
sec-certs: Examining the security certification practice for better vulnerability mitigation (2311.17603v2)

Published 29 Nov 2023 in cs.CR

Abstract: Products certified under security certification frameworks such as Common Criteria undergo significant scrutiny during the costly certification process. Yet, critical vulnerabilities, including private key recovery (ROCA, Minerva, TPM-Fail...), get discovered in certified products with high assurance levels. Furthermore, assessing which certified products are impacted by such vulnerabilities is complicated due to the large amount of unstructured certification-related data and unclear relationships between the certified products. To address these problems, we conducted a large-scale automated analysis of Common Criteria certificates. We trained unsupervised models to learn which vulnerabilities from NIST's National Vulnerability Database impact existing certified products and how certified products reference each other. Our tooling automates the analysis of tens of thousands of certification-related documents, extracting machine-readable features where manual analysis is unattainable. Further, we identify the security requirements that are associated with products being affected by fewer and less severe vulnerabilities. This indicates which aspects of certification correlate with higher security. We demonstrate how our tool can be used for better vulnerability mitigation on four case studies of known, high-profile vulnerabilities. All tools and continuously updated results are available at https://seccerts.org
