Commit 769c11f4 authored by Valerie Aurora (Bow Shock)

Add some rough security requirements, assumptions, threats

Summarize and copy some security requirements, assumptions, and
threats from NIAP OS PP and BSI OS PP.
parent 061590ba
+93 −3
@@ -194,7 +194,6 @@ The following referenced documents are necessary for the application of the pres

* <a name="_ref_1">[1]</a>    &lt;Standard Organization acronym> &lt;document number> (&lt;version number>): "&lt;Title>".


<mark> FIXME more normative references </mark>


@@ -540,6 +539,80 @@ _Example technical security requirements can be found in related standards, such
* _Other vertical standards drafts in [ETSI GitLab](https://forge.etsi.org/rep/cyber/stan4cr2)_
* _Other vertical standards drafts as [contributions to verticals meetings on the ETSI Portal](https://portal.etsi.org/Meetings.aspx#/)_
* _PT2 drafts, available in the [ETSI DocBox](https://docbox.etsi.org/CYBER/CYBER/CEN-CLC/JTC13/WG09)_
* _ENISA's [CRA Requirements Standards Mapping](https://www.enisa.europa.eu/sites/default/files/2024-11/Cyber%20Resilience%20Act%20Requirements%20Standards%20Mapping%20-%20final_with_identifiers_0.pdf)

From NIAP PP for OS:

* Cryptographic support
  * Cryptographic key generation
  * Cryptographic key establishment
  * Cryptographic key destruction
  * Encryption/decryption
  * Cryptographic hashing/signing/authentication
  * Random data generation
  * Secure encrypted data storage
* User data protection
  * Access controls
  * VPN
* Security management
  * Management of security functions
  * Minimum security functions provided by user type
* Protection of security relevant assets (?)
  * Access controls to system data/assets
  * Address space layout randomization
  * Limitation of Bluetooth Profile Support
  * Software Restriction Policies
  * Stack buffer overflow protection
  * Boot integrity
  * Trusted update for OS
  * Trusted update for applications and other components
  * Read-only executable memory
* Audit data generation
  * Logging with timestamps
* Identification and authorization
  * Prevent brute force
  * Multifactor auth
  * Certificate validation
  * Certificate authentication
* Trusted paths/channels
  * Allows communication via secure channel (TLS etc.)

From BSI Operating Systems Protection Profile:

* Audit
  * Audit data generation
  * Audit review
  * Audit review restriction
  * Protected audit data storage
  * Notification of possible audit data loss
  * Prevention of possible audit data loss
* Cryptographic services
  * Cryptographic key generation
  * Cryptographic key distribution
  * Cryptographic key destruction
  * Cryptographic operation
* Data access control
  * Access control of persistent data (files)
  * Access control of temporay data (pipes)
  * Network information flow control
  * Import user data with access control
  * Secure deletion
* Authentication
  * Detect and prevent brute force attacks on auth
  * User attribute storage
  * Secret verification
  * Auth before accessing any security functions
  * Multifactor auth
  * Obscure auth feedback
  * Identification before access
* Secure configuration change and data access
  * Something about ACLs?
  * Security roles
* Reliable timestamps
* Session locking
  * Automatic
  * User-initiated
* Trusted channel (secure network access)

# Annex A (informative): Relationship between the present document and any related ETSI standards (if any)

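Review bot: "temporay" in the BSI data access control list (`Access control of temporay data (pipes)`) should be "temporary". Two placeholder bullets, `Protection of security relevant assets (?)` and `Something about ACLs?`, land in the draft as ordinary list items; mark them with the `<mark> FIXME ... </mark>` convention used elsewhere in this document so they are resolved before publication. The NIAP heading `Identification and authorization` groups brute-force prevention, multifactor auth and certificate authentication, which is the NIAP PP's "Identification and authentication" class, so the heading should say "authentication". While here, the `* _ENISA's ...` context line just above the new lists is missing its closing `_`, so the italics run on into the following text.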
@@ -596,8 +669,17 @@ _Based on the assets, what are the threats during:_

_Example threats can be found in the same documents suggested in the section on security requirements._

From NIAP PP for OS:

T.NETWORK ATTACK: An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may engage in communications with applications and services running on or part of the OS with the intent of compromise. Engagement may consist of altering existing legitimate communications.

T.NETWORK EAVESDROP: An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may monitor and gain access to data exchanged between applications and services that are running on or part of the OS.

T.LOCAL ATTACK: An attacker may compromise applications running on the OS. The compromised application may provide maliciously formatted input to the OS through a variety of channels including unprivileged system calls and messaging via the file system.

<mark> FIXME list threats </mark>
T.LIMITED PHYSICAL ACCESS An attacker may attempt to access data on the OS while having a limited amount of time with the physical device.

<mark> FIXME list more threats </mark>

## C.3 Assumptions

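Review bot: `T.LIMITED PHYSICAL ACCESS An attacker ...` is missing the colon after the identifier that the other three threats use. The NIAP PP writes these identifiers with underscores (T.NETWORK_ATTACK, T.NETWORK_EAVESDROP, T.LOCAL_ATTACK, T.LIMITED_PHYSICAL_ACCESS); if underscores were intended and markdown rendering dropped them, wrap the identifiers in backticks. The four paragraphs are copied verbatim from the PP (wording such as "running on or part of the OS"), so add a short attribution line or quotation marks so readers can tell source text from the present document's own threat statements.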
@@ -607,6 +689,14 @@ _List assumptions that are relevant to the risk analysis for these threats. Ever
* Not using sophisticated or expensive hardware snooping techniques
* No secret hardware backdoors

From NIAP PP for OS:

A.PLATFORM: The OS relies upon a trustworthy computing platform for its execution. This underlying platform is out of scope of this PP.

A.PROPER USER: The user of the OS is not willfully negligent or hostile, and uses the software in compliance with the applied enterprise security policy. At the same time, malicious software could act as the user, so requirements which confine malicious subjects are still in scope.

A.PROPER ADMIN: The administrator of the OS is not careless, willfully negligent or hostile, and administers the OS within compliance of the applied enterprise security policy.

<mark> FIXME list more assumptions </mark>

## C.4 Risk assessments of threats
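Review bot: A.PLATFORM's last sentence, "This underlying platform is out of scope of this PP", refers to the NIAP PP rather than to the present document; since these assumptions are being copied into an ETSI draft, either reword it to "out of scope of the present document" or mark the three paragraphs as quotations from the NIAP PP. Same identifier point as in the threats hunk: `A.PROPER USER` and `A.PROPER ADMIN` are A.PROPER_USER and A.PROPER_ADMIN in the source, so use backticks or restore the underscores.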
@@ -637,7 +727,7 @@ _If any risks are not treated by the normative requirements, describe non-normat

_Describe how to decide if residual risks are tolerable._

## D.4. Residual risks
## D.4 Residual risks

_Describe how to treat any residual risks, for example by documenting them or informing the user._