Commit 07683458 authored by Valerie Aurora (Bow Shock)'s avatar Valerie Aurora (Bow Shock)

Formatting fixes, remove duplicate use cases, trim notes

parent 83f2b1fd
+23 −157
@@ -286,15 +286,11 @@ ISO/IEC 15408).

**Common Weakness Enumeration (CWE):** A community-developed list of software and hardware weaknesses that can become vulnerabilities. https://cwe.mitre.org/

**Elevated Privilege:**
**Elevated Privilege:** A level of access that allows accessing or changing security-relevant configuration, data, or functions on a system.

**Command Shell:**

**Process Isolation:**


> FIXME add any other terms we need to define
**Command Shell:** A text-based interface allowing execution of system programs.

**Process Isolation:** Techniques to prevent processes from accessing or changing each other's state.

## 3.2 Abbreviations

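Review bot: The new **Process Isolation** definition covers only processes "accessing or changing each other's state"; since section 4.3 below talks about address space separation and hardware access control for drivers, consider widening it to cover shared resources (memory, files, IPC endpoints) so the term matches the way it is used later. Ordering is also worth a look: after this change the glossary runs Common Weakness Enumeration, Elevated Privilege, Command Shell, Process Isolation, so if the list is meant to be alphabetical, Command Shell belongs before Elevated Privilege.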
@@ -306,8 +302,6 @@ For the purposes of the present document, the following abbreviations apply:
| MMU          | Memory Management unit      |
| IO           | Input/Output                |

> FIXME add more abbreviations

# 4 Product context

## 4.1 General
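Review bot: Context line `| MMU          | Memory Management unit      |` capitalises the expansion inconsistently with `| IO           | Input/Output                |`; while the FIXME under this table is being removed, change it to `Memory Management Unit`.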
@@ -353,7 +347,6 @@ The internal structure/architecture/security design of an operating system depen

> FIXME: Use generic architectural descriptions (monolithic, microkernel, ...) or create a list of orthogonal properties (hardware access control for drivers, address space separation, ...) and differentiate based on that?


### 4.3.0 Hybrid monolithic/micro kernel operating systems

> FIXME: Use the definition from section 4.5 as a starting point?
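Review bot: The heading `### 4.3.0 Hybrid monolithic/micro kernel operating systems` uses a `.0` sub-number, which does not fit the numbering used elsewhere in the document (4.5.1.1, 4.5.1.2, ...); renumber it 4.3.1 or fold it into 4.3. Only a blank line is removed here, so both FIXMEs in this region (the architecture-description question and the pointer to section 4.5) remain open.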
@@ -479,6 +472,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system
#### 4.5.1.1 Number of Users

**[NUSR]:** Manufacturers of operating systems which are intended to store personal data, including user login data, shall account for the risk to such data in the risk calculation and ensure that appropriate protections are available. System-level users (such as root) do not count towards this risk.

* NUSR-0: the operating system is designed not to allow end-users to authenticate
* NUSR-1: the operating system is designed to only allow one end-user to authenticate; to switch users, the device must be reset
* NUSR-2: the operating system is designed to allow for more than one end-user account
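Review bot: NUSR-0 and NUSR-1 are word for word the same as CUSR-0 and CUSR-1 in the next hunk (4.5.1.2), so the two factors only diverge at level 2; either cross-reference NUSR from CUSR or state that CUSR refines NUSR, otherwise the use-case scoring row `|UC-PC-3| 2 | 2 | 2 | ...` counts the same property twice. The definitions also treat system-level users differently ("do not count" here, "count ... if they are configurable or accessible by end-users" for CUSR); that is defensible, but a sentence explaining why would help.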
@@ -486,6 +480,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system
#### 4.5.1.2 User Concurrency

**[CUSR]:** Manufacturers of operating systems which are intended to support end-user accounts, either concurrently or sequentially, shall account for the increased risk to per-user data from other users and ensure that appropriate protections are available. System-level users (such as root) count towards this if they are configurable or accessible by end-users.

* CUSR-0: the operating system is designed not to allow end-users to authenticate
* CUSR-1: the operating system is designed to only allow one end-user to authenticate; to switch users,t he device must be reset.
* CUSR-2: the operating system is designed to allow for more than one end-user account, and end-user accounts may be simultaneously active on the device.
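Review bot: Typo in CUSR-1: `to switch users,t he device must be reset.` should read `to switch users, the device must be reset.`. CUSR-1 and CUSR-2 also end with a full stop while CUSR-0 does not, and the other factor lists in 4.5.1 use no trailing punctuation.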
@@ -493,6 +488,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system
#### 4.5.1.3 Sensitive or Artibrary Data Storage

**[DATA]:** Manufacturers of operating systems may implement measures to prevent the on-device storage of user data, and shall document this and implement appropriate steps to ensure that no user data is stored on the device. Manufacturers may also enable the storage of specific types of data or generally of any user-specified data, and shall document the measures available for the protection of such data.

* DATA-0: the operating system is effectively unable to store per-user data in its forseeable use
* DATA-1: the operating system is designed only to store limited data types
* DATA-2: the operating system is designed to store arbitrary data
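Review bot: Heading typo `#### 4.5.1.3 Sensitive or Artibrary Data Storage` should be `Arbitrary`, and `forseeable` in DATA-0 should be `foreseeable`; the same misspelling appears in every following factor list (LOSS, HWMD, SWMD, DVCS, TNET, FNET, CONF) and in the `**[HWMD]:**` and `**[TNET]:**` definitions, so one search-and-replace for `forseeable` would fix all of them.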
@@ -500,6 +496,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system
#### 4.5.1.4 Physical Access by Threat Actors to the Device

**[PHYS]:** Manufacturers of operating systems may implement protective measures, such as preventing peripheral device driver loading or relying on hardware capabilities such as tamper-evident mechanisms, to mitigate physical access based threats to the device.

* PHYS-0: only used in environments with authorized users **[
* PHYS-1: may be incidentally exposed to untrusted users
* PHYS-2: used primarily by untrusted users, e.g. the general public
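Review bot: `* PHYS-0: only used in environments with authorized users **[` ends with a stray `**[` fragment, apparently the start of a bold reference that was never finished; delete it or complete the intended reference. Unlike the other factors, the PHYS levels describe the environment ("only used in", "may be incidentally exposed to") rather than starting with "forseeable use ..."; aligning the wording would make levels easier to compare across factors.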
@@ -507,6 +504,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system
#### 4.5.1.5 Probability of Loss of the Device

**[LOSS]:** likelihood of loss or theft should be accounted for in the risk calculation, particularly for devices that store sensitive personal data.

* LOSS-0: forseeable use of the operating system is limited to stationary devices or devices with other loss-prevention mechanisms
* LOSS-1: forseeable use of the operating system is in a device with only incidental loss likelyhood
* LOSS-2: forseeable use of the operating system is in a device with a high loss likelyhood, such as devices which are common targets of theft such as mobile phones
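Review bot: `likelyhood` in LOSS-1 and LOSS-2 should be `likelihood`, and LOSS-2 doubles "such as" ("such as devices which are common targets of theft such as mobile phones"). The `**[LOSS]:**` definition also starts lowercase and drops the "Manufacturers of operating systems ... shall" phrasing every other factor uses; rephrase it for consistency.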
@@ -514,6 +512,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system
#### 4.5.1.6 Hardware Modifiabiliy by End Users

**[HWMD]:** Manufacturers of operating systems shall account for forseeable risks from hardware modifications within the intended use of the product.

* HWMD-0: forseeable use of the operating system is limited to devices with hardware that is not modifiable by end-users
* HWMD-1: forseeable use of the operating system includes hardware modifications by skilled or trusted users, such as corporate IT support staff
* HWMD-2: forseeable use of the operating system includes hardware modification by unskilled users, such as in a personal computer
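Review bot: Heading typo `#### 4.5.1.6 Hardware Modifiabiliy by End Users` should be `Modifiability`, matching the next heading `4.5.1.7 Software Modifiability by End Users`.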
@@ -521,6 +520,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system
#### 4.5.1.7 Software Modifiability by End Users

**[SWMD]:** Manufacturers of operating systems which are designed to allow end-users to install or substantially modify the software shall account for the risks from arbitrary software execution.

* SWMD-0: forseeable use lacks any reasonable means for end-users to install or modify the software
* SWMD-1: forseeable use only allows the installation of trusted and verified software
* SWMD-2: forseeable use allows for the installation of arbitrary software or for substantial modification of pre-installed software
@@ -528,6 +528,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system
#### 4.5.1.8 Untrusted Peripheral Devices

**[DVCS]:** Manufacturers of operating systems which are intended for devices that support attached peripheral devices, such as those utilizing USB or PCI conenctions, shall account for the risk posed by untrusted or compromised peripheral devices and implement appropriate safeguards.

* DVCS-0: forseeable use has no accessible peripheral ports
* DVCS-1: forseeable use includes only trusted and safe peripheral devices
* DVCS-2: forseeable use allows for arbitrary peripheral device attachment
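Review bot: `conenctions` in the `**[DVCS]:**` definition should be `connections`. DVCS-1 ("only trusted and safe peripheral devices") overlaps with PHYS-0 (authorised-user environments) and HWMD-0 (non-modifiable hardware); a sentence on how DVCS differs from those two (attached devices versus physical access versus internal modification) would help readers score a use case consistently.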
@@ -535,6 +536,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system
#### 4.5.1.9 Access To The Internet

**[TNET]:** Manufacturers of operating systems designed to provide end-users with access to the internet shall implement appropriate safeguards based on the nature of internet access and forseeable use of the operating system.

* TNET-0: forseeable use has no mechanism to reasonably connect to the internet
* TNET-1: forseeable use allows internet access for only highly restricted functions, such as retrieving security updates
* TNET-2: forseeable use allows for arbitrary access to the internet, such as by browsing the web
@@ -542,6 +544,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system
#### 4.5.1.10 Accessed From Untrusted Networks Including The Internet

**[FNET]:** Manufacturers of operating systems designed to be connected to directly from the internet, rather than placed behind NAT or a firewall, shall implement appropriate safeguards to mitigate risks.

* FNET-0: forseeable use is limited to trusted and private networks.
* FNET-1: forseeable use includes untrusted local networks but not the open internet.
* FNET-1: forseeable use includes being connected directly to the open internet.
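Review bot: The third level is labelled `FNET-1` a second time (`* FNET-1: forseeable use includes being connected directly to the open internet.`) and should be `FNET-2`; as written two different risk levels share one identifier, which breaks the 0/1/2 scoring used in the use-case table. This list also ends each item with a full stop, unlike most of the other factor lists.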
@@ -549,6 +552,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system
#### 4.5.1.11 Configurability

**[CONF]:** Manufacturers of operating systems which are intended to be configurable by end users shall provide secure-by-default configurations and document all available configuration options. Such documentation shall detail any effects on safety and security that such configuration changes may cause. 

* CONF-0: forseeable use of the operating system prevents or is incapable of storing configuration changes.
* CONF-1: forseeable use allows operating system configuration changes only by skilled or trusted users, such as corporate IT support staff.
* CONF-2: forseeable use of the operating system includes configuration changes by end-users.
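Review bot: The `**[CONF]:**` definition line ends with trailing whitespace after `may cause.`, and the CONF items end with full stops while NUSR through TNET mostly do not; pick one convention. CONF-0 ("prevents or is incapable of storing configuration changes") mixes a design choice with a capability; the other factors word level 0 as a property of foreseeable use, e.g. "forseeable use has no accessible peripheral ports".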
@@ -569,124 +573,6 @@ Note: "account" refers to a user in the operating systems sense: a unique system
|UC-PC-3| 2 | 2 | 2 | 0 | 0 | 1 | 1 | 1 | 2 | 0 | 1 | 12 |


> FIXME are these the right division of use cases into security levels?

Low security level

1. Simple low-risk embedded device (coffee machine, fridge)
   * Effectively zero users
   * Access controlled by physical environment
   * No user-installable software
   * Network connection used only to get software updates
   * Little or no sensitive data or functions
   * Behind a firewall
1. Stationary IoT embedded device (lightbulb, theromostat)
   * Effectively zero users
   * Access may be available to public
   * Complex user configuration options
   * Controls sensitive functions (e.g. lights, temperature)
   * Collects sensitive data (e.g. location of users)
   * Network connection used for RDPS, configuration, etc.
   * Behind a firewall except for physical access to wireless interface
1. Stateless multi-user terminal
   * Multi-user system
   * Handles different workloads of different users
   * No local data or session storage
   * Highly network dependent (likely company network with firewall)

Medium security level:

1. Limited use mobile embedded device (watch, LoRa radio, etc.)
   * One account, one or a few users
   * Often used by children
   * All interfaces constantly exposed to the public
   * Complex user configuration options
   * Some user-installable software from trusted soruces
   * Controls sensitive functions (e.g. lights, temperature)
   * Collects sensitive data (e.g. location of users)
   * Network connection used for RDPS, apps, upload/download data, etc.
1. Corporate server in data center
   * One account, multiple trusted users
   * Behind multiple professionally managed firewalls
   * Installed software is professionally controlled and managed
   * Automated management and monitoring by IT professionals
   * Processes sensitive data
1. Enterprise work station (stationary)
   * Effectively single user (unless shared, but then more likely to be a "stateless terminal"?)
   * Connected to enterprise network with firewall
   * Web browsing and office applications
   * Managed by the enterprise's IT department
   * Transmits and stores business-critical data
   * System failure can cause monetary loss (if no proper BCM)
   * Always stationary (and supervised), access to hardware interfaces unlikely
1. Personal server
   * Usually single account, may give accounts to small trusted circle
   * Not exposed to the public
   * Behind a firewall
   * Access from anywhere via the internet possible (depending on services running)
   * Semi-professional semi-automated management by one or a few people
   * Always stationary, access to hardware interfaces unlikely

High security level:

1. Enterprise laptop
   * Single account, single user
   * Connected to enterprise network with firewall, potentially via VPN
   * Web browsing and office applications
   * Managed by the enterprise's IT dep. (perhaps with Mobile Device Management)
   * Transmits and stores business-critical data
   * System failure can cause monetary loss (if no proper BCM)
1. Enterprise multi-user server, internal access only
   * Multiple accounts each with a trusted user
   * Users may install software into personal directories
   * Behind professionally managed firewall
   * Automated management and monitoring by IT professionals
   * Processes sensitive data
1. Personal desktop computer (stationary)
   * Single or very small number of accounts, may be shared among small trusted circle
   * Often used by children
   * Connected to a home network behind a rounter's firewall
   * Web browsing and applications for personal work/entertainment
   * More likely to access malicious web sites
   * Stored/Transmitted data can be sensitive (online banking, account passwords, ..)
   * Self-managed by potentially unexperienced users
   * Always stationary, access to hardware interfaces unlikely
1. Personal laptop
   * Single or very small number of accounts, may be shared among small trusted circle
   * Often used by children
   * Connects to various networks (home, public, mobile ..)
   * User installs and runs applications from both trusted and untrusted sources
   * Browses the web
   * Stored/transmitted data can be sensitive (online banking, account passwords, ..)
   * Self-managed by potentially unexperienced users
   * Not stationary, used for mobile working and travelling
   * Multiple interfaces (Bluetooth, Wifi, USB-A, USB-C ..)

Very high security level:

1. Firewalls
1. Corporate server providing services on public internet
   * Multiple accounts for isolation of services
   * Automated management and monitoring by IT professionals
   * Processes sensitive data
1. Corporate server hosting many public users
   * Many accounts, many users, no mutual trust
   * Automated management and monitoring by IT professionals
   * Processes sensitive data
1. Phone or tablet
   * Single account, may be shared among small trusted circle
   * Often used by children
   * Connects to various networks (home, public, mobile, ..)
   * What user can do to it is highly limited by default
   * User installs and runs applications from pre-approved sources only by default
   * Browses the web
   * Used for sensitive transactions/data storage (e.g. banking, health data)
   * Collects lots of user/usage data
   * Travels basically everywhere (risk of loss, exposed to more threats)
   * Multiple interfaces (Bluetooth, Wifi, NFC, USB-C ..)

> FIXME more use cases?

**Discussion**

MOVE TO STANDARDS ETSI 103 732 phones
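Review bot: The scoring row `|UC-PC-3| 2 | 2 | 2 | 0 | 0 | 1 | 1 | 1 | 2 | 0 | 1 | 12 |` is kept as context while the prose use-case descriptions (low, medium, high, very high security level lists) are deleted; check that the table header or the text above it still says which risk factor each column is and what UC-PC-3 denotes, since the removed list was the only place in this region that described the use cases in words. The surviving `MOVE TO STANDARDS ETSI 103 732 phones` under **Discussion** is an editorial note rather than document text; either turn it into a `> FIXME` like the others or resolve it before merging.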
@@ -730,26 +616,7 @@ A few risk factors extracted from the use cases:
* End user configurability (how locked down)
* End user modifiability to hardware
* Running on bare metal vs. hypervisor


We may be able to use these risk factors to calculate a recommended
security level for special purpose operating systems not covered by
use cases.

Les: level of exposure to the internet (proxy for an attacker)

How easy is it for an attacker to get access?

Break down mobile as proxy for physical access, wifi, much network

game os for consoles
rtos for an oscilloscope

Carl-Daniel: Any smart phone has two operating systems anyway: The user-facing operating system (Android/iOS) and the modem/baseband operating system (usually some RTOS, usually 5 years behind with patching security holes). So the smart phone is also a nice model for compound devices.

Baseband OS - think about distinction with chips a la boot managers

Many devices have multiple OS's for elements
* Many devices have multiple OS's for elements

## 4.6 Security levels

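Review bot: After this hunk the risk factor list ending at `* Running on bare metal vs. hypervisor` is followed by two blank lines and then a lone bullet `* Many devices have multiple OS's for elements`; either join that bullet to the list or write it as a sentence, and `OS's` should be `OSs`. If the Carl-Daniel note on the modem/baseband RTOS is among the trimmed lines, it was the only justification on the page for that bullet, so a short clause in the bullet (for example naming the baseband as a second operating system) would preserve the rationale.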
@@ -761,9 +628,8 @@ Security levels are an informative resource to the manufacturer. Each security l

Security levels are associated with sets of risk factor levels.

> | Security level | USR     | ACC     | COM     | ADM     |
> |----------------|---------|---------|---------|---------|
> | SC-WD-1        | USR-L-1 | ACC-L-1 | COM-L-2 | ADM-L-0 |
> FIXME take filled out table of use case mapping to risk factor, simplify down, set levels


## 4.7 Essential functions
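Review bot: In the quoted block, `> FIXME take filled out table of use case mapping to risk factor, simplify down, set levels` follows the table row `> | SC-WD-1        | USR-L-1 | ACC-L-1 | COM-L-2 | ADM-L-0 |` with no blank line, so markdown renders it as a continuation of the table rather than a separate note; put an empty `>` line between them. The column names USR, ACC, COM, ADM and level labels such as `USR-L-1` do not match the identifiers defined in 4.5.1 (NUSR, CUSR, DATA, PHYS, ... with levels 0 to 2), so the example table should be regenerated from those or explicitly marked as a placeholder.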