Date: 04/04/2005
Subject: Must Test Setup And Cleanup Code Run Unprivileged?
CC Part #1 Reference:
CC Part #2 Reference: v2.2, CC Part 1, Section 1
CC Part #3 Reference:
CEM Reference: V2.2 Clauses 6.8.3, 7.9.4 and 8.9.4 (ATE_FUN.1)
Issue

Can functional tests written by the developer to satisfy ATE_FUN be privileged to circumvent TSF policy, as long as those privileges are disabled in the code fragments that actually perform the tests? The same question can be applied to FPT_TST.
Interpretation

It is acceptable for test setup and cleanup code to run privileged, as long as the developer can provide a convincing argument to the evaluation team that the actual test runs in a "normal" mode (i.e., a mode appropriate to the commands and functions being tested, which is consistent with the TSP). Evaluators should be able to request the implementation of the setup and takedown code so that they can verify the argument, and the setup should do the minimum functions necessary to establish the test conditions.
Specific Changes

The following paragraph will be added to the guidance for ATE_FUN.1-4, inserted after paragraphs 765, 1078 and 1511:

"The test documentation will identify any instances where privileged modes are used to set up test conditions/cleanup for further tests. The test documentation will describe why it was necessary to use privileged modes to obtain the necessary conditions (e.g. efficiency of the test harness, to generate specific objects required for a test that unprivileged users are unable to create) and also how the privileged modes are exited prior to the conduct of the test steps demonstrating the security functionality of the TOE. Therefore, although the test configuration may be inconsistent with the TOE as described in the ST during the establishment of the test conditions, the test documentation will describe how the configuration is returned to a state that is consistent with the configuration described in the ST for the conduct of the test steps."
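The pattern the Interpretation and the added ATE_FUN.1-4 guidance describe (privileged setup, a verified exit from privileged mode before the test steps, re-elevation only for cleanup, and a record the evaluators can inspect) can be made concrete in a small harness. The following is an added example, not part of this interpretation or of any evaluated TOE's test suite; it assumes a POSIX host, uses the process effective UID as the "privileged mode", and the user name `nobody`, the fixture file and the `run_test_case` function are all hypothetical choices made for illustration.

```python
"""Hypothetical test harness showing privileged setup/cleanup around
unprivileged test steps, with a per-phase record for the test documentation.
Not from any CC evaluation; assumes a POSIX host (os.geteuid/os.seteuid)."""
import os
import pwd
import tempfile
from dataclasses import dataclass, field
from typing import Callable, List, Optional

UNPRIVILEGED_USER = "nobody"  # assumption: an unprivileged account present on the host


@dataclass
class PhaseRecord:
    phase: str               # "setup", "test" or "cleanup"
    euid: int                # effective UID observed when the phase started
    justification: Optional[str] = None  # why privilege was needed (setup/cleanup only)


@dataclass
class TestEvidence:
    """The record an evaluator can ask for: which phases ran privileged and why."""
    name: str
    phases: List[PhaseRecord] = field(default_factory=list)

    def record(self, phase: str, justification: Optional[str] = None) -> None:
        self.phases.append(PhaseRecord(phase, os.geteuid(), justification))

    def test_steps_ran_unprivileged(self) -> bool:
        # The TSF-demonstrating steps must never have run with euid 0.
        return all(p.euid != 0 for p in self.phases if p.phase == "test")


def _unprivileged_uid() -> int:
    try:
        return pwd.getpwnam(UNPRIVILEGED_USER).pw_uid
    except KeyError:
        return 65534  # constructed fallback UID when the account is absent


def drop_privileges() -> None:
    """Exit privileged mode before the test steps. seteuid (not setuid) keeps the
    saved set-user-ID, so cleanup can re-elevate afterwards. Verified, not assumed."""
    if os.geteuid() == 0:
        os.seteuid(_unprivileged_uid())
    if os.geteuid() == 0:
        raise RuntimeError("still privileged immediately before the test steps")


def regain_privileges() -> None:
    """Re-enter privileged mode for cleanup only; a no-op when never privileged."""
    if os.getuid() == 0 and os.geteuid() != 0:
        os.seteuid(0)


def run_test_case(name: str, setup: Callable[[], None], test: Callable[[], None],
                  cleanup: Callable[[], None], justification: str) -> TestEvidence:
    """Run setup (may be privileged), then the test steps unprivileged, then cleanup."""
    evidence = TestEvidence(name)
    evidence.record("setup", justification)
    setup()
    drop_privileges()
    evidence.record("test")
    try:
        test()
    finally:
        regain_privileges()
        evidence.record("cleanup", justification)
        cleanup()
    return evidence


def demo() -> TestEvidence:
    """Constructed sample: setup creates a fixture file, the test steps check it
    while unprivileged, cleanup removes it."""
    state = {}

    def setup() -> None:
        fd, path = tempfile.mkstemp(prefix="toe-fixture-")
        os.write(fd, b"fixture")
        os.close(fd)
        state["path"] = path

    def test() -> None:
        assert os.geteuid() != 0, "test steps must run in normal mode"
        assert os.path.exists(state["path"])

    def cleanup() -> None:
        os.unlink(state["path"])

    return run_test_case("fixture-visible-to-normal-user", setup, test, cleanup,
                         "fixture object must be created by the harness before the test")


if __name__ == "__main__":
    ev = demo()
    for p in ev.phases:
        print(f"{p.phase:8} euid={p.euid} justification={p.justification}")
    print("test steps unprivileged:", ev.test_steps_ran_unprivileged())
```

Run as an ordinary user the harness never gains privilege and `drop_privileges` is a no-op that still verifies the condition; run as root, setup executes with euid 0, the test steps execute as the unprivileged account, and cleanup re-elevates. The `TestEvidence` record is the artefact the guidance asks the test documentation to contain: where privileged mode was used, why, and that it had been exited before the test steps.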
Rationale

This interpretation allows for test setup and cleanup code to run privileged, by requiring developers to provide convincing arguments to do so, and evidence to the evaluators to verify their arguments.