verify full
z/Architecture compliance of the abstract machine provided to the TOE.
Page 31 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
11.2 Functional tests performed by the Developer
11.2.1 Testing approach
The Developer designed a specific CC related test suite that contains various test
scenarios covering the security functions provided by the TOE.
The tests performed by the Developer directly stimulate the following TSFI identified in the
Functional Specification and observe the resulting behaviour:
• CP commands
• RACF commands
• API
• RACF Report Writer
• Telnet Server
MFA Support is represented in the TSFI of CP (via the LOGON command) as well as RACF
(via the ADDUSER, ALTUSER, and DELUSER commands and the MFA CONTROL file).
The following TSFI are tested indirectly by the tests performed and the required test setup:
• System Directory
• System Configuration
• TCP/IP configuration files and commands
• IUCV
All but two test cases are automated, i.e., after executing a script file, a significant number
of single tests are executed mediated by the CHUG test tool as well as the FACT test tool,
the results of which are documented. Proper verification whether the actual test results
match the expected results is already included in the respective test cases. The manual
test cases related to the RACF Report Writer and the certificate-based authentication
implemented by the SSL Server contain sufficiently detailed information for the tester to
decide on whether the actual test results obtained match the expected results.
IBM usually performs a significant amount of SAK testing verifying that the interface
provided towards the virtual machines managed by the TOE is compliant with the
z/Architecture definition. Those SAK tests, however, are to be considered negative tests,
since they cannot actually prove compliance with z/Architecture but due to extensively
issuing random processor instruction streams over a significant amount of time without
ending up in any system errors, sufficient confidence of proper z/Architecture
implementation is built up. Note that for the current evaluation no SAK tests at the level of
z/VM were deemed necessary by the Developer as there have not been major changes to
the z/Architecture since the previous evaluation. However, SAK tests have been actually
performed at the level of the underlying PR/SM for the hardware platforms supported by
Page 32 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
z/VM and did not reveal any deviations as verified as part of the respective PR/SM
evaluations performed.
11.2.2 Test coverage
The Developer testing was performed to the depth of the TOE design at subsystem level,
i.e. the Developer test-depth analysis demonstrated that the TOE subsystems CP, RACF,
and TCP/IP have been subject to test cases exercising the TSFI and the TSF implemented
by those components.
11.2.3 Test results
The test evidence provided by the Developer and examined by the Evaluators
demonstrates that all but one test case were successful, i.e., the TOE behaviour observed
during the tests matched the expected behaviour.
It should be noted that the one failing testcase is due to a long-standing issue that is
neither security-relevant nor has an impact on the TSF. The Developer is still investigating
on a proper solution but stated that due to the nature of the issue not impacting security,
resolution of the issue has lower priority resulting in the issue being fixed at a later stage.
The Evaluators accepted the failing test case as the requirements for depth and coverage
are still fulfilled and the TOE security is not affected.
The Certification Body (OCSI) also considers the presence of a failed test acceptable as it
has been shown to have no impact on the security functions of the TOE. However, the CB
reiterates the recommendation for the Developer to fix this issue before applying for a re-
evaluation of the TOE.
11.3 Functional and independent tests performed by the Evaluators
11.3.1 Testing approach
The Evaluators repeated a randomly chosen subset of the Developer tests. For each of
the test case groups “CP commands” (including 100% of SSI and SSL tests performed),
“RACF commands”, and “DIAGNOSE”, coverage of nearly 100% was achieved by the
sampling strategy. The overall coverage achieved by the sample chosen was nearly
100%. No SAK tests were repeated.
In addition, the Evaluators devised independent test cases to cover the TSFI that are not
explicitly but only implicitly triggered by the Developer tests repeated. The independent
Evaluators’ test cases directly trigger the TELNET Server, the TCP/IP configuration files
and commands, the System Directory, and RACF and CP commands. The Evaluators
covered all TSFI except the API comprising the z/Architecture instructions and the RACF
Report Writer by independent test cases, with those not explicitly listed above being
triggered indirectly.
11.3.2 Test coverage
By using Developer tests as base for independent testing, the Evaluators achieved the
same test depth as the Developer when repeating a subset of the Developer tests.
Therefore, the tests performed by the Evaluators were at the level of the subsystems of
the TOE design.
Page 33 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
11.3.3 Test results
All Developer tests re-performed passed, i.e., the actual results achieved by the Evaluator
matched the expected results. All test cases devised by the Evaluators passed, i.e., the
actual test results matched the expected results.
There were no failed tests that were caused by TOE behaviour different from the expected
behaviour or violating requirements stated in the Security Target [ST].
11.4 Vulnerability analysis and penetration tests
The Evaluators consulted public domain information in order to identify known
vulnerabilities that would require performing penetration testing, but found no such
vulnerabilities.
As for the penetration testing based on the Evaluators’ independent vulnerability analysis
the Evaluators devised a total of two penetration test cases. Whereas one of the test
cases was intended to identify additional interfaces potentially bearing weaknesses, the
second test case was intended to explicitly probe for weaknesses of the TELNET server
interface. All tests were performed at the depth of the subsystems of the TOE design
exercising the TCP/IP subsystem of the TOE.
A port-scan was performed from within the same network segment the TOE was located in
to eliminate interferences with other active network components. The tool nmap was used
for that purpose. The tool identified no open ports on the TOE other than the TELNET
ports, which was expected to be open for the purpose of establishing connections to the
TOE as designed, thus matching the expected results.
Attempts to deliberately provoke buffer overflows during input of user credentials were
performed. That test was performed using the standard clients to be used when accessing
the TOE as well as from the command line. In particular, no specific setup reflecting other
active network components was done. The tests revealed no weaknesses. The excessive
inputs were rejected with error messages, thus matching the expected results.
The TLS implementation of the TOE was subject to protocol fuzzing using a publicly
available test suite. The tests revealed no implementation errors or erratic behaviour of the
TOE.
The independent search for vulnerabilities performed by the Evaluators did not reveal any
vulnerabilities that are exploitable in the intended operational environment of the TOE by
attackers with an assumed attack potential of at most Enhanced-Basic.
The following vulnerabilities, potentially affecting all kinds of operating systems, have been
discovered and addressed by the Developer and confirmed by the Evaluators as being
residual:
• vulnerability to various types of malware (trojan horses, viruses, worms);
• vulnerability to buffer overflows;
• vulnerability to hardware architecture design flaws (Meltdown and Spectre attacks).
Page 34 of 34 OCSI/CERT/ATS/05/2020/RC Ver. 1.0
Exploitation of the above vulnerabilities requires an attack potential that goes beyond the
assumed attack potential of Enhanced-Basic. In particular, the attack potential required to
develop proper exploits for buffer overflows and architectural attacks has been calculated
as Beyond High.