Objectives
The components in this family deal with the level of detail to which the TSF is tested. Testing of security functions is based upon increasing depth of information derived from analysis of the representations.
The objective is to counter the risk of missing an error in the development of the TOE. Additionally, the components of this family, especially as testing is more concerned with the internal structure of the TSF, are more likely to discover any malicious code that has been inserted.
Testing that exercises specific internal interfaces can provide assurance not only that the TSF exhibits the desired external security behaviour, but also that this behaviour stems from correctly operating internal mechanisms.
Component levelling
The components in this family are levelled on the basis of increasing detail provided in the TSF representations, from the high-level design to the implementation representation. This levelling reflects the TSF representations presented in the ADV class.
Application notes
The specific amount and type of documentation and evidence will, in general, be determined by the chosen component from ATE_FUN.
Testing at the level of the functional specification is addressed by ATE_COV.
The principle adopted within this family is that the level of testing be appropriate to the level of assurance being sought. Where higher components are applied, the test results will need to demonstrate that the implementation of the TSF is consistent with its design. For example, the high-level design should describe each of the subsystems and also describe the interfaces between these subsystems in sufficient detail. Evidence of testing must show that the internal interfaces between subsystems have been exercised. This may be achieved through testing via the external interfaces of the TSF, or by testing of the subsystem interfaces in isolation, perhaps employing a test harness.
In cases where some aspects of an internal interface cannot be tested via the external interfaces there should either be justification that these aspects need not be tested, or the internal interface needs to be tested directly. In the latter case the high-level design needs to be sufficiently detailed in order to facilitate direct testing.
The higher components in this family aim to check the correct operation of internal interfaces that become visible as the design becomes less abstract. When these components are applied it will be more difficult to provide adequate evidence of the depth of testing using the TSF's external interfaces alone, and modular testing will usually be necessary.
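The following is an added example, not part of the original text: a small traceability check that classifies each internal interface from a high-level design as exercised (via the external TSF interface or a test harness), failed, justified as not needing testing, or left as a gap. All interface names, test identifiers and the justification text are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Via(Enum):
    EXTERNAL = "through an external TSF interface"
    HARNESS = "directly, in isolation, with a test harness"

@dataclass(frozen=True)
class Evidence:
    test_id: str
    interface: str  # internal interface the test exercised
    via: Via
    passed: bool

def depth_analysis(interfaces, evidence, justifications):
    """Map test evidence onto the internal interfaces of the high-level design."""
    report = {}
    for name in interfaces:
        hits = [e for e in evidence if e.interface == name]
        passed = [e for e in hits if e.passed]
        if passed:
            report[name] = "exercised:" + "+".join(sorted({e.via.name for e in passed}))
        elif hits:
            report[name] = "failed"      # exercised, but no passing result
        elif justifications.get(name, "").strip():
            report[name] = "justified"   # rationale given for not testing
        else:
            report[name] = "gap"         # neither tested nor justified
    # Evidence naming an interface absent from the design means design and tests have drifted.
    unknown = sorted({e.interface for e in evidence} - set(interfaces))
    return report, unknown

# Constructed sample input (hypothetical subsystems: auth, keystore, ac, audit, crypto).
DESIGN = ["auth.keystore.get_key", "ac.audit.write_record",
          "keystore.crypto.zeroize", "auth.ac.session_attrs"]
EVIDENCE = [
    Evidence("T-01", "auth.keystore.get_key", Via.EXTERNAL, True),
    Evidence("T-02", "auth.keystore.get_key", Via.HARNESS, True),
    Evidence("T-03", "ac.audit.write_record", Via.HARNESS, False),
    Evidence("T-04", "auth.legacy.lookup", Via.EXTERNAL, True),
]
JUSTIFICATIONS = {"keystore.crypto.zeroize": "constructed rationale text"}

if __name__ == "__main__":
    report, unknown = depth_analysis(DESIGN, EVIDENCE, JUSTIFICATIONS)
    for name, status in report.items():
        print(f"{name:28} {status}")
    print("not in design:", unknown)
```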