"Rainbow Series" books: A Guide to Understanding Security Testing and Test Documentation in Trusted Systems (English table of contents)

A Guide to Understanding Security Testing and Test Documentation in Trusted Systems

TABLE OF CONTENTS
FOREWORD
ACKNOWLEDGMENTS
1. INTRODUCTION
1.1 PURPOSE
1.2 SCOPE
1.3 CONTROL OBJECTIVES
2. SECURITY TESTING OVERVIEW
2.1 OBJECTIVES
2.2 PURPOSE
2.3 PROCESS
2.3.1 System Analysis
2.3.2 Functional Testing
2.3.3 Security Testing
2.4 SUPPORTING DOCUMENTATION
2.5 TEST TEAM COMPOSITION
2.6 TEST SITE
3. SECURITY TESTING - APPROACHES, DOCUMENTATION, AND EXAMPLES
3.1 TESTING PHILOSOPHY
3.2 TEST AUTOMATION
3.3 TESTING APPROACHES
3.3.1 Monolithic (Black-Box) Testing
3.3.2 Functional-Synthesis (White-Box) Testing
3.3.3 Gray-Box Testing
3.4 RELATIONSHIP WITH THE TCSEC SECURITY TESTING REQUIREMENTS
3.5 SECURITY TEST DOCUMENTATION
3.5.1 Overview
3.5.2 Test Plan
3.5.2.1 Test Conditions
3.5.2.2 Test Data
3.5.2.3 Coverage Analysis
3.5.3 Test Procedures
3.5.4 Test Programs
3.5.5 Test Log
3.5.6 Test Report
3.6 SECURITY TESTING OF PROCESSORS' HARDWARE/FIRMWARE PROTECTION MECHANISMS
3.6.1 The Need for Hardware/Firmware Security Testing
3.6.2 Explicit TCSEC Requirements for Hardware Security Testing
3.6.3 Hardware Security Testing vs. System Integrity Testing
3.6.4 Goals, Philosophy, and Approaches to Hardware Security Testing
3.6.5 Test Conditions, Data, and Coverage Analysis for Hardware Security Testing
3.6.5.1 Test Conditions for Isolation and Noncircumventability Testing
3.6.5.2 Test Conditions for Policy-Relevant Processor Instructions
3.6.5.3 Test Conditions for Generic Security Flaws
3.6.6 Relationship between Hardware/Firmware Security Testing and the TCSEC Requirements
3.7 TEST PLAN EXAMPLES
3.7.1 Example of a Test Plan for "Access"
3.7.1.1 Test Conditions for Mandatory Access Control of "Access"
3.7.1.2 Test Data for MAC Tests
3.7.1.3 Coverage Analysis
3.7.2 Example of a Test Plan for "Open"
3.7.2.1 Test Conditions for "Open"
3.7.2.2 Test Data for the Access Graph Dependency Condition
3.7.2.3 Coverage Analysis
3.7.3 Examples of a Test Plan for "Read"
3.7.3.1 Test Conditions for "Read"
3.7.3.2 Test Data for the Access-Check Dependency Condition
3.7.3.3 Coverage Analysis
3.7.4 Examples of Kernel Isolation Test Plans
3.7.4.1 Test Conditions
3.7.4.2 Test Data
3.7.4.3 Coverage Analysis
3.7.5 Examples of Reduction of Cyclic Test Dependencies
3.7.6 Example of Test Plans for Hardware/Firmware Security Testing
3.7.6.1 Test Conditions for the Ring Crossing Mechanism
3.7.6.2 Test Data
3.7.6.3 Coverage Analysis
3.7.7 Relationship with the TCSEC Requirements
4. COVERT CHANNEL TESTING
4.1 COVERT CHANNEL TEST PLANS
4.2 AN EXAMPLE OF A COVERT CHANNEL TEST PLAN
4.2.1 Test Plan for the Upgraded Directory Channel
4.2.1.1 Test Condition
4.2.1.2 Test Data
4.2.1.3 Coverage Analysis
4.2.2 Test Programs
4.2.3 Test Results
4.3 RELATIONSHIP WITH THE TCSEC REQUIREMENTS
5. DOCUMENTATION OF SPECIFICATION-TO-CODE CORRESPONDENCE
APPENDIX
1 Specification-to-Code Correspondence
2 Informal Methods for Specification-to-Code Correspondence
3 An Example of Specification-to-Code Correspondence
GLOSSARY
REFERENCES

 

 
©2003 华安信达 (China CISSP) Computer System Security Consulting Network