B.5.3. Target of Evaluation Security Assurance Requirements

The security assurance requirements for the target of evaluation are the Evaluation Assurance Level 4 (EAL 4) components, as specified in Part 3 of Common Criteria version 3.1, augmented with ALC_FLR.2 as indicated in bold the following table.

Table B.6. Assurance Requirements (EAL 4 augmented)

Requirement Class

Requirement Component

ADV: Development

ADV_ARC.1: Security architecture description

ADV_FSP.4: Complete functional specification

ADV_IMP.1: Implementation representation of the TSF

ADV_TDS.3: Basic modular design

AGD: Guidance documents

AGD_OPE.1: Operational user guidance

AGD_PRE.1: Preparative procedures

ALC: Life-cycle support

ALC_CMC.4: Production support, acceptance procedures and automation

ALC_CMS.4: Problem tracking CM coverage

ALC_DEL.1: Delivery procedures

ALC_DVS.1: Identification of security measures

ALC_FLR.2: Flaw reporting procedures

ALC_LCD.1: Developer defined life-cycle model

ALC_TAT.1: Well-defined development tools

ATE: Tests

ATE_COV.2: Analysis of coverage

ATE_DPT.2: Testing: security enforcing modules

ATE_FUN.1: Functional testing

ATE_IND.2: Independent testing - sample

AVA: Vulnerability assessment

AVA_VAN.3: Focused vulnerability analysis

B.5.3.1. Development (ADV)

ADV_ARC.1 Security architecture description

ADV_ARC.1.1c: The security architecture description shall be at a level of detail commensurate with the description of the SFR-enforcing abstractions described in the target of evaluation design document.
ADV_ARC.1.1d: The developer shall design and implement the target of evaluation so that the security features of the target security functions cannot be bypassed.
ADV_ARC.1.1e: The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_ARC.1.2c: The security architecture description shall describe the security domains maintained by the target security functions consistently with the SFRs.
ADV_ARC.1.2d: The developer shall design and implement the target security functions so that it is able to protect itself from tampering by untrusted active entities.
ADV_ARC.1.3c: The security architecture description shall describe how the target security functions initialization process is secure.
ADV_ARC.1.3d: The developer shall provide a security architecture description of the target security functions.
ADV_ARC.1.4c: The security architecture description shall demonstrate that the target security functions protects itself from tampering.
ADV_ARC.1.5c: The security architecture description shall demonstrate that the target security functions prevents bypass of the SFR-enforcing functionality.

ADV_FSP.4 Complete functional specification

ADV_FSP.4.1c: The functional specification shall completely represent the target security functions.
ADV_FSP.4.1d: The developer shall provide a functional specification.
ADV_FSP.4.1e: The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_FSP.4.2c: The functional specification shall describe the purpose and method of use for all target security function instructions.
ADV_FSP.4.2d: The developer shall provide a tracing from the functional specification to the SFRs.
ADV_FSP.4.2e: The evaluator shall determine that the functional specification is an accurate and complete instantiation of the SFRs.
ADV_FSP.4.3c: The functional specification shall identify and describe all parameters associated with each target security function instructions.
ADV_FSP.4.4c: The functional specification shall describe all actions associated with each target security function instructions.
ADV_FSP.4.5c: The functional specification shall describe all direct error messages that may result from security enforcing effects and exceptions associated with an invocation of each target security function instructions.
ADV_FSP.4.6c: The tracing shall demonstrate that the SFRs trace to target security function instructions in the functional specification.

ADV_IMP.1 Implementation representation of the TSF

ADV_IMP.1.1c: The implementation representation shall define the target security functions to a level of detail such that the target security functions can be generated without further design decisions.
ADV_IMP.1.1d: The developer shall make available the implementation representation for the entire target security functions.
ADV_IMP.1.1e: The evaluator shall confirm that, for the selected sample of the implementation representation, the information provided meets all requirements for content and presentation of evidence.
ADV_IMP.1.2c: The implementation representation shall be in the form used by the development personnel.
ADV_IMP.1.2d: The developer shall provide a mapping between the target of evaluation design description and the sample of the implementation representation.
ADV_IMP.1.3c: The mapping between the target of evaluation design description and the sample of the implementation representation shall demonstrate their correspondence.

ADV_TDS.3 Basic modular design

ADV_TDS.3.10c: The mapping shall demonstrate that all behavior described in the target of evaluation design is mapped to the target security function instructions that invoke it.
ADV_TDS.3.1c: The design shall describe the structure of the target of evaluation in terms of subsystems.
ADV_TDS.3.1d: The developer shall provide the design of the target of evaluation.
ADV_TDS.3.1e: The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_TDS.3.2c: The design shall describe the target security functions in terms of modules.
ADV_TDS.3.2d: The developer shall provide a mapping from the target security function instructions of the functional specification to the lowest level of decomposition available in the target of evaluation design.
ADV_TDS.3.2e: The evaluator shall determine that the design is an accurate and complete instantiation of all security functional requirements.
ADV_TDS.3.3c: The design shall identify all subsystems of the target security functions.
ADV_TDS.3.4c: The design shall provide a description of each subsystem of the target security functions.
ADV_TDS.3.5c: The design shall provide a description of the interactions among all subsystems of the target security functions.
ADV_TDS.3.6c: The design shall provide a mapping from the subsystems of the target security functions to the modules of the target security functions.
ADV_TDS.3.7c: The design shall describe each SFR-enforcing module in terms of its purpose.
ADV_TDS.3.8c: The design shall describe each SFR-enforcing module in terms of its SFR-related interfaces, return values from those interfaces, and called interfaces to other modules.
ADV_TDS.3.9c: The design shall describe each SFR-supporting or SFR-non-interfering module in terms of its purpose and interaction with other modules.