Trend Micro Virtual Mobile Infrastructure (TMVMI), Version 6 (ASPP13) Security Target Version 0.4 06/29/2020 Prepared for: SK Infosec, Inc. 23, Pangyo-ro 227beon-gil, Bundang-gu, Seongnam-si, Gyeonggi-do (13486) Prepared By: www.gossamersec.com Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 2 of 30 1. SECURITY TARGET INTRODUCTION....................................................................... 4 1.1 SECURITY TARGET REFERENCE .......................................................................................... 4 1.2 TOE REFERENCE................................................................................................................ 5 1.3 TOE OVERVIEW ................................................................................................................. 5 1.4 TOE DESCRIPTION ............................................................................................................. 6 1.4.1 TOE Architecture........................................................................................................ 6 1.4.2 TOE Documentation ................................................................................................... 7 2. CONFORMANCE CLAIMS............................................................................................. 8 2.1 CONFORMANCE RATIONALE............................................................................................... 9 3. SECURITY OBJECTIVES ............................................................................................. 10 3.1 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT ....................................... 10 4. EXTENDED COMPONENTS DEFINITION ............................................................... 11 5. SECURITY REQUIREMENTS...................................................................................... 12 5.1 TOE SECURITY FUNCTIONAL REQUIREMENTS ................................................................. 12 5.1.1 Cryptographic support (FCS)................................................................................... 13 5.1.2 User data protection (FDP)...................................................................................... 15 5.1.3 Identification and authentication (FIA).................................................................... 16 5.1.4 Security management (FMT) .................................................................................... 17 5.1.5 Privacy (FPR)........................................................................................................... 17 5.1.6 Protection of the TSF (FPT) ..................................................................................... 19 5.1.7 Trusted path/channels (FTP).................................................................................... 17 5.2 TOE SECURITY ASSURANCE REQUIREMENTS................................................................... 18 5.2.1 Development (ADV).................................................................................................. 18 5.2.2 Guidance documents (AGD)..................................................................................... 19 5.2.3 Life-cycle support (ALC)........................................................................................... 22 5.2.4 Tests (ATE)................................................................................................................ 23 5.2.5 Vulnerability assessment (AVA)................................................................................ 23 6. TOE SUMMARY SPECIFICATION............................................................................. 25 6.1 CRYPTOGRAPHIC SUPPORT................................................................................................ 25 6.2 USER DATA PROTECTION .................................................................................................. 26 6.3 IDENTIFICATION AND AUTHENTICATION........................................................................... 26 6.4 SECURITY MANAGEMENT.................................................................................................. 27 6.5 PRIVACY........................................................................................................................... 27 6.6 PROTECTION OF THE TSF.................................................................................................. 27 6.7 TRUSTED PATH/CHANNELS ............................................................................................... 29 7. SECURITY RELATED PLATFORM APIS INVOKED BY TOE ............................. 30 7.1 ANDROID JAVA APIS........................................................................................................ 30 7.2 IOS OBJ-C APIS ............................................................................................................... 30 LIST OF TABLES Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 3 of 30 Table 1 TOE Security Functional Components....................................................................... 13 Table 2 Assurance Components ................................................................................................ 18 Table 3 CAVP Certificates......................................................................................................... 25 Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 4 of 30 1. Security Target Introduction This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST conformance claims, and the ST organization. The TOE is Trend Micro Virtual Mobile Infrastructure (TMVMI). The TOE is being evaluated as a software application. The Security Target contains the following additional sections: • Conformance Claims (Section 2) • Security Objectives (Section 3) • Extended Components Definition (Section 4) • Security Requirements (Section 5) • TOE Summary Specification (Section 6) Conventions The following conventions have been applied in this document: • Security Functional Requirements – Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: iteration, assignment, selection, and refinement. o Iteration: allows a component to be used more than once with varying operations. In the ST, iteration is indicated by a parenthetical number placed at the end of the component. For example FDP_ACC.1(1) and FDP_ACC.1(2) indicate that the ST includes two iterations of the FDP_ACC.1 requirement. o Assignment: allows the specification of an identified parameter. Assignments are indicated using bold and are surrounded by brackets (e.g., [assignment]). Note that an assignment within a selection would be identified in italics and with embedded bold brackets (e.g., [[selected-assignment]]). o Selection: allows the specification of one or more elements from a list. Selections are indicated using bold italics and are surrounded by brackets (e.g., [selection]). o Refinement: allows the addition of details. Refinements are indicated using bold, for additions, and strike-through, for deletions (e.g., “… all objects …” or “… some big things …”). • Other sections of the ST – Other sections of the ST use bolding to highlight text of special interest, such as captions. 1.1 Security Target Reference ST Title – Trend Micro Virtual Mobile Infrastructure (TMVMI), Version 6 (ASPP13) Security Target ST Version – Version 0.4 Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 5 of 30 ST Date – 06/29/2020 1.2 TOE Reference TOE Identification – Trend Micro Virtual Mobile Infrastructure (TMVMI), Version 6 TOE Developer – Trend Micro, Inc. Evaluation Sponsor – SK Infosec, Inc. 1.3 TOE Overview The Target of Evaluation (TOE) is the Trend Micro Virtual Mobile Infrastructure (TMVMI), Version 6. The TOE is the Virtual Mobile Infrastructure Client application for Android and iOS platforms. The TOE is a thin client providing access to a Trend Micro Virtual Mobile Infrastructure (VMI) server from a mobile device. The TOE was tested on the following mobile devices. Device Name Processor Operating System Samsung Galaxy S10 Qualcomm Snapdragon 855 (SDM855) Android 9.0 Apple iPhone 7 Apple A10 Apple iOS 13.1 The TOE runs on a Samsung Galaxy S10, Note 10, S9, Note 9, S8, and Note 8 devices running Android 9. The TOE also runs on Apple iOS 13.1 on iPhone devices including iPhone X, 8, 7, and 6. The same application runs on all Android devices and the same application runs on all iPhone devices. The S10 was used for Android testing and iPhone 7 was used for iOS testing. All other devices are claimed as equivalent. Device Name Processor Operating System Samsung Devices Galaxy S10+ Qualcomm Snapdragon 855 (SDM855) Android 9.0 Galaxy S10 Qualcomm Snapdragon 855 (SDM855) Android 9.0 Galaxy Note10 Qualcomm Snapdragon 855 (SDM855) Android 9.0 Galaxy Note10+ Qualcomm Snapdragon 855 (SDM855) Android 9.0 Galaxy Note10+ 5G Qualcomm Snapdragon 855 (SDM855) Android 9.0 Galaxy S9+ Qualcomm Snapdragon 845 (SDM845) Android 9.0 Galaxy S9 Qualcomm Snapdragon 845 (SDM845) Android 9.0 Galaxy Note 9 Qualcomm Snapdragon 845 (SDM845) Android 9.0 Galaxy S8+ Qualcomm Snapdragon 835 (SDM845) Android 9.0 Galaxy S8 Qualcomm Snapdragon 835 (SDM845) Android 9.0 Galaxy Note 8 Qualcomm Snapdragon 835 (SDM845) Android 9.0 Apple Devices iPhone XS Apple A12 Bionic iOS 13.1 iPhone XS Max Apple A12 Bionic iOS 13.1 iPhone XR Apple A12 Bionic iOS 13.1 iPhone X Apple A11 iOS 13.1 iPhone 8 Plus Apple A11 iOS 13.1 Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 6 of 30 iPhone 8 Apple A11 iOS 13.1 iPhone 7 Plus Apple A10 iOS 13.1 iPhone 7 Apple A10 iOS 13.1 iPhone 6 Plus Apple A9 iOS 13.1 iPhone 6 Apple A9 iOS 13.1 1.4 TOE Description A VMI client is a service that hosts independent workspaces for every user. A user workspace is based on the Android operating system, which is accessible via the VMI mobile client application installed on an Android or iOS mobile device. Using the VMI client application, users can access the same mobile environment that includes all their applications and data from any location, without being tied to a single mobile device. The VMI client presents only the interface offered by the VMI server and ensures that communication with the server utilizes secured protocols. The TOE when executed, connects to the specified Trend Micro Virtual Mobile Infrastructure (VMI) server, authenticating the server's certificate received while negotiating the HTTPS or TLS session. The TOE is responsible only for protecting data-in-transit between the physical mobile device and the VMI server. 1.4.1 TOE Architecture The TOE is an application installed onto a physical mobile device from the Google Playstore or Apple App Store. 1.4.1.1 Physical Boundaries The physical boundary of the TOE is the physical perimeter of the device on which the TOE resides 1.4.1.2 Logical Boundaries This section summarizes the security functions provided by the VMI Client: - Cryptographic support - User data protection - Security management - Privacy - Protection of the TSF - Trusted path/channels 1.4.1.2.1 Cryptographic support The VMI client utilizes platform APIs to provide secure network communication using the HTTPS. The client also uses its own cryptography to establish a trusted TLS channels to transmit data to the VMI Server. Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 7 of 30 1.4.1.2.2 User data protection The VMI client informs a user of hardware and software resources the TOE accesses. It uses the platform’s permission mechanism to get a user’s approval for access. The user initiates a secure network connection to the VMI server using the TOE. In general, sensitive data resides on the VMI server and not the VMI Client, although the client does store encrypted credentials. 1.4.1.2.3 Identification and authentication The VMI client performs certificate validation checking for TLS connections. Both Android and iOS applications support OCSP stapling when performing validity checks. 1.4.1.2.4 Security management The VMI client does not include any predefined or default credentials, and utilize the platform recommended storage process for configuration options. 1.4.1.2.5 Privacy The VMI client does not collect any PII and does not transmit any PII over a network. 1.4.1.2.6 Protection of the TSF The VMI client relies on the physical boundary of the evaluated platform as well as the Android and iOS operating system for the protection of the TOE’s application components. All compiled VMI client code is designed to utilize compiler provided anti-exploitation capabilities. The VMI client application is available through the Google Playstore and the Apple store. 1.4.1.2.7 Trusted path/channels The VMI client utilizes platform API to establish HTTPS connections to a VMI server. The client also uses OpenSSL to establish TLS connections to a VMI server. 1.4.2 TOE Documentation Trend Micro Virtual Mobile Infrastructure (TMVMI) User’s Guide, Version 0.3, 06/29/2020 Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 8 of 30 2. Conformance Claims This TOE is conformant to the following CC specifications: • Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1, Revision 5, April 2017. • Part 2 Extended • Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1, Revision 5, April 2017. • Part 3 Extended • Package Claims: • Protection Profile for Application Software, Version 1.3, 1 March 2019 (ASPP13) • Functional Package for Transport Layer Security (TLS), Version 1.1, 1 March 2019 (PKGTLS11) • NIAP Technical Decisions TD Number Summary Applied Rationale TD0510 Obtaining random bytes for iOS/macOS Yes TD0505 Clarification of revocation testing under RFC6066 Yes TD0499 Testing with pinned certificates Yes TD0498 Application Software PP Security Objectives and Requirements Rationale Yes TD0495 FIA_X509_EXT.1.2 Test Clarification Yes TD0486 Removal of PP-Module for VPN Clients from allowed with list Yes TD0473 Support for Client or Server TOEs in FCS_HTTPS_EXT No SFR not included TD0469 Modification of test activity for FCS_TLSS_EXT.1.1 test 4.1 No SFR not included TD0465 Configuration Storage for .NET Apps No Windows platform not included TD0445 User Modifiable File Definition Yes TD0444 IPsec selections No SFR not included TD0442 Updated TLS Ciphersuites for TLS Package Yes TD0437 Supported Configuration Mechanism Yes Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 9 of 30 TD0435 Alternative to SELinux for FPT_AEX_EXT.1.3 No Linux platform not included TD0434 Windows Desktop Applications Test No Windows platform not included TD0427 Reliable Time Source Yes TD0416 Correction to FCS_RBG_EXT.1 Test Activity Yes 2.1 Conformance Rationale The ST conforms to the ASPP13/PKGTLS11. As explained previously, the security problem definition, security objectives, and security requirements have been drawn from the PP. Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 10 of 30 3. Security Objectives The Security Problem Definition may be found in the ASPP13/PKGTLS11and this section reproduces only the corresponding Security Objectives for operational environment for reader convenience. The ASPP13/PKGTLS11offers additional information about the identified security objectives, but that has not been reproduced here and the ASPP13 should be consulted if there is interest in that material. In general, the ASPP13/PKGTLS11has defined Security Objectives appropriate for a software application and as such are applicable to the VMI Client TOE. 3.1 Security Objectives for the Operational Environment OE.PLATFORM The TOE relies upon a trustworthy computing platform for its execution. This includes the underlying operating system and any discrete execution environment provided to the TOE. OE.PROPER_ADMIN The administrator of the application software is not careless, willfully negligent or hostile, and administers the software within compliance of the applied enterprise security policy. OE.PROPER_USER The user of the application software is not willfully negligent or hostile, and uses the software within compliance of the applied enterprise security policy. Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 11 of 30 4. Extended Components Definition All of the extended requirements in this ST have been drawn from the ASPP13/PKGTLS11. The ASPP13/PKGTLS11defines the following extended requirements and since they are not redefined in this ST the ASPP13/PKGTLS11should be consulted for more information in regard to those CC extensions. Extended SFRs: - ASPP13:FCS_CKM_EXT.1: Cryptographic Key Generation Services - ASPP13:FCS_RBG_EXT.1: Random Bit Generation Services - ASPP13:FCS_STO_EXT.1: Storage of Credentials - PKGTLS11:FCS_TLS_EXT.1:TLS Protocol - PKGTLS11:FCS_TLSC_EXT.1:TLS Client Protocol - ASPP13:FDP_DAR_EXT.1: Encryption Of Sensitive Application Data - ASPP13:FDP_DEC_EXT.1: Access to Platform Resources - ASPP13:FDP_NET_EXT.1: Network Communications - ASPP13:FIA_X509_EXT.1: X.509 Certificate Validation - ASPP13:FIA_X509_EXT.2: X.509 Certificate Authentication - ASPP13:FMT_CFG_EXT.1: Secure by Default Configuration - ASPP13:FMT_MEC_EXT.1: Supported Configuration Mechanism - ASPP13:FPR_ANO_EXT.1: User Consent for Transmission of Personally Identifiable - ASPP13:FPT_AEX_EXT.1: Anti-Exploitation Capabilities - ASPP13:FPT_API_EXT.1: Use of Supported Services and APIs - ASPP13:FPT_IDV_EXT.1: Software Identification and Versions - ASPP13:FPT_LIB_EXT.1: Use of Third Party Libraries - ASPP13:FPT_TUD_EXT.1: Integrity for Installation and Update -ASPP13:FPT_TUD_EXT.2: Integrity for Installation and Update - ASPP13:FTP_DIT_EXT.1: Protection of Data in Transit Extended SARs: - ALC_TSU_EXT.1: Timely Security Updates Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 12 of 30 5. Security Requirements This section defines the Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) that serve to represent the security functional claims for the Target of Evaluation (TOE) and to scope the evaluation effort. The SFRs have all been drawn from the ASPP13/PKGTLS11. The refinements and operations already performed in the ASPP13/PKGTLS11are not identified (e.g., highlighted) here, rather the requirements have been copied from the ASPP13/PKGTLS11and any residual operations have been completed herein. Of particular note, the ASPP13/PKGTLS11made a number of refinements and completed some of the SFR operations defined in the Common Criteria (CC) and that PP should be consulted to identify those changes if necessary. The SARs are also drawn from the ASPP13/PKGTLS11which includes all the SARs for EAL 1. However, the SARs are effectively refined since requirement-specific 'Assurance Activities' are defined in the ASPP13/PKGTLS11that serve to ensure corresponding evaluations will yield more practical and consistent assurance than the EAL 1 assurance requirements alone. The ASPP13/PKGTLS11should be consulted for the assurance activity definitions. 5.1 TOE Security Functional Requirements The following table identifies the SFRs that are satisfied by VMI Client TOE. Requirement Class Requirement Component FCS: Cryptographic support ASPP13:FCS_CKM.2: Cryptographic Key Establishment ASPP13:FCS_CKM_EXT.1: Cryptographic Key Generation Services ASPP13:FCS_COP.1(1): Cryptographic Operation – Encryption/Decryption ASPP13:FCS_COP.1(2): Cryptographic Operation – Hashing ASPP13:FCS_RBG_EXT.1: Random Bit Generation Services ASPP13:FCS_STO_EXT.1: Storage of Credentials PKGTLS11:FCS_TLS_EXT.1:TLS Protocol PKGTLS11:FCS_TLSC_EXT.1:TLS Client Protocol FDP: User data protection ASPP13:FDP_DAR_EXT.1: Encryption Of Sensitive Application Data ASPP13:FDP_DEC_EXT.1: Access to Platform Resources ASPP13:FDP_NET_EXT.1: Network Communications FIA: Identification and Authentication ASPP13:FIA_X509_EXT.1: X.509 Certificate Validation ASPP13:FIA_X509_EXT.2: X.509 Certificate Authentication Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 13 of 30 FMT: Security management ASPP13:FMT_CFG_EXT.1: Secure by Default Configuration ASPP13:FMT_MEC_EXT.1: Supported Configuration Mechanism ASPP13:FMT_SMF.1: Specification of Management Functions FPR: Privacy ASPP13:FPR_ANO_EXT.1: User Consent for Transmission of Personally Identifiable FPT: Protection of the TSF ASPP13:FPT_AEX_EXT.1: Anti-Exploitation Capabilities ASPP13:FPT_API_EXT.1: Use of Supported Services and APIs ASPP13:FPT_IDV_EXT.1: Software Identification and Versions ASPP13:FPT_LIB_EXT.1: Use of Third Party Libraries ASPP13:FPT_TUD_EXT.1: Integrity for Installation and Update ASPP13:FPT_TUD_EXT.2: Integrity for Installation and Update FTP: Trusted path/channels ASPP13:FTP_DIT_EXT.1: Protection of Data in Transit Table 1 TOE Security Functional Components 5.1.1 Cryptographic support (FCS) 5.1.1.1 Cryptographic Key Establishment (ASPP13:FCS_CKM.2) ASPP13:FCS_CKM.2.1 The application shall [implement functionality] to perform cryptographic key establishment in accordance with a specified cryptographic key establishment method: [RSA-based key establishment schemes that meets the following: NIST Special Publication 800-56B, 'Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography”]]. 5.1.1.2 Cryptographic Key Generation Services (ASPP13:FCS_CKM_EXT.1) ASPP13:FCS_CKM_EXT.1.1 The application shall [generate no asymmetric cryptographic keys]. 5.1.1.3 Cryptographic Operation – Encryption/Decryption (ASPP13:FCS_COP.1(1)) ASPP13:FCS_COP.1(1) Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 14 of 30 The application shall perform encryption/decryption in accordance with a specified cryptographic algorithm [AES-CBC (as defined in NIST SP 800-38A) mode] and cryptographic key sizes [128-bit]. 5.1.1.4 Cryptographic Operation - Hashing (ASPP13:FCS_COP.1(2)) ASPP13:FCS_COP.1.1(2) The application shall perform cryptographic hashing services in accordance with a specified cryptographic algorithm [SHA-1] and message digest sizes [160, 256,] bits that meet the following: FIPS Pub 180-4. 5.1.1.5 Random Bit Generation Services (ASPP13:FCS_RBG_EXT.1) ASPP13:FCS_RBG_EXT.1.1 The application shall [invoke platform-provided DRBG functionality] for its cryptographic operations. 5.1.1.6 Storage of Credentials (ASPP13:FCS_STO_EXT.1) ASPP13:FCS_STO_EXT.1.1 The application shall [implement functionality to securely store [server account password] according to [FCS_COP.1(1)]] to non-volatile memory. 5.1.1.7 TLS Protocol (PKGTLS11:FCS_TLS_EXT.1) PKGTLS11:FCS_TLS_EXT.1.1 The product shall implement [TLS as a client]. 5.1.1.8 TLS Client Protocol (PKGTLS11:FCS_TLSC_EXT.1) PKGTLS11:FCS_TLSC_EXT.1.1 The product shall implement TLS 1.2 (RFC 5246) and [no earlier TLS versions] as a client that supports the cipher suites [TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246] and also supports functionality for [session renegotiation] (TD0442 applied) PKGTLS11:FCS_TLSC_EXT.1.2 The product shall verify that the presented identifier matches the reference identifier according to RFC 6125. PKGTLS11:FCS_TLSC_EXT.1.3 The product shall not establish a trusted channel if the server certificate is invalid [with no exceptions] Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 15 of 30 5.1.2 User data protection (FDP) 5.1.2.1 Encryption Of Sensitive Application Data (ASPP13:FDP_DAR_EXT.1) ASPP13:FDP_DAR_EXT.1.1 The application shall [protect sensitive data in accordance with FCS_STO_EXT.1] in non-volatile memory. 5.1.2.2 Access to Platform Resources (ASPP13:FDP_DEC_EXT.1) ASPP13:FDP_DEC_EXT.1.1 The application shall restrict its access to [ iOS: • Background operation • Camera • Location • Microphone • Photo library • Notifications • Bluetooth Android: • Access network state • Access WIFI state • Bluetooth • Change WIFI state • Internet • Request install packages • Use fingerprint • Vibrate • Wake lock • Foreground service • Access coarse location • Access fine location • Camera • Record audio ]. ASPP13:FDP_DEC_EXT.1.2 The application shall restrict its access to [no sensitive information repositories]. 5.1.2.3 Network Communications (ASPP13:FDP_NET_EXT.1) ASPP13:FDP_NET_EXT.1.1 The application shall restrict network communication to [ user-initiated communication for [connecting to a VMI server], Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 16 of 30 respond to [push notifications from Apple’s APNs server sent from VMI server (on iOS clients)] ]. 5.1.3 Identification and authentication (FIA) 5.1.3.1 X.509 Certificate Validation (ASPP13:FIA_X509_EXT.1) ASPP13:FIA_X509_EXT.1.1 The application shall [implement functionality] to validate certificates in accordance with the following rules: • RFC 5280 certificate validation and certificate path validation. • The certificate path must terminate with a trusted CA certificate. • The application shall validate a certificate path by ensuring the presence of the basicConstraints extension and that the CA flag is set to TRUE for all CA certificates. • The application shall validate the revocation status of the certificate using [OCSP TLS Multi-Certificate Status Request Extension (i.e.,OCSP Multi-stapling) as specified in RFC 6066]. (TD0505 applied) • The application shall validate the extendedKeyUsage field according to the following rules: o Certificates used for trusted updates and executable code integrity verification shall have the Code Signing purpose (id-kp 3 with OID 1.3.6.1.5.5.7.3.3) in the extendedKeyUsage field. o Server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field. o Client certificates presented for TLS shall have the Client Authentication purpose (id-kp 2 with OID 1.3.6.1.5.5.7.3.2) in the extendedKeyUsage field. o S/MIME certificates presented for email encryption and signature shall have the Email Protection purpose (id-kp 4 with OID 1.3.6.1.5.5.7.3.4) in the extendedKeyUsage field. o OCSP certificates presented for OCSP responses shall have the OCSP Signing purpose (id-kp 9 with OID 1.3.6.1.5.5.7.3.9) in the extendedKeyUsage field. o Server certificates presented for EST shall have the CMC Registration Authority (RA) purpose (id-kpcmcRA with OID 1.3.6.1.5.5.7.3.28) in the extendedKeyUsage field. ASPP13:FIA_X509_EXT.1.2 The application shall treat a certificate as a CA certificate only if the basicConstraints extension is present and the CA flag is set to TRUE. Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 17 of 30 5.1.3.2 X.509 Certificate Authentication (ASPP13:FIA_X509_EXT.2) ASPP13:FIA_X509_EXT.2.1 The application shall use X.509v3 certificates as defined by RFC 5280 to support authentication for [HTTPS,TLS] (TD0444 applied) ASPP13:FIA_X509_EXT.2.2 When the application cannot establish a connection to determine the validity of a certificate, the application shall [not accept the certificate]. 5.1.4 Security management (FMT) 5.1.4.1 Secure by Default Configuration (ASPP13:FMT_CFG_EXT.1) ASPP13:FMT_CFG_EXT.1.1 The application shall provide only enough functionality to set new credentials when configured with default credentials or no credentials. ASPP13:FMT_CFG_EXT.1.2 The application shall be configured by default with file permissions which protect the application's binaries and data files from modification by normal unprivileged user. 5.1.4.2 Supported Configuration Mechanism (ASPP13:FMT_MEC_EXT.1) ASPP13:FMT_MEC_EXT.1.1 The application shall [invoke the mechanisms recommended by the platform vendor for storing and setting configuration options] (TD0437 applied) 5.1.4.3 Specification of Management Functions (ASPP13:FMT_SMF.1) ASPP13:FMT_SMF.1.1 The TSF shall be capable of performing the following management functions [ Specify the network address of a VMI server, Set the remember password option]. 5.1.5 Privacy (FPR) 5.1.5.1 User Consent for Transmission of Personally Identifiable (ASPP13:FPR_ANO_EXT.1) ASPP13:FPR_ANO_EXT.1.1 The application shall [not transmit PII over a network]. 5.1.6 Trusted path/channels (FTP) 5.1.6.1 Protection of Data in Transit (ASPP13:FTP_DIT_EXT.1) ASPP13:FTP_DIT_EXT.1.1 The application shall [ • encrypt all transmitted [data] with [TLS as defined in the TLS package] Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 18 of 30 • invoke platform-provided functionality to encrypt all transmitted data with [HTTPS] ] between itself and another trusted IT product. (TD0444 applied) 5.2 TOE Security Assurance Requirements The SARs for the TOE are the components as specified in Part 3 of the Common Criteria. Note that the SARs have effectively been refined with the assurance activities explicitly defined in association with both the SFRs and SARs. Requirement Class Requirement Component ADV: Development ADV_FSP.1: Basic Functional Specification AGD: Guidance documents AGD_OPE.1: Operational User Guidance AGD_PRE.1: Preparative Procedures ALC: Life-cycle support ALC_CMC.1: Labelling of the TOE ALC_CMS.1: TOE CM Coverage ALC_TSU_EXT.1: Timely Security Updates ATE: Tests ATE_IND.1: Independent Testing - Conformance AVA: Vulnerability assessment AVA_VAN.1: Vulnerability Survey Table 2 Assurance Components 5.2.1 Development (ADV) 5.2.1.1 Basic Functional Specification (ADV_FSP.1) ADV_FSP.1.1d The developer shall provide a functional specification. ADV_FSP.1.2d The developer shall provide a tracing from the functional specification to the SFRs. ADV_FSP.1.1c The functional specification shall describe the purpose and method of use for each SFR-enforcing and SFR-supporting TSFI. ADV_FSP.1.2c The functional specification shall identify all parameters associated with each SFR-enforcing and SFR-supporting TSFI. ADV_FSP.1.3c The functional specification shall provide rationale for the implicit categorization of interfaces as SFR-non-interfering. Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 19 of 30 ADV_FSP.1.4c The tracing shall demonstrate that the SFRs trace to TSFIs in the functional specification. ADV_FSP.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ADV_FSP.1.2e The evaluator shall determine that the functional specification is an accurate and complete instantiation of the SFRs. 5.2.2 Protection of the TSF (FPT) 5.2.2.1 Anti-Exploitation Capabilities (ASPP13:FPT_AEX_EXT.1) ASPP13:FPT_AEX_EXT.1.1 The application shall not request to map memory at an explicit address except for [no exceptions]. ASPP13:FPT_AEX_EXT.1.2 The application shall [not allocate any memory region with both write and execute permissions]. ASPP13:FPT_AEX_EXT.1.3 The application shall be compatible with security features provided by the platform vendor. ASPP13:FPT_AEX_EXT.1.4 The application shall not write user-modifiable files to directories that contain executable files unless explicitly directed by the user to do so. ASPP13:FPT_AEX_EXT.1.5 The application shall be built with stack-based buffer overflow protection enabled. 5.2.2.2 Use of Supported Services and APIs (ASPP13:FPT_API_EXT.1) ASPP13:FPT_API_EXT.1.1 The application shall use only documented platform APIs. 5.2.2.3 Software Identification and Versions (ASPP13:FPT_IDV_EXT.1) ASPP13:FPT_IDV_EXT.1.1 The application shall be versioned with [other version information]] 5.2.2.4 Use of Third Party Libraries (ASPP13:FPT_LIB_EXT.1) ASPP13:FPT_LIB_EXT.1.1 The application shall be packaged with only [ iOS: openSSL (Toolkit for TLS protocol) AFNetworking (used for HTTPS request) ASIHTTPRequest (used for HTTP request) Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 20 of 30 Libegal (render remote user interface) Libjpeg (image processing) LibOpenGLRender (render remote user interface) FMDB (sqlite support) G726 (decode audio stream) EGOImageLoading (Image caching) MBProgressHUD (Client user interface) SFHFKeychainUtils (System keychain support) Reachability (Network detection) SBJson (deserialization and serialization) SPLockScreen (Client user interface) TheSidebarController (Client user interface) JSBadgeView (Client user interface) Android: Skia(render remote user interface) openSSL (Toolkit for TLS protocol) x264-152 (To encode video streams) ffmpeg(To decode video and audio streams) LibOpenGLRender (render remote user interface) com.google.code.gson (deserialization and serialization) org.samba.jcifs (For cryptography support) fr.avianey.com.viewpagerindicator (Client user interface) com.github.anzaizai:EasySwipeMenuLayout (Client user interface) ]. 5.2.2.5 Integrity for Installation and Update (ASPP13:FPT_TUD_EXT.1) ASPP13:FPT_TUD_EXT.1.1 The application shall [leverage the platform] to check for updates and patches to the application software. ASPP13:FPT_TUD_EXT.1.2 The application shall [leverage the platform] to query the current version of the application software. ASPP13:FPT_TUD_EXT.1.3 The application shall not download, modify, replace or update its own binary code. ASPP13:FPT_TUD_EXT.1.4 The application installation package and its updates shall be digitally signed such that its platform can cryptographically verify them prior to installation ASPP13:FPT_TUD_EXT.1.5 The application is distributed [as an additional software package to the platform OS] . Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 21 of 30 5.2.2.6 Integrity for Installation and Update (ASPP13:FPT_TUD_EXT.2) ASPP13:FPT_TUD_EXT.2.1 The application shall be distributed using the format of the platform-supported package manager. ASPP13:FPT_TUD_EXT.2.2 The application shall be packaged such that its removal results in the deletion of all traces of the application, with the exception of configuration settings, output files, and audit/log events. 5.2.3 Guidance documents (AGD) 5.2.3.1 Operational User Guidance (AGD_OPE.1) AGD_OPE.1.1d The developer shall provide the TOE, including its preparative procedures. AGD_OPE.1.1c The operational user guidance shall describe, for each user role, the user- accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings. AGD_OPE.1.2c The operational user guidance shall describe, for each user role, how to use the available interfaces provided by the TOE in a secure manner. AGD_OPE.1.3c The operational user guidance shall describe, for each user role, the available functions and interfaces, in particular all security parameters under the control of the user, indicating secure values as appropriate. AGD_OPE.1.4c The operational user guidance shall, for each user role, clearly present each type of security-relevant event relative to the user-accessible functions that need to be performed, including changing the security characteristics of entities under the control of the TSF. AGD_OPE.1.5c The operational user guidance shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences, and implications for maintaining secure operation. AGD_OPE.1.6c The operational user guidance shall, for each user role, describe the security measures to be followed in order to fulfill the security objectives for the operational environment as described in the ST. AGD_OPE.1.7c The operational user guidance shall be clear and reasonable. AGD_OPE.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 22 of 30 5.2.3.2 Preparative Procedures (AGD_PRE.1) AGD_PRE.1.1d The developer shall provide the TOE, including its preparative procedures. AGD_PRE.1.1c The preparative procedures shall describe all the steps necessary for secure acceptance of the delivered TOE in accordance with the developer's delivery procedures. AGD_PRE.1.2c The preparative procedures shall describe all the steps necessary for secure installation of the TOE and for the secure preparation of the operational environment in accordance with the security objectives for the operational environment as described in the ST. AGD_PRE.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. AGD_PRE.1.2e The evaluator shall apply the preparative procedures to confirm that the TOE can be prepared securely for operation. 5.2.4 Life-cycle support (ALC) 5.2.4.1 Labelling of the TOE (ALC_CMC.1) ALC_CMC.1.1d The developer shall provide the TOE and a reference for the TOE. ALC_CMC.1.1c The application shall be labelled with a unique reference. ALC_CMC.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 5.2.4.2 TOE CM Coverage (ALC_CMS.1) ALC_CMS.1.1d The developer shall provide a description in the TSS of how timely security updates are made to the TOE. Application developers must support updates to their products for purposes of fixing security vulnerabilities. ALC_CMS.1.1c The configuration list shall include the following: the TOE itself; and the evaluation evidence required by the SARs. ALC_CMS.1.2c The configuration list shall uniquely identify the configuration items. ALC_CMS.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 23 of 30 5.2.4.3 Timely Security Updates (ALC_TSU_EXT.1) ALC_TSU_EXT.1.1d The developer shall provide a description in the TSS of how timely security updates are made to the TOE. Note: Application developers must support updates to their products for purposes of fixing security vulnerabilities. ALC_TSU_EXT.1.2d The developer shall provide a description in the TSS of how users are notified when updates change security properties or the configuration of the product. ALC_TSU_EXT.1.1c The description shall include the process for creating and deploying security updates for the TOE software. ALC_TSU_EXT.1.2c The description shall express the time window as the length of time, in days, between public disclosure of a vulnerability and the public availability of security updates to the TOE. ALC_TSU_EXT.1.3c The description shall include the mechanisms publicly available for reporting security issues pertaining to the TOE. Note: The reporting mechanism could include web sites, email addresses, as well as a means to protect the sensitive nature of the report (e.g., public keys that could be used to encrypt the details of a proof-of-concept exploit). ALC_TSU_EXT.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 5.2.5 Tests (ATE) 5.2.5.1 Independent Testing - Conformance (ATE_IND.1) ATE_IND.1.1d The developer shall provide the TOE for testing. ATE_IND.1.1c The TOE shall be suitable for testing. ATE_IND.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ATE_IND.1.2e The evaluator shall test a subset of the TSF to confirm that the TSF operates as specified. 5.2.6 Vulnerability assessment (AVA) 5.2.6.1 Vulnerability Survey (AVA_VAN.1) AVA_VAN.1.1d The developer shall provide the TOE for testing. Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 24 of 30 AVA_VAN.1.1c The TOE shall be suitable for testing. AVA_VAN.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. AVA_VAN.1.2e The evaluator shall perform a search of public domain sources to identify potential vulnerabilities in the TOE. AVA_VAN.1.3e The evaluator shall conduct penetration testing, based on the identified potential vulnerabilities, to determine that the TOE is resistant to attacks performed by an attacker possessing Basic attack potential. Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 25 of 30 6. TOE Summary Specification This chapter describes the security functions: - Cryptographic support - User data protection - Security management - Privacy - Protection of the TSF - Trusted path/channels 6.1 Cryptographic support ASPP13:FCS_CKM.2 The TOE supports RSA key establishment (key size 2048) as part of HTLS. The TOE acts as a client for TLS (RSA) when communicating with the VMI Server. ASPP13:FCS_CKM_EXT.1 The TOE does not generate asymmetric cryptographic keys. The TOE does use RSA keys as part of RSA key establishment when making TLS connections. Key generation is not required as the ASPP13 notes that if the TOE acts as a receiver in the RSA key establishment scheme, the TOE does not need to implement RSA key generation. ASPP13:FCS_COP.1(1)(2) The TOE provides cryptographic functions using its internal OpenSSL library. The AES operations are used in HTTPS/TLS as well as password storage. The hash function is used as part of HTTPS/TLS cipher negotiation. The TOE has the following Cryptographic Algorithm Validation Program (CAVP) certificates. Functions Requirement Cert # Encryption/Decryption AES CBC (128 bits) ASPP13:FCS_COP.1(1)/Encryption/Decryption 1598, 1599 Cryptographic hashing SHA-1 (digest sizes 160) ASPP13:FCS_COP.1(2)/Hashing 1598, 1599 Table 3 CAVP Certificates ASPP13:FCS_RBG_EXT.1 The TOE uses random data as part of its HTTPS/TLS connection and this random data is obtained from an approved DRBG provided by the platform. The TOE uses the javax.crypto.KeyGenerator class on Android and /dev/random directly on iOS when invoking the DRBG. Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 26 of 30 ASPP13:FCS_STO_EXT.1 The client implements functionality securely store server and account information in a local database. For the VMI server, the TOE stores the server address, port, username and password. The stored password is encrypted with AES128 CBC mode according to FCS_COP.1(1). PKGTLS11:FCS_TLS_EXT.1/ PKGTLS11:FCS_TLSC_EXT.1 The TOE communicates with the VMI Server using HTTPS/TLS. The HTTPS portion of the connection is implemented by the platform. The TOE supports protected communication channels using TLS v1.2 (RFC 5246) secure communication protocols. The TOE supports use of the following ciphersuite: TLS_RSA_WITH_AES_128_CBC_SHA. The following reference identifiers are supported - Subject Alternate Name (SAN) (i.e., DNS or IP Address). Wildcards are supported in certificates and certificate pinning is not supported. If the server certificate is invalid, then a connection is not made. 6.2 User data protection ASPP13:FDP_DAR_EXT.1 The only sensitive data in the TOE is the server password and that is protected as described in FCS_STO_EXT.1. ASPP13:FDP_DEC_EXT.1 The TOE can access the physical resources on the mobile device. For an Android device, the TOE can access Location services, Camera, Phone, Wake lock, Microphone, Bluetooth, Network Access, Audio Settings, and Vibration. For an iOS device, the TOE can access location services, camera, photos, microphone, notifications, Bluetooth, and cellular data. However, the TOE cannot access any of the logical data repositories. ASPP13:FDP_NET_EXT.1 The TOE allows network communication to be initiated by a user in order to connect to a VMI server. The VMI client use VMI Server-initiated network communications to check for notifications and display to user (on iOS). 6.3 Identification and Authentication ASPP13:FIA_X509_EXT.1/2 The TOE performs certificate validation checking for TLS connections. The TOE comes pre- loaded with a certificate. The following fields are verified as appropriate: SAN checks, key Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 27 of 30 usages, chain validation, and lastly expiration status. Wildcards are not allowed in certificates. Both Android and iOS applications support OCSP stapling when performing validity checks. Both applications do not accept certificates as valid when revocation status cannot be determined. 6.4 Security management ASPP13:FMT_CFG_EXT.1 The VMI client does not include any predefined or default credentials. ASPP13:FMT_MEC_EXT.1 The evaluated Android platform on which the TOE executes automatically uses /data/data/package/shared_prefs/ to store configuration options and settings. For an iOS platform, all settings are stored in the iOS the user defaults system. ASPP13:FMT_SMF.1 The TOE provides the ability to specify the network address of a VMI server. The VMI Client can enable the Remember Password setting for each account. The VMI Client Remember Password setting can also be disabled by policies received from the server. 6.5 Privacy ASPP13:FPR_ANO_EXT.1 The VMI client does not collect any PII and does not intentionally transmit any PII over a network. Users may choose to transmit any data over an established connection to the VMI server, but it is not specifically identifiable as PII. 6.6 Protection of the TSF ASPP13:FPT_AEX_EXT.1 Memory mapping and permissions on memory regions are not functions applicable to a Java script application. However, some 3rd party libraries are written in a language other than Java and thus are subject to the requirement for Anti-Exploitation Capabilities. However, none of the 3rd party libraries used by the TOE request memory mapping at explicit addresses, and none allocate memory for both write and execute permission. Android's application management requires application updates to be signed with an Android key, thus allowing the secure updates of its applications. The Android OS Linux kernel is capable of ASLR (address space layout randomization), ensuring that no application uses the same address layout on two different devices. The TOE libraries are also compiled with the '-fstack-protector-all –fno-exceptions' flags in order to enable ASLR and stack-based buffer over flow protections. On iOS the ASLR feature (-pie) is not set by a compiler flag, because it is on by default on the C-language compiler and this setting is required by the Apple App store. The TOE produces such pieces of executable code in runtime and are available in-memory only for the running instance of the application. No piece of user-initiated JIT executable code is ever Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 28 of 30 stored on disk. Also, after the Javascript engine has finished producing this JIT code it is turned into read-only executable memory, limiting the exposure of write-and-execute memory areas. ASPP13:FPT_API_EXT.1 The TOE uses the platform provided APIs for random number operations and HTTPS connections. Refer to the Section 7 for a full list of APIs used by the TOE. ASPP13:FPT_IDV_EXT.1 The platform user interface provides a method to query the current version of many components, including the TOE software. The TOE software version can be accessed on the Settings display in both devices. It is showed in format of “6.0.xxxx”, the “6.0” is the major version, the xxxx is the build number. ASPP13:FPT_LIB_EXT.1 The TOE uses the following third-party libraries: iOS: • openSSL (Toolkit for TLS protocol) • AFNetworking (used for HTTPS request) • ASIHTTPRequest (used for HTTP request) • Libegal (render remote user interface) • Libjpeg (image processing) • LibOpenGLRender (render remote user interface) • FMDB (sqlite support) • G726 (decode audio stream) • EGOImageLoading (Image caching) • MBProgressHUD (Client user interface) • SFHFKeychainUtils (System keychain support) • Reachability (Network detection) • SBJson (deserialization and serialization) • SPLockScreen (Client user interface) • TheSidebarController (Client user interface) • JSBadgeView (Client user interface) Android: • Skia(render remote user interface) • openSSL (Toolkit for TLS protocol) Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 29 of 30 • x264-152 (To encode video streams) • ffmpeg(To decode video and audio streams) • com.google.code.gson (deserialization and serialization) • org.samba.jcifs (For cryptography support) • fr.avianey.com.viewpagerindicator (Client user interface) • com.github.anzaizai:EasySwipeMenuLayout (Client user interface) ASPP13:FPT_TUD_EXT.1/ASPP13:FPT_TUD_EXT.2 The TOE (VIM client) application is available through the Google Playstore and the Apple store. The platform will be providing all required capabilities for trusted updates for store version. TrendMicro will notify customer of updates using each customer’s preferred communication mechanism. Bug reporting is available to users as described in ASPP13:ALC_TSU_EXT.1. ASPP13:ALC_TSU_EXT.1 Trend Micro accepts bug reports (including reports for security vulnerabilities) through email (mobilelab@trendmicro.com) and web (https://www.trendmicro.com) support channels. Trend Micro reviews all bug reports when making product changes to resolve issues associated with the TOE. Trend Micro makes updates and code patches to resolve issues as quickly as possible, and makes updates available to customers. TOE updates are distributed through the Apple App Store and Google Play. For maximum compatibility, Trend Micro recommends customers use the iOS and Android update mechanisms to keep Trend Micro VMI client up-to-date. 6.7 Trusted path/channels ASPP13:FTP_DIT_EXT.1 The TOE utilizes platform API to establish HTTPS to a VMI server. The TOE utilizes its internal OpenSSL to establish TLS1.2 connections to a VMI server. Trend Micro VMI (ASPP13) Security Target Version 0.4, 06/29/2020 Page 30 of 30 7. Security Related Platform APIs Invoked by TOE This section identifies the Platform APIs that are invoked by the TOE which utilize security functions provided by the platform. 7.1 Android Java APIs android.net.http.X509TrustManagerExtensions android.security.KeyChain java.security.KeyStore java.security.KeyStoreException java.security.MessageDigest java.security.NoSuchAlgorithmException java.security.cert.Certificate java.security.cert.CertificateException java.security.cert.CertificateExpiredException java.security.cert.CertificateNotYetValidException java.security.cert.X509Certificate javax.net.ssl.TrustManager javax.net.ssl.TrustManagerFactory javax.net.ssl.X509TrustManager javax.crypto.Cipher; javax.crypto.spec.IvParameterSpec javax.crypto.spec.SecretKeySpec 7.2 iOS Obj-C APIs NSURLProtocol NSURLRequest NSURLConnection [NSURLConnection willSendRequestForAuthenticationChallenge] [NSURLConnection willSendRequest] [NSURLConnection didFailWithError] CCCrypt