@@ -252,27 +252,45 @@ This section provides terms and definitions based on CEN/CLC JTC13 WG09's work o
For the purposes of the present document, the following terms apply:
1.**Operating System (OS)**: Software products with digital elements that provide an abstract interface of the underlying hardware and control the execution of software, and that may provide services such as computing resource management and configuration, scheduling, input-output control, managing data, and providing an interface through which applications interact with system resources and peripherals. This category includes but is not limited to real-time operating systems, general-purpose and special-purpose operating systems.
1.**General Purpose Operating System**: A class of operating system designed to support a wide variety of workloads consisting of concurrent applications or services. Typical characteristics of this category include support for third-party applications, support for multiple users, and security separation between users and their respective resources. General Purpose Operating Systems lack the operational constraints which define Special Purpose Operating Systems and Real Time Operating System (RTOS) that are typically used in routers, switches, and embedded devices.
1.**Application Programming Interface (API)**: A specification of routines, data structures, object classes, and variables that allows an application to make use of services provided by another software component, such as a library. APIs are often provided for a set of libraries included with the platform.
1.**System Call Interface**: A specification for the API between the application layer and the kernel or system layer.
1.**Input/Output**: The process or function for passing data to or from a given process over a specific interface. Such I/O interfaces include, but are not limited to, serial ports, network ports, long-term storage devices including hard drives and flash drives, as well as human-interface ports such as display and audio devices.
1.**Common Criteria (CC)**: Common Criteria for Information Technology Security Evaluation (International Standard
**Operating System (OS):** Software products with digital elements that provide an abstract interface of the underlying hardware and control the execution of software, and that may provide services such as computing resource management and configuration, scheduling, input-output control, managing data, and providing an interface through which applications interact with system resources and peripherals. This category includes but is not limited to real-time operating systems, general-purpose and special-purpose operating systems.
**General Purpose Operating System:** A class of operating system designed to support a wide variety of workloads consisting of concurrent applications or services. Typical characteristics of this category include support for third-party applications, support for multiple users, and security separation between users and their respective resources. General Purpose Operating Systems lack the operational constraints which define Special Purpose Operating Systems and Real Time Operating System (RTOS) that are typically used in routers, switches, and embedded devices.
**Application Programming Interface (API):** A specification of routines, data structures, object classes, and variables that allows an application to make use of services provided by another software component, such as a library. APIs are often provided for a set of libraries included with the platform.
**System Call Interface:** A specification for the API between the application layer and the kernel or system layer.
**Input/Output:** The process or function for passing data to or from a given process over a specific interface. Such I/O interfaces include, but are not limited to, serial ports, network ports, long-term storage devices including hard drives and flash drives, as well as human-interface ports such as display and audio devices.
**Common Criteria (CC):** Common Criteria for Information Technology Security Evaluation (International Standard
ISO/IEC 15408).
1.**Administrator**: An administrator is responsible for management activities, including setting policies that are applied by the enterprise on the operating system. This administrator could be acting remotely through a management server, from which the system receives configuration policies. An administrator can enforce settings on the system which cannot be overridden by non-administrator users.
1.**User**: A user is subject to configuration policies applied to the operating system by administrators. On some systems under certain configurations, a normal user can temporarily elevate privileges to that of an administrator. At that time, such a user should be considered an administrator.
1.**Application**: Software that runs on a platform and performs tasks on behalf of the user or owner of the platform, as well as its supporting documentation.
1.**Credential**: Data that establishes the identity of a user, e.g. a cryptographic key or password.
1.**Personally Identifiable Information (PII)**: Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, government-issued identity numbers, date and place of birth, biometric records, etc., including any other personal information which is linked or linkable to an individual.
1.**Sensitive Data**: Sensitive data may include all user or enterprise data or may be specific application data such as PII, emails, messaging, documents, calendar items, and contacts. Sensitive data must minimally include credentials and keys.
1.**Data Execution Prevention**: An anti-exploitation feature of modern operating systems executing on modern computer hardware, which enforces a non-execute permission on pages of memory. This prevents pages of memory from containing both data and instructions, which makes it more difficult for an attacker to introduce and execute code.
1.**Credential**: Data that establishes the identity of a user, e.g. a cryptographic key or password.
1.**Address Space Layout Randomization (ASLR)**: An anti-exploitation feature which loads memory mappings into unpredictable locations. ASLR makes it more difficult for an attacker to redirect control to code that they have introduced into the address space of a process.
1.**Common Weakness Enumeration (CWE)**: A community-developed list of software and hardware weaknesses that can become vulnerabilities. https://cwe.mitre.org/
1.**Elevated Privilege**:
1.**Command Shell**:
1.**Process Isolation**:
1.
**Administrator:** An administrator is responsible for management activities, including setting policies that are applied by the enterprise on the operating system. This administrator could be acting remotely through a management server, from which the system receives configuration policies. An administrator can enforce settings on the system which cannot be overridden by non-administrator users.
**User:** A user is subject to configuration policies applied to the operating system by administrators. On some systems under certain configurations, a normal user can temporarily elevate privileges to that of an administrator. At that time, such a user should be considered an administrator.
**Application:** Software that runs on a platform and performs tasks on behalf of the user or owner of the platform, as well as its supporting documentation.
**Credential:** Data that establishes the identity of a user, e.g. a cryptographic key or password.
**Personally Identifiable Information (PII):** Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, government-issued identity numbers, date and place of birth, biometric records, etc., including any other personal information which is linked or linkable to an individual.
**Sensitive Data:** Sensitive data may include all user or enterprise data or may be specific application data such as PII, emails, messaging, documents, calendar items, and contacts. Sensitive data must minimally include credentials and keys.
**Data Execution Prevention:** An anti-exploitation feature of modern operating systems executing on modern computer hardware, which enforces a non-execute permission on pages of memory. This prevents pages of memory from containing both data and instructions, which makes it more difficult for an attacker to introduce and execute code.
**Credential:** Data that establishes the identity of a user, e.g. a cryptographic key or password.
**Address Space Layout Randomization (ASLR):** An anti-exploitation feature which loads memory mappings into unpredictable locations. ASLR makes it more difficult for an attacker to redirect control to code that they have introduced into the address space of a process.
**Common Weakness Enumeration (CWE):** A community-developed list of software and hardware weaknesses that can become vulnerabilities. https://cwe.mitre.org/
**Elevated Privilege:**
**Command Shell:**
**Process Isolation:**
> FIXME add any other terms we need to define
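Review bot: the reworked definition list still carries the duplicated `**Credential:**` entry (it appears once after `**Application:**` and again after `**Data Execution Prevention:**`, exactly as in the numbered list it replaces), and `**Elevated Privilege:**`, `**Command Shell:**` and `**Process Isolation:**` remain bold headings with no definition text. Since this change already rewrites every entry, drop the second `Credential` line here and either fill the three empty entries or fold them into the `FIXME` below so the rendered glossary does not show bare terms.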
@@ -282,10 +300,11 @@ ISO/IEC 15408).
For the purposes of the present document, the following abbreviations apply:
* OS Operating system
* MMU Memory Management unit
* IO Input/Output
| Abbreviation | Description |
|--------------|-----------------------------|
| OS | Operating system |
| MMU | Memory Management unit |
| IO | Input/Output |
> FIXME add more abbreviations
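Review bot: the `MMU` row expands to `Memory Management unit`; it should read `Memory Management Unit` to match the capitalization of the other expansions. The `IO` row should also agree with the terms section, which defines the term as `Input/Output` and writes `I/O` in its body ("Such I/O interfaces include ..."); list the abbreviation as `I/O`, or note explicitly that both `IO` and `I/O` are used.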
@@ -459,77 +478,77 @@ Note: "account" refers to a user in the operating systems sense: a unique system
#### 4.5.1.1 Number of Users
**[NUSR]**: Manufacturers of operating systems which are intended to store personal data, including user login data, shall account for the risk to such data in the risk calculation and ensure that appropriate protections are available. System-level users (such as root) do not count towards this risk.
**[NUSR]:** Manufacturers of operating systems which are intended to store personal data, including user login data, shall account for the risk to such data in the risk calculation and ensure that appropriate protections are available. System-level users (such as root) do not count towards this risk.
* NUSR-0: the operating system is designed not to allow end-users to authenticate
* NUSR-1: the operating system is designed to only allow one end-user to authenticate; to switch users, the device must be reset
* NUSR-2: the operating system is designed to allow for more than one end-user account
#### 4.5.1.2 User Concurrency
**[CUSR]**: Manufacturers of operating systems which are intended to support end-user accounts, either concurrently or sequentially, shall account for the increased risk to per-user data from other users and ensure that appropriate protections are available. System-level users (such as root) count towards this if they are configurable or accessible by end-users.
**[CUSR]:** Manufacturers of operating systems which are intended to support end-user accounts, either concurrently or sequentially, shall account for the increased risk to per-user data from other users and ensure that appropriate protections are available. System-level users (such as root) count towards this if they are configurable or accessible by end-users.
* CUSR-0: the operating system is designed not to allow end-users to authenticate
* CUSR-1: the operating system is designed to only allow one end-user to authenticate; to switch users,t he device must be reset.
* CUSR-2: the operating system is designed to allow for more than one end-user account, and end-user accounts may be simultaneously active on the device.
#### 4.5.1.3 Sensitive or Artibrary Data Storage
**[DATA]**: Manufacturers of operating systems may implement measures to prevent the on-device storage of user data, and shall document this and implement appropriate steps to ensure that no user data is stored on the device. Manufacturers may also enable the storage of specific types of data or generally of any user-specified data, and shall document the measures available for the protection of such data.
**[DATA]:** Manufacturers of operating systems may implement measures to prevent the on-device storage of user data, and shall document this and implement appropriate steps to ensure that no user data is stored on the device. Manufacturers may also enable the storage of specific types of data or generally of any user-specified data, and shall document the measures available for the protection of such data.
* DATA-0: the operating system is effectively unable to store per-user data in its forseeable use
* DATA-1: the operating system is designed only to store limited data types
* DATA-2: the operating system is designed to store arbitrary data
#### 4.5.1.4 Physical Access by Threat Actors to the Device
**[PHYS]**: Manufacturers of operating systems may implement protective measures, such as preventing peripheral device driver loading or relying on hardware capabilities such as tamper-evident mechanisms, to mitigate physical access based threats to the device.
**[PHYS]:** Manufacturers of operating systems may implement protective measures, such as preventing peripheral device driver loading or relying on hardware capabilities such as tamper-evident mechanisms, to mitigate physical access based threats to the device.
* PHYS-0: only used in environments with authorized users **[
* PHYS-1: may be incidentally exposed to untrusted users
* PHYS-2: used primarily by untrusted users, e.g. the general public
#### 4.5.1.5 Probability of Loss of the Device
**[LOSS]**: likelihood of loss or theft should be accounted for in the risk calculation, particularly for devices that store sensitive personal data.
**[LOSS]:** likelihood of loss or theft should be accounted for in the risk calculation, particularly for devices that store sensitive personal data.
* LOSS-0: forseeable use of the operating system is limited to stationary devices or devices with other loss-prevention mechanisms
* LOSS-1: forseeable use of the operating system is in a device with only incidental loss likelyhood
* LOSS-2: forseeable use of the operating system is in a device with a high loss likelyhood, such as devices which are common targets of theft such as mobile phones
#### 4.5.1.6 Hardware Modifiabiliy by End Users
**[HWMD]**: Manufacturers of operating systems shall account for forseeable risks from hardware modifications within the intended use of the product.
**[HWMD]:** Manufacturers of operating systems shall account for forseeable risks from hardware modifications within the intended use of the product.
* HWMD-0: forseeable use of the operating system is limited to devices with hardware that is not modifiable by end-users
* HWMD-1: forseeable use of the operating system includes hardware modifications by skilled or trusted users, such as corporate IT support staff
* HWMD-2: forseeable use of the operating system includes hardware modification by unskilled users, such as in a personal computer
#### 4.5.1.7 Software Modifiability by End Users
**[SWMD]**: Manufacturers of operating systems which are designed to allow end-users to install or substantially modify the software shall account for the risks from arbitrary software execution.
**[SWMD]:** Manufacturers of operating systems which are designed to allow end-users to install or substantially modify the software shall account for the risks from arbitrary software execution.
* SWMD-0: forseeable use lacks any reasonable means for end-users to install or modify the software
* SWMD-1: forseeable use only allows the installation of trusted and verified software
* SWMD-2: forseeable use allows for the installation of arbitrary software or for substantial modification of pre-installed software
#### 4.5.1.8 Untrusted Peripheral Devices
**[DVCS]**: Manufacturers of operating systems which are intended for devices that support attached peripheral devices, such as those utilizing USB or PCI conenctions, shall account for the risk posed by untrusted or compromised peripheral devices and implement appropriate safeguards.
**[DVCS]:** Manufacturers of operating systems which are intended for devices that support attached peripheral devices, such as those utilizing USB or PCI conenctions, shall account for the risk posed by untrusted or compromised peripheral devices and implement appropriate safeguards.
* DVCS-0: forseeable use has no accessible peripheral ports
* DVCS-1: forseeable use includes only trusted and safe peripheral devices
* DVCS-2: forseeable use allows for arbitrary peripheral device attachment
#### 4.5.1.9 Access To The Internet
**[TNET]**: Manufacturers of operating systems designed to provide end-users with access to the internet shall implement appropriate safeguards based on the nature of internet access and forseeable use of the operating system.
**[TNET]:** Manufacturers of operating systems designed to provide end-users with access to the internet shall implement appropriate safeguards based on the nature of internet access and forseeable use of the operating system.
* TNET-0: forseeable use has no mechanism to reasonably connect to the internet
* TNET-1: forseeable use allows internet access for only highly restricted functions, such as retrieving security updates
* TNET-2: forseeable use allows for arbitrary access to the internet, such as by browsing the web
#### 4.5.1.10 Accessed From Untrusted Networks Including The Internet
**[FNET]**: Manufacturers of operating systems designed to be connected to directly from the internet, rather than placed behind NAT or a firewall, shall implement appropriate safeguards to mitigate risks.
**[FNET]:** Manufacturers of operating systems designed to be connected to directly from the internet, rather than placed behind NAT or a firewall, shall implement appropriate safeguards to mitigate risks.
* FNET-0: forseeable use is limited to trusted and private networks.
* FNET-1: forseeable use includes untrusted local networks but not the open internet.
* FNET-1: forseeable use includes being connected directly to the open internet.
#### 4.5.1.11 Configurability
**[CONF]**: Manufacturers of operating systems which are intended to be configurable by end users shall provide secure-by-default configurations and document all available configuration options. Such documentation shall detail any effects on safety and security that such configuration changes may cause.
**[CONF]:** Manufacturers of operating systems which are intended to be configurable by end users shall provide secure-by-default configurations and document all available configuration options. Such documentation shall detail any effects on safety and security that such configuration changes may cause.
* CONF-0: forseeable use of the operating system prevents or is incapable of storing configuration changes.
* CONF-1: forseeable use allows operating system configuration changes only by skilled or trusted users, such as corporate IT support staff.
* CONF-2: forseeable use of the operating system includes configuration changes by end-users.
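Review bot: the FNET scale lists `FNET-1` twice; the second bullet (`forseeable use includes being connected directly to the open internet`) should be `FNET-2`, otherwise the highest level of the [FNET] requirement cannot be referenced, and `PHYS-0` still ends with a stray `**[`. Since this hunk already touches every `**[XXXX]:**` requirement line, it is the natural place to also fix the spelling in the adjacent headings and bullets: `Artibrary` should read `Arbitrary`, `Modifiabiliy` should read `Modifiability`, `forseeable` should read `foreseeable` (throughout the section), `likelyhood` should read `likelihood`, `conenctions` should read `connections`, and `users,t he device` should read `users, the device`.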