Software component evaluation
A developer's perspective
Sony Corporation's presentation for the 6th International Common Criteria Conference
6th ICCC Presentation, Copyright © 2005 Sony Corporation
Contents
The modularity of systems versus the modularity of software
The disparity between hardware and software evaluations
The complexity of software and its components
A preview of what is coming
System security
The current approach is to evaluate "finished products"
Those products are later used as components to build secure systems
The security of the system depends more on the overall security policies and the system design than on the security of the individual products
Products specify how they should be used in order to remain secure inside a system
Most of the time, systems themselves are not externally evaluated
Product security
Products are seen as almost completely independent units
Products are rigorously evaluated for their security
The product is evaluated as one big lump of matter, which contradicts the modular design principles the product itself was built on
The consequence is that evaluation effort is wasted on reinventing the wheel
Product security should be looked at from the point of view of a system and of the components that go into this system
Component security
Products consist of components
At the system level, we can evaluate individual components, known as "products", independently
At the product level, we may not evaluate individual components?
There is an obvious disparity between the approaches to security at the different levels
This disparity is greatest when we look at software evaluations
The spectrum of security
System security
Component security
Product security
Overall security
The components of a product must be evaluated the way we evaluate the products themselves
The product provides the environment for its components, just as the system provides the environment for the product
The approach must be systematically consistent, from evaluating software and hardware components all the way to building the systems
Current state
Lots of experience in evaluating hardware and hardware-based products
Even complex composite products are evaluated without much trouble
Evaluation of software components is far behind
The lag in software component evaluations holds back the natural process of composing products from certified components
What is so peculiar about software?
Much higher complexity
Much easier to develop using logically separated components
Quick development of the functionality, but a long time to get the details right
Infinite stability
Complexity
Software is much easier to develop than hardware
Therefore we make very complex things in software
The way we deal with the increasing complexity is to split the software into components
Components, in turn, get increasingly complex
Development cycle
There are different models for managing the complexity of development
In the end, there are always two phases:
– Development of the functionality
– Getting the functionality exactly right
The second phase may take longer
Fully understood, tested and verified software can be easily reused
Software stability
As opposed to hardware, software is not subject to wear and tear
Software does not need the maintenance or physical protection that hardware requires
Software will keep performing the required function indefinitely, as long as its environment stays as specified
Software vs. hardware: implementation
Hardware is built from real-world matter, while software is built of ideal mathematical objects whose behaviour is defined precisely by abstract rules
Hardware can fail; software does not wear out or fail at random
Hardware can have dependencies that would be absurd for software
The dependencies in software are much easier to identify and analyze
What is the point?
Software, once written, stays functional forever
Software can be evaluated once and for all
The total sum of software in a product is usually split into building blocks: components
A product may be created from infinitely stable, evaluated components
More interestingly
Hardware does not know how it will be used; software knows exactly what it needs to do and how it will use the hardware
Hardware is operated according to a plan, and that plan is the software
Software summary
Software is the master plan of function
High level of complexity
Precisely defined behaviour
Infinite stability
No possibility of failure
Dependencies are easy to define
What does all this lead to?
The software should be the basis of the evaluation
We are used to evaluating the hardware first and then seeing how it is used by the software
We should do it the other way around
Compare with the evaluation flow
In a CC evaluation, we start from the Security Target (ST) to see what has to be done and proceed downwards to see how it is supported
The current state is like starting from the code to see what it can do and proceeding upwards to check that the ST does not break the security of the code
Let's start from the logical beginning: the software that rules the functionality!
Certified components
The purpose is to make components self-contained
The functionality of a component is not affected by the functionality of other components
A component can be fully tested and relied on to keep the set functionality
Certified components become the basis for building secure systems
What is in it for us?
Assembly from certified components: lower cost
Independent component support: lower effort
Clear "separation of duty": higher security
What is the problem then?
Software requires some hardware to run on for testing
Hardware introduces dependencies
Software is much bigger and more complex; it takes a lot of time to analyze, especially when it has many dependencies
And what is the solution?
The solution is to use component evaluation
The solution is two-fold:
– Make sure the components are self-contained for the most part and contain a clearly defined and stable functionality
– Make sure the component describes clearly what it will expect from the environment and how that environment will be used
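As an added illustration (not from the Sony presentation, and not describing any real product), the following Python sketch shows what "a component describes clearly what it expects from the environment" can look like in practice. Each component declares the interfaces it provides and the ones it requires from other components or from the hardware platform; a composition check then confirms that every requirement is met by exactly one provider and that the declared dependencies form an acyclic graph, which also yields an order in which the components can be evaluated one after another. The component and interface names (crypto, filesystem, dispatcher, hw.aes, ...) are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Component:
    """A building block with an explicit environment contract.

    `provides` lists the interfaces the component implements; `requires`
    lists what it expects from its environment (other components or the
    hardware platform). Anything not listed in `requires` is off limits.
    """
    name: str
    provides: FrozenSet[str]
    requires: FrozenSet[str]


def check_composition(components: List[Component], platform: Set[str]) -> Tuple[List[str], List[str]]:
    """Validate a product assembled from components on a hardware platform.

    Returns (evaluation_order, problems). The order is a topological sort of
    the declared dependency graph, so each component is evaluated only after
    everything it relies on. `problems` lists unmet requirements, ambiguous
    providers (two components implementing the same interface) and cycles.
    """
    problems: List[str] = []
    provider: Dict[str, str] = {iface: "<platform>" for iface in platform}
    for c in components:
        for iface in sorted(c.provides):
            if iface in provider:
                problems.append(f"{iface!r} provided by both {provider[iface]} and {c.name}")
            else:
                provider[iface] = c.name

    # Edges from a component to the components that satisfy its requirements.
    deps: Dict[str, Set[str]] = {c.name: set() for c in components}
    for c in components:
        for iface in sorted(c.requires):
            who = provider.get(iface)
            if who is None:
                problems.append(f"{c.name} requires {iface!r}, which nothing provides")
            elif who != "<platform>":
                deps[c.name].add(who)

    # Kahn's algorithm: components whose dependencies are all resolved go next.
    order: List[str] = []
    remaining = {n: set(d) for n, d in deps.items()}
    while remaining:
        ready = sorted(n for n, d in remaining.items() if not d)
        if not ready:
            problems.append("dependency cycle among: " + ", ".join(sorted(remaining)))
            break
        for n in ready:
            order.append(n)
            del remaining[n]
        for d in remaining.values():
            d.difference_update(ready)
    return order, problems


# Constructed sample stack (hypothetical names, not a real smart card design).
PLATFORM = {"hw.aes", "hw.rng", "hw.nvm", "hw.io"}
COMPONENTS = [
    Component("crypto", frozenset({"crypto.auth", "crypto.session"}), frozenset({"hw.aes", "hw.rng"})),
    Component("filesystem", frozenset({"fs.read", "fs.write"}), frozenset({"hw.nvm", "crypto.auth"})),
    Component("dispatcher", frozenset({"apdu.handle"}), frozenset({"hw.io", "fs.read", "fs.write", "crypto.session"})),
]


def demo_valid() -> Tuple[List[str], List[str]]:
    return check_composition(COMPONENTS, PLATFORM)


def demo_missing_hardware() -> Tuple[List[str], List[str]]:
    # Same software on a platform without a hardware RNG: the contract breaks.
    return check_composition(COMPONENTS, PLATFORM - {"hw.rng"})


def demo_cycle() -> Tuple[List[str], List[str]]:
    # filesystem logs through logger, logger writes through filesystem.
    logger = Component("logger", frozenset({"log.write"}), frozenset({"fs.write"}))
    fs = Component("filesystem", frozenset({"fs.read", "fs.write"}),
                   frozenset({"hw.nvm", "crypto.auth", "log.write"}))
    return check_composition([COMPONENTS[0], fs, COMPONENTS[2], logger], PLATFORM)


if __name__ == "__main__":
    for label, fn in (("valid", demo_valid), ("missing hw.rng", demo_missing_hardware), ("cycle", demo_cycle)):
        order, problems = fn()
        print(f"{label}: order={order} problems={problems}")
```

The point of the check is that a certified component's evaluation stays valid only while its declared contract is honoured; swapping the platform or adding a mutually dependent component is caught before any re-evaluation effort is spent.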
What do we need?
An agreed way to describe the software and hardware dependencies
– Policies
– Security Functional Requirements
– Developer documentation
– …?
An agreed evaluation methodology
A product to test all of these on
What will we do then?
We started a project for software component evaluation that will allow us to test the methodology and gain some experience
The product is a smart card with a somewhat complicated software structure
The purpose is to certify the software components separately and then reassemble the product from those certified components
Who is at the forefront?
Certification body: CESG of the UK
Evaluation labs: LogicaCMG and SiVenture
Developer: Sony Corporation
The "guinea pig" product: Sony FeliCa smart card
Thank you!
Albert Dorofeev
General Manager
Sony Secure Communications Europe
[email protected]