@@ -598,144 +598,149 @@ The pre-defined Security Profiles in Section 6 list the appropriate mitigations
Note: "account" refers to a user in the operating systems sense: a unique system identity associated with certain authorization and permissions. "User" refers to an entity that uses the device for some purpose. Users may have many accounts and accounts may have many users.
#### 4.5.1.1 Number of Users
#### 4.5.1.1 Number of User Accounts
**[RF-NUSR]:** The greater the number of users capable of using an operating system, the greater the risk to each user's assets stored or processed by that operating system.
**[RF-NUSR]:** The number of user accounts that end-users may authenticate to, excluding administrator accounts.
Recommendation: Therefore, manufacturers of operating systems which are intended to store personal data, including user login data, shall account for the risk to such data in the risk calculation and ensure that appropriate protections are available. System-level users (such as root) do not count towards this risk.
* NUSR-0: the operating system does not allow end-users to authenticate
* NUSR-1: the operating system allows only one end-user to authenticate; to switch users, the user must reset the device or otherwise fully delete the current user's data before creating a new user
f* NUSR-2: foreseeable use of the operating system is primarily that of a single end-user authenticating, but supports multiple end-users authenticating
* NUSR-3: foreseeable use of the operating system is multiple end-users authenticating
* NUSR-0: the operating system does not allow end-users to authenticate.
* NUSR-1: the operating system allows only one end-user to authenticate; to switch users, the user must reset the device or otherwise fully delete the current user's data before creating a new user.
* NUSR-2: the operating system's forseeable use is a single user device.
* NUSR-3: the operating system is designed for a high number of users.
FIXME add the separate concept of users apart from accounts
#### 4.5.1.2 User Concurrency
#### 4.5.1.2 User Account Concurrency
**[RF-CUSR]:** The greater the number of concurrent users active on an operating system, the greater the risk to each user's assets stored or processed by that operating system.
Recommendation: Therefore, manufacturers of operating systems which are intended to support concurrent use by multiple end-users accounts shall account for the increased risk to per-user data from other users, and ensure that appropriate protections are available. System-level users (such as root) count towards this if they are configurable or accessible by end-users.
**[RF-CUSR]:** The number of user accounts that may use the system concurrently, including administrator accounts if they are configurable or accessible by end-users.
* CUSR-0: the operating system does not allow end-users to authenticate
* CUSR-1: the operating system only allows one end-user to authenticate concurrently; to switch users, the authenticated user must logout.
* CUSR-2: the operating system's forseeable use allows for more than one end-user account, and end-user accounts may be simultaneously active on the device.
* CUSR-3: the operating system is designed for highly concurrent use.
* CUSR-1: the operating system only allows one end-user to authenticate concurrently; to switch users, the authenticated user must logout
* CUSR-2: forseeable use of the operating system is with one end-user authenticated concurrently, but multiple end-user accounts may be simultaneously active on the operating system
* CUSR-3: foreseeable use of the operating system is multiple authenticated users simultaneously active on the operating system
#### 4.5.1.3 Data Storage
**[RF-DATA]:**Manufacturers of operating systems may implement measures to prevent the on-device storage of user data, and shall document this and implement appropriate steps to ensure that no user data is stored on the device. Manufacturers may also enable the storage of specific types of data or generally of any user-specified data, and shall document the measures available for the protection of such data.
**[RF-DATA]:**What kind of data is stored by the operating system.
* DATA-0: the operating system is effectively unable to store per-user data in its foreseeable use
* DATA-1: the operating system is designed only to store limited data types
* DATA-2: the operating system is designed to store arbitrary data
#### 4.5.1.4 Collection or sharing of sensitive personal data
#### 4.5.1.4 Sensitivity of Data
**[RF-SENS]:** Sensitivity of data collected, as measured by impact of loss of its integrity, confidentiality, or availability.
* SENS-0: the operating system is effectively unable to collect sensitive data
* SENS-1: foreseeable use limits collection of sensitive data
* SENS-2: foreseeable use may collect arbitrary amounts of sensitive data
* SENS-3: foreseeable use collects extensive amounts of sensitive data by default
**[RF-SENS]:** Manufacturers of operating systems whose common use case allows collection or sharing of sensitive personal data may implement measures to prevent or limit the collection or sharing of sensitive personal data, and shall document this and implement appropriate steps to ensure that sensitive personal data is not collected or shared. Manufacturers may also enable the collection or sharing of sensitive personal data, and shall document the measures available for the protection of such data.
#### 4.5.1.5 Sensitivity of Functions
* SENS-0: the operating system is effectively unable to collect sensitive personal data
* SENS-1: the operating system is designed to limit collection of sensitive personal data
* SENS-2: the operating system is designed to collect sensitive personal data
* SENS-3: the operating system is collects sensitive personal data by default
**[RF-SENS]:** Sensitivity of functions of device, as measured by impact of loss of its integrity, confidentiality, or availability.
#### 4.5.1.5 Physical Access by Threat Actors to the Device
* SENS-0: the operating system is effectively unable to provide sensitive functions
* SENS-1: foreseeable use limits provision of sensitive functions
* SENS-2: foreseeable use may provide arbitrary functions
* SENS-3: foreseeable use provides sensitive functions by default
**[RF-PHYS]:** Manufacturers of operating systems may implement protective measures, such as preventing peripheral device driver loading or relying on hardware capabilities such as tamper-evident mechanisms, to mitigate physical access based threats to the device.
#### 4.5.1.6 Physical Access by Threat Actors to the Device
**[RF-PHYS]:** Exposure of the device to physical access by users.
* PHYS-0: only used in environments with authorized users
* PHYS-1: may be incidentally exposed to untrusted users
* PHYS-2: used primarily by untrusted users, e.g. the general public
#### 4.5.1.N+1 Software Access by Threat Actors to the Device
#### 4.5.1.7 Logical Access by Threat Actors Via Local Software
**[RF-UEXC]:** Exposure to untrusted executables running on the platform.
**[RF-SOFT]:** Manufacturers of operating systems may implement protective measures, such as hardening the system against loss of integrity (caused by existing interfaces or unknown flaws), to mitigate memory safety based threats to the device.
* UEXC-0: only used in environments without untrusted software
* UEXC-1: may be incidentally exposed to untrusted software
* UEXC-2: used primarily to run untrusted software
* SOFT-0: only used in environments without untrusted code and no processing of external inputs
* SOFT-1: may be incidentally exposed to untrusted software or external inputs
* SOFT-2: used primarily to run untrusted software or process external inputs
#### 4.5.1.8 Processing of Untrusted External Inputs
FIXME this may be a useful summary of exposure to hostile software or it may be more useful to split it into the sources of risk
**[RF-UEIN]:** Exposure to untrusted external inputs that are processed by the platform.
FIXME update RF/UC chart for RF-SOFT
* UEIN-0: only used in environments without processing of untrusted external inputs
* UEIN-1: may incidentally process untrusted external inputs
* UEIN-2: used primarily to process untrusted external inputs
#### 4.5.1.6 Probability of Loss of the Device
#### 4.5.1.9 Probability of Loss of the Device
**[RF-LOSS]:**likelihood of loss or theft should be accounted for in the risk calculation, particularly for devices that store sensitive personal data.
**[RF-LOSS]:**Likelihood of loss or theft of the device, allowing threat actors unlimited physical access to the device.
* LOSS-0: foreseeable use of the operating system is limited to stationary devices or devices with other loss-prevention mechanisms
* LOSS-1: foreseeable use of the operating system is in a device with only incidental loss likelihood
* LOSS-2: foreseeable use of the operating system is in a device with moderate loss likelihood
* LOSS-3: foreseeable use of the operating system is in a device with a high loss likelihood, such as devices which are common targets of theft such as mobile phones
#### 4.5.1.7 Hardware Modifiability by End Users
#### 4.5.1.10 Hardware Modifiability by End Users
**[RF-HWMD]:**Manufacturers of operating systems shall account for foreseeable risks from hardware modifications within the intended use of the product.
**[RF-HWMD]:**Likelihood that the hardware of the platform will be changed from its secure-by-default state.
* HWMD-0: foreseeable use of the operating system is limited to devices with hardware that is not modifiable by end-users
* HWMD-1: foreseeable use of the operating system includes hardware modifications by skilled or trusted users, such as corporate IT support staff
* HWMD-2: foreseeable use of the operating system includes hardware modification by unskilled users, such as in a personal computer
#### 4.5.1.8 Software Modifiability by End Users
#### 4.5.1.11 Software Modifiability by End Users
**[RF-SWMD]:**Manufacturers of operating systems which are designed to allow end-users to install or substantially modify the software shall account for the risks from arbitrary software execution.
**[RF-SWMD]:**Likelihood that the software on the platform (including firmware) will be changed from its secure-by-default state.
* SWMD-0: foreseeable use lacks any reasonable means for end-users to install or modify the software
* SWMD-0: foreseeable use lacks any reasonable means for end-users to install or modify the software other than by secure updates provided by the manufacturer
* SWMD-1: foreseeable use only allows the installation of trusted and verified software
* SWMD-2: foreseeable use allows for the installation of arbitrary software or for substantial modification of pre-installed software
* SWMD-3: foreseeable use actively encourages and facilitates the installation of arbitrary software
#### 4.5.1.9 Untrusted Peripheral Devices
#### 4.5.1.12 Untrusted Peripheral Devices
**[RF-DVCS]:**Manufacturers of operating systems which are intended for devices that support attached peripheral devices, such as those utilizing USB or PCI connections, shall account for the risk posed by untrusted or compromised peripheral devices and implement appropriate safeguards.
**[RF-DVCS]:**Likelihood of unstrusted peripheral devices being attached to the platform via a connection that is a plausible attack vector, such as by USB or PCI bus.
* DVCS-0: foreseeable use has no accessible peripheral ports
* DVCS-1: foreseeable use includes only trusted and safe peripheral devices
* DVCS-2: foreseeable use allows for arbitrary peripheral device attachment
#### 4.5.1.10 Access To The Internet
#### 4.5.1.13 Access To The Internet
**[RF-TNET]:**Manufacturers of operating systems designed to provide end-users with access to the internet shall implement appropriate safeguards based on the nature of internet access and foreseeable use of the operating system.
**[RF-TNET]:**Likelihood that the device will initiate connections to public networks.
* TNET-0: foreseeable use has no mechanism to reasonably connect to the internet
* TNET-1: foreseeable use allows internet access for only highly restricted functions, such as retrieving security updates
* TNET-2: foreseeable use allows for arbitrary access to the internet, such as by browsing the web
#### 4.5.1.11 Accessed From Untrusted Networks Including The Internet
#### 4.5.1.14 Accessed From Untrusted Networks Including The Internet
**[RF-FNET]:**Manufacturers of operating systems designed to be connected to directly from the internet, rather than placed behind NAT or a firewall, shall implement appropriate safeguards to mitigate risks.
**[RF-FNET]:**Likelihood that the device will be exposed to incoming traffic from public networks.
* FNET-0: foreseeable use is limited to trusted and private networks
* FNET-1: foreseeable use includes untrusted local networks but not the open internet
* FNET-2: foreseeable use includes being connected directly to the open internet
* FNET-3: foreseeable use includes being a firewall connected directly to the open internet
#### 4.5.1.N+1 Web browsing
**[RF-BRWS]:** Manufacturers of operating systems whose expected use includes browsing the web, shall implement appropriate safeguards to mitigate risks.
#### 4.5.1.15 Configurability
* FNET-0: no browser possible or foreseeable use does not include web browsing
* FNET-1: foreseeable use includes incidental or occasional web browsing
* FNET-2: foreseeable use includes web browsing as a normal activity
**[RF-CONF]:** Degree of security-relevant configuration change possible on the operating system.
#### 4.5.1.12 Configurability
* CONF-0: foreseeable use of the operating system prevents or is incapable of storing configuration changes
* CONF-1: foreseeable use allows operating system configuration changes only by skilled or trusted users, such as corporate IT support staff
* CONF-2: foreseeable use of the operating system includes configuration changes by end-users
**[RF-CONF]:** Manufacturers of operating systems which are intended to be configurable by end users shall provide secure-by-default configurations and document all available configuration options. Such documentation shall detail any effects on safety and security that such configuration changes may cause.
#### 4.5.1.16 Administration
* CONF-0: foreseeable use of the operating system prevents or is incapable of storing configuration changes.
* CONF-1: foreseeable use allows operating system configuration changes only by skilled or trusted users, such as corporate IT support staff.
* CONF-2: foreseeable use of the operating system includes configuration changes by end-users.
#### 4.5.1.13 Administration
**[RF-ADMN]:** Manufacturers of operating systems which require a privileged administrator role to perform their functions shall document the expected level of administrative skill and availability and implement appropriate safeguards based on the expected level associated with the foreseeable use of the operating system.
**[RF-ADMN]:** Availability and skill of administrators.
* ADMN-0: no administration is necessary
* ADMN-1: foreseeable use of the operating system includes skilled administration available on call.
* ADMN-2: foreseeable use of the operating system includes unskilled or no administration.
* ADMN-1: foreseeable use of the operating system includes skilled administration available on call
* ADMN-2: foreseeable use of the operating system includes unskilled administration
### 4.5.2 Mapping of Use Cases to Risk Factors
**NOTE:** The "TOTAL" field is referenced by but does not define the Risk Tolerance assignments table in Section 6.3. It is primarily a consistency check to see if the risk factors sufficiently distinguish the differences in risk tolerance between use cases.
FIXME needs updates
|Risk Factor | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |
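Review bot: The identifier scheme in this hunk collides in two places. The new `#### 4.5.1.5 Sensitivity of Functions` reuses `**[RF-SENS]:**` and the `SENS-0` to `SENS-3` level names that `#### 4.5.1.4 Sensitivity of Data` directly above it already owns, and the `#### 4.5.1.N+1 Web browsing` section labels its levels `FNET-0` to `FNET-2` although its factor is `[RF-BRWS]` and the `FNET-n` levels belong to `[RF-FNET]` in 4.5.1.14; give the functions factor its own tag and level prefix and rename the browsing levels to `BRWS-n`, otherwise the Section 6 profiles cannot reference them unambiguously. Two headings still carry the `4.5.1.N+1` placeholder (Software Access, Web browsing) while the neighbouring sections were renumbered 4.5.1.7 through 4.5.1.16; settle the numbering in this change rather than leaving placeholders in the spec body. Three overlapping factors describe exposure to hostile code and input, `[RF-UEXC]`/`UEXC-n`, `[RF-SOFT]`/`SOFT-n` and `[RF-UEIN]`/`UEIN-n`; the `FIXME` about splitting should be resolved here by keeping either RF-SOFT or the RF-UEXC plus RF-UEIN pair, and the `FIXME update RF/UC chart for RF-SOFT` confirms that the table header closing the hunk (`NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF`) lacks columns for whichever of those survive, as well as for ADMN and BRWS. Minor: stray `f` before the bullet in `f* NUSR-2`, `forseeable` (three occurrences), `unstrusted` in RF-DVCS, `the operating system is collects` in SENS-3, missing space after the colon in `**[RF-DATA]:**What`, `**[RF-LOSS]:**Likelihood` and the following tag lines, and bullets within one list that mix trailing periods with none. Suggest the four FIXME lines be tracked as issues rather than landing in the document text.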
@@ -766,14 +771,6 @@ FIXME update RF/UC chart for RF-SOFT
Potential additional risk factors:
* Is audit/logging being watched?
* Web browsing or not
* Sensitivity of functions
* Running on bare metal vs. hypervisor
* Many devices have multiple OS's for elements
Phone should be significantly riskier than a personal laptop. The phone goes everywhere, is always on, always connected, filled with sensors, super loaded with personally identifiable data, practically begs you to install with data stealing apps.
Separate question for the application delivery mechanism:
1. App is not preinstalled, but by default gets installed during initial configuration by the user if the user always picks the preselected option -> IMHO part of the device, forcing installation later should not be an allowed trick to make the scope smaller.
2. Third party app is installed through the official app store/repository, but vetted less (or not at all) by the OS vendor. Do we want to require a vetting level indicator if the same source has multiple tiers of vetting?
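Review bot: The `Potential additional risk factors` list still carries `Web browsing or not` and `Sensitivity of functions`, both of which the earlier hunk already promotes to their own sections (`4.5.1.N+1 Web browsing` with `[RF-BRWS]`, and `4.5.1.5 Sensitivity of Functions`); if these bullets survive this change, drop them so the open-items list matches the body. The paragraph beginning `Phone should be significantly riskier than a personal laptop` is discussion-register argument rather than specification text, and `practically begs you to install with data stealing apps` reads as a dropped word; either move it into a rationale note that names the risk factors driving the difference (LOSS, SENS, SWMD, TNET, DVCS are the ones its own sentence alludes to via theft, sensors, personal data, connectivity and app installation) or keep it out of the normative section. `OS's` should be `OSes`. The two numbered items under `Separate question for the application delivery mechanism` pose questions (`Do we want to require a vetting level indicator ...`) without recording a decision; file them as open issues rather than leaving unanswered questions in the document.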