This section is intended for those who will be using both the knowledge base and the CC Toolbox. Section 5.1 explains how the CC Toolbox makes use of the knowledge base, and Section 5.2 shows how to port new versions of the knowledge base to the CC Toolbox.
This section is organized around the seven main tabs of the CC Toolbox interface, i.e., the Environment Interview, Context, Component Interview, Allocation, Elaboration, EAL, and Report tabs. However, the Elaboration and EAL tabs do not play a significant role in utilization of the knowledge base.
In addition to the main tabs, there is a pop-up tab for Objectives. In
any tab where an objective is listed, you may get this pop-up tab by double
clicking on an Objective (or by selecting the Objective, right clicking, and
selecting Show Detail).
In the Environment Interview, the knowledge base categories and the organization provided by the Prompts hierarchy (see Section 4.3) allow for efficiency in interviewing you about relevant environmental aspects. For example, if some threat agents are not a concern for a particular PP, a large number of threats involving those agents may be immediately skipped over.
Table 5-1 lists the panes of the Environment Interview tab and
shows which knowledge base tables and fields are displayed in
each pane.
Table 5-1. Origin of Environment Interview Data
Pane | Table(s) | Field(s) |
Prompt | Prompts | PromptString |
Answer Options | Prompts | AnswerList |
Detail / Identifier | Prompts | Environment statement identifier |
Detail / Descriptive Name, Detail / Description | Category or Environment table for selected answer from Prompts AnswerList | Descriptive Name, Description field |
Detail / Guidance: Selection Guidance, Implementation Guidance | Environment table for selected nontrivial answer | Selection Guidance, Coverage Rationale |
Detail / Objective List | Mapping table for selected environment statement, Objectives | Identifier key field, Descriptive name, Description field |
Unnamed Bottom Pane | Prompts | PromptStrings |
The information for this tab is taken primarily from environment-statement tables (see Sections 4.1.5, 4.1.6, 4.1.7) and from detail tables (see Sections 4.1.8, 4.1.9), with additional related information from Objectives (see Section 4.1.10) and other tables depending on what item is highlighted.
Table 5-2 treats the case where a general environment statement is highlighted. The additional information comes from the mapping queries that link the environment statement to Objectives (see Sections 4.2.10 and 4.2.11).
If an environment statement is selected, clicking on a "" icon in the Context tab changes the icon to "" and reveals those detailed statements that are linked to the environment statement by its mapping table (see Sections 4.2.5, 4.2.6). Table 5-3 treats the case where a detailed environment statement has then been selected.
Table 5-2. Origin of Context Data for a General Environment Statement
Pane | Tables or Queries | Field(s) |
Top left pane | Objectives | Identifier key field, Descriptive name |
Policies, Threats, Assumptions | General Policy Statements, General Threats, General Assumptions | Identifier key field, Descriptive name |
Above, with Filter 1 | Above restricted to PP-selected items amplified via the Attributes table | Identifier key field, Descriptive name |
Above, with Filter 2 | Above restricted to interview-selected items amplified via the Attributes table | Identifier key field, Descriptive name |
Policy, Threat, or Assumption Detail | Table associated with selected item | Identifier key field, Descriptive name, Description field |
Guidance / Selection Guidance | Table associated with selected item | Selection Guidance |
Guidance / Implementation Guidance | Table associated with selected item | Coverage Rationale |
Objective List | General Policy / Objective Mapping Query, | Objective key field, Descriptive name |
As explained in Sections 4.1.8 and 4.1.9, Detailed Attacks and Policies play a crucial role by supporting the security analyses used to justify knowledge base content. For the same reason, they play a major role in the CC Toolbox, both in selecting Objectives and in building Rationale. Table 5-3 shows how they relate to Objective selection. Section 5.1.7 explains how they are used in building the Rationale.
Table 5-3. Origin of Context Data for a Detailed Environment Example
Pane | Tables or Queries | Field(s) |
Top left pane | Objectives | Identifier key field, Descriptive name |
Top right pane | Detailed environment statement table | Identifier key field |
Select an Objective and a Detailed Example from the above two panes; in the upper right pane, right click on Objective Usage. Objective Application, Objective Component Application, Objective Application Rationale | Mappings from detailed statements to Objectives | Objective Application, X-Ray Component Application, Objective Application Rationale |
Lower left pane; Policies, Threats, Assumptions | Detailed environment statement table | Identifier key field, Descriptive name |
Lower right pane * Detail, * Example tabs | Table associated with selected item | Identifier key field, Descriptive name, Description field |
Lower right pane Guidance / Selection Guidance | Table associated with selected item | Selection Guidance |
Lower right pane Guidance / Implementation Guidance | Table associated with selected item | Safeguard Application, Countermeasure Application |
Lower right pane Objective List | Mappings from detailed statements to Objectives, Objectives | Objective key field, Descriptive name |
The Component Interview tab draws primarily on the Common Criteria for component names, but also makes use of the CC-Extending tables if available (see Section 4.5). In addition, this tab includes an Objectives pane that may contain information from the Objectives table (see Section 4.1.10).
Table 5-4. Origin of Component Interview Data
Pane | Tables or Queries | Field(s) |
Top left pane Prompt | CC-Extending tables (plus other CC Toolbox prompts) | Prompt for PP Report, Prompt for ST Report |
Bottom left pane Functional Components, Assurance Components | CC-Extending tables (plus CC Class, Family, and Component names) | Identifier key field, Descriptive Name, (Parent table field) |
Top right pane Elements | CC-Extending Elements (plus CC Element descriptions) | Element Identifier, Element Description, Containing Component |
Top right pane Dependencies | (Common Criteria) | (Not supported) |
Top right pane Mapped Objectives | Objectives | Identifier key field, Descriptive Name |
Select a Component, right click on Component Usage. Component Application | Objective/Component Mapping | Component Application |
This tab uses knowledge-base information in essentially the same way as the Component Interview tab.
The Allocation tab draws primarily on the Common Criteria for component names, but also makes use of the CC-Extending tables if available (see Section 4.5). In addition, this tab includes an Objectives pane that may contain information from the Objectives table (see Section 4.1.10), as well as a pop-up menu. The pop-up menu may provide component-usage information from the Objective/Component Mapping, Detailed Policy Statement/Objective Mapping, and Attack/Objective Mapping tables (see Sections 4.2.9, 4.2.8, and 4.2.7, respectively).
Table 5-5. Origin of Allocation Data
Pane | Tables or Queries | Field(s) |
Top left pane Security Objectives | Objectives | Identifier key field, Descriptive Name |
Top right pane TOE, Non-TOE sub-panes | CC Components, CC-Extending Components | Identifier key field |
Top right pane Elements | CC-Extending Elements (plus CC Element descriptions) | Element Identifier, Element Description, Containing Component |
Top right pane Dependencies | (Common Criteria) | (Not supported) |
Top right pane Mapped Objectives | Objectives | Identifier key field, Descriptive Name |
Select an Objective, select a Component, right click on Component Usage. Component Application, Component Application Rationale, Detailed stmt ID | Objective/CC Component Mapping, Mapping table linking detailed statement to Objectives | Component Application, Component Application Rationale |
The knowledge base does not play a significant role in the workings of the Elaboration tab. However, a Component Usage pop-up tab is available that provides information from the knowledge base:
Table 5-6. Component Usage data in the Elaboration tab
Pane | Tables or Queries | Field(s) |
Select a Component, right click on Component Usage. Objective ID, Detailed stmt ID | Objective/CC Component Mapping, Mapping table linking detailed statement to Objectives | Component Application, Component Application Rationale |
The knowledge base does not play a significant role in the workings of the EAL tab.
Information from all major knowledge-base tables turns up in the PP and ST reports, in the sections indicated in Table 5-7.
Table 5-7. Disposition of Knowledge-Base Data in PP Reports
PP Section | Tables or Queries | Field(s) |
1 - Introduction: The Knowledge Base does not contribute to this portion of the PP Report. | ||
2 - TOE Description: The CC Toolbox does not place knowledge base information here, but this may be the best place for some General Assumptions. | ||
3 - TOE Security Environment: The toolbox does not output category identifiers, names, or descriptions. However, some of this information may be useful for organizing the Environment section of a PP. | ||
3.1 - Secure Usage Assumptions | General Assumptions | Identifier key field, Descriptive Name, Description field |
3.2 - Threats to Security | General Threats. (In addition, some Detailed Attacks may be appropriate here.) | Identifier key field, Descriptive Name, Description field |
3.3 - Organisational Security Policies | General Policy Statements. (In addition, some Detailed Policy Statements may be appropriate here.) | Identifier key field, Descriptive Name, Description field |
4 - Security Objectives | ||
4.1 - Security Objectives for the TOE; 4.2 - Security Objectives for the Environment | Objectives | Identifier key field, Descriptive Name, Description field |
5 - IT Security Requirements | ||
5.1 - TOE Security Functional Requirements; 5.2 - TOE Security Assurance Requirements; 5.3 - Security Requirements for the IT Environment | (CC Components), CC-Extending Components | Identifier key field, Descriptive Name Identifier key field, |
5.4 - Security Requirements for the Non-IT Environment | Not used. However, some refinements of AGD_ADM and AGD_USR supplied by the knowledge base might be placed here. | |
6 - Rationale | ||
Table 6-1 Tracing of Security Objectives to the TOE Security Environment | Threat/Objective Mapping Query, | Source key field, Target key field |
6.2.1 - Policies: DP ID as Title, Safeguard Application, Objective ID as Title, Objective Application, Objective Component Application, Objective Application Rationale | General Policy Statements | Identifier key field, Descriptive Name, Description field |
| Detailed Policy Statements selected via the Detailed Policy Statement/Objective Mapping | Identifier key field, Descriptive Name, Description field, Safeguard Application field |
| Objectives | Identifier key field, Descriptive Name, Description field |
| Detailed Policy Statement/Objective Mapping | Objective Application, X-Ray Component Application, Objective Application Rationale |
6.2.2 - Threats: Attack ID as Title, Objective ID as Title, Objective Application, Objective Component Application, Objective Application Rationale | General threats | Identifier key field, Descriptive Name, Description field, Coverage rationale |
| Detailed Attacks selected via the Threat/Attack mapping | Identifier key field, Descriptive Name, Description field, Safeguard Application field |
| Supporting Objectives for each Attack | Identifier key field, Descriptive Name, Description field |
| Attack/Objective Mapping | Objective Application, X-Ray Component Application, Objective Application Rationale |
Table 6-2 Functional Component to Security Objective Mapping | Objective/Component Mapping | Source key field, Target key field |
6.3.1, 6.3.2 - * Security Requirements Rationale: Implementation Application, Component ID as Title, Component Application, Component Application Rationale | Objectives | Identifier key field, Descriptive Name, Description field, Implementation Application |
| Objective/Component Mapping, Related descriptive-name data | Target Identifier key field, Descriptive Name, Component Application, Component Application Rationale |
Table 6-4 Requirements to Objectives Mapping | Objective/Component Mapping, Related descriptive-name data | Source Identifier key field, Target Identifier key field |
6.6 - Rationale for Extensions | CC-Extending Components | Rationale |
In any tab where an objective is listed, you may get this pop-up tab by double clicking on an Objective (or by selecting the Objective, right clicking, and selecting Show Detail).
Table 5-8. Origin of Objective Pop-Up Data
Pane | Tables or Queries | Field(s) |
Objective Detail | Objectives | Identifier key field, Descriptive name, Description field |
Guidance tab | Objectives | Objective-Selection Guidance, Implementation Application |
Component List | Objective/Component Mapping, All Components Query | Identifier key field, Descriptive name |
Select a Component, right click on Component Usage. | Objective/Component Mapping | Component Application, Component Application Rationale |
Non IT | This tab is not used. Although the CC allows for non-IT requirements, we found it expedient to codify such requirements as refinements to documentation requirements, i.e., Components AGD_ADM.1 and AGD_USR.1. |
The knowledge base can be edited within the bounds specified in Sections 3 and 4 of this document and then used as a new source of domain knowledge for the CC ToolBox. Once the knowledge base has been edited, it is stored in a transitional format that the CC ToolBox cannot access directly and that must then be transformed into another format. The following sections describe all actions needed to transform the knowledge base into the appropriate format, first in a general way, then in terms of practical specifics.
Figure 5-1 indicates how to edit the knowledge base and make it accessible to the CC ToolBox. The action labeled Edit knowledge base represents interactions with the knowledge base that are required to create a new CC Profiling knowledge base for use with the CC ToolBox. Information needed to perform the Edit knowledge base action is given above in Sections 4 and 5.1. The resulting new knowledge base is depicted as the box labeled Knowledge base.
Figure 5-1: Knowledge Source Conversion
The Dump Tables action transfers the knowledge base elements and relationships among those elements from the Knowledge base to a new Knowledge Source file. This is a Java .properties file with the structure specified in Appendix A.5.4.
Once the Knowledge Source has been created in the form of a .properties file, you interact with another program to transform it into a format that is accessible to the CC ToolBox. This is represented in Figure 5-1 by the action Transform Source. The result of this action is a new file, CCToolboxSouce, which contains serialized objects for use by the CC ToolBox.
If you have version 1.0j of the knowledge base, the following steps will dump the knowledge base tables into a properties file:
Press the CC Toolbox button on the Main menu. The first time you do this, you may see a red message asking you to specify the actual path to the CC Toolbox,
Provide a name for your exported knowledge base, e.g., CC PKB Modified. The form will tell you whether the name is new. If it isn't, a View Properties File button allows you to display the existing properties file for the exported knowledge base.
Press the Create Properties File button and wait for the properties file to be produced.
Press the Generate PDE File button. The PDE Generator program will start and will display the names of all exported knowledge bases, including the one you just created.
Select the appropriate Knowledge Source file and click the OK button. The PDE Generator will perform the transformation and display the results in two windows using MS NotePad (unless the default text viewer has been changed). One window shows the output sent to the program's standard output channel and the other shows the output sent to its standard error channel.
Finally, if no errors are displayed, you can press the Run CC Toolbox button to run the CC Toolbox, and you will be able to select your new knowledge base.
If you do not have version 1.0j, go to the Modules tab of the main MS Access Database window, double click on the BuildPropertySheet module, and run the DumpTables procedure. We recommend giving the resulting file a unique name. You can do this before running the DumpTables procedure by changing the constant DumpFilePrefix$, which is defined near the top of the BuildPropertySheet module. If the knowledge base contains CC-Extending Components, you may set the ShowCCExtensions constant to True, in order to have them dumped and treated in the same way as ordinary CC Components. The ShowCCExtensions constant is also defined at the beginning of the BuildPropertySheet module.
Perform the Transform Source action as follows. Here CCTInstallDir is the main CC ToolBox installation directory, the folder in which the CC ToolBox and its various subdirectories are located. For example, if you installed the CC ToolBox in the folder D:\Programs\CCToolbox-V5, then CCTInstallDir is the folder D:\Programs\CCToolbox-V5.
The following section explains the set of possible errors that
may occur.
Table 5-7 explains the transformation errors that may appear in the standard error output display after step 5 of the above Transform Source action. The first column identifies the error label, the second column expands on the problem encountered in the Knowledge Source, and the third column states what action(s) to take to correct the error.
Table 5-7: Conversion Errors
Example Errors | Source Problem | Action |
Could Not Find [X000001.EffectList] | This key was not found in the file. | Add this key and its value. |
Did Find [O.Crypto_Extern_Depend.Components] | The key was found but there was no value following it. | Add the data if required. |
No Agent Created For [P.Accountability.Agent_Types]= | No threat agent was created because some of the required attributes were missing. | Add the required attribute. |
AnswerList too short [A000004.AnswerList]=[Yes] | There must be at least two values in AnswerList. | Typically Yes and No. |
Could Not Find [A.Forgot_To_Define] | All values for EffectList must be defined in this *-dk.properties file. | Define the missing category or remove it from the EffectList. |
List sizes don't match [A000005.AnswerList]=[Trusted, Hostile, Negligent] and [A000005.EffectList]=[A.Well_Behaved_Admin, A.Hostile_Sys_Admin, A.Negligent_Admin, A.Forgot_To_Define] | The number of comma-separated values in AnswerList must equal the number of comma-separated values in EffectList. | Adjust the lists to match sizes. |
Could Not Find [X000001.EffectList] | This EffectList key was not found in the file. | Add this key and its value. |
Could Not Find [O.Not_Defined] But It Is In [P.Authorities.Objectives] | All values for Objectives must be defined in this *-dk.properties file. | Define the missing objective or remove it from the Objectives. |
Could Not Find [DP.Not_Defined] But It Is In [P.Authorities.Examples] | All values for Examples must be defined in this *-dk.properties file. | Define the missing example or remove it from the Examples. |
Could Not Find [Not_Def.1] But It Is In [O.AC_Admin_Limit.Components] | All values for Components must be defined by the Common Criteria or in this *-dk.properties file. | Define the missing component or remove it from the Components. |
Could Not Find [F_Not_Def] but it is [F_PhysEnv_Cnf.Parent] | All values for Parent must be defined by the Common Criteria or in this *-dk.properties file. | Define the missing Parent. |
Never Used [A.Acc_Ovrwrit_SysData.Forces] | This property key and value was not used. | Could indicate a problem like a typographical error. |
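Several of the errors in the table above can be caught in the Knowledge Source file before the PDE Generator is started. The following Python linter is an added example, not part of the CC Toolbox or the PDE Generator. It assumes keys of the form `<identifier>.<attribute>` as seen in the error examples (the authoritative layout is in Appendix A.5.4), treats an identifier as defined when any key carries it as a prefix, and uses a hypothetical `.Name` attribute in its constructed sample.

```python
# Added example. Key layout "<identifier>.<attribute>" is inferred from the
# error examples in the table and is an assumption, not the A.5.4 format.

# Constructed sample; the ".Name" attribute is hypothetical.
SAMPLE = """\
A000004.AnswerList=Yes
A000004.EffectList=A.Well_Behaved_Admin
A000005.AnswerList=Trusted, Hostile, Negligent
A000005.EffectList=A.Well_Behaved_Admin, A.Hostile_Sys_Admin, A.Negligent_Admin, A.Forgot_To_Define
A.Well_Behaved_Admin.Name=Well-behaved administrator
A.Hostile_Sys_Admin.Name=Hostile administrator
A.Negligent_Admin.Name=Negligent administrator
P.Authorities.Name=Authorities
P.Authorities.Objectives=O.Not_Defined
P.Authorities.Examples=
"""

REFERENCE_ATTRS = ("EffectList", "Objectives", "Examples")


def parse_properties(text):
    """Parse simple key=value lines (no continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def lint(props):
    """Return (error label, key or identifier) pairs, labels as in the table."""
    # Assumption: an identifier is defined if some key is "<identifier>.<attr>".
    defined = {key.rpartition(".")[0] for key in props}
    findings = []
    for key, value in props.items():
        ident, _, attr = key.rpartition(".")
        items = split_list(value)
        if attr == "AnswerList":
            if len(items) < 2:
                findings.append(("AnswerList too short", key))
            effect_key = ident + ".EffectList"
            if effect_key not in props:
                findings.append(("Could Not Find", effect_key))
            elif len(split_list(props[effect_key])) != len(items):
                findings.append(("List sizes don't match", key))
        elif attr in REFERENCE_ATTRS:
            if not items:
                findings.append(("Did Find", key))  # key present, no value
            for ref in items:
                if ref not in defined:
                    findings.append(("Could Not Find", ref))
    return findings
```

Call `lint(parse_properties(text))` on the contents of the dumped file; Components and Parent references are not checked because they may be defined by the Common Criteria rather than in the file.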