PSTdiode ATKDDL
Security Target Lite
27/06/2019
Ref. 0555-24 R1.3
PSTdiode ATKDDL
Security Target Lite
Pág. 2/24
Ref. 0555-24 R1.3
Copyright © 2019 Autek Ingeniería. All rights reserved.
No part of this document may be reproduced, even for personal use, by any means and in any form, whether per-
manent or temporary. Nor are they permitted the translation, adaptation, arrangement or any other transformation,
modification and/or manipulation of all or part of the document, the transfer in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise without the prior written permission of Autek Ingeniería, S.L.
The authors of this document have been very careful in its preparation but we cannot offer any warranty or assume
any responsibility for errors, omissions or damages resulting from the use of the information contained herein.
Autek Ingeniería, S.L. PSTdiode ATKDDL
Security Target Lite
Ref. 0555-24 R1.3
PSTdiode ATKDDL
Security Target Lite
Pág. 3/24
Ref. 0555-24 R1.3
Table of Contents
1. Introduction ...................................................................................................... 9
1.1. Security Target Reference ..................................................................... 9
1.2. TOE Reference ...................................................................................... 9
1.3. TOE Overview ...................................................................................... 9
1.3.1. TOE Use ..................................................................................... 9
1.3.2. Type of TOE .............................................................................. 9
1.3.3. Required Hardware and Software ............................................... 9
1.4. TOE Description ................................................................................. 10
1.4.1. Physical Scope .......................................................................... 10
1.4.2. Logical Scope ........................................................................... 10
1.5. Product Description ............................................................................. 10
1.5.1. Use Cases ................................................................................. 11
1.5.2. Product Content ........................................................................ 11
2. Conformance Claims ...................................................................................... 13
2.1. CC Conformance Claim ...................................................................... 13
2.2. PP Conformance Claim ....................................................................... 13
3. Security Problem Definition ........................................................................... 15
3.1. Assets .................................................................................................. 15
3.2. Threats ................................................................................................. 15
3.2.1. Information flow ....................................................................... 15
3.3. Assumptions ........................................................................................ 15
3.4. Organisational Policies ........................................................................ 15
4. Security Objectives ........................................................................................ 17
4.1. Security Objectives for the TOE ......................................................... 17
4.2. Security Objectives for the Operational Environment ......................... 17
4.3. Justification of Security Objectives ..................................................... 17
5. TOE Security Requirements ........................................................................... 19
5.1. Security Functional Requirements ....................................................... 19
5.1.1. FDP_IFC.2 Complete information flow control ....................... 19
5.1.2. FDP_IFF.1 Simple security attributes ....................................... 19
5.2. Security Assurance Requirements ....................................................... 20
5.3. Security Functional Requirements Rationale ....................................... 21
5.3.1. Non Satisfied Dependencies Justification ................................. 21
5.3.2. Security Functional Requirements Rationale ............................ 21
5.4. Security Assurance Requirements Rationale ....................................... 21
6. TOE Summary Specification ......................................................................... 23
6.1. Hardware Design ................................................................................. 23
6.1.1. Interfaces .................................................................................. 23
PSTdiode ATKDDL
Security Target Lite
Pág. 4/24
Ref. 0555-24 R1.3
PSTdiode ATKDDL
Security Target Lite
Pág. 5/24
Ref. 0555-24 R1.3
List of Figures
1. TOE Overview ............................................................................................... 10
2. TOE Interfaces and Information Flow ........................................................... 23
PSTdiode ATKDDL
Security Target Lite
Pág. 6/24
Ref. 0555-24 R1.3
PSTdiode ATKDDL
Security Target Lite
Pág. 7/24
Ref. 0555-24 R1.3
List of Tables
1. Confidentiality Guarantee .............................................................................. 11
2. Integrity and Availability Guarantee .............................................................. 11
3. Security Objectives for the TOE .................................................................... 17
4. Security Objectives for the Operational Environment .................................... 17
5. Security Assurance Requirements .................................................................. 20
6. Security Requirements Rationale ................................................................... 21
PSTdiode ATKDDL
Security Target Lite
Pág. 8/24
Ref. 0555-24 R1.3
PSTdiode ATKDDL
Security Target Lite
Pág. 9/24
Ref. 0555-24 R1.3
1. Introduction
1.1. Security Target Reference
1 Title: PSTdiode ATKDDL Security Target
2 Security Target Version: 1.3
3 Author: Autek Ingeniería, S.L.
4 Security Target Date: 27/06/2019
1.2. TOE Reference
5 TOE Name: PSTdiode ATKDDL.
6 TOE Version: 1.0.0
7 Manufacturer: Autek Ingeniería, S.L.
1.3. TOE Overview
8 The TOE is composed of two PCI-Express cards. One of the cards is equipped with
a fibre optic transmitter, referred to as TX card (ATKDDL_TX). The other card is
equipped with a fibre optic receiver, referred to as RX card (ATKDDL_RX). The set
supports unidirectional data transfers of 1 Gbps.
1.3.1. TOE Use
9 The TOE has been designed to be installed in two standard PCs. The forseen use for
the TOE is unidirectional data transmission from the PC hosting the TX card to the
PC hosting the RX card. The TOE design guarantees that there is no information flow
in the reverse direction, making it adequate for all uses in which a physically assured
one-way information flow is required.
1.3.2. Type of TOE
10 The TOE is a hardware set (two PCI-Express cards) that constitute the core to build
a unidirectional transmission system between two networks not connected by any
other means.
1.3.3. Required Hardware and Software
11 The TOE needs two standard computers (not considered part of the TOE) with a PCI-
Express bus 2.1 or higher.
12 The operating system (not considered part of the TOE) of the computers can be Win-
dows (7 or higher) o Linux (Debian 9 or higher is recommended).
PSTdiode ATKDDL
Security Target Lite
Pág. 10/24
Ref. 0555-24 R1.3
13 Two software components, at a minimum, developed specifically to build a system
to allow data transmission and reception using the TOE.
1.4. TOE Description
14 The TOE is composed of two PC expanssion cards, PCI-Express. One of the cards is
exclussivelly a transmitter and the other is exclussivelly a receiver.
15 The set has been designed to be used as the core componenent to build a unidirec-
tional data transmission system, normally known as 'Data diode'. The TOE physically
guarantees a unidirectional communication.
16 The transmission speed of PSTdiode ATKDDL is 1 Gbps.
RX
RX
TX
TX
ATKDDL_TX
555-D-2
ATKDDL_RX
555-D-3
Figure 1. TOE Overview
1.4.1. Physical Scope
17 The TOE components are hand delivered by personnel from Autek Ingeniería S.L.
18 The TOE is composed of the following components:
• Transmitter card (ATKDDL_TX 1.0.0)
• Receiver card (ATKDDL_RX 1.0.0)
19 And by the CD-ROM ‘Software and Documentation’, containing:
• The 'User Manual' in PDF format (um_0555-10_r4.pdf).
1.4.2. Logical Scope
20 The TOE provides the following functionality:
• Unidirectional type of information transmission. Meaning that it guarantees that
all the information transferred between the transmitter card and the receiver
card flows in one unique direction, from the transmitter card to the receiver card.
1.5. Product Description
21 The TOE enables building a unidirectional transmission system.
PSTdiode ATKDDL
Security Target Lite
Pág. 11/24
Ref. 0555-24 R1.3
1.5.1. Use Cases
22 The use of a unidirectional transmission system built using the TOE is applicable to
several secure information exchange scenarios. Two of the most typical uses are de-
scribed in the following sections. In all cases, the unidirectional transmission system
must be the only connection path between the isolated security domains.
1.5.1.1. Confidentiality Guarantee
Security Proper-
ties
Typical Use Description
Confidentiality Classified net-
works
Introduction of information in a network with
a higher classification level than that of the
origin network. Guarantees that there is no in-
formation flow in the reverse direction, from
the network of higher classification or security
level to the lower one.
Table 1. Confidentiality Guarantee
1.5.1.2. Integrity and Availability Guarantee
Security Proper-
ties
Typical Use Description
Integrity
Availability
Isolated control
networks
Extraction of information to monitor an isolat-
ed industrial control network. Precludes intro-
duction of malware which may affect the in-
tegrity or availability of the industrial control
network.
Table 2. Integrity and Availability Guarantee
1.5.2. Product Content
23 The product is composed of the TOE and a fibre optic cable (LC-LC simplex) which
provides the physical connection between the transmitter card, TX card, and the re-
ceiver card, RX card, of the TOE.
24 Additionally, the product includes the following software components:
• Windows drivers to access the TOE.
• Libraries and TOE access application samples, as C++ source code, that facil-
itate the development of unidirectional transmission systems.
PSTdiode ATKDDL
Security Target Lite
Pág. 12/24
Ref. 0555-24 R1.3
PSTdiode ATKDDL
Security Target Lite
Pág. 13/24
Ref. 0555-24 R1.3
2. Conformance Claims
2.1. CC Conformance Claim
25 This Security Target is conformant with sections 2 and 3 of the CC v. 3.1, rev 5 stan-
dard and defines an evaluation assurance level EAL4 augmented with ALC_FLR.3
and AVA_VAN.5.
2.2. PP Conformance Claim
26 This Security Target has been developed specifically for PSTdiode ATKDDL
system's security problem and does not claim conformance with any protection pro-
file.
PSTdiode ATKDDL
Security Target Lite
Pág. 14/24
Ref. 0555-24 R1.3
PSTdiode ATKDDL
Security Target Lite
Pág. 15/24
Ref. 0555-24 R1.3
3. Security Problem Definition
3.1. Assets
27 There is only one asset to be protected by the TOE: the unidirectionality of the data
sent from the transmitter card to the receiver card.
3.2. Threats
28 The following threats are considered:
3.2.1. Information flow
29 T.R_TO_T_TRANSFER.
1. A remote user (without physical access to the PC hosting the transmitter card,
but with nework connectivity to it), manages to obtain, through the system, in-
formation from the receiver PC or other systems conncected to it.
2. A remote user (without physical access to the PC hosting the receiver card, but
with network connectivity to it), manages to transmit any kind of information
through the system, from the receiver PC to the transmitter PC.
3.3. Assumptions
30 A.PHYSEC. Both PCs hosting the transmitter and receiver cards (TOE hardware),
shall be deployed in a physically controlled environment.
31 A.LOCNOEVIL. Authorized administrators with physical access to the TOE
will not try to bypass the security functionality of the TOE.
32 A.SINGLECHAN. There are no other channels, apart from the TOE, through
which information can flow between both PCs in which the transmitter and receiver
cards are installed.
3.4. Organisational Policies
33 There are no organisational policies to be enforced by the TOE or its operational
environment.
PSTdiode ATKDDL
Security Target Lite
Pág. 16/24
Ref. 0555-24 R1.3
PSTdiode ATKDDL
Security Target Lite
Pág. 17/24
Ref. 0555-24 R1.3
4. Security Objectives
4.1. Security Objectives for the TOE
34 O.FLOW. The TOE implements the following information flow policy:
1. There are no restrictions on the information transmitted from transmitter to re-
ceiver.
2. There must be no information flowing from receiver to transmitter.
4.2. Security Objectives for the Operational
Environment
35 OE.PHYSEC. The PCs where both (transmitter and receiver) cards will be in-
stalled, will be placed in a physically controlled environment with access restrictions.
Obvious ways to bypass the system (such as directly connecting both computers with
a network cable) will be prevented by the organizational or physical measures of the
operational environment.
36 OE.LOCNOEVIL. The TOE will be installed and administered by authorized
administrators with physical access, and they will follow the TOE's secure use pro-
cedures.
37 OE.TOPOLOGY. The only possible way to connect the transmitter to receiver
PC is through the TOE.
4.3. Justification of Security Objectives
O.FLOW
T.R_TO_T_TRANSFER X
Table 3. Security Objectives for the TOE
38 Flow control objective O.FLOW counters the T.R_TO_T_TRANSFER threat.
OE.PHYSEC OE.LOCNOEVIL OE.TOPOLOGY
A.PHYSEC X
A.LOCNOEVIL X
A.SINGLECHAN X
Table 4. Security Objectives for the Operational Environment
39 The security objective for the operational environment OE.PHYSEC ensures that the
the A.PHYSEC assumption is directly fullfilled.
PSTdiode ATKDDL
Security Target Lite
Pág. 18/24
Ref. 0555-24 R1.3
40 The security objective for the operational environment OE.LOCNOEVIL directly
upholds the assumption A.LOCNOEVIL.
41 The security objective for the operational environment OE.TOPOLOGY directly up-
holds the assumption A.SINGLECHAN.
PSTdiode ATKDDL
Security Target Lite
Pág. 19/24
Ref. 0555-24 R1.3
5. TOE Security Requirements
5.1. Security Functional Requirements
42 This note applies to all security functional requirements: The TOE uses two sub-
jects: 'Input' and 'Output'. These subjects represent the information flowing into the
transmitter part and the information leaving the receiver part. These subjects have
no attributes.
43 Note: Despite the existence of a dependency, the FMT_MSA.3 requirement is not
included because there are no security attributes.
5.1.1. FDP_IFC.2 Complete information flow control
Hierarchical to: FDP_IFC.1 Subset information flow control
Dependencies: FDP_IFF.1 Simple security attributes
5.1.1.1. FDP_IFC.2.1
44 The TSF shall enforce the [assignment: information transfer policy] on [assignment:
'Input’, ‘Output’, all information] and all operations that cause that information to
flow to and from subjects covered by the SFP.
5.1.1.2. FDP_IFC.2.2
45 The TSF shall ensure that all operations that cause any information in the TOE to flow
to and from any subject in the TOE are covered by an information flow control SFP.
5.1.2. FDP_IFF.1 Simple security attributes
Hierarchical to: No other components
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialization
5.1.2.1. FDP_IFF.1.1
46 The TSF shall enforce the [assignment: information transfer policy] based on the
following types of subject and information security attributes: [assignment: ‘Input’,
‘Output’, all information].
5.1.2.2. FDP_IFF.1.2
47 The TSF shall permit an information flow between a controlled subject and controlled
information via a controlled operation if the following rules hold: [assignment: In-
formation flow from ‘Input’ to ‘Output’ is permitted].
5.1.2.3. FDP_IFF.1.3
48 The TSF shall enforce the [assignment: N/A].
PSTdiode ATKDDL
Security Target Lite
Pág. 20/24
Ref. 0555-24 R1.3
5.1.2.4. FDP_IFF.1.4
49 The TSF shall explicitly authorise an information flow based on the following rules:
[N/A].
5.1.2.5. FDP_IFF.1.5
50 The TSF shall explicitly deny an information flow based on the following rules: [as-
signment: Information flow from ‘Output’ to ‘Input’ is denied].
5.2. Security Assurance Requirements
51 TOE development and evaluation will be done in conformity with the following as-
surance level:
• EAL4 + ALC_FLR.3 + AVA_VAN.5
52 The security assurance requirements corresponding to this level with the cited en-
hancements are shown in Table 5, “Security Assurance Requirements”. Part 3 of
Common Criteria for Information Technology Securtiy Evaluation contains the de-
tailed description of these components.
Assurance Class Assurance components
ADV_ARC.1 Security architecture description
ADV_FSP.4 Complete functional specification
ADV_IMP.1 Implementation representation of the
TSF
ADV: Development
ADV_TDS.3 Basic modular design
AGD_OPE.1 Operational user guidance
AGD: Guidance documents
AGD_PRE.1 Preparative procedures
ALC_CMC.4 Production support, acceptance proce-
dures and automation
ALC_CMS.4 Problem tracking CM coverage
ALC_DEL.1 Delivery procedures
ALC_DVS.1 Identification of security measures
ALC_FLR.3 Systematic flaw remediation
ALC_LCD.1 Developer defined life-cycle model
ALC: Life-cycle support
ALC_TAT.1 Well-defined development tools
ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components definition
ASE_INT.1 ST introduction
ASE_OBJ.2 Security objectives
ASE: Security Target evaluation
ASE_REQ.2 Derived security requirements
PSTdiode ATKDDL
Security Target Lite
Pág. 21/24
Ref. 0555-24 R1.3
Assurance Class Assurance components
ASE_SPD.1 Security problem definition
ASE_TSS.1 TOE summary specification
ATE_COV.2 Analysis of coverage
ATE_DPT.1 Testing: basic design
ATE_FUN.1 Functional testing
ATE: Tests
ATE_IND.2 Independent testing - sample
AVA: Vulnerability assessment
AVA_VAN.5 Advanced methodical vulnerability
analysis
Table 5. Security Assurance Requirements
5.3. Security Functional Requirements Rationale
O.FLOW
FDP_IFC.2 X
FDP_IFF.1 X
Table 6. Security Requirements Rationale
5.3.1. Non Satisfied Dependencies Justification
53 FMT_MSA.3 dependency has not been satisfied because there are no security attrib-
utes.
5.3.2. Security Functional Requirements Rationale
54 The flow objective O.FLOW is met due to the existence of a complete flow control
policy FDP_IFC.2 between 'Input' and 'Output' subjects, managed in accordance with
the restrictions established in FDP_IFF.1.
5.4. Security Assurance Requirements Rationale
55 The desired security assurance for the TOE is the one provided by the evaluation
level EAL4 + ALC_FLR.3 + AVA_VAN.5.
56 This security assurance level has been chosen to assure the final user that the product
has been developed following a systematic engineering approach and development
best practices, beeing capable of resisting attacks of adversaries with high attack po-
tential.
PSTdiode ATKDDL
Security Target Lite
Pág. 22/24
Ref. 0555-24 R1.3
PSTdiode ATKDDL
Security Target Lite
Pág. 23/24
Ref. 0555-24 R1.3
6. TOE Summary Specification
57 The product PSTdiode ATKDDL guarantees compliance with security functional re-
quirements: FDP_IFC.2 and FDP_IFF.1. The information flow control policy is com-
plete and it explicitly applies in all cases.
58 The following sections detail the ways in which PSTdiode ATKDDL guarantees that
it explicitly allows the flow from 'Input' to 'Output' and explicitly denies any infor-
mation flow from 'Output' to 'Input'.
RX
RX
TX
TX
ATKDDL_TX
555-D-2
ATKDDL_RX
555-D-3
Input Output
I_WRITE I_READ
I_TRANSFER
Figure 2. TOE Interfaces and Information Flow
6.1. Hardware Design
59 PSTdiode ATKDDL is composed of one transmitter card (TX) and one receiver card
(RX). The information flow allowed is the one flowing from the transmitter card (TX)
to the receiver card (RX).
60 The hardware design of the product guarantees there cannot be an information flow
in the reverse direction, from the 'Output' to the 'Input':
• The transmitter card (TX) hardware lacks the components that would be nec-
essary to receive any information flow from the receiver card (RX).
• The receiver card (RX) hardware lacks the components that would be necessary
to transfer any information flow to the transmitter card (TX).
6.1.1. Interfaces
61 The TOE implements the hardware interfaces that allow data to enter the transmitter
card (TX), to be sent from the transmitter card (TX) to the receiver card (RX) and
to exit the receiver card (RX):
• The data input interface (I_WRITE) allows data to be sent to the transmitter
card (TX), through the PCI-Express bus, to be transferred in a unidirectional
manner to the receiver card (RX).
• The unidirectional data transfer interface (I_TRANSFER) allows transfer of
information from the transmitter card (TX) to the receiver card (RX) via fiber
optics.
PSTdiode ATKDDL
Security Target Lite
Pág. 24/24
Ref. 0555-24 R1.3
• The data output interface (I_READ) allows reading the data received by the
receiver card (RX), through the PCI-Express bus.