|
|
|
|
Role of the Security Function Testing |
|
Aspects of the System Security Realization |
|
ATE_COV: The High Level (Security) Design |
|
ATE_DPT: The Low Level (Security) Design |
|
ATE_FUN: TSF Internals |
|
ATE_IND: The Implementation Representation |
|
Security Function Testing In EROS |
|
|
|
|
|
Show That TOE Functional Requirements Are
Satisfied |
|
Emphasis Is On Confirming That TOE Operates
According To Its Specification |
|
Positive testing to show presence of required
behaviors |
|
Negative testing to show absence of
prohibited behaviors |
|
Can be Applied Recursively to TOE Internal
Structure |
|
|
|
|
|
Penetration Testing Covered Under Vulnerability
Assessment Class |
|
Functional Testing Limitations |
|
Only shows behavior for tested configurations |
|
Cannot be exhaustive for complex systems |
|
Cannot show absence of unspecified functions |
|
Main Value of Functional Testing Is to Show That
There Is At Least One TOE Configuration That Meets ST SFRs |
|
|
|
|
|
Definition |
|
Aspects |
|
Components |
|
Evidence Of Coverage |
|
Analysis of Coverage |
|
Rigorous Analysis of Coverage |
|
|
|
|
|
Coverage Is A Measure Of The Extent To Which The
Test Cases Demonstrate That The Specified TSF Are Present And Operate As
Specified |
|
i.e., a measure of how many of the TSF
interfaces specified in the Functional Specification are actually exercised
by tests |
|
|
|
|
Correspondence |
|
Completeness |
|
|
|
|
Provide An Analysis that Shows or Demonstrates
Which TSF Interface(s) Each Test Is Exercising |
|
“Show” Only Requires An Assertion That A Test
Exercises An Interface |
|
“Demonstrate” Requires An Explanation Of How The
Test Exercises The Interface(s) |
|
|
|
|
|
Provide An Analysis That Demonstrates That The
Full Set Of Tests Exercises The Full Range Of TSF Interfaces |
|
Rigorous Demonstration Requires That It Be Shown
That The Testing Of Each Interface Be Complete (i.e., exhaustive) |
|
Potentially a flawed requirement, since it is
generally acknowledged that complex system interfaces cannot be
exhaustively tested |
|
|
|
|
“The developer shall provide evidence of the
test coverage.” |
|
“The evidence of the test coverage shall show
the correspondence between the tests identified in the test documentation
and the TSF as described in the functional specification.” |
|
|
|
|
The developer shall provide an analysis of the
test coverage. |
|
The analysis of the test coverage shall demonstrate
the correspondence between the tests identified in the test documentation
and the TSF as described in the functional specification. |
|
The analysis of the test coverage shall
demonstrate that the correspondence between the TSF as described in the
functional specification and the tests identified in the test documentation
is complete. |
|
|
|
|
The analysis of the test coverage shall
rigorously demonstrate that all external interfaces of the TSF identified
in the functional specification have been completely tested. |
|
|
|
|
|
Definition |
|
Aspects |
|
Components |
|
Testing: High-Level Design |
|
Testing: Low-Level Design |
|
Testing: Implementation Representation |
|
|
|
|
|
Depth Is The Level Of Detail To Which TSF Is
Tested |
|
Keyed to the ADV representations |
|
Objective Is To Catch Both Subtle Errors That
Are Only Visible At Internal Interfaces And Insertion Of Malicious Code |
|
|
|
|
|
Granularity Of Testing |
|
Essentially specifies the resolution of the
white/grey box testing that most be done |
|
|
|
|
The developer shall provide the analysis of the
depth of testing. |
|
The depth analysis shall demonstrate that the
tests identified in the test documentation are sufficient to demonstrate
that the TSF operates in accordance with its high-level design. |
|
|
|
|
The depth analysis shall demonstrate that the
tests identified in the test documentation are sufficient to demonstrate
that the TSF operates in accordance with its high-level design and
low-level design. |
|
|
|
|
The depth analysis shall demonstrate that the
tests identified in the test documentation are sufficient to demonstrate
that the TSF operates in accordance with its high-level design, low-level
design and implementation representation. |
|
|
|
|
|
Definition |
|
Aspects |
|
Components |
|
Functional Testing |
|
Ordered Functional Testing |
|
|
|
|
Functional Testing Is Performed By The Developer
To Establish That The TSF Exhibit The Properties Necessary To Satisfy The
Functional Requirements Of The PP/ST |
|
The Chosen ATE_COV and ATE_DPT Components Will
Determine The Amount Of Evidence Required By ATE_FUN |
|
|
|
|
Plans |
|
Procedures |
|
Expected Results |
|
Actual Results |
|
Ordering Dependencies |
|
|
|
|
|
Focus Of The Test Plans Is On The Security
Functions Being Tested |
|
Essentially rationalize each test |
|
The plan for each test describes its goal(s) in
terms of the security functions it will exercise |
|
|
|
|
|
The Focus Of The Test Procedures Is On The
Mechanics Of Executing The Tests |
|
Each Test Procedure Includes: |
|
Description of how to run the test |
|
Description of the system security state assumed
by the test |
|
Description of other tests that must be executed
first to bring system to the required security state (i.e., test ordering
dependencies) |
|
|
|
|
Actually An Aspect Of The Test Procedures That
Identifies The Output Predicted By The Specification From Which The Test Is
Derived |
|
|
|
|
The Log Of The Results Obtained When The
Developer Actually Runs The Test And A Demonstration That Those Results Are
Consistent With The Expected Results And Therefore With The Specified
Security Behavior Of The TSF |
|
|
|
|
An Analysis That Rationalizes The Test Ordering
Dependencies |
|
Is Useful In Determining Adequacy Of Testing,
Since It Might Allow Discovery Of Boundary Conditions That Can Be Concealed
By Careful Ordering Of The Tests |
|
|
|
|
The developer shall test the TSF and document
the results. |
|
The developer shall provide test documentation. |
|
The test documentation shall consist of test
plans, test procedure descriptions, expected test results and actual test
results. |
|
The test plans shall identify the security
functions to be tested and describe the goal of the tests to be performed. |
|
The test procedure descriptions shall identify
the tests to be performed and describe the scenarios for testing each
security function. These scenarios shall include any ordering dependencies
on the results of other tests. |
|
The expected test results shall show the
anticipated outputs from a successful execution of the tests. |
|
The test results from the developer execution of
the tests shall demonstrate that each tested security function behaved as
specified. |
|
|
|
|
The test documentation shall include an analysis
of the test procedure ordering dependencies. |
|
Notes