AI Security Portal K Program
Chain of trust: Unraveling references among Common Criteria certified products
Abstract
With 5394 security certificates of IT products and systems, the Common Criteria for Information Technology Security Evaluation have bred an ecosystem entangled with various kinds of relations between the certified products. Yet the prevalence and nature of dependencies among Common Criteria certified products remain largely unexplored. This study devises a novel method for building the graph of references among Common Criteria certified products, determining the different contexts of those references with a supervised machine-learning algorithm, and measuring how often a reference constitutes an actual dependency between certified products. With the help of the resulting reference graph, this work identifies just a dozen certified components that are relied on by at least 10% of the whole ecosystem, making them a prime target for malicious actors. The impact of their compromise is assessed, and potentially problematic references to archived products are discussed.
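The core of the analysis the abstract describes is a graph computation: once each reference between two certificates is labelled with its context, keep only the contexts that amount to a real dependency, then follow dependency edges transitively to find (a) the components a large share of the ecosystem rests on and (b) active products that still rest on archived certificates. The block below is an added example illustrating that computation; it is not the paper's code, and the certificate names, the context labels ("component", "predecessor", "evaluation-reuse"), the choice of which contexts count as dependencies, and the 10% threshold against the total number of certificates are all assumptions made for the example.

```python
"""Reference-graph dependency analysis over a constructed Common Criteria-style
ecosystem: which certified components does a large share of the ecosystem rely
on, and which active products still depend on archived certificates."""
from collections import defaultdict, deque

# Constructed sample data, not taken from the paper or from any real certificate.
# Each certificate maps to its status and a list of (referenced certificate,
# context) pairs. The context labels are assumptions made for this example.
CERTS = {
    "chip-A":       {"status": "active",   "refs": []},
    "chip-B":       {"status": "archived", "refs": []},
    "crypto-lib-1": {"status": "active",   "refs": [("chip-A", "component")]},
    "os-0":         {"status": "archived", "refs": [("chip-B", "component")]},
    "os-1":         {"status": "active",   "refs": [("crypto-lib-1", "component"),
                                                     ("os-0", "predecessor")]},
    "applet-1":     {"status": "active",   "refs": [("os-1", "component")]},
    "applet-2":     {"status": "active",   "refs": [("os-1", "component")]},
    "applet-3":     {"status": "active",   "refs": [("os-0", "component")]},
    "firewall-0":   {"status": "archived", "refs": []},
    "firewall-1":   {"status": "active",   "refs": [("firewall-0", "predecessor")]},
    "hsm-1":        {"status": "active",   "refs": [("chip-A", "component"),
                                                     ("crypto-lib-1", "evaluation-reuse")]},
    "vpn-1":        {"status": "active",   "refs": [("firewall-1", "evaluation-reuse")]},
}

# Assumption: only a "component" reference means the referencing product's
# security actually rests on the referenced one; version lineage and reused
# evaluation evidence are references but not dependencies.
DEPENDENCY_CONTEXTS = frozenset({"component"})


def build_edges(certs, contexts=DEPENDENCY_CONTEXTS):
    """Return (depends_on, dependents): forward and reverse adjacency of the
    dependency subgraph, keeping only references whose context is in `contexts`."""
    depends_on = defaultdict(set)
    dependents = defaultdict(set)
    for src, info in certs.items():
        for dst, ctx in info["refs"]:
            if ctx in contexts and dst in certs:   # ignore dangling references
                depends_on[src].add(dst)
                dependents[dst].add(src)
    return depends_on, dependents


def reachable(adjacency, start):
    """Transitive closure from `start` over `adjacency`, excluding `start` itself.
    The visited set also terminates on cycles, which malformed data may contain."""
    seen, queue = set(), deque(adjacency.get(start, ()))
    while queue:
        node = queue.popleft()
        if node in seen or node == start:
            continue
        seen.add(node)
        queue.extend(adjacency.get(node, ()))
    return seen


def critical_components(certs, threshold=0.10, contexts=DEPENDENCY_CONTEXTS):
    """Certificates whose transitive dependents make up at least `threshold`
    of the whole ecosystem (assumption: the denominator is every certificate,
    archived ones included). Returns [(cert_id, dependent_count, share)] sorted
    by impact, then by name so the order is deterministic."""
    _, dependents = build_edges(certs, contexts)
    total = len(certs)
    result = []
    for cert_id in certs:
        impacted = reachable(dependents, cert_id)   # blast radius of a compromise
        share = len(impacted) / total
        if share >= threshold:
            result.append((cert_id, len(impacted), round(share, 3)))
    return sorted(result, key=lambda r: (-r[1], r[0]))


def archived_dependencies(certs, contexts=DEPENDENCY_CONTEXTS):
    """For each active certificate, the archived certificates it transitively
    depends on; an empty dict when no active product rests on an archived one."""
    depends_on, _ = build_edges(certs, contexts)
    report = {}
    for cert_id, info in certs.items():
        if info["status"] != "active":
            continue
        archived = {d for d in reachable(depends_on, cert_id)
                    if certs[d]["status"] == "archived"}
        if archived:
            report[cert_id] = sorted(archived)
    return report


if __name__ == "__main__":
    for cert_id, n, share in critical_components(CERTS):
        print(f"{cert_id:14} relied on by {n:2d} certificates ({share:.1%})")
    for cert_id, archived in archived_dependencies(CERTS).items():
        print(f"{cert_id} (active) transitively depends on archived: {archived}")
```

On the constructed data, chip-A is relied on by five of twelve certificates even though nothing references it directly except a library and an HSM, which is the point of following edges transitively; chip-B, itself archived, still crosses the threshold through os-0, and applet-3 is the active product whose assurance rests on two archived certificates. Passing a wider `contexts` set (for instance adding "predecessor") shows how much the result depends on which reference contexts the classifier treats as dependencies.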
References
Bundesamt für Sicherheit in der Informationstechnik. Product certification: IT security certification scheme Common Criteria (CC), version 4.1. 2023.
Common Criteria. ISO/IEC 15408 Information technology — Security techniques — Evaluation criteria for IT security. 2022.
Common Criteria Recognition Arrangement Management Committee. Assurance continuity: CCRA requirements. 2012.
Common Criteria Recognition Arrangement Management Committee. Operating procedures: Certificate validity. 2021.
Decan, A., Mens, T., Claes, M. On the topology of package dependency networks: a comparison of three programming language ecosystems. 2016.
Kaluvuri, S.P., Bezzi, M., Roudier, Y. A quantitative analysis of Common Criteria certification practice. 2014.
Liu, C., Chen, S., Fan, L., Chen, B., Liu, Y., Peng, X. Demystifying the vulnerability propagation and its evolution via dependency trees in the NPM ecosystem. 2022.
Nemec, M., Sýs, M., Svenda, P., Klinec, D., Matyas, V. The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli. 2017.
Tierney, J., Boswell, T. Common Criteria: Origins and Overview. 2017.
Zimmermann, M., Staicu, C., Tenny, C., Pradel, M. Small world with high risks: A study of security threats in the npm ecosystem. 2019.