|
4 | 4 | <PP xmlns="https://niap-ccevs.org/cc/v1" |
5 | 5 | xmlns:sec="https://niap-ccevs.org/cc/v1/section" |
6 | 6 | xmlns:h="http://www.w3.org/1999/xhtml" boilerplate="yes"> |
7 | | - <!-- <inline-comment color='green'>Initial PSD-AI Template on 5/8.</inline-comment> --> |
| 7 | + <!-- <inline-comment color='green'>Initial PSD-AO Template on 5/8.</inline-comment> --> |
8 | 8 | <!-- <inline-comment color='blue' linebreak='yes'> Hello World QQQQ </inline-comment> --> |
9 | 9 |
|
10 | 10 | <PPReference> |
|
143 | 143 | <cc-pp-conf/> |
144 | 144 | <cc-pp-config-with> |
145 | 145 | <PP-cc-ref>Protection Profile for Peripheral Sharing Device, Version 5.0</PP-cc-ref> |
146 | | - <Mod-cc-ref>PP-Module for Keyboard/Mouse Devices, Version 1.0</Mod-cc-ref> |
147 | | - <Mod-cc-ref>PP-Module for User Authentication Devices, Version 1.0</Mod-cc-ref> |
148 | | - <Mod-cc-ref>PP-MOdule for Video/Display Devices, Version 1.0</Mod-cc-ref> |
| 146 | + <Mod-cc-ref>PP-Module for Keyboard/Mouse Devices, Version 2.0</Mod-cc-ref> |
| 147 | + <Mod-cc-ref>PP-Module for User Authentication Devices, Version 2.0</Mod-cc-ref> |
| 148 | + <Mod-cc-ref>PP-MOdule for Video/Display Devices, Version 2.0</Mod-cc-ref> |
149 | 149 | </cc-pp-config-with> |
150 | 150 | <cc-pkg-claim/> |
151 | 151 | </CClaimsInfo> |
152 | 152 | </section> |
153 | 153 |
|
154 | 154 | <sec:spd title="Security Problem Description"> |
155 | | - <sec:Threats> |
156 | | - This PP‐Module describes the security problem in terms of the threats the TOE is expected to address, |
| 155 | + This PP‐Module describes the security problem in terms of the threats the TOE is expected to address, |
157 | 156 | assumptions about its operational environment, and any organizational security policies (OSPs) that the |
158 | 157 | TOE is expected to enforce.<h:br/><h:br/> |
159 | 158 | Note that as a PP‐Module of the PSD PP, all threats, assumptions, and Organizational Security Policies (OSP) |
160 | 159 | defined in the base PP will also apply to the TOE unless otherwise specified. |
| 160 | + <sec:Threats> |
161 | 161 | <threat name="T.AUDIO_REVERSED"> |
162 | | - <description>A malicious agent could repurpose an authorized audio output peripheral device by converting it to a |
| 162 | + <description>A malicious agent could re-purpose an authorized audio output peripheral device by converting it to a |
163 | 163 | low‐gain microphone to eavesdrop on the surrounding audio or transfer data across an air‐gap |
164 | 164 | through audio signaling.</description> |
165 | 165 | <consistency-rationale>The PSD PP does not identify any threats specific to analog audio output |
166 | 166 | peripheral devices. This threat is specific to analog audio output devices and |
167 | 167 | therefore is an additional threat to this module supplementing those in PSD |
168 | 168 | PP.</consistency-rationale> |
169 | | - <addressed-by>FDP_APC_EXT.1 (Modified)</addressed-by><rationale></rationale> |
170 | | - <addressed-by>FDP_AFL_EXT.1</addressed-by><rationale></rationale> |
171 | | - <addressed-by>FDP_UDF_EXT.1/AO</addressed-by><rationale></rationale> |
| 169 | + <addressed-by>FDP_APC_EXT.1 (Modified)</addressed-by><rationale>Mitigates this threat by |
| 170 | + ensuring no data or electrical signals can flow between connections and only user-selected |
| 171 | + interfaces can rout data.</rationale> |
| 172 | + <addressed-by>FDP_AFL_EXT.1</addressed-by><rationale>Mitigates this threat by ensuring |
| 173 | + outgoing audio signals are within the range of human hearing.</rationale> |
| 174 | + <addressed-by>FDP_UDF_EXT.1/AO</addressed-by><rationale>Mitigates this threat by ensuring |
| 175 | + output data transit unidirectionally between interfaces.</rationale> |
172 | 176 | </threat> |
173 | 177 |
|
174 | 178 | <threat name="T.DATA_LEAK"> |
175 | 179 | <from base="bpp-psd"/> |
176 | | - <addressed-by>FDP_APC_EXT.1 (Modified)</addressed-by><rationale></rationale> |
177 | | - <addressed-by>FDP_AFL_EXT.1</addressed-by><rationale></rationale> |
178 | | - <addressed-by>FDP_UDF_EXT.1/AO</addressed-by><rationale></rationale> |
| 180 | + <addressed-by>FDP_APC_EXT.1 (Modified)</addressed-by><rationale>Mitigates this threat by |
| 181 | + requiring restrictions on how data is routed between interfaces.</rationale> |
| 182 | + <addressed-by>FDP_PDC_EXT.1 (Modified)</addressed-by><rationale>Mitigates this threat by |
| 183 | + requiring connections to be only from an authorized list of peripheral devices.</rationale> |
| 184 | + <addressed-by>FDP_AFL_EXT.1</addressed-by><rationale>Mitigates this threat by ensuring |
| 185 | + signals are filtered within the range of human hearing.</rationale> |
| 186 | + <addressed-by>FDP_UDF_EXT.1/AO</addressed-by><rationale>Mitigates this threat by ensuring |
| 187 | + output data transit unidirectionally between interfaces.</rationale> |
179 | 188 | </threat> |
180 | 189 |
|
181 | | - <threat name="T.MICROPHONE_USE"> |
182 | | - <addressed-by>FDP_APC_EXT.1 (Modified)</addressed-by><rationale></rationale> |
183 | | - <addressed-by>FDP_AFL_EXT.1</addressed-by><rationale></rationale> |
184 | | - <addressed-by>FDP_UDF_EXT.1/AO</addressed-by><rationale></rationale> |
| 190 | + <threat name="T.MICROPHONE_USE"> |
| 191 | + <description>A malicious agent could use an unauthorized peripheral device such as a microphone, connected to |
| 192 | + the TOE audio out peripheral device interface to eavesdrop or transfer data across an air‐gap through |
| 193 | + audio signaling.</description> |
| 194 | + <consistency-rationale>The PSD PP does not identify any threats specific to analog audio output |
| 195 | + peripheral devices. This threat is specific to analog audio output devices and |
| 196 | + therefore is an additional threat to this module supplementing those in PSD |
| 197 | + PP.</consistency-rationale> |
| 198 | + <addressed-by>FDP_APC_EXT.1 (Modified)</addressed-by><rationale>Mitigates this threat by |
| 199 | + preventing data and electrical signals from flowing between connections.</rationale> |
| 200 | + <addressed-by>FDP_AFL_EXT.1</addressed-by><rationale>Mitigates this threat by ensuring |
| 201 | + outgoing signals are filtered to within the range of human hearing.</rationale> |
| 202 | + <addressed-by>FDP_PDC_EXT.2/AO</addressed-by><rationale>Mitigates this threat by only |
| 203 | + allowing authorized devices to connect upon power up and when a peripheral device is |
| 204 | + connected. |
| 205 | + </rationale> |
| 206 | + <addressed-by>FDP_UDF_EXT.1/AO</addressed-by><rationale>Mitigates this threat by ensuring |
| 207 | + output data transit unidirectionally between interfaces.</rationale> |
185 | 208 | </threat> |
186 | 209 |
|
187 | 210 | <threat name="T.SIGNAL_LEAK"> |
188 | 211 | <from base="bpp-psd"/> |
189 | | - <addressed-by>FDP_APC_EXT.1 (Modified)</addressed-by><rationale></rationale> |
190 | | - <addressed-by>FDP_AFL_EXT.1</addressed-by><rationale></rationale> |
191 | | - <addressed-by>FDP_UDF_EXT.1/AO</addressed-by><rationale></rationale> |
| 212 | + <addressed-by>FDP_APC_EXT.1 (Modified)</addressed-by><rationale>Mitigates this threat by |
| 213 | + requiring restrictions on how signals are routed between interfaces.</rationale> |
| 214 | + <addressed-by>FDP_PDC_EXT.1 (Modified)</addressed-by><rationale>Mitigates this threat by |
| 215 | + requiring connections to be only from an authorized list of peripheral devices.</rationale> |
| 216 | + <addressed-by>FDP_AFL_EXT.1</addressed-by><rationale>Mitigates this threat by ensuring |
| 217 | + signals are filtered within the range of human hearing.</rationale> |
| 218 | + <addressed-by>FDP_UDF_EXT.1/AO</addressed-by><rationale>Mitigates this threat by ensuring |
| 219 | + signals transit unidirectionally between interfaces.</rationale> |
192 | 220 | </threat> |
193 | 221 |
|
194 | 222 | </sec:Threats> |
|
0 commit comments