KECS-CR-07-11 Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 of TSonNet Co., Ltd. Certification No. : KECS-CISS-0070-2007 June 2007 National Intelligence Service IT Security Certification Center This document is the certification report on REDOWL SecuOS V4.0 for MS Windows 2003 of TSonNet. Certification Committee Ministry of Information and Communication: Cho, Gyu Jo National Security Research Institute: Park, Jong Wook Korea University: Lim, Jong In Sung Kyun Kwan University: Kim, Seung Joo Soon Chun Hyang University: Youm, Heung Youl Ewha Womans University: Chae, Ki Joon Chungnam National University: Ryou, Jae Cheol Electronics and Telecommunications Research Institute: Sohn, Sung Won Hannam University: Lee, Kang Soo Certification Body National Intelligence Service IT Security Certification Center Evaluation Body Korea Information Security Agency Table of Contents 1. Overview ······································································································1 2. TOE Identification ···················································································2 3. Security Policy ··························································································3 4. TOE Assumptions and Scope ·····························································4 4.1 Assumptions ·····································································································4 4.2 Scope to Counter a Threat ·········································································5 5. TOE Information ······················································································5 6. Guidance ······································································································6 7. TOE Test ····································································································6 7.1 Developer's Test ····························································································6 7.2 Evaluator's Test ·····························································································7 8. Evaluation Configuration ······································································8 9. Evaluation Result ·····················································································8 10. Recommendations ·················································································13 11. Acronyms and Glossary ···································································13 12. Reference ·································································································14 Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 - 1 - 1. Overview This report is for the certification body to describe the certification result, which inspects the results of the EAL3+ evaluation of REDOWL SecuOS V4.0 for MS Windows 2003 with regard to the Common Criteria for Information Technology Security Evaluation (Notification No. 2005-25 of the Ministry of Information and Communication; "CC" hereinafter). The Korea Information Security Agency (KISA) has finished the evaluation of the REDOWL SecuOS V4.0 for MS Windows 2003 on the 15th of May, 2006. This report is written based on the Evaluation Technical Report produced and provided by the KISA. The evaluation concludes that the TOE satisfies the CC part 2 and the EAL3 of the part 3 assurance requirements with augmenting ADV_IMP.2, ADV_LLD.1, ALC_TAT.1, ATE_DPT.2, AVA_VLA.2; thus, it is assigned the verdict 'pass' on the basis of the paragraph 191 of the CC part 1. In addition, the TOE satisfies the Label-based Access Control System Protection Profile for Government V1.1(May. 17. 2006). REDOWL is installed in a specific system shall be protected, and it is the label-based access control system, which provides the security function of mandatory access control, discretionary access control, etc. REDOWL provides the security functions such as the mandatory access control, the discretionary access control, the identification and authentication, and the security audit, and other functions to protect the system. The evaluation covers the following security functions provided by the TOE : • Security Audit • User Date Protection • Security Management • Identification and Authentication • TSF Protection • Trusted Path/Channels - TOE uses SHA-1(160 bits) and SEED(128 bits) algorithm to connect trusted channels • TOE Access - TOE controls access to the administrators and users session The certification body has examined the evaluation activities and testing procedures, provided the guidance regarding the technical problems and Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 - 2 - evaluation procedures, and reviewed each evaluation work package and evaluation technical report. In conclusion, the certification body has confirmed that the evaluation results gave assurance that the TOE meets all security functional requirements and assurance requirements described in the Security Target(ST). As a result, the certification body has certified that the evaluator's observations and evaluation results were accurate and reasonable, and his verdict on each work package was correct. Certification Validity: The information contained in this certification report does not mean that the use of REDOWL SecuOS V4.0 for MS Windows 2003 is approved or its quality is guaranteed by governmental agency of the Republic of Korea. 2. TOE Identification The [Table 1] summarizes the information of the TOE identification. Evaluation Guidance Korea IT Security Evaluation and Certification Guidance (Apr. 11, 2007) Korea IT Security Evaluation and Certification Scheme (Apr. 15, 2007) TOE REDOWL SecuOS V4.0 for MS Windows 2003 Protection Profile Label-based Access Control System Protection Profile for Government V1.1(May. 17. 2006) Security Target REDOWL SecuOS V4.0 for MS Windows 2003 ST V1.7 (May. 11, 2007) ETR REDOWL SecuOS V4.0 for MS Windows 2003 ETR V1.0 (May. 15, 2007) Evaluation Result Conformance to the CC V2.3 part 2 Conformance to the augmented part 3 (ADV_IMP.2, ADV_LLD.1, ALC_TAT.1, ATE_DPT.2, AVA_VLA.2) Evaluation Criteria Common Criteria for Information Technology Security Evaluation (May. 21, 2005) Evaluation Methodology Common Methodology for Informations Technology Security Evaluation V2.3 Sponsor TSonNet Co., Ltd. Developer TSonNet Co., Ltd. Evaluation Team KISA IT Security Evaluation Center, Evaluation Team 1 Kyungho Son, Taeseung Lee, Namkyun Baik, Hoch대l Chae, Ilgon Kim, Jinsu Hyun Certification Body National Intelligence Service [Table 1] TOE Identification Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 - 3 - [Table 2] describes the system specification of the TOE. [Table 2] REDOWL SecuOS V4.0 for MS Windows 2003 Operating Environment Category Specification REDOWL Enterprise CPU Intel Pentium 4, 1GHz Memory 1Gbyte Interface 10/100base Ethernet card 1 HDD 36Gbyte Operating System Windows 2003 Server REDOWL Agent CPU Intel Pentium 4, 1GHz Memory 1Gbyte Interface 10/100base Ethernet card 1 HDD 18Gbyt Operating System Windows 2003 Server REDOWL Manager CPU Pentium III(500MHz) Memory 256Mbyte Interface 10/100base Ethernet card 1 HDD 10Gbyte Operating System MS Windows 2000 Professional 3. Security Policy The TOE operation conforms to the security policies stated below: Audit Record Every security-relevant event should be recorded and saved to make it possible to trace the responsibility of every action; the recorded data should be reviewed. Mandatory Access Control TOE should have capability of controlling accesses toward objects by the basis of subject’s security labeling. Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 - 4 - Allowance of security labels TOE should have capability of allowing or canceling of security labels in accordance with the organization’s access control policies and procedures. Identification & Authentication The administrator should pass through the process of identification and authentication before using the security functions of the TOE. Security Management Only an authorized administrator who accesses through trusted communication can use the security management function. Cryptographic The cryptographic algorithm and module used in the TOE must be approved by the Director of National Intelligence Service. Discretionary Access Control TOE should have capability of controlling accesses toward information by identities of users or user-belonged groups. 4. TOE Assumptions and Scope 4.1 Assumptions The TOE installation and operation should conform to the assumptions stated below: A.Physical Security The TOE is located in physically secure environment where only authorized administrators are allowed the access. A.Trusted Administrator An authorized administrator of the TOE possesses no malicious intention, is adequately educated, and performs his/her duties in accordance with the administrative guideline. A.Hardened OS The underlying OS of the TOE ensures the reliability and stability by both eliminating the unnecessary services or means not required by the TOE and installing the OS patches. Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 - 5 - A.TIME The IT environment of the TOE is provided with a reliable Timestamp from the NTP server which conforms to RFC 1305 or from the OS. 4.2 Scope to Counter a Threat The TOE provides a means to counter security threat such as intrusion attempts on server assets, etc. Although the TOE does not have a countermeasure for a direct physical attack which disables or bypasses security functions, it provides a countermeasure for a logical attack occurred by threat agents possessing low-level expertise, resources, and motivation. All security objectives and security policies are described to provide a means to counter an identified security threat. 5. TOE Information The TOE provides an label based access control function. The figure below shows the structure of the TOE. (Figure 1) REDOWL basic structure Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 - 6 - The main components of TOE include LKM, CUI and GUI. As the core component, LKM performs MAC (Mandatory Access Control), detecting hacking attacks by tracing ‘root’privileged daemon processes, prevention mechanism of resource reuse and controls executions of system commands by users or IP addresses by managing extra access control lists. And LKM also collects and generates audit data for every security events. CUI(Character User Interface) is the interface between securityadministrator, GUI(Graphic User Interface) and LKM. By using CUI, it is able to operate the activation and termination of REDOWL system, setting up and inquiry of security information or audit data. GUI(Graphic User Interface) provides graphical interfaceto REDOWL administrator. GUI performs the same functions as CUI component, and those commands called by GUI are conducted through CUI subsystem. And separately from CUI, GUI presents statistics and analysis for audit data. 6. Guidance The TOE provides the following guidances: - REDOWL SecuOS V4.0 for MS Windows 2003 Administrator Guidance V1.5, May. 11, 2007 - REDOWL SecuOS V4.0 for MS Windows 2003 Delivery and Operation V1.3, May. 11, 2007 7. TOE Test 7.1 Developer's Test • Test Method The developer produced the test considering the security function of the TOE. Each test is described in test documentation including the following items in detail: - Test No./Tester : The identifier of the test and the developer who participated in testing Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 - 7 - - Purpose of the test : Describes the purpose of the test including security function and security module to be tested - Test configuration : Detailed environment where the test is carried out - Detailed test procedure : Detailed procedure to test security functions - Expected result : Test result expected when performing the test procedure - Actual result : Test result acquired when the test is performed The evaluator performed an evaluation of the validity such as the test configuration, test procedure, test scope analysis, and the low-level design test. The evaluator verified that the developer's test and its results were adequate for the evaluation configuration. • Test configuration The test configuration described in the test documentation includes the detailed configuration such as the organization of network for the test, the TOE, PC and the server. In addition, it describes detailed test configuration such as the application sever(e.g. web server, mail server, etc.) and test tools required to perform each test. • Test Scope Analysis/Low-Level Design Test The detailed evaluation results are described in the ATE_COV and ATE_DPT evaluation result. • Test Result The test documentation describes the expected result and actual result of each test. The actual result is confirmed through the audit record as well as the GUI of the TOE. 7.2 Evaluator's Test The evaluator installed the TOE using the evaluation configuration and evaluation tools identical to those of the developer test and performed testing for the overall tests provided by the developer. The evaluator confirmed that the actual result of every test was consistent with the expected result. Moreover, the evaluator devised and performed additional evaluator's tests on the basis of the developer's test, and confirmed that the actual test result was Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 - 8 - consistent with the expected test result. The evaluator carried out the vulnerability test and confirmed that there was no exploitable vulnerability in the evaluation configuration. The evaluator's test result assured that the TOE worked normally as described in the design documentation. 8. Evaluation Configuration The network configuration for the evaluation is only internal network. The following information is about the hardware used for the evaluation configuration: Category REDOWL Enterprise REDOWL Agent REDOWL Manager CPU Pentium Ⅳ 1GHz Pentium Ⅳ 1.8GHz Pentium Ⅲ 1GHz Memory 1 Gbyte 2 Gbyte 512 Mbyte Total 3 [Table 3] Hardware used for the evaluation configuration The following information is about the software used for the evaluation configuration: - Windows 2003 Server - Windows 2000 Professional All security functions provided by the TOE are included in the scope of evaluation. The evaluation configuration is based on the detailed security attributes and configuration of each security function. 9. Evaluation Result The evaluation is on the basis of the Common Criteria for Information Technology Security Evaluation, Common Methodology for Information Technology Security Evaluation V2.3. It concludes that the TOE satisfies the CC V2.3 part 2 and EAL3+ of the CC V2.3 part 3 assurance requirements. The detailed information regarding the evaluation is described in the ETR Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 - 9 - • ST Evaluation (ASE) The evaluator applied the ASE sub-activities described in the CEM V2.2 to the evaluation of the ST of the TOE. The ST introduction is complete and consistent with other parts of the ST, and correctly identifies the ST. The TOE description contains relevant information to aid the understanding of the purpose of the TOE and its functionality, and is complete, internally consistent, and consistent with other parts of the ST. The TOE security environment in the ST clearly and consistently defines the assumptions, threats, and organizational security policies related to the security problem that the TOE and its environment are intended to address, and is described completely and consistently. The security objectives counter the identified threats, achieve the organizational security policies, and satisfy the stated assumptions. The IT security requirements (both the TOE security functional requirements and the TOE security assurance requirements) and the security requirements for the IT environment are described completely and consistently and provide an adequate basis for the development of a TOE that will achieve its security objectives. The TOE summary specification provides a clear and consistent definition of the security functions and assurance measures and satisfies the specified TOE security requirements. The ST is a correct instantiation of any PP for which compliance is being claimed. Thus, the ST is complete, consistent, technically sound, and hence suitable for use as the basis for the corresponding TOE evaluation. • Configuration Management Evaluation (ACM) The evaluator applied the ACM sub-activities described in the CEM V2.3 to the evaluation of the configuration management of the TOE. The evaluator confirmed the following through an examination of the configuration management documentation: - The developer controls changes of the implementation representation with the support of automated tools. - The developer has clearly identified the TOE and its associated configuration items; the ability to modify these items is properly controlled. - The developer performs configuration management on, at a minimum, the TOE implementation representation, the evaluation evidence required by the assurance components in the ST, and security flaws. Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 - 10 - Thus, the configuration management documentation assists the consumer in identifying the evaluated TOE, and ensures that the configuration items are uniquely identified and that the procedures used by the developer to control and track changes of the TOE are adequate. • Delivery and Operation Evaluation (ADO) The evaluator applied the ADO sub-activities described in the CEM V2.3 to the evaluation of the delivery and operation of the TOE. The delivery documentation describes all procedures used to maintain the security of the TOE and detect modification or substitution of the TOE when distributing the TOE to the user's site. The procedures and steps for the secure installation, generation, and start-up of the TOE have been documented, which ensures a secure configuration of the TOE. Thus, the delivery and operation documentation is adequate to ensure that the TOE is installed, generated, and started in the same way the developer intended it and that it is delivered without modification. • Development Evaluation (ADV) The evaluator applied the ADV sub-activities described in the CEM V2.3 to the evaluation of the development of the TOE. The functional specification adequately describes all security functions of the TOE and explains that the security functions of the TOE are sufficient to satisfy the security functional requirements in the ST. The security policy modeling clearly and consistently describes the rules and characteristics of the security policies; this description corresponds with the security functions described in the functional specification. The high-level design describes the TSF in terms of subsystems, major TOE structural units, and adequately explains the interfaces to the subsystems. It is a correct realization of the functional specification. The low-level design describes the internal workings of the TSF in terms of modules and their interrelationships and dependencies. It is sufficient to satisfy the functional requirements in the ST and is a correct and effective refinement of the high-level design. The implementation representation is sufficient to satisfy the functional requirements in the ST and is a correct realization of the low-level design. Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 - 11 - The representation correspondence shows that the developer has correctly and completely implemented the requirements in the ST into the functional specification, high-level design, low-level design, and implementation representation. Thus, the following design documentations are adequate to aid understanding how the TSFs are provided: the functional specification which describes the external interfaces to the TOE; the high-level design which describes the architecture of the TOE in terms of internal subsystems; the low-level design which describes the architecture of the TOE in terms of internal modules; the implementation representation in the form of source code-level description; and the representation correspondence which maps representations of the TOE to one another in order to ensure consistency. • Guidance Evaluation (AGD) The evaluator applied the AGD sub-activities described in the CEM V2.3 to the evaluation of the guidance of the TOE. The administrator guidance describes how to administer the TOE in a secure manner. Thus, the guidance documentation adequately describes how to use the TOE in a secure manner. • Life Cycle Support Evaluation (ALC) The evaluator applied the ALC sub-activities described in the CEM V2.3 to the evaluation of the life cycle support of the TOE. The evaluator confirmed that the developer's control on the security of the development environment was adequate to provide the confidentiality and integrity of the TOE design and implementation that are necessary to ensure secure operation of the TOE; that the developer had used a documented life-cycle model of the TOE; and that the developer had used well-defined development tools that yield consistent and predictable results. Thus, the life cycle support adequately describes the procedures which the developer uses during the development and maintenance of the TOE, including the security procedures and tools used in the development of the TOE. • Tests Evaluation (ATE) The evaluator applied the ATE sub-activities described in the CEM V2.3 to the evaluation of the test of the TOE. Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 - 12 - The testing is sufficient to establish that the TSF has been systematically tested against the functional specification. The evaluator confirmed that the developer had tested the TSF against its high-level design. The developer's functional test documentation is sufficient to demonstrate that the security functions perform as specified. The evaluator confirmed that the TOE behaved as specified by performing independent testing of a subset of the TSF and gained confidence in the developer's test results by performing entire developer's tests. Thus, by performing independent testing of a subset of the TSF, the evaluator confirmed that the TSF behaved in accordance with the TOE security functional requirements stated in the ST and the design documentation. • Vulnerability Assessment Evaluation (AVA) The evaluator applied the AVA sub-activities described in the CEM V2.3 to the evaluation of the vulnerability assessment of the TOE. From the misuse analysis, it is confirmed that the guidance is not misleading, unreasonable, or conflicting; that secure procedures for all modes of operation have been addressed; and that the use of the guidance will facilitate prevention and detection of insecure TOE state. It is confirmed that the SOF claims are made for all probabilistic or permutational mechanisms in the ST and that the analysis of the developer's SOF claims is correct. The vulnerability analysis document describes the identified vulnerabilities of the TOE and appropriate countermeasures, for example, by specifying operational environment in the functional specification or guidance documents. The evaluator confirmed the accuracy of the vulnerability analysis by conducting independent vulnerability analysis. From the vulnerability analysis, it is confirmed that the TOE, in its intended environment, has no vulnerability exploitable by attackers possessing low attack potential. Thus, based upon the developer/evaluator's vulnerability analysis and the evaluator's penetration testing, it is confirmed that there are no flaws or weaknesses of the TOE that are exploitable in its intended environment. Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 - 13 - 10. Recommendations • The port control function in this product provides the default policy as all port being ‘disable’ except some necessary port(11102(TCP), 4001(UDP) port for communicating between REDOWL Enterprise and Manager) to operate the product. Therefore, the security administrator should re-configure the port policy for the organization. • The product provides the function sending m ail to the security administrator whenever the storage space is arrived in the limit space. So, the security administrator must check the storage media and make more space. • The product provides trusted channel using SEED algorithm. TOE and security administrator will be able to access the pre-shared key which is used for trusted channel. Administrator Guidance ‘6.5 Matters that require attention when it is installing' describes secure key management. Security administrator should establish the product according to this guidance • The only security administrator uses and manages the configuration of product. Accordingly, security administrator should change security password periodically for secure management. 11. Acronyms and Glossary The following acronyms are used in this certification report. CR Certification Report EAL Evaluation Assurance Level IT Information Technology KECS Korea IT security Evaluation and Certification Scheme TOE Target of Evaluation The following terms are used in this certification report. TOE An IT product or system and its associated guidance documentation that are the subject of evaluation Certification Report on REDOWL SecuOS V4.0 for MS Windows 2003 - 14 - Audit record Audit data to save an auditable event relevant to the security of the TOE User Any entity (either human or external IT entity) outside the TOE that interacts with the TOE Authorized administrator Authorized user that can manage the TOE in accordance with the TSP Authorized user User that can run functions of the TOE in accordance with the TSP Identity A representation uniquely identifying an authorized user External IT entity Any IT product or system, either trusted or untrusted, outside the TOE that interacts with the TOE Assets Information and resources to be protected by the security measures of the TOE NTP An internet standard protocol that assures accurate synchronization to the millisecond of computer clock times in a network of computers 12. References The certification body has used the following documents to produce the certification report: [1] Common Criteria for Information Technology Security Evaluation (May. 21, 2005.) [2] Common Methodology for Information Technology Security Evaluation V2.3 [3] Label-based Access Control System Protection Profile for Government V1.1(May. 17. 2006) [4] Korea IT Security Evaluation and Certification Guidance (Apr. 11, 2007) [5] Korea IT Security Evaluation and Certification Scheme (Apr. 15, 2007) [6] REDOWL SecuOS V4.0 for MS Windows 2003 ST V1.7 (May. 11, 2007) [7] REDOWL SecuOS V4.0 for MS Windows 2003 ETR, V1.00 (May. 11, 2007)