EAL – Evaluation assurance level

Evaluation Assurance Level, abbreviated EAL, is a scale of seven levels (EAL1 through EAL7) defined by the Common Criteria (CC) to express how rigorously a product's security claims have been evaluated. Certification at these levels is mostly required by government and military customers. Each level corresponds to a defined degree of confidence that the product's security functions are correctly implemented; a higher EAL means a deeper and more formal evaluation of the product as documented, not by itself a stronger set of security features.

In brief, the seven levels can be summarized in the following table:

EAL 0 – Inadequate Assurance. No evaluation performed; this is not one of the seven levels defined by the CC and appears here only as the baseline.

EAL 1 – Functionally Tested. Provides analysis of the security functions, using a functional and interface specification of the TOE (Target of Evaluation), to understand the security behaviour. The analysis is supported by independent testing of the security functions.

EAL 2 – Structurally Tested. Analysis of the security functions using a functional and interface specification and the high-level design of the subsystems of the TOE. Independent testing of the security functions, evidence of developer "black box" testing, and evidence of a developer search for obvious vulnerabilities.

EAL 3 – Methodically Tested and Checked. The analysis is supported by "grey box" testing, selective independent confirmation of the developer test results, and evidence of a developer search for obvious vulnerabilities. Development environment controls and TOE configuration management are also required.

EAL 4 – Methodically Designed, Tested and Reviewed. Analysis is supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for obvious vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.

EAL 5 – Semiformally Designed and Tested. Analysis includes all of the implementation. Assurance is supplemented by a formal model and a semiformal presentation of the functional specification and high-level design, and a semiformal demonstration of correspondence. The search for vulnerabilities must ensure relative resistance to penetration attack. Covert channel analysis and modular design are also required.

EAL 6 – Semiformally Verified Design and Tested. Analysis is supported by a modular and layered approach to design, and a structured presentation of the implementation. The independent search for vulnerabilities must ensure high resistance to penetration attack. The search for covert channels must be systematic. Development environment and configuration management controls are further strengthened.

EAL 7 – Formally Verified Design and Tested. The formal model is supplemented by a formal presentation of the functional specification and high-level design showing correspondence. Evidence of developer "white box" testing and complete independent confirmation of developer test results are required. Complexity of the design must be minimised.

You can read the full details of each level here: Evaluation assurance levels

You will also find more information on these sites: www.cesg.gov.uk | Common Criteria Assurance Levels | The National Information Assurance Partnership

The reason for this post was a news item reporting Red Hat's effort to obtain EAL 2 for its Red Hat Enterprise Linux product. You can see the original news here.

What seems interesting is that some versions of Windows have obtained EAL4, while Red Hat has only recently managed, with help from Oracle, to reach EAL 2. Is this something that can also be bought with money? Perhaps the more money is paid, the higher the security level obtained; consider this sentence:

Security is not a destination; it’s a way of travelling. It’s not a product; it’s a procedure.


Comments

2 responses to "EAL – Evaluation assurance level"

  1. The "interesting point" you wrote was not scientific at all! How much do you know about the CC standard, or ISO 15408?