diff --git a/src/ontologies/CC_2022_R1/Common_Criteria.thy b/src/ontologies/CC_2022_R1/Common_Criteria.thy index 24e0b8c..8fe097f 100644 --- a/src/ontologies/CC_2022_R1/Common_Criteria.thy +++ b/src/ontologies/CC_2022_R1/Common_Criteria.thy @@ -12,474 +12,14 @@ identifies: (*<<*) theory Common_Criteria - imports "Isabelle_DOF.technical_report" + imports "Isabelle_DOF.Common_Criteria_terms" begin - -text\We re-use the class \<^typ>\math_content\, which provides also a framework for -semi-formal "math-alike" terminology, which we re-use by this definition.\ - -doc_class semi_formal_content = math_content + - status :: status <= "semiformal" - mcc :: math_content_class - - - -type_synonym sfc = semi_formal_content - -doc_class cc_term = semi_formal_content + - mcc :: math_content_class <= "terminology" - -type_synonym common_criteria_term = cc_term - -text\ in the following, all \<^theory_text>\Definition*\ statements are interpreted as - \<^doc_class>\cc_term\s, i.e. semi-formal teminological definitions.\ - -declare[[ Definition_default_class="cc_term"]] - - -text\ Excerpt of the BE EN 50128:2011, page 22. \ - -section\Terms and Definitions\ - -declare_reference*[evaluator] -declare_reference*[developer] -Definition*[action] -\documented activity of the @{cc_term (unchecked) \evaluator\} - or @{cc_term (unchecked) \developer\}\ - -declare_reference*[entity] -declare_reference*[TSF] -Definition*[admministrator] -\ @{cc_term (unchecked) \entity\} that has a level of trust with respect to -all policies implemented by the @{cc_term (unchecked) \TSF\}\ - -Definition*[API, short_name="''application programming interface''"] -\\ - -declare_reference*[threat_agent] -declare_reference*[asset] -Definition*[adverse_action] -\ \<^cc_term>\action\ performed by a @{cc_term (unchecked) \threat_agent\} -on an @{cc_term (unchecked) \asset\}\ - -declare_reference*[TOE] -Definition*[asset] -\ @{cc_term (unchecked) \entity\} that the owner of -the @{cc_term (unchecked) \TOE\} presumably places value on\ - -Definition*[assignement] -\specification of an identified parameter in a functional or assurance component\ - -declare_reference*[SFR] -Definition*[assurance] -\grounds for confidence that a @{cc_term (unchecked) \TOE\} meets -the security functional requirements @{cc_term (unchecked) \SFR\}s \ - -declare_reference*[SAR] -Definition*[AP, short_name="''assurance package''"] -\named set of @{cc_term (unchecked) \SAR\}s\ - -Definition*[attack_potential] -\measure of the effort needed to exploit a vulnerability in a @{cc_term (unchecked) \TOE\} \ - -Definition*[attack_surface] -\set of logical or physical interfaces to a target, consisting of points - through which access to the target and its functions may be attempted\ - -Definition*[augmentation] -\addition of one or more requirements to a package\ - -Definition*[autorized_user] -\ @{cc_term (unchecked) \entity\} who may, in accordance with the @{cc_term (unchecked) \SFR\}s, - perform an operation on the @{cc_term (unchecked) \TOE\}\ - -declare_reference*[independent_entity] -declare_reference*[dependent_component] -Definition*[base_component] -\ @{cc_term (unchecked) \independent_entity\} in a multi-component product that provides - services and resources to one or more @{cc_term (unchecked) \dependent_component\}(s)\ - -declare_reference*[PP] -declare_reference*[PP_module] -declare_reference*[PP_module_base] -declare_reference*[PP_config] -Definition*[base_PP, short_name="''base Protection Profile''"] -\ @{cc_term (unchecked) \PP\} specified in a @{cc_term (unchecked) \PP_module\}, -as part of that @{cc_term (unchecked) \PP_module\}’s @{cc_term (unchecked) \PP_module_base\}, -used as a basis to build a @{cc_term (unchecked) \PP_config\}\ - -Definition*[base_PP_module, short_name="''base PP-Module''"] -\@{cc_term (unchecked) \PP_module\} specified in a different @{cc_term (unchecked) \PP_module\}, -as part of that @{cc_term (unchecked) \PP_module\}’s @{cc_term (unchecked) \PP_module_base\}, -used as a basis to build a @{cc_term (unchecked) \PP_config\}\ - -Definition*[base_TOE, short_name="''base target of evaluation''"] -\@{cc_term (unchecked) \base_component\} which is itself the subject of an evaluation\ - -Definition*[class_cc, short_name="''class''"] -\〈taxonomy〉 set of families that share a common focus\ - -Definition*[CD, short_name="''compact disk''"] -\\ - -Definition*[component] -\〈taxonomy〉 smallest selectable set of elements on which requirements may be based OU - @{cc_term (unchecked) \entity\} which provides resources and services in a product\ - -declare_reference*[composed_TOE] -Definition*[component_TOE, short_name="''component target of evaluation''"] -\(evaluated) @{cc_term (unchecked) \TOE\} - that is a component of another @{cc_term (unchecked) \composed_TOE\}\ - -Definition*[CAP, short_name="''composition assurance package''"] -\ \<^cc_term>\AP\ consisting of components drawn predominately from the ACO \<^cc_term>\class_cc\, - representing a point on the pre-defined scale for composition assurance\ - -Definition*[composed_TOE, short_name="''composed target of evaluation''"] -\@{cc_term (unchecked) \TOE\} comprising solely two or more separately identified components - with a security relationship between their @{cc_term (unchecked) \TSF\}\ - -Definition*[composed_evaluation, short_name="''composed evaluation''"] -\evaluation of a \<^cc_term>\composed_TOE\ using the specific evaluation technique applicable to \<^cc_term>\composed_TOE\s\ - -declare_reference*[composite_product] -declare_reference*[composite_TOE] -Definition*[composite_evaluation, short_name="''composite evaluation''"] -\evaluation of a @{cc_term (unchecked) \composite_TOE\}/@{cc_term (unchecked) \composite_product\} - using the specific composite evaluation technique\ - -Definition*[composite_product, short_name="''composite product''"] -\product comprised of two or more components which can be organized in two layers: - a layer of one already evaluated \<^cc_term>\base_component\ (\<^cc_term>\base_TOE\) - and a layer of one @{cc_term (unchecked) \dependent_component\}\ - -Definition*[COMP, short_name="''composite product assurance package''"] -\\ - -Definition*[composite_TOE, short_name="''composite target of evaluation''"] -\part of a \<^cc_term>\composite_product\ including the \<^cc_term>\base_TOE\ - and the @{cc_term (unchecked) \dependent_component\}\ - -Definition*[CM, short_name="''configuration management''"] -\discipline applying technical and administrative direction and surveillance to: - identify and document the functional and physical characteristics of a configuration item, - control changes to those characteristics, record and report change processing - and implementation status, and verify compliance with specified requirements\ - -Definition*[CMS, short_name="''configuration management system''"] -\set of procedures and tools (including their documentation) used by a @{cc_term (unchecked) \developer\} - to develop and maintain configurations of their products during their life-cycles\ - -Definition*[counter] -\act on or respond to a particular threat so that the threat is eradicated or mitigated\ - -declare_reference*[ST] -declare_reference*[PP_configuration] -Definition*[DC, short_name="''demonstrable conformance''"] -\relation between a @{cc_term (unchecked) \PP\}/@{cc_term (unchecked) \ST\} (PP/ST) - and a @{cc_term (unchecked) \PP\}, or an @{cc_term (unchecked) \ST\} and - a @{cc_term (unchecked) \PP_configuration\}, where the PP/ST provides an equivalent or - more restrictive solution that solves the generic security problem in the PP/PP-Configuration\ - -declare_reference*[FP] -Definition*[dependency] -\relationship between components such that a @{cc_term (unchecked) \PP\}, @{cc_term (unchecked) \ST\}, - @{cc_term (unchecked) \FP\} or \<^cc_term>\AP\} including a component - also includes any other \<^cc_term>\component\s that are identified as being depended upon - or include a rationale as to why they are not\ - -declare_reference*[dependent_entity] -Definition*[dependent_component, short_name="''dependent component''"] -\@{cc_term (unchecked)\dependent_entity\} in a multi-component product that relies on - the provision of services and resources by one or more \<^cc_term>\base_component\s\ - -Definition*[dependent_TOE, short_name="''dependent target of evaluation''"] -\\<^cc_term>\dependent_component\ which is itself the subject of an evaluation\ - -Definition*[developper] -\organization responsible for the development of the @{cc_term (unchecked)\TOE\}\ - -declare_reference*[SPD] -declare_reference*[SO] -declare_reference*[operational_environment] -Definition*[direct_rationale, short_name="''direct rationale''"] -\type of @{cc_term (unchecked)\PP\}, @{cc_term (unchecked)\PP_module\} or @{cc_term (unchecked)\ST\} - in which the @{cc_term (unchecked)\SPD\} elements are mapped directly to - the @{cc_term (unchecked)\SFR\}) and possibly to the @{cc_term (unchecked)\SO\}s - for the @{cc_term (unchecked)\operational_environment\}\ - -Definition*[DAC, short_name="''discretionary access control''"] -\\ - -Definition*[element] -\〈taxonomy〉 self-contained description of a security need assigned to @{cc_term (unchecked)\SAR\} - or @{cc_term (unchecked)\SFR\}\ - -Definition*[entity] -\identifiable item that is described by a set or collection of properties\ - -Definition*[evaluation] -\assessment of a @{cc_term (unchecked)\PP_configuration\}, @{cc_term (unchecked)\PP\}, - a @{cc_term (unchecked)\ST\}, or a @{cc_term (unchecked)\TOE\}, against defined criteria -\ - -Definition*[EA, short_name="''evaluation activity''"] -\activity derived from one or more work units\ - -Definition*[EAL, short_name="''evaluation assurance level''"] -\well-formed package of @{cc_term (unchecked)\SAR\} representing a point on the pre- defined assurance scale\ - -declare_reference*[evaluation_scheme] -Definition*[evaluation_authority, short_name="''evaluation authority''"] -\body operating an @{cc_term (unchecked)\evaluation_scheme\}\ - -Definition*[EM, short_name="''evaluation method''"] -\set of one or more \<^cc_term>\EA\ for application in a specific context\ - -Definition*[evaluation_scheme, short_name="''evaluation scheme''"] -\rules, procedures and management to carrying evaluations of IT product security\ - -declare_reference*[overall_verdict] -Definition*[ETR, short_name="''evaluation technical report''"] -\documentation of the @{cc_term (unchecked)\overall_verdict\} and its justification, produced - by the @{cc_term (unchecked)\evaluator\}, and submitted to an \<^cc_term>\evaluation_authority\\ - -Definition*[ETR_COMP, short_name="''evaluation technical report for composite evaluation''"] -\documentation intended to be used within the \<^cc_term>\composite_evaluation\ approach and derived - by the \<^cc_term>\base_component\ @{cc_term (unchecked)\evaluator\} from the full \<^cc_term>\ETR\ -for the evaluated \<^cc_term>\base_component\\ - -Definition*[evaluator] -\individual assigned to perform evaluations in accordance with a given evaluation standard and - associated evaluation methodology\ - -Definition*[EC, short_name="''exact conformance''"] -\hierarchical relationship between a @{cc_term (unchecked)\PP\} or @{cc_term (unchecked)\PP_configuration\} - and a @{cc_term (unchecked)\ST\} where all the requirements in the ST are drawn only from the PP/PP- Configuration\ - -Definition*[exploitable_vulnerability, short_name="''exploitable vulnerability''"] -\weakness in the @{cc_term (unchecked)\TOE\} that can be used to violate the @{cc_term (unchecked)\SFR\}s - in the @{cc_term (unchecked)\operational_environment\} for the @{cc_term (unchecked)\TOE\}\ - -Definition*[extended_security_requirement, short_name="''extended security requirement''"] -\security requirement developed according to the rules in this document, - but which are not listed in any part of the CC\ - -Definition*[user, short_name="''external entity''"] -\human technical system or one of its components interacting with the @{cc_term (unchecked)\TOE\} - from outside of the TOE boundary\ - -Definition*[family] -\〈taxonomy〉 set of components that shares a similar goal but differs in emphasis or rigour\ - -Definition*[FP, short_name="''functional package''"] -\named set of @{cc_term (unchecked)\SFR\}s that may be accompanied by a @{cc_term (unchecked)\SPD\} - and @{cc_term (unchecked)\SO\}s derived from that SPD -\ - -declare_reference*[multi_assurance_evaluation] -Definition*[global_AP, short_name="''global assurance package''"] -\\<^cc_term>\AP\ that applies to the entire @{cc_term (unchecked)\TOE\} in a - @{cc_term (unchecked)\multi_assurance_evaluation\}\ - -Definition*[guidance_documentation, short_name="''guidance documentation''"] -\documentation that describes the delivery, preparation, operation, management and/or use of the @{cc_term (unchecked)\TOE\}\ - -declare_reference*[refinement] -Definition*[implementation_representation, short_name="''implementation representation''"] -\least abstract representation of the @{cc_term (unchecked)\TSF\}, specifically the one - that is used to create the TSF itself without further design @{cc_term (unchecked)\refinement\}\ - -Definition*[internally_consistent, short_name="''internally consistent''"] -\no apparent contradictions exist between any aspects of an \<^cc_term>\entity\\ - -Definition*[interpretation_cc, short_name="''interpretation''"] -\clarification or amplification of a standard or an \<^cc_term>\evaluation_scheme\ requirement\ - -Definition*[iteration] -\use of the same \<^cc_term>\component\ to express two or more distinct requirements\ - -Definition*[layering] -\design technique where separate groups of components are hierarchically organized to have separate - responsibilities such that a group of components depends on groups of components below it in - the hierarchy for services, and provides its services to the groups of components above it\ - -Definition*[module_cc, short_name="''module''"] -\architectural unit specified at a level suitable for implementation of the unit\ - -Definition*[multi_assurance_evaluation, short_name="''multi-assurance evaluation''"] -\evaluation of a @{cc_term (unchecked)\TOE\} using a @{cc_term (unchecked)\PP_configuration\} - where each PP- Configuration component is associated with its own set of assurance requirements\ - -Definition*[object] -\\<^cc_term>\entity\in the @{cc_term (unchecked)\TOE\} that contains or receives information, and - upon which subjects perform operations\ - -Definition*[operation] -\〈on an \<^cc_term>\object\〉 specific type of \<^cc_term>\action\ performed by a subject on an object -\ - -Definition*[operational_environment, short_name="''operational environment''"] -\environment in which the @{cc_term (unchecked)\TOE\} is operated, consisting of everything - that is outside the TOE boundary\ - -Definition*[optional_SFR, short_name="''optional Security Functional Requirement''"] -\@{cc_term (unchecked)\SFR\} in a @{cc_term (unchecked)\PP\}, @{cc_term (unchecked)\FP\}, or - @{cc_term (unchecked)\PP_module\} that contributes to a stated aspect of the PP’s security problem - description but whose inclusion in a conformant PP’s or @{cc_term (unchecked)\ST\} list of - SFRs is not mandatory\ - -Definition*[OSP, short_name="''organizational security policy''"] -\set of security rules, procedures, or guidelines for an organization\ - -Definition*[overall_verdict, short_name="''overall verdict''"] -\statement issued by an \<^cc_term>\evaluator\ with respect to the result of an \<^cc_term>\evaluation\\ - -Definition*[potential_vulnerability, short_name="''potential vulnerability''"] -\suspected, but not confirmed, weakness -\ - -Definition*[PP, short_name="''Protection Profile''"] -\implementation-independent statement of security needs for a @{cc_term (unchecked)\TOE\} type\ - -Definition*[PP_configuration, short_name="''Protection Profile Configuration''"] -\implementation-independent statement of security needs for a @{cc_term (unchecked)\TOE\} type - containing at least one \<^cc_term>\PP\ and an additional non-empty set of @{cc_term (unchecked)\PP_module\} - (with the associated PP-Modules Bases)\ - -Definition*[PP_configuration_component, short_name="''Protection Profile Configuration component''"] -\\<^cc_term>\PP\ or @{cc_term (unchecked)\PP_module\} included in a \<^cc_term>\PP_configuration\\ - -Definition*[PP_module, short_name="''Protection Profile module''"] -\implementation-independent statement of security needs for a @{cc_term (unchecked)\TOE\} type - complementary to one or more base \<^cc_term>\PP\ and possibly some \<^cc_term>\base_PP_module\\ - -Definition*[PP_module_base, short_name="''Protection Profile Module Base''"] -\set of either \<^cc_term>\PP_module\ or \<^cc_term>\PP\ or both, specified by a PP- Module as a basis - for building a \<^cc_term>\PP_configuration\\ - -Definition*[refinement] -\addition of details to a security component\ - -Definition*[residual_vulnerability, short_name="''residual vulnerability''"] -\weakness that cannot be exploited in the \<^cc_term>\operational_environment\ for the - @{cc_term (unchecked)\TOE\}, but that can be used to violate the @{cc_term (unchecked)\SFR\}s by - an attacker with greater \<^cc_term>\attack_potential\ than is anticipated in the operational - environment for the TOE\ - -Definition*[role] -\pre-defined set of rules establishing the allowed interactions between a user and the @{cc_term (unchecked)\TOE\}\ - -Definition*[SAR, short_name="''security assurance requirement''"] -\security requirement that refers to the conditions and processes for the development and delivery - of the @{cc_term (unchecked)\TOE\}, and the \<^cc_term>\action\s required of \<^cc_term>\evaluator\s - with respect to evidence produced from these conditions and processes -\ - -Definition*[security_attribute, short_name="''security attribute''"] -\property of subjects, users, objects, information, sessions and/or resources that is used in - defining the @{cc_term (unchecked)\SFR\}s and whose values are used in enforcing the SFRs -\ - -Definition*[SFR, short_name="''security functional requirement''"] -\security requirement, which contributes to fulfil the @{cc_term (unchecked)\TOE\} - @{cc_term (unchecked)\SPD\} as defined in a specific @{cc_term (unchecked)\ST\} or in a \<^cc_term>\PP\\ - -Definition*[SO, short_name="''security objective''"] -\statement of an intent to \<^cc_term>\counter\ identified threats and/or satisfy identified - organization security policies and/or assumptions\ - -Definition*[SPD, short_name="''security problem definition''"] -\statement, which in a formal manner defines the nature and scope of the security that the - @{cc_term (unchecked)\TOE\} is intended to address\ - -Definition*[SR, short_name="''security requirement''"] -\requirement, which is part of a @{cc_term (unchecked)\TOE\} security specification as defined - in a specific @{cc_term (unchecked)\ST\} or in a \<^cc_term>\PP\\ - -Definition*[ST, short_name="''Security Target''"] -\implementation-dependent statement of security requirements for a @{cc_term (unchecked)\TOE\} - based on a \<^cc_term>\SPD\\ - -Definition*[selection] -\specification of one or more items from a list in a component\ - -Definition*[selection_based_SFR, short_name="''selection-based security functional requirement''"] -\\<^cc_term>\SFR\s in a \<^cc_term>\PP\, \<^cc_term>\PP_module\, or \<^cc_term>\FP\ that contributes to a state - aspect of the PP’s, PP-Module’s or functional package’s \<^cc_term>\SPD\ that is to be included - in a conformant PP or ST if a selection choice identified in the PP/PP-Module/functional package - indicates that it has an associated selection-based SFR\ - -Definition*[single_assurance_evaluation, short_name="''single-assurance evaluation''"] -\evaluation of a @{cc_term (unchecked)\TOE\} using one set of assurance requirements\ - -Definition*[SC, short_name="''strict conformance''"] -\hierarchical relationship between a \<^cc_term>\PP\ and a PP/\<^cc_term>\PP\ where all the requirements - in the PP also exist in the PP/ST\ - -Definition*[sub_TSF, short_name="''sub-TOE security functionality''"] -\combined functionality of all hardware, software, and firmware of a @{cc_term (unchecked)\TOE\} - that is relied upon for the correct enforcement of the \<^cc_term>\SFR\s defined in one - \<^cc_term>\PP_configuration\ component\ - -Definition*[subject] -\\<^cc_term>\entity\ in the @{cc_term (unchecked)\TOE\} that performs operations on objects\ - -Definition*[tailoring] -\addition of one or more functional requirements to a \<^cc_term>\FP\, and/or the addition of one or - more selections to a \<^cc_term>\SFR\ in a functional package\ - -Definition*[TOE, short_name="''target of evaluation''"] -\set of software, firmware and/or hardware possibly accompanied by guidance, which is the subject of an evaluation\ - -Definition*[threat_agent, short_name="''threat agent''"] -\\<^cc_term>\entity\ that has potential to exercise \<^cc_term>\adverse_action\ on \<^cc_term>\asset\s - protected by the \<^cc_term>\TOE\\ - -Definition*[TSF, short_name="''TOE security functionality''"] -\combined functionality of all hardware, software, and firmware of a \<^cc_term>\TOE\ that is relied - upon for the correct enforcement of the \<^cc_term>\SFR\s\ - -Definition*[TOE_type, short_name="''TOE type''"] -\set of characteristics common to a group of \<^cc_term>\TOE\\ - -Definition*[translation] -\process of describing security requirements in a standardized language\ - -Definition*[vulnerability] -\weakness in the \<^cc_term>\TOE\ that can be used to violate the \<^cc_term>\SFR\s in some environment\ - -Definition*[DPA, short_name="''differential power analysis''"] -\\ - -Definition*[DRBG, short_name="''deterministic random bit generator''"] -\\ - -Definition*[ES, short_name="''electromagnetic spectrum''"] -\\ - -Definition*[GAP, short_name="''global assurance package''"] -\\ - -Definition*[GB, short_name="''gygabyte''"] -\\ - -Definition*[GHz, short_name="''gigahertz''"] -\\ - -Definition*[GUI, short_name="''graphical user interface''"] -\\ - define_shortcut* csp \ \CSP\ holcsp \ \HOL-CSP\ hol \ \HOL\ isabelle \ \Isabelle/HOL\ -(*text\ - @{boxed_theory_text [display] -\\ -}\*) datatype cc_spec = package diff --git a/src/tests/Common_Criteria_Tests.thy b/src/tests/Common_Criteria_Tests.thy index e75f7b1..34866fb 100644 --- a/src/tests/Common_Criteria_Tests.thy +++ b/src/tests/Common_Criteria_Tests.thy @@ -79,7 +79,9 @@ text*[ex_SPD::SPD]\ SECURITY PROBLEM DEFINITION The security problem definition of the DBMS PP Extended Package – Access History does not change the security problem definition of the DBMS PP base. \ -text*[ex_error::text_element]\\ +(* text*[ex_error::text_element]\ +This instance is an example of the use of the reject clause by \<^monitor_PP_control>\PP_monitor2\ +\ *) text*[ex_treats::Threats]\ Threats This extended package neither adds to nor alters the threats given in [DBMS PP].