J.11 Domain separation (FPT_SEP)

The components of this family ensure that at least one security domain is available for the TSF's own execution, and that the TSF is protected from external interference and tampering (e.g. by modification of TSF code or data structures) by untrusted subjects. Satisfying the requirements of this family makes the TSF self-protecting, meaning that an untrusted subject cannot modify or damage the TSF.

This family requires the following:

a)    The resources of the TSF's security domain ("protected domain") and those of subjects and unconstrained entities external to the domain are separated such that the entities external to the protected domain cannot observe or modify data structures or code internal to the protected domain.

b)    The transfer of subjects between domains is controlled such that arbitrary entry to, or return from, the protected domain is not possible.

c)    The user or application parameters passed to the protected domain by address are validated with respect to the protected domain's address space, and those passed by value are validated with respect to the values expected by the protected domain.

d)    The security domains of subjects are distinct except for controlled sharing via the TSF.
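The following C model is an added illustration of requirements a) to c) and is not part of the standard or of any evaluated TSF. It simulates one flat address space split into an untrusted subject's domain and a protected domain, admits the protected domain only through a fixed dispatch table (b), and validates every by-address parameter against the caller's domain and every by-value parameter against the values the protected domain expects (c). The memory layout, call numbers, error codes and the functions tsf_entry, sys_write_log and sys_set_audit_level are constructed for this example.

```c
/* Illustrative model of a protected domain (TSF) with controlled entry and
 * parameter validation. Memory layout, call numbers, error codes and function
 * names are constructed for this example, not taken from any real system. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define MEM_SIZE   4096u
#define USER_END   2048u          /* exclusive: first address of the protected domain */
#define TSF_BASE   USER_END
#define TSF_END    MEM_SIZE

/* One simulated address space: [0, USER_END) belongs to the untrusted subject,
 * [TSF_BASE, TSF_END) holds the protected domain's data (requirement a). */
static uint8_t mem[MEM_SIZE];

/* TSF-internal state kept inside the protected domain. */
struct tsf_state { uint32_t audit_level; uint32_t log_bytes; };
static struct tsf_state *tsf_state(void) { return (struct tsf_state *)&mem[TSF_BASE]; }

enum tsf_err { TSF_OK = 0, TSF_EBADCALL = -1, TSF_EFAULT = -2, TSF_EINVAL = -3 };

/* Requirement c, by-address: a buffer is accepted only if every byte of it lies in
 * the caller's domain. Checking len against the remaining space (rather than
 * computing addr + len) avoids the wrap-around that defeats a naive end check. */
static bool user_range_ok(uintptr_t addr, size_t len)
{
    if (addr >= USER_END) return false;          /* starts in the protected domain */
    if (len > USER_END - addr) return false;     /* would cross into the protected domain */
    return true;
}

/* Copies a caller-supplied buffer into protected-domain log storage. */
static int sys_write_log(uintptr_t buf, uintptr_t len)
{
    if (!user_range_ok(buf, (size_t)len)) return TSF_EFAULT;
    struct tsf_state *st = tsf_state();
    size_t log_base = TSF_BASE + sizeof *st;
    if (len > (TSF_END - log_base) - st->log_bytes) return TSF_EINVAL;
    memcpy(&mem[log_base + st->log_bytes], &mem[(size_t)buf], (size_t)len);
    st->log_bytes += (uint32_t)len;
    return TSF_OK;
}

/* Requirement c, by-value: only the values the protected domain expects (0..3). */
static int sys_set_audit_level(uintptr_t level, uintptr_t unused)
{
    (void)unused;
    if (level > 3) return TSF_EINVAL;
    tsf_state()->audit_level = (uint32_t)level;
    return TSF_OK;
}

/* Requirement b: the dispatch table is the only route into the protected domain;
 * an unknown call number is rejected instead of transferring control anywhere. */
typedef int (*tsf_handler)(uintptr_t, uintptr_t);
enum { SYS_WRITE_LOG = 0, SYS_SET_AUDIT_LEVEL = 1, SYS_COUNT };
static const tsf_handler dispatch[SYS_COUNT] = { sys_write_log, sys_set_audit_level };

int tsf_entry(unsigned call_no, uintptr_t a0, uintptr_t a1)
{
    if (call_no >= SYS_COUNT) return TSF_EBADCALL;
    return dispatch[call_no](a0, a1);
}

/* Read-only views of protected state, for callers and tests. */
uint32_t tsf_get_audit_level(void) { return tsf_state()->audit_level; }
uint32_t tsf_get_log_bytes(void)   { return tsf_state()->log_bytes; }
void     tsf_reset(void)           { memset(mem, 0, sizeof mem); }

int main(void)
{
    tsf_reset();
    printf("valid user buffer:        %d\n", tsf_entry(SYS_WRITE_LOG, 100, 16));
    printf("buffer in TSF domain:     %d\n", tsf_entry(SYS_WRITE_LOG, TSF_BASE + 64, 16));
    printf("buffer crossing boundary: %d\n", tsf_entry(SYS_WRITE_LOG, USER_END - 8, 16));
    printf("unexpected value:         %d\n", tsf_entry(SYS_SET_AUDIT_LEVEL, 7, 0));
    printf("unknown call number:      %d\n", tsf_entry(SYS_COUNT + 5, 0, 0));
    return 0;
}
```

Each rejected call leaves the protected domain's state unchanged, which is the property an evaluator looks for: the untrusted subject can neither read nor write TSF data by passing a pointer into the protected domain, nor reach TSF code except through the validated entry point.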

User notes

This family is needed whenever confidence is required that the TSF has not been subverted.

In order to obtain the equivalent of a reference monitor, the components FPT_SEP.2 (SFP domain separation) or FPT_SEP.3 (Complete reference monitor) from this family must be used in conjunction with FPT_RVM.1 (Non-bypassability of the TSP), and ADV_INT.3 (Minimisation of complexity). Further, if complete reference mediation is required, the components from Class FDP User data protection must cover all objects.