10.11 Domain separation (FPT_SEP)

Family behaviour

The components of this family ensure that at least one security domain is available for the TSF's own execution and that the TSF is protected from external interference and tampering (e.g. by modification of TSF code or data structures) by untrusted subjects. Satisfying the requirements of this family makes the TSF self-protecting, meaning that an untrusted subject cannot modify or damage the TSF.

This family requires the following:

a)    The resources of the TSF's security domain ("protected domain") and those of subjects and unconstrained entities external to the domain are separated such that the entities external to the protected domain cannot observe or modify TSF data or TSF code internal to the protected domain.

b)    The transfers between domains are controlled such that arbitrary entry to, or return from, the protected domain is not possible.

c)    The user or application parameters passed to the protected domain by address are validated with respect to the protected domain's address space, and those passed by value are validated with respect to the values expected by the protected domain.

d)    The security domains of subjects are distinct except for controlled sharing via the TSF.
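The following is an added illustration, not part of the CC text and not any evaluated TOE's code, of how requirements a) to c) above map onto a kernel-style entry gate. It models the protected domain and the user domain as two static arrays (a constructed stand-in for separate address spaces), admits entry only through a fixed table of numbered entry points (requirement b), and validates by-address parameters against the user domain's bounds and by-value parameters against the expected range (requirement c), so that no caller outside the protected domain can read or write tsf_data directly (requirement a). All names (tsf_enter, gate_*, user_space, tsf_data) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model: two regions standing in for the protected (TSF) domain and
 * the user domain. Real systems enforce this with page tables or an MMU; here the
 * gate's checks carry the whole burden, which is what the example demonstrates. */
#define USER_SPACE_SIZE 256
#define TSF_SPACE_SIZE  64

static uint8_t user_space[USER_SPACE_SIZE]; /* resources outside the protected domain */
static uint8_t tsf_data[TSF_SPACE_SIZE];    /* TSF data internal to the protected domain */

enum gate_status { GATE_OK = 0, GATE_BAD_ENTRY = -1, GATE_BAD_ADDRESS = -2, GATE_BAD_VALUE = -3 };

/* The only entry points into the protected domain (requirement b). */
enum { GATE_READ_COUNTER = 0, GATE_SET_LEVEL = 1, GATE_NUM_ENTRIES };

/* By-address validation (requirement c): the caller's buffer must lie wholly inside
 * the user domain, so the TSF never dereferences an address inside its own domain
 * on the caller's behalf. The end check is written to avoid pointer overflow. */
static int addr_in_user_domain(const void *p, size_t len)
{
    uintptr_t start = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)user_space;
    uintptr_t hi = lo + USER_SPACE_SIZE;
    if (p == NULL || len == 0) return 0;
    if (start < lo || start >= hi) return 0;
    if (len > hi - start) return 0;        /* [start, start+len) would leave the region */
    return 1;
}

/* Entry 0: copy the TSF's 32-bit counter (first 4 bytes of tsf_data) to a user buffer. */
static int gate_read_counter(void *user_buf, size_t len)
{
    if (!addr_in_user_domain(user_buf, len) || len < sizeof(uint32_t))
        return GATE_BAD_ADDRESS;
    memcpy(user_buf, tsf_data, sizeof(uint32_t));
    return GATE_OK;
}

/* Entry 1: set a level stored at tsf_data[4]; by-value validation (requirement c). */
static int gate_set_level(int level)
{
    if (level < 0 || level > 7) return GATE_BAD_VALUE;
    tsf_data[4] = (uint8_t)level;
    return GATE_OK;
}

/* The gate: the single controlled transfer into the protected domain. Unknown entry
 * numbers are refused, so arbitrary entry is not possible (requirement b). */
int tsf_enter(int entry, void *addr_arg, size_t len_arg, int value_arg)
{
    switch (entry) {
    case GATE_READ_COUNTER: return gate_read_counter(addr_arg, len_arg);
    case GATE_SET_LEVEL:    return gate_set_level(value_arg);
    default:                return GATE_BAD_ENTRY;
    }
}

/* Helpers used only to set up and observe the model from outside. */
void tsf_init(void)
{
    uint32_t counter = 42;                  /* constructed initial TSF state */
    memset(tsf_data, 0, sizeof tsf_data);
    memset(user_space, 0, sizeof user_space);
    memcpy(tsf_data, &counter, sizeof counter);
}
uint8_t tsf_get_level(void) { return tsf_data[4]; }
void *user_ptr(size_t off) { return user_space + off; }
void *tsf_ptr(size_t off)  { return tsf_data + off; }
uint32_t user_read_u32(size_t off) { uint32_t v; memcpy(&v, user_space + off, 4); return v; }

int main(void)
{
    tsf_init();
    printf("read into user buffer: %d\n", tsf_enter(GATE_READ_COUNTER, user_ptr(16), 4, 0));
    printf("read into TSF buffer:  %d\n", tsf_enter(GATE_READ_COUNTER, tsf_ptr(0), 4, 0));
    printf("read past user end:    %d\n", tsf_enter(GATE_READ_COUNTER, user_ptr(254), 4, 0));
    printf("set level 3:           %d\n", tsf_enter(GATE_SET_LEVEL, NULL, 0, 3));
    printf("set level 99:          %d\n", tsf_enter(GATE_SET_LEVEL, NULL, 0, 99));
    printf("unknown entry 7:       %d\n", tsf_enter(7, NULL, 0, 0));
    return 0;
}
```

The point to take from the model is the pairing in requirement c): a pointer argument is checked against the domain it must belong to (including its full length, not just its first byte), while a value argument is checked against the range the handler is written for, and every rejection leaves tsf_data unchanged.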

Component levelling

FPT_SEP.1 TSF domain separation, provides a distinct protected domain for the TSF and provides separation between subjects within the TSC.

FPT_SEP.2 SFP domain separation, requires that the TSF be further subdivided, with distinct domain(s) for an identified set of SFPs that act as reference monitors for their policies, and a domain for the remainder of the TSF, as well as domains for the non-TSF portions of the TOE.

FPT_SEP.3 Complete reference monitor, requires that there be distinct domain(s) for TSP enforcement, a domain for the remainder of the TSF, as well as domains for the non-TSF portions of the TOE.

Management: FPT_SEP.1, FPT_SEP.2, FPT_SEP.3

There are no management activities foreseen.

Audit: FPT_SEP.1, FPT_SEP.2, FPT_SEP.3

There are no actions identified that should be auditable if FAU_GEN Security audit data generation is included in the PP/ST.