ATEN/IOGear Secure KVM Switch Series
Security Target
File Name: ATEN&IOGear Secure KVM Switch Series Security Target.DOC
Version: 1.5.1
Date: 2011/06/28
Author: ATEN
page 1
Contents
1 ST Introduction...........................................................................................................2
1.1 ST and TOE Reference..................................................................................2
1.1.1 Document Conventions...............................................................................2
1.2 TOE Overview................................................................................................3
1.3 TOE Description ............................................................................................4
1.4 TOE Boundaries.............................................................................................4
2 Conformance Claims ..................................................................................................8
2.1 Common Criteria Conformance...................................................................8
2.2 Protection Profile Conformance...................................................................8
2.3 Evaluation Assurance Level..........................................................................8
3 Security Problem Definition .......................................................................................9
3.1 Threats ............................................................................................................9
3.2 Organizational Security Policies...................................................................9
3.3 Assumptions....................................................................................................9
4 Security Objectives ...................................................................................................11
4.1 Security Objectives for the TOE ................................................................11
4.2 Security Objectives for the Environment ..................................................11
5 Extended Components Definition.............................................................................13
5.1 Class EXT: Extended...................................................................................13
6 Information Technology Security Requirements......................................................16
6.1 Target of Evaluation Security Requirements............................................16
6.2 Target of Evaluation Security Assurance Requirements.........................18
7 TOE Summary Specification....................................................................................20
7.1 TOE Security Functions..............................................................................20
8 Rationale ...................................................................................................................23
8.1 Rationale for Security Objectives...............................................................23
8.2 Rationale for Security Requirements.........................................................23
8.3 TOE Summary Specification Rationale.....................................................25
9 Acronyms & Reference.............................................................................................26
9.1 Acronyms......................................................................................................26
9.2 Reference ......................................................................................................26
page 2
1 ST Introduction
This Security Target (ST) defines the scope of the evaluation in terms of the
assumptions made, the intended environment for the ATEN/IOGear Secure KVM
Switch, the Information Technology (IT) security functional and assurance
requirements to be met, and the level of confidence (evaluation assurance level) to
which it is asserted that the ATEN/IOGear Secure KVM Switch satisfies its IT
security requirements. This document forms the baseline for the Common Criteria
(CC) evaluation.
1.1 ST and TOE Reference
ST Title: ATEN/IOGear Secure KVM Switch Series Security Target
TOE Identification:
 ATEN Secure KVM Model CS1182
 ATEN Secure KVM Model CS1184
 IOGear Secure KVM Model GCS1212TAA
 IOGear Secure KVM Model GCS1214TAA
ST Version: Version 1.5.1
Publication Date: 2011/06/28
Assurance Level: EAL 2 augmented with ALC_FLR.2
ST Author: ATEN
1.1.1 Document Conventions
The CC permits four types of operations to be performed on security functional
requirements: selection, assignment, refinement, and iteration. These operations are
identified in this ST in the following manner:
a. Selection: Indicated by surrounding brackets and italicized text, e.g., [selected
item].
b. Assignment: Indicated by surrounding brackets and regular text, e.g., [assigned
item].
c. Refinement: Indicated by underlined text, e.g., refined item for additions. Deleted
item for deletion.
The functional security requirements beyond those defined in the claimed PP are
page 3
identified by italicized text, e.g. FMT_SMF.1 (Specification of Management
Functions)
1.2 TOE Overview
This document addresses a DEVICE, hereinafter referred to as a “Peripheral Sharing
Switch” (PSS) or simply “SWITCH”--the Target of Evaluation (TOE)--permitting a
single set of HUMAN INTERFACE DEVICES to be shared among two or more
COMPUTERS.
The TOE must not have, and in fact must specifically preclude, any features that
permit USER information to be shared or transferred between COMPUTERS via the
TOE.
A PERIPHERAL PORT GROUP is a collection of DEVICE PORTS treated as a
single entity by the TOE. There is one GROUP for the set of SHARED
PERIPHERALS and one GROUP for each CONNECTED SWITCHED COMPUTER.
Each SWITCHED COMPUTER GROUP has some unique associated logical ID (i.e.
the SHARED PERIPHERALS PORT GROUPT include the console monitor, USB
mouse, USB keyboard, analog audio input device (ex: microphone) and analog audio
output device (ex: speaker), while the SWITCHED COMPUTER PERIPHERAL
PORT GROUP includes the DVI monitor connection, USB connection, and audio
input/output connection). The SHARED PERIPHERAL GROUP ID is considered to
be the same as that of the SWITCHED COMPUTER GROUP currently selected by
the TOE.
1.2.1 TOE Type
The TOE is with KVM (USB Keyboard, DVI-I Video, USB Mouse) switch
functionality by combining a 2/4 port KVM switch and audio (input & output) ports.
The TOE is normally installed in settings where a single USER with limited work
surface space needs to access two or more COMPUTERS, collectively termed
SWITCHED COMPUTERS (which need not be physically distinct entities). The
USER may have a KEYBOARD, a visual display (e.g., MONITOR), a POINTING
DEVICE (e.g., mouse) and audio input/output device. These are collectively referred
to as the SHARED PERIPHERALS.
In operation, the TOE will be CONNECTED to only one COMPUTER at a time. To
use a different COMPUTER, the USER must perform some specific action. The TOE
page 4
will then visually indicate which COMPUTER was selected by the USER. Such
indication is persistent and not transitory in nature.
1.2.2 Non-TOE hardware/software/firmware
There are no hardware/software/firmware components of the TOE that are outside of
the scope of evaluation.
1.3 TOE Description
The TOE is with KVM (USB Keyboard, DVI-I Video, USB Mouse) switch
functionality by combining a 2/4 port KVM switch and audio (input & output) ports.
As a KVM switch, the TOE allows users to access two or four computers from a
single set USB keyboard, USB mouse, and DVI-I monitor console.
In ATEN/IOGear Secure KVM Switch, keyboard/mouse, video, and audio are
processed by different chipsets. The keyboard/mouse is processed by ATEN
developed ASIC. The video signal is process by a video switch chipset and the audio
is process by another analog switch (multiplexer). For video and audio, the chipsets
only switch between different channels and let the video/audio signal pass through.
Setup is fast and easy; simply plug cables into their appropriate ports. There is no
software to configure, no firmware to be upgraded, no boards to configure, no
installation routines, and no incompatibility problems. The only one method to access
the computers is by pushbuttons located on the unit’s front panel. Since the TOE
intercepts keyboard input directly, it works on multiple computing platforms (PC
(x86/x64), Macintosh PowerPC, and Sun Microsystems Sparc). The TOE is designed
by its unique security architecture which the TOE itself doesn’t allow the private data
shared among the connected computers. Thus users can access to connected
computers from a single set of console via TOE even the computers are located in
different networks (classified/unclassified) since the private data are totally separated.
1.4 TOE Boundaries
1.4.1 Physical Boundary
This following tables list the hardware/firmware components and its accompanying
guidance documents of the product and denotes which are in the TOE and which are
in the environment.
Hardware Components
page 5
TOE Model Ports Interface
ATEN CS1182 2 Dual Link DVI-I, USB Keyboard, USB mouse,
Analog Audio input (ex: Microphone) and
Analog Audio output (ex: Speaker), Switch
Buttons, LED indicators
ATEN CS1184 4 Dual Link DVI-I, USB Keyboard, USB mouse,
Analog Audio input (ex: Microphone) and
Analog Audio output (ex: Speaker), Switch
Buttons, LED indicators
IOGear
GCS1212TAA
2 Dual Link DVI-I, USB Keyboard, USB mouse,
Analog Audio input (ex: Microphone) and
Analog Audio output (ex: Speaker), Switch
Buttons, LED indicators
IOGear
GCS1214TAA
4 Dual Link DVI-I, USB Keyboard, USB mouse,
Analog Audio input (ex: Microphone) and
Analog Audio output (ex: Speaker), Switch
Buttons, LED indicators
TOE/Environment Component Description
TOE ATEN CS1182
ATEN CS1184
IOGear GCS1212TAA
IOGear GCS1214TAA
TOE Hardware
Environment USB Keyboard Member of Peripheral
Group
Environment USB Mouse Member of Peripheral
Group
Environment DVI Monitor Member of Peripheral
Group
Environment Audio Input/Output (eg: Speaker
and Microphone)
Member of Peripheral
Group
Environment Host Computers Computer Environment
Firmware Components
TOE Model Firmware
ATEN CS1182
FW v1.0.064
ATEN CS1184
IOGear GCS1212TAA
page 6
IOGear GCS1214TAA
Guidance Documents
The guidance documents that accompany the TOE are:：
TOE Model AGD_OPE/AGD_PRE Guidance
ATEN CS1182 ATEN Secure KVM Switch Series Guidance v1.2.pdf
ATEN CS1184
IOGear GCS1212TAA IOGear Secure KVM Switch Series Guidance v1.2.pdf
IOGear GCS1214TAA
1.4.2 Logical Boundaries
The Logical Scope and Boundary of the TOE consists of the security functions and
features provided by the TOE. The security functions include Information Flow
Control (TSF_IFC), Security Management (TSF_MGT), and Self Protection
(TSF_SPT).
1.4.2.1 Information Flow Control (TSF_IFC)
Per request of Peripheral Sharing Switch (PSS) for Human Interface Devices
Protection Profile, Version 2.1, dated September 07, 2010. Data Separation Security
Function Policy (SFP) is implemented in the TOE. The TOE shall allow
PERIPHERAL DATA to be transferred only between PERIPHERAL PORT
GROUPS with the same ID. The TOE processes mainly keyboard/mouse data,
keyboard LED data, Data Display Channel information, video signals, audio data and
USB status. The TOE itself is neither concerned with the USER’S information in the
shared computers nor the information flowing between the SHARED PERIPHERALS
and the SWITCHED COMPUTERS. It is only providing a CONNECTION between
the HUMAN INTERFACE DEVICES and a selected COMPUTER at any given
instant. As long as the guidance is followed by the Administrator while configuring
and using the TOE, only valid USB devices are accepted by the TOE. Therefore the
user information flows are safe. A more detailed explanation of TSF_IFC
implementation is described in Section 7.1.1.
All USB devices connected to the USB keyboard/mouse ports of the Peripheral switch
shall be interrogated to ensure that they are valid (pointing device, keyboard). No
further interaction with non-valid devices shall be performed.
1.4.2.2 Security Management (TSF_MGT)
There are two (CS1182/GCS1212TAA) or four (CS1184/GCS1214TAA) pushbuttons
page 7
on the TOE front panel. The only one method to access the computers via TOE is by
pushbuttons. By pressing the pushbutton, user can explicitly determine which port he
wants to select or which computer he wants to switch to, which means user can
explicitly determine which computer is connected to the shared set of peripherals.
There are also two LED indicators (one green, one orange) located above each
pushbutton. The green LED indicator of a specific port lights when there is a
computer connected on that port and powered on (the green LED indicator is lit when
there is a powered-on USB connection between the TOE and any connected
computers). Once a specific computer is selected by the user, which means the share
set of peripherals switches to that port of computer, the orange LED indicator lights.
An explanation of TSF_MGT implementation is described in Section 7.1.2
1.4.2.3 Self Protection (TSF_SPT)
This function intends to protect the set of peripheral devices connected to the TOE.
Any attempt to open the TOE will trigger a Tamper Detection switch. Once the TOE
is physically tampered, The LED lights on the front panel flash to remind and alert the
administrator. All TOE functions are disabled.
The firmware of the TOE embedded in the ROMs is contained in
one-time-programmable ROM inside the ASIC which is permanently attached
(non-socketed) to a circuit assembly. So there is no way to modify the firmware. A
more detailed explanation of TSF_SPT implementation is described in Section 7.1.3
page 8
2 Conformance Claims
2.1 Common Criteria Conformance
This ST has been prepared in accordance with and is conformant to:
 Common Criteria for Information Technology Security Evaluation (CC), Version
3.1, Revision 3, July 2009 (CCMB-2009-07-001, CCMB-2009-07-002,
CCMB-2009-07-003)
 Common Methodology for Information Technology Security Evaluation,
Evaluation Methodology, Version 3.1, Revision 3, July 2009
(CCMB-2009-07-004).
The ST claims the following CC conformance:
 Parts 2 extended and contain 4 extended security requirements
 EXT_VIR.1 Visual Indication Rule
 EXT_IUC.1 Invalid USB Connection
 EXT_ROM.1 Read-Only ROMs
 EXT_TMP.1 Physical Tampering Security
 Parts 3 conformant
2.2 Protection Profile Conformance
This ST claims demonstrable compliance to the Protection Profile:
Peripheral Sharing Switch (PSS) for Human Interface Devices Protection Profile,
Version 2.1 dated September 7, 2010
2.3 Evaluation Assurance Level
EAL 2+ (augmented with ALC_FLR.2 (Flaw reporting procedures)
page 9
3 Security Problem Definition
The security problem definition shows the threats, Organizational security policies
(OSPs) and assumptions that must be countered, enforced and upheld by the TOE and
its operational environment.
3.1 Threats
A threat consists of a threat agent, an asset and an adverse action of that threat agent
on that asset.
T.INVALIDUSB The AUTHORIZED USER will connect unauthorized USB
devices to the peripheral switch.
T.RESIDUAL RESIDUAL DATA may be transferred between PERIPHERAL
PORT GROUPS with different IDs.
T.ROM_PROG The TSF may be modified by an attacker such that code
embedded in reprogrammable ROMs is overwritten, thus leading
to a compromise of the separation-enforcing components of the
code and subsequent compromise of the data flowing through
the TOE.
T.SPOOF Via intentional or unintentional actions, a USER may think the
set of SHARED PERIPHERALS are CONNECTED to one
COMPUTER when in fact they are connected to a different one.
T.TRANSFER A CONNECTION, via the TOE, between COMPUTERS may
allow information transfer.
3.2 Organizational Security Policies
None.
3.3 Assumptions
The following usage assumptions are made about the intended environment of the
TOE.
A.ACCESS An AUTHORIZED USER possesses the necessary privileges to
access the information transferred by the TOE. USERS are
AUTHORIZED USERS.
A.MANAGE The TOE is installed and managed in accordance with the
manufacturer’s directions.
page 10
Application Note: The installed USB devices connected to the
TOE do not buffer and transfer data to other COMPUTERS
except the currently CONNECTED COMPUTER.
A.NOEVIL The AUTHORIZED USER is non-hostile and follows all usage
guidance.
A.PHYSICAL The TOE is physically secure.
page 11
4 Security Objectives
4.1 Security Objectives for the TOE
The following security objectives are intended to be satisfied by the TOE
O.CONF The TOE shall not violate the confidentiality of information
which it processes. Information generated within any
PERIPHERAL GROUP COMPUTER CONNECTION shall not
be accessible by any other PERIPHERAL GROUP with a
different GROUP ID.
O.INDICATE The AUTHORIZED USER shall receive an unambiguous
indication of which SWITCHED COMPUTER has been
selected.
O.ROM TOE software/firmware shall be protected against unauthorized
modification. Embedded software must be contained in
mask-programmed or one-time-programmable read-only
memory permanently attached (non-socketed) to a circuit
assembly.
O.SELECT An explicit action by the AUTHORIZED USER shall be used to
select the COMPUTER to which the shared set of
PERIPHERAL DEVICES is CONNECTED Single push button,
multiple push button, or rotary selection methods are used by
most (if not all) current market products. Automatic switching
based on scanning shall not be used as a selection mechanism.
O.SWITCH All DEVICES in a SHARED PERIPHERAL GROUP shall be
CONNECTED to at most one SWITCHED COMPUTER at a
time.
O.USBDETECT The TOE shall detect any USB connection that is not a pointing
device, keyboard, or display and will perform no interaction with
that device after the initial identification.
4.2 Security Objectives for the Environment
The following security objectives for the environment of the TOE must be satisfied in
order for the TOE to fulfill its own security objectives.
OE.ACCESS The AUTHORIZED USER shall possess the necessary privileges
page 12
to access the information transferred by the TOE. USERS are
AUTHORIZED USERS.
OE.MANAGE The TOE shall be installed and managed in accordance with the
manufacturer’s directions.
OE.NOEVIL The AUTHORIZED USER shall be non-hostile and follow all
usage guidance.
OE.PHYSICAL The TOE shall be physically secure.
page 13
5 Extended Components Definition
This section specifies the extended SFRs for the TOE.
5.1 Class EXT: Extended
This class provides four families specifically concerned with Part 2 of the Common
Criteria does not provide a component appropriate to express the requirement for
 EXT_VIR.1 Visual Indication Rule
 EXT_IUC.1 invalid USB Connection
 EXT_ROM.1 Read-Only ROMs
 EXT_TMP.1 Physical Tampering Security
5.1.1 Visual Indication Rule (EXT_VIR)
Family Behaviour
This family defines requirements for the visual method of indicating which
COMPUTER is CONNECTED to the shared set of PERIPHERAL DEVICES shall be
provided that is persistent for the duration of the CONNECTION
Component leveling
Management: EXT_VIR.1
There are no management activities foreseen.
Audit: EXT_VIR.1
There are no auditable events foreseen.
EXT_VIR.1 Visual Indication Rule
Hierarchical to: No other components
Dependencies: None
EXT_VIR.1.1 A visual method of indicating which COMPUTER is
CONNECTED to the shared set of PERIPHERAL DEVICES
shall be provided that is persistent for the duration of the
CONNECTION.
EXT_VIR: Visual Indication Rule 1
page 14
5.1.2 Invalid USB Connection (EXT_IUC)
Family Behaviour
This family defines requirements for the interrogation of all USB devices connected
to the Peripheral switch to ensure that they are valid (pointing device, keyboard,
display).
Component leveling
Management: EXT_IUC.1
There are no management activities foreseen.
Audit: EXT_IUC.1
There are no auditable events foreseen.
EXT_IUC.1 Invalid USB Connection
Hierarchical to: No other components
Dependencies: None
EXT_IUC.1.1 All USB devices connected to the Peripheral switch shall be
interrogated to ensure that they are valid (pointing device,
keyboard, display). No further interaction with non-valid devices
shall be performed.
5.1.3 Read-Only ROMs (EXT_ROM)
Family Behaviour
This family defines requirements for the TSF software/firmware which must be
contained in mask-programmed or one-time-programmable read-only memory
permanently attached (non-socketed) to a circuit assembly.
Component leveling
Management: EXT_ROM.1
There are no management activities foreseen.
EXT_ROM: Read-Only ROMs 1
EXT_IUC: Invalid USB Connection 1
page 15
Audit: EXT_ROM.1
There are no auditable events foreseen.
EXT_ROM.1 Read-Only ROMs
Hierarchical to: No other components
Dependencies: None
EXT_ ROM.1.1 EXT_ROM.1.1 TSF software embedded in TSF ROMs must be
contained in mask-programmed or one-time-programmable
read-only memory permanently attached (non-socketed) to a
circuit assembly.
5.1.4 Physical Tampering Security (EXT_TMP)
Family Behaviour
This family defines requirements for the protection of the set of peripheral devices
connected to the TOE. Any attempt to open the enclosure will trigger a Tamper
Detection switch. Once the Tamper Detection switch is triggered, all TOE functions
are disabled
Component leveling
Management: EXT_TMP.1
There are no management activities foreseen.
Audit: EXT_TMP.1
There are no auditable events foreseen.
EXT_TMP.1 Physical Tampering Security
Hierarchical to: No other components
Dependencies: None
EXT_TMP.1.1 Any attempt to open the enclosure of the TOE will trigger a
Tamper Detection switch. Once the Tamper Detection switch is
triggered, all TOE functions are disabled.
EXT_TMP: Physical Tampering Security 1
page 16
6 Information Technology Security Requirements
6.1 Target of Evaluation Security Requirements
Words which appear in italics are tailoring (via permitted operations) of requirement
definitions.
6.1.1 User Data Protection (FDP)
6.1.1.2 FDP_IFC.1 (Subset Information Flow Control)
[Dependencies FDP_IFF.1]
1. The TSF shall enforce the [Data Separation SFP] on [the set of
PERIPHERAL PORT GROUPS, and the bi-directional flow of
PERIPHERAL DATA between the SHARED PERIPHERALS and the
SWITCHED COMPUTERS].
6.1.1.3 FDP_IFF.1 (Simple Security Attributes) [Dependencies: FDP_IFC.1
and FMT_MSA.3]
1. The TSF shall enforce the [Data Separation SFP] based on the
following types of subject and information security attributes:
[PERIPHERAL PORT GROUPS (SUBJECTS), PERIPHERAL
DATA, and PERIPHERAL PORT GROUP IDs (ATTRIBUTES)].
2. The TSF shall permit an information flow between a controlled subject
and controlled information via a controlled operation if the following
rules hold:
[Switching Rule: PERIPHERAL DATA can flow to a PERIPHERAL
PORT GROUP with a given ID only if it was received from a
PERIPHERAL PORT GROUP with the same ID].
3. The TSF shall enforce the [No additional information flow control SFP
rules.]
4. The TSF shall provide the following: [No additional SFP capabilities.]
5. The TSF shall explicitly authorize an information flow based on the
following rules: [No additional rules.]
6. The TSF shall explicitly deny an information flow based on the
following rules: [No additional rules.]
6.1.2 Security Management (FMT)
6.1.2.1 FMT_MSA.1 (Management of Security Attributes)
[Dependencies: (FDP_ACC.1 or FDP_IFC.1) FMT_SMR.1, and
page 17
FMT_SMF.1]
1. The TSF shall enforce the [Data Separation SFP] to restrict the ability
to [modify] the security attributes [PERIPHERAL PORT GROUP IDS]
to [the USER].
Application Note: An AUTHORIZED USER shall perform an explicit
action to select the COMPUTER to which the shared set of
PERIPHERAL devices is CONNECTED, thus effectively modifying
the GROUP ID associated with the PERIPHERAL DEVICES.
6.1.2.2 FMT_MSA.3 (Static Attribute Initialization)
[Dependencies: FDP_MSA.1 and FMT_SMR.1]
1. The TSF shall enforce the [Data Separation SFP] to provide [restrictive]
default values for security attributes that are used to enforce the SFP.
Application Note: On start-up, one and only one attached COMPUTER
shall be selected.
2. The TSF shall allow the [none] to specify alternative initial values to
override the default values when an object or information is created.
6.1.2.3 FMT_SMF.1 (Specification of Management Functions)
[No dependencies]
1. The TSF shall be capable of performing the following management
functions: [selection of the CONNECTED PERIPHERAL PORT
GROUP].
Application Note: This SFR is missing in the PSS PP which is required
by FMT_MSA.1.
6.1.3 Extended Requirements (EXT)
6.1.3.1 EXT_VIR.1 (Visual Indication Rule)
[No dependencies]
1. A visual method of indicating which COMPUTER is CONNECTED to
the shared set of PERIPHERAL DEVICES shall be provided that is
persistent for the duration of the CONNECTION.
Application Note: Does not require tactile indicators, but does not
preclude their presence.
6.1.3.2 EXT_IUC.1 (Invalid USB Connection)
[No dependencies]
1. All USB devices connected to the Peripheral switch shall be
interrogated to ensure that they are valid (pointing device, keyboard,
display). No further interaction with non-valid devices shall be
performed.
page 18
6.1.3.3 EXT_ROM.1 (Read-Only ROMs)
[No dependencies]
1. TSF software embedded in TSF ROMs must be contained in
mask-programmed or one-time-programmable read-only memory
permanently attached (non-socketed) to a circuit assembly.
6.1.3.4 EXT_TMP.1 (Physical Tampering Security)
[No dependencies]
1. Any attempt to open the enclosure of the TOE will trigger a Tamper
Detection switch. Once the Tamper Detection switch is triggered, all
TOE functions are disabled.
6.2 Target of Evaluation Security Assurance Requirements
The following table describes the TOE security assurance requirements drawn from
Part 3 of the CC. The security assurance requirements represent EAL2 augmented
with ALC_FLR.2.
Assurance Class
Assurance Components
Identifier Name
ADV: Development
ADV_ARC.1 Security architecture description
ADV_FSP.2
Security-enforcing Functional
Specification
ADV_TDS.1 Basic design
AGD: Guidance
documents
AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
ALC: Life-cycle support
ALC_CMC.2 Use of a CM system
ALC_CMS.2 Parts of the TOE CM coverage
ALC_DEL.1 Delivery procedures
ALC_FLR.2 Flaw Reporting Procedures
ASE: Security Target
evaluation
ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components definition
ASE_INT.1 ST introduction
page 19
ASE_OBJ.2 Security objectives
ASE_REQ.2 Derived security requirements
ASE_SPD.1 Security problem definition
ASE_TSS.1 TOE summary specification
ATE: Tests
ATE_COV.1 Evidence of coverage
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing - sample
AVA: Vulnerability
assessment
AVA_VAN.2 Vulnerability analysis
page 20
7 TOE Summary Specification
This section summarizes the security functions and described the security functions
implemented in the TOE. This section also describes the applied assurance measures
to ensure the correct security function implementation
7.1 TOE Security Functions
The security functions performed by the TOE include Data Separation (TSF_IFC),
Security Management (TSF_MGT), and Self Protection (TSF_SPT)
7.1.1 Information Flow Control (TSF_IFC)
Per requirement of Peripheral Sharing Switch (PSS) for Human Interface Devices
Protection Profile, Version 2.1, dated September 07, 2010. , Data Separation Security
Function Policy (SFP) is implemented in the TOE. The TOE shall allow
PERIPHERAL DATA to be transferred only between PERIPHERAL PORT GROUPS
with the same ID. The TOE processes mainly keyboard/mouse data, keyboard LED
data, Data Display Channel information, video signals, audio data and USB status.
The TOE itself is neither concerned with the USER’S information in the shared
computers nor the information flowing between the SHARED PERIPHERALS and
the SWITCHED COMPUTERS. It is only providing a CONNECTION between the
HUMAN INTERFACE DEVICES and a selected COMPUTER at any given instant.
As long as the guidance is followed by the Administrator while configuring and using
the TOE, only valid USB devices are accepted by the TOE. Therefore the user
information flows are safe.
The TOE deals with following type of signals: keyboard (including its LED) data,
mouse data, USB status, audio (input/output) data and video signals. The TOE
collects subsets of the signals and transfer to connected switched computers. There is
no data or information flowed between CONNECTED COMPUTERS.
By using specifically designed hardware and firmware, The TOE ensures the data
separation for all paths of signals. The user data is not stored or buffered for video and
audio data in the TOE. The keyboard and mouse data are not stored but are buffered
and sent to the CONNECTED COMPUTER. These buffers are zeroized before the
PERIPHERAL GROUP ID is changed. However the keyboard Num/Cap/Scr lock
status for each COMPUTER is kept in the TOE to resume lock status of the keyboard.
page 21
There is no possibility to forward the buffered data to the next selected COMPUTER.
In the firmware, specially designed functions are dedicated for Data Separation
Functions. Static memory is assigned for these functions without any third-party
libraries or multitasking executives.
Concerning the audio (input/output), the audio data separation mechanism is the same
as the above mechanism. No data will be buffered and sent to other computer.
In operation the TOE itself is neither concerned with the USER’S information in the
shared computers nor the information flowing between the SHARED PERIPHERALS
and the SWITCHED COMPUTERS. It only provides a single connection between the
shared peripheral group and the one selected computer supporting the Data Separation
Security Functional Policy – “the TOE shall allow peripheral data and state
information to be transferred only between peripheral port groups with the same ID.”
FUNCTIONAL REQUIREMENTS SATISFIED: FDP_IFC.1, FDP_IFF.1
All USB devices connected to the Peripheral switch shall be interrogated to ensure
that they are valid (pointing device and keyboard). No further interaction with
non-valid devices shall be performed.
FUNCTIONAL REQUIREMENTS SATISFIED: EXT_IUC
7.1.2 Security Management (TSF_MGT)
There are two (CS1182/GCS1212TAA) or four (CS1184/GCS1214TAA) pushbuttons
on the TOE front panel. The only one method to access the computers via TOE is by
pushbuttons. By pressing the pushbutton, user can explicitly determine which port he
wants to select or which computer he wants to switch to, which means user can
explicitly determine which computer is connected to the shared set of peripherals.
There are also two LED indicators (one green, one orange) located above each
pushbutton. The green LED indicator of a specific port lights when there is a
computer connected on that port and powered on. Once a specific computer is
selected by the user, which means the share set of peripherals switches to that port of
computer, the orange LED indicator lights.
FUNCTIONAL REQUIREMENTS SATISFIED: FMT_MSA.1, FMT_MSA.3,
TMT_SMF.1, EXT_VIR.1, FDP_IFF.1
7.1.3 Self Protection (TSF_SPT)
This function intends to protect the set of peripheral devices connected to the TOE.
Any attempt to open the TOE will trigger a Tamper Detection switch. The Tamper
page 22
Detection switch inside the TOE is powered by a dedicated battery. This switch will
be triggered once the enclosure cover of the TOE is opened. Once the Tamper
Detection switch is removed, the orange LED lights on the front panel flash to remind
and alert the administrator. All TOE functions and the TOE itself are disabled. All the
operations could not be restored. Since the ROM inside the TOE is OTP (One time
programmable), there is no way for the user to reset or recover the system once the
firmware runs into the disable loop after the switch is triggered. The TOE has to be
returned to ATEN/IOGEAR. ATEN/IOGear will either change a new main board and
then send back to the customer or exchange with new hardware. The contact
information is listed as follows:
ATEN/IOGEAR U.S.A Subsidiary
ATEN Technology Inc.
Website:
Address:
Phone:
Fax:
E-mail:
http://www.aten-usa.com
19641 DaVinci
Foothill Ranch, CA 92610, U.S.A
+1-949-428-1111
+1-949-428-1100
sales@aten-usa.com
For customers outside the US, please contact our regional branch offices or
headquarters listed below for more detailed information
http://www.aten.com/about/about_branch.php?cssflag=branch
FUNCTIONAL REQUIREMENTS SATISFIED: EXT_TMP
The OTP ROM in the ASIC which is soldered on the PCB ensures the firmware
inside the TOE will not be modified or corrupted.
FUNCTIONAL REQUIREMENTS SATISFIED: EXT_ROM
page 23
8 Rationale
8.1 Rationale for Security Objectives
This section shows that all assumptions and threats are countered by security
objectives, and that each security objective addresses at least one assumption or
threat.
8.1.1 Rationale for Security Objectives for the TOE
This section provides a mapping of TOE security objectives to those threats that the
TOE is intended to counter, and to those assumptions that must be met.
This ST claims conformance to the [PSS_PP] with identical security objectives for the
TOE. Therefore the security objectives rationale provided in “[PSS_PP] - Section 6.1”
are claimed to be consistent with this ST.
8.1.2 Rationale for Security Objectives for the Environment
This section provides a mapping of environment security objectives to those threats
that the environment is expected to counter, and to those assumptions that must be
met.
This ST claims conformance to the [PSS_PP] with identical security objectives for the
Environment. Therefore the security objectives rationale provided in “[PSS_PP] -
Section 6.2” are claimed to be consistent with this ST.
8.2 Rationale for Security Requirements
In this section, the security objectives are mapped to the functional requirements and
the rationale is provided for the selected EAL and its components and augmentation.
8.2.1 Rationale for TOE security functional requirements
This section demonstrates that all security objectives for the TOE are met by security
functional requirements for the TOE, and that each security functional requirement for
the TOE addresses at least one security objective for the TOE. The functional
requirements are mutually supportive, and their combination meets the security
objectives.
This ST claims conformance to the [PSS_PP] with identical security objectives and
page 24
security functional requirements (except: EXT_TMP.1 Physical Tampering Security)
for the TOE. Therefore the security objectives rationale provided in “[PSS_PP] -
Section 6.3” are claimed to be consistent with this ST. The rationale of the additional
security functional requirements (EXT_TMP.1 Physical Tampering Security) is
provided in the following table.
Objective
Requirements
Addressing
the Objective
Rationale
O.ROM
TOE software/firmware shall be
protected against unauthorized
modification. Embedded
software must be contained in
mask-programmed or
one-time-programmable
read-only memory permanently
attached (non-socketed) to a
circuit assembly.
EXT_TMP.1
Physical
Tampering
Security
EXT_TMP.1 implements the
O.ROM objective indirectly.
Any attempt to open the
enclosure of the TOE will
trigger a Tamper Detection
switch. Once the Tamper
Detection switch is triggered, all
TOE functions are disabled.
Therefore this requirement
ensures that the TSF code will
not be overwritten or modified.
NOTE: There are some previous information (not necessary anymore),
FDP_ETC.1 and FDP_ITC.1, remained in “[PSS_PP] - Section 6.3”.
8.2.2 Rationale for Security Assurance Requirements (SAR)
EAL2 augmented with ALC_FLR.2 was chosen to provide a low to moderate level of
assurance that is consistent with good commercial practices. As such minimal
additional tasks are placed upon the vendor assuming the vendor follows reasonable
software engineering practices and can provide support to the evaluation for design
and testing efforts. The chosen assurance level is appropriate with the threats defined
for the environment. The TOE is expected to be in a non-hostile position and
embedded in or protected by other products designed to address threats that
correspond with the intended environment. At EAL2 augmented with ALC_FLR.2,
the TOE will have incurred a search for obvious flaws to support its introduction into
the non-hostile environment. The assurance claim is consistent to meet the
requirements of a Basic Robustness TOE environment.
8.2.3 Dependencies Rationale
page 25
The dependency of FMT_SMR.1 is not meet with CC. The rationale is as follow.
FMT_SMR.1 (Security Roles)
The TOE is not required to associate USERS with roles; hence, there is only one
“role”, that of USER. This deleted requirement, a dependency of FMT_MSA.1 and
FMT_MSA.3, allows the TOE to operate normally in the absence of any formal roles.
8.3 TOE Summary Specification Rationale
This section contains a table which relates the security functional requirements to the
TOE security functions. The rationale that the security functions cover the security
functional requirements is provided in Section 7.1 TOE Security Functions.
Information
Flow
Control
(TSF_IFC)
Security
Management
(TSF_MGT)
Self
Protection
(TSF_SPT)
FDP_IFC.1 X
FDP_IFF.1 X X
FMT_MSA.1 X
FMT_MSA.3 X
FMT_SMF.1 X
EXT_VIR.1 X
EXT_IUC.1 X
EXT_ROM.1 X
EXT_TMP.1 X
page 26
9 Acronyms & Reference
9.1 Acronyms
CC Common Criteria
DVI-I Digital Video Interface - Integrated
LED Light Emitting Diode
USB Universal Serial Bus
9.2 Reference
[PSS_PP] Peripheral Sharing Switch (PSS) for Human Interface Devices Protection
Profile, Version 2.1, dated September 7, 2010