Annex J
(informative)

Protection of the TOE Security Functions (FPT)

This class contains families of functional requirements that relate to the integrity and management of the mechanisms that provide the TSF (independent of TSP-specifics), and to the integrity of TSF data (independent of the specific contents of the TSP data). In some sense, families in this class may appear to duplicate components in the FDP (User data protection) class and may even be implemented using the same mechanisms. However, FDP focuses on user data protection, while FPT focuses on TSF data protection. In fact, components from the FPT class are necessary in order to express the requirement that the SFPs in the TOE cannot be tampered with or bypassed.



Figure J.1 - Protection of the TOE Security Functions class decomposition


Figure J.2 - Protection of the TOE Security Functions class decomposition (Cont.)

From the point of view of this class, there are three significant portions that make up the TSF:

a)    The TSF's abstract machine, which is the virtual or physical machine upon which the specific TSF implementation under evaluation executes.

b)    The TSF's implementation, which executes on the abstract machine and implements the mechanisms that enforce the TSP.

c)    The TSF's data, which are the administrative databases that guide the enforcement of the TSP.

All of the families in the FPT class can be related to these areas, and fall into the following groupings:

a)    FPT_PHP (TSF physical protection), which provides an authorised user with the ability to detect external attacks on the parts of the TOE that comprise the TSF.

b)    FPT_AMT (Underlying abstract machine test) and FPT_TST (TSF self test), which provide an authorised user with the ability to verify the correct operation of the underlying abstract machine and the TSF as well as the integrity of the TSF data and executable code.

c)    FPT_SEP (Domain separation) and FPT_RVM (Reference mediation), which protect the TSF during execution and ensure that the TSF cannot be bypassed. When appropriate components from these families are combined with the appropriate components from ADV_INT (TSF internals), the TOE can be said to have what has been traditionally called a "Reference Monitor."

d)    FPT_RCV (Trusted recovery), FPT_FLS (Fail secure), and FPT_TRC (Internal TOE TSF data replication consistency), which address the behaviour of the TSF when failure occurs and immediately after.

e)    FPT_ITA (Availability of exported TSF data), FPT_ITC (Confidentiality of exported TSF data), and FPT_ITI (Integrity of exported TSF data), which address the protection and availability of TSF data exchanged between the TSF and a remote trusted IT product.

f)    FPT_ITT (Internal TOE TSF data transfer), which addresses protection of TSF data when it is transmitted between physically-separated parts of the TOE.

g)    FPT_RPL (Replay detection), which addresses the replay of various types of information and/or operations.

h)    FPT_SSP (State synchrony protocol), which addresses the synchronisation of states, based upon TSF data, between different parts of a distributed TSF.

i)    FPT_STM (Time stamps), which addresses reliable timing.

j)    FPT_TDC (Inter-TSF TSF data consistency), which addresses the consistency of TSF data shared between the TSF and a remote trusted IT product.