Secnology EAL3+ Audit Appendix
Issue 1.0
CSEC2022 EAL3+

Contents

Appendix A 3
  Evaluation Configuration 3
    1. TOE Identification 3
    2. TOE Configuration 3
    3. Environmental Configuration 4
Appendix B 5
  Assurance classes 5
    Class ACM: Configuration management 5
      Introduction 5
      Analysis 5
      ICF files 6
      GCF files 6
      JSON files 6
      File Management 9
      Conclusion 9
    Class ADO: Delivery and Operation 10
      Introduction 10
      Delivery (ADO_DEL) 10
      Installation, generation and start-up (ADO_IGS) 11
      Analysis 11
      Conclusion 16
    Class AVA: Vulnerability assessment 17
      Introduction 17
      Static code analysis 17
      Dynamic Code Analysis 19
    Class AGD: Guidance documents 21
      Introduction 21
      Administrator guidance (AGD_ADM) 21
      User guidance (AGD_USR) 22

Appendix A
Evaluation Configuration

1. TOE Identification

The TOE is uniquely identified as: SECNOLOGY 6.7

The supporting guidance documents evaluated were:
● SECNOLOGY_Admin_Guide_13E
● SECNOLOGY_User_Guide_15J
● SECNOLOGY_Technical_Presentation_15H28

2. TOE Configuration

The TOE had the following configuration options:
● The TOE supports LDAP, Microsoft AD or local installation, on multiple operating systems, depending on the module to be installed.
● There were no configuration options for the underlying operating system (Microsoft Windows XX/20XX with the latest service pack available, or Linux: Debian, SUSE, RedHat… with the latest updates) relevant to the TOE. The operating system requirements for installation of the TOE are documented in the Installation Guide.
● There were no configuration options for the Active Directory relevant to the TOE, i.e. the TOE cannot be configured insecurely if the guidance documents are followed.
● The evaluators determined that no TOE configuration options affected the security of the TOE.

3. Environmental Configuration

The specific configuration of the machine used during the evaluators' tests:
● Windows 11, latest service pack

Appendix B
Assurance classes

1.
Class ACM: Configuration management

Introduction

In this section of the audit we are required to test the configuration management system implemented. ACM prevents unauthorised modifications, additions or deletions to the TOE, thus providing assurance that the TOE and the documentation used for evaluation are the ones prepared for distribution.

Analysis

For SECNOLOGY, all of the configuration files are kept in the "Cfg" directory, and some of the functionality is implemented in Python, Perl or Windows CMD scripts under "Data/Utilities". There is no list of the configuration files, but all of them appear to be kept in one place, which largely compensates for the missing list.

There are three file types, .icf, .gcf and .json, all of which appear to hold important data according to their type.

ICF files
● Hold environment variables that are rarely changed, such as log file locations, paths to important files, or directories referenced by scripts. This is the correct approach: it spares programmers from changing code when files are moved. Example: sec_path.icf, sec_LogFiles.icf.
● The icf files also hold password hashes and a lot of other sensitive data that must be protected.

GCF files
There is one main file, SECnology Configuration.gcf, which holds a lot of pre-saved configuration and is used to display the default input fields (placeholders) when an operation is chosen in the application: for example saved logging credentials, or the type of filter to apply, with default values such as a cache file.

JSON files
JSON files do not hold a particular type of data; each file has a purpose of its own.
The purpose of using the JSON format is better compatibility with most frameworks and programming languages. The evaluators tried to test as many of the interesting files as possible:
● User_rights, summaryDictionary and SECnologyConfiguration, and the API behind them, are simple enough to be secure; they are stored as static JSON files that are changed with user input from SECmanage.
● Most of the rules and commands used by the suite are hardcoded in files in Cfg, which limits the commands that can be used and manipulated, and also gives the API an easy way to change or add rules, filters or functionality such as user-specific configuration of the suite.
● Certificates are placed in a directory inside the Cfg directory, but the default encryption was not enabled when the certificates were generated, so the private key material is stored unprotected. This makes certificate forgery attacks possible, especially by an insider.
● The users' credentials are kept in a sec_users folder which contains all the users' password hashes. The hashes are plain SHA-1 digests (hashing, not encryption): no salt or per-user randomisation is used, so identical passwords produce identical hashes and a single precomputed table cracks every account at once.
● Some of the files contain absolute references to the application, e.g. SECcollectCtrl contains the location of Seccollect.exe. If an attacker can change that path, any other harmful executable can be run with higher privileges once a more privileged user triggers the functionality.
● Listing all the configuration files is done in a static and secure manner in a JSON file that the administrator can access and change when needed: sec_path.json.

File Management

Some configuration files have a direct API, written as a script, to manage changes. These APIs are authorised with private passwords; in the cases examined these were weak passwords such as "root", but they can easily be changed.
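As an added illustration (not SECNOLOGY code), the following Python shows why the password storage described above and the AVA findings "Clear hashed passwords" and "Default Credentials" later in this appendix reinforce each other: with unsalted SHA-1 one precomputed table cracks every account, equal hashes reveal shared passwords, and the default "root"/"root" account can be spotted from the file alone. The "username:sha1hex" layout and the sample users are assumptions made for this example; the hardened record uses salted PBKDF2-HMAC-SHA256 from the standard library.

```python
"""Added example (not SECNOLOGY code): what an unsalted SHA-1 user file gives an
attacker, and what a hardened record looks like. The "username:sha1hex" layout,
the account names and the passwords are assumptions made for this illustration."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def unsalted_sha1(password: str) -> str:
    """The weak scheme described in the report: one bare SHA-1 over the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample in the assumed layout. Hashes are computed here so they are
# exactly what the weak scheme would store; "root"/"root" mirrors the default account.
CONSTRUCTED_USERS_ICF = (
    f"root:{unsalted_sha1('root')}\n"
    f"analyst:{unsalted_sha1('password')}\n"
    f"backup:{unsalted_sha1('password')}\n"
)


def parse_users(text: str) -> Dict[str, str]:
    """Parse 'username:hash' lines into a dict; blank lines are ignored."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            name, _, digest = line.partition(":")
            users[name] = digest.strip().lower()
    return users


def crack_unsalted_sha1(users: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Hash each candidate once and look it up against every account: with no salt,
    a single table cracks all users, and equal hashes expose shared passwords."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return {user: table[digest] for user, digest in users.items() if digest in table}


def default_credential_users(users: Dict[str, str]) -> List[str]:
    """Accounts whose password equals the username (the 'root'/'root' default)."""
    return sorted(user for user, digest in users.items() if digest == unsalted_sha1(user))


# Hardened form: random per-user salt and an iterated KDF, so identical passwords
# give different records and each guess must be recomputed per account.
PBKDF2_ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    users = parse_users(CONSTRUCTED_USERS_ICF)
    print("cracked:", crack_unsalted_sha1(users, ["123456", "password", "root"]))
    print("default credentials:", default_credential_users(users))
    record = hash_password("root")
    print("hardened record:", record)
    print("verify root / Root:", verify_password(record, "root"), verify_password(record, "Root"))
```

Note that the cracking step needs only the file: no interaction with the application is required, which is why an unprotected sec_users file combined with unsalted hashes is a single finding in practice rather than two.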
Some of the less important files are changed directly through the GUI of the application, because they have no bearing on the security of the application.

Conclusion

ACM_CAP.3 Authorisation controls:
● Authorisation controls are well defined and implemented through well-known, tested standard APIs.
● This sub-family only lacks the human side of security: choosing stronger passwords and enforcing password usage rules.

ACM_SCP.1 TOE CM coverage:
Configuration files are kept in no more than four places and in four file types, so in terms of coverage the configuration files are well managed. One missing point, which is neither a threat nor a vulnerability, is that the file type does not change or affect the content of the file, so using a single file format would be more ideal.

2. Class ADO: Delivery and Operation

Introduction

Assurance class ADO defines requirements for the measures, procedures and standards concerned with secure delivery, installation and operational use of the TOE. It ensures that the security protection offered by the TOE is not compromised during transfer, installation and operation.

Delivery (ADO_DEL)

Delivery covers the procedures used to maintain security during transfer of the TOE to the user, both on initial delivery and as part of subsequent modification. It includes special procedures or operations required to demonstrate the authenticity of the delivered TOE. Such procedures and measures are the basis for ensuring that the security protection offered by the TOE is not compromised during transfer. While compliance with the delivery requirements cannot always be determined when a TOE is evaluated, it is possible to evaluate the procedures that a developer has developed to distribute the TOE to users.

That said, the application is delivered through an online platform and is maintained and updated automatically; a license key is used to follow up on application usage, user authenticity and non-reproducibility.
Installation, generation and start-up (ADO_IGS)

Installation, generation and start-up requires that the copy of the TOE is configured and activated by the administrator to exhibit the same protection properties as the master copy of the TOE. The installation, generation and start-up procedures provide confidence that the administrator will be aware of the TOE configuration parameters and how they can affect the TSF.

Analysis

Installation
Process Monitor was started and set to record all network, process, file-write and file-read events while the suite was installed, producing a clean database (data sheet) of the installation process that was saved for further analysis (tool used: Microsoft Process Monitor).

During installation no network bandwidth is used, which means everything is done locally, and everything appears to run well. Windows Defender does not detect anything, and the signing certificates are up to date, so Windows trusts the application and its developer.

Services
Most SECNOLOGY services are set to start automatically and run as the privileged Local System account. This is normal behaviour for a service that is meant to keep running, including after a reboot; it also means that any executable the suite launches from a path held in a configuration file (see the SECcollectCtrl observation under ACM) inherits Local System privileges.

Environment variables added

Hosts
The local host 127.0.0.1 is mapped to display.secnology.com locally.

Private Keys and Certificates
The private keys of the certificates are accessible to anyone; they should instead be protected (for example, encrypted and accessible only with a password).

Drivers
● A CAT file is a file used by the Windows operating system. It specifies that a group of files are from a verifiable source and is used for security purposes; it contains a digital signature, the catalog version and an effective date, and is often used for verifying new software update files.
● An INF file is a plain text configuration file that defines which files are installed with a certain software program or update.
It may also list the location of the files and the directories where the files are to be installed.

Types of files in the app
We used WinDirStat to get a general idea of the various types of files in the SECnology app.

Start-up
The start-up process is simple enough: as indicated by the Process Monitor execution tree, each process launches a single job in the form of conhost (Console Window Host), a process that allows the application to execute commands and keep itself alive. So the start-up, as simply as it is coded, is safe; the danger only comes from the commands executed by the application after that.

The start-up process opens multiple local ports, for module communication and for SSL and web services (ports 3000 and 443); the rest are TCP ports for data exchange between modules. All network exchanges are secured and encrypted with standard sockets and a PKI architecture, as confirmed by inspecting the flow with Wireshark.

Conclusion

The suite passes both families, since no problems or vulnerabilities were found.

3. Class AVA: Vulnerability assessment

Introduction

Assurance class AVA defines requirements directed at the identification of exploitable vulnerabilities. Specifically, it addresses those vulnerabilities introduced in the construction, operation, misuse or incorrect configuration of the TOE.

Static code analysis

Static code analysis, or static application security testing (SAST), is the process of examining the source code of an application without executing the program. It is an automated method for detecting errors and security vulnerabilities that make an application susceptible to attacks, and is also known as white-box testing.

Tools
● Horusec is an open source tool that orchestrates other security tools and identifies security flaws or vulnerabilities in projects.
● It supports many programming languages, such as Python, JavaScript, TypeScript and Java.
Results
1. Command injection: this type of attack exploits a programming flaw in command execution that involves improper input validation, and may lead to arbitrary commands being executed by a malicious attacker.
2. CWE-489: Active Debug Code: the application is deployed to unauthorised actors with debugging code still enabled or active. Alert statements are usually designed for debugging or testing purposes; in production they may represent a kind of 'backdoor' or entry point and expose sensitive data to attackers.
3. CWE-347: Improper Verification of Cryptographic Signature: the software does not verify, or incorrectly verifies, the cryptographic signature for data. In this case, an attacker can easily impersonate a user.

Dynamic Code Analysis

Dynamic code analysis is designed to test a running application for potentially exploitable vulnerabilities. DAST tools identify both compile-time and runtime vulnerabilities, such as configuration errors that only appear within a realistic execution environment.

Memory errors with Intel Inspector
● Memory leaks are allocated objects that are never freed during execution. During the test case we ran, which lasted about 2 minutes, SECJobs leaked the most, about 20 KB per 2 minutes, which is a problem if the application is going to run 24/7.
● Some threads are never closed, and the same goes for some memory regions, which increases system latency.
● Intel Inspector cannot report the problem location in source or recommend fixes without the source code and header files as input, so we only get the location of the problem in assembly, which does not help us much.

Python files: Valgrind tests
● A small script finds the Python files (except those under utilities/python_portable) and then tests everything with Valgrind with the debugging option.
● Some of the files are vulnerable to integer overflow, but nothing major.
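The command-injection class reported by the static analysis above, shown as an added example that is not from the SECNOLOGY code base: the flagged pattern (untrusted input interpolated into a shell command string) next to a hardened form (an argv list with shell=False plus allow-list validation). The "archiver" tool, the log-file argument and the filename policy are constructed for this illustration; the child process is a Python one-liner standing in for the real tool.

```python
"""Added example (not from the SECNOLOGY code base): the command-injection pattern
flagged by SAST, next to a hardened form. The 'archiver' tool, the log-file
argument and the allow-list policy are constructed for this illustration."""
import re
import shlex
import subprocess
import sys

# Allow-list for a log file name: letters, digits, dot, dash, underscore; no path
# separators and no shell metacharacters. Constructed policy for the example.
SAFE_LOG_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def build_command_vulnerable(log_name: str) -> str:
    """Flagged pattern: untrusted input interpolated into one shell string, as it
    would be handed to os.system() or subprocess with shell=True. Returned only,
    never executed here."""
    return f"archiver --input Logs/{log_name}"


def shell_would_see(command: str) -> list:
    """Tokenise the string the way a POSIX shell does, treating ; | & ( ) < > as
    operators, so an injected separator shows up as a token of its own."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def exec_argv(arg: str) -> str:
    """Hardening step 1: argv list with shell=False. No shell parses the input, so the
    whole string reaches the child as a single argument, metacharacters included.
    The child is a Python one-liner standing in for the real tool; it echoes argv[1]."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def run_hardened(log_name: str) -> str:
    """Hardening step 2: validate against the allow-list before the call, so path
    traversal and shell metacharacters are rejected, not merely neutralised."""
    if not SAFE_LOG_NAME.fullmatch(log_name):
        raise ValueError(f"rejected log name: {log_name!r}")
    return exec_argv(log_name)


if __name__ == "__main__":
    payload = "a.log; del sec_users.icf"        # constructed injection attempt
    print(shell_would_see(build_command_vulnerable(payload)))  # ';' is its own token
    print(repr(exec_argv(payload)))               # one argument, nothing else runs
    print(run_hardened("collector-2022.log"))
    try:
        run_hardened(payload)
    except ValueError as err:
        print(err)
```

Both steps matter: the argv list removes the shell from the path, and the allow-list rejects inputs such as "../sec_users.icf" that are harmless to a shell but not to the tool that receives them.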
Clear hashed passwords
The file "sec_users.icf" in the SECnology folder contains usernames and their corresponding hashed passwords. This file is accessible to anyone.

Default Credentials
SECNOLOGY uses default credentials (the same username and password, "root") for authentication.

4. Class AGD: Guidance documents

Introduction

Assurance class AGD defines requirements directed at the understandability, coverage and completeness of the operational documentation provided by the developer. This documentation, which provides two categories of information, for users and for administrators, is an important factor in the secure operation of the TOE.

Administrator guidance (AGD_ADM)

Requirements for administrative guidance help ensure that the environmental constraints can be understood by administrators and operators of the TOE. According to the TOE's admin guide, administrators can add, edit and delete user accounts. They are also responsible for assigning permissions to each user or group of users.

User guidance (AGD_USR)

Requirements for user guidance help ensure that users are able to operate the TOE in a secure manner. User guidance is the primary vehicle available to the developer for providing the TOE users with the necessary background and specific information on how to correctly use the TOE's protection functions. SECNOLOGY's user guide provides a detailed explanation of how to use the different components in a secure way.