122-B
UK IT SECURITY EVALUATION AND
CERTIFICATION SCHEME
COMMON CRITERIA CERTIFICATION REPORT No. P222
Oracle Label Security for Oracle Database 10g Enterprise Edition
Release 1 (10.1.0.4)
with Critical Patch Update - July 2005
running on specifiedplatforms
Issue 1.0
November 2005
© Crown Copyright 2005
Reproduction is authorised provided the report
is copied in its entirety
UK IT Security Evaluation and Certification Scheme,Certification Body,
CESG,Hubble Road, Cheltenham GL51 0EX
United Kingdom
EAL4 OLS for Oracle Database 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Page ii Issue 1.0 November2005
ARRANGEMENT ON THE
RECOGNITION OF COMMON CRITERIA CERTIFICATES
IN THE FIELD OF INFORMATION TECHNOLOGY SECURITY
The Certification Body of the UK IT Security Evaluation and Certification Scheme is a member of
the above Arrangement and as such this confirms that the Common Criteria certificate has been
issued by or under the authority of a Party to this Arrangement and is the Party’s claim that the
certificate has been issued in accordance with the terms of this Arrangement.
The judgements contained in the certificate and Certification Report are those of the Qualified
Certification Body which issued it and of the Evaluation Facility which carried out the evaluation.
There is no implication of acceptance by other Members of the Agreement Group of liability in
respect of those judgements or for loss sustained as a result of reliance placed upon those
judgements by a third party.
Trademarks:
All product and company names are used for identification purposes only and may be trademarks of their owners.
OLS for Oracle Database 10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
November2005 Issue 1.0 Page iii
CERTIFICATION STATEMENT
Oracle Label Security (OLS) is a security option for Oracle Database 10g Enterprise Edition.
Both products were developed by Oracle Corporation.
Oracle Database 10g Enterprise Edition is an object-relational database management system.
OLS enables application developers to add label-based access control to their Oracle 10g
applications, in addition to the discretionary access control provided by Oracle Database 10g
Enterprise Edition.
OLS Release 1 (10.1.0.4), used with Oracle Database 10g Enterprise Edition Release 1
(10.1.0.4) with Critical Patch Update - July 2005, has been evaluated under the terms of the UK
IT Security Evaluation and Certification Scheme and has met the CC Part 3 augmented
requirements of Evaluation Assurance Level EAL4 (i.e. augmented by ALC_FLR.3) for the
specified CC Part 2 conformant functionality in the specified environment when running on the
platforms specified in Annex A.
OLS Release 1 (10.1.0.4), used with Oracle Database 10g Enterprise Edition Release 1
(10.1.0.4) with Critical Patch Update - July 2005, was evaluated on Red Hat Enterprise Linux
AS Version 3 Update 2, which has previously been certified to EAL3 augmented by
ALC_FLR.3.
When running on the operating system platform specified in Annex A, OLS Release 1
(10.1.0.4), used with Oracle Database 10g Enterprise Edition Release 1 (10.1.0.4) with Critical
Patch Update - July 2005, conforms to the CC Database Management System Protection Profile
with the Database Authentication functional package.
Originator CESG
Certifier
Approval and
Authorisation
CESG
Technical Manager of the
Certification Body
Date authorised 25 November 2005
EAL4 OLS for Oracle Database 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Page iv Issue 1.0 November2005
(This page is intentionally left blank)
OLS for Oracle Database 10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
November2005 Issue 1.0 Page v
TABLE OF CONTENTS
CERTIFICATION STATEMENT.............................................................................................iii
TABLE OF CONTENTS..............................................................................................................v
ABBREVIATIONS.....................................................................................................................vii
REFERENCES.............................................................................................................................ix
I. EXECUTIVE SUMMARY.................................................................................................1
Introduction............................................................................................................................1
Evaluated Product..................................................................................................................1
TOE Scope .............................................................................................................................2
Protection Profile Conformance ............................................................................................3
Assurance...............................................................................................................................4
Strength of Function Claims ..................................................................................................4
Security Function Policy........................................................................................................4
Security Claims......................................................................................................................4
Evaluation Conduct...............................................................................................................5
General Points........................................................................................................................6
II. EVALUATION FINDINGS................................................................................................7
Introduction............................................................................................................................7
Delivery .................................................................................................................................7
Installation and Guidance Documentation.............................................................................8
Flaw Remediation ..................................................................................................................8
Strength of Function ..............................................................................................................9
Vulnerability Analysis ...........................................................................................................9
Platform Issues.....................................................................................................................10
III. EVALUATION OUTCOME............................................................................................11
Certification Result..............................................................................................................11
Recommendations................................................................................................................11
ANNEX A: EVALUATED CONFIGURATION.....................................................................13
ANNEX B: PRODUCT SECURITY ARCHITECTURE .......................................................15
ANNEX C: PRODUCT TESTING............................................................................................19
EAL4 OLS for Oracle Database 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Page vi Issue 1.0 November2005
(This page is intentionally left blank)
OLS for Oracle Database 10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
November2005 Issue 1.0 Page vii
ABBREVIATIONS
CAPP Controlled Access Protection Profile
CC Common Criteria
CEM Common Evaluation Methodology
CESG Communications -Electronics Security Group
CLEF Commercial Evaluation Facility
CPU Critical Patch Update
DAC Discretionary Access Control
DBMS Database Management System
DBMSPP Database Management System Protection Profile
DML Data Manipulation Language
EAL Evaluation Assurance Level
ETR Evaluation Technical Report
LBAC Label-Based Access Control
MLR Merge Label Request
OCI Oracle Call Interface
OLS Oracle Label Security
ONS Oracle Net Services
O-RDBMS Object-Relational Database Management System
OS Operating System
PGA Program Global Area
PL/SQL Programming Language / Structured Query Language
RDBMS Relational Database Management System
SFP Security Function Policy
SFR Security Functional Requirement
SGA System Global Area
SOF Strength of Function
SQL Structured Query Language
SQLJ Structured Query Language Java
TOE Target of Evaluation
TSF TOE Security Functions
TSFI TOE Security Functions Interface
UKSP United Kingdom Scheme Publication
VPD Virtual Private Database
EAL4 OLS for Oracle Database 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Page viii Issue 1.0 November2005
(This page is intentionally left blank)
OLS for Oracle Database 10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
November2005 Issue 1.0 Page ix
REFERENCES
Standards and Criteria
a. Common Criteria for Information Technology Security Evaluation,
Part 1: Introductionand GeneralModel,
Common Criteria Interpretations Management Board,
CCIMB-2004-01-001, Version 2.2, January 2004.
b. Common Criteria for Information Technology Security Evaluation,
Part 2:Security FunctionalRequirements,
Common Criteria Interpretations Management Board,
CCIMB-2004-01-002, Version 2.2, January 2004.
c. Common Criteria for Information Technology Security Evaluation,
Part 3:Security Assurance Requirements,
Common Criteria Interpretations Management Board,
CCIMB-2004-01-003, Version 2.2, January 2004.
d. Common Methodology for Information Technology Security Evaluation,
Part 2: Evaluation Methodology,
Common Criteria Interpretations Management Board,
CCIMB-2004-01-004, Version 2.2, January 2004.
e. Database Management System Protection Profile,
Oracle Corporation,
Issue 2.1,May 2000.
f. Controlled Access Protection Profile,
US National Security Agency,
Version 1.d, 8 October 1999.
g. Description of the Scheme,
UK IT Security Evaluation and Certification Scheme,
UKSP 01, Issue 5.0, July 2002.
h. CLEF Requirements: Part I – Startup and Operation,
UK IT Security Evaluation and Certification Scheme,
UKSP 02 Part I, Issue 4.0, April 2003.
i. CLEF Requirements: Part II – Conduct of an Evaluation,
UK IT Security Evaluation and Certification Scheme,
UKSP 02 Part II, Issue 1.1, October 2003.
EAL4 OLS for Oracle Database 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Page x Issue 1.0 November2005
Previous Certification Reports
j. Common Criteria Certification Report No. P221:
Oracle Database 10g Enterprise Edition Release 1 (10.1.0.4),
UK IT Security Evaluation and Certification Scheme,
Issue 1.0,November 2005.
k. Common Criteria Certification Report No. P212:
Oracle Label Security for Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0),
UK IT Security Evaluation and Certification Scheme,
Issue 1.0, February 2005.
l. Common Criteria Certification Report No. P179:
Oracle Label Security for Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0),
UK IT Security Evaluation and Certification Scheme,
Issue 1.0, September 2003.
m. Common Criteria Certification Report No. BSI-DSZ-CC-0257-2004:
Red Hat Enterprise Linux AS Version 3, Update 2 with eal3-certification package,
Bundesamt für Sicherheit in der Informationstechnik, Germany,
2 August 2004.
TOE Evaluation Reports
n. Task LFL/T210Evaluation Technical Report 1,
LogicaCMG CLEF,
310.EC201124:30.1, Issue 1.0, 14 October 2004.
o. Task LFL/T210 Evaluation Technical Report 2,
LogicaCMG CLEF,
Task210.EC201124:30.2.2, Issue 1.0, 9 June 2005.
p. Task LFL/T210Evaluation Technical Report 3,
LogicaCMG CLEF,
Task210.EC201124:30.3.4, Issue 1.0, 8 September 2005.
q. Email from the Sponsor to the Certifier, 7 November 2005.
r. Emails from the Evaluators to the Certifier,
16 November 2005, 18 November 2005and 21 November 2005.
Evidence for Evaluation and Certification
s. OLS Security Target for Oracle Database, 10g Release 1 (10.1.0),
Oracle Corporation,
Issue 1.2,November 2005.
OLS for Oracle Database 10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
November2005 Issue 1.0 Page xi
t. OLS Evaluated Configuration for Oracle Database 10g Release 1 (10.1.0),
Oracle Corporation,
Issue 0.5,November 2005.
u. Oracle Label Security Administrator’s Guide, 10g Release 1 (10.1),
Oracle Corporation,
Part No. B10774-01, December 2003
v. Oracle Database Administrator’s Guide, 10g Release 1 (10.1),
Oracle Corporation,
Part No. B10739-01, December 2003.
w. Oracle Database Installation Guide, 10g Release 1 (10.1.0.3) for Linux x86-64,
Oracle Corporation,
Part No. B14399-01, October 2004.
x. Oracle Database SecurityGuide, 10g Release 1 (10.1),
Oracle Corporation,
Part No. B10773-01, December 2003.
y. Oracle Database Concepts, 10g Release 1 (10.1),
Oracle Corporation,
Part No. B10743-01, December 2003.
z. Oracle Database Reference, 10g Release 1 (10.1),
Oracle Corporation,
Part No. B10755-01, December 2003.
aa. Oracle Database Application Developer’s Guide - Fundamentals, 10g Release 1 (10.1),
Oracle Corporation,
Part No. B10795-01, December 2003.
bb. Oracle Database SQL Reference, 10g Release 1 (10.1),
Oracle Corporation,
Part No. B10759-01, December 2003.
cc. SQL *Plus User’s Guide and Reference, Release 10.1,
Oracle Corporation,
Part No. B12170-01, December 2003.
dd. Oracle Call Interface Programmer’s Guide, 10g Release 1 (10.1),
Oracle Corporation,
Part No. B10779-01, December 2003.
ee. Oracle Database Patch Set Notes, 10g Release 1 (10.1.0.4), Patch Set 2 for Linux x86,
Oracle Corporation
Available from Oracle MetaLink:
http://metalink.oracle.com
EAL4 OLS for Oracle Database 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Page xii Issue 1.0 November2005
ff. Oracle Critical Patch Update - July 2005, Release Notes for Oracle Database Server
Version (10.1.0.4), README for Patch Number 4392423,
Oracle Corporation
Available from Oracle MetaLink:
http://metalink.oracle.com
gg. EAL3 Evaluated Configuration Guide for Red Hat Enterprise Linux,
Klaus Weidner,
Version 1.2, 29 June 2004
Available from:
ftp://www6.software.ibm.com/software/developer/library/os-ltc-security/RHEL-EAL
3-Configuration-Guide.pdf
hh. Deploying Oracle9i Database on Red Hat Enterprise Linux,
Jennifer Lamb, Red Hat Inc,
March 2004
Available from:
http://www.redhat.com
OLS for Oracle Database 10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
November 2005 Issue 1.0 Page 1
I. EXECUTIVE SUMMARY
Introduction
1. This Certification Report states the outcome of the Common Criteria (CC) IT security
evaluation of Oracle Label Security (OLS) Release 1 (10.1.0.4) used with Oracle Database 10g
Enterprise Edition Release 1 (10.1.0.4) with Critical Patch Update - July 2005 (‘Oracle 10g’),
running on specified platforms, to the Sponsor (Oracle Corporation) and is intended to assist
prospective consumers when judging the suitability of the product for their particular
requirements.
2. Prospective consumers are advised to read this report in conjunction with the Security
Target [Reference s], which specifies the functional, environmental and assurance evaluation
requirements.
Evaluated Product
3. The version of the product evaluated was:
Oracle Label Security Release 1 (10.1.0.4), used with
Oracle Database 10g Enterprise Edition, Release 1 (10.1.0.4) with
CriticalPatch Update - July 2005.
4. This report describes the product as the Target of Evaluation (TOE) and identifies it as
‘Oracle 10g OLS’. The Developer was Oracle Corporation.
5. Oracle 10g is an Object-Relational Database Management System (O-RDBMS) that has
been developed to provide comprehensive security functionality for multi-user distributed
database environments.
6. OLS provides label-based access control (LBAC), in addition to the discretionary access
control (DAC) provided by Oracle 10g. OLS mediates the labels and privileges associated with
each user session and it controls access to rows in database table s, based on the label(s)
contained in each row.
7. The main security features provided by the TOE are:
• user identification and authentication, with password management options;
• DAC on database objects;
• LBAC;
• granular privileges for the enforcement of least privilege;
• user-configurable roles for privilege management;
• extensive and flexible auditing options;
• secure access to remote Oracle databases;
• stored procedures, triggers and security policies for user-defined access controls and
auditing.
8. Annex A summarises the evaluated configuration, including its guidance documentation.
Annex B outlines the security architecture. Annex C summarises the product testing.
EAL4 OLS for Oracle Database 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Page 2 Issue 1.0 November 2005
TOE Scope
9. The scope of the certification includes the following Oracle server products:
• Oracle Label Security, Release 1 (10.1.0.4);
• Oracle Database 10g Enterprise Edition, Release 1 (10.1.0.4)
with Critical Patch Update - July 2005.
10. Access to the above products is provided via the Oracle Call Interface (OCI) Release 1
(10.1.0.4) product, which constitutes the TOE Security Functions Interface (TSFI).
11. OCI Release 1 (10.1.0.4) is part of the evaluated configuration of the TOE. It provides a
client-side, application programming interface (API) for developing database applications
written in high level languages such as C.
12. The TOE can operate in standalone, client/server and distributed configurations.
Oracle client products are outside the scope of the TOE’s certification. (The Evaluators used
Oracle Database 10g Client, Release 1 (10.1.0.3), but only for testing the TOE.) Database links
may be provided to connect different O-RDBMS servers over a network
13. The TOE can also operate in a multi-tier environment, but that is actually a particular type
of client/server configuration in which the client application is located on a middle -tier, whilst
the user interface is located on a separate ‘thin’ client (e.g. a web browser or a network terminal).
In a multi-tier environment, any middle tier that communicates with the server is an Oracle client
(which is outside the scope of the certification) and any lower tiers are also outside the scope of
the certification.
14. The scope of the certification applies to the TOE running on the following operating
system platform:
Red Hat Enterprise Linux AS Version 3, Update 2 with eal3-certification package
(identified in this report as ‘Red Hat Linux AS 3’).
15. Annex A summarises the platforms on which the TOE was evaluated.
16. The previously evaluated version of the product was OLS Release 2 (9.2.0.1.0) used with
Oracle9i Database Server Enterprise Edition Release 2 (9.2.0.1.0), identified in this report as
‘Oracle9i OLS’ (see Certification Reports [k, l]). The TOE includes the following new or
modified security related features since Oracle9i OLS (note: they are all provided by Oracle 10g,
there are no OLS-specific new or modified features):
• ‘drop database’ function;
• enhancements to standard auditing and fine grained auditing;
• uniform audit trail;
• Virtual Private Database (VPD) static and dynamic policies;
• column level VPD;
• shared VPD policy types;
• SYSAUX tablespace;
OLS for Oracle Database 10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
November 2005 Issue 1.0 Page 3
• enhancements to flashback (i.e. flashback database, flashback table, flashback
version query, flashback drop, flashback transaction query);
• Structured Query Language (SQL) syntax.
17. The TOE should not be connected to any untrusted or potentially hostile network (such as
the Internet), unless additional security measures are applied. Hence use of the TOE when
connected to such a network is outside the scope of the certification.
18. The scope of the certification also excludes various features of the product which are
related to security but do not directly address any of the functional requirements identified in the
Security Target [s]. Those features, which are specified in the section ‘Other Oracle Database
10g Security Features’ in Chapter 2 of the Security Target, are as follows:
• data integrity;
• import/export;
• backup and recovery;
• Oracle Advanced Security;
• supplied packages;
• external authentication services;
• application-specific security;
• support for Structured Query Language Java (SQLJ).
Protection Profile Conformance
19. The Security Target [s] claims conformance with the DBMSPP [e], with that profile’s
Database Authentication functional package,whenrunning on Red Hat LinuxAS 3.
20. The evaluated configuration of the TOE (when running on Red Hat Linux AS 3) supports
one mode of authentication in accordance with the above claim, namely O-RDBMS Mode. In
that mode, Database Authentication is performed directly by the Oracle 10g server, using
passwords managed directly by that server.
21. The claimed SFRs in the Security Target [s] were all included in the CC Database
Management System Protection Profile (DBMSPP) [e],except that:
a. FMT_SMF.1 has been added to reflect a change to the CC after the DBMSPP was
published. The Security Target claims that this change does not affect its
conformance with the DBMSPP because FMT_SMF.1 only specifies the
management functions for which the other families in the FMT class define usage
restrictions.
b. FDP_IFC.1.1, FDP_IFF.2.1 - 2.7, FMT_MOF.1.1, FMT_MSA.1.1.2 and
FMT_MSA.3.1.2 - 3.2.2 have been added to reflect LBAC, which is a topic that was
not covered in the DBMSPP.
EAL4 OLS for Oracle Database 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Page 4 Issue 1.0 November 2005
Assurance
22. The Security Target [s] specifies the assurance requirements for the evaluation.
These comprise CC predefined Evaluation Assurance Level EAL4, augmented by ALC_FLR.3.
23. CC Part 1 [a] provides an overview of the CC.
24. CC Part 3 [c] describes the scale of assurance given by predefined levels EAL1 to EAL7,
and provides details of ALC_FLR.3.
Strength of Function Claims
25. The Security Target [s] claims that the minimum Strength of Function (SOF) for the TOE
is SOF-high. This exceeds the requirement in the DBMSPP [e], which requires at least
SOF-medium overall for the TOE and the operating system.
26. The claim of SOF-high for the TOE is only applicable to its Database Authentication,
which includes a one-way encryption algorithm (modified Data Encryption Standard (DES)) to
encrypt passwords before storing them in the database. The Security Target [s] refers to the
TOE’s password management functions collectively as the PWD (i.e. password) mechanism and
claims SOF-high for the password space that they provide. However the modified DES
encryption algorithm is publicly known and as such it is the policy of the UK national authority
for cryptographic mechanisms, Communications-Electronics Security Group (CESG), not to
comment on its appropriateness or strength.
Security Function Policy
27. The TOE has an explicit access control Security Function Policy (SFP), defined in the
following Security Functional Requirements (SFRs) of the TOE:
• (user data protection): FDP_ACC.1,FDP_ACF.1, FDP_IFC.1 and FDP_IFF.2;
• (security management): FMT_MSA.1 and FMT_MSA.3.
28. See the Security Target [s] for further details.
Security Claims
29. The Security Target [s] claims conformance against the DBMSPP [e]. In the Security
Target:
a. The claimed threats are as per the DBMSPP, plus T.LBAC.
b. The claimed Orga nisational Security Policies are as per the DBMSPP, plus
P.LABEL and P.INFOFLOW.
c. The claimed assumptions are as per the DBMSPP, plus the following:
i. A.TOE.CONFIG is modified (to refer to the Evaluated Configuration
document [t], but is otherwise unchanged) ;
ii. A.MIDTIER and A.USERS are added.
OLS for Oracle Database 10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
November 2005 Issue 1.0 Page 5
d. The claimed TOE security objectives are as per the DBMSPP, plus
O.ACCESS.LBAC.
e. The claimed environmental security objectives are as per the DBMSPP, plus
O.USERS.
f. The claimedSFRsare as in the DBMSPP (which draws its SFRs from CC Part 2 [b]),
except that the Security Target adds FMT_SMF.1(to reflect a change to CC Part 2
after the DBMSPP was published), and adds FDP_IFC.1.1, FDP_IFF.2.1 - 2.7,
FMT_MOF.1.1, FMT_MSA.1.1.2 and FMT_MSA.3.1.2- 3.2.2 (to reflect LBAC,
which was not covered in the DBMSPP). Use of CC Part 2, as a standard, facilitates
comparison with other evaluated products.
g. The claimed assurance requirements are strengthened from those in the DBMSPP
(i.e. the TOE’s target assurance level is EAL4 augmented with ALC_FLR.3, which
exceeds the DBMSPP assurance requirement of EAL3).
30. The Security Target [s] groups the specifications of the security functions as follows:
• identification and authentication (i.e. F.IA);
• access control: database resources (i.e. F.LIM)
;
• access control: object access control (i.e. F.ACCESS);
• access control: discretionary access control (i.e. F.DAC);
• access control: label-based access control (i.e. F.LBAC);
• access control: roles and privileges (i.e. F.APR and F.PRI);
• audit and accountability (i.e. F.AUD).
Evaluation Conduct
31. The evaluation was performed in accordance with the requirements of the UK IT Security
Evaluation and Certification Scheme, as described in United Kingdom Scheme Publication
(UKSP) 01 [g] and UKSP 02 [h, i]. The Scheme has established a Certification Body, which is
managed by CESG on behalf of Her Majesty’s Government.
32. As stated on page ii of this report, the Certification Body is a member of the Common
Criteria Mutual Recognition Arrangement. The evaluation was performed in accordance with
the terms of that Arrangement.
33. The purpose of the evaluation was to provide assurance about the effectiveness of the TOE
in meeting its Security Target [s], which prospective consumers are advised to read.
34. To ensure that the Security Target [s] gave an appropriate baseline for a CC evaluation, it
was itself first evaluated. The TOE was then evaluated against that baseline.
35. The evaluation was performed in accordance withthe following requirements:
• the EAL4 requirements specified in CC Part 3 [c];
• the Common Evaluation Methodology (CEM) [d];
• appropriate interpretations.
EAL4 OLS for Oracle Database 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Page 6 Issue 1.0 November 2005
36. Some results were re-used from the following previous evaluations, where such results
complied with the above requirements and remained valid for the TOE:
a. the evaluation of Oracle 10g to EAL4 augmented with ALC_FLR.3 (see Certification
Report P221 [j]);
b. the evaluation of Oracle9i OLS (running on SuSE Linux Enterprise Server V8) to
EAL4 augmented with ALC_FLR.3 (see Certification Report P212 [k]);
c. the evaluation of Oracle9i OLS (running on Solaris 8 and NT4.0) to EAL4
augmented with ALC_FLR.3 (see Certification Report P179 [l]).
37. The Certification Body monitored the evaluation, which was performed by the
LogicaCMG Commercial Evaluation Facility (CLEF).
38. The evaluation of Oracle 10g OLS (when running on Red Hat Linux AS 3) was completed
in September 2005, when the CLEF submitted the last of its Evaluation Technical Reports
(ETRs) [n - p] to the Certification Body. The Certification Body requested further clarification
and, following satisfactory responses from the Sponsor [q] and the CLEF [r], the Certification
Body produced this Certification Report.
General Points
39. The evaluation addressed the security functionality claimed in the Security Target [s], with
reference to the assumed operating environment specified in that Security Target. The evaluated
configuration is specified in Annex A. Prospective consumers of the TOE are advised to check
that it matches their identified requirements and to give due consideration to the
recommendations and caveats of this report.
40. Certification is not a g
uarantee of freedom from security vulnerabilities; there remains a
small probability (smaller with greater assurance) that exploitable vulnerabilities may be
discovered after a certificate has been awarded. This Certification Report reflects the
Certification Body’s view at the time of certification (September 2005). Consumers (both
prospective and existing) should check regularly for themselves whether any security
vulnerabilities have been discovered since then and, if appropriate, should check with the Vendor
to see if any patches exist for the product and what assurance exists for such patches.
41. The issue of a Certification Report is not an endorsement of a product.
OLS for Oracle Database 10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
November 2005 Issue 1.0 Page 7
II. EVALUATION FINDINGS
Introduction
42. The evaluation addressed the requirements specified in the Security Target [s]. The results
of this work were reported in the ETRs [n - p] under the CC Part 3 [c] headings.
43. The following sections note considerations of particular relevance to consumers.
Delivery
44. When a consumer orders the TOE from the Vendor, Oracle provides the consumer with the
order number and invoice detailing the items ordered. The order is shipped via a trusted carrier
to the consumer, who is informed separately of the identity of the carrier and the shipment details
(e.g. the waybill number). Packages are marked with the name and address of the sender, the
name and address of the addressee and the Oracle logo.
45. The consumer should check that the order number of the delivery is the same as the order
number on the invoice and that the part numbers of all items supplied are the same as indicated
on the invoice.
46. The above measures are intended to ensure that a third party could not masquerade as the
Vendor and supply potentially malicious software. Nevertheless, the consumer must rely on
Oracle’s manufacturing procedures and the trust placed in the carrier, to counter the threat of
interference to the TOE along the delivery path. The Evaluators confirmed that Oracle would
use high security couriers, or other measures, if required by the consumer.
47. On receiving the TOE, the consumer should check that it is the evaluated version and
should check that the security of the TOE has not been compromised during delivery.
48. The TOE is delivered to the consumer as three separate components:
a. The appropriate CD pack, i.e. 10.1.0.3 (for Linux).
Note: The Evaluators and the Certification Body recommend that consumers should obtain
delivery of this via physical media (e.g. CD-ROMs for software; printed documentation).
b. The patch set to make 10.1.0.4.
c. The critical patch update – July 2005.
Note: Oracle currently issues patches via the Internet only, i.e. at its MetaLink website
(http://metalink.oracle.com). This includes checksums for recent patches and recent critical
patch updates (including those in b. and c. above), for consumers to verifythe identity and
integrity of their downloaded patch files. MetaLink is available only to consumers with
Oracle support contracts; it requires an account and a purchased licence, and this is
valuable for providing an audit trail and accountability. A consumer can guard against
spoofing of the Oracle website by phoning Oracle support and asking them to check their
patch download audit log; a log entry would confirm that Oracle initiated the download
and would identify the consumer’s MetaLink account that downloaded the patch.
EAL4 OLS for Oracle Database 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Page 8 Issue 1.0 November 2005
49. Those components are described in the Evaluated Configuration document [t] and
summarised below, for the TOE running on Red Hat Linux AS 3 (Note that ‘OLS’ is not
identified on the product packaging, as OLS is delivered as part of Oracle 10g as a configurable
option):
a. The consumer orders and receives the CD pack from Oracle, which is labelled as:
‘Oracle Database 10g Release 1 (10.1.0.3) CD/Media Pack v4 for Linux x86,
Oracle Part Number B18736-01’.
b. The consumer downloads the 10.1.0.4 patch set from Oracle’s MetaLinkwebsite:
‘10.1.0.4patch setfor Oracle Database Server
Patchset 4163362
Linux x86’.
c. The consumer downloads the critical patch update from Oracle’s MetaLink website:
‘Patch Number 4392423
MLR ON TOP OF 10.1.0.4 FOR CPUJUL2005
RDBMS Server
Oracle 10.1.0.4
Linux x86
14-Jul-2005’.
Installation and Guidance Documentation
50. The Evaluated Configuration document [t] specifies the steps that a consumer must
perform to ensure the secure installation and configuration of the TOE. The Evaluators
confirmed that the TOE generated by the installation and configuration procedures is unique, if
the steps in the Evaluated Configuration document are followed.
51. Guidance to administrators and end-users regarding security of the TOE is provided in the
Evaluated Configuration document [t], the 10g OLS Administrator’s Guide [u] and the Oracle
10g Administrator’s Guide [v]. Those documents also indicate how the TOE’s environment can
be secured. The procedures in the Evaluated Configuration document that are relevant to end-
users are generally limited to common-sense measures (e.g. non-disclosure of passwords).
52. The Evaluated Configuration document [t], the 10g OLS Administrator’s Guide [u] and the
Oracle 10g Administrator’s Guide [v] also refer to supporting documentation [s - hh], as
appropriate.
53. The Evaluated Configuration document [t] is released by Oracle to consumers on request.
It is anticipated that Oracle may also make the document available for download from one of its
websites (e.g. via http://www.oracle.com/technology/deploy/security).
Flaw Remediation
54. Oracle’s flaw remediation information for consumers is available from two websites:
a. Oracle’s ‘MetaLink’ website (http://metalink.oracle.com), which enables consumers
with an Oracle support contract to:
i. email details of flaws to Oracle, and receive technical support, by submitting a
Technical Assistance Request;
OLS for Oracle Database 10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
November 2005 Issue 1.0 Page 9
ii. receive email alerts from Oracle regarding flaws, fixes and workarounds;
iii. read alerts and news posted on the MetaLink website by Oracle regarding
flaws, fixes and workarounds ;
iv. download patches from Oracle via the MetaLinkwebsite.
b. Oracle’s public website (http://www.oracle.com), which enables other consumers
and the public to:
i. email details of security flaws to Oracle, at secalert_us@oracle.com;
ii. read alerts and news posted on the public website by Oracle regarding flaws,
fixes and workarounds.
55. Oracle currently issues patches via the Internet only (at http://metalink.oracle.com , for
consumers with Oracle support contracts only), as noted in paragraph 48 above.
Strength of Function
56. Regarding the TOE’s Database Authentication, the Security Target [s] claims SOF-high
for the password space provided by the TOE’s password management functions (i.e. the ‘PWD
mechanism’). That claim applies to two different password profiles:
a. a password of minimum length 8 characters, with no lockout;
b. a password of minimum length 6 characters, with a 1 minute lockout after
3 consecutive failed login attempts.
57. The Evaluated Configuration document [t] specifies the password controls that must be
applied to the password profiles in the evaluated configuration of the TOE.
58. The Evaluated Configuration document [t] also specifies a requirement that administrators
of the TOE must ensure that “no applications shall be permitted to run on any client or server
machines which access the network, unless they have been shown not to compromise the TOE’s
security objectives stated in the DBMSPP [e] and the Security Target [s]”. This counters the risk
of automated login attacks from the client when no lockout is configured.
59. The Evaluators found that the TOE’s password space met the SOF-high claim of the
Security Target [s].
Vulnerability Analysis
60. The Evaluators searched for vulnerabilities regarding the TOE and its components.
They also searched for vulnerabilities in the TOE’s operating system environment (i.e. Red Hat
Linux AS 3) that could be used to compromise the TOE, e.g. from client machines.
61. The Evaluators’ vulnerability analysis was based on public domain sources and on the
visibility of the TOE given by the evaluation process.
EAL4 OLS for Oracle Database 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Page 10 Issue 1.0 November 2005
Platform Issues
62. The TOE was evaluated on the operating system platform and hardware platforms
specifiedin Annex A.
63. The certified configuration is that running on those platforms only, i.e. it excludes all other
platforms.
OLS for Oracle Database 10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
November 2005 Issue 1.0 Page 11
III. EVALUATION OUTCOME
Certification Result
64. After due consideration of the ETRs [n - p] produced by the Evaluators, and the conduct of
the evaluation as witnessed by the Certifier, the Certification Body has determined that Oracle
Label Security Release 1 (10.1.0.4) used with Oracle Database 10g Enterprise Edition Release 1
(10.1.0.4) with Critical Patch Update – July 2005 meets the CC Part 3 augmented requirements
of Evaluation Assurance Level EAL4 (i.e. augmented by ALC_FLR.3), for the specified CC
Part 2 conformant functionality in the specified environment when running on the platforms
specified in Annex A.
65. Oracle Label Security Release 1 (10.1.0.4), used with Oracle Database 10g Enterprise
Edition Release 1 (10.1.0.4) with Critical Patch Update – July 2005, was evaluated on Red Hat
Enterprise Linux AS Version 3, Update 2 with eal3-certification package (which has previously
been certified [m] against CC EAL3 augmented by ALC_FLR.3, with CAPP).
66. Oracle Label Security Release 1 (10.1.0.4) used with Oracle Database 10g Enterprise
Edition Release 1 (10.1.0.4) with Critical Patch Update – July 2005 conforms to the DBMSPP
[e], with the Database Authentication functional package, when running on that operating
system platform.
67. The Strength of Function claim of SOF-high for Database Authentication in the Security
Target [s] is satisfied.
68. This report certifies only the TOE to assurance level EAL4 augmented by ALC_FLR.3,
when running on the operating system platform specified in Annex A (i.e. Red Hat Linux AS 3).
Prospective consumers should be aware that:
a. Red Hat Linux AS 3 is not certified to that assurance level. (It has been certified to
EAL3 augmented by ALC_FLR.3; see its Certification Report [m].)
b. The security functionality of the TOE relies on the security functionality of the
operating system platform, as specified in Section 5.5 of the DBMSPP [e].
Recommendations
69. Prospective consumers of the TOE should understand the specific scope of the certification
by reading this report in conjunction with the Security Target [s]. In particular, certification of
the TOE does not apply to its use in an untrusted or potentially hostile network environment
(such as the Internet).
70. The product provides some features that were not within the scope of the certification as
identified in Chapter I under the heading ‘TOE Scope’. Those features should therefore not be
used if the TOE is to comply with its evaluated configuration.
71. Only the evaluated TOE configuration, as specified in Annex A, should be installed.
Subsequent updates to the TOE are covered by Oracle’s flaw remediation process.
EAL4 OLS for Oracle Database 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Page 12 Issue 1.0 November 2005
72. The TOE should be administered and used in accordance with:
a. the guidance documentation [t-v], which refers to supporting documentation [s-hh] as
appropriate;
b. the environmental considerations outlined in the Security Target [s] and the
Evaluated Configuration document [t].
73. As stated in the DBMSPP [e], it is recommended that TOE administrators ensure that any
audit records written to the underlying operating system do not result in space exhaustion on
secondary storage devices. TOE administrators should use appropriate operating system tools to
monitor the audit log size and to archive the oldest logs before the audit space is exhausted.
74. Further details are given in Chapter I under the heading ‘TOE Scope’ and in Chapter II.
OLS for Oracle Database 10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
Annex A
November 2005 Issue 1.0 Page 13
ANNEX A: EVALUATED CONFIGURATION
TOE Identification
1. The TOE is uniquely identified as:
Oracle Label Security Release 1 (10.1.0.4),
used with Oracle 10g Enterprise Edition Release 1 (10.1.0.4)
with Critical Patch Update – July 2005.
TOE Documentation
2. The relevant guidance documents, as evaluated for the TOE or referenced from the
evaluated documents, were:
• Oracle 10g OLS Security Target [s];
• Oracle 10g OLS Evaluated Configuration document [t];
• Oracle 10g OLS Administrator’s Guide [u];
• Oracle 10g Administrator’s Guide [v];
• Oracle 10g Installation Guide for Linux x86-64 [w];
• Oracle 10g Security Guide [x];
• Oracle 10g Concepts [y];
• Oracle 10g Reference [z];
• Oracle 10g Application Developer’s Guide [aa];
• Oracle 10g SQL Reference [bb];
• SQL *Plus User’s Guide and Reference [cc];
• OCI Programmer’s Guide [dd];
• Oracle 10g Patch Set 2 Notes for Linux x86 [ee];
• Oracle 10g Critical Patch Update – July 2005, Release Notes [ff];
• EAL3 Evaluated Configuration Guide for Red Hat Linux [gg];
• Deploying Oracle 9i on Red Hat Linux[hh].
3. Further discussion of the guidance documents is provided in Chapter II under the heading
‘Installation and Guidance Documentation’.
TOE Configuration
4. The TOE should be installed, configured and maintained in accordance with the Evaluated
Configuration document [t], which refers to supporting documentation [s - hh] as appropriate , as
indicated above under the heading ‘TOE Documentation’.
Environmental Configuration
5. The TOE has no hardware or firmware dependencies.
EAL4 OLS for OracleDatabase 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Annex A
Page 14 Issue 1.0 November 2005
6. The TOE has software dependencies, in that it relies on the host operating system to:
a. Protect the TOE’s security features that are within the scope of its evaluation and
certification, including its:
i. access control;
ii. identification and authentication (Note: the TOE does not use
OS Authentication, as no Microsoft Windows operating system platforms are
used for the TOE);
iii. auditing (including audit records, if writtento the operating system rather than
to the RDBMS audit trail);
iv. security management;
v. secured distributed processing.
b. Protect the TOE from being bypassed, tampered with, misused or directly attacked.
7. Hence the security of the TOE depends not only on secure administration of the TOE, but
also on secure administration of the host operating system in configurations using the TOE.
8. The environmental configuration used by the Developer to test the TOE was as
summarised in Table A-1. The environmental configuration used by the Evaluators to test the
TOE was as summarised in Table A-2.
9. Further details of the TOE’s environmental configuration are provided in Chapter I under
the heading ‘TOE Scope’.
Configuration Type Oracle 10g OLS on Red Hat Linux AS 3
Machine Dell Power Edge 2650 (used as the server and the client)
Processor dual Intel Xeon (2 x 3.06GHz)
Memory 6GB RAM
Operating System Red Hat Enterprise Linux AS Version 3, Update 2 with eal3-certification package
Drives 290GB hard drive
Network Connection 10/100BaseT network connection on motherboard
Table A-1: Environmental Configuration (Developer’s Tests)
Configuration Type Oracle 10g O LS on Red Hat Linux AS 3
Machine IBM xSeries 335 (used as the server)
Processor Intel Xeon 2.86GHz
Memory 2.5GB RAM
Operating System Red Hat Enterprise Linux AS Version 3, Update 2 with eal3-certification package
Drives 40GB hard drive; 3.5” floppy drive, CD-ROM
Network Connection 10/100/1000BaseT network connection on motherboard
A Compaq Deskpro EN machine (with Intel Pentium III processor 866MHz, 512MB RAM and 30GB hard disc)
was used as the client, running on SUSE Linux 9, connected to the above server via a LAN.
Table A-2: Environmental Configuration (Evaluators’ Tests)
OLS for OracleDatabase10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
AnnexB
November 2005 Issue 1.0 Page 15
ANNEX B: PRODUCT SECURITY ARCHITECTURE
Introduction
1. The evaluated product was Oracle 10g OLS.
2. OLS builds upon the VPD technology of Oracle 10g.
3. The Oracle 10g security architecture is summarised in Annex B of the Oracle 10g
Certification Report [j]. The OLS specific security architecture is summarised in the following
two sections.
OLS Label-Based Access Control
4. OLS enables application developers to add LBAC to their applications for Oracle 10g.
If used, OLS mediates access to rows in database tables, based on a label contained in each row
and based on the label and privileges associated with each user session.
5. OLS provides an out-of-the-box VPD policy that enables administrative users to create one
or more custom security policies for label access decisions, without knowledge of a
programming language. There is no need to write the additional code that is normally required
for direct use of VPD, because in a single step a security policy can be applied to a given table.
In this way, OLS provides a straightforward and efficient way to implement fine-grained security
policies using data label technology.
6. Figure B-1 illustrates the process of accessing data under OLS. Within an application and
an Oracle 10g session, a user issues a SQL request. Oracle 10g checks the DAC privileges,
checking that the user has SELECT privileges on the table. Then it checks to see if a VPD policy
has been attached to the table. It finds that the table is protected by OLS, so the SQL statement is
modified on the fly to enforce the policy. Each data record has a label; OLS is invoked for each
row to determine whether, based on the label, the user can or cannot access the row.
Figure B-1: Accessing Data Under OLS
EAL4 OLS for OracleDatabase 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Annex B
Page 16 Issue 1.0 November 2005
7. To create a customised OLS policy, an administrative user defines a set of labels and a set
of rules that govern data access, based on those labels. For example, assume that a user has
SELECT privilege on an application table. Figure B-2 illustrates that, when the user executes a
SELECT statement, OLS assesses each row selected and determines whether the user can access
it (i.e. based on the privileges and access labels assigned to the user by the administrative user).
OLS can also be configured to perform security checks on UPDATE, DELETE, and INSERT
statements.
Figure B-2: OLS Determines If The User Can Access Each Row Selected
8. OLS mediates access to data in a table according to the label associated with each row of
data, the label associated with the user session, the policy privileges associated with the user
session, and the policy enforcement options associated with the table. Consider, for example, a
standard Data Manipulation Language (DML) operation (such as SELECT) performed upon a
row of data. OLS assesses a request by a user with the IN_CONFIDENCE label to access a data
row with the IN_CONFIDENCE label; OLS determines that this access can be achieved. Inthis
way, data of different sensitivities, or belonging to different companies, can be stored and
managed on a single system, while preserving data security through standard Oracle access
controls. Likewise, applications from a broad range of industries can each use row labels to
provide additional access control functionality where necessary.
9. Individual application tables can be protected, and not all of the tables in the application
need to be protected by an OLS policy. Lookup tables such as zip codes, for example, do not
need to be protected. Multiple OLS policies can be created. For example, a human resources
policy could co-exist with a de fence policy in the same database. Each of the policies can be
independently configured and can have its own unique label definitions.
10. In OLS, each row of a table can be labelled as to its level of confidentiality. The label
contains three components: a single level or sensitivity ranking; one or more horizontal
compartments or categories; and one or more hierarchical groups. The level specifies the
sensitivity of the data. A government organisation might define levels UNCLASSIFIED,
IN_CONFIDENCE, SENSITIVE and HIGHLY_SENSITIVE. A commercial organisation
might define levels PUBLIC and COMPANY_IN_CONFIDENCE data. The compartment
component is non-hierarchical; compartments are typically defined to segregate data, such as
data related to an ongoing strategic initiative. Finally, groups are used to record ownership and
can be used hierarchically. For example, FINANCE, SALES and ENGINEERING groups can
be defined as children of a CORPORATION group, creating an ownership relation. Labels can
contain a single level component, or a level combined with a set of either compartments or
groups, or a level with both compartments and groups.
OLS for OracleDatabase10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
AnnexB
November 2005 Issue 1.0 Page 17
11. Users can be granted label authorisations for each OLS policy, which determine the kind of
access (read or write) they have to the rows in tables to which that policy has been applied.
12. Policy privileges enable a user or stored program unit to bypass aspects of the label-based
access control policy. In addition, the administrator can authorise the user or program unit to
perform specific actions, such as the ability of one user to assume the authorisations of a
different user. Privileges can be granted to program units, i.e. authorising the procedure (rather
than the user) to perform privileged operations.
13. In OLS, administrators can apply different enforcement options for maximum flexibility in
controlling the different DML operations that users can perform. For each SELECT, INSERT,
UPDATE and DELETE operation, administrative users can specify a particular type of
enforcement of the security policy on a per-table basis. In this way, the label-based access
controls can be customised for each table.
Audit
14. OLS supplements the Oracle 10g audit facility, by tracking the use of its own OLS
administrative operations and policy privileges. Under OLS, audit trail records contain a label
associated with the session that generated the audit, so that the relationship between operations,
data labels and the label of the user performing the operation can be seen.
EAL4 OLS for OracleDatabase 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Annex B
Page 18 Issue 1.0 November 2005
(This page is intentionally left blank)
OLS for Orac le Database10g Enterprise Edition EAL4
Release 1 (10.1.0.4) with Critical Patch Update- July 2005 augmented by ALC_FLR.3
running on specified platforms DBMSPP
Annex C
November 2005 Issue 1.0 Page 19
ANNEX C: PRODUCT TESTING
Developer’s Testing
1. The Developer installed and tested the TOE on the platforms as specified in Annex A.
2. The Developer’s testing was designed to test the security mechanisms of the TOE, which
implement the security functions identified in the Security Target [s] and their representations
identified in the high level design, low level design and source code modules.
3. The Developer’s testing consisted of an automated test suite and manual test suites.
Evaluators’ Testing
4. The Evaluators installed and tested the TOE on the platforms as specified in Annex A.
5. All of the Evaluators’ testing was performed via the TOE’s external interface (i.e. OCI),
using SQL.
6. For their testing, the Evaluators used sampling as required for the appropriate work-units
for EAL4, following the guidance in the CEM [d], Section B.2. They confirmed sample sizes
and methods in advance with the Certifier.
7. The Evaluators assessed t
he Developer’s testing approach, coverage, depth and results.
This included:
a. witnessing the initiation of the Developer’s suites of general tests;
b. witnessing the initiation of the Developer’s suite of TOE-specific tests;
c. witnessing all of the Developer’s tests relevant to the security of the TOE, including
all of the Developer’s tests regarding new or modified features of the TOE since
Oracle9i OLS;
d. checking that the Developer’s tests covered all of the TOE Security Functions (TSF),
subsystems and TSFI;
e. performing a series of independently devised functional tests, in the form of
automated SQL scripts, to cover all of the TSF.
8. The Evaluators’ findings confirmed that:
a. the Developer’s testing approach, depth, coverage and results were all adequate;
b. the Developer’s tests covered all of the TSF, subsystems and the TSFI;
c. (for all of the Developer’s tests relevant to the security of the TOE): the actual test
results were consistent with the expected test results and any deviations were
satisfactorily accounted for ;
d. (for the Evaluators’ functional tests): the actual test results were consistent with the
expected test results.
EAL4 OLS for OracleDatabase 10g Enterprise Edition
augmented by ALC_FLR.3 Release 1 (10.1.0.4) with Critical Patch Update- July 2005
DBMSPP running on specified platforms
Annex C
Page 20 Issue 1.0 November 2005
9. The Evaluators then performed penetration testing of the TOE. Those tests were based on
samples of previous tests (i.e. from the Oracle 9i OLS evaluations [k, l]), supplemented by new
tests to search for potential vulnerabilities introduced by new or modified features of the TOE.
10. From checking various sources on the Internet, the Evaluators found no publicly known,
exploitable vulnerabilities applicable to the TOE, its components and its operating system
environment (i.e. Red Hat Linux AS 3).
11. The evaluators found publicly-known vulnerabilities regarding ONS (ONS was within the
scope of the evaluated configuration), but those vulnerabilities were not exploitable. The ways
by which those vulnerabilities were countered mean that, for the TOE’s evaluated configuration,
the network on which the O-RDBMS and all of its client applications run:
a. should be under the control of a trusted administrator;
b. should not be connected to any untrusted or potentially hostile networks (e.g. the
Internet).
12. In any case, the TOE’s evaluated configuration cannot consider the threats on untrusted or
potentially hostile networks, since the evaluated configuration of the TOE’s underlying operating
system (i.e. RedHat Linux AS 3) does not consider such threats.
13. The results of the Evaluators’ penetration testing confirmed:
a. the claimed SOF in the Security Target [s] for the password space for Database
Authentication (i.e. SOF-high);
b. that all identified potential vulnerabilities in the TOE have been addressed, i.e. the
TOE in its intended environment has no exploitable vulnerabilities.