@@ -451,8 +451,6 @@ The following risks are delegated by the VPN product to other components within
## 4.7 Use cases
### 4.7.1 Description of use cases
This list of use cases is an informative resource to the manufacturer to simplify choosing a set of security requirements. It is not an exhaustive list, and deployments may cross over more than one use.
See [i.3] for formal definitions of micro, small, and medium-sized enterprises.
@@ -659,7 +657,7 @@ Rationale: More features mean more code and more interfaces mean attack surface.
### C.2.10 RF-CON: Connectivity offered
Description: Whether the VPN connects different endpoints to each other via a private network or simply provides a tunnel from a single endpoint to a public netowrk
Description: Whether the VPN connects different endpoints to each other via a private network or simply provides a tunnel from a single endpoint to a public network
Rationale: Different connectivity requirements create different risks and mitigations.
@@ -738,13 +736,11 @@ Requirements that mitigate this threat: SSDD, NUTI, LOGG
Mitigations for Likelihood:
* Medium to Low: SSCA, SCFS
* High to Low: SSCA, (FZ95 or BTIN or IMSL), SCFS, NUTI-1, NUTI-2
Mitigations for Impact:
* Medium to Low: LOGG-1, CDST
* High to Low: LOGG-1, LOGG-2, CDST
### C.4.4 TH-KEVU: Known exploitable vulnerabilities
@@ -772,7 +768,6 @@ All mitigations from TH-UEVU apply (using that requirement's risk formula), in a
Mitigations for Likelihood:
* Medium to Low: (KEVD or KEVA), (KEVM or KEVT or SCAN), (SUVP or SUAP or SUOE or SUAO), VULH
* High to Low: KEVD, KEVA, (KEVM or KEVT or SCAN), (SUAP or SUAO), SUCS, SUAU, SUVH, SURP, SURC, SUSR, SUMV, SUED, VULH
### C.4.5 TH-UEAC: Unauthorised endpoint access
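Review bot: the context line "All mitigations from TH-UEVU apply (using that requirement's risk formula)" refers to TH-UEVU as a requirement, but the TH- prefix denotes a threat in this annex (requirements carry four-letter identifiers such as KEVD, SCAN). Suggest "using that threat's risk formula" so the reader knows which risk formula to apply; the same wording appears in the TH-CPII clause and should be aligned in the same change.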
@@ -800,13 +795,11 @@ Requirements that mitigate this threat: AUTH, DMIN
Mitigations for Likelihood:
* Medium to Low: TODO: add risk transfer to environment
* High to Low: TODO: add risk transfer to environment
Mitigations for Impact:
* Medium to Low: AUTH-3, AUTH-5, CDST
* High to Low: AUTH-3, AUTH-4, AUTH-5, CDST
### C.4.6 TH-RDOS: Denial of service on remote data processing
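Review bot: the two placeholders "* Medium to Low: TODO: add risk transfer to environment" and "* High to Low: TODO: add risk transfer to environment" under Mitigations for Likelihood for TH-UEAC are carried through unchanged, so this threat still has no usable likelihood mitigation in the published text. Either list the requirement identifiers that reduce likelihood (the header names AUTH and DMIN as mitigating requirements) or replace the TODO with an explicit statement that likelihood reduction is delegated to the deployment environment, consistent with the delegated-risks list that precedes clause 4.7.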
@@ -834,13 +827,11 @@ Requirements that mitigate this threat: AVAI
Mitigations for Likelihood:
* Medium to Low: DOST
* High to Low: DOST
Mitigations for Impact:
* Medium to Low: FDRP, LMEM
* High to Low: FDRP, LMEM, FAIR
### C.4.7 TH-MITM: Machine-in-the-middle
@@ -868,13 +859,11 @@ Requirements that mitigate this threat: CRYPT, LOGG
Mitigations for Likelihood:
* Medium to Low: CRYPT-2
* High to Low: CRYPT-1, CRYPT-2
Mitigations for Impact:
* Medium to Low: LOGG-1
* High to Low: LOGG-1, LOGG-2
### C.4.8 TH-LEAK: Sensitive data leaks
@@ -901,13 +890,11 @@ Requirements that mitigate this threat: ROUT, CONF, DNSL, IPv6, CRYPT
Mitigations for Likelihood:
* Medium to Low: ROUT-1, ROUT-2, CONF-1, CONF-2, CONF-3, CONF-4, CONF-5, DNSL-1, DNSL-2, DNSL-7, DNSL-8, IPv6-1, IPv6-2
### C.4.15 TH-USED: Access to data via access to used product
### C.4.17 TH-USED: Access to data via access to used product
Attacker may get unauthorised access to confidential data stored on the product through access to or acquisition of a device containing the used product.
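Review bot: the old text numbered both TH-USED and TH-CPII as C.4.15, so the renumbering to C.4.17 here (and C.4.18 for TH-CPII) resolves a duplicate rather than just shifting sections. Please confirm that a C.4.16 now exists between TH-LEAK and TH-USED, and that any in-text references to the old clause and table numbers (C.4.15, Table C.25, Table C.26) are updated in the same commit, since the tables below are renumbered to C.29 and C.30.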
@@ -1187,7 +1158,7 @@ Attacker may get unauthorised access to confidential data stored on the product
| all others | Medium | SP-2, SP-5 |
| DAT = 0 | Low | SP-1 |
Table: _Table C.25_
Table: _Table C.29_
| Risk factors | Impact | Security profiles |
|--------------|--------|-------------------|
@@ -1195,23 +1166,21 @@ Table: _Table C.25_
| all others | Medium | SP-2, |
| DAT = 0 | Low | SP-1 |
Table: _Table C.26_
Table: _Table C.30_
Requirements that mitigate this threat: AUTH, CDST, SCDL, SDEF
Requirements that mitigate this threat: AUTH, CDST, SCDL, SDRF
Mitigations for Likelihood:
* Medium to Low: (RSET or INST or DELE), SDRF, SDTR
* High to Low: (RSET or INST or DELE), SDRF, SDTR
Mitigations for Impact:
* Medium to Low: AUTH-5, CDST
* High to Low: AUTH-3, AUTH-4, AUTH-5, CDST
### C.4.15 TH-CPII: Compromise of PII stored or transmitted by the product
### C.4.18 TH-CPII: Compromise of PII stored or transmitted by the product
Attacker may get unauthorised access to personally identifiable information stored or transmitted by the product.
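Review bot: the context row "| all others | Medium | SP-2, |" in the Impact table ends with a dangling comma, which reads as a missing profile; the corresponding row of the Likelihood table above lists "SP-2, SP-5". Either complete the cell or drop the comma. The SDEF to SDRF correction in "Requirements that mitigate this threat" is consistent with SDRF in the Likelihood mitigations, but SDEF should be searched for elsewhere in the document so no stale identifier remains.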
@@ -1220,23 +1189,22 @@ Attacker may get unauthorised access to personally identifiable information stor
Requirements that mitigate this threat: AUTH, DMIN, CRYPT, AUTH, ROUT, DNSL, CDST, SCDL, SDEF, LOGG
Requirements that mitigate this threat: AUTH, DMIN, CRYPT, AUTH, ROUT, DNSL, CDST, SCDL, SDRF, LOGG
All mitigations from TH-UEAC, TH-MITM, TH-LEAK, TH-PLNS, TH-PLNM, TH-UNAA, TH-CONF, TH-META, TH-RCOM, TH-USED apply (using those requirement's risk formula), in addition to:
Mitigations for Impact:
* Medium to Low: NPII-1
* High to Low: NPII-1, NPII-2, NPII-3, NPII-4
## C.5 Mapping of use cases to risk factors and security profiles
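Review bot: the line "Requirements that mitigate this threat: AUTH, DMIN, CRYPT, AUTH, ROUT, DNSL, CDST, SCDL, SDRF, LOGG" still lists AUTH twice in both the old and new version; remove the duplicate while touching this line. Also, "using those requirement's risk formula" should read "using those threats' risk formulas", since TH-UEAC, TH-MITM and the others named are threats, each with its own risk table.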
@@ -168,7 +168,7 @@ The input fields of the product that may produce memory errors shall be identifi
All security-relevant software shall be compiled with secure compilation flags and options appropriate to the target platform and language. All compilation flags used shall be documented as to their rationale, along with any exceptions or limitations. Any exceptions to the flags or warnings shall be documented as to why they do not create an unacceptable risk.
* Applicability: Product implemented in a compiled language
* Reference: TR-SDDV
* Reference: TR-SSDD
* Objective: Secure design and development
* Preparation: Document which flags should be used
* Activities: Review compilation flags, warnings, and documentation for exceptions
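Review bot: the reference change from TR-SDDV to TR-SSDD matches the SSDD identifier used in the threat tables of Annex C ("Requirements that mitigate this threat: SSDD, NUTI, LOGG"), so this is the right direction. Please grep for any remaining TR-SDDV occurrences in other requirement blocks, as a single-line fix suggests the wrong identifier may have been copied into several entries.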