The archetypical EAL5 product is a smartcard or cryptographic coprocessor (same thing, different package). They're certifiable because they don't do much.
But if you'd like an example from the EAL4 list: start with FortiOS.
EAL4 and under is junk (with respect to security). I already said that. The standards committee has also always maintained that there is no meaningful security at EAL4. Earlier drafts of the standards said EAL4 is only meant to protect against “casual and inadvertent attacks”.
The general crappiness of EAL4 goes all the way back to the Orange Book where EAL4 maps approximately to Level C2 (contemporaneous projects got certified to those levels simultaneously). That level was intentionally meant for toys before they put on their big person pants and release a grown up product with actual security [1]. It is a mystery why anybody thinks EAL4 and security belong in the same sentence.
If you're saying "EAL4 and below is junk" (I'd say EAL* is junk, but whatever), all you're really saying is that minimal-function cryptographic coprocessors are safer than operating systems and applications. Well, yeah, sure. I don't think you needed the farce of Common Criteria to tell you that, though.
But upthread, you knocked Apple for not achieving an adequate assurance level. As you can see now, and from your own last comment, that doesn't make any sense. It's possible (though deeply silly) that there's some iPhone configuration that could "achieve" EAL4, but you yourself don't believe that has any meaning. I don't either.
I don't think EAL5 or EAL6 do, either, except that if you tell me your product is EAL5, I'll assume it's a small fixed-function device.
No. The Separation Kernel Protection Profile (SKPP) defines a model for a operating system kernel at EAL6+. So all I am really saying is that safe operating systems are safer than non-safe operating systems. You could also look backwards to the TCSEC and the comparable certified Level A1 systems for other operating systems designed for actual high security work.
You keep calling it a farce, but you keep pointing at EAL4 and lower systems. Yes, those levels are farces, that was the whole point. Those are the levels for the certification of toys where documentation and paperwork is all that is needed, not proper design.
Complaining about the Common Criteria in the context of EAL4 and lower systems is like complaining about tissue paper manufacturers putting their tissue paper through bulletproof vest testing and certifying that it does not stop bullets. Yes, that is pretty stupid, farcical, and probably a waste of time. But no, the test is not stupid. It can test actual bulletproof vests, you just keep seeing stupid waste of time tests proving a useless fact that everybody already knows, the EAL4 quality system sucks and has no place in a serious security organization.
There's probably better/longer, I just looked at the first page of "standards" search. The points are strong, like messageboard-argument-winning bear, though.
What'd I do here? You have me worried. Did I manage to back into an argument that standards processes are good? Really I'm just trying to say two things here:
* The Common Criteria process is a farce, and things that are secure by dint of being EAL5+ are really secure because they're so small you can almost prove them with formal methods (which is not to say that everything EAL5+ has usefully applied formal methods).
* The meaning of the word "operating system" is different when we're talking about EAL5+ stuff; seL4 is an "operating system" that has been proven secure with formal methods, and it is secure, but it's secure in large part because it does almost nothing; it isn't comparable to Windows, macOS, or Linux. You couldn't build an iPhone experience on top of it (you could --- and people do --- host Unix kernels on top of L4 OS's, but when you do that you keep many/most of the security issues of that Unix kernel).
No no, sorry, it wasn't intended as backhanded snark.
You've had a running critique of standards stuff here for years and it's good and the other person should read it. A bit of an unsuppressed "well, maybe if they looked at the principles, then they'll see the light" nerd-response on my part. You're not going to make an iPhone out of seL4, you're also not going to come up with a Secure Enclave or an IOMMU or an encrypted serial bus or whatever by reading standards/meeting certification reqs either because, generally, that's not how standards and certifications work. For multiple developed versions of this argument, see 'tptacek!
I'm sure you're right about the details of Jor-EAL5+ and the bottle city CRYSTALS-Kandor, just saying "also right in this other way but with less lore". Not that there is anything wrong with lore.
So what you are saying is that EAL >=5 does not imply secure, it is the formal methods that imply secure?
Well good news, that is not a mistake. EAL >=5 implies formal methods of various degrees. The standard demands the thing that works, amazing. It might be too hard for consumer companies to achieve, but that does not make the process a farce as long as there are companies that can certify useful functionality according to the process. And, although you seem to think the functionality that can be certified is limited, I doubt you consider secure cryptographic co-processors useless or unimportant.
In that paragraph, the words "of various degrees" is load-bearing.
I don't think you're making a coherent case for the security or insecurity of an iPhone with any of this stuff. Real security in complex products simply has nothing to do with the CCTL process. Which, I'm sorry to say again, is farcical.
If it's not clear: I've had the displeasure of working with this process in my career, most of which I've spent in vulnerability research.
Yes, various degrees; we are discussing three distinct levels. Why on earth would they all demand the same degree of formal methods?
Up to EAL4 all you need is a informal specification; what is basically useless paperwork.
It is only at EAL5 that you are required to supply a semi-formal design, ADV_TDS.4, and interface specification, ADV_FSP.5. At EAL6 you must also supply a formal model of the security policy, ADV_SPM.1, and a complete mapping between design and implementation, ADV_IMP.2. By EAL7 you are required to supply a complete formal design, ADV_TDS.6, and specification, ADV_FSP.6.
You then have a formal model of the security policy, the interface enforcing that policy, the design backing the interface, and a mapping from the formal design to the implementation. That is pretty dang exhaustive. I guess you could go further and demand a formal, machine-checkable correspondence between the implementation and the design?
Since you bring up that you have worked with the process, what products at EAL5 or higher have you had the displeasure of working on?
This thread keeps trying to escape down little rabbitholes of abstraction. I'll be clear: if Apple wanted to ship an EAL5 product, the very first product decision they would need to make in service of that would be to stop rendering HTML. No browsers. No rich media. No installable apps that could do any kind of IPC.
This is what we mean when we say an EAL5+ product is a different kind of thing. It's why this whole CCTL EAL thing is such a farce. The methods you're blaming big tech companies for not using are all things that preclude most of the products users want to use.
Can we stop pretending that any vendor in the industry has the option of serving customers with formally verified "EAL6" products? They don't. This isn't a thing, and hearing "EAL6" and "penetration testing" mentioned in the same sentence is grating. You don't penetration test a formally verified product. You do verification and assurance work for it, but nobody in the field would ever call it pentesting.
I am blaming them for selling products that are inadequate for the threat environment they are expected to operate in and lying and/or insinuating that they are adequate for that threat environment, especially when they know for certain that they are not and certify as such. If the customers truly want those products and features, security be damned, like you say then they will do that even if the companies are completely truthful. The companies do not because they know that it will hurt their margins or make their products non-viable.
In addition, the lies suck all of the air out of the room for actual secure products because why go through the extremely hard work of actually making something secure when you can just lie about it. This has happened time and time again. There were multiple TCSEC Level A1 certified implementations when the DoD demanded real security. But, as soon as they lowered requirements to allow consumer systems that were inadequate for the threat environment, all of the effort and funding behind actual secure systems dried up. What we are left with now is a total wasteland of insecure products controlling systems too big for their britches and endless attacks getting closer and closer to total societal disruption. The only saving grace is that it is taking time for the attackers to scale to exploit this entire greenfield opportunity.
As to your other points, the SKPP explicitly included a penetration test done by a NSA team of the formally verified product under certification [1]: "AVA_VLA_EXP.4.3E The NSA evaluator shall perform independent penetration testing.". So, actually, "EAL6" and "penetration testing" do belong in the same sentence.
If Apple did want to ship a EAL5 product, the very first product decision would be starting over. HTML support or not does not even figure into the list; they have to tackle much more basic defects before getting to that. And I do not see how HTML and rich media support is even a challenge unless you made your security properties depend on exact rendering. You just use a separation kernel architecture to isolate the untrusted HTML renderer into a ephemeral sandbox that takes a HTML file and outputs an image. You might then say, "Apple already sandboxes the renderer.". Yeah, but their sandbox sucks and is regularly defeated. Almost as if having formally verified separation kernels as an underpinning might allow the obvious solution to work; assuming the same minds that built on sand do not add in more harebrained ideas. Hard to put it past them when they made so many other terrible security decisions.
Also, you did not answer what EAL5 or higher products you worked on that informed your disgust with the high assurance Common Criteria process.
I am blaming them for selling products that are inadequate for the threat environment they are expected to operate in and lying and/or insinuating that they are adequate for that threat environment
You can make this argument and remove all the Jor-EAL5 stuff after and it's the exact same argument, in fact, a better one because you don't have all that superfluous stuff. It's a parasitic red herring.
> I am blaming them for selling products that are inadequate for the threat environment they are expected to operate in and lying and/or insinuating that they are adequate
You lost me here. Where has Apple "insinuated" anything else but "secure enough for consumers"? Really, I want to know where they promote their products as the choice to protect oneself from nation-state adversaries, because so far, the only security offers they have for iPhone users are threat notifications [0] and lockdown mode [1], and they make no guarantees on either of them.
Samsung [2] and Google [3] make similar assertions.
I believe you are targeting a strawman here, especially given the fact that there are zero consumer grade phones out there that are CC certified to a level that you may consider adequate.
> In addition, the lies suck all of the air out of the room for actual secure products because why go through the extremely hard work of actually making something secure when you can just lie about it.
This is blatantly false.
There aren't consumer ready operating systems that may replace Apple's, and are EAL5+ certified.
Unless your point is that some day you may be able to install System Z in your laptop, that is.
But if you'd like an example from the EAL4 list: start with FortiOS.