Family behaviour
This family describes the rules for the specific functions that can implement the information flow control SFPs named in FDP_IFC, which also specifies the scope of control of the policy. It consists of two kinds of requirements: one addressing the common information flow function issues, and a second addressing illicit information flows (i.e. covert channels). This division arises because the issues concerning illicit information flows are, in some sense, orthogonal to the rest of an information flow control SFP. By their nature, they circumvent the information flow control SFP, resulting in a violation of the policy. As such, they require special functions to either limit or prevent their occurrence.
Component levelling
FDP_IFF.1 Simple security attributes requires security attributes on information, on subjects that cause that information to flow, and on subjects that act as recipients of that information. It specifies the rules that must be enforced by the function, and describes how security attributes are derived by the function.
FDP_IFF.2 Hierarchical security attributes expands on the requirements of FDP_IFF.1 Simple security attributes by requiring that all information flow control SFPs in the TSP use hierarchical security attributes that form a lattice.
FDP_IFF.3 Limited illicit information flows requires the SFP to cover illicit information flows, but not necessarily eliminate them.
FDP_IFF.4 Partial elimination of illicit information flows requires the SFP to cover the elimination of some (but not necessarily all) illicit information flows.
FDP_IFF.5 No illicit information flows requires the SFP to cover the elimination of all illicit information flows.
FDP_IFF.6 Illicit information flow monitoring requires the SFP to monitor illicit information flows for specified and maximum capacities.
Management: FDP_IFF.1, FDP_IFF.2
The following actions could be considered for the management functions in FMT Management:
a) Managing the attributes used to make explicit access based decisions.
Management: FDP_IFF.3, FDP_IFF.4, FDP_IFF.5
There are no management activities foreseen for these components.
Management: FDP_IFF.6
The following actions could be considered for the management functions in FMT Management:
a) The enabling or disabling of the monitoring function.
b) Modification of the maximum capacity at which the monitoring occurs.
Audit: FDP_IFF.1, FDP_IFF.2, FDP_IFF.5
The following events should be auditable if FAU_GEN Security audit data generation is included in a PP/ST:
a) Minimal: Decisions to permit requested information flows.
b) Basic: All decisions on requests for information flow.
c) Detailed: The specific security attributes used in making an information flow enforcement decision.
d) Detailed: Some specific subsets of the information that has flowed based upon policy goals (e.g. auditing of downgraded material).
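The lattice requirement of FDP_IFF.2 and the Minimal/Basic/Detailed audit levels listed above can be illustrated together. The following is an added example, not part of the original text: the level names, the compartment model, and every function and field name are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed hierarchy for illustration; the page does not name any levels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}
AUDIT_RANK = {"minimal": 0, "basic": 1, "detailed": 2}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Partial order: higher-or-equal level AND superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def join(a, b):
    """Least upper bound: lowest label that dominates both a and b."""
    return Label(max(a.level, b.level, key=LEVELS.get),
                 a.compartments | b.compartments)

def meet(a, b):
    """Greatest lower bound: highest label dominated by both a and b."""
    return Label(min(a.level, b.level, key=LEVELS.get),
                 a.compartments & b.compartments)

def label_view(label):
    return {"level": label.level, "compartments": sorted(label.compartments)}

def decide_flow(info, recipient, audit_level="basic"):
    """Permit the flow only if the recipient's label dominates the
    information's label. Returns (permitted, audit_record_or_None)."""
    permitted = recipient.dominates(info)
    rank = AUDIT_RANK[audit_level]
    if not permitted and rank < AUDIT_RANK["basic"]:
        return permitted, None          # Minimal: only permits are recorded
    record = {"event": "information_flow",
              "decision": "permit" if permitted else "deny"}
    if rank >= AUDIT_RANK["detailed"]:  # Detailed: attributes used in the decision
        record["info_label"] = label_view(info)
        record["recipient_label"] = label_view(recipient)
    return permitted, record

# Constructed sample labels: neither dominates the other (incomparable).
SECRET_CRYPTO = Label("SECRET", frozenset({"CRYPTO"}))
CONF_NUCLEAR = Label("CONFIDENTIAL", frozenset({"NUCLEAR"}))
```

Because the two sample labels are incomparable, a flow between them is denied in either direction; only a recipient at or above their join may receive both.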
Audit: FDP_IFF.3, FDP_IFF.4, FDP_IFF.6
The following events should be auditable if FAU_GEN Security audit data generation is included in a PP/ST:
a) Minimal: Decisions to permit requested information flows.
b) Basic: All decisions on requests for information flow.
c) Basic: The use of identified illicit information flow channels.
d) Detailed: The specific security attributes used in making an information flow enforcement decision.
e) Detailed: Some specific subsets of the information that has flowed based upon policy goals (e.g. auditing of downgraded material).
f) Detailed: The use of identified illicit information flow channels with estimated maximum capacity exceeding a specified value.