System Software for e-STUDIO202L/232/282 Security Target
(continuation of Table 8.3.2, Rationale for Assurance Measures)
AGD (Guidance documents), AGD_USR.1:
  - Operator's Manual for Basic Function (Europe)
  - Data Overwrite Kit Insertion Sheet
  These documents describe the procedures to help the TOE users securely install the product and software and perform operations.
AVA_VLA.1 (Vulnerability analysis): This document describes the result of the vulnerability analysis, to ensure that any obvious security vulnerability found will not be wrongfully used in TOE environments.
AVA_SOF.1 (Strength of function analysis): This document describes the analysis result of the strength of function for security mechanisms which have probabilistic or permutational mechanisms (excluding cryptographic mechanisms) for the TOE.
ADO (Delivery and operation), ADO_IGS.1:
  - SERVICE MANUAL (Overview)
  - SERVICE MANUAL (Service)
  - SERVICE HANDBOOK
  - GP-1060 for e-STUDIO202L/232/282
ADO_DEL.1:
  - Delivery procedures of the e-STUDIO series TOE
  - Delivery procedures of the System Software
  These documents describe the procedures to help the TOE users securely install the product and software and perform operations.
Table 8.3.2 List of Security Assurance Measures
Note: An asterisk in the table above indicates the document is available only in Japanese. Two asterisks indicate the document is available both in Japanese and English.

8.4 PP Claim Rationale
There are no Protection Profiles (PPs) to which this ST is conformant.

© 2006 TOSHIBA TEC CORPORATION All rights reserved.
Publication Date: 7 March 2006
Authors of ST: Document Processing & Telecommunication Systems Company, Toshiba TEC Corporation
TOE Identification: (Japanese) System Software for e-STUDIO202L/232/282 (in Japanese); (English) System Software for e-STUDIO202L/232/282
TOE Version: V1.0
Authors of TOE: Document Processing & Telecommunication Systems Company, Toshiba TEC Corporation
Assurance Level: EAL3
Keywords: Digital multi-function device (MFP), e-STUDIO, GP-1060, Data Delete Function, Data Overwrite, Toshiba TEC Corporation
CC Identification: Common Criteria for Information Technology Security Evaluation, Version 2.1, CCIMB Interpretations as of 01 December 2003
Evaluation Methodology: Common Methodology for Information Technology Security Evaluation, Version 1.0, CCIMB Interpretations as of 01 December 2003

1.2 ST Overview
This ST specifies the security functions of the System Software installed on Toshiba TEC Corporation's digital multi-function device e-STUDIO202L/232/282. The e-STUDIO202L/232/282 input a user document and output it in various formats (hereinafter referred to as "e-STUDIO General Functions"). The TOE is the System Software of the e-STUDIO202L/232/282, having both the e-STUDIO General Functions and security functions. The Data Delete Function, a security function of the TOE, provides the function which permanently erases user document data deleted by the operation system's file delete f
FDP_RIP.2.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: allocation of the resource to, deallocation of the resource from] all objects.
Dependencies: No dependencies.
- FPT_RVM.1 Non-bypassability of the TSP
Hierarchical to: No other components.
FPT_RVM.1.1 The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed.
Dependencies: No dependencies.

5.1.2 TOE Security Assurance Requirement
The target assurance level for the TOE is EAL3. The security assurance components of the TOE are as described below.
- ACM_CAP.3 Authorization controls
- ACM_SCP.1 TOE CM coverage
- ADO_DEL.1 Delivery procedures
- ADO_IGS.1 Installation, generation, and start-up procedures
- ADV_FSP.1 Informal functional specification
- ADV_HLD.2 Security enforcing high-level design
- ADV_RCR.1 Informal correspondence demonstration
- AGD_ADM.1 Administrator guidance
- AGD_USR.1 User guidance
- ALC_DVS.1 Identification of security measures
- ATE_COV.2 Analysis of coverage
- ATE_DPT.1 Testing: high-level design
- ATE_FUN.1 Functional testing
- ATE_IND.2 Independent testing: sample
- AVA_MSU.1 Examination of guidance
- AVA_SOF.1 Strength of TOE security function evaluation
- AVA_VLA.1 Developer vulnerability analysis

5.1.3 Minimum Strength of Function Dec
(continuation of Table 6.2.1)
AGD (Guidance documents), AGD_USR.1: Operator's Manual for Basic Function (Europe); Data Overwrite Kit Insertion Sheet
ADO (Delivery and operation), ADO_IGS.1: SERVICE MANUAL (Overview); SERVICE MANUAL (Service); SERVICE HANDBOOK; GP-1060 for e-STUDIO202L/232/282
ADO_DEL.1: Delivery procedures of the e-STUDIO series TOE; Delivery procedures of the System Software
Table 6.2.1 Security Assurance Measures and Security Assurance Requirements
Note: An asterisk in the table above indicates the document is available only in Japanese. Two asterisks indicate the document is available both in Japanese and English.

7 PROTECTION PROFILE (PP) CLAIMS
The TOE does not claim conformance to a PP.

8 RATIONALE
This chapter describes the rationale for the security objectives, security requirements, TOE summary specification and PP claims.

8.1 Security Objectives Rationale
8.1.1 Necessity of Security Objectives
The table below shows the mapping of security objectives to assumptions and threats and demonstrates that each security objective for the TOE is effective for at least one of the assumptions and threats.

Security objective        Threat countered
O.TEMPDATA_OVERWRITE      T.TEMPDATA_ACCESS
OE.OVERWRITE_COMPLETE     T.TEMPDATA_ACCESS
O.STOREDATA_OVERWRITE     T.STOREDATA_ACCESS
OE.HDD_ERASE              T.STOREDATA_ACCESS
Table 8.1.1 Security Objectives to Assumptions and Threats

8.1.2 Sufficiency of Security
In addition, SF.STOREDATA_OVERWRITE collectively and permanently erases all user document data whenever they are deleted from the HDD of the e-STUDIO202L/232/282. Accordingly, non-bypassability is assured by SF.TEMPDATA_OVERWRITE and SF.STOREDATA_OVERWRITE.

8.3.3 Rationale for Strength of Function
There are no security functions which have probabilistic or permutational mechanisms for which a rationale must be provided.

8.3.4 Rationale for Assurance Measures
This section describes the rationales which demonstrate that the security measures for the TOE satisfy the assurance requirements. Each security assurance requirement to meet EAL3 corresponds to documents and the TOE, which are the security assurance measures. Such documents and the TOE can provide all evidence for the security assurance requirements. Table 8.3.2 below shows the details of each assurance measure.

Assurance class / assurance components / documents and TOE / descriptions:
ACM (Configuration management), ACM_CAP.3, ACM_SCP.1:
  - Configuration List of System Software for e-STUDIO202L/232/282
  - Configuration Management Plan for System Software for e-STUDIO202L/232/282
  These documents describe the configuration management method for the TOE. They also describe references and a configuration list for the TOE, the CM plan and the CM system.
ADV (Development): These documents describe the TOE security functions (TSF) from the viewpoint of the behavior of the TSF and the TSF interface (external interfaces). ADV_F
Normal Mode (Data Delete Function)
(1) Data Overwrite registration process
- After each process of the e-STUDIO General Functions described above, this process registers with the trash box the user document data in the work area that was deleted by the operation system's file delete function.
- During Process 7 of the e-STUDIO General Functions described above, this process registers with the trash box the user document data stored in an e-Filing Box or a shared folder in the HDD that was deleted by the operation system's file delete function.
(2) Data Overwrite process
The TOE checks whether user document data has been registered with the trash box and, if any, permanently erases it. The method used here is DoD5220.22-M of the US Department of Defense. While this process is being executed, the message "ERASING DATA" is displayed on the control panel.

2.2.2 Functions in Self-diagnostic Mode and TOE
Figure 2.2.2 shows the configuration of the e-STUDIO202L/232/282 in self-diagnostic mode. The overall System Software shown in Figure 2.2.2, excluding the operation system, is the TOE of this ST in self-diagnostic mode.
[Figure 2.2.2 Product Configuration in Self-diagnostic Mode. Labels: e-STUDIO202L/232/282; Control Panel (Display); e-Filing Box and Shared Folder (storage for assets to be protected); GP-1060; OS: VxWorks 5.5; TOE]

2.2.2.1 e-STUDIO General F
Objectives
This section describes the sufficiency of the security objectives against the TOE security environment (assumptions and threats).
- T.TEMPDATA_ACCESS
O.TEMPDATA_OVERWRITE can prevent user document data deleted from the HDD of the e-STUDIO202L/232/282 from being recovered and decoded. OE.OVERWRITE_COMPLETE ensures that O.TEMPDATA_OVERWRITE was successfully performed. Accordingly, an attack method for T.TEMPDATA_ACCESS is invalidated.
- T.STOREDATA_ACCESS
OE.HDD_ERASE allows e-STUDIO administrators to ask service engineers to execute the Data Overwrite function on the HDD to permanently erase all files from the HDD. O.STOREDATA_OVERWRITE can prevent user document data, all files of which were permanently erased from the HDD of the e-STUDIO202L/232/282 by the forcible Data Overwrite function, from being recovered and decoded. Accordingly, an attack method for T.STOREDATA_ACCESS is invalidated.

8.2 Security Requirements Rationale
8.2.1 Necessity of Security Functional Requirements
The table below shows the relations between security functional requirements and security objectives and demonstrates that each security functional requirement corresponds to at least one security objective.

Security functional requirement   O.TEMPDATA_OVERWRITE   O.STOREDATA_OVERWRITE
FDP_RIP.1                         X
FDP_RIP.2                                                X
FPT_RVM.1                         X                      X
Table 8.2.1 Correspondences between TOE Security Functional Requirements and TOE S
RIP.1 and FDP_RIP.2 do not function simultaneously, because each of them functions in a different mode.
FPT_RVM.1
<Non-bypassability> FPT_RVM.1 ensures that FDP_RIP.1 (in normal mode) or FDP_RIP.2 (in self-diagnostic mode) functions without being bypassed.
<No interference> It is impossible to externally modify the TOE itself, because it resides in the ROM to control the overall e-STUDIO202L/232/282. And there are no unauthorized subjects which modify the TSF data (information in the trash box). Therefore, there are preventive measures against interference by unreliable subjects, and no functional requirements are required to prevent the security functions from being modified.
<Prevention of Deactivation> There are no functions which deactivate the security functions of the TOE.

8.2.5 Validity of Minimum Strength of Function
As it is assumed that the attackers' attack capability is low, the appropriate minimum SOF is SOF-basic.

8.2.6 Rationale for Security Assurance Requirements
The TOE is used in general office environments. Therefore, regarding the TOE, opportunities for attack are limited and low attack capabilities of threat agents can be assumed. In order to cope with the attacks by the threat agents, security measures which must be analyzed during the development of the TOE, systematic analysis and testing of the design, and security assurance of the development environment are
SP.1 (Functional specification), ADV_HLD.2 (High-level design):
  - Functional specification
  - High-level design
  These documents also describe the functional specification for functions other than the TSF and the sub-systems; in addition they describe the TSF structure and the interfaces of the sub-systems (high-level design).
ADV_RCR.1 (Representation correspondence):
  - Representation correspondence
  This document provides an analysis report on the relations between the security functions in the summary specification and the functional specification, and between the functional specification and the subsystems in the high-level design, for this ST.
ALC (Life cycle definition), ALC_DVS.1:
  - Development security
  This document describes the means for assuring the confidentiality and integrity of the design and implementation of the TOE in the development environment.
ATE (Tests), ATE_COV.2, ATE_DPT.1, ATE_FUN.1, ATE_IND.2:
  - Functional tests
  - TOE
  These documents describe the functional test items and test procedures used for proving that the TSF functions are as specified, the expected test results, and the actual test results under the above-mentioned conditions.
AVA (Vulnerability assessment), AVA_MSU.1:
  - Operator's Manual (Common)
  - Operator's Manual for Basic Function (North America)
  - Operator's Manual for Basic Function (Europe)
  - Data Overwrite Kit
AVA_VLA.1, AVA_SOF.1:
  - Vulnerability analysis
AGD (Guidance documents), AGD_ADM.1:
  - Operator's Manual (Common)
  - Operator's Manual for Basic Function (North America)
TA_ACCESS
By using off-the-shelf tools and by means of reverse engineering of the areas where residual user document data exists, a malicious e-STUDIO user or non-privileged user may attempt to recover or decode user document data deleted from the HDD of the e-STUDIO202L/232/282 by the operation system's file delete function.
- T.STOREDATA_ACCESS
Using off-the-shelf tools, a malicious e-STUDIO user or non-privileged user may attempt to recover or decode the areas in the HDD of the e-STUDIO202L/232/282 where user document data had existed and were deleted when all files were deleted collectively by the operation system's file delete function.

3.3 Organizational Security Policies
There are no organizational security policies for the TOE.

4 SECURITY OBJECTIVES
This chapter describes the security objectives for the TOE and the security objectives for the environment.

4.1 Security Objectives for the TOE
The following are the security objectives for the TOE.
- O.TEMPDATA_OVERWRITE
The TOE must permanently erase the areas in the HDD of the e-STUDIO202L/232/282 from which user document data were deleted, in order to prevent such areas from being recovered or decoded.
- O.STOREDATA_OVERWRITE
The TOE must prevent the areas in the HDD of the e-STUDIO202L/232/282 from which all files were deleted collectively from being recovered or decoded.

4.2 Security Objectives for the Environment
The f
TOSHIBA
System Software for e-STUDIO202L/232/282 Security Target
7 March 2006
Ver 2.1
This document is a translation of the security target written in Japanese which has been evaluated and certified. The Japan Certification Body has reviewed and checked it.
TOSHIBA TEC CORPORATION
cesses of copy, print, scan, fax transmission, fax reception and deletion of data from an e-Filing Box (hereinafter collectively referred to as "e-STUDIO General Functions"), as described in Section 1.2. The TOE is software for the e-STUDIO202L/232/282 which resides in the ROM of these models and conducts overall control of them. The e-STUDIO202L/232/282 start in normal mode, where e-STUDIO users operate these models in ordinary cases. In normal mode, the e-STUDIO General Functions and the security function in normal mode (refer to Section 2.2.1.2) are available. Besides the normal mode, the e-STUDIO offers a self-diagnostic mode where service engineers perform maintenance services. When the e-STUDIO starts in this mode, the e-STUDIO General Functions and the security function in normal mode are disabled. In self-diagnostic mode, only the security function in this mode (refer to Section 2.2.2.2) is available.

2.2.1 Features in Normal Mode and TOE
Figure 2.2.1 shows the configuration of the e-STUDIO202L/232/282 in normal mode. User document data exist only in the work area of the HDD, the specified e-Filing Boxes and the shared folder. The overall System Software shown in Figure 2.2.1, excluding the operation system, is the TOE of this ST in normal mode.
Figure 2.2.1 labels: e-STUDIO202L/232/282; Control Panel (Display); user document data deleted by the OS's delete function; GP-1060; LAN line; Printer; PSTN/FAX; OS: VxWorks 5.5; TOE; Storage for as
data deleted from the HDD of the e-STUDIO202L/232/282 are stored. The method used here is DoD5220.22-M of the US Department of Defense. (FDP_RIP.1)
- Also, in order to prevent this function from being bypassed, the TOE must always execute SF.TEMPDATA_OVERWRITE whenever user document data is used by the e-STUDIO General Functions, by permanently erasing the allocated areas in the trash box where the user document data deleted from the HDD of the e-STUDIO202L/232/282 are stored, and by deallocating such storage areas. (FPT_RVM.1)

SF.STOREDATA_OVERWRITE
The TOE must provide the following protection for all user document data to be collectively deleted from the HDD of the e-STUDIO202L/232/282: deallocate the storage areas in the trash box and prevent the deleted user document data from being recovered or decoded (Residual Information Protection).
- In self-diagnostic mode, this protection collectively and permanently overwrites all areas of the HDD. The method used here is DoD5220.22-M of the US Department of Defense. (FDP_RIP.2)
- Also, in order to prevent this function from being bypassed, the TOE must execute SF.STOREDATA_OVERWRITE from the operation panel to overwrite all areas of the HDD and deallocate such areas. (FPT_RVM.1)

6.1.2 Security Mechanism
The table below shows the security mechanism referred to in this ST and used by the TOE security functions.
Security Mechanis
ecurity Objectives

8.2.2 Sufficiency of Security Functional Requirements
This section describes that the functional requirements sufficiently assure the security objectives for the TOE.
O.TEMPDATA_OVERWRITE: FDP_RIP.1 ensures permanent deletion. FPT_RVM.1 reliably prevents the security functions from being bypassed. Accordingly, the security objective can be realized which prevents storage areas for user document data deleted from the HDD of the e-STUDIO202L/232/282 from being recovered and decoded.
O.STOREDATA_OVERWRITE: FDP_RIP.2 ensures collective, permanent and forcible deletion. FPT_RVM.1 reliably prevents the security functions from being bypassed. Accordingly, the security objective can be realized which prevents storage areas for user document data, all files of which were deleted from the HDD of the e-STUDIO202L/232/282, from being recovered and decoded.

8.2.3 Rationale for Dependencies of Security Functional Requirements
This section describes the rationale for the dependencies of the security functional requirements.
FDP_RIP.1: There are no dependencies to be satisfied.
FDP_RIP.2: There are no dependencies to be satisfied.
FPT_RVM.1: There are no dependencies to be satisfied.

8.2.4 Mutually Supportive Security Requirements
This section describes that the security functional requirements mutually complement each other and are protected against bypass, interference and deactivation. Note that FDP_
elete function provided by the operation system, except for the cases when the e-STUDIO user stores his/her user document data in an e-Filing Box or a shared folder in the HDD. User document data stored in e-Filing Boxes in the HDD are managed by each e-STUDIO user based on the importance and confidentiality of the user document data, and deleted using the operation system's file delete function as necessary. Actually, the operation system's file delete function only clears a file pointer in the FAT (File Allocation Table) managed by the operation system. This means an entity of the user document data still exists in the HDD while the user believes the user document data no longer exists there. Under this condition a threat exists, because any attacker who has knowledge about OS tools may be able to directly access the HDD and recover the user document data deleted by the operation system's file delete function by reverse engineering the area where the applicable user document data is written. The Data Delete Function, which is a TOE security function, provides a function to permanently erase user document data deleted by the operation system's file delete function, and a function to collectively and permanently erase residual user document data in the HDD before the HDD is disposed of or replaced. Here, "permanently erase" means the user document data is deleted in an unrecoverable manner. Also, residual user document data in e-Filing Bo
1 SECURITY TARGET INTRODUCTION
This chapter describes the security target (hereinafter referred to as "ST") identification, the overview of the ST, conformance to the Common Criteria for Information Technology Security Evaluation (hereinafter referred to as "CC"), terms and abbreviations, and trademarks and registered trademarks used in this document.

1.1 ST Identification
Information to identify this ST is as described below.
ST Title: System Software for e-STUDIO202L/232/282 Security Target
ST Version: Ver1.3
forcible Data Overwrite function to collectively and permanently erase all HDD areas of the e-STUDIO202L/232/282 where user document data are stored.

2.4 Assets to be Protected
The asset to be protected by this TOE is an entity of residual user document data in the HDD after being deleted by the operation system's file delete function. The user document data are deleted by the operation system's file delete function at the following timings: when a job completes, when a job is deleted, when a job is cancelled, when stored user document data is deleted, and when all files are deleted collectively. "Job" here means the e-STUDIO General Functions, such as copy and print, executed by the e-STUDIO202L/232/282. Data sent by a facsimile machine and automatically received by the e-STUDIO using its standard fax function is not user document data of the e-STUDIO user but the data of the person who has sent it. Therefore, it is not an asset to be protected. User document data stored in e-Filing Boxes and a shared folder are no longer recognized as assets to be protected after such data's effective period expires.

3 TOE SECURITY ENVIRONMENT
This chapter describes the assumptions, threats and organizational security policies for the TOE.

3.1 Assumptions
There are no assumptions.

3.2 Threats
The following are the potential threats to the e-STUDIO202L/232/282.
- T.TEMPDA
laration
The minimum Strength of Function (SOF) claim for the TOE is SOF-basic. There are no probabilistic or permutational mechanisms in the TOE to which the SOF claim applies.

5.2 Security Requirements for the IT Environment
There are no security functional requirements for the IT environment.

6 TOE SUMMARY SPECIFICATION
This chapter describes the TOE summary specification.

6.1 TOE Security Functions
As Table 6.1.1 below shows, the TOE security functions described in Section 6.1.1 satisfy the security functional requirements described in Section 5.1.1.

TOE security function     FDP_RIP.1   FDP_RIP.2   FPT_RVM.1
SF.TEMPDATA_OVERWRITE     X                       X
SF.STOREDATA_OVERWRITE                X           X
Table 6.1.1 Correspondences between TOE Security Functions and Security Functional Requirements

6.1.1 TOE Security Functions
The following describes the TOE security functions.
SF.TEMPDATA_OVERWRITE
The TOE must provide the following protection for user document data deleted from the HDD of the e-STUDIO202L/232/282: erase the user document data registered with the trash box and prevent the deleted user document data from being recovered or decoded (Residual Information Protection).
- In normal mode, this protection registers the deleted data with the trash box, where user document data deleted from the HDD of the e-STUDIO202L/232/282 is to be stored.
- In addition, the protection permanently overwrites the data that was registered with the trash box where the user document
lder in the HDD specified by the e-STUDIO user.
(4) Scan process
When the START button is pressed while the SCAN button is being held down, this process scans user document data using the scanner and performs both or either of the following processes:
- Saves the user document data in an e-Filing Box or a shared folder in the HDD specified by the e-STUDIO user.
- Sends Email to a destination specified by the e-STUDIO user.
(5) Fax transmission process
When the START button is pressed while the FAX button is being held down, this process scans user document data using the scanner and writes the scanned data in the work area of the HDD. Then this process reads the user document data in the work area and sends the data to the facsimile(s). The data can also be saved in a shared folder.
(6) Fax reception process
This process receives user document data from a facsimile and writes the data in the work area of the HDD. Then this process reads the user document data in the work area and performs both or either of the following processes:
- Outputs the user document data to the printer.
- Saves the user document data in an e-Filing Box or a shared folder in the HDD specified by the e-STUDIO user.
(7) Delete process of document in e-Filing Box and shared folder
This process deletes user document data which was saved in an e-Filing Box or a shared folder in the HDD when commanded from the control panel or from a PC via a LAN line.

2.2.1.2 Security Functions in
le the Data Delete Function, a security function of the System Software.
VxWorks is a registered trademark or trademark of Wind River Systems, Inc. All other product names mentioned in this ST may be trademarks or registered trademarks of their respective owners.

2 TOE DESCRIPTION
This chapter describes the product type, usage environment, product configuration, functions and threats regarding the e-STUDIO202L/232/282.

2.1 Product Type and Usage Environment
This ST defines four types of MFPs, e-STUDIO202L, e-STUDIO232 and e-STUDIO282, each having a different print speed. The TOE is the common control software among them. As shown in Figure 2.1 below, the e-STUDIO202L/232/282 are used as a terminal to send/receive data to/from facsimiles, a terminal to send Email to Email servers, and a remote printer for remote PCs in network environments, as well as being installed in general offices as a standalone copier.
[Figure 2.1 Use of the e-STUDIO in Network Environment. Labels: PSTN/FAX; LAN; Mail server; PC]
The MFP is a digital multi-function device which inputs, processes and outputs user documents. Its output processes are copy, print, scan, fax reception and fax transmission. After each process completes, user document data is deleted by the file d
m                    Security Functions
DoD5220.22-M         SF.TEMPDATA_OVERWRITE, SF.STOREDATA_OVERWRITE
DoD5220.22-M compliant: 0x00 fill, 0xFF fill, random number fill, validation
Table 6.1 Security Mechanism and TOE Security Functions

6.1.3 Strength of Function Statement
The TOE contains no security functions that are realized by a non-cryptographic, probabilistic or permutational mechanism.

6.2 Assurance Measures
The documents provided as security assurance measures of the TOE, which satisfy the security assurance requirements, are as described below.

Assurance class / assurance components / documents and TOE:
ACM (Configuration management), ACM_CAP.3, ACM_SCP.1: Configuration List of System Software for e-STUDIO202L/232/282; Configuration Management Plan for System Software for e-STUDIO202L/232/282
ADV (Development), ADV_FSP.1, ADV_HLD.2, ADV_RCR.1: Functional specification; High-level design; Representation correspondence
ALC (Life cycle definition), ALC_DVS.1: Development security
ATE (Tests), ATE_COV.2, ATE_DPT.1, ATE_FUN.1, ATE_IND.2: Functional tests; TOE
AVA (Vulnerability assessment), AVA_MSU.1: Operator's Manual (Common); Operator's Manual for Basic Function (North America); Operator's Manual for Basic Function (Europe); Data Overwrite Kit
AVA_VLA.1, AVA_SOF.1: Vulnerability analysis
AGD (Guidance documents), AGD_ADM.1: Operator's Manual (Common); Operator's Manual for Basic Function (North America)
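The mechanism in Table 6.1 (0x00 fill, 0xFF fill, random fill, then validation) together with the trash-box flow of Section 2.2.1.2, as an added Python model that is not the TOE's or Toshiba's code: the in-memory "HDD", the TrashBox class and the BadBlockDevice fault model are constructed here for illustration, and the model deallocates an extent only after every pass verifies.

```python
"""Added example (not the TOE's code): DoD5220.22-M style three-pass overwrite
with per-pass verification, driven by a trash-box model like the one the ST
describes (register deleted extents, overwrite, deallocate only on success)."""
import io
import os
from typing import List, Optional, Tuple

Region = Tuple[int, int]  # (offset, length) of a deleted file's extent

# Pass sequence as Table 6.1 lists it; None means a random fill for that pass
PASSES: Tuple[Optional[bytes], ...] = (b"\x00", b"\xff", None)


def _write_and_verify(dev, offset: int, pattern: bytes) -> bool:
    """Write one pass, then read it back: the 'validation' step of the mechanism."""
    dev.seek(offset)
    dev.write(pattern)
    dev.seek(offset)
    return dev.read(len(pattern)) == pattern


def overwrite_region(dev, region: Region) -> bool:
    """Run all passes over one region; stop at the first pass that fails to verify."""
    offset, length = region
    for fill in PASSES:
        pattern = os.urandom(length) if fill is None else fill * length
        if not _write_and_verify(dev, offset, pattern):
            return False
    return True


class TrashBox:
    """Model of the ST's trash box: an OS-level delete only registers an extent
    here; the extent is deallocated only after its overwrite has verified."""

    def __init__(self, dev):
        self.dev = dev
        self.pending: List[Region] = []

    def register(self, region: Region) -> None:
        self.pending.append(region)

    def purge(self) -> List[Region]:
        """Overwrite every pending region. Returns the regions that were
        deallocated; any region whose verification failed stays pending."""
        done: List[Region] = []
        remaining: List[Region] = []
        for region in self.pending:
            (done if overwrite_region(self.dev, region) else remaining).append(region)
        self.pending = remaining
        return done


def residual_present(dev, original: bytes, region: Region) -> bool:
    """True if the deleted document can still be read back from its old extent."""
    offset, _ = region
    dev.seek(offset)
    return dev.read(len(original)) == original


class BadBlockDevice(io.BytesIO):
    """Constructed fault model: writes overlapping [bad_start, bad_end) are
    silently dropped, as a failing sector might do. Verification catches it."""

    def __init__(self, data: bytes, bad_start: int, bad_end: int):
        super().__init__(data)
        self.bad_start, self.bad_end = bad_start, bad_end

    def write(self, b) -> int:
        pos = self.tell()
        if pos < self.bad_end and pos + len(b) > self.bad_start:
            self.seek(pos + len(b))  # pretend the write happened
            return len(b)
        return super().write(b)


def demo() -> Tuple[int, bool]:
    """Constructed sample: a 4 KiB 'HDD' holding one deleted 512-byte document.
    Returns (number of regions deallocated, True if the data is gone)."""
    dev = io.BytesIO(b"\xaa" * 4096)
    doc = bytes(range(256)) * 2  # 512 bytes of recognisable content
    dev.seek(1024)
    dev.write(doc)
    region = (1024, len(doc))
    box = TrashBox(dev)
    box.register(region)  # the OS delete: the bytes are still on the medium
    still_there = residual_present(dev, doc, region)
    purged = box.purge()
    gone = not residual_present(dev, doc, region)
    return len(purged), still_there and gone


if __name__ == "__main__":
    print(demo())  # (1, True)
```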
24. ollowing are the security objective for the environment e OE OVERWRITE_COMPLETE When collecting printout from the e STUDIO202L 232 282 e STUDIO users must make sure that user document data has been permanently erased from the HDD by checking that the ERASING DATA message on the LCD display if displayed on the control panel has disappeared properly e OE HDD_ ERASE e STUDIO administrators must ask service engineers to execute the forcible Data Overwrite function on the HDD to permanently erase all user document data 2006 TOSHIBA TEC CORPORATION All rights reserved 10 5 IT SECURITY REQUIREMENTS This chapter describes the security requirements for the TOE and the IT environment 5 1 TOE Security Requirements 5 1 1 TOE Security Functional Requirements The following are the security functional requirements for the TOE e FDP RIP 1 Subset residual information protection Hierarchical to No other components FDP_RIP 1 1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the selection allocation of the resource to deallocation of the resource from the following objects assignment list of objects assignment list of objects The areas in the HDD of the e STUDIO202L 232 282 from which user document data was deleted by the operation system s file delete function Dependencies No dependencies e FDP RIP 2 Full residual information protection Hierarchical to FDP RIP
25. sets to be protected Figure 2 2 1 Product Configuration in Normal Mode 2 2 1 1 e STUDIO General Functions in Normal Mode 1 Process of GP 1060 Installation Information This process checks whether or not the GP 1060 is installed In order to make the e STUDIO users aware that the Data Delete Function is available the TOE name and TOE version SYS V1 0 are displayed next to the product name on the MFP s front cover and on the LCD display of the control panel 2 Copy process When the START button is pressed with the copy function selected this process scans user document data using 2006 TOSHIBA TEC CORPORATION All rights reserved 5 3 4 5 6 7 the scanner and writes the scanned data in the work area of the HDD Then this process reads the user document data in the work area and performs both or either of the following processes e Outputs the user document data to the printer e Saves the user document data in an e Filing Box or a shared folder in the HDD specified by the e STUDIO user Print process This process receives user document data via a LAN line PC or a USB or reads user document data in an e Filing Box and write the data in the work area of the HDD Then this process reads the user document data in the work area and performs both or either of the following processes e Outputs the user document data to the printer e Saves the user document data in an e Filing Box or a shared fo
26. to be evaluated Therefore an appropriate assurance level for the TOE is EAL3 8 3 TOE summary specification rationale 8 3 1 Necessity of Security Functions The table below shows relations between TOE security functions and security functional requirements and demonstrates that each TOE security function corresponds to at least one TOE security functional requirement SETEMPDATA_OVERWRITE 7 7 SF STOREDATA OVERWRITE 7 Table 8 3 1 Correspondences between TOE Security Functions and Security Functional Requirements FDP_RIP 2 FPT RVM 1 a4 a m Lo 8 3 2 Sufficiency of Security Functions This section describes that the security functions fully assure the security functional requirements for the TOE e FDP RIP 1 SF TEMPDATA OVERWRITE permanently erases user document data in the HDD of the STUDIO202L 232 282 to ensure that user document data deleted from the HDD are no longer available Accordingly residual information protection is assured by SF TEMPDATA_ OVERWRITE e FDP_RIP 2 SF STOREDATA OVERWRITE collectively and permanently erases all areas of the HDD of the e STUDIO202L 232 282 including user document data stored there to ensure that all user document data in the HDD are no longer available Accordingly residual information protection is assured by SF STOREDATA OVERWRITE e FPT RVM 1 SF TEMPDATA OVERWRITE permanently erases user document data whenever they are deleted from the HDD of the e STUDIO202L 232 282
27. unction from the hard disk drive of the e STUDIO202L 232 282 hereinafter referred to as HDD Note that permanently erase here means the user document data is deleted in an unrecoverable manner The Data Delete Function further provides the function which collectively and permanently erases all user document data from the HDD of the e STUDIO202L 232 282 before the HDD 1s disposed of or replaced This function permanently erases all residual user document data in the HDD 1 3 CC Conformance This ST conforms to the following CC specifications CC Version 2 1 Part 2 conformant CC Version 2 1 Part 3 conformant Assurance level EAL 3 conformant There are no Protection Profiles PPs to which this ST is conformant 2006 TOSHIBA TEC CORPORATION All rights reserved i 1 4 Terms and Abbreviations The following terms and abbreviations are used in this ST lt CC related abbreviations gt CC Common Criteria EAL Evaluation Assurance Level PP Protection Profile ST Security Target TOE Target Of Evaluation SOF Strength Of Function TSF TOE Security Function TSP TOE Security Policy TSC TSF Scope of Control lt TOE related terms and abbreviations gt 1 5 MFP e STUDIO HDD User document data e Filing Box Shared folder GP 1060 Trademark Notice Multi Function Peripherals Digital multi function device A single multi functional peripheral device which integrates several functions such as cop
28. unctions in Self diagnostic Mode e Process of GP 1060 Installation Information This process checks whether or not the GP 1060 is installed In order to make the e STUDIO users aware that the Data Delete Function is available the TOE name and TOE version are displayed on the LCD display 2 2 2 2 Security Functions in Self diagnostic Mode e Forcible Data Overwrite process When the TOE executes the forcible Data Overwrite process in self diagnostic mode it collectively and permanently erases all areas in the HDD where user document data are written The method used here is DoD5220 22 M of the US Department of Defense 2 3 TOE related Personnel The following describes personnel required for operating the TOE 2 3 1 e STUDIO Users Users who utilize the e STUDIO General Functions of the e STUDIO202L 232 282 2 3 2 e STUDIO Administrators Administrators make each setting of the TOE s General Functions including copy network and fax settings and ask service engineers to execute the forcible Data Overwrite function to the HDD Note that they do not manage the TOE s security functions 23535 Service Engineers Service engineers perform service maintenance operations such as installation of the e STUDIO202L 232 282 including installation of the GP1060 Upon request from the e STUDIO administrator the service engineer operates the TOE in self diagnostic mode then 2006 TOSHIBA TEC CORPORATION All rights reserved 7 executes the
29. xes and shared folder of the HDD means any data still remains in the e Filing Boxes and the shared folder not having been deleted by the e STUDIO users when the HDD will not be 2006 TOSHIBA TEC CORPORATION All rights reserved 3 managed by the e STUDIO users any longer for example at the time of disposal or replacement of the HDD Note that the e STUDIO s Data Delete Function becomes effective only when the GP 1060 is installed The following shows hardware and software configuration of the e STUDIO Hardware Configuration Specification e STUDIO202L 20 sheets min e STUDIO202L 232 282 e STUDIO232 23 sheets min LETTER sj e STUDIO282 28 sheets min RAN POER GP 1060 USB interface Table 2 1 1 e STUDIO Hardware Configuration Software Configuration System Software for controlling O ten Mare the e STUDIO202L 232 282 UI data Optional languages Japanese V011 000 2 American English V011 000 3 Copy print speed on A4 size or European English V011 000 4 French V010 000 6 Italian V011 000 10 German V011 000 7 Spanish V010 000 11 VxWorks 5 5 Language data for each destination nation Table 2 1 2 e STUDIO Software Configuration 2006 TOSHIBA TEC CORPORATION All rights reserved 4 2 2 Product Functions and TOE The products the e STUDIO202L 232 282 are special purpose equipment having IT features and Data Delete Function implemented on the operation system VxWorks Here the IT features are pro
30. y print and fax MFPs where the TOE is installed 1 e e STUDIO202L 232 282 e STUDIO202L e STUDIO232 and e STUDIO2872 Hard Disk Drive e STUDIO user s document data digitized utilizing the e STUDIO General Functions Note that data sent by a facsimile machine and received by the e STUDIO using its standard fax function is not user document data of the eeSTUDIO user but the data of a person who has sent it A filing box where the e STUDIO user stores his her user document data Such user document data is automatically deleted from the e Filing Box after a specified effective period expires There are two types of e Filing Boxes public box and private user box as described below e Public box All users can access edit and print user document data stored in this box e Private user box Every user can create his her own user boxes give each box a name and assign a password to each of them The user who created a private user box can access edit and print user document data in his her own private user box Note that the use of password does not contribute to the Data Delete Function which is the TOE security objective used as a preventive measure against potential threads to the TOE e STUDIO users can store and retrieve user document data in a shared folder Such user document data is automatically deleted from the shared folder after a specified effective period expires A product installed in the e STUDIO202L 232 282 to enab