TÜV Rheinland Nederland B.V.
Head office Apeldoorn:
Boogschutterstraat 11A
P.O. Box 541
7300 AM Apeldoorn
The Netherlands
Tel. +31 (0)88 888 7 888
Fax +31 (0)88 888 7 879
Location Apeldoorn:
Vissenstraat 6
P.O. Box 541
7300 AM Apeldoorn
The Netherlands
Tel. +31 (0)88 888 7 888
Fax +31 (0)88 888 7 879
Location Enschede:
Josink Esweg 10
P.O. Box 337
7500 AH Enschede
The Netherlands
Tel. +31 (0)88 888 7 888
Fax +31 (0)88 888 7 859
TÜV Rheinland Nederland B.V. is a
registered company with the
Amsterdam Chamber of Commerce
under number 27288788
info@nl.tuv.com
www.tuv.com/nl
Version
20101101
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
Certification Report
IAI/MLM Autonomous Air Combat Maneuvering
Instrumentation (AACMI) Trusted Data Guard (TDG) v1.0
Sponsor and developer: IAI/MLM
P.O. Box 45, Beer-Yaakov
70350
Israel
Evaluation facility: Brightsight
Delftechpark 1
2628 XJ Delft
The Netherlands
Report number: NSCIB-CC-12-36874-CR
Report version: 1
Project number: NSCIB-CC-12-36874
Authors(s): Denise Cater
Date: August 13, 2014
Number of pages: 14
Number of appendices: 0
Reproduction of this report is authorized provided the report is reproduced in its entirety.
Page: 3/14 of report number: NSCIB-CC-12-36874-CR, dated 13-08-2014
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
CONTENTS:
Foreword 4
Recognition of the certificate 5
1 Executive Summary 6
2 Certification Results 7
2.1 Identification of Target of Evaluation 7
2.2 Security Policy 7
2.3 Assumptions and Clarification of Scope 7
2.4 Architectural Information 9
2.5 Documentation 10
2.6 IT Product Testing 10
2.7 Evaluated Configuration 11
2.8 Results of the Evaluation 11
2.9 Evaluator Comments/Recommendations 12
3 Security Target 13
4 Definitions 13
5 Bibliography 14
Page: 4/14 of report number: NSCIB-CC-12-36874-CR, dated 13-08-2014
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
Foreword
The Netherlands Scheme for Certification in the Area of IT Security (NSCIB) provides a third-party
evaluation and certification service for determining the trustworthiness of Information Technology (IT)
security products. Under this NSCIB, TÜV Rheinland Nederland B.V. has the task of issuing
certificates for IT security products.
A part of the procedure is the technical examination (evaluation) of the product according to the
Common Criteria assessment guidelines published by the NSCIB. Evaluations are performed by an IT
Security Evaluation Facility (ITSEF) under the oversight of the NSCIB Certification Body, which is
operated by TÜV Rheinland Nederland B.V. in cooperation with the Ministry of the Interior and
Kingdom Relations.
An ITSEF in the Netherlands is a commercial facility that has been licensed by TÜV Rheinland
Nederland B.V. to perform Common Criteria evaluations; a significant requirement for such a license is
accreditation to the requirements of ISO Standard 17025, General requirements for the accreditation
of calibration and testing laboratories.
By awarding a Common Criteria certificate, TÜV Rheinland Nederland B.V. asserts that the product
complies with the security requirements specified in the associated security target. A security target is
a requirements specification document that defines the scope of the evaluation activities. The
consumer of certified IT products should review the security target, in addition to this certification
report, in order to gain an understanding of any assumptions made during the evaluation, the IT
product's intended environment, its security requirements, and the level of confidence (i.e., the
evaluation assurance level) that the product satisfies the security requirements.
Reproduction of this report is authorized provided the report is reproduced in its entirety.
Page: 5/14 of report number: NSCIB-CC-12-36874-CR, dated 13-08-2014
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
Recognition of the certificate
The Common Criteria Recognition Arrangement and SOG-IS logos are printed on the certificate to
indicate that this certificate is issued in accordance with the provisions of the CCRA and the SOG-IS
agreement
The CCRA has been signed by the Netherlands in May 2000 and provides mutual recognition of
certificates based on the CC evaluation assurance levels up to and including EAL4. The current list of
signatory nations and approved certification schemes can be found on:
http://www.commoncriteriaportal.org.
The European SOGIS-Mutual Recognition Agreement (SOGIS-MRA) version 3 effective from April
2010 provides mutual recognition of Common Criteria and ITSEC certificates at a basic evaluation
level for all products. A higher recognition level for evaluation levels beyond EAL4 (resp. E3-basic) is
provided for products related to specific technical domains. This agreement was initially signed by
Finland, France, Germany, The Netherlands, Norway, Spain, Sweden and the United Kingdom. Italy
joined the SOGIS-MRA in December 2010. The current list of signatory nations, approved certification
schemes and the list of technical domains for which the higher recognition applies can be found on:
http://www.sogisportal.eu.
Page: 6/14 of report number: NSCIB-CC-12-36874-CR, dated 13-08-2014
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
1 Executive Summary
This Certification Report states the outcome of the Common Criteria security evaluation of the
IAI/MLM Autonomous Air Combat Maneuvering Instrumentation (AACMI) Trusted Data Guard (TDG)
v1.0 (hereinafter referred to as “TDG v1.0”). The developer of the TDG v1.0 is IAI/MLM located in
Beer-Yaakov, Israel and they also act as the sponsor of the evaluation and certification. A Certification
Report is intended to assist prospective consumers when judging the suitability of the IT security
properties of the product for their particular requirements.
The IAI/MLM AACMI system is used for training fighter pilots. The IAI/MLM AACMI system consists of
a pod (referred to as ‘EHUD’) that is attached to a fighter aircraft to continuously record and broadcast
relevant training information such as position, speed, angle-of-attack, amount of weapons left, the
firing of simulated weapons, etc. The combination of the training information is then used to build and
maintain a coherent and realistic view of the current situation during the training flight.
The training information is recorded on a Removable Storage Media (RSM) or Simulation Platform
PCMCIA (SiPP) flash memory card and broadcast, via an unclassified AACMI RF Data Link network,
to other IAI/MLM AACMI-systems participants.
All the EHUD activities are managed and controlled by an on-board Data Processor (referred to as
‘IMM MK5’)
The information to be broadcasted via the AACMI RF Data Link can contain unauthorized information,
which would allow attackers to derive detailed weapons performance information. Also, residual
information left in the IMM MK5 memories after completing the exercise and shutdown pod power
might facilitate attackers to get said restricted information as well.
The TDG consists of two components in EHUD pod: the SDW (Security Double Wall) and IMM MK5
(Integrated Main Module).
The TOE has been evaluated by Brightsight B.V. located in Delft, The Netherlands and was completed
on 30 July 2014 with the delivery of the ETR. The certification procedure has been conducted in
accordance with the provisions of the Netherlands Scheme for Certification in the Area of IT Security
[NSCIB]. The certification was completed on 13 August 2014 with the preparation of this Certification
Report. It should be noted that the certification results only apply to the specific version of the product
as evaluated.
The scope of the evaluation is defined by the security target [ST], which identifies assumptions made
during the evaluation, the intended environment for the TDG v1.0, the security requirements, and the
level of confidence (evaluation assurance level) at which the product is intended to satisfy the security
requirements. Consumers of the TDG v1.0 are advised to verify that their own environment is
consistent with the security target, and to give due consideration to the comments, observations and
recommendations in this certification report.
The results documented in the evaluation technical report [ETR]
1
for this product provide sufficient
evidence that it meets the EAL4 augmented (EAL4+) assurance requirements for the evaluated
security functionality. This assurance level is augmented with ASE_TSS.2 (TOE summary
specification with architectural design summary).
The evaluation was conducted using the Common Methodology for Information Technology Security
Evaluation, Version 3.1 Revision 4 [CEM], for conformance to the Common Criteria for Information
Technology Security Evaluation, version 3.1 Revision 4 [CC].
TÜV Rheinland Nederland B.V., as the NSCIB Certification Body, declares that the TDG v1.0
evaluation meets all the conditions for international recognition of Common Criteria Certificates and
that the product will be listed on the NSCIB Certified Products list. It should be noted that the
certification results only apply to the specific version of the product as evaluated.
1
The Evaluation Technical Report contains information proprietary to the developer and/or the
evaluator, and is not releasable for public review.
Page: 7/14 of report number: NSCIB-CC-12-36874-CR, dated 13-08-2014
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
2 Certification Results
2.1 Identification of Target of Evaluation
The Target of Evaluation (TOE) for this evaluation is the TDG v1.0 from IAI/MLM located in Beer-
Yaakov, Israel.
The TOE is comprised of the following main components:
Delivery
item type
Identifier Part Number
2
Version
3
Security Double Wall B-18600-***-300000 N/A
Hardware
IMM MK5 B-18500-+++-300000 N/A
FTG software B-00707-500000 A
FTG firmware B-610-00197 #
Software
HTG firmware B-610-00198 #
To ensure secure usage a set of guidance documents is provided together with the TDG v1.0. Details
can be found in section 2.5 of this report.
2.2 Security Policy
The major security features provided by the TOE are:
Ø The TOE filters: the TOE ensures that the end user filtering policy, as depicted in a CAT table,
is followed: no unauthorized information is passed to the Transmitter;
Ø The TOE filters under failure: the TOE tests itself upon start-up and, when a failure is
detected, ensures that no unauthorized information is passed to the Transceiver. In addition,
when the TOE undergoes a single failure during operation, it ensures that still no unauthorized
information is passed to the Transmitter;
Ø The TOE is tamper-evident: if it has been physically tampered with, this will be detectable;
Ø The TOE clears residual information in its non-volatile memory upon power down.
Ø The SDW protects against writing to its non-volatile memory.
Ø The IMM MK5 protects against accidental writing to its volatile memory.
2.3 Assumptions and Clarification of Scope
As far as security is concerned, the TOE exists in four distinct security environments:
Ø The Flight Environment: the TOE is connected to an Aircraft;
Ø The O-Level Environment: the TOE is stored at an Airbase;
Ø The I-Level Environment: the TOE is at an Intermediate Repair Facility;
Ø The D-Level Environment: the TOE is at the Developer.
2
"***" means any 3 digits. This value reflects the embedded CAT table and non-security-relevant
hardware changes. "+++" means any 3 digits. This value reflects non-security-relevant hardware
changes
3
“#” means any digit. This value reflects the embedded CAT table (which itself is out of scope of the
evaluation)
Page: 8/14 of report number: NSCIB-CC-12-36874-CR, dated 13-08-2014
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
The normal transitions between these environments are provided in Figure 1. Each environment
contains its own threats, assumptions and organisational security policies (OSP). When transitioning
between the D-Level and I-Level environments (so the TOE is not contained within the Pod), the TOE
is transported in a tamper evident box.
Figure 1 Possible transitions between environments
2.3.1 Usage assumptions
The TOE is contained within the EHUD pod, which is a closed system requiring no user or
administrator interaction when installed in the Flight Environment.
For the other environments the following assumptions apply:
Ø The TOE assumes that in the O-Level environment, the Pod is never opened.
Ø The O-Level Staff will inspect (monitor) the Pod for failures, and if a failure is found the Pod is
transferred to the I-Level Environment.
Ø All TOEs brought into the I-Level Environment from the D-Level Environment will be inspected
by the I-Level Staff to determine whether physical tampering has occurred. If this has
occurred, the TOE will be handled according to the appropriate procedures.
Ø The TOE is normally never physically opened in the I-Level Environment. If TOEs are found to
be malfunctioning, the I-Level Staff will send the TOE to the D-Level Environment.
2.3.2 Environmental assumptions
The Flight Environment is the environment in which the TOE is operational. In this environment the
TOE is contained in a Pod, and the Pod is attached to the wing of an operational aircraft.
The O-Level Environment is typically an Airbase. In this environment the TOE is contained in a Pod,
and this Pod is stored on the Airbase.
The I-Level Environment is an Intermediate Repair Facility, which may be on the same location as the
O-Level environment (i.e. an Airbase).
When the TOE is broken, the I-level Environment can only replace the TOE in the Pod with a new
identical TOE: the TOE is never repaired in this environment. The I-Level Environment receives
broken-down Pods (containing the TOE) from the O-Level Environment. It then disassembles the Pod,
diagnoses the Pod, repairs/replaces faulty non-TOE parts or replaces the TOE and sends the Pod
back to the O-Level Environment. Any parts that were replaced are sent to the D-level Environment for
further repair or disposal.
D-Level
Environment
O-Level
Environment
I-Level
Environment
Flight
Environment
Pod
Pod
Pod
Pod
Pod /
Repaired TOE
(tamper box)
Pod /
Repaired TOE
(tamper box)
Page: 9/14 of report number: NSCIB-CC-12-36874-CR, dated 13-08-2014
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
The D-Level Environment is the environment of the Developer. It produces Pods (containing the TOE)
and sends these to the I-Level Environment. It also receives faulty parts (including TOEs) from the I-
Level Environment. It sends back repaired or new parts (including TOEs) to the I-Level Environment.
Furthermore, the following organisational security policies relate to the environment in which the TOE
shall be operated (for the detailed and precise definition of the organisational security policy refer to
the [ST], chapter 3):
Ø P.F.CORRECT_OUT detailing the TOE must not transmit data objects containing
unauthorised information to the transmitter while in the Flight environment, as defined in [ST]
section 3.2.2;
Ø P.O.INSPECT detailing the inspection of the POD for failures in the O-Level environment, as
defined in [ST] section 3.3.2;
Ø P.I.INSPECT, P.I.NO_OPEN and P.I.SEALED detailing the inspection of the POD for failures,
receiving the sealed POD and the policy to never open the POD in the I-Level environment, as
defined in [ST] section 3.2.2;
Ø There are no Organisation Security Policies for the D-Level environment.
2.3.3 Clarification of scope
The software and firmware of the IMM MK5 and the CAT table (embedded within the SDW firmware)
are not included in the scope of the TOE, as detailed in Section 2.4 of this report.
As detailed in section 2.3.2 of this report, there are a number of environmental assumptions and OSPs
that counter threats to the TOE. These items must be addressed in the operational environment in
order to ensure all threats to the TOE are countered, as the TOE does not provide complete defence
against physical attack. The two measurement layers that prevent modification of the TOE and/or POD
to bypass the filter are:
Ø Tamper seals on the casing of the TOE (FPT_PHP.1)
Ø Delivery to the I-Level Environment in a tamper evident box
Both measurement layers have been subject of penetration tests, as detailed in section 2.6.2 of this
report.
2.4 Architectural Information
The target of evaluation (TOE) Trusted Data Guard (TDG) consists of the following components:
Ø The SDW which receives ‘data objects’ from the IMM MK5 and ‘data objects’ from the
Receiver. The SDW contains two filters:
o Firmware Trusted Guard - removes unauthorized information according to the rules
defined in the CAT table.
o Hardware Trusted Guard - verifies whether the data received from FTG indeed does
not contain unauthorized information (according to the rules defined in the CAT table),
and if so forwards it as authorized data to the transmitter.
Ø The IMM MK5, the main Data Processor in EHUD pod: It contains Firmware (not part of the
TOE), Software (not part of the TOE) and an RWD:
o The RWD, a Residual (non-volatile) memory Write Disable mechanism in IMM MK5
prevents write access (unless a SUC is inserted) to the non-volatile storage of the
IMM MK5.
The exact rules to determine which information is unauthorized are defined in a classified customized
CAT table. The CAT is a Certified Allocation Table embedded in the firmware of the SDW and holds
patterns which identify certified data objects allowed to pass through to the transmitter. While the
SDW firmware is included in the TOE, the embedded CAT table is not part of the TOE. The CAT is
prepared together with the final user and provides a fast and modular way to configure the SDW
security filter and match it to the specific security requirements of the end user. Non-volatile memory
components in the IMM MK5 are protected against accidental writing by the Software. RWD is an
Page: 10/14 of report number: NSCIB-CC-12-36874-CR, dated 13-08-2014
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
electrical circuit that is intended to enable writing to some of the non-volatile memory of the IMM MK5
with the intention of software updates.
2.5 Documentation
The following documentation is provided with the product by the developer to the customer:
Identifier Part Number Version
[UG] User Guide B-00119-100000 Issue B
[TLTL] Tamper Label Track Log B-720-00125 Issue E
[HWDD] HW Design documentation for SDW FPGAs B-18617-300000 Issue C
2.6 IT Product Testing
Testing (depth, coverage, functional tests, independent testing): The evaluators examined the
developer’s testing activities documentation and verified that the developer has met their testing
responsibilities.
2.6.1 Testing approach and depth
The developer has performed testing at a TSFI and subsystem level. The developer has performed
manual testing of the IMM MK5 and extensive automated testing of the SDW.
The evaluators repeated all developer tests of the SDW. The evaluators performed 4 additional
functional tests of the SDW, tested the tamper seal on the TOE, and performed an analysis of the IMM
MK5 RWD circuitry against the schematics during a visit to the development site in Beer-Yaakov,
Israel.
2.6.2 Independent Penetration Testing
The evaluators performed penetration testing of the tamper seals on the TOE casings and penetration
testing of the tamper evident box in which the TOE is to be delivered.
2.6.3 Test Configuration
For functional testing, the TOE was installed according to the guidance and connected to the SDW
test tool (Tester) as shown below:
The SDW Tester Application runs on Windows XP SP3 and utilises a set of scripts for execution of the
test cases.
Page: 11/14 of report number: NSCIB-CC-12-36874-CR, dated 13-08-2014
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
In addition to the test configuration above, a Quartus II (Altera) tool is used to update the CAT table
prior to execution of the test cases.
All SDW test cases were executed on the above test configuration.
To perform penetration testing of the tamper seals the evaluators received the seals glued on the
TOE, as if they were delivered to a customer. For penetration testing of the tamper evident box the
actual box and lock was used, as will be used in delivery of the TOE to the customer.
2.6.4 Testing Results
The testing activities, including configurations, procedures, test cases, expected results and observed
results are summarised in the [ETR], with references to the documents containing the full details.
The developer’s tests and the independent functional tests produced the expected results, giving
assurance that the TOE behaves as specified in its ST and functional specification.
No exploitable vulnerabilities were found with the independent penetration tests.
2.7 Evaluated Configuration
The TOE is defined uniquely by its name and version number TDG v1.0. This can be verified by the
customer as detailed in [UG] section 8.5.
It should be noted that the part numbers for the hardware implicitly identify the versions of
software/firmware installed on the hardware.
2.8 Results of the Evaluation
The evaluation lab documented their evaluation results in the [ETR]
4
which references several
Intermediate Reports and other evaluator documents. The verdict of each claimed assurance
requirement is given in the following tables:
Development Pass
Security architecture ADV_ARC.1 Pass
Functional specification ADV_FSP.4 Pass
Implementation representation ADV_IMP.1 Pass
TOE design ADV_TDS.3 Pass
Guidance documents Pass
Operational user guidance AGD_OPE.1 Pass
Preparative procedures AGD_PRE.1 Pass
Life-cycle support Pass
Configuration Management capabilities ALC_CMC.4 Pass
Configuration Management scope ALC_CMS.4 Pass
Delivery ALC_DEL.1 Pass
Development security ALC_DVS.1 Pass
Life-cycle definition ALC_LCD.1 Pass
Tools and techniques ALC_TAT.1 Pass
4
The Evaluation Technical Report contains information proprietary to the developer and/or the
evaluator, and is not releasable for public review.
Page: 12/14 of report number: NSCIB-CC-12-36874-CR, dated 13-08-2014
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
Security Target Pass
Conformance claims ASE_CCL.1 Pass
Extended components definition ASE_ECD.1 Pass
ST introduction ASE_INT.1 Pass
Security objectives ASE_OBJ.2 Pass
Security requirements ASE_REQ.2 Pass
Security problem definition ASE_SPD.1 Pass
TOE summary specification ASE_TSS.2 Pass
Tests Pass
Coverage ATE_COV.2 Pass
Depth ATE_DPT.1 Pass
Functional tests ATE_FUN.1 Pass
Independent testing ATE_IND.2 Pass
Vulnerability assessment Pass
Vulnerability analysis AVA_VAN.3 Pass
Based on the above evaluation results the evaluation lab concluded the TDG v1.0, to be CC Part 2
conformant, CC Part 3 conformant, and to meet the requirements of EAL 4 augmented by
ASE_TSS.2. This implies that the product satisfies the security technical requirements specified in
Security Target for IAI/MLM Autonomous Air Combat Maneuvering Instrumentation (AACMI) Trusted
Data Guard (TDG) v1.0, Issue E.
2.9 Evaluator Comments/Recommendations
2.9.1 Obligations and hints for the developer
To remain within the scope of the certificate the developer must only apply the changes as described
in [SSR] and [FLASH]. This policy and procedure detail the limited (non-security-relevant) changes
that can be made to the hardware.
The CAT table is outside the scope of the evaluation and so can be updated as necessary. However,
no other firmware change is permissible in the evaluated version. No FTG software change is
permissible within the evaluated version.
2.9.2 Recommendations and hints for the customer
The User Guidance (as outlined in Section 2.5 of this report) contains necessary information about the
usage of the TOE. In particular the customer must ensure the environmental constraints, which
provide countermeasures against physical attacks, are implemented in the operational environments
to ensure the TOE is physically protected at all times. This guidance is documented in User Guide
([UG]) and Tamper Label Track Log ([TLTL]).
Customer must check the received TOE with tamper seals according to the user guidance, [UG].
The developer of the IMM MK5 software (assumed to be IAI/MLM) must apply the guidance provided
in HW Design documentation for SDW FPGAs ([HWDD])
Page: 13/14 of report number: NSCIB-CC-12-36874-CR, dated 13-08-2014
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
3 Security Target
The Security Target for IAI/MLM Autonomous Air Combat Maneuvering Instrumentation (AACMI)
Trusted Data Guard (TDG) v1.0, Issue E, 17 July 2014 [ST] is included here by reference.
4 Definitions
This list of Acronyms and the glossary of terms contains elements that are not already defined by the
CC or CEM:
AACMI Autonomous Air Combat Maneuvering Instrumentation
CAT Certified Allocation table
FTG Firmware Trusted Guard
HTG Hardware Trusted Guard
IAI Israel Aerospace Industries
IMM Integrated Main Module
IT Information Technology
ITSEF IT Security Evaluation Facility
MK5 Mark 5
MLM Subsidary company of IAI
NSCIB Nederlands Schema voor Certificatie op het gebied van IT-Beveiliging
PCMCIA Personal Computer Memory Card International Association
PP Protection Profile
RWD Residual (non volatile) memory Write Disable
RSM Removable Storage Media
SDW Security Double Wall
SiPP Simulation Platform PCMCIA
TDG Trusted Data Guard
TOE Target of Evaluation
TSFI TOE Security Functionality Interface
Page: 14/14 of report number: NSCIB-CC-12-36874-CR, dated 13-08-2014
®
TÜV,
TUEV
and
TUV
are
registered
trademarks.
Any
use
or
application
requires
prior
approval.
5 Bibliography
This section lists all referenced documentation used as source material in the compilation of this
report:
[CC] Common Criteria for Information Technology Security Evaluation, Parts I, II and III,
version 3.1, Revision 4, September 2012.
[CEM] Common Methodology for Information Technology Security Evaluation, version 3.1,
Revision 4, September 2012.
[ETR] Brightight, Evaluation Technical Report IAI/MLM Autonomous Air Combat
Maneuvering Instrumentation (AACMI) Trusted Data Guard (TDG) v1.0, EAL4+,
version 3.0, 30 July 2014.
[FLASH] Flash Management for TDG System, Rev. C
[HWDD] HW Design documentation for SDW FPGAs, B-18617-300000, Issue C
[NSCIB] Nederlands Schema for Certification in the Area of IT Security, Version 2.0, 1 July
2011.
[SSR] System Security Requirements for the SDW, Issue E
[ST] Security Target for IAI/MLM Autonomous Air Combat Maneuvering Instrumentation
(AACMI) Trusted Data Guard (TDG) v1.0, Issue E, 17 July 2014.
[TLTL] Tamper Label Track Log, B-720-00125, Issue E
[UG] User Guide, B-00119-100000, Issue B
(This is the end of this report).