Evaluation Assurance Level

Last updated

The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification. The intent of the higher levels is to provide higher confidence that the system's principle security features are reliably implemented. The EAL level does not measure the security of the system itself, it simply states at what level the system was tested.

Contents

To achieve a particular EAL, the computer system must meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs involve more detailed documentation, analysis, and testing than the lower ones. Achieving a higher EAL certification generally costs more money and takes more time than achieving a lower one. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.

Although every product and system must fulfill the same assurance requirements to achieve a particular level, they do not have to fulfill the same functional requirements. The functional features for each certified product are established in the Security Target document tailored for that product's evaluation. Therefore, a product with a higher EAL is not necessarily "more secure" in a particular application than one with a lower EAL, since they may have very different lists of functional features in their Security Targets. A product's fitness for a particular security application depends on how well the features listed in the product's Security Target fulfill the application's security requirements. If the Security Targets for two products both contain the necessary security features, then the higher EAL should indicate the more trustworthy product for that application.

Assurance levels

EAL1: Functionally Tested

EAL1 is applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious. It will be of value where independent assurance is required support the contention that due care has been exercised with respect to the protection of personal or similar information. EAL1 provides an evaluation of the TOE (Target of Evaluation) as made available to the customer, including independent testing against a specification, and an examination of the guidance documentation provided. It is intended that an EAL1 evaluation could be successfully conducted without assistance from the developer of the TOE, and for minimal cost. An evaluation at this level should provide evidence that the TOE functions in a manner consistent with its documentation, and that it provides useful protection against identified threats.

EAL2: Structurally Tested

EAL2 requires the cooperation of the developer in terms of the delivery of design information and test results, but should not demand more effort on the part of the developer than is consistent with good commercial practice. As such it should not require a substantially increased investment of cost or time. EAL2 is therefore applicable in those circumstances where developers or users require a low to moderate level of independently assured security in the absence of ready availability of the complete development record. Such a situation may arise when securing legacy systems.

EAL3: Methodically Tested and Checked

EAL3 permits a conscientious developer to gain maximum assurance from positive security engineering at the design stage without substantial alteration of existing sound development practices. EAL3 is applicable in those circumstances where developers or users require a moderate level of independently assured security, and require a thorough investigation of the TOE and its development without substantial re-engineering.

EAL4: Methodically Designed, Tested and Reviewed

EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.

Commercial operating systems that provide conventional, user-based security features are typically evaluated at EAL4. Examples with expired Certificate are AIX, [1] HP-UX, [1] Oracle Linux, NetWare, Solaris, [1] SUSE Linux Enterprise Server 9, [1] [2] SUSE Linux Enterprise Server 10, [3] Red Hat Enterprise Linux 5, [4] [5] Windows 2000 Service Pack 3, Windows 2003, [1] [6] Windows XP, [1] [6] Windows Vista, [7] [8] Windows 7, [1] [9] Windows Server 2008 R2, [1] [9] z/OS version 2.1 and z/VM version 6.3. [1]

Operating systems that provide multilevel security are evaluated at a minimum of EAL4. Examples with active Certificate include SUSE Linux Enterprise Server 15 (EAL 4+). [10] Examples with expired Certificate are Trusted Solaris, Solaris 10 Release 11/06 Trusted Extensions, [11] an early version of the XTS-400, VMware ESXi version 4.1, [12] 3.5, 4.0, AIX 4.3, AIX 5L, AIX 6, AIX7, Red Hat 6.2 & SUSE Linux Enterprise Server 11 (EAL 4+). vSphere 5.5 Update 2 did not achieve EAL4+ level it was an EAL2+ and certified on June 30, 2015.

EAL5: Semiformally Designed and Tested

EAL5 permits a developer to gain maximum assurance from security engineering based upon rigorous commercial development practices supported by moderate application of specialist security engineering techniques. Such a TOE will probably be designed and developed with the intent of achieving EAL5 assurance. It is likely that the additional costs attributable to the EAL5 requirements, relative to rigorous development without the application of specialized techniques, will not be large. EAL5 is therefore applicable in those circumstances where developers or users require a high level of independently assured security in a planned development and require a rigorous development approach without incurring unreasonable costs attributable to specialist security engineering techniques.

Numerous smart card devices have been evaluated at EAL5, as have multilevel secure devices such as the Tenix Interactive Link. XTS-400 (STOP 6) is a general-purpose operating system which has been evaluated at EAL5 augmented.

LPAR on IBM System z is EAL5 Certified. [13]

EAL6: Semiformally Verified Design and Tested

EAL6 permits developers to gain high assurance from application of security engineering techniques to a rigorous development environment in order to produce a premium TOE for protecting high-value assets against significant risks. EAL6 is therefore applicable to the development of security TOEs for application in high risk situations where the value of the protected assets justifies the additional costs.

Green Hills Software's INTEGRITY-178B RTOS has been certified to EAL6 augmented. [1]

EAL7: Formally Verified Design and Tested

EAL7 is applicable to the development of security TOEs for application in extremely high risk situations and/or where the high value of the assets justifies the higher costs.

Practical application of EAL7 is currently limited to TOEs with tightly focused security functionality that is amenable to extensive formal analysis. The ProvenCore OS, developped by ProvenRun, has been certified to EAL7 in 2019 by the ANSSI. [14] The Tenix Interactive Link Data Diode Device and the Fox-IT Fox Data Diode (one-way data communications device) claimed to have been evaluated at EAL7 augmented (EAL7+). [15]

Implications of assurance levels

Technically speaking, a higher EAL means nothing more, or less, than that the evaluation completed a more stringent set of quality assurance requirements. It is often assumed that a system that achieves a higher EAL will provide its security features more reliably (and the required third-party analysis and testing performed by security experts is reasonable evidence in this direction), but there is little or no published evidence to support that assumption.

Impact on cost and schedule

In 2006, the US Government Accountability Office published a report on Common Criteria evaluations that summarized a range of costs and schedules reported for evaluations performed at levels EAL2 through EAL4.

Range of completion times and costs for Common Criteria evaluations at EAL2 through EAL4. Common Criteria evaluation costs.gif
Range of completion times and costs for Common Criteria evaluations at EAL2 through EAL4.

In the mid to late 1990s, vendors reported spending US$1 million and even US$2.5 million on evaluations comparable to EAL4. There have been no published reports of the cost of the various Microsoft Windows security evaluations.

Augmentation of EAL requirements

In some cases, the evaluation may be augmented to include assurance requirements beyond the minimum required for a particular EAL. Officially this is indicated by following the EAL number with the word augmented and usually with a list of codes to indicate the additional requirements. As shorthand, vendors will often simply add a "plus" sign (as in EAL4+) to indicate the augmented requirements.

EAL notation

The Common Criteria standards denote EALs as shown in this article: the prefix "EAL" concatenated with a digit 1 through 7 (Examples: EAL1, EAL3, EAL5). In practice, some countries place a space between the prefix and the digit (EAL 1, EAL 3, EAL 5). The use of a plus sign to indicate augmentation is an informal shorthand used by product vendors (EAL4+ or EAL 4+).

Related Research Articles

The Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification. It is currently in version 3.1 revision 5.

Trusted Operating System (TOS) generally refers to an operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements.

<span class="mw-page-title-main">MontaVista</span> Software company

MontaVista Software is a company that develops embedded Linux system software, development tools, and related software. Its products are made for other corporations developing embedded systems such as automotive electronics, communications equipment, mobile phones, and other electronic devices and infrastructure.

In computing, security-evaluated operating systems have achieved certification from an external security-auditing organization, the most popular evaluations are Common Criteria (CC) and FIPS 140-2.

In computer security, mandatory access control (MAC) refers to a type of access control by which a secured environment constrains the ability of a subject or initiator to access or modify on an object or target. In the case of operating systems, the subject is a process or thread, while objects are files, directories, TCP/UDP ports, shared memory segments, or IO devices. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, the operating system kernel examines these security attributes, examines the authorization rules in place, and decides whether to grant access. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

Multilevel security or multiple levels of security (MLS) is the application of a computer system to process information with incompatible classifications, permit access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. There are two contexts for the use of multilevel security.

<span class="mw-page-title-main">SUSE Linux Enterprise</span> Linux distribution

SUSE Linux Enterprise (SLE) is a Linux-based operating system developed by SUSE. It is available in two editions, suffixed with Server (SLES) for servers and mainframes, and Desktop (SLED) for workstations and desktop computers.

<span class="mw-page-title-main">Trusted Platform Module</span> Standard for secure cryptoprocessors

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard ISO/IEC 11889. Common uses are to verify platform integrity, and to store disk encryption keys.

<span class="mw-page-title-main">Hardware security module</span> Physical computing device

A hardware security module (HSM) is a physical computing device that safeguards and manages secrets, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.

The XTS-400 is a multilevel secure computer operating system. It is multiuser and multitasking that uses multilevel scheduling in processing data and information. It works in networked environments and supports Gigabit Ethernet and both IPv4 and IPv6.

A Protection Profile (PP) is a document used as part of the certification process according to ISO/IEC 15408 and the Common Criteria (CC). As the generic form of a Security Target (ST), it is typically created by a user or user community and provides an implementation independent specification of information assurance security requirements. A PP is a combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs) and rationales.

A High Assurance Guard (HAG) is a multilevel security computer device which is used to communicate between different security domains, such as NIPRNet to SIPRNet. A HAG is one example of a Controlled Interface between security levels. HAGs are approved through the Common Criteria process.

The Common Criteria model provides for the separation of the roles of evaluator and certifier. Product certificates are awarded by national schemes on the basis of evaluations carried by independent testing laboratories.

SUSE Linux is a computer operating system developed by SUSE. It is built on top of the free and open-source Linux kernel and is distributed with system and application software from other open source projects. SUSE Linux is of German origin, its name being an acronym of "Software und System-Entwicklung", and it was mainly developed in Europe. The first version appeared in early 1994, making SUSE one of the oldest existing commercial distributions. It is known for its YaST configuration tool.

<span class="mw-page-title-main">Safelayer Secure Communications</span> Spanish software developer company

Safelayer Secure Communications S.A. is a Spanish private company founded in May 1999. It develops software products on the public key infrastructure area. Safelayer's technology is part of the three major certification and digital identity projects in Spain: Fábrica Nacional de Moneda y Timbre, the Spanish ID card DNI electrónico and the Spanish E-passport. Safelayer's technology also secures the NATO X400 messaging system.

The Interactive Link is a suite of hardware and software products designed for application within areas where network separation is implemented for security reasons. Manufactured and marketed by Tenix Datagate, the Interactive Link hardware products have been evaluated to the highest level under international security criteria with a strong focus on maintaining the confidentiality of the secure network. The technology underlying the products is drawn from Starlight Technology, developed by the Australian Defence Science and Technology Group.

Common Criteria for Information Technology Security Evaluation, version 3.1 Part 1 defines the Security Target (ST) as an "implementation-dependent statement of security needs for a specific identified Target of Evaluation (TOE)". In other words, the ST defines boundary and specifies the details of the TOE. In a product evaluation process according to the CC the ST document is provided by the vendor of the product.

HCL Commerce Cloud is a software platform framework for e-commerce, including marketing, sales, customer and order processing functionalities. WebSphere Commerce is built on the Java - Java EE platform using open standards, such as XML, and Web services. Formerly a product of IBM, the product was sold to HCL Technologies in July 2019.

LynxSecure is a least privilege real-time separation kernel hypervisor from Lynx Software Technologies designed for safety and security critical applications found in military, avionic, industrial, and automotive markets.

IBM Secure Service Container is the trusted execution environment available for IBM Z and IBM LinuxONE servers.

References

  1. 1 2 3 4 5 6 7 8 9 10 "Common Criteria certified product list". Archived from the original on 2013-12-31. Retrieved 2008-04-28.
  2. "Certification Report for SUSE Linux Enterprise Server 9" (PDF). Archived from the original (PDF) on 2015-09-23. Retrieved 2008-04-28.
  3. "SUSE Linux Enterprise Server 10 EAL4 Certificate". Archived from the original on 2008-05-22. Retrieved 2008-04-28.
  4. "Red Hat Enterprise Linux Version 5 EAL4 Certificate". Archived from the original on 2007-06-19. Retrieved 2007-06-16.
  5. "Red Hat Customer Portal".
  6. 1 2 Windows Platform Products Awarded Common Criteria EAL 4 Certification Archived 2006-04-20 at the Wayback Machine
  7. Myers, Tim. "Windows Vista and Windows Server 2008 are Common Criteria Certified at EAL4+". Microsoft. Retrieved May 15, 2013.
  8. "National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme" (PDF). Archived from the original (PDF) on March 27, 2014. Retrieved May 15, 2013.
  9. 1 2 Microsoft Windows 7, Windows Server 2008 R2 and SQL Server 2008 SP2 Now Certified as Common Criteria Validated Products
  10. "SUSE Linux Enterprise Server 15 SP2" (PDF). Common Criteria Portal. Retrieved 9 September 2022.
  11. Solaris 10 Release 11/06 Trusted Extensions EAL 4+ Certification Report
  12. "VMware Common Criteria Evaluation & Validation (CCEVS)" . Retrieved 2019-01-27.
  13. IBM System z Security; IBM System z partitioning achieves highest certification
  14. "Certifications ANSSI - ProvenCore" (PDF). Archived from the original (PDF) on 2022-12-04.
  15. "Certifications - Fox-IT". Archived from the original on 2020-09-23.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.