Attack-Countering Objectives
Audit_Account - Auditing for user accountability
Crypto_Key_Man - Cryptographic Key Management
Crypto_Manage_Roles - Management of cryptographic roles
Objective Application - Limit cryptographic management to specially authorized administrators.
I&A_User_Action - User-action identification and authentication 
Environmental support may include operational requirements for security roles and proper handling of audit data.
The protection provided is dependent upon specializing the objectives as provided guidance indicates.
Attack-Countering Objectives
Audit_Admin_Role - Audit-administration role duties
Objective Rationale - Deter modification or destruction of audit data through the creation of an audit-administration role.
This objective attempts to prevent misuse of audit data by limiting access to it.
Purpose: Prevent modification or destruction of audit data by limiting possible threat sources.
Only the audit administrator can control the audit trail per FMT_SMR.2 and FMT_MTD.1.
Environmental support for this objective application could include the creation of procedures for the duties of the Audit Administration role.
Audit_Protect - Protect stored audit records
Objective Application - Select either variant to prevent this attack. The Availability is more effective because a maximum number of audit records lost can be specified and because it potentially addresses other failure scenarios for the audit mechanism.
I&A_User - Identify and authenticate each user
Attack-Countering Objectives
AC_Admin_Limit - Limitation of administrative access control
Objective Application - Consider preventing administrators from modifying user-defined access control attributes.
Objective Rationale - This objective is a preventive measure that - with some exceptions - allows the TOE to prevent unauthorized administrative access to user objects.
Audit_Account - Auditing for user accountability
X-Ray Application - FAU_GEN.1:
Auditable actions: modification of access-control attributes by administrators.
Auditable objects: all objects.
Objective Rationale - Auditing administrators serves as an identification measure that can help prevent future similar attacks. It also serves as a deterrent, reducing threat-agent motivation.
Audit_Loss_Respond - Respond to possible loss of stored audit records
Objective Rationale - The O.Audit_Loss_Respond objective helps counter the case where administrators take actions that result in the loss of incriminating audit records.
Audit_Protect - Protect stored audit records
Objective Application - Consider preventing administrators who control object attributes from modifying audit data.
Objective Rationale - The O.Audit_Protect objective deters the administrator from modifying the audit data storage.
Attack-Countering Objectives
AC_Admin_Limit - Limitation of administrative access control
Objective Application - Consider preventing privileged access to user data, except as necessary.
Objective Rationale - The O.AC_Admin_Limit objective has been imposed to stop the administrator from having access to the user's data.
Audit_Admin_Role - Audit-administration role duties
Objective Rationale - The O.Audit_Admin_Role objective should be considered when the administrator would cover his tracks when accessing a user's data to make the unauthorized modifications.
I&A_User - Identify and authenticate each user
Trusted_Path&Channel - Trusted path and channel
Objective Rationale - The objective O.Trusted_Int_Path should be selected when an administrator might attempt to gain user imposed data access information or user authentication data within the TSC.
Attack-Countering Objectives
Audit_Admin_Role - Audit-administration role duties
Objective Rationale - O.Audit_Admin_Role should be considered as a potential deterant to an administrator who may attempt any malicious modification of the information flow control policy.
Audit_Protect - Protect stored audit records
Objective Application - Access is limited to those authorized for the Audit Administrator role, per Objective O.Audit_Admin_Role.
Objective Rationale - O.Audit_Protect should be provided in a manner to stop an administrator from destroying the audit data collected on this attack.
I&A_User - Identify and authenticate each user
Info_Flow_Ctrl_Admin - Provide information flow control administration
X-Ray Application - FDP_IFC.1: This component should be implemented to provide a policy that would eliminate an administrator from redirecting traffic to an unauthorized location.
FDP_IFF.1: This component should implement the information flow to authorized location only.
Attack-Countering Objectives
AC_Admin_Limit - Limitation of administrative access control
Aud_Sys_Entry_Parms - Audit changes of system entry parameters
Audit_Admin_Role - Audit-administration role duties
I&A_User - Identify and authenticate each user
Attack-Countering Objectives
Obj_Protection - Object domain protection
Sys_Self_Protection - Protection of system security function
TSF_Mod_Limit - Limit administrator's modification of security-critical code or data
Attack-Countering Objectives
Adm_Limits_Bindings - Limit an administrator's ability to modify user-subject bindings
Attack-Countering Objectives
Adm_User_Att_Mod - Limit administrator's modification of user attributes
Attack-Countering Objectives
User_Auth_Management - User authorization management
Attack-Countering Objectives
Admin_Guidance - Administrator guidance documentation
X-Ray Application - Administrator guidance shall address administrator errors that change the access control or information flow policy enforced by the system or application in such a way that it no longer serves its intended purpose.
Security_Attr_Mgt - Manage security attributes
Objective Application - Disallow access control or information flow policies that are unsafe in any environment.
Security_Data_Mgt - Manage security-critical data
Objective Application - Security management functions shall provide a well-defined correspondence between available parameter settings and potentially desired access control or information flow policies.
Security_Func_Mgt - Manage behavior of security functions
Security_Roles - Security roles
Objective Application - Provide an administrative role specifically for managing access control or information flow policy.
X-Ray Application - FMT_SMR.1, FMT_SMR.2:
The authorised identified role: identified audit role.
Another example is when an administrator's error sets audit attributes in such a way as to allow inadmissible activities to go unaudited.
Attack-Countering Objectives
Admin_Guidance - Administrator guidance documentation
X-Ray Application - Administrator guidance shall address errors that change the audit policy enforced by the TSF.
Audit_Admin_Role - Audit-administration role duties
Objective Application - Provide an administrative role specifically for managing the audit mechanism.
Audit_Loss_Respond - Respond to possible loss of stored audit records
Audit_Protect - Protect stored audit records
I&A_User - Identify and authenticate each user
Security_Data_Mgt - Manage security-critical data
Security_Roles - Security roles
X-Ray Application - FMT_SMR.1, FMT_SMR.2:
The authorised identified role: identified audit role.
Attack-Countering Objectives
Admin_Guidance - Administrator guidance documentation
X-Ray Application - AGD_ADM.1:
Administrator guidance shall address errors that change the authentication policy enforced by the TSF.
Limit_Actions_Auth - Restrict actions before authentication
Security_Data_Mgt - Manage security-critical data
Another example is when an administrator erroneously sets performance-related parameters, which makes information unavailable.
Attack-Countering Objectives
Admin_Guidance - Administrator guidance documentation
X-Ray Application - AGD_ADM.1:
Administrator guidance shall address errors that interfere with availability of user information.
Priority_Of_Service - Provide priority of service
Resource_Quotas - Resource quotas for users and services
Security_Data_Mgt - Manage security-critical data
Security_Roles - Security roles
Objective Application - Restrict activities that could have a general impact on availability of information to an administrative role.
X-Ray Application - FMT_SMR.1, FMR_SMR.2:
The authorised identified role: identified audit role.
Attack-Countering Objectives
Maintenance_Access - Controlled access by maintenance personnel
Maintenance_Recover - Expiration of maintenance privileges
Prvlg_IF_Status - Privileged-interface status
Attack-Countering Objectives
Admin_Guidance - Administrator guidance documentation
X-Ray Application - AGD_ADM.1:
Administrator guidance shall address errors that interfere with availability of computing resources.
Security_Attr_Mgt - Manage security attributes
Attack-Countering Objectives
Admin_Guidance - Administrator guidance documentation
X-Ray Application - AGD_ADM.1:
Administrator guidance shall address errors that lead to inappropriate system-entry policies.
Security_Data_Mgt - Manage security-critical data
Attack-Countering Objectives
Admin_Guidance - Administrator guidance documentation
Audit_Account - Auditing for user accountability
Secure_Configuration - Security-relevant configuration management
Another example is when an administrator's error modifies a user's security attributes, which gives the user authorization greater than the authorization dictated by the security policy of the system or application.
Attack-Countering Objectives
Admin_Guidance - Administrator guidance documentation
Security_Attr_Mgt - Manage security attributes
Security_Data_Mgt - Manage security-critical data
Security_Func_Mgt - Manage behavior of security functions
Security_Roles - Security roles
X-Ray Application - FMT_SMR.1, FMT_SMR.2:
The authorised identified role: identified audit role.
User_Attributes - Maintain user attributes
The protection provided is dependent upon specializing the objective as provided guidance indicates.
---
Because this is an administrator attack, it is difficult to prevent the attack with high effectiveness. The O.Prevent_Observe objective limits who can observe service usage. However, it is expected that some administrative roles would still be able to observe some service usage in order to perform their duties. O.Limit_ObserveRoles provides a limit on which roles are able to observe service usage, thereby minimizing the opportunity for the attack. O.Prevent_Link limits administrators' ability to profile service usage.
Attack-Countering Objectives
Limit_ObserveRoles - Limit observation of service usage to authorized users
Objective Application - The authorized users are the administrator roles that you wish to constrain.
X-Ray Application - FPR_UNO.4:
List the administrator roles that you wish to constrain.
Prevent_Link - Prevent linking of multiple service use
Objective Application - Include administrators in the list of users who are unable to link multiple uses of a service or resource by a user.
Objective Rationale - This objective constrains the administrative roles identified in the attack as the threat agent.
Prevent_Observe - Prevent observation of service use
Objective Application - Choose the [Distribution] variant of this objective for higher effectiveness in countering this attack. Limit administrators' ability to observe operations to those which are necessary to perform their duties.
X-Ray Application - FPR_UNO.1, FPR_UNO.2:
Include administrators as appropriate to their duties in the list of users who are unable to observe operations. Tailor the lists of operations, objects, and protected users associated with each administrator role as required by your goals for privacy within the specific TOE environment.
Objective Rationale - The [Distribution] variant of this objective makes it more difficult for administrators to gather privacy information. Administrators typically have greater access than users. Distributing privacy information is additional step to make collect the data more difficult.
This objective is more effective if all administrators are constrained under this objective.
Attack-Countering Objectives
Prevent_AskPrivInfo - Prevent system from collecting user privacy information
Objective Rationale - This objective helps prevent the attack by prohibiting the system from collecting privacy-related information in the first place. Administrators are thereby prevented from ever seeing the privacy-related information because it never exists on the system.
The protection provided is dependent upon specializing the objective as provided guidance indicates.
---
Either objective prevents the attack by obscuring the identity of the user. (Note that by definition privacy-related information is associated with user identity.)
Attack-Countering Objectives
Permit_Aliases - Permit users to use services under aliases
Objective Application - Select the [Basic] variant unless there is a need for accountability.
X-Ray Application - FPR_PSE.1, FPR_PSE.2, FPR_PSE.3:
Include administrators in the list of users who are unable to determine the real user identity associated with protected subjects.
Objective Rationale - Any variant of the objective prevents the attacker from associating privacy-related information with a user.
Permit_Anonymity - Permit users to use services anonymously
Objective Application - Choose the [Enhanced] variant of this objective for higher effectiveness in countering this attack
X-Ray Application - FPR_ANO.1, FPR_ANO.2:
Include administrators in the list of users who are unable to determine the real user identity associated with protected subjects.
Objective Rationale - The [Enhanced] variant of this objective helps prevent the attack by prohibiting the system from collecting privacy-related information in the first place. Administrators are thereby prevented from ever seeing the privacy-related information because it never exists on the system.
Attack-Countering Objectives
Integrity_Attr_Exch - Correct attribute exchange with another trusted product
Attack-Countering Objectives
No_Residual_Info - Eliminate residual information
Attack-Countering Objectives
Integ_Sys_Data_Int - Integrity of system data transferred internally
Attack-Countering Objectives
Integ_Sys_Data_Ext - Integrity of system data transferred externally
Attack-Countering Objectives
Secure_State - Protect and maintain secure system state
Attack-Countering Objectives
Integrity_Data_Rep - Integrity of system data replication
Attack-Countering Objectives
Correct_Operation - Verify correct operation as designed
Sys_Self_Protection - Protection of system security function
Select O.Audit_Account to provide detection after the attack with low effectiveness (since the back door might bypass the audit mechanism).
Supplement O.Audit_Account with O.Audit_Admin_Role to counter the case where the developer uses the back door to obtain administrative privilege.
Supplement O.Audit_Admin_Role with O.I&A_User to prevent unauthorized use of the audit-administration role.
---
Note that the included safeguards address the primary threat of placing the back door but do not counter the exploitation attacks that the back door would allow.
Attack-Countering Objectives
Audit_Account - Auditing for user accountability
Objective Application - Audit all external communication, especially that not explicitly associated with legitimate user activity.
Objective Rationale - [Detection of trapdoors after installation.]
Objectives: O.Audit_Account - in using this objective you would be concerned with the audit trail being accountable so if the developer got in you could discover the entry. This objective provides low effectiveness against this attack.
Audit_Admin_Role - Audit-administration role duties
Objective Rationale - [Detection of trapdoors after installation.] O.Audit_Admin_Role - this objective would be needed if the developer could get in as an administrator. This objective provides low effectiveness against this attack.
Code_Signing - Code signing and verification
Objective Rationale - [Deterrence from writing trapdoors.] Objectives: O.Code_Signing - this objective would potentially deter the developer as potential legal action could possibly hinge on verification of code from alteration after leaving developer site. (See the T.Repudiate_Send threat.)
I&A_User - Identify and authenticate each user
Source_Code_Exam - Examine the source code for developer flaws
Objective Application - Require a search of the source code for evidence of trap-door functionality.
Objective Rationale - [Detection of trapdoors before installation.] Objectives: O.Source_Code_Exam - this objective would capture the source code assurance examination to prove no trapdoor exists from vendor.
Attack-Countering Objectives
Crypto_Extern_Depend - Cryptographic external dependencies
Objective Application - This objective is not directly implemented and is best dealt with by applying relevant TOE crypto objectives to the environment.
---
Fault tolerance is much more difficult to achieve for a distributed system and requires other objectives to supplement the protection it provides. O.Fault_Tolerance has to be applied with the idea that transient component failures will occur during normal system operations.
Attack-Countering Objectives
Fault_Tolerance - Provide fault tolerant operations for critical components
Objective Application - Apply Fault_Tolerance to faults that sever communication between security-critical components of the distributed system.
X-Ray Application - Specify security-critical functions that are to prevail, specify severed communicaitons among security-critical components as failures that are to be tolerated.
Integrity_Data_Rep - Integrity of system data replication
Trusted_DS_Recov - Trusted distributed system recovery
Attack-Countering Objectives
Apply_Code_Fixes - Apply patches to fix the code
Audit_Deter_Misuse - Audit system access to deter misuse
Attack-Countering Objectives
Hack_Limit_Sessions - Limit sessions to outside users
Trusted_Path - Provide a trusted path
Apply O.Data_Imp_Exp_Control and/or O.Hack_Traffic_Control to detect attempts and prevent success. This approach is useful when there is a specific policy against various classes of communication.
Apply O.Hack_Limit_Sessions, O.Priority_Of_Service, and/or O.Resource_Quotas to limit the extent of an attack without necessarily detecting specific occurrences.
Attack-Countering Objectives
Audit_Generation - Audit records with identity
X-Ray Application - FAU_GEN.1:
Record actions likely to be result in overload of communication resources.
Objective Rationale - Audit data should be generated when a threat agent uses services in manner that causes multiple attempts to exceed resource quotas.
Data_Imp_Exp_Control - Data import/export to/from system control
Objective Application - For example, provide export of user data from the TOE with security attributes that limit the number of locations and specify which locations that the data can be sent to.
Objective Rationale - Allowing data to or from locations not specified by the organization's policy could put excessive strain on bandwidth of communication lines and cause legitimate data flows to be delayed or denied.
Hack_Limit_Sessions - Limit sessions to outside users
Hack_Traffic_Control - Control hacker communication traffic
Objective Rationale - O.Hack_Traffic_Control can be used to prevent communications overload by discarding the hacker traffic when a hacker causes overload on communication channels.
Priority_Of_Service - Provide priority of service
Objective Application - Heuristically give priority to those users that are least likely to cause a communications overload.
Resource_Quotas - Resource quotas for users and services
An example of this attack is when an outsider intercepts microwave transmissions or broadcast wireless transmissions using specialized devices.
Attack-Countering Objectives
Data_Exchange_Conf - Enforce data exchange confidentiality
Attack-Countering Objectives
Data_Exchange_Conf - Enforce data exchange confidentiality
When applied to communications lines, the effectiveness of these objectives will vary greatly as a function of both the sophistication of the attack and the capability to detect or resist those attacks, which depends on the physical properties of the communications lines. Complete, physical protection of external communications lines will be almost impossible to provide when the communications destination is a remote site. Some additional protection might be provided by a second party (e.g., the owners of the communications lines).
An example of this attack is when an outsider taps into either unprotected communications lines within the system enclave or into wide area communications lines that cannot be protected.
Choose O.Tamper_Resistance to prevent the attack.
Attack-Countering Objectives
Comm_Line_Protection - Physical protection of the communications line
Tamper_ID - Tamper detection
Objective Rationale - The effectiveness of this objective when applied to the communications lines will vary greatly as a function of both the sophistication of the attack as well as the capability to detect those attacks (which depends on the physical properties of the communications lines).
Complete, physical protection of external communications lines will be almost impossible to provide when the communications destination is a remote site. Some additional protection of this nature might be provided by a second party (e.g., the owners of the communications lines).
Tamper_Resistance - Tamper resistance
Attack-Countering Objectives
Encryption_Access - Protection of ciphertext
X-Ray Application - FDP_ACC.1:
Objective Rationale - O.Encryption_Access makes cryptoanalysis more difficult.
Encryption_Prohibit - Protection of corresponding plaintext-ciphertext pairs
Objective Rationale - O.Encryption_Prohibit prevents this specific attack.
Robust_Encryption - Robust encryption
Objective Rationale - O.Robust_Encryption makes cryptoanalysis more difficult.
Attack-Countering Objectives
Encryption_Access - Protection of ciphertext
Objective Rationale - O.Encryption_Access makes cryptoanalysis more difficult.
Encryption_Prohibit - Protection of corresponding plaintext-ciphertext pairs
Objective Rationale - O.Encryption_Prohibit prevents this specific attack.
Robust_Encryption - Robust encryption
Objective Rationale - O.Robust_Encryption makes cryptoanalysis more difficult.
Attack-Countering Objectives
Crypto_Data_Sep - Separation of cryptographic data
Encryption_Access - Protection of ciphertext
Objective Rationale - O.Encryption_Access prevents this specific attack.
Encryption_Prohibit - Protection of corresponding plaintext-ciphertext pairs
Objective Rationale - O.Encryption_Prohibit prevents this specific attack.
Robust_Encryption - Robust encryption
Objective Rationale - O.Robust_Encryption makes cryptoanalysis more difficult.
Attack-Countering Objectives
Encryption_Access - Protection of ciphertext
Robust_Encryption - Robust encryption
Attack-Countering Objectives
Encryption_Access - Protection of ciphertext
Objective Rationale - O.Encryption_Access makes cryptoanalysis more difficult.
Robust_Encryption - Robust encryption
Objective Rationale - O.Robust_Encryption makes cryptoanalysis more difficult.
Attack-Countering Objectives
Crypto_Import_Export - Cryptographic import, export, and inter-TSF transfer
Crypto_Manage_Roles - Management of cryptographic roles
Choose O.Trusted_Path to prevent the attack.
Attack-Countering Objectives
Audit_Gen_User - Individual accountability
Objective Rationale - O.Audit_Gen_User, User identity association is clearly necessary for user accountablility and is equally clearly violated by a successful session capture attack.
Trusted_Path - Provide a trusted path
Objective Rationale - O.Trusted_Path: masquerade threats are threats against the trusted path objective whose purpose is to ensure that I&A is done in a reliable way.
Attack-Countering Objectives
Audit_Gen_User - Individual accountability
Screen_Lock - User screen locking
Session_Termination - System terminates session for inactivity
Trusted_Path - Provide a trusted path
User_Guidance - User guidance documentation
X-Ray Application - AGD_USR.1:
Provide user guidance in order to reduce the risk of an active workstation being left unattended and to provide instructions for use of screen locking mechanisms.
Attack-Countering Objectives
Audit_Generation - Audit records with identity
User_Auth_Enhanced - Enhanced user authentication
User_Auth_Multiple - Require multiple authentication mechanisms
Objective Application - Specialize this objective so that a user must use several mechanisms together to gain access to critical resources.
This could be accomplished as a man-in-the-middle attack.
Attack-Countering Objectives
TSF_Rcv_Err_ID_Loc - Local detection of received security-critical data modified in transit
TSF_Rcv_Err_ID_Rem - Remote detection of received security-critical data modified in transit
TSF_Rcv_Err_Rcvr_Loc - Local correction of received security-critical data that is modified in transit
TSF_Rcv_Err_Rcvr_Rem - Remote correction of security-critical data that is received by the system and modified in transit
This could be accomplished as a man-in-the-middle attack.
Choose O.Rcv_MsgMod_Rcvr to detect, recover from, and minimize adverse consequences of the attack.
Attack-Countering Objectives
Rcv_MsgMod_ID - Identify message modification in messages received
Rcv_MsgMod_Rcvr - Recovery from modification of received messages
This could be accomplished as a man-in-the-middle attack.
Attack-Countering Objectives
TSF_Snd_Err_ID_Loc - Local detection of sent security-critical data modified in transit
TSF_Snd_Err_ID_Rem - Remote detection of sent security-critical data modified in transit.
TSF_Snd_Err_Rcvr_Loc - Local Correction of sent security-critical data modified in transit
TSF_Snd_Err_Rcvr_Rem - Remote correction of sent security-critical data modified in transit
This could be accomplished as a man-in-the-middle attack.
Choose O.Snt_MsgMod_Rcvr to support detection of, and recovery from the attack.
Attack-Countering Objectives
Snt_MsgMod_ID - Identify message modification in messages sent
Snt_MsgMod_Rcvr - Support recovery from modification of sent messages
Attack-Countering Objectives
InterferEman_Control - Emissions interference control
Choose O.IntelEman_Contain to prevent the attack via environmental requirements.
Choose O.EMSEC_Design as an alternative to O.IntelEman_Control.
Specialize these objectives in such a way that any intelligible emanations escaping from the TOE are sufficiently weak that they do not get past barriers in the environment, at least not with sufficient strength to be detected and interpreted.
Attack-Countering Objectives
EMSEC_Design - Provide physical emanations security
IntelEman_Contain - Emanations containment
IntelEman_Control - Emanations control
Choose O.Tamper_ID to detect the attack.
Attack-Countering Objectives
Tamper_ID - Tamper detection
Tamper_Resistance - Tamper resistance
Objective Application - It may be appropriate to zeroize cryptographic registers and partially encrypted data, in order to prevent adverse consequences of the attack.
Choose O.Tamper_Resistance to prevent the attack.
Attack-Countering Objectives
Tamper_ID - Tamper detection
Tamper_Resistance - Tamper resistance
Attack-Countering Objectives
Audit_Generation - Audit records with identity
Objective Application - Apply O.Audit_Generation to the collection of audit records that are likely to be associated with task overloading.
X-Ray Application - FAU_GEN.1:
Audit data should be generated when a threat agent uses services in manner that causes multiple attempts to exceed resource quotas.
Hack_Limit_Sessions - Limit sessions to outside users
Hack_Traffic_Control - Control hacker communication traffic
Priority_Of_Service - Provide priority of service
Objective Application - Heuristically give priority to those users that are least likely to cause task overloading.
React_Discovered_Atk - React to discovered attacks
Objective Application - Specialize O.React_Discovered_Atk to the reporting of task overload.
Resource_Quotas - Resource quotas for users and services
Attack-Countering Objectives
Limit_Mult_Sessions - Limit multiple sessions
User_Auth_Enhanced - Enhanced user authentication
Attack-Countering Objectives
Admin_Guidance - Administrator guidance documentation
X-Ray Application - ADG_ADM.1:
Address social engineering attacks.
Audit_Unusual_User - Audit unusual user activity
Identify_Unusual_Act - Identify unusual user activity
User_Guidance - User guidance documentation
X-Ray Application - ADG_USR.1:
Address social engineering attacks.
Attack-Countering Objectives
Trusted_Path - Provide a trusted path
User_Auth_Enhanced - Enhanced user authentication
O.Comm_Trusted_Channel assumes the remote system is trusted.
O.Repudiate_Send_Local assumes the remote system is trusted.
O.Security_Data_Ext assumes the remote system is trusted.
Attack-Countering Objectives
Comm_Trusted_Channel - Trusted channel to remote trusted system
Crypto_Comm_Channel - Encrypted communications channel
Objective Application - Require that any clear-text headers be duplicated inside the encryption "envelope".
Integrity_Attr_Exch - Correct attribute exchange with another trusted product
NonRepudiate_Sent - Non-repudiation for sent information
Attack-Countering Objectives
Audit_Generation - Audit records with identity
Objective Application - Specialize O.Audit_Generation to the collection of audit records that are likely to be associated with storage overloading.
X-Ray Application - FAU_GEN.1:
Audit data should be generated when a threat agent uses services in manner that causes multiple attempts to exceed resource quotas.
Guarantee_Audit_Stg - Guarantee the availability of audit storage space
Hack_Limit_Sessions - Limit sessions to outside users
Hack_Traffic_Control - Control hacker communication traffic
Manage_TSF_Data - Manage security-critical data to avoid storage space being exceeded
Priority_Of_Service - Provide priority of service
Resource_Quotas - Resource quotas for users and services
Attack-Countering Objectives
Fail_Secure - Preservation of secure state for failures in critical components
Objective Application - This objective prevents the loss of security protection by preserving the TOE's secure state in the presence of specific hardware failures.
X-Ray Application - FPT_FLS.1:
List the types of hardware failures for which the TOE guarantees it will "fail safe" (i.e., protect its secure state). The definition of secure state should capture critical aspects of the security design that could be violated as a result of the identified hardware failures.
Objective Rationale - The definition of a secure state may regard missing functionality or TOE inoperability as "secure," unless availability is a concern.
Fault_Tolerance - Provide fault tolerant operations for critical components
Objective Application - Both variants are capable of protecting security-relevant functionality and may address availability in the general sense. The [Resistant] variant provides more comprehensive protection.
Some hardware components are intrinsic to TSF enforcement, while others may affect TOE functional capabilities. Both examples should be considered when specializing the objective.
X-Ray Application - FRU_FLT.1:
Specify the relevant hardware components and list the associated failures to which each must be tolerant.
FRU_FLT.2:
List the associated failures to which all TOE hardware capabilities must be resistant.
Objective Rationale - Explain the identified hardware components and the failures to which they are tolerant and/or resistant, with regard to the nature of protection being provided. If the [Basic] variant is used, protection is provided by avoiding the consequences of the attack. If the [Resistant] variant is used, the attack is prevented for the specified cases.
Choose O.Code_Signing to deter the attack and facilitate detection.
Choose O.Input_Inspection to detect and prevent the attack before it can succeed.
Choose O.General_Integ_Checks to detect the attack after it has occurred.
Choose O.Clean_Obj_Recovery to recover from the attack after it has occurred.
Attack-Countering Objectives
Clean_Obj_Recovery - Object and data recovery free from malicious code
Code_Signing - Code signing and verification
General_Integ_Checks - Periodically check integrity
Input_Inspection - Require inspection for absence of malicious code.
Objective Application - Specify inspection for absence of malicious code.
Obj_Protection - Object domain protection
Remote_Execution - Disable remote execution
X-Ray Application - FDP_ACF.1:
Rules governing access: Limit ability to modify trusted objects to a trusted role
Choose O.Code_Signing and O.General_Integ_Checks to detect the attack.
Choose O.Isolate_Executables to limit results of the attack.
Choose O.Clean_Obj_Recovery to recover from the attack after it has occurred.
Attack-Countering Objectives
Admin_Code_Val - Administrative validation of executables
Clean_Obj_Recovery - Object and data recovery free from malicious code
Code_Signing - Code signing and verification
General_Integ_Checks - Periodically check integrity
I&A_User_Action - User-action identification and authentication
Isolate_Executables - Isolate untrusted executables
Objective Rationale - These controls offer the user protection against maliciously executed code: (a) by constraining those individuals that can execute code, and/or (b) by constraining what damage maliciously executed code may do to protected data.
Remote_Execution - Disable remote execution
Trusted_Path - Provide a trusted path
Trusted_Path&Channel - Trusted path and channel
Choose O.Input_Inspection and O.Obj_Protection to detect the attack before it can lead to harm.
Choose O.Clean_Obj_Recovery to recover from the attack after it has occurred.
Attack-Countering Objectives
Clean_Obj_Recovery - Object and data recovery free from malicious code
Code_Signing - Code signing and verification
General_Integ_Checks - Periodically check integrity
Input_Inspection - Require inspection for absence of malicious code.
Objective Application - Specify inspection for absence of malicious code.
Obj_Protection - Object domain protection
Choose O.Code_Signing and O.General_Integ_Checks to detect the attack.
Choose O.Isolate_Executables to limit results of the attack.
Choose O.Clean_Obj_Recovery to recover from the attack after it has occurred.
Attack-Countering Objectives
Admin_Code_Val - Administrative validation of executables
Clean_Obj_Recovery - Object and data recovery free from malicious code
Code_Signing - Code signing and verification
General_Integ_Checks - Periodically check integrity
I&A_User_Action - User-action identification and authentication
Isolate_Executables - Isolate untrusted executables
Choose O.Code_Signing to limit opportunities for the attack.
Choose O.Input_Inspection to detect and prevent the attack before it lead to damage.
Attack-Countering Objectives
Clean_Obj_Recovery - Object and data recovery free from malicious code
Code_Signing - Code signing and verification
Input_Inspection - Require inspection for absence of malicious code.
Obj_Protection - Object domain protection
Choose O.Code_Signing and O.General_Integ_Checks to detect the attack.
Choose O.Isolate_Executables to limit results of the attack.
Choose O.Clean_Obj_Recovery to recover from the attack after it has occurred.
Attack-Countering Objectives
Admin_Code_Val - Administrative validation of executables
Clean_Obj_Recovery - Object and data recovery free from malicious code
Code_Signing - Code signing and verification
General_Integ_Checks - Periodically check integrity
I&A_User_Action - User-action identification and authentication
Isolate_Executables - Isolate untrusted executables
Attack-Countering Objectives
Priority_Of_Service - Provide priority of service
Resource_Quotas - Resource quotas for users and services
---
For both alternatives, O.Trusted_Recovery provides the capability to recover from power failures and O.Atomic_Functions automatically recovers and prevents the loss of security protection.
Attack-Countering Objectives
Atomic_Functions - Complete security functions or recover to previous state
X-Ray Application - FPT_RCV.4:
Specify the applicable security functions for which the PP will provide protection, and specify failures resulting from disruption of the power supply.
Objective Rationale - If a power disruption or unintential system reset were to occur without the protection provided here, the contents of security attributes or other TSF-critical data could be corrupted.
This objective addresses environmental power disruptions and unintentional system resets by providing automatic recovery from those failures. This also prevents the loss of security protection by avoiding insecure states that could result from partially completed, security-critical operations.
Trusted_Recovery - Trusted recovery of security functionality
Objective Application - Any variant of this objective is applicable to this attack. Each variant addresses system recovery to a secure state and may prevent security violations that would result from operating the system in an insecure state.
X-Ray Application - FPT_RCV.1:
No operations.
FPT_RCV.2:
Specify failures that correspond to unexpected power disruption.
FPT_RCV.3:
Specify failures that correspond to unexpected power disruption.
Objective Rationale - The degree of functionality chosen should justify the claim that the effects of power disruptions to the TOE have been adequately addressed.
Attack-Countering Objectives
NonRepud_Locals_Rcvd - Non-repudiation for received information, local users
In the event that the nonrepudiation evidence is generated for a remote user or administrator, also choose objective O.NonRepud_Assess_Recd, allocating this objective to the environment.
Attack-Countering Objectives
NonRepud_Assess_Recd - Non-repudiation support for received information by a nonlocal sender's TSF
Objective Application - This objective is allocated to the environment and addresses the case where those who handle nonrepudiation evidence are not associated with the TOE (e.g., the remote sender or a remote third party). In the statement of the objective, these people are referred to as "remote".
NonRepud_Gen_Recd - Non-repudiation support for received information by the recipient's TSF
Objective Application - This objective is allocated to the TOE, since the receiving user is local. When applying this objective, the term "receiving user" is interpreted to be the local user of the TOE that is repudiating receipt of the message.
In the event that the nonrepudiation evidence is generated for a local user or administrator, also choose objective O.NonRepud_Assess_Recd, allocating this objective to the TOE.
Attack-Countering Objectives
NonRepud_Assess_Recd - Non-repudiation support for received information by a nonlocal sender's TSF
Objective Application - This objective is allocated to the TOE and addresses the case where those who handle nonrepudiation evidence are associated with the TOE (e.g., the local sender or a local third party). In the statement of the objective, however, these people are referred to as "remote".
NonRepud_Gen_Recd - Non-repudiation support for received information by the recipient's TSF
Objective Application - This objective is allocated to the environment, since the receiving user is remote. When applying this objective, the term "receiving user" is interpreted to be the user of a remote trusted system who is repudiating receipt of the message.
Attack-Countering Objectives
NonRepud_Locals_Sent - Non-repudiation for sent information, local users
In the event that the nonrepudiation evidence is generated for a remote user or administrator, also choose objective O.NonRepud_Assess_Sent, allocating this objective to the environment.
Attack-Countering Objectives
NonRepud_Assess_Sent - Non-repudiation support for sent information by the nonlocal receiving TSF.
Objective Application - This objective is allocated to the environment and addresses the case where those who handle nonrepudiation evidence are not associated with the TOE (e.g., the remote recipient or a remote third party). In the statement of the objective, these people are referred to as "remote".
NonRepud_Gen_Sent - Non-repudiation support for sent information by the sender's TSF.
Objective Application - This objective is allocated to the TOE, since the sending user is local. When applying this objective, the term "sending user" is interpreted to be a local user of the TOE that is repudiating sending of the message.
In the event that the nonrepudiation evidence is generated for the recipient or a local administrator, also choose objective O.NonRepud_Assess_Sent, allocating this objective to the TOE.
Attack-Countering Objectives
NonRepud_Assess_Sent - Non-repudiation support for sent information by the nonlocal receiving TSF.
Objective Application - This objective is allocated to the TOE and addresses the case where those who handle nonrepudiation evidence are associated with the TOE (e.g., the remote recipient or a remote third party). In the statement of the objective, these people are referred to as "remote" despite being "local" in the context of this attack.
NonRepud_Gen_Sent - Non-repudiation support for sent information by the sender's TSF.
Objective Application - This objective is allocated to the environment, since the sending user is remote. When applying this objective, the term "sending user" is interpreted to be a remote user in the TOE environment that is repudiating sending of the message.
Attack-Countering Objectives
I&A_Transaction - Transaction identification and authentication
NonRepud_Locals_Rcvd - Non-repudiation for received information, local users
NonRepud_Locals_Sent - Non-repudiation for sent information, local users
Choose O.I&A_Transaction. Choose the following objectives allocated to TOE or environment as indicated:
O.NonRepud_Gen_Recd allocated to the TOE
O.NonRepud_Gen_Sent allocated to the TOE
O.NonRepud_Assess_Recd allocated to the environment
O.NonRepud_Assess_Sent allocated to the environment.
Be careful to use consistent component applications (e.g., so that the same user or administrator is cognizant of all nonrepudiation evidence for events in a given transaction).
Attack-Countering Objectives
I&A_Transaction - Transaction identification and authentication
NonRepud_Assess_Recd - Non-repudiation support for received information by a nonlocal sender's TSF
Objective Application - This objective is allocated to the environment and addresses the likely case where those who handle nonrepudiation evidence are associated with the remote system/application defining the transaction. In this case, the sending "user" is the system or application that defines the transaction.
NonRepud_Assess_Sent - Non-repudiation support for sent information by the nonlocal receiving TSF.
Objective Application - This objective is allocated to the environment and addresses the likely case where those who handle nonrepudiation evidence are not associated with the TOE (e.g., the remote recipient or a remote third party). The remote recipient, in this case, is the remote system/application defining the transaction.
NonRepud_Gen_Recd - Non-repudiation support for received information by the recipient's TSF
Objective Application - This objective is allocated to the TOE, since the receiving user is local. In this case, the sending "user" is the system or application that defines the transaction.
NonRepud_Gen_Sent - Non-repudiation support for sent information by the sender's TSF.
Objective Application - This objective is allocated to the TOE, since the sending user is local. In this case, the recipient is the system/application that defines the transaction.
O.NonRepud_Gen_Recd allocated to the environment
O.NonRepud_Gen_Sent allocated to the environment
O.NonRepud_Assess_Recd allocated to the TOE
O.NonRepud_Assess_Sent allocated to the TOE
Be careful to use consistent component applications (e.g., so that the same user or administrator is cognizant of all nonrepudiation evidence for events in a given transaction).
Attack-Countering Objectives
I&A_Transaction - Transaction identification and authentication
NonRepud_Assess_Recd - Non-repudiation support for received information by a nonlocal sender's TSF
Objective Application - This objective is allocated to the TOE and addresses the likely case where those who handle nonrepudiation evidence are associated with the TOE (e.g., the local sender or a local third party).
NonRepud_Assess_Sent - Non-repudiation support for sent information by the nonlocal receiving TSF.
Objective Application - This objective is allocated to the TOE and addresses the case where those who handle nonrepudiation evidence are associated with the TOE (e.g., the remote recipient or a remote third party).
NonRepud_Gen_Recd - Non-repudiation support for received information by the recipient's TSF
Objective Application - This objective is allocated to the environment, since the receiving user is remote.
NonRepud_Gen_Sent - Non-repudiation support for sent information by the sender's TSF.
Objective Application - This objective is allocated to the environment, since the sending user is remote.
Attack-Countering Objectives
Fail_Secure - Preservation of secure state for failures in critical components
Objective Application - Specialize this objective to prevent the loss of security protection by preserving the TOE's secure state in the presence of specific software failures.
X-Ray Application - FPT_FLS.1:
List the types of software failures for which the TOE guarantees it will "fail safe" (i.e., protect its secure state). The definition of secure state should capture critical aspects of the security design that could be violated as a result of the identified software failures.
Objective Rationale - The definition of a secure state may regard missing functionality or TOE inoperability as "secure," unless availability is a concern.
Fault_Tolerance - Provide fault tolerant operations for critical components
Objective Application - Both variants are capable of protecting security-relevant functionality and may address availability in the general sense. The [Resistant] variant provides more comprehensive protection.
Some software components are intrinsic to TSF enforcement, while others may affect TOE functional capabilities. Both examples should be considered when specializing the objective.
X-Ray Application - FRU_FLT.1:
Specify the relevant software components and list the associated failures to which each must be tolerant.
FRU_FLT.2:
List the associated failures to which all TOE software capabilities must be resistant.
Objective Rationale - Explain the identified software components and the failures to which they are tolerant and/or resistant, with regard to the nature of protection being provided. If the [Basic] variant is used, protection is provided by avoiding the consequences of the attack. If the [Resistant] variant is used, the attack is prevented for the specified cases.
Attack-Countering Objectives
Crypto_Data_Sep - Separation of cryptographic data
Crypto_Dsgn_Impl - Cryptographic Design and Implementation
Crypto_Key_Man - Cryptographic Key Management
Crypto_Modular_Dsgn - Cryptographic Modular Design
Crypto_Operation - Cryptographic function definition
Crypto_Self_Test - Cryptographic self test
Crypto_Test_Reqs - Test cryptographic functionality
Fail_Secure - Preservation of secure state for failures in critical components
Objective Application - Preserve secure state in case of cryptographic failure. To do this, it may be necessary to zeroize all cryptographic registers that contain red keys or partially encrypted data.
Secure_State - Protect and maintain secure system state
Objective Application - Define secure state so as to facilitate detection of:
a) Any failure that may allow the TOE to output unencrypted cryptographic keys,
plaintext sensitive data, or other secret cryptographic security parameters;
b) Failure of a cryptographic function;
c) TOE physical tampering (including environmental failure).
To maintain a secure state, it may be necessary to halt cryptographic operations and related I/O activity. It may also require the zeroizing of critical registers and keys.
Choose O.User_Defined_AC and/or O.Info_Flow_Control to prevent the gathering of arbitrary user data.
Choose O.Data_Imp_Exp_Control to prevent the attack by restricting what can be written to removable media. Choose O.Admin_Guidance to support O.Data_Imp_Exp_Control.
Attack-Countering Objectives
Admin_Guidance - Administrator guidance documentation
X-Ray Application - AGD_ADM.1:
Provide the administrator with the guidacne need to restrict access to removable media devices.
Audit_Account - Auditing for user accountability
X-Ray Application - FAU_GEN.1:
Include in the list of auditable events writing to removable media.
Data_Export_Control - Control user data exportation
Objective Application - Choose the [Unmarked] variant of this objective.
X-Ray Application - FDP_ETC.1:
Include rules in the information flow control policy that exclude writing sensitive or proprietary information to removable media.
In a typical attack, the user embeds sensitive information in a digitally encoded picture or audio file, where the added bits do not significantly modify the perceived image or sound track.
Another example is to embed information in unused or under-populated fields in a message header.
Document processors provide still more examples by providing hidden fields that give information about the document processor's software license number, the document's author, or the identity of the computer being used. In particular, word processors are providing an increasing array of information-hiding techniques for their users to employ, including hidden comment tags, hidden text, autotext, conditional text, document variables, hidden macros, previous-version data, uncollected "garbage," and more.
This attack is traditionally considered to be deliberate, as good steganographic techniques are unlikely to be accidental. However, word processors are increasingly making accidental steganography easy, if not unavoidable.
Steganographic smuggling can be difficult to detect on the basis of direct evidence. Without knowing the decryption technique, it is usually not feasible to tell steganographicly encrypted data from unencrypted data. However, there are some defenses against it.
Attack-Countering Objectives
Admin_Code_Val - Administrative validation of executables
Admin_Code_Val_Sten - Software validation for absence of steganography
Export_Control - Sanitize data objects containing hidden or unused data
Standard_Output_Pres - Standard presentation of output values
To prevent this attack, choose the O.User_Defined_AC and O.Info_Flow_Control objectives.
Attack-Countering Objectives
Audit_Account - Auditing for user accountability
X-Ray Application - FAU_GEN.1:
Specify the generation of audit records that record user data-collection activities.
Info_Flow_Control - System enforced information flow
User_Defined_AC - User-defined access control
To prevent this attack, choose the O.Trusted_Path objective.
Attack-Countering Objectives
Access_History - Access history for user session
Trusted_Path - Provide a trusted path
To prevent this attack, choose the O.User_Defined_AC and O.Info_Flow_Control objectives.
Attack-Countering Objectives
Audit_Generation - Audit records with identity
Info_Flow_Control - System enforced information flow
User_Defined_AC - User-defined access control
Attack-Countering Objectives
Data_Exchange_Conf - Enforce data exchange confidentiality
Integ_User_Data_Int - Protect user data during internal transfer
Security_Roles - Security roles
X-Ray Application - FMT_SMR.1, FMT_SMR.2:
The authorised identified role: identified audit role.
Attack-Countering Objectives
No_Residual_Info - Eliminate residual information
See also attack DA.Hack_Comm_Overload
2. When a user has the ability to send data to inappropriate locations or to more locations than the organization's policy allows this objective should be considered.
3. When a hacker can flood the system (TOE) with illicit data, import control should be enforced.
Attack-Countering Objectives
Audit_Generation - Audit records with identity
X-Ray Application - FAU_GEN.1:
Record actions likely to result in overload of communication resources.
Objective Rationale - Audit data should be generated when a threat agent uses services in manner that causes multiple attempts to exceed resource quotas.
Data_Imp_Exp_Control - Data import/export to/from system control
Objective Application - A user could send and/or receive unauthorized information. Therefore limits should be placed on the types of acceptable information flows and the limits on information flows. This would reduce bandwidth utilization and enforce organizational policy.
Objective Rationale - Allowing data to or from locations not specified by the organization's policy could put excessive strain on bandwidth of communication lines and cause legitimate data flows to be delayed or denied.
Limit_Comm_Sessions - Limit the number of user initiated communication sessions
Priority_Of_Service - Provide priority of service
Resource_Quotas - Resource quotas for users and services
Attack-Countering Objectives
AC_Label_Export - Object security attributes and exportation
X-Ray Application - FDP_ACC.1: Choose SFPs dealing with information quality
Attack-Countering Objectives
AC_Label_Export - Object security attributes and exportation
Objective Application - Specify an access control or information flow policy in which data is labeled according to its confidentiality or secrecy.
Objective Rationale - Effectiveness depends on accuracy of stored security attributes, on user compliance with procedural constraints on the use of output devices, and on correct functioning of TSF access control mechanisms.
Attack-Countering Objectives
Crypto_AC - Cryptographic access control policy
Crypto_Key_Man - Cryptographic Key Management
I&A_Domain - Identify and authenticate a user to support accountability
Objective Application - Specify role-related user attributes to assist in controlling user access to cryptographic assets.
I&A_User_Action - User-action identification and authentication
Attack-Countering Objectives
User_Conf_Prevention - Basic confidentiality-breach prevention
Objective Rationale - This is essentially just Bell-LaPadula star and simple security, no bells or whistles.
User accidentally deletes data by striking the wrong key on the keyboard or by striking the enter key as an automatic response.
User does not understand the implications of the prompt at hand and inadvertently gives a response that deletes user data.
User misunderstands a system command and issues a command that unintentionally deletes user data.
Attack-Countering Objectives
Rollback - Rollback
User_Guidance - User guidance documentation
X-Ray Application - AGD_USR.1:
User documentation shall address user errors that lead to loss of data.
User accidentally modifies data attributes incorrectly by striking the wrong key on the keyboard or by striking the enter key as an automatic response and thus makes the data inaccessible.
User does not understand the implications of the prompt at hand and inadvertently gives a response that modifies data attributes incorrectly. The resulting attributes make the data inaccessible.
User misunderstands a system command and issues a command that unintentionally modifies data attributes incorrectly. The resulting attributes make the data inaccessible.
Attack-Countering Objectives
Security_Attr_Mgt - Manage security attributes
User_Guidance - User guidance documentation
X-Ray Application - AGD_USR.1:
User documentation shall address user errors that lead to inaccessibility of user data.
This attack may also cause integrity and confidentiality breaches:
The user may present incorrect information without warning the recipient that it may be incorrect, thereby causing the recipient to make unwarranted use of the information.
The user may present confidential or classified information without mentioning its sensitivity, thereby causing the authorized recipient to pass the information along to unauthorized recipients.
Attack-Countering Objectives
AC_Label_Export - Object security attributes and exportation
Attack-Countering Objectives
AC_Label_Export - Object security attributes and exportation
Obj_Attr_Integrity - Basic object attribute integrity
User accidentally sets initial data attributes incorrectly by striking the wrong key on the keyboard or by striking the enter key as an automatic response and thus makes the data inaccessible.
User does not understand the implications of the prompt at hand and inadvertently gives a response that sets initial data attributes incorrectly. The resulting attributes make the data inaccessible.
User misunderstands a system command and issues a command that unintentionally sets initial data attributes incorrectly. The resulting attributes make the data inaccessible.
Attack-Countering Objectives
Security_Attr_Mgt - Manage security attributes
User_Guidance - User guidance documentation
X-Ray Application - AGD_USR.1:
User documentation shall address user errors that lead to inaccessibility of user data.
Attack-Countering Objectives
Audit_Loss_Respond - Respond to possible loss of stored audit records
Guarantee_Audit_Stg - Guarantee the availability of audit storage space
Manage_TSF_Data - Manage security-critical data to avoid storage space being exceeded
A user frames another user by modifying audit data in such a way that it seems to prove misconduct on the part of the user being framed.
User sets audit attributes in such a way as to allow inadmissible activities to go unaudited.
To prevent this attack, consider O.Audit_Protect and O.Security_Roles.
Attack-Countering Objectives
Audit_Gen_User - Individual accountability
Audit_Generation - Audit records with identity
Audit_Protect - Protect stored audit records
Security_Roles - Security roles
X-Ray Application - FMT_SMR.1, FMT_SMR.2:
The authorised identified role: identified audit role.
To prevent this attack, consider O.Security_Data_Mgt objective applied to authentication data.
Attack-Countering Objectives
Audit_Account - Auditing for user accountability
X-Ray Application - FAU_GEN.1:
Specify auditing of changes to authentication data.
Security_Data_Mgt - Manage security-critical data
Objective Application - Choose the [Basic] variant of this objective.
X-Ray Application - FMT_MTD.1:
Ensure that authentication data is included in the list of TSF data and is protected from unauthorized modification.
To prevent this attack, consider the O.User_Defined_AC or O.Info_Flow_Control.
Attack-Countering Objectives
Audit_Generation - Audit records with identity
X-Ray Application - FAU_GEN.1:
Specify auditing of modifications to user data.
Info_Flow_Control - System enforced information flow
User_Defined_AC - User-defined access control
Choose O.User_Defined_AC or O.Info_Flow_Control, together with O.Maintain_Sec_Domain and O.Reference_Monitor to prevent this attack.
Choose O.Config_Management, O.Integ_Sys_Data_Int, and O.Integrity_Practice to recover from this attack.
Attack-Countering Objectives
Audit_Generation - Audit records with identity
Config_Management - Implement operational configuration management
General_Integ_Checks - Periodically check integrity
Info_Flow_Control - System enforced information flow
Integ_Sys_Data_Int - Integrity of system data transferred internally
Integrity_Practice - Operational integrity system function testing
Maintain_Sec_Domain - Maintain security domain
Reference_Monitor - Provide reference monitor
User_Defined_AC - User-defined access control
Choose O.Manage_Res_Sec_Attr if incorrect or missing security attributes can result in loss of object availability.
Choose O.Priority_of_Service if potential threat agents include legitimate users.
Attack-Countering Objectives
Manage_Res_Sec_Attr - Manage resource security attributes
Priority_Of_Service - Provide priority of service
Tamper_ID - Tamper detection
Tamper_Resistance - Tamper resistance
Choose O.Priority_Of_Service if non-priority services can use processor resources that critical services need.
Choose O.Resource_Quotas if particular services or applications the user starts should be given resource quotas to allow them to run as expected.
Choose O.Audit_Generation to detect the attack.
Attack-Countering Objectives
Audit_Generation - Audit records with identity
X-Ray Application - FAU_GEN.1:
Those events that are likely to be associated with task overloading.
Limit_Comm_Sessions - Limit the number of user initiated communication sessions
Priority_Of_Service - Provide priority of service
Objective Application - Heuristically give priority to those users that are least likely to cause task overloading.
Resource_Quotas - Resource quotas for users and services
Choose O.Integ_Data_Mark_Exp to prevent this attack.
Attack-Countering Objectives
Audit_Generation - Audit records with identity
X-Ray Application - FAU_GEN.1:
Specify auditing of exported data.
Integ_Data_Mark_Exp - Data marking integrity export
Objective Application - Specify labels that reflect data confidentiality or secrecy.
Attack-Countering Objectives
Audit_Generation - Audit records with identity
X-Ray Application - FAU_GEN.1:
Specify auditing of exported data.
Integ_Data_Mark_Exp - Data marking integrity export
Objective Application - Specify labels that reflect integrity of data or information content.
Attack-Countering Objectives
Audit_Generation - Audit records with identity
X-Ray Application - FAU_GEN.1:
Those events that are likely to be associated with storage overloading.
Objective Rationale - Audit data should be generated when a threat agent uses services in manner that causes multiple attempts to exceed resource quotas.
Limit_Comm_Sessions - Limit the number of user initiated communication sessions
Priority_Of_Service - Provide priority of service
Objective Application - Heuristically give priority to those users that are least likely to cause a storage overload.
Resource_Quotas - Resource quotas for users and services