B.5.3. Target of Evaluation Security Assurance Requirements

The security assurance requirements for the target of evaluation are the Evaluation Assurance Level 4 (EAL 4) components, as specified in Part 3 of Common Criteria version 3.1, augmented with ALC_FLR.2, as indicated in the following table.

Table B.6. Assurance Requirements (EAL 4 augmented)

Requirement Class / Requirement Component
ADV: Development
ADV_ARC.1: Security architecture description
ADV_FSP.4: Complete functional specification
ADV_IMP.1: Implementation representation of the TSF
ADV_TDS.3: Basic modular design
AGD: Guidance documents
AGD_OPE.1: Operational user guidance
AGD_PRE.1: Preparative procedures
ALC: Life-cycle support
ALC_CMC.4: Production support, acceptance procedures and automation
ALC_CMS.4: Problem tracking CM coverage
ALC_DEL.1: Delivery procedures
ALC_DVS.1: Identification of security measures
ALC_FLR.2: Flaw reporting procedures (augmentation)
ALC_LCD.1: Developer defined life-cycle model
ALC_TAT.1: Well-defined development tools
ATE: Tests
ATE_COV.2: Analysis of coverage
ATE_DPT.2: Testing: security enforcing modules
ATE_FUN.1: Functional testing
ATE_IND.2: Independent testing - sample
AVA: Vulnerability assessment
AVA_VAN.3: Focused vulnerability analysis

B.5.3.1. Development (ADV)

ADV_ARC.1 Security architecture description
ADV_ARC.1.1c
The security architecture description shall be at a level of detail commensurate with the description of the SFR-enforcing abstractions described in the target of evaluation design document.
ADV_ARC.1.1d
The developer shall design and implement the target of evaluation so that the security features of the target security functions cannot be bypassed.
ADV_ARC.1.1e
The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_ARC.1.2c
The security architecture description shall describe the security domains maintained by the target security functions consistently with the SFRs.
ADV_ARC.1.2d
The developer shall design and implement the target security functions so that it is able to protect itself from tampering by untrusted active entities.
ADV_ARC.1.3c
The security architecture description shall describe how the target security functions initialization process is secure.
ADV_ARC.1.3d
The developer shall provide a security architecture description of the target security functions.
ADV_ARC.1.4c
The security architecture description shall demonstrate that the target security functions protects itself from tampering.
ADV_ARC.1.5c
The security architecture description shall demonstrate that the target security functions prevents bypass of the SFR-enforcing functionality.
ADV_FSP.4 Complete functional specification
ADV_FSP.4.1c
The functional specification shall completely represent the target security functions.
ADV_FSP.4.1d
The developer shall provide a functional specification.
ADV_FSP.4.1e
The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_FSP.4.2c
The functional specification shall describe the purpose and method of use for all target security function instructions.
ADV_FSP.4.2d
The developer shall provide a tracing from the functional specification to the SFRs.
ADV_FSP.4.2e
The evaluator shall determine that the functional specification is an accurate and complete instantiation of the SFRs.
ADV_FSP.4.3c
The functional specification shall identify and describe all parameters associated with each target security function instruction.
ADV_FSP.4.4c
The functional specification shall describe all actions associated with each target security function instruction.
ADV_FSP.4.5c
The functional specification shall describe all direct error messages that may result from security enforcing effects and exceptions associated with an invocation of each target security function instruction.
ADV_FSP.4.6c
The tracing shall demonstrate that the SFRs trace to target security function instructions in the functional specification.
ADV_IMP.1 Implementation representation of the TSF
ADV_IMP.1.1c
The implementation representation shall define the target security functions to a level of detail such that the target security functions can be generated without further design decisions.
ADV_IMP.1.1d
The developer shall make available the implementation representation for the entire target security functions.
ADV_IMP.1.1e
The evaluator shall confirm that, for the selected sample of the implementation representation, the information provided meets all requirements for content and presentation of evidence.
ADV_IMP.1.2c
The implementation representation shall be in the form used by the development personnel.
ADV_IMP.1.2d
The developer shall provide a mapping between the target of evaluation design description and the sample of the implementation representation.
ADV_IMP.1.3c
The mapping between the target of evaluation design description and the sample of the implementation representation shall demonstrate their correspondence.
ADV_TDS.3 Basic modular design
ADV_TDS.3.1c
The design shall describe the structure of the target of evaluation in terms of subsystems.
ADV_TDS.3.1d
The developer shall provide the design of the target of evaluation.
ADV_TDS.3.1e
The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_TDS.3.2c
The design shall describe the target security functions in terms of modules.
ADV_TDS.3.2d
The developer shall provide a mapping from the target security function instructions of the functional specification to the lowest level of decomposition available in the target of evaluation design.
ADV_TDS.3.2e
The evaluator shall determine that the design is an accurate and complete instantiation of all security functional requirements.
ADV_TDS.3.3c
The design shall identify all subsystems of the target security functions.
ADV_TDS.3.4c
The design shall provide a description of each subsystem of the target security functions.
ADV_TDS.3.5c
The design shall provide a description of the interactions among all subsystems of the target security functions.
ADV_TDS.3.6c
The design shall provide a mapping from the subsystems of the target security functions to the modules of the target security functions.
ADV_TDS.3.7c
The design shall describe each SFR-enforcing module in terms of its purpose.
ADV_TDS.3.8c
The design shall describe each SFR-enforcing module in terms of its SFR-related interfaces, return values from those interfaces, and called interfaces to other modules.
ADV_TDS.3.9c
The design shall describe each SFR-supporting or SFR-non-interfering module in terms of its purpose and interaction with other modules.
ADV_TDS.3.10c
The mapping shall demonstrate that all behavior described in the target of evaluation design is mapped to the target security function instructions that invoke it.
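The tracing demanded by ADV_FSP.4.6c (every SFR traces to an interface) and the mappings demanded by ADV_TDS.3.2d and ADV_TDS.3.10c (every interface maps to design modules, and every described module behaviour is reachable from an interface) can be checked mechanically over the developer's traceability matrices. The following is an added example, not part of this security target or of any real evaluation evidence; the SFR names, interface names and module names are constructed sample data.

```python
"""Completeness check over constructed SFR -> interface -> module traceability data.

Added example; the identifiers below are constructed, not taken from a real
security target or design document.
"""

# Constructed: SFR -> interfaces claimed to implement it (ADV_FSP.4.2d tracing)
SFR_TO_TSFI = {
    "FDP_ACF.1": ["open(2)", "chmod(2)"],
    "FIA_UAU.2": ["pam_authenticate"],
    "FAU_GEN.1": [],                      # gap: SFR traces to no interface
}

# Constructed: interface -> lowest-level design modules (ADV_TDS.3.2d mapping)
TSFI_TO_MODULE = {
    "open(2)": ["fs/namei", "security/dac"],
    "chmod(2)": ["fs/attr"],
    "pam_authenticate": [],               # gap: interface maps to no module
}

# Constructed: modules whose behaviour the design describes (ADV_TDS.3.10c)
DESIGN_MODULES = {"fs/namei", "security/dac", "fs/attr", "audit/log"}


def check_tracing(sfr_to_tsfi, tsfi_to_module, design_modules):
    """Return a sorted list of findings; an empty list means the three layers
    are mutually complete in the sense the assurance components require."""
    findings = []
    for sfr, tsfis in sfr_to_tsfi.items():
        if not tsfis:
            findings.append(f"ADV_FSP.4.6c: {sfr} traces to no interface")
    traced = {t for ts in sfr_to_tsfi.values() for t in ts}
    for tsfi in sorted(traced - tsfi_to_module.keys()):
        findings.append(f"ADV_TDS.3.2d: {tsfi} absent from interface-to-module mapping")
    for tsfi, modules in tsfi_to_module.items():
        if not modules:
            findings.append(f"ADV_TDS.3.2d: {tsfi} maps to no module")
    reachable = {m for ms in tsfi_to_module.values() for m in ms}
    for mod in sorted(design_modules - reachable):
        findings.append(f"ADV_TDS.3.10c: behaviour of {mod} not mapped to any interface")
    return sorted(findings)


if __name__ == "__main__":
    for line in check_tracing(SFR_TO_TSFI, TSFI_TO_MODULE, DESIGN_MODULES):
        print(line)
```

On the sample data the check reports three gaps (an untraced SFR, an unmapped interface, and an unreachable module); on complete matrices it returns an empty list.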