Revisiting the analysis of references among Common Criteria certified products

IF 4.8 2区 计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Adam Janovsky, Łukasz Chmielewski, Petr Svenda, Jan Jancar, Vashek Matyas
{"title":"Revisiting the analysis of references among Common Criteria certified products","authors":"Adam Janovsky,&nbsp;Łukasz Chmielewski,&nbsp;Petr Svenda,&nbsp;Jan Jancar,&nbsp;Vashek Matyas","doi":"10.1016/j.cose.2025.104362","DOIUrl":null,"url":null,"abstract":"<div><div>With almost six thousand security certificates for IT products and systems, the Common Criteria for Information Technology Security Evaluation has bred an ecosystem entangled with various kinds of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria-certified products remain largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen of certified components that are relied on by at least 10% of the whole ecosystem – making them a prime target for malicious actors. The impact of their compromise is assessed, and potentially problematic references to archived products are discussed. Processing of all public certificate artifacts additionally provides insights into the dynamics of the whole certification ecosystem in time, including the popularity of categories, average assurance levels, length of validity periods, the adoption rate of selected cryptographic algorithms, and cross-referencing among national schemes.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"152 ","pages":"Article 104362"},"PeriodicalIF":4.8000,"publicationDate":"2025-02-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825000513","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

Abstract

With almost six thousand security certificates for IT products and systems, the Common Criteria for Information Technology Security Evaluation has bred an ecosystem entangled with various kinds of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria-certified products remain largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen of certified components that are relied on by at least 10% of the whole ecosystem – making them a prime target for malicious actors. The impact of their compromise is assessed, and potentially problematic references to archived products are discussed. Processing of all public certificate artifacts additionally provides insights into the dynamics of the whole certification ecosystem in time, including the popularity of categories, average assurance levels, length of validity periods, the adoption rate of selected cryptographic algorithms, and cross-referencing among national schemes.
回顾通用标准认证产品之间的参考分析
《信息技术安全评估通用标准》拥有近6000个IT产品和系统的安全证书,已经形成了一个被认证产品之间各种关系纠缠在一起的生态系统。然而,共同标准认证产品之间的依赖程度和性质在很大程度上仍未得到探索。本研究设计了一种新的方法来构建通用标准认证产品之间的引用图,用监督机器学习算法确定引用的不同上下文,并测量引用构成认证产品之间实际依赖关系的频率。在最终参考图的帮助下,这项工作只确定了至少10%的整个生态系统所依赖的十几个经过认证的组件,这使它们成为恶意行为者的主要目标。他们的妥协的影响进行了评估,并讨论了存档产品的潜在问题的参考。对所有公共证书工件的处理还可以及时了解整个认证生态系统的动态,包括类别的流行程度、平均保证级别、有效期长度、所选加密算法的采用率以及国家方案之间的交叉引用。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
Computers & Security
Computers & Security 工程技术-计算机:信息系统
CiteScore
12.40
自引率
7.10%
发文量
365
审稿时长
10.7 months
期刊介绍: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信