Chain of Trust: Unraveling References Among Common Criteria Certified Products

Warning

This publication doesn't include Faculty of Arts. It includes Faculty of Informatics. Official publication website can be found on muni.cz.
Authors

JANOVSKÝ Adam CHMIELEWSKI Lukasz Michal ŠVENDA Petr JANČÁR Ján MATYÁŠ Václav

Year of publication 2024
Type Article in Proceedings
Conference ICT Systems Security and Privacy Protection. SEC 2024. IFIP Advances in Information and Communication Technology
MU Faculty or unit

Faculty of Informatics

Citation
Web https://link.springer.com/chapter/10.1007/978-3-031-65175-5_14
Doi http://dx.doi.org/10.1007/978-3-031-65175-5_14
Keywords security certification; Common Criteria; FIPS 140; security evaluation
Description With 5394 security certificates of IT products and systems, the Common Criteria for Information Technology Security Evaluation have bred an ecosystem entangled with various kind of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria certified products remains largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen of certified components that are relied on by at least 10% of the whole ecosystem – making them a prime target for malicious actors. The impact of their compromise is assessed and potentially problematic references to archived products are discussed.
Related projects:

You are running an old browser version. We recommend updating your browser to its latest version.