sec-certs: Examining the security certification practice for better vulnerability mitigation

Warning

This publication doesn't include Faculty of Arts. It includes Faculty of Informatics. Official publication website can be found on muni.cz.
Authors

JANOVSKÝ Adam JANČÁR Ján ŠVENDA Petr CHMIELEWSKI Lukasz Michal MICHALÍK Jiří MATYÁŠ Václav

Year of publication 2024
Type Article in Periodical
Magazine / Source Computers & Security
MU Faculty or unit

Faculty of Informatics

Citation
Web https://www.sciencedirect.com/science/article/pii/S0167404824001974
Doi http://dx.doi.org/10.1016/j.cose.2024.103895
Keywords Security certification; Common Criteria; Vulnerability assessment; Data analysis; Smartcards
Description Products certified under security certification frameworks such as Common Criteria undergo significant scrutiny during the costly certification process. Yet, critical vulnerabilities, including private key recovery (ROCA, Minerva, TPM-Fail...), get discovered in certified products with high assurance levels. Furthermore, assessing which certified products are impacted by such vulnerabilities is complicated due to the large amount of unstructured certification-related data and unclear relationships between the certified products. To address these problems, we conducted a large-scale automated analysis of Common Criteria certificates. We trained unsupervised models to learn which vulnerabilities from NIST’s National Vulnerability Database impact existing certified products and how certified products reference each other. Our tooling automates the analysis of tens of thousands of certification-related documents, extracting machine-readable features where manual analysis is unattainable. Further, we identify the security requirements that are associated with products being affected by fewer and less severe vulnerabilities. This indicates which aspects of certification correlate with higher security. We demonstrate how our tool can be used for better vulnerability mitigation on four case studies of known, high-profile vulnerabilities. All tools and continuously updated results are available at https://sec-certs.org.
Related projects:

You are running an old browser version. We recommend updating your browser to its latest version.