FireEye XAgent Application Security Target


FireEye xAgent Application Security Target
Acumen Security, LLC.
Document Version: 1.0

Table Of Contents

1 Security Target Introduction
1.1 Security Target and TOE Reference
1.2 TOE Overview
1.3 TOE Architecture
1.3.1 Physical Boundaries
1.3.2 Security Functions provided by the TOE
1.3.2.1 Cryptographic Support
1.3.2.2 Secure Software Update
1.3.2.3 Protection of the TSF
1.3.2.4 Trusted Path/Channels
1.3.3 TOE Documentation
1.3.4 Other References
2 Conformance Claims
2.1 CC Conformance
2.2 Protection Profile Conformance
2.3 Conformance Rationale
2.3.1 Technical Decisions
3 Security Problem Definition
3.1 Threats
3.2 Assumptions
3.3 Organizational Security Policies
4 Security Objectives
4.1 Security Objectives for the TOE
4.2 Security Objectives for the Operational Environment
5 Security Requirements
5.1 Conventions
5.2 Security Functional requirements
5.2.1 Cryptographic Support (FCS)
5.2.2 User Data Protection (FDP)
5.2.3 Identification and Authentication (FIA)
5.2.4 Security Management (FMT)
5.2.5 Protection of TSF (FPT)
5.2.6 Trusted Path/Channel (FTP)
5.3 TOE SFR Dependencies Rationale for SFRs
5.4 Security Assurance Requirements
5.5 Rationale for Security Assurance Requirements
5.6 Assurance Measures
6 TOE Summary Specification
6.1 ANSI X9.31 1998 Conformance

Revision History

Version   Date        Description
1.0       July 2016   Publication

1 Security Target Introduction

1.1 Security Target and TOE Reference

This section provides information needed to identify and control this ST and its TOE.

Category               Identifier
ST Title               FireEye Endpoint Agent Security Target
ST Version             1.0
ST Date                July 2016
ST Author              Acumen Security, LLC.
TOE Identifier         FireEye Endpoint Agent
TOE Software Version   21
TOE Developer          FireEye, Inc.
Key Words              Software

Table 1 TOE/ST Identification

1.2 TOE Overview

The TOE is a software agent that resides on a host platform. The software exclusively interacts with the NIAP validated FireEye HX Series Appliances (NIAP VID 10675). This interaction consists of the TOE receiving policies from an external HX series appliance (validated separately) and sending back any alerts raised by the scans those policies drive. This is done via polling. The TOE is an enterprise managed agent that runs in the background of an endpoint platform. It is intended that the user will have no interaction with the software and will not be notified of communications with the external HX appliance.

The frequency at which the agent communicates with the HX appliance is set by the enterprise. By default, each agent polls the HX appliance every 600 seconds (10 minutes) to obtain information and task requests, and polls the appliance every 30 minutes to obtain the latest indicators. When new policies are received, they are used to identify potential intrusions on the host platform.

1.3 TOE Architecture

1.3.1 Physical Boundaries

The TOE boundary is the application software which runs on the host platform. The software is pushed to the host platform from a FireEye HX series appliance and installs natively as a kernel and user space application. The software runs on Microsoft Operating Systems.
The following Operating Systems are included in this evaluation:

- Windows 7 (SP1) x64 running on an Intel Xeon processor
- Windows 7 (SP1) x32 running on an Intel Xeon processor
- Windows Server 2012R2 x64 running on an Intel Xeon processor
- Windows Server 2008R2 (SP1) x64 running on an Intel Xeon processor
- Windows 10 x64 running on an Intel Xeon processor
- Windows 10 x32 running on an Intel Xeon processor

1.3.2 Security Functions provided by the TOE

The TOE provides the security functionality required by [SWAPP].

1.3.2.1 Cryptographic Support

The TOE provides cryptographic support for the following features:

- TLS connectivity with the following entities:
  - HX Series Appliance (NIAP VID 10675)
- Digital certificate generation

The cryptographic services provided by the TOE are described below.

Cryptographic Method     Use within the TOE
RSA Signature Services   Used in TLS session establishment. Used in secure software update.
SP 800-90 DRBG           Used in TLS session establishment. Used in digital certificate generation.
SHS                      Used in secure software update. Used in digital certificate generation.
HMAC-SHS                 Used to provide TLS traffic integrity verification.
AES                      Used to encrypt TLS traffic. Secure certificate storage.

Table 2 TOE Provided Cryptography

Each of these cryptographic algorithms has been validated for conformance to the requirements specified in its respective standard, as identified below. Each of these algorithms is implemented as part of the OpenSSL cryptographic library, version 1.0.1.

Algorithm        Standard                                             CAVP Certificate #   Processor
RSA              FIPS PUB 186-4 (Signature generation/verification)   Cert. #1976, 1977    Intel Xeon
SP 800-90 DRBG   SP 800-90                                            Cert. #1103, 1104    Intel Xeon
SHS              FIPS Pub 180-4                                       Cert. #3194, 3195    Intel Xeon
HMAC-SHS         FIPS Pub 198-1, FIPS Pub 180-4                       Cert. #2517, 2518    Intel Xeon
AES              NIST SP 800-38A                                      Cert. #3873, 3874    Intel Xeon

Table 3 CAVP Algorithm Testing References

1.3.2.2 Secure Software Update

The TOE is distributed as a Microsoft .MSI file, providing consistent and reliable versioning. After initial installation, all updates to the xAgent are distributed as .MSI files. Each TOE installation and update is signed by FireEye and can only come from the HX Series appliance associated with the TOE.

1.3.2.3 Protection of the TSF

The TOE employs several mechanisms to ensure that it is secure on the host platform. The TOE never allocates memory with both write and execute permission.
The TOE is designed to operate in an environment in which the following security techniques are in effect:

- Data execution prevention
- Mandatory address space layout randomization (no memory map to an explicit address)
- Structured exception handler overwrite protection
- Export address table access filtering
- Anti-Return Oriented Programming
- SSL/TLS certificate trust pinning

This allows the TOE to operate in an environment in which the Enhanced Mitigation Experience Toolkit is also running. During compilation the TOE is built with several flags enabled that check for engineering flaws. The TOE is built with the /GS flag enabled, which reduces the possibility of stack-based buffer overflows in the product.

1.3.2.4 Trusted Path/Channels

The TOE receives scanning policies from the associated HX Series appliance over the network and applies them on the host platform. This connection is always secured using TLS.

1.3.3 TOE Documentation

- [ST] FireEye xAgent Application Security Target, version 1.0
- [AGD] Common Criteria FireEye Endpoint Agent Addendum, Release 21

1.3.4 Other References

Protection Profile for Application Software, version 1.1, dated 05 November 2014 [SWAPP].
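Section 1.3.2.2 states that every installation and update package is signed by FireEye and accepted only from the associated appliance. The agent-side check that statement implies is: hash the package, verify the signature under a publisher key the agent already holds, and refuse everything else. The Go program below is an added illustration of that check and is not FireEye's code; the TOE's own mechanism is the signed .MSI described above, whereas this example uses a freshly generated RSA key pair as a constructed stand-in for the publisher's key, a constructed installer body, and a constructed package layout. It shows a genuine package passing and three packages an agent must reject: a body altered after signing, a package signed by a key the agent was never told to trust, and a file that is not an MSI at all.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oleMagic is the compound-file header that every .MSI installer begins with.
var oleMagic = []byte{0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1}

// updatePackage models an installer with a detached signature over it.
// The layout is constructed for this example and is not the TOE's package format.
type updatePackage struct {
	Name      string
	Body      []byte // installer bytes
	Signature []byte // RSA PKCS#1 v1.5 signature over SHA-256(Body)
}

var (
	errNotMSI       = errors.New("body is not an MSI compound file")
	errBadSignature = errors.New("signature does not verify under the pinned publisher key")
)

// signPackage is the publisher side: hash the installer and sign the digest.
func signPackage(priv *rsa.PrivateKey, name string, body []byte) (updatePackage, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return updatePackage{}, err
	}
	return updatePackage{Name: name, Body: body, Signature: sig}, nil
}

// verifyPackage is the agent side. Only a signature made with the pinned publisher
// key is accepted; a valid signature from any other key fails just like a tampered body.
func verifyPackage(pinned *rsa.PublicKey, pkg updatePackage) error {
	if !bytes.HasPrefix(pkg.Body, oleMagic) {
		return fmt.Errorf("%s: %w", pkg.Name, errNotMSI)
	}
	digest := sha256.Sum256(pkg.Body)
	if err := rsa.VerifyPKCS1v15(pinned, crypto.SHA256, digest[:], pkg.Signature); err != nil {
		return fmt.Errorf("%s: %w", pkg.Name, errBadSignature)
	}
	return nil
}

// outcomes collects the verification result of each constructed scenario.
type outcomes struct {
	Genuine, Tampered, WrongSigner, NotMSI error
}

// runScenarios signs a constructed installer with the publisher key and verifies it
// alongside three packages an agent must refuse.
func runScenarios() (outcomes, error) {
	publisher, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the publisher's signing key
	if err != nil {
		return outcomes{}, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048) // a key the agent has never been told to trust
	if err != nil {
		return outcomes{}, err
	}
	body := append(append([]byte{}, oleMagic...), []byte("constructed installer body, agent release 21")...)
	genuine, err := signPackage(publisher, "agent-21.msi", body)
	if err != nil {
		return outcomes{}, err
	}
	tampered := genuine
	tampered.Body = append([]byte{}, body...)
	tampered.Body[len(tampered.Body)-1] ^= 0x01 // one bit flipped after signing
	wrongSigner, err := signPackage(impostor, "agent-21.msi", body)
	if err != nil {
		return outcomes{}, err
	}
	notMSI, err := signPackage(publisher, "notes.txt", []byte("plain text, not an installer"))
	if err != nil {
		return outcomes{}, err
	}
	pinned := &publisher.PublicKey
	return outcomes{
		Genuine:     verifyPackage(pinned, genuine),
		Tampered:    verifyPackage(pinned, tampered),
		WrongSigner: verifyPackage(pinned, wrongSigner),
		NotMSI:      verifyPackage(pinned, notMSI),
	}, nil
}

func main() {
	res, err := runScenarios()
	fmt.Printf("setup error: %v\n%+v\n", err, res)
}
```

The WrongSigner case is the one that matters for "can only come from the HX Series appliance associated with the TOE": a check that accepts any syntactically valid signature would pass it, so the agent must verify against a pinned publisher key rather than merely confirm that some signature is present.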

2 Conformance Claims

2.1 CC Conformance

This TOE is conformant to:

- Common Criteria for Information Technology Security Evaluations Part 1, Version 3.1, Revision 4, September 2012
- Common Criteria for Information Technology Security Evaluations Part 2, Version 3.1, Revision 4, September 2012: Part 2 extended
- Common Criteria for Information Technology Security Evaluations Part 3, Version 3.1, Revision 4, September 2012: Part 3 extended

2.2 Protection Profile Conformance

This TOE is conformant to:

- Protection Profile for Application Software, version 1.1, dated 05 November 2014 [SWAPP].

2.3 Conformance Rationale

This Security Target provides exact conformance to the Protection Profile for Application Software, version 1.1. The security problem definition, security objectives and security requirements in this Security Target are all taken from the Protection Profile, performing only operations defined there.

2.3.1 Technical Decisions

The following Technical Decisions have been considered for this evaluation:

- TD0073: Additional Option to meet FPT_TUD_EXT.1.2 in App PP v1.1
- TD0072: FIA_X509_EXT.1.1 Certificate Depth in App PP v1.1
- TD0070: Assurance Activity Clarification for FCS_RGB_EXT.1 in Software Application PP
- TD0054: Clarification of FPT_API_EXT.1.1 Requirement in APP PP v1.1
- TD0051: Android Implementation of TLS in App PP v1.1
- TD0050: FMT_CFG_EXT.1.2 Change in APP SW PPv1.1
- TD0025: Update to FCS_COP.1(2)
- TD0024: Application Settings Clarification for FMT_MEC_EXT.1

3 Security Problem Definition

The security problem definition has been taken from [SWAPP] and is reproduced here for the convenience of the reader. The security problem is described in terms of the threats that the TOE is expected to address, assumptions about the operational environment, and any organizational security policies that the TOE is expected to enforce.

3.1 Threats

The following threats are drawn directly from the SWAPP.

ID: T.NETWORK_ATTACK
Threat: An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may engage in communications with the application software or alter communications between the application software and other endpoints in order to compromise it.

ID: T.NETWORK_EAVESDROP
Threat: An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may monitor and gain access to data exchanged between the application and other endpoints.

ID: T.LOCAL_ATTACK
Threat: An attacker can act through unprivileged software on the same computing platform on which the application executes. Attackers may provide maliciously formatted input to the application in the form of files or other local communications.

ID: T.PHYSICAL_ACCESS
Threat: An attacker may try to access sensitive data at rest.

Table 4 Threats

3.2 Assumptions

The following assumptions are drawn directly from the SWAPP.

ID: A.PLATFORM
Assumption: The TOE relies upon a trustworthy computing platform for its execution. This includes the underlying platform and whatever runtime environment it provides to the TOE.

ID: A.PROPER_USER
Assumption: The user of the application software is not willfully negligent or hostile, and uses the software in compliance with the applied enterprise security policy.

ID: A.PROPER_ADMIN
Assumption: The administrator of the application software is not careless, willfully negligent or hostile, and administers the software within compliance of the applied enterprise security policy.

Table 5 OSPs

3.3 Organizational Security Policies

There are no OSPs for the application.

4 Security Objectives

The security objectives have been taken from [SWAPP] and are reproduced here for the convenience of the reader.

4.1 Security Objectives for the TOE

The following security objectives for the TOE were drawn directly from the SWAPP.

ID: O.INTEGRITY
TOE Objective: Conformant TOEs ensure the integrity of their installation and update packages, and also leverage execution environment-based mitigations. Software is seldom if ever shipped without errors, and the ability to deploy patches and updates to fielded software with integrity is critical to enterprise network security. Processor manufacturers, compiler developers, execution environment vendors, and operating system vendors have developed execution environment-based mitigations that increase the cost to attackers by adding complexity to the task of compromising systems. Application software can often take advantage of these mechanisms by using APIs provided by the runtime environment or by enabling the mechanism through compiler or linker options.
Addressed by: FDP_DEC_EXT.1, FMT_CFG_EXT.1, FPT_AEX_EXT.1, FPT_TUD_EXT.1

ID: O.QUALITY
TOE Objective: To ensure quality of implementation, conformant TOEs leverage services and APIs provided by the runtime environment rather than implementing their own versions of these services and APIs. This is especially important for cryptographic services and other complex operations such as file and media parsing. Leveraging this platform behavior relies upon using only documented and supported APIs.
Addressed by: FMT_MEC_EXT.1, FPT_API_EXT.1, FPT_LIB_EXT.1

ID: O.MANAGEMENT
TOE Objective: To facilitate management by users and the enterprise, conformant TOEs provide consistent and supported interfaces for their security-relevant configuration and maintenance. This includes the deployment of applications and application updates through the use of platform-supported deployment mechanisms and formats, as well as providing mechanisms for configuration.
Addressed by: FMT_SMF.1, FPT_IDV_EXT.1, FPT_TUD_EXT.1.5

ID: O.PROTECTED_STORAGE
TOE Objective: To address the issue of loss of confidentiality of user data in the event of loss of physical control of the storage medium, conformant TOEs will use data-at-rest protection. This involves encrypting data and keys stored by the TOE in order to prevent unauthorized access to this data.
Addressed by: FDP_DAR_EXT.1, FCS_STO_EXT.1, FCS_RBG_EXT.1

ID: O.PROTECTED_COMMS
TOE Objective: To address both passive (eavesdropping) and active (packet modification) network attack threats, conformant TOEs will use a trusted channel for sensitive data. Sensitive data includes cryptographic keys, passwords, and any other data specific to the application that should not be exposed outside of the application.
Addressed by: FTP_DIT_EXT.1, FCS_TLSC_EXT.1, FCS_DTLS_EXT.1, FCS_RBG_EXT.1

Table 6 Objectives for the TOE
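O.PROTECTED_COMMS above, the SSL/TLS certificate trust pinning listed in section 1.3.2.3 and the TLS-secured channel of section 1.3.2.4 all describe one client behaviour: the agent completes the handshake only when the appliance's certificate chains to a root it already trusts, and aborts otherwise. The Go program below is an added illustration of that behaviour; it is not FireEye code and not the TOE's OpenSSL-based implementation. It generates a throwaway self-signed certificate as a constructed stand-in for the HX appliance, serves TLS on loopback, and shows a client pinned to that certificate connecting while a client pinned to a different, equally constructed root rejects the same server. The names `hx-appliance.example` and `unrelated-ca.example` are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds a throwaway self-signed certificate for 127.0.0.1 (constructed stand-in, not FireEye's).
func newSelfSignedCert(cn string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// serveOnce accepts one connection, runs the server side of the handshake and reports its result.
func serveOnce(ln net.Listener, done chan<- error) {
	conn, err := ln.Accept()
	if err != nil {
		done <- err
		return
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	done <- conn.(*tls.Conn).Handshake()
}

// connectPinned is the agent side: the only trust anchor is the pinned certificate,
// so a server certificate that does not chain to it aborts the handshake.
func connectPinned(addr string, pinned *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(pinned)
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12})
	if err != nil {
		return err
	}
	return conn.Close()
}

// demo reports whether the correctly pinned client connected and whether a client
// pinned to an unrelated root rejected the same server as an unknown authority.
func demo() (bool, bool, error) {
	srvCert, applianceRoot, err := newSelfSignedCert("hx-appliance.example (constructed)")
	if err != nil {
		return false, false, err
	}
	_, otherRoot, err := newSelfSignedCert("unrelated-ca.example (constructed)")
	if err != nil {
		return false, false, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srvCert}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return false, false, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go serveOnce(ln, done)
	pinnedOK := connectPinned(ln.Addr().String(), applianceRoot) == nil
	<-done
	go serveOnce(ln, done)
	var unknown x509.UnknownAuthorityError
	rogueRejected := errors.As(connectPinned(ln.Addr().String(), otherRoot), &unknown)
	<-done
	return pinnedOK, rogueRejected, nil
}

func main() {
	ok, rejected, err := demo()
	fmt.Println("pinned client connected:", ok, "| wrong-root client rejected server:", rejected, "| setup error:", err)
}
```

The client never consults the platform's default trust store: `RootCAs` holds exactly one certificate, so an otherwise valid certificate issued by a public CA is treated the same as a forged one. That is the property that lets a pinned client defeat the active-attacker case of T.NETWORK_ATTACK rather than only the passive eavesdropping case.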

4.2 Security Objectives for the Operational Environment

The following security objectives for the operational environment assist the TOE in correctly providing its security functionality. These track with the assumptions about the environment.

ID: OE.PLATFORM
Objective for the Operational Environment: The TOE relies upon a trustworthy computing platform for its execution. This includes the underlying operating system and any discrete execution environment provided to the TOE.

ID: OE.PROPER_USER
Objective for the Operational Environment: The user of the application software is not willfully negligent or hostile, and uses the software within compliance of the applied enterprise security policy.

ID: OE.PROPER_ADMIN
Objective for the Operational Environment: The administrator of the application software is not careless, willfully negligent or hostile, and administers the software within compliance of the applied enterprise security policy.

Table 7 Objectives for the environment

5 Security Requirements

This section identifies the Security Functional Requirements for the TOE and/or Platform. The Security Functional Requirements included in this section are derived from Part 2 of the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, dated September 2012, and all international interpretations.

Requirement       Auditable Event
FCS_CKM_EXT.1     Cryptographic Key Generation Services
FCS_CKM.1         Cryptographic Key Generation
FCS_CKM.2         Cryptographic Key Establishment
FCS_COP.1(1)      Cryptographic Operation - Encryption/Decryption
FCS_COP.1(2)      Cryptographic Key Establishment
FCS_COP.1(3)      Cryptographic Operation - Encryption/Decryption
FCS_COP.1(4)      Cryptographic Operation - Signing
FCS_RBG_EXT.1     Cryptographic Operation - Keyed-Hash Message Authentication
FCS_RBG_EXT.2     Random Bit Generation from Application
FCS_STO_EXT.1     Storage of Secrets
FCS_TLSC_EXT.1    TLS Client Protocol
FDP_DEC_EXT.1     Access to Platform Resources
FDP_DAR_EXT.1     Encryption Of Sensitive Application Data
FIA_X509_EXT.1    X.509 Certificate Validation
FIA_X509_EXT.2    X.509 Certificate Authentication
FMT_MEC_EXT.1     Supported Configuration Mechanism
FMT_CFG_EXT.1     Secure by Default Configuration
FMT_SMF.1         Specification of Management Functions
FPT_API_EXT.1     Use of Supported Services and APIs
FPT_AEX_EXT.1     Anti-Exploitation Capabilities
FPT_TUD_EXT.1     Integrity for Installation and Update
FPT_LIB_EXT.1     Use of Third Party Libraries
FTP_DIT_EXT.1     Protection of Data in Transit

Table 8 SFRs

5.1 Conventions

The CC defines operations on Security Functional Requirements: assignments, selections, assignments within selections and refinements. This document uses the following font conventions to identify the operations defined by the CC:

- Assignment: Indicated with italicized text;
- Refinement: Indicated with bold text;
- Selection: Indicated with underlined text;
- Iteration: Indicated by appending the iteration number in parenthesis, e.g., (1), (2), (3).

Where operations were completed in the PP itself, the formatting used in the PP has been retained. Explicitly stated SFRs are identified by having a label ‘EXT’ after the
