PrinterLogic Web Stack Server version 18.3 Security Target Version 1.0 27 November 2019 Prepared for: PrinterLogic 912 West 1600 South St. George, UT 84770 Prepared by: Accredited Testing and Evaluation Labs 6841 Benjamin Franklin Drive Columbia, MD 21046 Security Target Version 1.0, 11/27/2019 Page ii of iii Table of Contents 1. SECURITY TARGET INTRODUCTION............................................................................................................1 1.1 SECURITY TARGET, TOE AND CC IDENTIFICATION........................................................................................1 1.2 CONFORMANCE CLAIMS.................................................................................................................................1 1.3 CONVENTIONS ................................................................................................................................................2 1.3.1 Terminology ..........................................................................................................................................3 1.3.2 Acronyms...............................................................................................................................................4 2. PRODUCT AND TOE DESCRIPTION............................................................................................................5 2.1 INTRODUCTION...............................................................................................................................................5 2.2 PRODUCT OVERVIEW......................................................................................................................................5 2.3 TOE OVERVIEW .............................................................................................................................................6 2.4 TOE ARCHITECTURE......................................................................................................................................9 2.4.1 Physical Boundary.................................................................................................................................9 2.4.2 Logical Boundary ................................................................................................................................11 2.5 TOE DOCUMENTATION ................................................................................................................................12 3. SECURITY PROBLEM DEFINITION ..........................................................................................................13 4. SECURITY OBJECTIVES ..............................................................................................................................14 5. IT SECURITY REQUIREMENTS..................................................................................................................15 5.1 EXTENDED REQUIREMENTS..........................................................................................................................15 5.2 TOE SECURITY FUNCTIONAL REQUIREMENTS .............................................................................................16 5.2.1 Cryptographic Support (FCS)..............................................................................................................16 5.2.2 User Data Protection (FDP).................................................................................................................17 5.2.3 Security Management (FMT) ..............................................................................................................17 5.2.4 Privacy (FPR) ......................................................................................................................................18 5.2.5 Protection of the TSF (FPT) ................................................................................................................18 5.2.6 Trusted Path/Channels (FTP)...............................................................................................................19 5.3 TOE SECURITY ASSURANCE REQUIREMENTS...............................................................................................19 6. TOE SUMMARY SPECIFICATION..............................................................................................................20 6.1 TIMELY SECURITY UPDATES ........................................................................................................................20 6.2 CRYPTOGRAPHIC SUPPORT...........................................................................................................................20 6.3 USER DATA PROTECTION .............................................................................................................................21 6.4 SECURITY MANAGEMENT.............................................................................................................................22 6.5 PRIVACY.......................................................................................................................................................23 6.6 PROTECTION OF THE TSF .............................................................................................................................23 6.7 TRUSTED PATH/CHANNELS ..........................................................................................................................24 7. PROTECTION PROFILE CLAIMS...............................................................................................................25 8. RATIONALE.....................................................................................................................................................26 8.1 TOE SUMMARY SPECIFICATION RATIONALE................................................................................................26 APPENDIX A: TOE USAGE OF THIRD-PARTY COMPONENTS ..................................................................28 A.1 PLATFORM APIS...........................................................................................................................................28 A.2 THIRD-PARTY LIBRARIES .............................................................................................................................29 LIST OF TABLES Security Target Version 1.0, 11/27/2019 Page iii of iii Table 1 TOE Security Functional Components ......................................................................................................16 Table 2 Assurance Components ...............................................................................................................................19 Table 3 Sensitive Data ...............................................................................................................................................21 Table 4 Security Functions vs Requirements Mapping..........................................................................................27 Security Target Version 1.0, 11/27/2019 Page 1 of 52 1. Security Target Introduction This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST conformance claims, and the ST organization. The TOE is PrinterLogic Web Stack Server, version 18.3. PrinterLogic Web Stack Server (PL Server) is a web server application that interacts with PrinterLogic Web Stack Clients (PL Clients) in its operational environment. These clients are installed on endpoint systems in an organization to facilitate direct IP printing. The PL Server is used to administer PL Clients, specifically in regards to configuration, user self-service, and handling of mediated printing activities that cannot be performed directly between a computer and an installed printer (e.g., AirPrint, Email Printing Service, Google Could Print). The focus of this evaluation is on the TOE functionality supporting the claims of version 1.3 of the Protection Profile for Application Software [App PP]. The only capabilities covered by the evaluation are those specified in the aforementioned Protection Profile; no additional security functional claims are made by the product. The security functionality specified in [App PP] includes protection of security-relevant data at rest and in transit, any cryptographic functionality used to achieve this, and security of the interactions between the application(s) and their underlying platform(s). Where appropriate and permitted by the [App PP], this evaluation will identify areas where the TOE’s underlying platform is used to support the TOE’s implementation of its claimed security functionality. The Security Target contains the following additional sections:  Product and TOE Description (Section 2)  Security Problem Definition (Section 3)  Security Objectives (Section 4)  IT Security Requirements (Section 5)  TOE Summary Specification (Section 6)  Security Target Version 1.0, 11/27/2019 Page 2 of 52  Protection Profile Claims (Section 0)  Rationale (Section 8) 1.1 Security Target, TOE and CC Identification ST Title – PrinterLogic Web Stack Server version 18.3 Security Target ST Version – Version 1.0 ST Date – 27 November 2019 TOE Identification – PrinterLogic Web Stack Server version 18.3. The specific components of the TOE include: 1. PrinterLogic Web Stack Web Server (on-premises variant) a. Supported on Windows Server 2008 R2, 2012, 2012 R2, or 2016 (64-bit) TOE Developer – PrinterLogic, LLC Evaluation Sponsor – PrinterLogic, LLC CC Identification – Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017 1.2 Conformance Claims This ST and the TOE it describes are conformant to the following CC specifications: This ST is conformant to:  Protection Profile for Application Software, Version 1.3, 01 March 2019 with the following optional, selection-based, and objective SFRs: o FCS_CKM.1(1) o FCS_CKM.2  The following NIAP Technical Decisions apply to this PP and have been accounted for in the ST development and the conduct of the evaluation, or were considered to be non-applicable :  TD0416: Correction to FCS_RBG_EXT.1 Test Activity o No change to ST; affects only test activities.  TD0427: Reliable Time Source o No change to ST; the ST includes the PP’s assumptions by reference and therefore any changes to the assumptions are implicity made.  TD0434: Windows Desktop Application Test o No change to ST; affects only test activities.  TD0435: Alternative to SELinux for FPT_AEX_EXT.1.3 o No change to ST; affects only test activities.  TD0437: Supported Configuration Mechanism o FMT_MEC_EXT.1.1 has been modified in ST.  TD0444: IPsec selections o N/A to TOE; the TD adds a selection for IPsec to FTP_DIT_EXT.1 but the TSF does not include IPsec so this selection is not chosen.  TD0445: User Modifiable File Definition o No change to ST; affects only test activities. Security Target Version 1.0, 11/27/2019 Page 3 of 52  TD0465: Configuration Storage for .NET Apps o N/A to TOE; the TOE is not a .NET application.  Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1, Revision 5, April 2017. o Part 2 Extended  Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 Revision 5, April 2017. o Part 3 Extended 1.3 Conventions The following conventions have been applied in this document:  Security Functional Requirements – Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: iteration, assignment, selection, and refinement. o Iteration: allows a component to be used more than once with varying operations. An iterated SFR is indicated by a number in parentheses placed at the end of the component. For example, FCS_CKM.1(1) and FCS_CKM.1(2) indicate that the ST includes two iterations of the FCS_CKM.1 requirement: (1) and (2). o Assignment: allows the specification of an identified parameter. Assignments are indicated using italics and are surrounded by brackets (e.g., [assignment item]). Note that an assignment within a selection would be identified in both italics and underline, with the brackets themselves underlined since they are explicitly part of the selection text, unlike the brackets around the selection itself (e.g., [selection item, [assignment item inside selection]]). o Selection: allows the specification of one or more elements from a list. Selections are indicated using underlines and are surrounded by brackets (e.g., [selection item]). o Refinement: allows the addition of details and non-technical changes to grammar and formatting. Refinements are indicated using bold, for additions, and strike-through, for deletions (e.g., “… all objects …” or “… some big things …”). Note that minor grammatical changes that do not involve the addition or removal of entire words (e.g., for consistency of quantity such as changing “meets” to “meet”) do not have formatting applied.  Other sections of the ST – Other sections of the ST use bolding to highlight text of special interest, such as captions.  For SFRs that only apply to specific components of the TOE, the SFR is indicated by one or more abbreviations in parentheses placed at the end of the component. Specifically, ‘WS’ is used to indicate that the component applies to the Web Server and ‘WC’, ‘LC’, and ‘MC’ indicate applicability to Windows Client, Linux Client, and macOS Client, respectively. For example, FCS_HTTPS_EXT.1(WC,LC,MC) applies to all TOE components except for the Web Server component.  The ST does not highlight operations that have been completed by the PP authors, though it does preserve brackets to show where operations have been made. 1.3.1 Terminology The following terms and abbreviations are used in this ST: Admin Console A GUI that is part of the Web Server application. Used by administrators to configure PL Client settings, including whether to designate a given PL Client instance as a Service Host. Administrator Any member of the organization deploying the TOE who has credentials to access the Admin Console. Security Target Version 1.0, 11/27/2019 Page 4 of 52 AirPrint A feature of Apple devices (Mac/iPhone/iPad) that is used to print documents on those devices via wireless network. Console Print Application An interactive program running on a printer or multifunction device, typically controllable through a touchscreen, that can be used to configure device settings and networking. Delphi An integrated development environment for the Object Pascal programming language. Email Printing A method of remote printing where a user can send an email message to a specific address that is monitored by a Service Host and either printed directly or held for pull printing. Google Cloud Printing A feature of Android/Chrome OS devices that is used to print documents on those devices via wireless network. PrinterLogic Web Stack Client A TOE component. Runs on user machines and is used to handle installation of print drivers and remote printing. Can be configured as a Service Host to provide additional functionality for remote printing. Pull Printing A workflow for printing where a user requests to print a document but it is held by a Service Host instead of being immediately printed. The user can then choose to later release the document through the Release Portal, after which it is printed by a desired target printer. Often used in cases where physical custody of a printed document is essential but the user is not physically at or near the desired printer at the time the print job is initiated. Release Portal A GUI that is part of the Web Server application. Used to direct a Service Host to release held documents for printing. Remote Printing Term used to collectively describe AirPrint, Email Printing, and Google Cloud Printing. Self-Service Portal A GUI that is part of the Web Server application. Used for user installation of printer drivers and other basic configuration functionality that does not need to be restricted to administrators. Service Host A special configuration for a PL Client application. While configured as a Service Host, a PL Client can process remote printing and pull printing workflows. It does this by acting as a ‘dummy’ printer for AirPrint/Google Cloud Printing and/or by monitoring email boxes used for email printing. User An individual in the organization that lacks any specific privileges to administer PrinterLogic Web Stack. Web Server A TOE component. Application that runs various user- and administrator-facing user interfaces and acts as a central point for distributing configuration settings changes and release of held pull printing jobs to the various PL Clients (including Service Hosts). 1.3.2 Acronyms AA Assurance Activity API Application Programming Interface ASLR Address Space Layout Randomization AES Advanced Encryption Standard CAVP Cryptographic Algorithm Validation Program CBC Cipher-Block Chaining CC Common Criteria for Information Technology Security Evaluation CEM Common Evaluation Methodology for Information Technology Security CPA Control Panel Application CRL Certificate Revocation List FIPS Federal Information Processing Standard GUI Graphical User Interface HMAC Hashed Message Authentication Code HTTP(S) Hypertext Transfer Protocol (Secure) Security Target Version 1.0, 11/27/2019 Page 5 of 52 IP Internet Protocol LDAPS Lightweight Directory Access Protocol Secure NIAP National Information Assurance Partnership NIST National Institute of Standards and Technology PL PrinterLogic Web Stack PII Publicly Identifiable Information PP Protection Profile RSA Rivest, Shamir and Adleman (algorithm for public-key cryptography) SAR Security Assurance Requirement SFR Security Functional Requirement SHA Secure Hash Algorithm SNMP Simple Network Management Protocol SQL Structured Query Language SSH Secure Shell SSL Secure Socket Layer Protocol ST Security Target TCP Transmission Control Protocol TLS Transport Layer Security TOE Target of Evaluation TSF TOE Security Functions XMPP Extensible Messaging and Presence Protocol Security Target Version 1.0, 11/27/2019 Page 6 of 52 2. Product and TOE Description The TOE is the PrinterLogic Web Stack Server v18.3 product. This section provides an overview of the capabilities of the product and then proceeds to describe the TOE itself in terms of its evaluated components and functional claims. 2.1 Introduction PrinterLogic Web Stack Server is an web application that is used to manage on-premise application designed to simplify the management, migration, and provisioning of printers. PrinterLogic Web Stack Server facilitates features including centrally-managed direct IP printing, self-service installation of printer drivers, automated deployment of drivers, centralized reporting of printer usage, and pull/mobile printing. PrinterLogic Web Stack Server is part of a client-server distribution. The TOE is the server portion of this distribution. It interacts with remote PL Client applications in its operational environment. 2.2 Product Overview This sub-section describes capabilities of the PrinterLogic Web Stack Server product as a whole. It should be noted that many of these capabilities are not covered within the scope of the evaluation. The scope of the evaluation is covered in the subsequent sub-sections that provide the TOE overview and describe the TOE architecture and physical and logical boundaries. PrinterLogic Web Stack Server is a product that provides centralized services for user installation of print drivers as well as pull printing and cloud printing functionality. PrinterLogic Web Stack Server can be used to centrally manage direct IP printing. Printers can be added, modified (e.g. driver, port, name, duplex option), and removed from a centralized Admin Console. These changes are then provisioned to individual PrinterLogic Web Stack Client (PL Client) applications installed on user workstations in the operational environment. End users are provided a Self-Service Portal where they can install additional print drivers above and beyond those provisioned for them. They are also provided a Release Portal where held pull print jobs can be released to a selected printer. Authorizations are based on Active Directory attributes, so users may be given access (or the ability to gain access) to different printers based on role, geographic location, or other attributes. PrinterLogic Web Stack Server can also be used for centralized auditing and reporting of print jobs by communicating with the PL Client applications in its operational environment. This allows the organization to identify operational costs based on printer usage so that cost savings can be identified. It also uses SNMP to provide monitoring of individual printers and can generate emails in response to specific SNMP notifications. Pull printing, also known as secure printing, refers to the case where a user will initiate a print job from their desktop workstation but it will not be printed immediately. Instead, the TOE will interact with the environmental PL Client to ‘hold’ the print job until the user signals that they wish to ‘release’ (i.e. print) the job once they are physically present at the printer that they wish to have the job printed to. This is signaled either by the user logging onto the TOE themselves (e.g. through a mobile device) or through the user signing on to the printer, which then uses its embedded control panel application (CPA) to retrieve and print the job. Cloud printing refers to the use of various network services to initiate print jobs in the absence of having installed printer drivers on the system. The TOE, along with the environmental PL Client, supports the following methods of cloud printing:  Email printing: the TOE can be used to configure a PL Client to communicate with an email inbox and automatically place any attachments in a pull print queue owned by the enterprise identity of the user that sent an email to the inbox (via reverse Active Directory lookup).  Apple AirPrint: the TOE can be used to configure a PL Client to broadcast itself as an AirPrint-compatible printer so that iOS users can use native iOS printing capabilities. The user provides their credentials to PL Client, which takes the print job and places it into a pull print queue owned by the user.  Google Cloud Printing: the TOE can be used to configure a PL Client either to interface with Google Cloud or to impersonate a Google Cloud server so that Android/Chromebook users can use native printing capabilities. Similar to email printing, the PL Client will perform a reverse lookup of the user’s enterprise identity and hold the print job in a queue until released by that user. Security Target Version 1.0, 11/27/2019 Page 7 of 52 2.3 TOE Overview The Target of Evaluation (TOE) is comprised of the PrinterLogic Web Stack Server software application (Web Server). The Web Server is deployed on Windows. The focus of this evaluation is on the TOE functionality supporting the claims in the Protection Profile for Application Software, Version 1.3. Specifically, the following capabilities are within the scope of the evaluation:  Trusted communications of user credential data, print spool data, and configuration data between the user and the TOE and between the TOE and the operational environment. Note that the Web Server relies on the underlying Windows OS platform to provide its HTTP server functionality.  The extent to which the TSF relies on platform-provided and third-party capabilities to perform its functionality.  The extent to which data used to determine the behavior of the TSF is secured while at rest and in transit.  The ability for the TOE to function on a host platform that is configured for secure operation.  The ability of the TOE to interface with the low-level components of its host platform in such a manner that the TOE cannot be used as an attack vector to exploit the host platform.  Pull printing and cloud printing functionality that require the TSF to handle sensitive print spool data.  The ability of the organization deploying the TOE to perform timely and trusted security updates to it. The basic workflows of the application that relate to the TSF are listed below: Administrator change to client settings 1. Administrator opens web browser, navigates to Admin Console on the TOE over TLS/HTTPS connection. 2. Administrator supplies username/password to TOE, which authenticates them locally. 3. If authentication is successful, administrator interacts with Admin Console to change settings for desired clients in the operational environment. 4. Changes are propagated locally to SQL database on Web Server platform and transmitted to desired clients in the operational environment over TLS/HTTPS connection. User self-service 1. User opens web browser, navigates to Self-Service Portal on the TOE over TLS/HTTPS connection. 5. User supplies username/password to TOE, which authenticates them locally. 2. If authentication is successful, user interacts with Self-Service Portal to manage printer drivers or release held print jobs. 3. If printer drivers are not installed, the TOE will automatically transfer the desired drivers to the environmental PL Client running on the user’s system, which then installs the drivers automatically. 4. If print job is released, the TOE will communicate with the environmental PL Client instance that is holding the job over TLS/HTTPS (the instance on the user’s local system for pull printing, a Service Host for cloud printing) to instruct it to send the job to the desired printer. Pull printing 1. User prints document on local system, choosing a pull printer installed by the environmental PL Client. 2. Print job is held by PL Client and PL Client notifies the TOE over TLS/HTTPS that a print job is being held by that user. 3. User releases job by doing one of the following: - Navigating to the Release Portal on the TOE, selecting the held job, and specifying a printer to print it to - Authenticating to a printer that has been configured to send pull printing requests back to the TOE 4. Regardless of the method used to release the print job, the TOE will notify the PL Client that the job has been released (via TLS/HTTPS) and the PL Client will take the held job and send it to the platform’s print spool for printing to the desired printer. Email printing (standard) Security Target Version 1.0, 11/27/2019 Page 8 of 52 1. On the Admin Console, administrator configures an environmental Service Host to poll a particular email box. 2. The configuration change is sent to the Service Host via TLS/HTTPS and also stored by the TOE on the local database. 3. The configuration change is received by the Service Host and stored in the registry/configuration files as needed. 4. When the user wishes to print a document, they will email it to the polled email box. 5. The Service Host will retrieve any emails sent to the polled email box over IMAPS (IMAP over TLS). 6. The Service Host will connect to the environmental Active Directory server over TLS to do a reverse lookup of the sender of the email (i.e., the user). BIND credential used to do this is retrieved from the Web Server over HTTPS. 7. If the sender of the email is a valid AD user, the Service Host will hold the print job and notify the TOE (over TLS/HTTPS) that a print job is being held for that user. 8. The user can then release their print job using one of the methods specified in ‘pull printing’ above. 9. If the sender of the email is not a valid AD user, the Service Host will discard the email. Email printing (direct) 1. On the Admin Console, administrator configures an environmental Service Host to poll a particular email box. 2. In the operational environment, the administrator will configure one or more sub-domains of that email box to forward inbound messages to that email box via mail routing rules. 3. On the Admin Console, administrator configures the printer(s) that should be printed to based on the sub- domains of inbound messages. 4. The configuration changes are sent to the Service Host via TLS/HTTPS and also stored by the TOE on the local database. 5. The configuration changes are received by the Service Host and stored in the registry/configuration files as needed. 6. When the user wishes to print a document, they will email it to the polled email box. 7. The Service Host will retrieve any emails sent to the polled email box over IMAPS (IMAP over TLS). 8. The Service Host will connect to the environmental Active Directory server over LDAPS to do a reverse lookup of the sender of the email (i.e., the user). BIND credential used to do this is retrieved from the TOE over HTTPS. 9. If the sender of the email is a valid AD user, the Service Host will immediately print the document using the specified printer. Email printing (guest) 1. On the Admin Console, administrator configures an environmental Service Host to poll a particular email box. 2. The administrator also designates a specific printer as a guest printer for that email box using the ‘Allow print jobs to be emailed directly to this printer from guests’ option in the TOE. 3. When a guest user (i.e., not defined in the organizational Active Directory) wishes to print a document, they send it as an email to the polled email box. 4. The Service Host will retrieve any emails sent to the polled email box over IMAPS (IMAP over TLS). 5. Since the user is a guest, there will be no AD user to look up. 6. The Service Host will then take the email and immediately release it to be printed to the specified guest printer. AirPrint cloud printing 1. On the Admin Console, administrator enables iOS printing and designates an environmental Service Host as a pull printer for this. 2. In the operational environment, an administrator creates pointer records on the DNS server to let any iOS device see the pull printer. 3. User prints a document on iOS device, specifying the Service Host as the pull printer. 4. The user will be prompted for their Active Directory credentials, which are validated by the Service Host using LDAPS. Security Target Version 1.0, 11/27/2019 Page 9 of 52 5. Once the user credentials have been validated, the print job will be transmitted to the Service Host via IPPS (IPP over TLS). 6. The Service Host will notify the TOE that a job is being held for that user. 7. The user releases the job using one of the methods specified in ‘pull printing’ above. Google Cloud printing (traditional) 1. On the Admin Console, administrator registers an environmental Service Host as a pull printer and configures it for mobile printing. 2. Configuration settings are transmitted to the Service Host using TLS/HTTPS. 3. The Administrator enables Google Cloud printing and specifies the email address and password of the Google Cloud print account where documents will be published. 4. The Administrator registers the printer in Google (via pop-up redirect from Admin Console to Google). 5. A user prints a document on their Android or Chromebook device to the pull printer. 6. When the user selects print, the print job is sent to the Google Cloud print server and subsequently converted to a PDF document. 7. The Service Host will poll the Google Cloud print server and retrieve print jobs from the print server’s queue. 8. The Service Host will perform a reverse AD lookup of the user that submitted the print job. 9. If the user is recognized, the print job is pulled down from the Google Cloud print server over TLS/HTTPS (XMPP channel over TLS created by Google Cloud for job status and TLS/HTTPS for retrieval of the job itself) and held. 10. The Service Host notifies the TOE over TLS/HTTPS that a pull print job is being held for the user. 11. The user can release the print job for printing using any of the methods specified in ‘pull printing’ above. Google Cloud printing (local) 1. On the Admin Console, Administrator specifies one or more environmental Service Hosts to function as a local Google Cloud printer. 2. Configuration settings are transmitted to the Service Host using TLS/HTTPS. 3. The Service Host will automatically broadcast itself as a Google Cloud printer. 4. User on Android or Chromebook device will see the Service Host as a valid printer. 5. When the user selects print, the print job is sent directly to the Service Host using TLS/HTTPS rather than to the Google Cloud print server. 6. The Service Host will perform a reverse AD lookup of the user that submitted the print job. 7. If the user is recognized, the print job is held by the Service Host. 8. The Service Host notifies the TOE over TLS/HTTPS that a pull print job is being held for the user. 9. The user can release the print job for printing using any of the methods specified in ‘pull printing’ above. Software update (Web Server) 1. Administrator downloads the PrinterLogic Web Stack update from the PrinterLogic web site. 2. Administrator runs the update file, specifying all desired options. 3. The old version of the application will automatically be replaced with the updated version as part of the update process. From these use cases, the user-facing responsibilities of the TOE include the following:  Provide a mechanism for administrators to access the TSF remotely over a trusted path.  Provide a mechanism for users to access the TSF remotely over a trusted path.  Provide an interface for administrators to modify configuration settings of a PL Client application, for these configuration settings to be stored locally on the Web Server platform, and for them to be transmitted securely to the PL Client application over a trusted channel.  Notify a PL Client application over a trusted channel that a print job has been released. The TSF includes all security data and configuration settings needed to support this behavior. Not all configuration settings are security-relevant; information about how the PL Client is displayed to the user or the installation of print drivers is outside the scope of the TOE. Security Target Version 1.0, 11/27/2019 Page 10 of 52 Once a print job has been released, the TSF notifies the relevant environmental PL Client, which sends the job to the print spool for printing by the host platform. Any transmission of the print job data from the host platform itself to the target printer is not under the control of the TSF and is therefore outside the scope of the TOE. Similarly, all configuration of network settings and email servers that allow print data to be received by the TOE are outside the scope of the TOE. The TSF is not responsible for the security of print data that is sent by the user to a component in the TOE’s operational environment (e.g., the communication from the user to a mailbox used for email printing is non-TSF, but the communication between that mailbox and the TOE is part of the TSF). 2.4 TOE Architecture The PrinterLogic Web Stack Server TOE is a PHP application hosted on IIS The TOE consists of three subsystems: an Admin Console, which provides a graphical user interface (GUI) for administrative functions; a Self-Service Portal, which provides a GUI for end user configuration functions; a Release Portal, which provides a GUI for end users to release held pull print jobs; and a print management client configuration subsystem, which handles the storage and application of configuration settings. The TOE includes the following running processes:  CGI/FastCGI  PrinterLogic Web Stack Client Interface  PrinterLogic Web Stack Client Launcher  PrinterLogic Web Stack Client Manager 2.4.1 Physical Boundary The TOE consists of the following component:  Web Server application (for Windows) In Figure 1 below the TOE and its associated MySQL database are indicated by a red box. In the evaluated configuration all other components in Figure 1, including the PrinterLogic Web Stack Client are considered parts of the environment. Figure 1: TOE Architecture TSF-relevant remote interfaces are shown using solid green lines in Figure 1. Note that an environmental Service Host may also reside on a system that is remote from the TOE. In these cases, the same interface that is used by the Security Target Version 1.0, 11/27/2019 Page 11 of 52 TOE to communicate with a remote PL Client is used. Printing functionality is shown in this diagram using a dotted line. This is because facilitating printing activities is the primary purpose of the product; however, the actual act of sending documents from a system’s print spool to a networked printer is still the responsibility of the underlying operating system. The TOE has the following system requirements for its host platform:  Windows Server 2008 R2 or higher (64-bit)  Microsoft IIS 7.0 or higher  Two 2.0 GHz processors or one 2.0 GHz dual-core processor for up to 15,000 users (add a core for each additional 15,000 users)  4GB RAM for up to 15,000 users (add 4GB for each additional 15,000 users)  20GB free hard disk space (add 4GB for each additional 100 printers)  MySQL 5.7 (installed as part of installation package) The following network ports must be open for the TOE to function:  443/TCP (for HTTPS communications)  587/TCP and 993/TCP (for secure SMTP/IMAP communications) The product itself also requires TCP port 9100 to be open for network printing, UDP ports 161/162 to be open for SNMP communications, and TCP ports 80/139/445 and UDP ports 137/138 for installation of printer drivers; however, these functions do not pertain to the storage and transmission of sensitive data so they are non-TSF. The TOE supports the following web browsers:  Microsoft Edge 40.x and HTML 16.x  Microsoft Internet Explorer 9 and higher  Mozilla Firefox 3 and higher  Google Chrome 45 and higher  Safari 6.28 and 9.03 The TOE’s operational environment includes the following:  PrinterLogic Web Stack Clients (PL Clients) that are used to facilitate the installation of print drivers and execution of pull/cloud print functions  Platforms (hardware and software) on which the TOE and PL Client applications are hosted  Full disk encryption is required for all platforms to ensure adequate data-at-rest protection.  Windows cryptographic libraries, used to provide cryptographic functionality to the TOE  Web browser, used to access the TOE GUIs  MySQL 5.7 database (installed on same local system as the TOE), used to store configuration settings and security data  Email server, used to hold messages that can be retrieved by a PL Client for pull printing  Google Cloud print server, used to hold messages that can be retrieved by a PL Client for pull printing  Active Directory, used for user authentication – in the evaluated configuration, it is assumed that all users belong to the organization’s Active Directory domain; however, the TOE does require the use of at least one locally-defined administrator account to be used during initial setup of the TOE  Mobile devices, used to initiate mobile print jobs—the following mobile operating systems are supported: Security Target Version 1.0, 11/27/2019 Page 12 of 52 o iOS 9+ o Android 4.4+ o Chrome OS (all versions)  Printers, used to execute print jobs released by the user—supported manufacturers include HP, Xerox, Konica Minolta, and Ricoh. For the full list of compatible devices, refer to http://docs.printerlogic.com/Content/B_GettingStarted/RequirementsAndSupportedEnvironments.htm?Hig hlight=hardware. 2.4.2 Logical Boundary This section summarizes the security functions provided by the TOE:  Cryptographic Support  User Data Protection  Identification and authentication  Security Management  Privacy  Protection of the TSF  TOE access  Trusted Path/Channels 2.4.2.1 Cryptographic Support The TOE uses NIST-validated cryptographic algorithms to secure data in transit. The TOE relies on the FIPS-validated cryptographic library cng.sys provided by Windows to perform cryptographic functionality. The TSF encrypts credential data stored by the TOE in the environmental SQL database. The TOE relies on its underlying OS platform to implement TLS/HTTPS server functionality. The TOE also relies on its underlying OS platform to provide entropy used for key generation. 2.4.2.2 User Data Protection The TSF leverages functionality provided by their underlying OS platform to secure sensitive data at rest. The TOE uses network resources provided by the underlying platform. All platform services are invoked with user awareness and authorization. The TOE uses network connectivity to handle interactive user and administrator sessions and to communicate with environmental PL Clients for the purpose of applying configuration changes and updating the status of held print jobs. 2.4.2.3 Security Management The Web Server provides an Admin Console GUI for configuration of environmental PL Client activity. Specifically, an administrator can designate a PL Client as a Service Host and configure it to work with email printing and mobile printing, thus defining the trusted channels used by a PL Client. The Web Server also provides Self-Service Portal and Release Portal GUIs that allow users to control printing activity. The Release Portal is used to release print jobs, which prompts secure communications back to environmental PL Clients (Service Hosts) to initiate the print operation. Authentication to the Web Server is performed using locally-defined credentials. On initial installation, the administrator is prompted to specify credentials to be used for the Admin Console. TOE configuration data is stored locally in the Windows Registry. 2.4.2.4 Privacy The TOE does not handle personally identifiable information (PII). Security Target Version 1.0, 11/27/2019 Page 13 of 52 2.4.2.5 Protection of the TSF The TOE includes measures to integrate securely with its underlying OS platform. The TOE does not perform explicit memory mapping and it does not allocate any memory region with both write and execute permissions. Similarly, the TSF does not write user-modifiable data to directories that contain executable files. The TOE is compatible with its host OS platform when that platform is configured in a secure manner. The TOE is not written in a language that is susceptible to stack-based buffer overflow attacks. The TOE uses a well-defined set of platform APIs and third party libraries. The TOE provides the ability for a user/administrator to check its version and to apply updates. Updates are delivered in formats appropriate for the platform on which the TOE is installed. Application of an update removes all executable code associated with the application; there is no way for the application to modify its own code. Updates the TOE are digitally signed, and the signature is validated prior to installation. 2.4.2.6 Trusted Path/Channels TOE components use trusted paths and channels to secure data in transit. The following interfaces are provided by each TOE component:  Web Server: o TLS/HTTPS server for remote user/administrator access o TLS/HTTPS server for changes to PL Client configuration data and pull printing status 2.5 TOE Documentation PrinterLogic provides the following product documentation in support of the installation and secure use of the TOE:  PrinterLogic Web Stack Common Criteria Evaluated Configuration Guide, Version 1.0 Additional information on installation, configuration and use of the TOE can be found in the PrinterLogic Web Stack online help page, located at https://docs.printerlogic.com/. Security Target Version 1.0, 11/27/2019 Page 14 of 52 3. Security Problem Definition This Security Target includes by reference the Security Problem Definition, composed of threats and assumptions, from the [App PP]. The Common Criteria also provides for organizational security policies to be part of a security problem definition, but no such policies are defined in the [App PP]. In general, the threat model of the [App PP] is designed to protect against the following:  Disclosure of sensitive data at rest or in transit that the user has a reasonable expectation of security for  Excessive or poorly-implemented interfaces with the underlying platform that allow an application to be used as an intrusion point to a system This threat model is applicable to the TOE because information related to a user’s interaction with printer resources may contain sensitive data that a user expects will not be disclosed to anyone, and because the TOE runs on a general purpose operating system that may contain other data, applications, or network services that enforce their security in part through the assumption that the underlying operating system is trusted. Security Target Version 1.0, 11/27/2019 Page 15 of 52 4. Security Objectives Like the Security Problem Definition, this Security Target includes by reference the security objectives define in [App PP]. This includes security objectives for the TOE (used to mitigate threats) and for its operational environment (used to satisfy assumptions). Security Target Version 1.0, 11/27/2019 Page 16 of 52 5. IT Security Requirements This section defines the Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) that serve to represent the security functional claims for the Target of Evaluation (TOE) and to scope the evaluation effort. The SFRs have all been drawn from the following Protection Profile (PP):  Protection Profile for Application Software, version 1.3, 21 March 2019 [App PP] As a result, any selection/assignment/refinement operations already performed by that PP on the claimed SFRs are not identified here (i.e., they are not for matted in accordance with the conventions specified in section 1.3 of this Security Target). Formatting conventions are only applied on SFR text that was chosen at the ST author’s discretion. 5.1 Extended Requirements All of the extended requirements in this ST have been drawn from the [App PP]. The PP defines the following extended SAR and SFRs; since they have not been redefined in this ST, the [App PP] should be consulted for more information regarding these extensions to CC Parts 2 and 3.  ALC_TSU_EXT.1 (from [App PP]): Timely Security Updates  FCS_CKM_EXT.1 (from [App PP]): Cryptographic Key Generation Services  FCS_RBG_EXT.1 (from [App PP]): Random Bit Generation Services  FCS_STO_EXT.1 (from [App PP]): Storage of Credentials  FDP_DAR_EXT.1 (from [App PP]): Encryption of Sensitive Application Data  FDP_DEC_EXT.1 (from [App PP]): Access to Platform Resources  FDP_NET_EXT.1 (from [App PP]): Network Communications  FMT_CFG_EXT.1 (from [App PP]): Secure by Default Configuration  FMT_MEC_EXT.1 (from [App PP]): Supported Configuration Mechanism  FPR_ANO_EXT.1 (from [App PP]): User Consent for Transmission of Personally Identifiable Information  FPT_AEX_EXT.1 (from [App PP]): Anti-Exploitation Capabilities  FPT_API_EXT.1 (from [App PP]): Use of Supported Services and APIs  FPT_IDV_EXT.1 (from [App PP]): Software Identification and Versions  FPT_LIB_EXT.1 (from [App PP]): Use of Third Party Libraries  FPT_TUD_EXT.1 (from [App PP]): Integrity for Installation and Update  FPT_TUD_EXT.2 (from [App PP]): Integrity for Installation and Update  FTP_DIT_EXT.1 (from [App PP]): Protection of Data in Transit Security Target Version 1.0, 11/27/2019 Page 17 of 52 5.2 TOE Security Functional Requirements The following table identifies the SFRs that are satisfied by the TOE. Table 1 TOE Security Functional Components Requirement Class Requirement Component FCS: Cryptographic Support FCS_CKM.1(1): Cryptographic Asymmetric Key Generation FCS_CKM.2: Cryptographic Key Establishment FCS_CKM_EXT.1: Cryptographic Key Generation Services FCS_RBG_EXT.1: Random Bit Generation Services FCS_STO_EXT.1: Storage of Credentials FDP: User Data Protection FDP_DAR_EXT.1: Encryption of Sensitive Application Data FDP_DEC_EXT.1: Access to Platform Resources FDP_NET_EXT.1: Network Communications FMT: Security Management FMT_CFG_EXT.1: Secure by Default Configuration FMT_MEC_EXT.1: Supported Configuration Mechanism FMT_SMF.1: Specification of Management Functions FPR: Privacy FPR_ANO_EXT.1: User Consent for Transmission of Personally Identifiable Information FPT: Protection of the TSF FPT_AEX_EXT.1: Anti-Exploitation Capabilities FPT_API_EXT.1: Use of Supported Services and APIs FPT_IDV_EXT.1: Software Identification and Versions FPT_LIB_EXT.1: Use of Third Party Libraries FPT_TUD_EXT.1: Integrity for Installation and Update FPT_TUD_EXT.2: Integrity for Installation and Update FTP: Trusted Path/Channels FTP_DIT_EXT.1: Protection of Data in Transit 5.2.1 Cryptographic Support (FCS) FCS_CKM.1(1) Cryptographic Asymmetric Key Generation FCS_CKM.1.1(1) The application shall [invoke platform-provided functionality] to generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm [ [ECC schemes] using [“NIST curves” P-256, P-384 and [no other curves]] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.4] ]. FCS_CKM.2 Cryptographic Key Establishment FCS_CKM.2.1 The application shall [invoke platform-provided functionality] to perform cryptographic key establishment in accordance with a specified cryptographic key establishment method: [ Security Target Version 1.0, 11/27/2019 Page 18 of 52 [Elliptic curve-based key establishment schemes] that meet the following: [NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography”] ]. FCS_CKM_EXT.1 Cryptographic Key Generation Services FCS_CKM_EXT.1.1 The application shall [invoke platform-provided functionality for asymmetric key generation]. FCS_RBG_EXT.1 Random Bit Generation Services FCS_RBG_EXT.1.1 The application shall [invoke platform-provided DRBG functionality] for its cryptographic functions. FCS_STO_EXT.1 Storage of Credentials FCS_STO_EXT.1.1 The application shall [invoke the functionality provided by the platform to securely store [local user, local administrator, and Console Print Application credentials]] to non- volatile memory. Application Note: Credentials are stored by the platform through invocation of platform-provided AES (i.e., the same mechanism that the TSF would use if it was the component responsible for the secure storage). 5.2.2 User Data Protection (FDP) FDP_DAR_EXT.1 Encryption of Sensitive Application Data FDP_DAR_EXT.1.1 The application shall [[leverage platform-provided functionality to encrypt sensitive data]] in non-volatile memory. FDP_DEC_EXT.1 Access to Platform Resources FDP_DEC_EXT.1.1 The application shall restrict its access to [network connectivity]. FDP_DEC_EXT.1.2 The application shall restrict its access to [[SQL database]]. FDP_NET_EXT.1 Network Communications FDP_NET_EXT.1.1 The application shall restrict network communication to [user-initiated communication for [remote interaction with GUI], respond to [remotely-initiated status communication with PL Client], [application-initiated status communication with PL Client, application- initiated status communication with PL Client]]. 5.2.3 Security Management (FMT) FMT_CFG_EXT.1 Secure by Default Configuration FMT_CFG_EXT.1.1 The application shall only provide enough functionality to set new credentials when configured with default credentials or no credentials. FMT_CFG_EXT.1.2 The application shall be configured by default with file permissions which protect the application’s binaries and data files from modification by normal unprivileged users. FMT_MEC_EXT.1 Supported Configuration Mechanism FMT_MEC_EXT.1.11 The application shall [invoke the mechanisms recommended by the platform vendor for storing and setting configuration options]. 1 This SFR has been modified as per NIAP TD0437 Security Target Version 1.0, 11/27/2019 Page 19 of 52 FMT_SMF.1 Specification of Management Functions FMT_SMF.1.1 The TSF shall be capable of performing the following management functions [[specification of endpoints for trusted channels, release of print jobs, configuration of client settings]]. 5.2.4 Privacy (FPR) FPR_ANO_EXT.1 User Consent for Transmission of Personally Identifiable Information FPR_ANO_EXT.1.1 The application shall [not transmit PII over a network]. 5.2.5 Protection of the TSF (FPT) FPT_AEX_EXT.1 Anti-Exploitation Capabilities FPT_AEX_EXT.1.1 The application shall not request to map memory at an explicit address except for [no exceptions]. FPT_AEX_EXT.1.2 The application shall [not allocate any memory region with both write and execute permissions]. FPT_AEX_EXT.1.3 The application shall be compatible with security features provided by the platform vendor. FPT_AEX_EXT.1.4 The application shall not write user-modifiable files to directories that contain executable files unless explicitly directed by the user to do so. FPT_AEX_EXT.1.5 The application shall be compiled with stack-based buffer overflow protection enabled. FPT_API_EXT.1 Use of Supported Services and APIs FPT_API_EXT.1.1 The application shall only use documented platform APIs. FPT_IDV_EXT.1 Software Identification and Versions FPT_IDV_EXT.1.1 The application shall be versioned with [[other version information]]. FPT_LIB_EXT.1 Use of Third Party Libraries FPT_LIB_EXT.1.1 The application shall be packaged with only [third-party libraries listed in Appendix A.2]. Application Note: The TOE uses a large number of third-party libraries so this information has been provided in an Appendix for readability purposes. FPT_TUD_EXT.1 Integrity for Installation and Update FPT_TUD_EXT.1.1 The application shall [provide the ability] to check for updates and patches to the application software. FPT_TUD_EXT.1.2 The application shall [provide the ability] to query the current version of the application software. FPT_TUD_EXT.1.3 The application shall not download, modify, replace or update its own binary code.. FPT_TUD_EXT.1.4 The application installation package and its updates shall be digitally signed such that its platform can cryptographically verify them prior to installation. FPT_TUD_EXT.1.5 The application is distributed [as an additional software package to the platform OS]. FPT_TUD_EXT.2 Integrity for Installation and Update FPT_TUD_EXT.2.1 The application shall be distributed using the format of the platform-supported package manager. Security Target Version 1.0, 11/27/2019 Page 20 of 52 FPT_TUD_EXT.2.2 The application shall be packaged such that its removal results in the deletion of all traces of the application, with the exception of configuration settings, output files, and audit/log events. 5.2.6 Trusted Path/Channels (FTP) FTP_DIT_EXT.1 Protection of Data in Transit FTP_DIT_EXT.1.1 The application shall [  invoke platform-provided functionality to encrypt all transmitted sensitive data with [HTTPS, TLS] ] between itself and another trusted IT product. 5.3 TOE Security Assurance Requirements The security assurance requirements for the TOE are included by reference to [App PP]. Table 2 Assurance Components Requirement Class Requirement Component ADV: Development ADV_FSP.1 Basic Functional Specification AGD: Guidance Documents AGD_OPE.1: Operational User Guidance AGD_PRE.1: Preparative Procedures ALC: Life-Cycle Support ALC_CMC.1: Labelling of the TOE ALC_CMS.1: TOE CM coverage ALC_TSU_EXT.1: Timely Security Updates ATE: Tests ATE_IND.1 Independent Testing – Conformance AVA: Vulnerability Assessment AVA_VAN.1 Vulnerability Survey Consequently, the assurance activities specified in the [App PP] apply to the TOE evaluation, including any changes made to them by subsequent NIAP Technical Decisions as summarized in section 1.2 above. Security Target Version 1.0, 11/27/2019 Page 21 of 52 6. TOE Summary Specification This chapter describes the security functions of the TOE:  Cryptographic Support  User Data Protection  Identification and Authentication  Security Management  Privacy  Protection of the TSF  Trusted Path/Channels It also describes the process put in place by the TOE vendor to provide timely security updates to the TOE as per the ALC_TSU_EXT.1 requirements of the [App PP]. 6.1 Timely Security Updates PrinterLogic provides maintenance releases as needed in between major releases. The purpose of the maintenance release is to provide bug fixes and security updates for the PrinterLogic Web Stack Server. Additionally, when updates are made to the bundled third-party capabilities (MySQL, PHP), they are obtained by PrinterLogic and pushed to customers. Customers are notified by the Customer Support team when a maintenance release is made available. Maintenance release notes identify the security vulnerabilities that are fixed in the release. The only mechanism to deploy security updates is through maintenance releases. Upon discovery of a vulnerability, the impact will be assessed for priority. Any critical security fixes are immediately implemented, with a target release of 72 hours from discovery. Lower-risk items are targeted for resolution in 30-45 days depending on priority and severity. All security reports are communicated from customers to Customer Support via live phone support or through an HTTPS form on the printerlogic.com website. 6.2 Cryptographic Support TOE components use cryptography to secure data in transit to and from each application instance. The following cryptographic interfaces are used by each component when the TOE is configured to be in its evaluated configuration:  TLS/HTTPS server (for remote user/administrator authentication using the Self-Service Portal and the Release Portal)  TLS/HTTPS server (for communication of configuration settings to individual PL Client applications at the request of those applications) The TOE relies on the underlying OS platform cryptography (via the FIPS-validated cryptographic module cng.sys) to implement the cryptographic primitives for TLS/HTTPS communications. The TOE relies on IIS to provide the TLS/HTTPS protocol stack for these communications. The TOE relies on its operational environment to generate asymmetric keys in support of trusted communications. The TSF generates ECC keys using P-256 and P-384. These keys are generated in support of the ECDHE key establishment schemes that are used for TLS/HTTPS communications. To ensure sufficient key strength, the TOE invokes environmental DRBG functionality for key generation. The proprietary Entropy Analysis Report (EAR) describes how the TSF extracts random data from software-based sources to ensure that an amount of entropy that is at least equal to the strength of the generated keys is present (i.e., at least 256 bits when the largest supported keys are generated) when seeding the DRBG for key generation purposes. The TOE relies on the third-party entropy sources provided by the platform vendor (Microsoft); in this case, it is assumed that this platform provides at least 256 bits of entropy. Key generation is the only TOE function that requires the use of random numbers. Random numbers are obtained from the BCryptGenRandom platform API. The TOE relies on IIS to implement all TLS functionality, so the platform API is itself invoked by the platform. The TOE uses TLS 1.2 implemented by the OS platform for protection of data in transit. The TOE stores local user/administrator credentials (to the Admin, Self-Service, and Release Portals) and credentials for environmental control panel applications (CPAs) in the MySQL database that is bundled with the TOE installation. This data is protected from unauthorized access using AES encryption of the database itself by the TOE platform’s cryptographic Security Target Version 1.0, 11/27/2019 Page 22 of 52 module as well as full disk encryption of the entire platform on which the Web Server and MySQL database are installed (see FDP_DAR_EXT.1). The Cryptographic Support security function is designed to satisfy the following security functional requirements:  FCS_CKM.1(1) – The TOE platform generates ECC keys for the purpose of TLS key establishment.  FCS_CKM.2 – The TOE platform performs ECC key establishment for TLS.  FCS_CKM_EXT.1 – the TSF relies on the underlying OS platform to provide key generation functionality.  FCS_RBG_EXT.1 – The TSF relies on the underlying OS platform to provide random bit generation functionality.  FCS_STO_EXT.1 – TOE components use platform-provided services to store all credential data. 6.3 User Data Protection The [App PP] defines ‘sensitive data’ as follows: “Sensitive data may include all user or enterprise data or may be specific application data such as emails, messaging, documents, calendar items, and contacts. Sensitive data must minimally include PII, credentials, and keys. Sensitive data shall be identified in the application’s TSS by the ST author.” The table below lists the data that is considered to be ‘sensitive data’ for this TOE along with where that data resides. Note that while CPA credentials are not used by the TSF to fulfill any security functions in the claimed PP, they are stored by the TOE for non-TSF functions. As a result, user/administrator will have a reasonable expectation that the TSF can protect this data. The TSF does not examine printed documents for content so they are all considered to be sensitive data since a user has a reasonable expectation that if they print a document, it will not be stored on a separate server for others to view. Table 3 Sensitive Data Sensitive Data Stored On Exchange Protection At Rest Protection In Transit Database key TOE Inter-process communication Platform encryption (full disk) N/A Admin Console Credentials (Local) TOE Admin’s browser to Web Server over browser connection Platform encryption (full disk + FCS_STO_EXT.1 AES) HTTPS Self-Service/Release Portal User Credentials (Local) TOE User’s browser to Web Server over browser connection Platform encryption (full disk + FCS_STO_EXT.1 AES) HTTPS CPA credential TOE Queried by remote printer Platform encryption (full disk + FCS_STO_EXT.1 AES) HTTPS PL Client configuration settings TOE Pulled by PL Client instances as needed Platform encryption (full disk + FCS_STO_EXT.1 AES) HTTPS Instructions to hold/release print jobs N/A Issued from Web Server to Service Host at user direction N/A HTTPS In the evaluated configuration, the TOE will be installed on a platform that has full disk encryption enabled. All data at rest is ultimately secured by the operational environment’s platform encryption functionality, including credential data that is stored in the environmental database and encrypted. Security Target Version 1.0, 11/27/2019 Page 23 of 52 The underlying platform functionality that the TOE interacts with is the system’s network connectivity. Network usage of the TOE is authorized implicitly through user guidance; it does not make any specific requests on its own to use network services once installed. The TOE restricts network connectivity to the following uses only:  User-initiated: accessing the Web Server from a remote web browser  Remotely-initiated: initiation of cloud/email printing that a Service Host is configured to handle, remotely- initiated status communication with environmental PL Client (e.g. notification from PL Client that a print job is being held by a user)  TSF-initiated: status communication with environmental PL Client (e.g. notification to PL Client that a held print job has been released by a user) The TOE also interacts with the SQL database residing on its local system when user actions requiring access to it are performed. The User Data Protection security function is designed to satisfy the following security functional requirements:  FDP_DAR_EXT.1 – Sensitive data at rest is protected by full disk encryption of the underlying OS platforms for each TOE component.  FDP_DEC_EXT.1 – The TOE’s use of platform services is well understood by users prior to authorizing the TOE activity.  FDP_NET_EXT.1 – The TOE communicates over the network for well-defined purposes. Depending on the function, the use of network resources is user-initiated directly through the TSF, remotely initiated by a user performing an action in the operational environment, or initiated by the TOE itself. 6.4 Security Management The TOE provides a graphical user interface (GUI) that requires user authentication to access. As part of initial setup, the user must specify the username/password of an administrator account before any additional access is granted. The TOE is protected from unauthorized access via the host platform’s file system. By default, the binaries and application data for the TOE are owned by Administrators. The TOE enforces its security functionality by default upon initial installation and configuration. Configuration settings are defined on the Web Server’s local system and stored in the Windows registry. The TOE can be used to specify the endpoints for trusted channels through configuration of environmental PL Clients. Specifically, a user can specify one or more email servers that a Service Host will retrieve data from for email printing. A user can also designate a Service Host to receive and hold print jobs for AirPrint and Google cloud printing. The TOE specifies this behavior by saving settings in its SQL database. When an environmental PL Client communicates with the TOE, it will be notified if it has been designated as a Service Host; in response to this, it will spawn a process to provide that functionality. The behavior of that process (e.g., what mailbox to monitor for email printing, whether to print or discard email printing requests that come from guest users, what Active Directory repository to use when doing reverse lookups for user identities) is controlled by the TOE settings as well. As this configuration data is stored remotely from the PL Client, it isstored as sensitive data in the SQL database and so it is not subject to unauthorized manipulation. The TOE provides a mechanism for a user to complete a pull print or cloud print through release of the print job. The release method differs based on the print method, as follows:  Pull print: PL Client (on user’s host system) prompts user to hold or release print job o If print job is held, user will use the TOE to release the job at a later time o If print job is released, PL Client will release the job  Cloud print: o User can use the TOE to release the job In the Admin Console, an administrator may also configure the following PL Client settings: Security Target Version 1.0, 11/27/2019 Page 24 of 52  Time interval for client check-in (default 240 minutes)  Enable/disable server initiation of client updates  Enable/disable designation of individual client as Service Host  Specify use of HTTPS for client-server communications (Service Host communications are not configurable and use TLS/HTTPS by default) All other management functionality provided by the product is non-TSF and all other security-relevant settings are established during TOE installation and are non-configurable. The Security Management security function is designed to satisfy the following security functional requirements:  FMT_CFG_EXT.1 – The TOE requires credentials to be defined before use. It is also prevented from direct modification by untrusted users via their host OS platform.  FMT_MEC_EXT.1 – Locally-modifiable configuration settings for the TOE are stored in an appropriate location.  FMT_SMF.1 – The TOE can be used by administrators to configure environmental PL Client settings including configuring individual clients to act as Service Hosts and configuring trusted channel endpoints by identifying where Service Hosts will retrieve print jobs. The TOE can also be used by end users to authorize the release of print jobs that are held by Service Hosts. 6.5 Privacy The TOE does not handle personally identifiable information (PII). The TOE facilitates interaction between users and printer resources but does not directly accept Active Directory credentials or handle print spool data. The Privacy security function is designed to satisfy the following security functional requirements:  FPR_ANO_EXT.1 – the TOE does not handle personally identifiable information. 6.6 Protection of the TSF The TOE implements several mechanisms to protect against exploitation. The TOE implement address space layout randomization (ASLR) and relies fully on its underlying host platform to perform memory mapping. There is no situation where the TSF maps memory to an explicit address. The TOE (PHP) is interpreted code that does not use just-in-time compilation. It also does not use both PROT_WRITE and PROT_EXEC on the same memory regions. The TOE writes data to the underlying OS platform; however, no data is considered to be user-modifiable. The following directories are used to write and store data:  web application resides in IIS node of administrator’s choosing (e.g., C:\inetpub); PHP writes log data to %TMP% directory on OS platform; configuration data is stored in SQL database installed at location of administrator’s choosing. The TOE is written in interpreted language that relies on the runtime environment to dynamically allocate memory and is therefore not subject to stack-based buffer overflows. The TOE is designed to run on a host OS platform where platform security features have been enabled (e.g. Windows Defender Export Guard). The TOE uses only documented platform APIs. Appendix A.1 lists the APIs used by the TOE. The TOE also makes use of third-party libraries. Appendix A.2 lists the libraries used by the TOE. The TOE is versioned in the format ‘x.y’ where x is the year of release and y is the nth release of that year (e.g. in the case of version 18.3, it’s the 3rd version released in 2018). The TOE provides the means to check for, apply, and verify software updates. This is implemented as follows: A user can check for updates by visiting a link in the Admin Console to check for the latest release. Updates are packaged as .exe files. There is no method to uninstall the application; application of an update will modify existing components as opposed to removing and re-installing components. The current version of the application can be queried by navigating to About PrinterLogic Web Stack in the Admin Console. All updates are digitally signed by Security Target Version 1.0, 11/27/2019 Page 25 of 52 PrinterLogic using 2048-bit RSA signatures. The digital signature is verified automatically by Windows APIs prior to installation. The TOE is made available as a stand-alone installer that can be obtained from PrinterLogic’s website, and can be distribed by any variety of methods (e.g. pushed out through AD or made available in the Software Center). Updating the TOE software is the only method of changing its executable code; it does not change its own code. Removal of the application will result in the deletion of all traces of the application except for any related configuration settings, log events, or output files. The Protection of the TSF security function is designed to satisfy the following security functional requirements:  FPT_AEX_EXT.1 – The TOE interacts with its host OS platform in a manner that does not expose the system to memory-related exploitation.  FPT_API_EXT.1 – The TOE uses documented platform APIs.  FPT_IDV_EXT. 1 – The TOE is versioned with the year and month of release.  FPT_LIB_EXT.1 – The set of third-party libraries used by the TOE is well-defined.  FPT_TUD_EXT.1 – The TOE can be updated through installation packages. Updates are signed by the vendor and validated by the host OS platform prior to installation.  FPT_TUD_EXT.2 – Updates to the TOE are packaged using formats native to the supported OS platform and removal of the TOE does not preserve any executable code on the platform. 6.7 Trusted Path/Channels The TOE uses HTTPS / TLSv1.2 to secure sensitive data in transit over trusted channels and paths. The channels and paths supported by the TOE and the protocols used to establish them are listed in section 6.2. All trusted channel communications are provided by the TOE platform. The following data is considered by the TOE to be ‘sensitive’ and is therefore protected in transit to/from the system on which a TOE component resides:  User and administrator credential data (from user to TOE)  Configuration information (from user to TOE and between TOE and PL Client)  Credential data for environmental components (CPA) (from TOE to/from environmental components)  Authorizations to hold/release print jobs (between TOE and PL Client) The secure protocols are supported by NIST-validated cryptographic mechanisms provided by the operational environment. The administrator must configure the interfaces to use the trusted channels before the TOE has been placed into its evaluated configuration. The TOE can also interact with printers in the operational environment to query status information using SNMPv3, but this is not considered to be sensitive data as per section 6.2 and is therefore not protected with any of the trusted protocols specified in FTP_DIT_EXT.1. The Trusted Path/Channels security function is designed to satisfy the following security functional requirements:  FTP_DIT_EXT.1 – The TOE relies on platform-provided functionality to secure sensitive data in transit using TLS and HTTPS. Security Target Version 1.0, 11/27/2019 Page 26 of 52 7. Protection Profile Claims This ST is conformant to the Protection Profile for Application Software, Version 1.3, 1 March 2019 [App PP] along with all applicable errata and interpretations from the certificate issuing scheme. As explained in section 3, Security Problem Definition, the Security Problem Definition of [App PP] has been included by reference into this ST. As explained in section 4, Security Objectives, the Security Objectives of [App PP] has been included by reference into this ST. All claimed SFRs are defined in [App PP]. All mandatory SFRs are claimed. No optional or objective SFRs are claimed. Selection-based SFR claims are consistent with the selections made in the mandatory SFRs that prompt their inclusion. Security Target Version 1.0, 11/27/2019 Page 27 of 52 8. Rationale This Security Target includes by reference the [App PP] Security Problem Definition, Security Objectives, and Security Assurance Requirements. The Security Target does not add, remove, or modify any of these items. Security Functional Requirements have been reproduced with the Protection Profile operations completed. All selections, assignments, and refinements made on the claimed Security Functional Requirements have been performed in a manner that is consistent with what is permitted by the [App PP]. The proper set of selection-based requirements have been claimed based on the selections made in the mandatory requirements. Consequently, the claims made by this Security Target are sufficient to address the TOE’s security problem. Rationale for the sufficiency of the TOE Summary Specification is provided below. 8.1 TOE Summary Specification Rationale Each subsection in Section 6, the TOE Summary Specification, describes a security function of the TOE. Each description is followed with rationale that indicates which requirements are satisfied by aspects of the corresponding security function. The set of security functions work together to satisfy all of the security functions and assurance requirements. Furthermore, all of the security functions are necessary in order for the TSF to provide the required security functionality. This section in conjunction with Section 6, the TOE Summary Specification, provides evidence that the security functions are suitable to meet the TOE security requirements. The collection of security functions work together to provide all of the security requirements. The security functions described in the TOE summary specification are all necessary for the required security functionality in the TSF. The table below demonstrates the relationship between security requirements and security functions. Security Target Version 1.0, 11/27/2019 Page 28 of 52 Table 4 Security Functions vs Requirements Mapping Cryptographic Support User Data Protection Identification and Authentication Security Management Privacy Protection of the TSF Trusted Path/Channels FCS_CKM.1(1) X FCS_CKM.2 X FCS_CKM_EXT.1 X FCS_RBG_EXT.1 X FCS_STO_EXT.1 X FDP_DAR_EXT.1 X FDP_DEC_EXT.1 X FDP_NET_EXT.1 X FMT_CFG_EXT.1 X FMT_MEC_EXT.1 X FMT_SMF.1 X FPR_ANO_EXT.1 X FPT_AEX_EXT.1 X FPT_API_EXT.1 X FPT_IDV_EXT.1 X FPT_LIB_EXT.1 X FPT_TUD_EXT.1 X FPT_TUD_EXT.2 X FTP_DIT_EXT.1 X Security Target Version 1.0, 11/27/2019 Page 29 of 52 Appendix A: TOE Usage of Third-Party Components This Appendix lists the platform APIs and third-party libraries that are used by the TOE. A.1 Platform APIs The Windows platform APIs used by the Web Server are listed below. The Web Server also relies on the standalone IIS and MySQL components referenced in section 2.4.1.  COM controls o Microsoft XMLDOM (COM control) o NameTranslate  APIs in the following platform libraries: o activeds.dll o advapi32.dll o bcrypt.dll o comctl32.dll o comdig32.dll o cryp32.dll o fbwflib.dll o gdi32.dll o iphlpapi.dll o kernel32.dll o mpr.dll o msvcrt.dll o netapi32.dll o ole32.dll o oleaut32.dll o shell32.dll o user32.dll o userenv.dll o version.dll o winhttp.dll o wintrust.dll o wsock32.dll o wtsapi32.dll  APIs in the following platform drivers: o winspool.drv Security Target Version 1.0, 11/27/2019 Page 30 of 52 A.2 Third-Party Libraries The following section lists the third-party libraries used by the TOE:  calwin32.dll  netwin32.dll  locwin32.dll  clxwin32.dll  nwcalls.dll  nwnet.dll  nwlocale.dll The Web Server component also uses the following third-party libraries for PHP and Javascript, with applicable version information:  PHP libraries: o adambrett/shell-wrapper 0.8 o aws/aws-sdk-php 3.19.17 o aws/aws-sdk-php-laravel 3.1.0 o barryvdh/laravel-async-queue dev-master de900c0 o barryvdh/laravel-ide-helper 2.3.2 o barryvdh/laravel-snappy 0.3.1 o barryvdh/reflection-docblock 2.0.4 o bosnadev/repositories 0.9 o classpreloader/classpreloader 3.0.0 o danielstjules/stringy 2.3.2 o dnoegel/php-xdg-base-dir 0.1 o doctrine/annotations 1.2.7 o doctrine/cache 1.6.0 o doctrine/collections 1.3.0 o doctrine/common 2.6.1 o doctrine/dbal 2.5.5 o doctrine/inflector 1.1.0 o doctrine/instantiator 1.0.5 o doctrine/lexer 1.0.1 o evenement/evenement 2.0.1 o fzaninotto/faker 1.7.0 o guzzlehttp/guzzle 6.2.2 o guzzlehttp/promises 1.2.0 o guzzlehttp/psr7 1.3.1 o h4cc/wkhtmltoimage-amd64 0.12.3 Security Target Version 1.0, 11/27/2019 Page 31 of 52 o h4cc/wkhtmltopdf-amd64 0.12.3 o hamcrest/hamcrest-php 1.2.2 o intervention/image 2.3.8 o jakub-onderka/php-console-color 0.1 o jakub-onderka/php-console-highlighter 0.3.2 o jakub-onderka/php-parallel-lint 0.9.2 o jeremeamia/SuperClosure 2.2.0 o jeroen-g/laravel-packager 1.5 o knplabs/knp-snappy 0.4.3 o laravel/framework 5.2.45 o laravelcollective/html 5.2 o league/event 2.1.2 o league/flysystem 1.0.30 o league/fractal 0.13.0 o league/oauth2-server 4.1.6 o lucadegasperi/oauth2-server-laravel 5.1.4 o mockery/mockery 0.9.5 o monolog/monolog 1.21.0 o mtdowling/cron-expression 1.1.0 o mtdowling/jmespath.php 2.3.0 o myclabs/deep-copy 1.5.4 o nesbot/carbon 1.21.0 o nikic/php-parser 2.1.1 o paragonie/random_compat 1.4.1 o phpdocumentor/reflection-common 1.0 o phpdocumentor/reflection-docblock 3.1.1 o phpdocumentor/type-resolver 0.2 o phpspec/php-diff 1.0.2 o phpspec/phpspec 2.5.3 o phpspec/prophecy 1.6.1 o phpunit/php-code-coverage 4.0.1 o phpunit/php-file-iterator 1.4.1 o phpunit/php-text-template 1.2.1 o phpunit/php-timer 1.0.8 o phpunit/php-token-stream 1.4.8 o phpunit/phpunit 5.6.1 o phpunit/phpunit-mock-objects 3.4.0 Security Target Version 1.0, 11/27/2019 Page 32 of 52 o predis/predis 1.1.1 o printerlogic/copy-scan-tracking-pkg 1.0.3 o printerlogic/ms-auth-key-pkg 1.3 o printerlogic/php-coding-standards-pkg 1.1.0 o printerlogic/queuecommber 2.1.2 o printerlogic/site-id-pkg 1.0.0 o psr/http-message 1.0.1 o psr/log 1.0.2 o psy/psysh 0.7.2 o react/cache 0.4.2 o react/dns 0.4.13 o react/event-loop 0.5.2 o react/http 0.8.3 o react/promise 2.5.1 o react/promise-stream 1.1.1 o react/promise-timer 1.3.0 o react/socket 0.8.11 o react/stream 0.7.7 o ringcentral/psr7 1.2.2 o rlerdorf/opcache-status dev-master 4867346 o sebastian/code-unit-reverse-lookup 1.0.0 o sebastian/comparator 1.2.0 o sebastian/diff 1.4.1 o sebastian/environment 1.3.8 o sebastian/exporter 1.2.2 o sebastian/global-state 1.1.1 o sebastian/object-enumerator 1.0.0 o sebastian/recursion-context 1.0.2 o sebastian/resource-operations 1.0.0 o sebastian/version 2.0.0 o spatie/laravel-fractal 1.9.1 o squizlabs/php_codesniffer 3.0.2 o swiftmailer/swiftmailer 5.4.3 o symfony/class-loader 3.2.7 o symfony/console 3.0.9 o symfony/css-selector 3.1.5 o symfony/debug 3.0.9 Security Target Version 1.0, 11/27/2019 Page 33 of 52 o symfony/dom-crawler 3.1.5 o symfony/event-dispatcher 3.1.6 o symfony/finder 3.0.9 o symfony/http-foundation 3.0.9 o symfony/http-kernel 3.0.9 o symfony/polyfill-mbstring 1.3.0 o symfony/polyfill-php56 1.2.0 o symfony/polyfill-util 1.2.0 o symfony/process 3.0.9 o symfony/routing 3.0.9 o symfony/translation 3.0.9 o symfony/var-dumper 3.0.9 o symfony/yaml 3.1.5 o vlucas/phpdotenv 2.4.0 o webmozart/assert 1.1.0 o webpatser/laravel-uuid 2.2.1 o wemersonjanuario/wkhtmltopdf-windows 0.12.2.3 o wimg/php-compatibility 8.0.1  Javascript libraries: o JSONStream 1.3.2 o abbrev 1.1.1 o accounting 0.4.1 o acorn 4.0.13 o ajv 5.5.2 o ajv-keywords 2.1.1 o align-text 0.1.4 o amdefine 1.0.1 o ansi-gray 0.1.1 o ansi-regex 2.1.1 o ansi-styles 2.2.1 o ansi-wrap 0.1.0 o aproba 1.2.0 o archy 1.0.0 o are-we-there-yet 1.1.4 o argparse 1.0.9 o arr-diff 4.0.0 o arr-flatten 1.1.0 Security Target Version 1.0, 11/27/2019 Page 34 of 52 o arr-union 3.1.0 o array-differ 1.0.0 o array-each 1.0.1 o array-filter 0.0.1 o array-find-index 1.0.2 o array-map 0.0.0 o array-reduce 0.0.0 o array-slice 1.1.0 o array-union 1.0.2 o array-uniq 1.0.3 o array-unique 0.3.2 o arrify 1.0.1 o asap 2.0.6 o asn1 0.2.3 o asn1.js 4.9.2 o assert 1.4.1 o assert-plus 1.0.0 o assertion-error 1.1.0 o assign-symbols 1.0.0 o ast-types 0.9.6 o astw 2.2.0 o async 1.5.2 o async-foreach 0.1.3 o asynckit 0.4.0 o atob 2.0.3 o autoprefixer 7.2.5 o aws-sign2 0.7.0 o aws4 1.6.0 o babel-code-frame 6.26.0 o babel-core 6.24.0 o babel-generator 6.26.0 o babel-helper-builder-react-jsx 6.26.0 o babel-helper-call-delegate 6.24.1 o babel-helper-define-map 6.26.0 o babel-helper-function-name 6.24.1 o babel-helper-get-function-arity 6.24.1 o babel-helper-hoist-variables 6.24.1 Security Target Version 1.0, 11/27/2019 Page 35 of 52 o babel-helper-optimise-call-expression 6.24.1 o babel-helper-regex 6.26.0 o babel-helper-replace-supers 6.24.1 o babel-helpers 6.24.1 o babel-messages 6.23.0 o babel-plugin-check-es2015-constants 6.22.0 o babel-plugin-syntax-flow 6.18.0 o babel-plugin-syntax-jsx 6.18.0 o babel-plugin-transform-es2015-arrow-functions 6.22.0 o babel-plugin-transform-es2015-block-scoped-functions 6.22.0 o babel-plugin-transform-es2015-block-scoping 6.26.0 o babel-plugin-transform-es2015-classes 6.23.0 o babel-plugin-transform-es2015-computed-properties 6.24.1 o babel-plugin-transform-es2015-destructuring 6.23.0 o babel-plugin-transform-es2015-duplicate-keys 6.24.1 o babel-plugin-transform-es2015-for-of 6.23.0 o babel-plugin-transform-es2015-function-name 6.24.1 o babel-plugin-transform-es2015-literals 6.22.0 o babel-plugin-transform-es2015-modules-amd 6.24.1 o babel-plugin-transform-es2015-modules-commonjs 6.26.0 o babel-plugin-transform-es2015-modules-systemjs 6.24.1 o babel-plugin-transform-es2015-modules-umd 6.24.1 o babel-plugin-transform-es2015-object-super 6.24.1 o babel-plugin-transform-es2015-parameters 6.24.1 o babel-plugin-transform-es2015-shorthand-properties 6.24.1 o babel-plugin-transform-es2015-spread 6.22.0 o babel-plugin-transform-es2015-sticky-regex 6.24.1 o babel-plugin-transform-es2015-template-literals 6.22.0 o babel-plugin-transform-es2015-typeof-symbol 6.23.0 o babel-plugin-transform-es2015-unicode-regex 6.24.1 o babel-plugin-transform-flow-strip-types 6.22.0 o babel-plugin-transform-react-display-name 6.25.0 o babel-plugin-transform-react-jsx 6.23.0 o babel-plugin-transform-react-jsx-self 6.22.0 o babel-plugin-transform-react-jsx-source 6.22.0 o babel-plugin-transform-regenerator 6.26.0 o babel-plugin-transform-strict-mode 6.24.1 Security Target Version 1.0, 11/27/2019 Page 36 of 52 o babel-preset-es2015 6.24.0 o babel-preset-flow 6.23.0 o babel-preset-react 6.23.0 o babel-register 6.26.0 o babel-runtime 6.26.0 o babel-template 6.26.0 o babel-traverse 6.23.1 o babel-types 6.26.0 o babelify 7.3.0 o babylon 6.18.0 o balanced-match 1.0.0 o base 0.11.2 o base62 0.1.1 o base64-js 1.2.1 o bcrypt-pbkdf 1.0.1 o beeper 1.1.1 o bl 0.9.5 o block-stream 0.0.9 o bn.js 4.11.8 o boom 4.3.1 o bower 1.8.2 o brace-expansion 1.1.8 o braces 2.3.0 o brorand 1.1.0 o browser-pack 6.0.3 o browser-resolve 1.11.2 o browser-stdout 1.3.0 o browserify 14.3.0 o browserify-aes 1.1.1 o browserify-cipher 1.0.0 o browserify-des 1.0.0 o browserify-rsa 4.0.1 o browserify-sign 4.0.4 o browserify-zlib 0.1.4 o browserslist 2.11.3 o buffer 5.0.8 o buffer-xor 1.0.3 Security Target Version 1.0, 11/27/2019 Page 37 of 52 o builtin-modules 1.1.1 o builtin-status-codes 3.0.0 o cache-base 1.0.1 o cached-path-relative 1.0.1 o camelcase 2.1.1 o camelcase-keys 2.1.0 o caniuse-lite 1.0.30000792 o capitalize 1.0.0 o caseless 0.12.0 o center-align 0.1.3 o chai 3.5.0 o chalk 1.1.3 o cipher-base 1.0.4 o circular-json 0.3.3 o class-utils 0.3.6 o classnames 2.2.5 o cliui 3.2.0 o clone 1.0.3 o clone-buffer 1.0.0 o clone-regexp 1.0.0 o clone-stats 0.0.1 o cloneable-readable 1.0.0 o co 4.6.0 o code-point-at 1.1.0 o collection-visit 1.0.0 o color-convert 1.9.1 o color-name 1.1.3 o color-support 1.1.3 o combine-source-map 0.8.0 o combined-stream 1.0.5 o commander 2.9.0 o commoner 0.10.8 o component-emitter 1.2.1 o concat-map 0.0.1 o concat-stream 1.5.2 o concat-with-sourcemaps 1.0.5 o console-browserify 1.1.0 Security Target Version 1.0, 11/27/2019 Page 38 of 52 o console-control-strings 1.1.0 o constants-browserify 1.0.0 o convert-source-map 1.5.1 o copy-descriptor 0.1.1 o core-js 1.2.7 o core-util-is 1.0.2 o cosmiconfig 2.2.2 o create-ecdh 4.0.0 o create-hash 1.1.3 o create-hmac 1.1.6 o create-react-class 15.6.2 o cross-spawn 3.0.1 o cryptiles 3.1.2 o crypto-browserify 3.12.0 o css 2.2.1 o currently-unhandled 0.4.1 o dashdash 1.14.1 o date-now 0.1.4 o dateformat 2.0.0 o debug 2.6.9 o debug-fabulous 0.0.4 o decamelize 1.2.0 o decode-uri-component 0.2.0 o deep-eql 0.1.3 o deep-is 0.1.3 o defaults 1.0.3 o define-property 1.0.0 o defined 1.0.0 o del 2.2.2 o delayed-stream 1.0.0 o delegates 1.0.0 o deprecated 0.0.1 o deps-sort 2.0.0 o des.js 1.0.0 o detect-file 1.0.0 o detect-indent 4.0.0 o detect-newline 2.1.0 Security Target Version 1.0, 11/27/2019 Page 39 of 52 o detective 4.7.1 o diff 1.4.0 o diffie-hellman 5.0.2 o dom-helpers 3.3.1 o domain-browser 1.1.7 o duplexer 0.1.1 o duplexer2 0.1.4 o ecc-jsbn 0.1.1 o electron-to-chromium 1.3.31 o element-class 0.2.2 o elliptic 6.4.0 o encoding 0.1.12 o end-of-stream 0.1.5 o error-ex 1.3.1 o escape-string-regexp 1.0.5 o escodegen 1.8.1 o esprima 2.7.3 o estraverse 1.9.3 o esutils 2.0.2 o event-stream 3.3.4 o events 1.1.1 o evp_bytestokey 1.0.3 o execall 1.0.0 o exenv 1.2.0 o expand-brackets 2.1.4 o expand-range 1.8.2 o expand-tilde 2.0.2 o extend 3.0.1 o extend-shallow 2.0.1 o extglob 2.0.4 o extsprintf 1.3.0 o faker 4.1.0 o fancy-log 1.3.2 o fast-deep-equal 1.0.0 o fast-json-stable-stringify 2.0.0 o fast-levenshtein 2.0.6 o fbjs 0.8.16 Security Target Version 1.0, 11/27/2019 Page 40 of 52 o file-entry-cache 2.0.0 o filename-regex 2.0.1 o fill-range 4.0.0 o find-index 0.1.1 o find-up 1.1.2 o findup-sync 2.0.0 o fined 1.1.0 o first-chunk-stream 1.0.0 o flagged-respawn 1.0.0 o flat-cache 1.3.0 o flatten 1.0.2 o for-in 1.0.2 o for-own 1.0.0 o forever-agent 0.6.1 o form-data 2.3.1 o fragment-cache 0.2.1 o from 0.1.7 o fs.realpath 1.0.0 o fstream 1.0.11 o function-bind 1.1.1 o gauge 2.7.4 o gaze 0.5.2 o get-caller-file 1.0.2 o get-stdin 4.0.1 o get-value 2.0.6 o getpass 0.1.7 o glob 7.1.1 o glob-base 0.3.0 o glob-parent 2.0.0 o glob-stream 3.1.18 o glob-watcher 0.0.6 o glob2base 0.0.12 o global-modules 1.0.0 o global-prefix 1.0.2 o globals 9.18.0 o globby 5.0.0 o globjoin 0.1.4 Security Target Version 1.0, 11/27/2019 Page 41 of 52 o globule 0.1.0 o glogg 1.0.1 o graceful-fs 3.0.11 o graceful-readlink 1.0.1 o growl 1.9.2 o gulp 3.9.1 o gulp-babel 6.1.2 o gulp-clean 0.3.2 o gulp-concat 2.6.1 o gulp-rename 1.2.2 o gulp-sass 3.1.0 o gulp-sourcemaps 2.5.1 o gulp-util 3.0.8 o gulplog 1.0.0 o handlebars 4.0.11 o har-schema 2.0.0 o har-validator 5.0.3 o has 1.0.1 o has-ansi 2.0.0 o has-flag 1.0.0 o has-gulplog 0.1.0 o has-unicode 2.0.1 o has-value 1.0.0 o has-values 1.0.0 o hash-base 2.0.2 o hash.js 1.1.3 o hawk 6.0.2 o hmac-drbg 1.0.1 o hoek 4.2.0 o home-or-tmp 2.0.0 o homedir-polyfill 1.0.1 o hosted-git-info 2.5.0 o html-tags 2.0.0 o htmlescape 1.1.1 o http-signature 1.2.0 o https-browserify 1.0.0 o iconv-lite 0.4.19 Security Target Version 1.0, 11/27/2019 Page 42 of 52 o ieee754 1.1.8 o ignore 3.3.7 o imurmurhash 0.1.4 o in-publish 2.0.0 o indent-string 2.1.0 o indexes-of 1.0.1 o indexof 0.0.1 o inflight 1.0.6 o inherits 2.0.3 o ini 1.3.5 o inline-source-map 0.6.2 o insert-module-globals 7.0.1 o interpret 1.1.0 o invariant 2.2.2 o invert-kv 1.0.0 o is-absolute 1.0.0 o is-accessor-descriptor 1.0.0 o is-arrayish 0.2.1 o is-buffer 1.1.6 o is-builtin-module 1.0.0 o is-data-descriptor 1.0.0 o is-descriptor 1.0.2 o is-directory 0.3.1 o is-dotfile 1.0.3 o is-equal-shallow 0.1.3 o is-extendable 0.1.1 o is-extglob 2.1.1 o is-finite 1.0.2 o is-fullwidth-code-point 1.0.0 o is-glob 3.1.0 o is-number 3.0.0 o is-odd 1.0.0 o is-path-cwd 1.0.0 o is-path-in-cwd 1.0.0 o is-path-inside 1.0.1 o is-plain-object 2.0.4 o is-posix-bracket 0.1.1 Security Target Version 1.0, 11/27/2019 Page 43 of 52 o is-primitive 2.0.0 o is-regexp 1.0.0 o is-relative 1.0.0 o is-stream 1.1.0 o is-supported-regexp-flag 1.0.0 o is-typedarray 1.0.0 o is-unc-path 1.0.0 o is-utf8 0.2.1 o is-windows 1.0.1 o isarray 1.0.0 o isexe 2.0.0 o isobject 3.0.1 o isomorphic-fetch 2.2.1 o isstream 0.1.2 o istanbul 0.4.5 o js-base64 2.4.3 o js-tokens 3.0.2 o js-yaml 3.10.0 o jsbn 0.1.1 o jsesc 1.3.0 o json-schema 0.2.3 o json-schema-traverse 0.3.1 o json-stable-stringify 0.0.1 o json-stringify-safe 5.0.1 o json3 3.3.2 o json5 0.5.1 o jsonify 0.0.0 o jsonparse 1.3.1 o jsprim 1.4.1 o jstransform 10.1.0 o keycode 2.1.9 o kind-of 6.0.2 o known-css-properties 0.3.0 o labeled-stream-splicer 2.0.0 o lazy-cache 2.0.2 o lazy-debug-legacy 0.0.1 o lcid 1.0.0 Security Target Version 1.0, 11/27/2019 Page 44 of 52 o levn 0.3.0 o lexical-scope 1.2.0 o liftoff 2.5.0 o load-json-file 1.1.0 o lodash 4.17.4 o lodash._baseassign 3.2.0 o lodash._basecopy 3.0.1 o lodash._basecreate 3.0.3 o lodash._basetostring 3.0.1 o lodash._basevalues 3.0.0 o lodash._escapehtmlchar 2.4.1 o lodash._escapestringchar 2.4.1 o lodash._getnative 3.9.1 o lodash._htmlescapes 2.4.1 o lodash._isiterateecall 3.0.9 o lodash._isnative 2.4.1 o lodash._objecttypes 2.4.1 o lodash._reescape 3.0.0 o lodash._reevaluate 3.0.0 o lodash._reinterpolate 3.0.0 o lodash._reunescapedhtml 2.4.1 o lodash._root 3.0.1 o lodash._shimkeys 2.4.1 o lodash.assign 4.2.0 o lodash.clonedeep 4.5.0 o lodash.create 3.1.1 o lodash.defaults 2.4.1 o lodash.escape 3.2.0 o lodash.isarguments 3.1.0 o lodash.isarray 3.0.4 o lodash.isobject 2.4.1 o lodash.keys 3.1.2 o lodash.memoize 3.0.4 o lodash.mergewith 4.6.0 o lodash.restparam 3.6.1 o lodash.template 3.6.2 o lodash.templatesettings 3.1.1 Security Target Version 1.0, 11/27/2019 Page 45 of 52 o lodash.values 2.4.1 o log-symbols 2.2.0 o longest 1.0.1 o loose-envify 1.3.1 o loud-rejection 1.6.0 o lru-cache 2.7.3 o make-iterator 1.0.0 o map-cache 0.2.2 o map-obj 1.0.1 o map-stream 0.1.0 o map-visit 1.0.0 o mathml-tag-names 2.0.1 o md5.js 1.3.4 o meow 3.7.0 o micromatch 3.1.5 o miller-rabin 4.0.1 o mime-db 1.30.0 o mime-types 2.1.17 o minimalistic-assert 1.0.0 o minimalistic-crypto-utils 1.0.1 o minimatch 3.0.4 o minimist 0.0.8 o mixin-deep 1.3.0 o mkdirp 0.5.1 o mocha 3.2.0 o module-deps 4.1.1 o ms 2.0.0 o multipipe 0.1.2 o nan 2.8.0 o nanomatch 1.2.7 o natives 1.1.1 o node-fetch 1.7.3 o node-gyp 3.6.2 o node-sass 4.5.3 o nopt 3.0.6 o normalize-package-data 2.4.0 o normalize-path 2.1.1 Security Target Version 1.0, 11/27/2019 Page 46 of 52 o normalize-range 0.1.2 o normalize-selector 0.2.0 o npmlog 4.1.2 o num2fraction 1.2.2 o number-is-nan 1.0.1 o oauth-sign 0.8.2 o object-assign 4.1.1 o object-copy 0.1.0 o object-keys 0.4.0 o object-visit 1.0.1 o object.defaults 1.1.0 o object.map 1.0.1 o object.omit 2.0.1 o object.pick 1.3.0 o once 1.4.0 o optimist 0.6.1 o optionator 0.8.2 o orchestrator 0.3.8 o ordered-read-streams 0.1.0 o os-browserify 0.1.2 o os-homedir 1.0.2 o os-locale 1.4.0 o os-tmpdir 1.0.2 o osenv 0.1.4 o pako 0.2.9 o parents 1.0.1 o parse-asn1 5.1.0 o parse-filepath 1.0.2 o parse-glob 3.0.4 o parse-json 2.2.0 o parse-passwd 1.0.0 o pascalcase 0.1.1 o path-browserify 0.0.0 o path-exists 2.1.0 o path-is-absolute 1.0.1 o path-is-inside 1.0.2 o path-parse 1.0.5 Security Target Version 1.0, 11/27/2019 Page 47 of 52 o path-platform 0.11.15 o path-root 0.1.1 o path-root-regex 0.1.2 o path-type 1.1.0 o pause-stream 0.0.11 o pbkdf2 3.0.14 o performance-now 2.1.0 o pi-observer o pi-react-components o pify 2.3.0 o pinkie 2.0.4 o pinkie-promise 2.0.1 o posix-character-classes 0.1.1 o postcss 6.0.16 o postcss-less 1.1.3 o postcss-media-query-parser 0.2.3 o postcss-reporter 5.0.0 o postcss-resolve-nested-selector 0.1.1 o postcss-scss 1.0.3 o postcss-selector-parser 2.2.3 o postcss-sorting 3.1.0 o postcss-value-parser 3.3.0 o prelude-ls 1.1.2 o preserve 0.2.0 o pretty-hrtime 1.0.3 o private 0.1.8 o process 0.11.10 o process-nextick-args 1.0.7 o promise 7.3.1 o prop-types 15.6.0 o prop-types-extra 1.0.1 o pseudomap 1.0.2 o public-encrypt 4.0.0 o punycode 1.4.1 o q 1.5.1 o qs 6.5.1 o querystring 0.2.0 Security Target Version 1.0, 11/27/2019 Page 48 of 52 o querystring-es3 0.2.1 o randomatic 1.1.7 o randombytes 2.0.6 o randomfill 1.0.3 o react 15.4.2 o react-bootstrap 0.31.5 o react-bootstrap-table 4.3.1 o react-dom 15.4.2 o react-list-select 0.3.0 o react-modal 1.7.3 o react-overlays 0.7.4 o react-s-alert 1.4.1 o react-tools 0.13.3 o reactify 1.1.1 o read-only-stream 2.0.0 o read-pkg 1.1.0 o read-pkg-up 1.0.1 o readable-stream 2.3.3 o recast 0.11.23 o rechoir 0.6.2 o redent 1.0.0 o regenerate 1.3.3 o regenerator-runtime 0.11.1 o regenerator-transform 0.10.1 o regex-cache 0.4.4 o regex-not 1.0.0 o regexpu-core 2.0.0 o regjsgen 0.2.0 o regjsparser 0.1.5 o remove-trailing-separator 1.1.0 o repeat-element 1.1.2 o repeat-string 1.6.1 o repeating 2.0.1 o replace-ext 0.0.1 o request 2.83.0 o require-dir 0.3.2 o require-directory 2.1.1 Security Target Version 1.0, 11/27/2019 Page 49 of 52 o require-from-string 1.2.1 o require-main-filename 1.0.1 o resolve 1.5.0 o resolve-dir 1.0.1 o resolve-from 3.0.0 o resolve-url 0.2.1 o riek 1.1.0 o right-align 0.1.3 o rimraf 2.6.2 o ripemd160 2.0.1 o run-sequence 1.2.2 o safe-buffer 5.1.1 o sass-graph 2.2.4 o scss-tokenizer 0.2.3 o semver 4.3.6 o sequencify 0.0.7 o set-blocking 2.0.0 o set-getter 0.1.0 o set-value 2.0.0 o setimmediate 1.0.5 o sha.js 2.4.10 o shasum 1.0.2 o shell-quote 1.6.1 o sigmund 1.0.1 o signal-exit 3.0.2 o slash 1.0.0 o slice-ansi 1.0.0 o snapdragon 0.8.1 o snapdragon-node 2.1.1 o snapdragon-util 3.0.1 o sntp 2.1.0 o source-map 0.5.7 o source-map-resolve 0.5.1 o source-map-support 0.4.18 o source-map-url 0.4.0 o sparkles 1.0.0 o spdx-correct 1.0.2 Security Target Version 1.0, 11/27/2019 Page 50 of 52 o spdx-expression-parse 1.0.4 o spdx-license-ids 1.2.2 o specificity 0.3.2 o split 0.3.3 o split-string 3.1.0 o sprintf-js 1.0.3 o sshpk 1.13.1 o static-extend 0.1.2 o stdout-stream 1.4.0 o stream-browserify 2.0.1 o stream-combiner 0.0.4 o stream-combiner2 1.1.1 o stream-consume 0.1.0 o stream-http 2.8.0 o stream-splicer 2.0.0 o string-width 1.0.2 o string_decoder 0.10.31 o stringstream 0.0.5 o strip-ansi 3.0.1 o strip-bom 1.0.0 o strip-bom-string 1.0.0 o strip-indent 1.0.1 o style-search 0.1.0 o stylelint 8.1.1 o stylelint-order 0.7.0 o subarg 1.0.0 o sugarss 1.0.1 o supports-color 2.0.0 o svg-tags 1.0.0 o syntax-error 1.3.0 o table 4.0.2 o tar 2.2.1 o through 2.3.8 o through2 2.0.3 o tildify 1.2.0 o time-stamp 1.1.0 o timers-browserify 1.4.2 Security Target Version 1.0, 11/27/2019 Page 51 of 52 o to-arraybuffer 1.0.1 o to-fast-properties 1.0.3 o to-object-path 0.3.0 o to-regex 3.0.1 o to-regex-range 2.1.1 o tough-cookie 2.3.3 o trim-newlines 1.0.0 o trim-right 1.0.1 o tty-browserify 0.0.1 o tunnel-agent 0.6.0 o tweetnacl 0.14.5 o type-check 0.3.2 o type-detect 1.0.0 o typedarray 0.0.6 o ua-parser-js 0.7.17 o uglify-js 2.8.29 o uglify-to-browserify 1.0.2 o umd 3.0.1 o unc-path-regex 0.1.2 o uncontrollable 4.1.0 o union-value 1.0.0 o uniq 1.0.1 o unique-stream 1.0.0 o unset-value 1.0.0 o urix 0.1.0 o url 0.11.0 o use 2.0.2 o user-home 1.1.1 o utf8 2.1.2 o util 0.10.3 o util-deprecate 1.0.2 o uuid 3.2.1 o v8flags 2.1.1 o validate-npm-package-license 3.0.1 o verror 1.10.0 o vinyl 0.5.3 o vinyl-buffer 1.0.0 Security Target Version 1.0, 11/27/2019 Page 52 of 52 o vinyl-fs 0.3.14 o vinyl-source-stream 1.1.0 o vinyl-sourcemaps-apply 0.2.1 o vm-browserify 0.0.4 o warning 3.0.0 o whatwg-fetch 2.0.3 o which 1.3.0 o which-module 1.0.0 o wide-align 1.1.2 o window-size 0.1.0 o wordwrap 1.0.0 o wrap-ansi 2.1.0 o wrappy 1.0.2 o write 0.2.1 o xtend 4.0.1 o y18n 3.2.1 o yallist 2.1.2 o yargs 7.1.0 o yargs-parser 5.0.0