Australasian Information Security Evaluation Program
Certification Report
Certificate Number: 2009/54
2 June 2009, Version 1.0

Commonwealth of Australia 2009. Reproduction is authorised provided that the report is copied in its entirety.

Amendment Record
Version  Date        Description
1.0      02/06/2009  Public release.

Executive Summary

1 The target of evaluation (TOE) is the Xerox Workcentre 4150, 4150s, 4150x and 4150xf Multifunction Systems, which consists of a single product with varying feature sets.

2 The TOE is a multifunction device (MFD) that copies and prints, with scan-to-e-mail, network scan and fax options. A standard component of the TOE is the image overwrite security package. This function forces any temporary image files created on the hard disk drive during a copy, print, network scan or scan-to-e-mail job to be overwritten when those files are no longer needed.

3 This report describes the findings of the IT security evaluation of Xerox Corporation's Xerox Workcentre 4150, 4150s, 4150x and 4150xf Multifunction Systems to Common Criteria (CC) evaluation assurance level EAL3 augmented with systematic flaw remediation (ALC_FLR.3). The report concludes that the product has met the target assurance level of EAL3 augmented with ALC_FLR.3 and that the evaluation was conducted in accordance with the relevant criteria and the requirements of the Australasian Information Security Evaluation Program (AISEP). The evaluation was performed by the AISEP evaluation facility Computer Sciences Corporation (CSC) and was completed on 13 May 2009.
4 With regard to the secure operation of the TOE, the Australasian Certification Authority (ACA) recommends that the TOE is: a) used only in its evaluated configuration; b) operated according to the administrator's guidance; c) located in a secure area, visible to the workgroup using the MFD; and d) cleared of pending print jobs and printed documents promptly.

5 This report includes information about the underlying security policies and architecture of the TOE, and information regarding the conduct of the evaluation.

6 It is the responsibility of the user to ensure that the TOE meets their requirements. For this reason, it is recommended that a prospective user of the TOE refer to the Security Target (Ref [1]) and read this Certification Report before deciding whether to purchase the product.

Table of Contents
CHAPTER 1 - INTRODUCTION
1.1 Overview
1.2 Purpose
1.3 Identification
CHAPTER 2 - TARGET OF EVALUATION
2.1 Overview
2.2 Description of the TOE
2.3 Security Policy
2.4 TOE Architecture
2.5 Clarification of Scope
2.5.1 Evaluated Functionality
2.5.2 Non-evaluated Functionality and Services
2.6 Usage
2.6.1 Evaluated Configuration
2.6.2 Delivery Procedures
2.6.3 Determining the Evaluated Configuration
2.6.4 Documentation
CHAPTER 3 - EVALUATION
3.1 Overview
3.2 Evaluation Procedures
3.3 Functional Testing
3.4 Penetration Testing
CHAPTER 4 - CERTIFICATION
4.1 Overview
4.2 Certification Result
4.3 Recommendations
ANNEX A - REFERENCES AND ABBREVIATIONS
A.1 References
A.2 Abbreviations

Chapter 1 - Introduction

1.1 Overview

7 This chapter contains information about the purpose of this document and how to identify the Target of Evaluation (TOE).

1.2 Purpose

8 The purpose of this Certification Report is to: a) report the certification results of the IT security evaluation of the TOE, Xerox Workcentre 4150/4150s/4150x/4150xf Multifunction Systems, against the requirements of the Common Criteria (CC) evaluation assurance level EAL3+; and b) provide a source of detailed security information about the TOE for any interested parties.

9 This report should be read in conjunction with the TOE's Security Target (Ref [1]), which provides a full description of the security requirements and specifications that were used as the basis of the evaluation.

1.3 Identification

10 Table 1 provides identification details for the evaluation. For details of all components included in the evaluated configuration refer to section 2.6.1 Evaluated Configuration.
Table 1: Identification Information

Item: Identifier
Evaluation Scheme: Australasian Information Security Evaluation Program
TOE: Xerox Workcentre 4150/4150s/4150x/4150xf Multifunction Systems
Software Version:
  System Software 10.100.45.021
  Main Controller 1.01.04.35A
  IOT Software 1.00.28
  UI 0.030.32.004
  Network Controller 2.01.56A
  Document Feeder Software 1.02
  Finisher Software (optional) 3.06.05
  Tray Firmware (optional) 1.00.00
Security Target: Xerox Workcentre 4150/4150s/4150x/4150xf Multifunction Systems Security Target, version 1.0, April 6, 2009
Evaluation Level: EAL3
Evaluation Technical Report: XEROX WORKCENTRE MULTIFUNCTION SYSTEMS EVALUATION TECHNICAL REPORT, version 2.0, 13 May 2009
Criteria: CC Version 2.3, August 2005, with interpretations as of 21-Dec-2007
Methodology: Common Criteria, Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 2.3, August 2005, CCMB-2005-08-004, with interpretations as of 21-Dec-2007
Conformance: CC Part 2 Conformant; CC Part 3 Augmented with systematic flaw remediation (ALC_FLR.3)
Sponsor: Xerox Corporation
Developer: Xerox Corporation
Evaluation Facility: CSC

Chapter 2 - Target of Evaluation

2.1 Overview

11 This chapter contains information about the Target of Evaluation (TOE), including: a description of the functionality provided; its architecture components; the scope of evaluation; security policies; and its secure usage.

2.2 Description of the TOE

12 The TOE is the Xerox Workcentre 4150, 4150s, 4150x and 4150xf Multifunction Systems developed by Xerox Corporation. Their primary role is to copy and print, with scan-to-e-mail, network scan and fax options.

13 A standard component of the TOE is the image overwrite security package. This function forces any temporary image files created on the hard disk drive during a copy, print, network scan or scan-to-e-mail job to be overwritten when those files are no longer needed.
14 The TOE stores temporary image data created during a copy (landscape/stapled type only), print, network scan or scan-to-e-mail job on an internal hard disk drive (HDD). This temporary image data consists of the original data submitted and additional files created during a job. Because fax jobs are not written to the HDD, there are no temporary image files to be overwritten for this service. Print, network scan and scan-to-e-mail jobs are written directly to the HDD when the job enters the system. Copy jobs are buffered in volatile memory with one exception: only copy jobs of type "landscape/stapled" are written to the disk. Any data that is written to the disk is overwritten at the completion of the job.

2.3 Security Policy

15 The TOE Security Policy (TSP) is a set of rules that defines how the information within the TOE is managed and protected. The TSP is defined in the Security Target (Ref [1]). A summary of the TSP is provided below: i) user data protection policy; ii) information flow control policy; iii) SSL security function policy; iv) IP filter security function policy; and v) privileged user access security function policy.

2.4 TOE Architecture

16 The TOE consists of the following subsystems:

a) Copy Controller subsystem. The Copy Controller provides all of the functions necessary to implement a digital copier, and works together with the fax card to implement embedded fax functionality. The Copy Controller contains the image path, which uses proprietary hardware and algorithms to process the scanned images into high quality reproductions. Among other common copier functions, the Mass Storage Controller (MSC) works with the dynamic random access memory (DRAM) to enable electronic pre-collation, sometimes referred to as scan-once/print-many.
b) Network Controller subsystem. The Network Controller provides both network and direct-connect external interfaces, and enables print, e-mail, network scan and LanFAX functionality. The Network Controller also incorporates an open-source web server (Apache) that exports a Web User Interface (WebUI) through which users can submit jobs and check job and machine status, and through which system administrators can remotely administer the machine.

c) Fax card subsystem. The embedded fax service uses an optionally installed embedded fax card to send and receive images over the telephone interface. The fax card plugs into a local bus on the Copy Controller.

d) Scanner subsystem. The purpose of the Scanner subsystem is to provide mechanical transport of hardcopy originals and to convert hardcopy originals to electronic data.

e) Graphical User Interface (GUI) subsystem. The GUI subsystem detects soft and hard button actuations at the local user interface, and provides text and graphical prompts to the user. The GUI is sometimes referred to as the Local User Interface (LUI) to distinguish it from the WebUI, which is exported by the web service that runs in the Network Controller.

f) Marking Engine subsystem. The Marking Engine performs copy or print paper feeding and transport, image marking and fusing, and document finishing. Images are not stored at any point in these subsystems.

2.5 Clarification of Scope

17 The scope of the evaluation was limited to those claims made in the Security Target (Ref [1]). It includes all software and firmware installed on the product.

2.5.1 Evaluated Functionality

18 The TOE's evaluated security functionality is described in detail in the Security Target (Ref [1]) and includes: a) security audit; b) cryptographic support; c) user data protection; d) identification and authentication; e) security management; and f) protection of the TOE security functions.
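The temporary-image handling described in section 2.2 (paragraphs 13 and 14), with fax never reaching the HDD, ordinary copy jobs held in DRAM, landscape/stapled copies and print or scan jobs written to disk, and every disk file overwritten at job completion, is modelled below as an added Python example. This is illustration code written for this report page, not Xerox's implementation: the job-kind names, the three-pass overwrite sequence and the 16-byte residue window are assumptions, because the report states that disk files are overwritten but not how.

```python
"""Model of the temporary-image handling in section 2.2 (paras 13-14).  Added
example for this report page, not Xerox code: the job-kind names, three-pass
overwrite sequence and residue check are assumptions, since the report says HDD
files are overwritten at job completion but not how."""
import os
import tempfile
from dataclasses import dataclass

DISK_JOBS = frozenset({"print", "network_scan", "scan_to_email"})  # written to HDD on entry
OVERWRITE_PASSES = (b"\x00", b"\xff", b"\x55")  # assumed; report gives no pattern/pass count


@dataclass
class JobRecord:
    job_id: int
    kind: str
    on_disk: bool
    path: str = ""


class ImageSpooler:
    """Routes job images to DRAM or HDD and sanitises HDD files on completion."""
    def __init__(self, spool_dir: str) -> None:
        self.spool_dir = spool_dir
        self.volatile = {}  # stand-in for DRAM buffering of ordinary copy jobs
        self._next_id = 0

    @staticmethod
    def needs_disk(kind: str, landscape_stapled: bool) -> bool:
        if kind == "fax":
            return False  # fax images never touch the HDD
        if kind == "copy":
            return landscape_stapled  # only landscape/stapled copies reach disk
        if kind in DISK_JOBS:
            return True
        raise ValueError(f"unknown job kind: {kind!r}")

    def submit(self, kind: str, image: bytes, landscape_stapled: bool = False) -> JobRecord:
        job_id, self._next_id = self._next_id, self._next_id + 1
        if not self.needs_disk(kind, landscape_stapled):
            if kind != "fax":
                self.volatile[job_id] = image
            return JobRecord(job_id, kind, on_disk=False)
        path = os.path.join(self.spool_dir, f"job{job_id}.img")
        with open(path, "wb") as fh:
            fh.write(image)
            fh.flush()
            os.fsync(fh.fileno())
        return JobRecord(job_id, kind, on_disk=True, path=path)

    def complete(self, rec: JobRecord) -> bytes:
        """Drop the DRAM copy, overwrite then unlink any HDD file; return the
        bytes at the file's location just before unlink, for a residue check."""
        self.volatile.pop(rec.job_id, None)
        if not rec.on_disk:
            return b""
        final = overwrite_file(rec.path, OVERWRITE_PASSES)
        os.unlink(rec.path)
        return final


def overwrite_file(path: str, passes) -> bytes:
    """Overwrite every byte in place once per pattern, fsyncing each pass.
    Caveat: only blocks currently mapped to the file are touched; journaling or
    copy-on-write filesystems and wear-levelled flash may keep stale copies."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            fh.write(pattern * size)
            fh.flush()
            os.fsync(fh.fileno())
        fh.seek(0)
        return fh.read()


def image_survives(blob: bytes, image: bytes, window: int = 16) -> bool:
    """True if any `window`-byte run of the original image is still in blob."""
    return any(image[i:i + window] in blob for i in range(max(1, len(image) - window + 1)))


def demo() -> dict:
    """Push four job types through the spooler and report what each left behind."""
    image = bytes(range(256)) * 8  # constructed 2 KiB stand-in for a scanned page
    results = {}
    with tempfile.TemporaryDirectory() as spool:
        sp = ImageSpooler(spool)
        for kind, ls in (("print", False), ("fax", False), ("copy", False), ("copy", True)):
            rec = sp.submit(kind, image, landscape_stapled=ls)
            in_dram = rec.job_id in sp.volatile
            raw_before = b""
            if rec.on_disk:
                with open(rec.path, "rb") as fh:
                    raw_before = fh.read()
            final = sp.complete(rec)
            results[kind + ("_landscape_stapled" if ls else "")] = {
                "on_disk": rec.on_disk,
                "in_dram": in_dram,
                "image_present_before": image_survives(raw_before, image),
                "image_present_after": image_survives(final, image),
                "file_remains": bool(rec.on_disk and os.path.exists(rec.path)),
            }
    return results
```

Running `demo()` shows the point of the overwrite package: a print job or a landscape/stapled copy leaves the image on the spool path while the job is active and nothing of it once the job completes, whereas fax and ordinary copy jobs never produce a disk file at all. The caveat in `overwrite_file` is why an in-place overwrite is an assurance claim about a specific storage stack rather than a universal guarantee: it is only as good as the mapping between the file and the physical blocks underneath it.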
2.5.2 Non-evaluated Functionality and Services

19 Potential users of the TOE are advised that some functions and services have not been evaluated as part of the evaluation. Potential users of the TOE should carefully consider their requirements for using functions and services outside of the evaluated configuration; Australian Government users should refer to the Australian Government Information and Communications Technology Security Manual (ISM) (Ref [2]) for policy relating to using an evaluated product in an un-evaluated configuration. New Zealand Government users should consult the Government Communications Security Bureau (GCSB).

20 The functions and services that have not been included as part of the evaluation are: a) printer drivers.

2.6 Usage

2.6.1 Evaluated Configuration

21 This section describes the configurations of the TOE that were included within the scope of the evaluation. The assurance gained via evaluation applies specifically to the TOE in these defined evaluated configuration(s). Australian Government users should refer to the ISM (Ref [2]) to ensure that the configuration(s) meet the minimum Australian Government policy requirements. New Zealand Government users should consult the Government Communications Security Bureau (GCSB).

22 The TOE is comprised of the software components identified in the Security Target (Ref [1]).

2.6.2 Delivery Procedures

23 When placing an order for the TOE, purchasers should make it clear to their supplier that they wish to receive the evaluated product.

24 The following delivery procedures will be used during delivery of the TOE: a) A customer representative at the delivery centre will contact the customer to arrange a delivery date. b) A Xerox Authorised Representative (XAR) or a local delivery contractor (e.g. UPS) will deliver the device to the customer site. c) The XAR or the customer will install the TOE per the installation instructions.
If there is an issue during delivery, the XAR will order and install replacement parts, or commence re-delivery of the TOE if necessary.

2.6.3 Determining the Evaluated Configuration

25 In accordance with the Security Target, delivery and installation of the TOE will be by a Xerox Authorised Representative (XAR) using the appropriate Xerox delivery and installation guidance. This provides assurance that the correct version of the TOE has been delivered.

26 For additional assurance, it is recommended that end users of the TOE verify the following: a) Model: To verify that the correct model has been delivered, inspect the front of the device for a model number. "WorkCentre 4150" should be clearly labelled on the front of the unit. If this cannot be found, on the rear of the copier there should be a Xerox Corporation sticker that identifies the "WorkCentre 4150" model number along with the device serial number and other information. b) Features: Ensure that all components received (including optional features) are consistent with those ordered. Confirm that the features received are consistent with the features identified for the model and ensure all required features as identified in the evaluated configuration are installed. c) Firmware: After powering on the device, print a configuration page via the LUI. Verify that the device firmware versions are consistent with the versions stated in the Security Target (Ref [1]) and listed in Table 1. If the firmware is not consistent with the Security Target, update it as per the administrator guidance (Ref [3]).

2.6.4 Documentation

27 It is important that the TOE is used in accordance with the guidance documentation in order to ensure secure usage. The following documentation is provided with the TOE: i) User Guidance CD-ROM, ID: 538N00053. The User Guidance CD-ROM contains a PDF document that provides in-depth configuration and usage instructions for the TOE.
The guidance serves to assist both the administrator and users of the TOE. ii) Administrative Guidance CD-ROM, ID: 538N00058. The Administrative Guidance CD-ROM contains an interactive Flash program that serves to assist the administrator in configuring all features of the TOE. iii) Installation Instructions, ID: 700N00130. The installation instructions provide a language-independent guide for accepting and installing the TOE. The instructions use clear pictures that demonstrate step by step the initial physical installation procedures. iv) WorkCentre 4150 Getting Started Guide, ID: 700N00139. The Getting Started Guide gives a quick introduction to the installation, configuration and operation of the TOE.

28 The evaluation of the TOE took into account certain assumptions about its operational environment. These assumptions must hold in order to ensure that the security objectives of the TOE are met.

29 Section 3, 'TOE Security Environment', of the Security Target (Ref [1]) provides a full description of the assumptions. Assumptions are made in the following areas: a) installation; b) access; c) management; d) administration; e) network; f) control; g) compliance; h) PINs; and i) procedures.

Chapter 3 - Evaluation

3.1 Overview

30 This chapter contains information about the procedures used in conducting the evaluation and the testing conducted as part of the evaluation.

3.2 Evaluation Procedures

31 The criteria against which the Target of Evaluation (TOE) has been evaluated are contained in the Common Criteria for Information Technology Security Evaluation (Refs [4], [5] and [6]). The methodology used is described in the Common Methodology for Information Technology Security Evaluation (CEM) (Ref [7]). The evaluation was also carried out in accordance with the operational procedures of the Australasian Information Security Evaluation Program (AISEP) (Refs [8], [9], [10] and [11]).
In addition, the conditions outlined in the Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security (Ref [12]) were also upheld.

3.3 Functional Testing

32 To gain confidence that the developer's testing was sufficient to ensure the correct operation of the TOE, the evaluators analysed the evidence of the developer's testing effort. This analysis included examining: test coverage; test plans and procedures; and expected and actual results. The evaluators drew upon this evidence to perform a sample of the developer tests in order to verify that the test results were consistent with those recorded by the developers. The security features tested by the evaluators were: a) cryptographic algorithms; b) audit; c) admin PIN strength; d) image overwrite; e) system authentication; f) network authentication; g) SSL and audit logs; h) TOE administration; i) IP filtering; and j) diagnostics functionality and SNMP.

3.4 Penetration Testing

33 The developer performed a vulnerability analysis of the TOE in order to identify any obvious vulnerabilities in the product and to show that those vulnerabilities were not exploitable in the intended environment of the TOE. This analysis included a search for possible vulnerability sources in publicly available information.

Chapter 4 - Certification

4.1 Overview

34 This chapter contains information about the result of the certification, an overview of the assurance provided by the level chosen, and recommendations made by the certifiers.

4.2 Certification Result

35 After due consideration of the conduct of the evaluation as witnessed by the certifiers, and of the Evaluation Technical Report (Ref [13]), the Australasian Certification Authority certifies the evaluation of Xerox Workcentre 4150, 4150s, 4150x and 4150xf Multifunction Systems performed by the Australasian Information Security Evaluation Facility, CSC.
36 CSC has found that Xerox Workcentre 4150, 4150s, 4150x and 4150xf Multifunction Systems upholds the claims made in the Security Target (Ref [1]) and has met the requirements of Common Criteria (CC) evaluation assurance level EAL3 augmented with systematic flaw remediation (ALC_FLR.3).

37 Certification is not a guarantee of freedom from security vulnerabilities.

38 EAL3 provides assurance by an analysis of the security functions, using a functional and interface specification, guidance documentation, and the high-level design of the TOE, to understand the security behaviour.

39 The analysis is supported by independent testing of the TOE security functions, evidence of developer testing based on the functional specification and high-level design, selective independent confirmation of the developer test results, strength of function analysis, and evidence of a developer search for obvious vulnerabilities (e.g. those in the public domain).

40 EAL3 also provides assurance through the use of development environment controls, TOE configuration management, and evidence of secure delivery procedures.

4.3 Recommendations

41 Not all of the evaluated functionality present in the TOE may be suitable for Australian and New Zealand Government users. For further guidance, Australian Government users should refer to the ISM (Ref [2]) and New Zealand Government users should consult the Government Communications Security Bureau (GCSB).

42 In addition to ensuring that the assumptions concerning the operational environment are fulfilled and the guidance document is followed (Ref [3]), the ACA also recommends that users and administrators ensure that the TOE is: a) used only in its evaluated configuration; b) operated according to the administrator's guidance; c) located in a secure area, visible to the group using the MFD; and d) cleared of pending print jobs and documents promptly.
Annex A - References and Abbreviations

A.1 References

[1] Xerox WorkCentre 4150/4150s/4150x/4150xf Multifunction Systems Security Target, version 1.0, Revision 1.06, April 6, 2009.
[2] Australian Government Information and Communications Technology Security Manual (ISM), 2008, Defence Signals Directorate (available at www.dsd.gov.au).
[3] Xerox WorkCentre 4150 System Administration CD1, SN: 538N00058, 2006.
[4] Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model (CC), Version 2.3, August 2005, CCMB-2005-08-001, incorporated with interpretations as of 21-Dec-2007.
[5] Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Requirements (CC), Version 2.3, August 2005, CCMB-2005-08-002, incorporated with interpretations as of 21-Dec-2007.
[6] Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Requirements (CC), Version 2.3, August 2005, CCMB-2005-08-003, incorporated with interpretations as of 21-Dec-2007.
[7] Common Methodology for Information Technology Security Evaluation, Evaluation Methodology (CEM), Version 2.3, August 2005, CCMB-2005-08-004, incorporated with interpretations as of 21-Dec-2007.
[8] AISEP Publication No. 1 – Program Policy, AP 1, Version 3.1, 29 September 2006, Defence Signals Directorate.
[9] AISEP Publication No. 2 – Certifier Guidance, AP 2, Version 3.1, 29 September 2006, Defence Signals Directorate.
[10] AISEP Publication No. 3 – Evaluator Guidance, AP 3, Version 3.1, 29 September 2006, Defence Signals Directorate.
[11] AISEP Publication No. 4 – Sponsor and Consumer Guidance, AP 4, Version 3.1, 29 September 2006, Defence Signals Directorate.
[12] Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security, May 2000.
[13] XEROX WORKCENTRE MULTIFUNCTION SYSTEMS EVALUATION TECHNICAL REPORT, version 2.0, 13 May 2009.

A.2 Abbreviations

AISEF  Australasian Information Security Evaluation Facility
AISEP  Australasian Information Security Evaluation Program
CC     Common Criteria
CEM    Common Evaluation Methodology
DSD    Defence Signals Directorate
EAL    Evaluation Assurance Level
ETR    Evaluation Technical Report
GCSB   Government Communications Security Bureau
LUI    Local User Interface
PP     Protection Profile
SFP    Security Function Policy
SFR    Security Functional Requirement
SSL    Secure Sockets Layer
ST     Security Target
TOE    Target of Evaluation
TSF    TOE Security Functions
TSP    TOE Security Policy
XAR    Xerox Authorised Representative
+      augmented