Base Protection Profile For Database Management Systems


BSI-CC-PP-0088
DBMS Working Group / Technical Community
September 9th, 2015

Base Protection Profile for Database Management Systems (DBMS PP)
Version 2.07

Base Protection Profile for Database Management Systems V 2.07, BSI-CC-PP-0088

Revision History

Version | Date | Description
1.0 | September 30, 2004 | U.S. Government Protection Profile for Database Management Systems in Basic Robustness Environments (BR-DBMSPP)
1.1 | June 7, 2006 | U.S. Government Protection Profile for Database Management Systems in Basic Robustness Environments (BR-DBMSPP)
1.2 | July 25, 2007 | U.S. Government Protection Profile for Database Management Systems in Basic Robustness Environments (BR-DBMSPP)
1.3 | December 24, 2010 | U.S. Government Protection Profile for Database Management Systems (DBMSPP)
2.0 | December 15, 2014 | Base Protection Profile for Database Management Systems (DBMS PP)
2.07 | September 9th, 2015 | Certified Version of Base Protection Profile for Database Management Systems (DBMS PP)

Further information, including the status and updates of this protection profile, can be found in the DBMS WG/TC project area on the CCUF ts/projects/tasks.aspx?prjID 410822

Comments on this document should be submitted to the DBMS WG/TC workspace. The comment should include the title and version of the document, the page, the section number, the line number, and the detailed comment and recommendation.

Protection Profile Title: Base Protection Profile for Database Management Systems

Common Criteria Version: This Protection Profile “Base Protection Profile for Database Management Systems” (DBMS PP) was updated using Version 3.1 of the Common Criteria (CC) [REF 1].

Table of Contents

1 INTRODUCTION TO THE PROTECTION PROFILE
1.1 PP Identification
1.2 TOE Overview
1.3 PP Configurations
1.4 Document Conventions
1.5 Glossary of Terms
1.6 Document Organization
2 TOE DESCRIPTION
2.1 Product Type
2.2 TOE Definition
2.3 Security Functionality Provided by the TOE
2.4 Optional Security Functionality
2.5 TOE Operational Environment
2.5.1 Enclave
2.5.2 TOE Architectures
2.5.3 TOE Administration
3 CONFORMANCE CLAIMS
3.1 Conformance with CC parts 2 and 3
3.2 Conformance with Packages
3.3 Conformance with other Protection Profiles
3.4 Conformance Statement
4 SECURITY PROBLEM DEFINITION
4.1 Informal Discussion
4.2 Assets and Threat Agents
4.3 Threats
4.4 Organizational Security Policies
4.5 Assumptions
5 SECURITY OBJECTIVES
5.1 TOE Security Objectives
5.2 Operational Environment Security Objectives
6 EXTENDED SECURITY FUNCTIONAL REQUIREMENTS
FTA_TAH_(EXT).1 TOE access information
FIA_USB_(EXT).2 Enhanced user-subject binding
7 SECURITY REQUIREMENTS
7.1 Security Functional Requirements
7.1.1 Security Audit (FAU)
7.1.2 User data protection (FDP)
7.1.3 Identification and authentication (FIA)
7.1.4 Security management (FMT)
7.1.5 Protection of the TOE Security Functions (FPT)
7.1.6 TOE Access (FTA)
7.2 Security Assurance
8 RATIONALE
8.1 Rationale for TOE Security Objectives
8.1.1 TOE Security Objectives Coverage
8.1.2 Rationale for TOE Security Objectives
8.2 Rationale for the Environmental Security Objectives
8.3 Rationale for Security Functional Requirements
8.3.1 Rationale for Extended Security Functional Requirements
8.3.2 Rationale for TOE Security Functional Requirements
8.3.3 Rationale for Satisfying All Security Functional Requirement Dependencies
8.4 Rationale for Satisfying all Security Assurance Requirements
8.5 Conclusion
9 APPENDICES
Appendix A. REFERENCES
Appendix B. GLOSSARY
Appendix C. ABBREVIATIONS AND ACRONYMS

List of Tables

Table 1: Threats Applicable to the TOE
Table 2: Policies Applicable to the TOE
Table 3: Assumptions Applicable to the TOE Environment
Table 4: TOE Security Objectives
Table 5: Operational Environment Security Objectives
Table 6: Operational Environment IT Security Objectives
Table 7: Security Functional Requirements
Table 8: Auditable Events
Table 9: Assurance Requirements
Table 10: Coverage of Security Objectives for the TOE
Table 11: Rationale for the TOE Security Objectives
Table 12: Coverage of SPF Items for the TOE Environment Security Objectives
Table 13: Rationale for Environmental Security Objectives
Table 14: Rationale for Extended Security Functional Requirements
Table 15: Rationale for TOE Security Functional Requirements
Table 16: Security Functional Requirement Dependencies

1 INTRODUCTION TO THE PROTECTION PROFILE

1.1 PP Identification

Title: Base Protection Profile for Database Management Systems (DBMS PP)
Sponsor: DBMS Working Group / Technical Community
CC Version: Common Criteria (CC) Version 3.1 [REF 1]
PP Version: 2.07
Publication Date: 9th September, 2015
Keywords: database management system, DBMS PP, DBMS, COTS, commercial security, access control, CC EAL2 augmented.

1.2 TOE Overview

The “Base Protection Profile for Database Management Systems” specifies security requirements for a commercial-off-the-shelf (COTS) database management system (DBMS). The TOE type is a database management system.

A TOE compliant with this Protection Profile includes, but is not limited to, a DBMS server and can be evaluated as a software-only application layered on an underlying system, i.e., operating system, hardware, network services, and/or custom software, and is usually embedded as a component of a larger system within an operational environment. This profile establishes the requirements necessary to achieve the security objectives of the Target of Evaluation (TOE) and its environment.

Conformant TOEs provide access control based on user identity and, optionally, group membership, e.g., Discretionary Access Control (DAC), and generation of audit records for security-relevant events. Authorized administrators of the TOE are trusted to not misuse the privileges assigned to them.

Security Targets (STs) that claim conformance to this PP shall meet a minimum standard of demonstrable-PP conformance as defined in section D3 of Part 1 of the CC [REF 1a].

1.3 PP Configurations

The Protection Profile for Database Management Systems (DBMS PP) is structured as a Base Protection Profile, ready to accommodate a set of (optional) Protection Profile extended packages (1). This structure was chosen to maximize adaptability for different operational environments and different operational requirements, since Database Management Systems may provide functionality in a variety of ways.

The following PP configuration is allowed:

1. Base PP only (DBMS PP)

(1) These are also known as "Protection Profile modules". Please see [REF 2] for more details.

1.4 Document Conventions

Except for replacing United Kingdom spelling with American spelling, the notation, formatting, and conventions used in this PP are consistent with version 3.1 of the CC. Selected presentation choices are discussed here to aid the PP reader.

The CC allows several operations to be performed on functional requirements; refinement, selection, assignment, and iteration are defined in clause 8 of Part 1 of the CC [REF 1a]. Each of these operations is used in this PP.

The refinement operation is used to add detail to a requirement, and thus further restricts a requirement. Refinement of security requirements is denoted by bold text or, in the case of deletions, by crossed-out bold text.

The selection operation is used to select one or more options provided by the CC in stating a requirement. Selections that have been made by the PP authors are denoted by italicized text; selections to be filled in by the Security Target (ST) author appear in square brackets with an indication that a selection is to be made, [selection:], and are not italicized.

The assignment operation is used to assign a specific value to an unspecified parameter, such as the length of a password. Assignments that have been made by the PP authors are denoted by showing the value in square brackets, [assignment_value]; assignments to be filled in by the ST author appear in square brackets with an indication that an assignment is to be made, [assignment:].

The iteration operation is used when a component is repeated with varying operations. Iteration is denoted by showing the iteration number in parentheses following the component identifier, (iteration number).

The CC paradigm also allows protection profile and security target authors to create their own requirements. Such requirements are termed “extended requirements” and are permitted if the CC does not offer suitable requirements to meet the author’s needs. Extended requirements must be identified and are required to use the CC class/family/component model in articulating the requirements. In this PP, extended requirements will be indicated with the “(EXT)” following the component name.

Application Notes are provided to help the developer, either to clarify the intent of a requirement, identify implementation choices, or to define “pass-fail” criteria for a requirement. For those components where Application Notes are appropriate, the Application Notes will follow the requirement component.

1.5 Glossary of Terms

See Appendix B for the Glossary of Terms.

1.6 Document Organization

Section 1 provides the introductory material for the protection profile.

Section 2 describes the Target of Evaluation in terms of its envisaged usage and connectivity.

Section 3 gives the conformance claims made by this protection profile.

Section 4 defines the security problem in terms of threats and security problems.

Section 5 identifies the security objectives derived from these threats and policies.

Section 6 identifies and defines the extended security requirements.

Section 7 identifies and defines the security functional requirements from the CC that must be met by the TOE in order for the functionality-based objectives to be met. This section also identifies the security assurance requirements for evaluation assurance level (EAL) 2 augmented.

Section 8 provides a rationale to demonstrate that the Information Technology Security Objectives satisfy the policies and threats. Arguments are provided for the coverage of each policy and threat. The section then explains how the set of requirements is complete relative to the objectives, and that each security objective is addressed by one or more component requirements. Arguments are provided for the coverage of each objective.

Section 9, Appendices, includes the appendices that accompany the PP and provides clarity and/or explanation for the reader.

Appendix A, References, provides background material for further investigation by users of the PP.

Appendix B, Glossary, provides a listing of definitions of terms.

Appendix C, Abbreviations and Acronyms, provides a listing of abbreviations and acronyms used throughout the document.

2 TOE DESCRIPTION

2.1 Product Type

The product type of the Target of Evaluation (TOE) described in this Protection Profile (PP) is a database management system (DBMS).

A DBMS is a computerized repository that stores information and allows authorized users to retrieve and update that information. A DBMS may be a single-user system, in which only one user may access the DBMS at a given time, or a multi-user system, in which many users may access the DBMS simultaneously.

The DBMS will have the capability to limit DBMS access to authorized users, enforce Discretionary Access Controls on objects under the control of the database management system based on user and, optionally, group authorizations, and provide user accountability via audit of users' actions.

A DBMS is comprised of the DBMS server application that performs some or all of the following functions:

- Controlling users' accesses to user data and DBMS data;
- Interacting with, and possibly supplementing portions of, the underlying operating system to retrieve and present the data that are under the DBMS's management;
- Indexing data values to their physical locations for quick retrievals based on a value or range of values;
- Executing pre-written programs (i.e., utilities) to perform common tasks like database backup, recovery, loading, and copying;
- Supporting mechanisms that enable concurrent database access (e.g., locks);
- Assisting recovery of user data and DBMS data (e.g., transaction log); and
- Tracking operations that users perform.

Most commercial DBMS server applications also provide the following functions:

- A data model with which the DBMS data structures and organization can be conceptualized (e.g., hierarchical, object-oriented, relational data models) and DBMS objects defined.
- High-level language(s) or interfaces that allow authorized users to define database constructs; access and modify user or DBMS data; present user or DBMS data; and perform operations on those data.

A DBMS supports two major types of users:

- Users who interact with the DBMS to observe and/or modify data objects for which they have authorization to access; and
- The authorized administrators who implement and manage the various information-related policies of an organization (e.g., access, integrity, consistency, availability) for the databases that they install, configure, manage, and/or own.

A DBMS stores and controls access to two types of data:

- The first type is the user data that the DBMS maintains and protects. User data may consist of the following:
  - The user data stored in or as database objects;
  - The definitions of user databases and database objects, commonly known as DBMS metadata; and
  - The user-developed queries, functions, or procedures that the DBMS maintains for users.
- The second type is the DBMS data (e.g., configuration parameters, user security attributes, transaction log, audit instructions, and records) that the DBMS maintains and may use to operate the DBMS.

DBMS specifications identify the detailed requirements for the DBMS server functions given in the above list.

2.2 TOE Definition

The TOE consists of at least one instance of the security functions (i.e. the database engine) of the DBMS server application with its associated guidance documentation and the interfaces to the external IT entities with which the DBMS interacts.

This PP does not dictate a specific architecture. The ST writer will need to identify and describe the TOE architecture to be evaluated.

The external IT entities with which the DBMS may interact, if they are outside the TOE, include the following:

- Client applications that allow users to interface with the DBMS server;
- The host operating system (host OS) on which the TOE has been installed;
- The networking, printing, data-storage, and other devices and services with which the host OS may interact on behalf of the DBMS or the DBMS user; and
- The other IT products such as application servers, web servers, authentication servers, directory services, audit servers, and transaction processors with which the DBMS may interact to perform a DBMS function or a security function.

If the host OS is outside the TOE, the DBMS must specify the host OS on which it must reside to provide the desired degree of security feature integration as well as the configuration of those OS(es) required to support the DBMS functions. However, the goals of confidentiality, integrity, and availability for the TOE must be met by the total package: the DBMS and the external IT entities with which it interacts. In all cases, the TOE must be installed and administered in accordance with the TOE installation and administration instructions.

2.3 Security Functionality Provided by the TOE

A DBMS evaluated against this PP will provide the following security services.

Security services that must be provided by the TOE:

- Discretionary Access Control (DAC) limits access to objects based on the identity of the subjects or groups to which the subjects and objects belong, and which allows authorized users to specify how the objects that they control are protected.
- Audit Capture for creation of information on all auditable events.
- Authorized administration role to allow authorized administrators to configure the policies for discretionary access control, identification and authentication, and auditing. The TOE must enforce the authorized administration role.

NOTE: Some administrative tasks may be delegated to specific users (which by that delegation become administrators, although they can only perform some limited administrative actions). Ensuring that those users cannot extend the administrative rights assigned to them is a security functionality the TOE has to provide.

2.4 Optional Security Functionality

Security services that must be provided either by the TOE and/or by the IT environment. This security functionality is not modeled in the following chapters of the DBMS Base PP. The ST author must integrate the description of the additional (optional) security functionality and the corresponding security functional requirements.

- Identification and Authentication (I&A) by which users are uniquely identified and authenticated before they are authorized to access information stored on the DBMS.
- Audit Storage service that stores records for all security-relevant operations that users perform on user and DBMS data.
- Audit Review service that allows the authorized administrator to review stored audit records in order to detect potential and actual security violations.

However, compliance with this PP will not guarantee the following:

- Physical protection mechanisms and the administrative procedures for using them are in place.
- Mechanisms to ensure the complete availability of the data residing on the DBMS are in place. The DBMS can provide simultaneous access to data to make the data available to more than one person at a given time, and it can enforce DBMS resource allocation limits to prevent users from monopolizing a DBMS service/resource. However, it cannot detect or prevent the unavailability that may occur because of a physical or environmental disaster, a storage device failure, or a hacker attack on the underlying operating system. For such threats to availability, the environment must provide the required countermeasures.
- Mechanisms to ensure that users properly secure the data that they retrieve from the DBMS are in place. The security procedures of the organization(s) that use and manage the DBMS must define users' data retrieval, storage, export, and disposition responsibilities.
- Mechanisms to ensure that authorized administrators wisely use DAC. Although the DBMS can support an access control policy by which users, and optionally users in defined groups, are granted access only to the data that they need to perform their jobs, it cannot completely ensure that authorized administrators who are able to set access controls will do so prudently.

2.5 TOE Operational Environment

2.5.1 Enclave

The term "enclave" further characterizes the environment in which the TOE is intended to operate. An enclave is under the control of a single authority and has a homogeneous security policy, including personnel and physical security, to protect it from other environments. An enclave can be specific to an organization or a mission and it may contain multiple networks. Enclaves may be logical, such as an operational area network, or be based on physical location and proximity. Any local and external elements that access resources within the enclave must satisfy the policy of the enclave.

The DBMS is expected to interact with other IT products that reside in the host OS, in the IT environment in which the host computer and host OS reside, and outside that environment but inside the enclave. The IT and non-IT mechanisms used for secure exchanges of information between the DBMS and such products are expected to be administratively determined and coordinated. Similarly, the IT and non-IT mechanisms for negotiating or translating the DAC policy involved in such exchanges are expected to be resolved by the organizations involved.

The DBMS may also interact with IT products outside the enclave, such as a certificate authority (CA) that is defined as a trusted CA by an IT product within the enclave.

2.5.2 TOE Architectures

This PP does not dictate a specific architecture. A TOE compliant with this PP may be evaluated and may operate in several architectures, including but not limited to one or more of the following:

- A stand-alone system running the DBMS server application; a stand-alone system running the DBMS server and DBMS client(s) and serving one, or more than one, online user at a given time;
- A network of systems communicating with several distributed DBMS servers simultaneously;
- A network of workstations or terminals running DBMS clients and communicating with a DBMS server simultaneously; these devices may be hardwired to the host computer or be connected to it by means of local or wide-area networks;
- A network of workstations communicating with one or more application servers, which in turn interact with the DBMS on behalf of the workstation users or other subjects (e.g., a DBMS server interacting with a transaction processor that manages user requests); and
- A network of workstations communicating with several distributed DBMS servers simultaneously; the DBMS servers may all be within a single local area network, or they may be distributed geographically.

This PP allows each of these architectures to be supported as well as others. A possible architecture is an enclave in which DBMS users access the TOE via a local area network (LAN). Users in other enclaves will access the LAN and the host computers and servers on it by way of one or more boundary protection mechanisms (e.g., a firewall) and then through a communications server or router to the LAN. Depending on the particular enclave configuration and the DBMS access policy that it supports, all users (both inside and outside the enclave) may then access an application server, which either connects the TOE user to the enclave computer on which the TOE operates or manages the complete user/DBMS session.

2.5.3 TOE Administration

This PP defines one necessary administrator role (authorized administrator), which is established by the developer of the DBMS. This PP allows the DBMS developer or security target writer to define more roles.

If the security target allows it, the administrators of the system may assign privileges to users. When the DBMS is established, the ability to assign privileges and their associated responsibilities must also exist.

Authorized administrators of the TOE will have capabilities that are commensurate with their assigned administrative privileges. Of course, the very ability to establish and assign privileges will itself be a privileged function.

3 CONFORMANCE CLAIMS

The following sections describe the conformance claims of the Database Management System Protection Profile (DBMS PP).

3.1 Conformance with CC parts 2 and 3

DBMS PP is CC version 3.1 revision 4 Part 2 extended and Part 3 conformant.

3.2 Conformance with Packages

The DBMS PP claims an evaluation assurance level of EAL2 augmented by ALC_FLR.2.

3.3 Conformance with other Protection Profiles

DBMS PP does not claim conformance to any other Protection Profile.

3.4 Conformance Statement

DBMS PP requires demonstrable conformance by an ST.

4 SECURITY PROBLEM DEFINITION

In this section, the security problem definition (SPD) for a DBMS is described. First, the informal discussion of the SPD is presented, followed by a more formal description in terms of the identified threats, policies, and assumptions that will be used to identify the specific security requirements addressed by this PP.

4.1 Informal Discussion

Given their common usage as repositories of high-value data, attackers routinely target DBMS installations for compromise. Vulnerabilities that attackers may take advantage of are:

- Design flaws and programming bugs in the DBMS and the associated programs and systems, creating various security vulnerabilities (e.g. weak or ineffective access controls) which can lead to data loss/corruption, performance degradation, etc.
- Unauthorized or unintended activity or misuse by authorized database users, or network/systems managers, or by unauthorized users or hackers (e.g. inappropriate access to sensitive data, metadata or functions within databases, or inappropriate changes to the database programs, structures or security configurations).
- Malware infections causing incidents such as unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems and the unanticipated failure of database services.
- Data corruption and/or loss caused by the entry of invalid data or commands, mistakes in database or system administration processes, sabotage/criminal damage, etc.

4.2 Assets and Threat Agents

The threats given in Section 4.3 refer to various threat agents and assets. The term "threat agent" is defined in CC Part 1.
The term "A user or a process acting on behalf of a user" used in this PP specifies a particular class of entities that can adversely act on assets.

The assets mentioned in Table 1 below are either defined in CC Part 1 [REF 1a] or in the glossary given in Appendix B of this document.

The terms "TSF data", "TSF" and "user data" are defined in CC Part 1. The terms "executable code within the TSF", "public objects", "TOE resources" and "configuration data" are given in the glossary in Appendix B of this document.

4.3 Threats

The following threats are identified and addressed by the TOE, and should be read in conjunction with the threat rationale in Section 8.1.

Compliant TOEs will provide security functionality that addresses threats to the TOE and implements policies that are imposed by law or regulation.

Table 1: Threats Applicable to the TOE

Threat | Definition
T.ACCESS_TSFDATA | A threat agent may read or modify TSF data using functions of the TOE without the proper authorization.
T.ACCESS_TSFFUNC | A threat agent may use or manage TSF, bypassing the protection mechanisms of the TSF.
T.IA_MASQUERADE | A user or a process acting on behalf of a user may masquerade as an authorized entity in order to gain unauthorized access to user data, TSF data, or TOE resources.
T.IA_USER | A threat agent may gain access to user data, TSF data, or TOE resources, with the exception of public objects, without being identified and authenticated.
T.RESIDUAL_DATA | A user or a process acting on behalf of a user may gain unauthorized access to user or TSF data through reallocation of TOE resources from one user or process to another.
T.TSF_COMPROMISE | A user or a process acting on behalf of a user may cause configuration data to be inappropriately accessed (viewed, modified or deleted), or may compromise executable code within the TSF.
T.UNAUTHORIZED_ACCESS | A threat agent may gain unauthorized access to user data for which they are not authorized according to the TOE security policy.

4.4 Organizational Security Policies

The following organizational security policies are addressed by PP-conformant TOEs:

Table 2: Policies Applicable to the TOE

Policy | Definition
P.ACCOUNTABILITY | The authorized users of the TOE shall be held accountable for their act
