AVA_MSU.3 Analysis and testing for insecure states
Objectives
The objective is to ensure that misleading, unreasonable and conflicting guidance is absent from the guidance documentation, and that secure procedures for all modes of operation have been addressed. Insecure states should be easy to detect. In this component, an analysis of the guidance documentation by the developer is required to provide additional assurance that the objective has been met, and this analysis is validated and confirmed through testing by the evaluator.
Application notes
In this component the evaluator is required to undertake testing to ensure that, if and when the TOE enters an insecure state, this can easily be detected. This testing may be considered a specific aspect of penetration testing.
Dependencies:
ADO_IGS.1 Installation, generation, and start-up procedures
ADV_FSP.1 Informal functional specification
AGD_ADM.1 Administrator guidance
AGD_USR.1 User guidance
Developer action elements:
AVA_MSU.3.1D The developer shall provide guidance documentation.
AVA_MSU.3.2D The developer shall document an analysis of the guidance documentation.
Content and presentation of evidence elements:
AVA_MSU.3.1C The guidance documentation shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences and implications for maintaining secure operation.
AVA_MSU.3.2C The guidance documentation shall be complete, clear, consistent and reasonable.
AVA_MSU.3.3C The guidance documentation shall list all assumptions about the intended environment.
AVA_MSU.3.4C The guidance documentation shall list all requirements for external security measures (including external procedural, physical and personnel controls).
AVA_MSU.3.5C The analysis documentation shall demonstrate that the guidance documentation is complete.
Evaluator action elements:
AVA_MSU.3.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AVA_MSU.3.2E The evaluator shall repeat all configuration and installation procedures, and other procedures selectively, to confirm that the TOE can be configured and used securely using only the supplied guidance documentation.
AVA_MSU.3.3E The evaluator shall determine that the use of the guidance documentation allows all insecure states to be detected.
AVA_MSU.3.4E The evaluator shall confirm that the analysis documentation shows that guidance is provided for secure operation in all modes of operation of the TOE.
AVA_MSU.3.5E The evaluator shall perform independent testing to determine that an administrator or user, with an understanding of the guidance documentation, would reasonably be able to determine if the TOE is configured and operating in a manner that is insecure.