Re: I-0451: When To Use IFF/IFC And ACF/ACC



> There's a problem with your example. You're attempting to use natural language
> to express what probably isn't the requirement. In the case of
> FDP_ACC/FDP_ACF, remember access control is on objects. Unless the system in
> question defines "personnel record" as an object, the control wouldn't be to
> that level. Most likely, it would be to the level of a file. That's error 1.



> The second problem with your example is the records in /var/spool are not user
> data; they are system data. Thus, the TSF should protect them as it protects
> any other internal TSF data.



I'm not at all sure what "system data" is. If you mean TSF data, that is
"data on which the TSF makes decisions", and that it is not.

The reformulated question is:

If I have an FDP_ACC/ACF saying:
Users can read only their own files

but in this TOE anyone can read the printer buffer (which is not a file)
and printing files is normal user behavior.

Does this constitute a vulnerability breaking FDP_ACC/ACF or not?

And the main question, if this is not a vulnerability, is it 
*reasonably* possible to specify confidentiality of user data inside a 
TOE without using FDP_IFF/IFC?

Dirk-Jan Out

-- 
TNO ITSEF BV
P.O. Box 96864          tel +31 70 374 0304
2509 JG The Hague       fax +31 70 374 0651
The Netherlands         www.commoncriteria.nl
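The situation the post asks about, as a toy model added here to make the two policy
styles concrete. This is not part of the original thread and makes no claim about
how the interpretation should come out; the TOE, the users "alice" and "bob", the
file "salary.txt" and its content are all constructed for illustration. An
FDP_ACC/ACF-style rule ("users can read only their own files") is enforced on file
objects only; the printer spool is modelled as a separate kind of object that the
rule does not range over. A second check, in the style of FDP_IFC/IFF, carries an
owner label with the data and notices when that data reaches another user.

```python
from dataclasses import dataclass


@dataclass
class File:
    """A user-data object covered by the access-control policy."""
    name: str
    owner: str
    content: str


@dataclass
class SpoolEntry:
    """An entry in the printer buffer. Deliberately not a File, so it lies
    outside the object set the FDP_ACC/ACF-style policy ranges over."""
    content: str
    origin_owner: str   # label carried with the data for the flow check


class Toe:
    """Hypothetical TOE: files, a printer spool, and the two policy checks."""

    def __init__(self):
        self.files = {}
        self.spool = []
        self.ac_denials = []       # attempts the ACC/ACF-style rule stopped
        self.flow_violations = []  # flows the IFC/IFF-style rule would forbid

    def create(self, user, name, content):
        self.files[name] = File(name, user, content)

    def read_file(self, user, name):
        """ACF-style rule: a subject may read only file objects it owns."""
        f = self.files[name]
        if f.owner != user:
            self.ac_denials.append((user, name))
            raise PermissionError(f"{user} may not read {name}")
        return f.content

    def print_file(self, user, name):
        """Normal user behaviour: copy an owned file into the spool."""
        content = self.read_file(user, name)   # check passes for the owner
        self.spool.append(SpoolEntry(content, user))

    def read_spool(self, user):
        """Anyone can read the spool; the ACC/ACF-style rule is not applied
        here because the spool is not a file object. The IFC/IFF-style check
        compares the origin label on the data with the reader instead."""
        seen = []
        for entry in self.spool:
            if entry.origin_owner != user:
                self.flow_violations.append((entry.origin_owner, user))
            seen.append(entry.content)
        return seen


def scenario():
    """alice prints her file; bob is refused the file but reads the spool."""
    toe = Toe()
    toe.create("alice", "salary.txt", "alice earns 5000")   # constructed data
    toe.print_file("alice", "salary.txt")
    try:
        toe.read_file("bob", "salary.txt")
    except PermissionError:
        pass
    bob_sees = toe.read_spool("bob")
    return {
        "ac_denials": toe.ac_denials,            # the file rule held: bob refused
        "flow_violations": toe.flow_violations,  # alice's data reached bob
        "bob_sees": bob_sees,                    # via the spool, not the file
    }


if __name__ == "__main__":
    print(scenario())
```

Running scenario() shows the point of the question: every read of a file object was
checked and bob's attempt was refused, so the rule as stated over file objects is
never broken, yet alice's data is in bob's hands because it left the object set
through the spool. Only the check that follows the data (the origin label) sees that
flow, which is what the last question in the post is getting at.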