Commercial Database Management System Protection Profile: (C.Dbms PP)
Commercial Database Management System Protection Profile: (C.Dbms PP)
Commercial Database
Management System
Protection Profile
(C.DBMS PP)
March 1998
Issue 1.0
Common Commercial Database Management System
Protection Profile
Criteria
1 Introduction ....................................................................... 1
1.1 Identification of Protection Profile .................................... 1
1.2 Protection Profile Overview ............................................... 1
7 Rationale ........................................................................... 18
7.1 Security Objectives Rationale ........................................... 18
7.2 Security Requirements Rationale ......................................19
7.3 Strength of Functions Rationale ....................................... 23
7.4 Security Assurance Rationale ........................................... 23
iv March 1998
Issue 1.0
Common Commercial Database Management System
Protection Profile
Criteria
1 Introduction
1.1 Identification of Protection Profile
1 This is the first definitive issue of the Commercial Database Managemen Sys-
tem Protection Profile and is dated 19th March 1998. This version is intended to
be compliant with Issue 2.0 of the CC.
3 Security Environment
3.1 Threats
3.1.1 IT Assets and Threat Agents
10 The IT assets requiring protection comprise the information stored within the
database, the confidentiality, integrity or availability of which could be compro-
mised.
11 The threat agents are:
Outsiders Persons who are not authorised users of the underlying operating system and/or
network services (and hence cannot be authorised users of the TOE);
System Users Persons who are authorised users of the underlying operating system and/or
network services. System users may be:
a) system users who are not authorised database users; or
b) system users who are authorised database users.
External Events Interruptions to operations arising from failures of hardware, power supplies,
storage media, etc.
12 It is intended that all threats arising from outsiders are countered by technical
security measures provided by the underlying operating system and/or network
services, in conjunction with appropriate non-technical security measures. How-
ever, it is necessary to consider threats arising from outsiders in order to show
that the TOE can be adequately protected from these threats by the underlying
platform.
13 There are two forms of attack that might be carried out:
a) Unauthorised access to objects, resources and services; and
b) Impersonation.
14 The assumed threats to security are specified below. Each threat statement iden-
tifies a means by which the IT assets requiring protection might be compro-
mised. These threats will be countered by technical security measures provided
by the TOE, in conjunction with technical security measures provided by an
underlying secure platform (comprising a secure operating system and/or net-
work services) and appropriate non-technical security measures (personnel, pro-
cedural and physical measures) in the environment.
3.1.2 Threats countered by the DBMS and its IT environment
T.ACCESS Unauthorised Access to the Database. An outsider or system user who is not
(currently) an authorised database user accesses the database.
15 This threat includes:
a) A person, who may or may not be an authorised database user, accesses the
database, by impersonating an authorised database user (including an
authorised user impersonating a different user who has different - possibly
more privileged - access rights); and
b) A person, who may or may not be a database user accesses the database
anonymously (for example, accesses a remote database under a user id
shared with user users of the link or gains access to the database files via
the host operating system and thereby bypasses the DBMS altogether); this
also includes passive attacks (e.g. monitoring of network traffic).
T.DATA Unauthorised Access to Information. An authorised database user accesses
information contained within a database without the permission of the user who
owns or who has responsibility for protecting the data.
16 This threat includes unauthorised access to database information, residual infor-
mation held in memory or storage resources returned to the TOE, or database
control data.
T.RESOURCE Excessive Consumption of Resources. An authorised database user consumes
global database resources, in a way which compromises the ability of other
authorised users to access the database.
17 This represents a threat to the availability of the information held within a data-
base.
T.ATTACK Undetected Attack. An undetected compromise of the IT assets occurs as a result
of an attacker (whether an authorised user of the database or not) attempting to
perform actions that the individual is not authorised to perform.
18 This threat is included because, whatever countermeasures are provided to
address the other threats, there is still a residual threat of a violation of the secu-
rity policy occurring by attackers attempting to defeat those countermeasures.
T.ABUSE Abuse of Privilege. An undetected compromise of the IT assets occurs as a result
of an authorised database user (intentionally or otherwise) performing actions the
individual is authorised to perform.
19 This threat is included because, whatever countermeasures are provided to
address the other threats, there is still a residual threat of a violation of the secu-
rity policy occurring, or the IT assets being placed at risk, as a result of actions
taken by authorised users of the database. For example, an authorised database
user could perform actions which could consume excessive resources, prevent-
ing other authorised database users from legitimately accessing data, resources
and services in a timely manner. Such attacks may be malicious, inconsiderate
or careless, or the user may simply be unaware of the potential consequences of
his actions. The impact of such attacks on system availability and reliability
would be greatly amplified by multiple users acting concurrently.
20 Note that this threat does not extend to highly trusted users: see the threat
T.TRUSTED below.
3.1.3 Threats countered by the Operating Environment
T.OPERATE Insecure Operation. Compromise of the IT assets may occur because of improper
configuration, administration, and/or operation of the composite system.
T.CRASH Abrupt Interruptions. Abrupt interruptions to the operation of the TOE may cause
security related data, such as database control data and accounting data, to be lost
or corrupted. Such interruptions may arise from human error (see also
T.OPERATE) or from failures of software, hardware, power supplies, or storage
media.
T.BADMEDIA Corrupted Storage Media. Corruption of storage media may cause security related
data, such as database control data and accounting data, to be lost or corrupted.
Storage media include on-line storage (e.g. for database files and on-line
transaction logs) and off-line or archival storage (e.g. for database backups and
audit archives). Such failures may arise from aging of storage media, or from
improper storage or handling of removable media.
T.PHYSICAL Physical Attack. Security-critical parts of the TOE or the underlying operating
system and/or network services may be subjected to physical attack which could
compromise security.
T.TRUSTED Abuse of Privilege by Trusted Users. The IT assets cannot be reliably protected
by the TOE from highly trusted users who abuse the privileges they are granted.
This limits the scope of the threat T.ABUSE defined in the preceding section.
Procedural measures are required to ensure that these highly trusted users can
indeed be trusted not to abuse their privileges.
A.PEER Any other systems with which the TOE communicates are assumed to be under
the same management control and operate under the same security policy
constraints.
A.FILES All of the database-related files and directories (including executables, run-time
libraries, database files, export files, redo log files, control files, trace files, and
dump files) are protected from unauthorised access by the operating system DAC
mechanisms.
3.3.2 Physical Assumptions
A.LOCATE The processing resources of the TOE, the underlying operating system and/or
underlying network services are located within controlled access facilities which
will prevent unauthorised physical access.
A.PROTECT The hardware and software critical to security policy enforcement is physically
protected from unauthorised modification by potentially hostile outsiders.
3.3.3 Personnel Assumptions
A.ACCESS The underlying operating system and/or secure network services are configured
such that only the approved group of users for which the system is to be accredited
has access to the system.
A.MANAGE There will be one or more competent individuals assigned to manage the TOE and
the security of the information it contains, and can be trusted not to abuse their
privileges.
4 Security Objectives
4.1 IT Security Objectives
21 This section defines the IT security objectives that are to be satisfied by the TOE
in combination with the IT security environment.
O.I&A The TOE, with or without support from the underlying operating system, must
provide the means of identifying and authenticating users of the TOE.
22 Note that this security objective explicitly allows identification and authentica-
tion of users to be performed either by the TOE or by the underlying operating
system.
O.ACCESS The TOE must provide end-users and administrators with the capability of
controlling and limiting access, by identified individuals, to the data or resources
they own or are responsible for, in accordance with the P.ACCESS security policy.
To this end the TOE has the following more specific objectives:
O.ACCESS.DO The TOE must prevent the unauthorised or undesired
disclosure, entry, modification, or destruction of data and
data objects, in order to allow users who own or are
responsible for data to control the access to that data by other
authorised database users.
O.ACCESS.DA The TOE must prevent the unauthorised or undesired
disclosure, entry, modification, or destruction of specified
aggregations of data.
O.ACCESS.DC The TOE must prevent the unauthorised or undesired
disclosure, entry, modification, or destruction of database
control data or database accountability data.
O.ACCESS.REUSE The TOE must prevent unauthorised access to residual data
remaining in objects and resources following the use of those
objects and resources.
O.AUDIT The TOE must provide the means of recording security relevant events in
sufficient detail to help an administrator of the TOE to:
a) detect attempted security violations, or potential misconfiguration of the
TOE security features that would leave the IT assets open to compromise;
and
b) hold individual users accountable for any actions they perform that are
relevant to the security of the database.
O.RESOURCE The TOE must provide the means of controlling the consumption of global
resources by specified users of the TOE, including the number of concurrent
sessions.
O.ADMIN The TOE, where necessary in conjunction with the underlying operating system,
must provide functions to enable an authorised administrator to effectively
manage the TOE and its security functions, ensuring that only authorised
administrators can access such functionality.
O.MEDIA Those responsible for the TOE must ensure that the confidentiality, integrity and
availability of data held on storage media is adequately protected. In particular:
a) The on-line and off-line storage media on which database and security
related data (such as operating system backups, database backups and
transaction logs, and audit trails) must not be physically removable from
the underlying platform by unauthorised users.
b) The on-line and off-line storage media must be properly stored and
maintained, and routinely checked to ensure the integrity and availability
of the security related data.
c) The media on which database-related files (including database files, export
files, redo log files, control files, trace files, and dump files) have been stored
shall be purged prior to being re-used for any non-database purpose.
This objective counters threat T.BADMEDIA and maps onto environmental
assertion A.MANAGE.
5 IT Security Requirements
5.1 TOE IT Security Functional Requirements
24 The following table lists the functional components included in this PP.
Component Name
FIA_UID.1 Timing of Identification (refined)
FIA_ATD.1 Unique User Attribute Definition
FIA_USB.1 User-Subject Binding
FDP_ACC.1 Subset Object Access Control
FDP_ACF.1 Single Security Attribute Access Control
FDP_RIP.1 Subset Residual Information Protection
FMT_MSA.1 Basic User Attribute Administration
FMT_MSA.3 Static Attribute Initialisation
FMT_MTD.1 Management of TSF data
FMT_SMR.1 Security Management Roles
FMT_REV.1 Basic Revocation
FRU_RSA.1 Maximum Quotas
FTA_MCS.1 Basic Limitation on Multiple Concurrent Sessions
FAU_GEN.1 Audit Data Generation
FAU_GEN.2 User Identity Generation
FAU_SAR.1 Audit Review
FAU_SAR.3 Selectable Audit Review
FAU_SEL.1 Selective Audit
FAU_STG.1 Permanent Audit Trail Storage
Table 1: List of Security Functional Components
25 Note: FIA_UID.1 and FIA_UID.2 were integrated into FIA_UID.2 as the con-
cept of unique identification of users was no longer recognised in the CC.
FIA_UID.3 has become FIA_UID.1 as this was observed to provide a more
secure generic set of controls over actions permitted before identification
occurred.
FIA_ATD. 1.1 The TSF shall maintain privileges, roles, resource limits [assignment: additional
security attributes as specified by ST author] belonging to individual users.
Note: It is necessary to maintain a set of privileges, roles and resource limits for
each user in order to support the SFRs in this PP, other security attributes (for
example authentication credentials) may be required.
Note: part of the functionality provided by FIA_ATD and FIA_ATA have been
moved to the new FMT class.
FIA_USB.1.1 The TSF shall associate the appropriate user security attributes with subjects
acting on behalf of that user.
5.1.2 Security Attribute Based Access Control
FDP_ACC.1.1 The TSF shall enforce the database object access control SFP on:
a) subjects;
b) named objects;
c) all permitted operations on named objects by a subject.
FDP_ACF.1.1 The TSF shall enforce the database object access control SFP to objects based on:
a) the identity of the user associated with the database session and the
privileges (user or object specific) which are effective for the database
session;
b) the identity of the owner of the object and the object privileges which have
been granted on the object.
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among
controlled subjects and objects is allowed:
a) if the user is the owner of the object then the requested access is allowed;
b) if the database session has the necessary object privileges effective for the
object then the requested access is allowed;
c) if the user has a privilege enabling override of the object access controls
then the requested access is allowed;
d) otherwise access is denied.
FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made
unavailable upon the allocation of a resource to [assignment: list of objects
specified by the ST author].
FMT_MSA.1 All requests to use the user attribute Identification of the user
administration functions attributes modified
FIA_UID.1 All attempts to use the user identifica- User identity provided
tion mechanism
6 PP Application notes
6.1 Transaction Concurrency and Integrity
40 Early drafts of this PP contained a generic threat against database integrity, how-
ever it became clear that the rollback function FDP_ROL in CC Part 2 was inad-
equate of itself to counter this threat.
41 We did not wish however, to embark on a full scale implementation of all the
additional SFRs which would be needed to counter a generic threat, addressing
for example:
• referential integrity;
• transaction atomicity; and
• database recovery.
42 These issues have not yet featured in a security evaluation to date and it was felt
inappropriate to introduce them at this time. Therefore the threat, objective and
FDP_ROL SFR have been deleted from this issue.
43 We recommend that (in the absence of appropriate functionality in Part 2 of the
CC) the ST author considers carefully whether to include appropriate IT security
functions and SFRs written using CC Part 2 functional components ‘as a model
for presentation’(as per ASE_REQ.1.6C in CC Part 3).
7 Rationale
7.1 Security Objectives Rationale
44 This section provides a demonstration of why the identified security objectives
(section 3) are suitable to counter the identified threats and meet the stated secu-
rity policies (section 2).
45 The table below correlates the IT security objectives to each of the threats and
security policies, showing that each threat is countered by at least one IT secu-
rity objective, and that each security policy is satisfied by at least one IT security
objective. In Table 3, a YES indicates that the identified IT security objective is
relevant to the identified threat or security policy.
P.ACCESS YES
FIA_UID.1 YES
FDP_ACC.1 YES
FDP_ACF.1 YES
FDP_RIP.1 YES
FMT_MSA.3 YES
FMT_MTD.1 YES
FMT_SMR.1 YES
FMT_REV.1 YES
FRU_RSA.1 YES
FTA_MCS.1 YES
FAU_GEN.1 YES
FAU_GEN.2 YES
FAU_SAR.1 YES
FAU_SAR.3 YES
FAU_SEL.1 YES
FAU_STG.1 YES
tents of the audit trail, whilst FAU_SEL.2 provides the ability to select which
events are to be audited.
56 O.RESOURCE is provided by:
a) FRU_RSA.1, which provides the means of controlling consumption of
resources by individual users (supported by FIA_USB.1 in conjunction with
FIA_ATD.1); and
b) FTA_MCS.1, which provides the means of controlling the number of
multiple concurrent sessions a user may have.
57 O.ADMIN is directly provided by FMT_SMR.1, which provides essential
administrative functionality which is restricted to authorised administrators.
FIA_USB.1, in conjunction with FIA_ATD.1, provides support by ensuring that
the security attributes of users are associated with subjects acting on the user’s
behalf. FIA_ATA.1 is also relevant, providing the administrator with the means
of initialising user security attributes.
7.2.2 Dependency Analysis
58 The following table demonstrates that all dependencies of functional compo-
nents are satisfied (note that ‘(H)’indicates the dependency is satisfied through
the inclusion of a component that is hierarchical to the one required).
Component Dependency
Component Dependencies
Reference Reference
1 FIA_UID.1 - -
2 FIA_ATD.1 - -
3 FIA_USB.1 FIA_ATD.1 2
4 FDP_ACC.1 FDP_ACF.1 5
5 FDP_ACF.1 FDP_ACC.1 4
FMT_MSA.3 8
6 FDP_RIP.1 - -
7 FMT_MSA.1 FDP_ACC.1 4
FMT_SMR.1 11
8 FMT_MSA.3 ADV_SPM.1 note a)
FMT_MSA.1 7
FMT_SMR.1 11
9 FMT_MTD.1 FMT_SMR.1 11
10 FMT_REV.1 FMT_SMR.1 11
Component Dependency
Component Dependencies
Reference Reference
11 FMT_SMR.1 FIA_UID.1 1
12 FRU_RSA.1 - -
13 FTA_MCS.1 FIA_UID.1 1
15 FAU_GEN.2 FAU_GEN.1 14
FIA_UID.1 1
16 FAU_SAR.1 FAU_GEN.1 14
17 FAU_SAR.3 FAU_SAR.1 16
18 FAU_SEL.1 FAU_GEN.1 14
19 FAU_STG.1 FAU_GEN.1 14
59 The following dependencies are not satisfied in this PP because they are not
considered relevant to the threat:
a) ADV_SPM.1 is not an EAL3 assurance component, and therefore this
dependency has been omitted. Note that because FMT_MSA.3 is a
dependency of FDP_ACF.1 this would appear to rule out evaluating
anything with access control below EAL4! A CCOR has been raised
(#1246), which the CCIB appear to have accepted;
b) FPT_STM.1 has not been included since it is considered a matter for the
host operating system to provide the reliability of the time stamps used for
the TSF. Accordingly the IT environment section has been updated to
include this requirement.
60 It is asserted that EAL3 constitutes a set of assurance requirements for which
component dependencies are known to be satisfied. Hence no detailed depend-
ency analysis is required for such components.
for such a product. In practice it is expected that some products may seek assur-
ance to higher levels, and this will be reflected in the Security Target.
65 It should be noted that the possibility of tampering and bypass will be addressed
as part of the assurance requirements (e.g. vulnerability analysis AVA_VLA).
The role of supporting mechanisms provided by the host operating system will
be addressed also in ADV_HLD.2.