
Chain of Trust: Unraveling References Among Common Criteria Certified Products

Conference paper, ICT Systems Security and Privacy Protection (SEC 2024)

Abstract

With 5394 security certificates of IT products and systems, the Common Criteria for Information Technology Security Evaluation have bred an ecosystem entangled with various kinds of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria certified products remain largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen certified components that are relied on by at least 10% of the whole ecosystem – making them a prime target for malicious actors. The impact of their compromise is assessed and potentially problematic references to archived products are discussed.
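The abstract's core measurement, once references have been classified as real dependencies, is a reachability count over the reference graph: how large a share of the ecosystem is affected if one certified component is compromised, and which referenced certificates are no longer in the dataset. The following is an added illustration of that computation on a constructed toy graph; it is not the paper's code, not the sec-certs tool, and the product ids and the 10% threshold applied to it are assumptions.

```python
from collections import defaultdict, deque

# Constructed toy reference graph (not the paper's data): product id -> set of
# certified component ids it depends on; "archived-X" is absent from the dataset.
SAMPLE_DEPENDENCIES = {
    "crypto-lib-A": set(),
    "chip-B": {"crypto-lib-A"},
    "os-C": {"chip-B"},
    "applet-D": {"os-C"},
    "applet-E": {"os-C", "archived-X"},
    "hsm-F": {"crypto-lib-A"},
    "standalone-G": set(),
    "standalone-H": set(),
    "standalone-I": set(),
    "standalone-J": set(),
}

def build_reverse_graph(deps):
    """Map each referenced component to the products that reference it."""
    rev = defaultdict(set)
    for product, referenced in deps.items():
        for component in referenced:
            rev[component].add(product)
    return rev

def transitive_dependents(component, rev):
    """Products depending on `component` directly or via a chain: the blast
    radius of its compromise. The visited set keeps cyclic references finite."""
    seen, queue = set(), deque([component])
    while queue:
        for dependent in rev.get(queue.popleft(), ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen

def critical_components(deps, threshold=0.10):
    """{component: share} for components whose transitive dependents make up
    at least `threshold` of all certified products in `deps`."""
    rev = build_reverse_graph(deps)
    shares = {c: len(transitive_dependents(c, rev)) / len(deps) for c in deps}
    return {c: s for c, s in shares.items() if s >= threshold}

def dangling_references(deps):
    """Referenced ids missing from the dataset, e.g. archived certificates."""
    return {c for refs in deps.values() for c in refs if c not in deps}
```

On the toy graph, crypto-lib-A is reached by half of the products even though only two reference it directly, which is the kind of hidden concentration the reference graph exposes.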


Notes

  1. The data collected for this paper dates to November 1, 2023. When preparing the camera-ready version in April 2024, we repeated the automated experiments and confirmed that the results were consistent with those from November 2023. Due to the time-consuming nature of the manual experiments, we did not update the overall results in the paper.

  2. The sec-certs tool monitors for such mentions with 25 distinct regular expressions described in the related study [6].

  3. We provide the complete codebook for both the coarse-grained and the fine-grained categories in our repository [7].

  4. The ideal surrounding length was identified through a hyperparameter search.

  5. The largest component, an outlier with 707 certified products, was infeasible to analyze manually and was excluded from the analysis.

References

  1. Bundesamt für Sicherheit in der Informationstechnik: Product certification: IT security certification scheme Common Criteria (CC), version 4.1 (2023)

  2. Common Criteria: ISO/IEC 15408 Information technology - Security techniques - Evaluation criteria for IT security. In: ISO/IEC 15408-1:2022. ISO/IEC (2022)

  3. Common Criteria Recognition Arrangement Management Committee: Assurance continuity: CCRA requirements (2012)

  4. Common Criteria Recognition Arrangement Management Committee: Operating procedures: Certificate validity (2021)

  5. Decan, A., Mens, T., Claes, M.: On the topology of package dependency networks: a comparison of three programming language ecosystems. In: Proceedings of the 10th European Conference on Software Architecture Workshops, p. 21. ACM (2016)

  6. Janovsky, A., Jancar, J., Svenda, P., Chmielewski, Ł., Michalik, J., Matyas, V.: sec-certs: examining the security certification practice for better vulnerability mitigation. arXiv preprint (2023). https://www.sciencedirect.com/science/article/abs/pii/S0167404824001974

  7. Janovsky, A., Jancar, J., Svenda, P., et al.: sec-certs: a tool for data scraping and analysis of security certificates from Common Criteria and FIPS 140-2/3 frameworks (2024). https://github.com/crocs-muni/sec-certs/

  8. Joint Interpretation Library: Composite product evaluation for smartcards and similar devices (2018). Version 1.5.1

  9. jtsec: 2022 CC statistics report (2022). https://www.jtsec.es/files/2022%20CC%20Statistics%20Report.pdf. Accessed 14 Feb 2024

  10. Kaluvuri, S.P., Bezzi, M., Roudier, Y.: A quantitative analysis of common criteria certification practice. In: Eckert, C., Katsikas, S.K., Pernul, G. (eds.) TrustBus 2014. LNCS, vol. 8647, pp. 132–143. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-09770-1_12

  11. Liu, C., Chen, S., Fan, L., Chen, B., Liu, Y., Peng, X.: Demystifying the vulnerability propagation and its evolution via dependency trees in the NPM ecosystem. In: 44th IEEE/ACM International Conference on Software Engineering, ICSE 2022 (2022)

  12. McInnes, L., Healy, J., Melville, J.: UMAP: uniform manifold approximation and projection for dimension reduction. arXiv (2018). https://arxiv.org/abs/1802.03426

  13. Nemec, M., Sýs, M., Svenda, P., Klinec, D., Matyas, V.: The return of Coppersmith's attack: practical factorization of widely used RSA moduli. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1631–1648. ACM (2017)

  14. Netherlands Scheme for Certification in the Area of IT Security (NSCIB): NSCIB application form (2020). https://tuv-nederland.nl/assets/files/general-files/2020/01/nst_01_nscib_application_form_v2020-01-2020-01-31.doc

  15. Tierney, J., Boswell, T.: Common criteria: origins and overview. In: Mayes, K., Markantonakis, K. (eds.) Smart Cards, Tokens, Security and Applications, pp. 193–216. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-50500-8_8

  16. Zimmermann, M., Staicu, C., Tenny, C., Pradel, M.: Small world with high risks: a study of security threats in the NPM ecosystem. In: Heninger, N., Traynor, P. (eds.) 28th USENIX Security Symposium, USENIX Security 2019, pp. 995–1010 (2019)

Acknowledgements

The authors would like to thank the reviewers for their helpful comments. This paper is supported by the European Union under Grant Agreement No. 101087529. J. Jancar was supported by Red Hat Czech. A. Janovsky was supported by Invasys.

Corresponding author

Correspondence to Adam Janovsky.

Copyright information

© 2024 IFIP International Federation for Information Processing

About this paper

Cite this paper

Janovsky, A., Chmielewski, Ł., Svenda, P., Jancar, J., Matyas, V. (2024). Chain of Trust: Unraveling References Among Common Criteria Certified Products. In: Pitropakis, N., Katsikas, S., Furnell, S., Markantonakis, K. (eds) ICT Systems Security and Privacy Protection. SEC 2024. IFIP Advances in Information and Communication Technology, vol 710. Springer, Cham. https://doi.org/10.1007/978-3-031-65175-5_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-65174-8

  • Online ISBN: 978-3-031-65175-5

  • eBook Packages: Computer Science, Computer Science (R0)
