Commit 617bcc36 authored by Aeva Black (Bow Shock)'s avatar Aeva Black (Bow Shock) Committed by Aeva Black

Propose schema for enumerating use cases

This change integrates comments from the 12.08 WG meeting and proposes
a methodology for enumerating use cases based on categories of risk.

It demonstrates this methodology with multiple examples, but is not yet
a complete enumeration of all risks. If desired by the WG, additional
risks and requirements should be added following this methodology.
parent 16341ebc
+53 −0
@@ -295,6 +295,59 @@ _When you have many use cases, group them into 3 - 5 levels of risk. These will

Note: "account" refers to a user in the operating systems sense: a unique system identity associated with certain authorization and permissions. "User" refers to an entity that uses the device for some purpose. Users may have many accounts and accounts may have many users.


For each operating system placed on the market, the manufacturer shall develop a threat model and risk profile of the forseeable use of the operating system, and shall consider the interplay between:
- complexity of forseeable use
- likelihood of an incident, given the forseeable use
- impact of an incident, given the forseeable use

These risks are grouped into risk categories and assigned unique identifiers below.

* Number of Users
  * **Rationale**: the storage of personal data on device should be accounted for in the risk calculation
  * **Rationale**: the capability to support multiple user accounts significantly increases product complexity and threat surface
  * **[USR-L-0]** no user data stored on device
  * **[USR-L-1]** single user
  * **[USR-L-2]** multiple users

  * **[USR-L-1-RQ-1]** An operating system which is intended for use cases that allow storage of personal information shall implement appropriate cryptographic libraries to allow the protection of the personal information according to the requirements of the forseeable use. 
  * **[USR-L-2-RQ-1]** An operating system which is supports multiple users shall implement and document appropriate safeguards to protect each user's personal information according to the requirements of the forseeable use.

* Location
  * **Rationale**: likelihood of physical access by threat actors should be accounted for in the risk calculation
  * **Rationale**: likelihood of loss or theft should be accounted for in the risk calculation, particularly for devices that store personal data
  * **[LOC-L-1]** designed for use in private locations (e.g., home or office)
  * **[LOC-L-2]** designed for use outside of private locations
  * **[LOC-L-2-RQ-1]** operating systems intended for use in devices that have a forseeable likelihood of theft, such as mobile phones, shall include appropriate measures to prevent access to personal information by unauthorized and unauthenticated users, including the ability to remotely erase personal information from the device under appropriate circumstances.

* Hardware Modifiability
  * **Rationale**: operating system complexity increases proportionally with complexity of supported hardware configurations
  * **Rationale**: peripheral-based compromises shall be accounted for if the connectivity of third-party or end-user-supplied hardware is forseeable
  * **[HWM-L-0]** relies on hardware which prevents user modifiability or connection of peripheral devices
  * **[HWM-L-1]** relies on hardware which prevents user modifiability but which allows peripheral use
  * **[HWM-L-2]** relies on hardware designed for user modifiability

* Software Modifiability
  * **[SW-L-0]** prevents or does not support 
  * **[SW-L-1]** allows installation only of trusted applications 
  * **[SW-L-2]** allows installation of applications by end-users

* Internet Access
  * **[IAC-L-1]** limits access TO the internet (no web browser)
  * **[IAC-L-2]** does not limit access TO the internet (can browse the web)
  * **[IAC-L-3]** not intended for direct access FROM the internet
  * **[IAC-L-4]** intended for direct access FROM the internet

* Configurability
  * **[CNF-L-1]** no end-user configurability
  * **[CNF-L-2]** allows end-users to modify pre-boot, boot, or post-boot configuration


The following use-cases are provided as illustrative examples of applying the risk profiles above to developing a threat model. This is not intended to be an exhaustive or complete list of all possible use cases.

* Simple Home Automation Device
* 

<mark> FIXME are these the right division of use cases into security levels? </mark>

Low security level
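Review bot: The Internet Access category folds two independent axes into one ordered level list: [IAC-L-1]/[IAC-L-2] describe outbound access TO the internet while [IAC-L-3]/[IAC-L-4] describe inbound exposure FROM the internet, so a device that can browse the web and is also reachable from the internet needs two identifiers from the same category, and a reader following the instruction above the hunk to "group them into 3 - 5 levels of risk" cannot treat L-3 as a higher level than L-2. Consider splitting it into two categories (outbound access and inbound exposure), each with its own "Rationale" line as the first three categories have; Software Modifiability and Configurability also lack a Rationale line, and Hardware Modifiability is the only category with levels but no "-RQ-" requirement. Smaller points in the same hunk: `[SW-L-0] prevents or does not support` is cut off mid-sentence, `An operating system which is supports multiple users` has a stray "is", "forseeable" should be "foreseeable" throughout, and the empty bullet after "Simple Home Automation Device" and the trailing "Low security level" line read as unfinished work that the FIXME mark should probably cover as well.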