In Part 1 of this series of articles, we discussed the Meltdown and Spectre flaws that impact, to varying extents, virtually every processor currently in use.  This article focuses on the way these flaws may impact Common Criteria (CC) evaluations.  We focus primarily on possible reactions from NIAP, but touch on other CC schemes as well.

Let’s start with the easy part.  From a security assurance perspective, these flaws represent new security-relevant vulnerabilities.  Period.

NIAP Policy Letter #17, Effects of Vulnerabilities in Evaluated Products, deals with the impact of known vulnerabilities on TOEs that are currently in evaluation as well as TOEs that have already been issued a certificate.  We do not yet know how NIAP will respond to news of these flaws.  However, the following extracts from Policy 17 provide insight into what their response may be:

PURPOSE:  Ensure products receiving a NIAP Common Criteria certificate do not contain known vulnerabilities.

BACKGROUND: A CC certificate carries with it an expectation of quality.  As such, consumers expect evaluated products do not contain known security-relevant vulnerabilities at the time the certificate was issued. Although it is not unusual for vulnerabilities to be discovered after a certificate has been issued, NIAP will not issue a certificate for a product with known security-relevant vulnerabilities.

POLICY:  This policy is applicable to products included on the NIAP Product Compliant List.  If a vulnerability is discovered before, during, or after an evaluation, NIAP may notify the company and require modifications in order for the Target of Evaluation (TOE) to remain on the Product Compliant List (PCL).

Based on this policy and the potential severity of the vulnerabilities, it is highly unlikely that NIAP will completely ignore these processor flaws.  Note that, in the extreme, the policy could result in existing evaluations not being issued a certificate, or even listings for existing certificates being removed from the PCL.

For some products, such as physical network devices/firewalls, the vendor may be able to argue that this known vulnerability can’t be exploited on their systems:

  • The TOE content is controlled by the vendor during development and when shipped from the factory.
  • Only trusted updates from the vendor may be applied in the field.
  • No general-purpose users gain shell-level access to the product (access that could potentially enable them to exploit these vulnerabilities in some ways).

The same argument probably applies for virtual network devices/firewalls since the collaborative Protection Profile for Network Devices (NDcPP) v2.0 states:

  • There is only one [virtual Network Device] vND instance for each physical hardware platform.
  • There are no other guest VMs on the physical platform providing non-network device functionality.

Printers complying with the Hard Copy Device (HCD) PP may fall into the same category as network devices, but that argument is not as clear.  Multiple users are supported.  Some printers support interactive sessions with users to query status, and all print jobs contain directives (e.g. Postscript, Printer Job Language) that cause the printer to perform actions.  NIAP may require fixes for the processor flaws to be applied.

Applications conforming to the Application Software PP do not include the hardware (including the processor) and operating system in the evaluation boundary.  Therefore, these processor flaws do not directly apply.  However, the flaws introduce new attack vectors against the applications.  Since the TOE must reference specific versions of the operating system on which the application runs, NIAP may require those references to be to operating system versions that have the applicable fixes applied.  That information could be supplied in the Security Target and/or guidance documentation.

The impact on other evaluations (not conforming to NIAP-approved PPs) is much more difficult to predict and could vary between the CC schemes.

Acumen will pass along additional information as it becomes available.  In the interim, please don’t hesitate to contact us for help with your specific product or to answer any questions you may have.