biometricITC / cPP-biometrics

Contains the development of a Collaborative Protection Profile for biometrics
MIT License

Supporting Document v1.1 FPT_BDP_EXT.1 Section 2.4.1.7.1 - Impossible Test! #370

Closed xahun closed 2 years ago

xahun commented 2 years ago

Supporting Document v1.1 FPT_BDP_EXT.1 Section 2.4.1.7.1 "a. Memory scan test" requires 1) the ability to essentially pause the TOE and dump a copy of memory, 2) resume normal operations after the dump, e.g., to perform a biometric function, and 3) the ability to pause and dump memory again. I don't know about iPhones, but Android phones engineered to dump memory reboot after the dump, so this is not possible with any Android phones tested to date to my knowledge. Note also that dumping might involve writing to an sdcard that lies under the phone battery, making this even more difficult for some TOE models. Even if this capability were developed, the evaluator is faced with comparing upwards of 16GB of memory images with likely a very large number of changes given the time it necessarily takes to dump up to 16GB of memory externally. Finally, how in the world would an evaluator determine if any memory changes "show access to biometric data"? This test is essentially impossible given any reasonable resources. The suggestion "If it is impractical or inadequate to conduct the following tests" of course then would always be true, but leaving it to the developer and evaluator to whip up and defend a test is not aligned with current CC direction - rather a reasonable test should be developed for this module. I suggest working along the lines of FCS_CKM_EXT.4 where applicable internal/secret biometric data is logged before or while a biometric activity occurs, then the TOE memory is dumped and searched for those values.

woodbe commented 2 years ago

Change the parameters in the PR to only test after a transaction (not during the transaction)

For the search parameters, focus most likely on template headers, but explicitly note that the search does not need to encompass the entire data block as one.

Look to add alternative design description about not being able to have this information dumped (not feasible to dump the template to do the search)

Consider adding search on input image (not clear how this could be handled)
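One way to carry out the search that xahun proposes (log the plaintext template, dump TOE memory after the transaction, then look for the logged bytes) while also honouring woodbe's point that the search need not match the whole data block as one contiguous run. This is an added example written for this issue, not code from the cPP-biometrics project or from any evaluation lab; the memory images, the `BIOTPL` template header, the template length and the XOR "ciphertext" are all constructed stand-ins so the script runs offline. A real dump would be read from a file with the same `scan_dump` call.

```python
"""Search a memory dump for logged plaintext biometric values (FPT_BDP_EXT.1 memory scan).

Added example for the cPP-biometrics issue discussion. Everything below is
constructed: the dump contents, the template header and the toy cipher are
not taken from any device, project or evaluation report.
"""
import random
from typing import Dict, List, Tuple


def find_all(dump: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in dump (overlapping hits included)."""
    if not needle:
        raise ValueError("needle must be non-empty")
    hits: List[int] = []
    start = 0
    while True:
        idx = dump.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def split_chunks(value: bytes, size: int) -> List[bytes]:
    """Cut a logged value into fixed-size pieces so a fragmented copy can still be spotted.

    Only full-size pieces are kept; very short needles would match by chance.
    """
    if size < 4:
        raise ValueError("chunks shorter than 4 bytes give too many false positives")
    return [value[i:i + size] for i in range(0, len(value) - size + 1, size)]


def scan_dump(dump: bytes, known: Dict[str, bytes], chunk_size: int = 8) -> Dict[str, dict]:
    """For each logged plaintext value, report whole-value hits and per-chunk hits."""
    report: Dict[str, dict] = {}
    for name, value in known.items():
        pieces = split_chunks(value, chunk_size)
        chunk_hits = {i: find_all(dump, piece) for i, piece in enumerate(pieces)}
        chunk_hits = {i: h for i, h in chunk_hits.items() if h}  # keep only pieces that were seen
        report[name] = {
            "whole": find_all(dump, value),
            "chunks": chunk_hits,
            "total_chunks": len(pieces),
        }
    return report


def value_found(entry: dict, min_fraction: float = 0.5) -> bool:
    """True when the value appears whole, or enough of its chunks appear to count as a leak."""
    if entry["whole"]:
        return True
    total = entry["total_chunks"]
    return total > 0 and len(entry["chunks"]) / total >= min_fraction


def build_cases(seed: int = 7) -> Tuple[Dict[str, bytes], Dict[str, bytes]]:
    """Construct three toy memory images and the logged value an evaluator would search for."""
    rng = random.Random(seed)

    def rand_bytes(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    header = b"BIOTPL\x01\x00"            # hypothetical template header, constructed
    template = header + rand_bytes(56)     # 64-byte constructed plaintext template
    key = rand_bytes(len(template))
    ciphertext = bytes(a ^ b for a, b in zip(template, key))  # toy one-time-pad stand-in
    half = len(template) // 2
    cases = {
        # Plaintext template left in memory after the transaction: should be flagged.
        "plaintext_in_dump": rand_bytes(1024) + template + rand_bytes(1024),
        # Same template but split across two non-adjacent regions: whole search misses,
        # chunk search still flags it.
        "fragmented_plaintext": rand_bytes(1024) + template[:half] + rand_bytes(512)
                                + template[half:] + rand_bytes(1024),
        # Only an encrypted copy outside the SEE: should not be flagged.
        "only_ciphertext": rand_bytes(1024) + ciphertext + rand_bytes(1024),
    }
    return cases, {"enrolled_template": template}


def demo_results(seed: int = 7) -> Dict[str, bool]:
    """Run the scan over the constructed cases; True means plaintext was located."""
    cases, known = build_cases(seed)
    return {
        name: value_found(scan_dump(dump, known)["enrolled_template"])
        for name, dump in cases.items()
    }


if __name__ == "__main__":
    for case, hit in demo_results().items():
        print(f"{case}: {'plaintext located (FAIL)' if hit else 'not located (PASS)'}")
```

The chunked search is what makes the "search does not need to encompass the entire data block" point workable: a template that the TOE copies in pieces, or that sits across a page boundary in the dump, still trips the check once half of its 8-byte pieces are seen, while an encrypted copy outside the SEE does not. The 50% threshold and 8-byte chunk size are assumptions chosen for the example; an evaluation would pick them from the template format.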

ccparran commented 2 years ago

I copied the SFRs:

FPT_BDP_EXT.1.1 Processing of plaintext biometric data shall be inside the SEE in runtime.

FPT_BDP_EXT.1.2 Transmission of plaintext biometric data between the capture sensor and the SEE shall be isolated from the main computer operating system on the TSF in runtime.

I am concerned that the changes proposed on the last call do not align with the SFR intentions.

Section 2.4.1.1 in the BS_SD states: "the evaluator shall examine that the TOE processes any plaintext biometric data within the boundary of the SEE, and that the transmission of this data is via a channel protected from the main computer operating system. The SEE is responsible for preventing any entities outside the environment from accessing plaintext biometric data."

In the proposed step #2 "The developer tools shall write the biometric template data to an accessible location (either prior or during, depending on the type of test)", are we asking the evaluator to write to an accessible place other than the SEE, in order to conduct the test? Maybe the intent should be that the template data cannot be found in memory because it is only written to the SEE?

Or instead should the intent of the test be to ensure that the template data is not stored in plaintext outside of the SEE and that it is encrypted when in memory?