Final Interpretation for RI # 243 - Must Test Setup And Cleanup Code Run Unprivileged?




Must Test Setup And Cleanup Code Run Unprivileged?

CC Part #1 Reference:


CC Part #2 Reference:

v2.2, CC Part 1, Section 1

CC Part #3 Reference:


CEM Reference:

V2.2 Clauses 6.8.3, 7.9.4 and 8.9.4 (ATE_FUN.1)



Can functional tests written by the developer to satisfy ATE_FUN be privileged to circumvent TSF policy, as long as those privileges are disabled in the code fragments that actually performs the tests? The same question can be applied to FPT_TST.


It is acceptable for test setup and cleanup code to run privileged, as long as the developer can provide a convincing argument to the evaluation team that the actual test runs in a "normal" mode (i.e., a mode appropriate to the commands and functions being tested, which is consistent with the TSP). Evaluators should be able to request the implementation of the setup and takedown code so that they can verify the argument, and the setup should do the minimum functions necessary to establish the test conditions.

Specific Changes

The following paragraph will be added to the guidance for ATE_FUN.1-4, inserted after paragraphs 765, 1078 and 1511:

“The test documentation will identify any instances where privileged modes are used to set up test conditions/cleanup for further tests.  The test documentation will describe why it was necessary to use privileged modes to obtain the necessary conditions (e.g. efficiency of the test harness, to generate specific objects required for a test that unprivileged users are unable to create) and also how the privileged modes are exited prior to the conduct of the test steps demonstrating the security functionality of the TOE.  Therefore, although the test configuration may be inconsistent with the TOE as described in the ST during the establishment of the test conditions the test documentation will describe how the configuration is returned to a state that is consistent with the configuration described in the ST for the conduct of the test steps.”


This interpretation allows for test setup and cleanup code to run privileged, by requiring developers to provide convincing arguments to do so, and evidence to the evaluators to verify their arguments.