Requirements Traceability for CC Evaluation

Thesis description:

Common Criteria (CC) is an international standard for security certification of IT products. The CC does so by providing a common set of requirements for the security functionality of IT products and for assurance measures applied to these IT products during a security evaluation. These IT products may be implemented in hardware, firmware or software.
Different documentations exist for the evaluation. First of all, the criteria themselves: Evaluation Methodology (CEM) or in German schema "Anwendungshinweise und Interpretation" (AIS). While these documents assure the quality of the products, there is only an informal definition for the developer to prepare the evaluation documentation. Especially for the traceability of the requirement between documents, test definitions and code analysis are no standardized tools or processes defined. Customized solutions should support Evaluators and Developers during the evaluation process. The solution should act as an interface for documentation exchange between Developers and Evaluators and manage documents for BSI reviews.
 
The goal of this thesis is extension of YAKINDU Traceability (YT) with an CC-Requirements database and functionality for configuration and generating initial set of CC-Documents.

Your tasks:

•    Understand the CC requirements and useful deployment for YT.
•    Implementation of CC documentation generators depending on Protection Profile and Evaluation Assurance Level (EAL).
•    Implementation of the code analysis for requirements and documentation depending on the EAL.
•    Tool evaluation with evaluation body, for example, an evaluator of an evaluation house.
 

Related Work:

https://www.bsi.bund.de/DE/Themen/ZertifizierungundAnerkennung/Produktzertifizierung/ZertifizierungnachCC/zertifizierungnachcc_node.html
https://www.itemis.com/en/yakindu/traceability/documentation/user-guide/

Requirements:

•    Good understanding of Java language and Eclipse.
•    Very good German language skills.

Optional:

•    Prior knowledge about security certification processes.

Contact:

•    Prof. Dr. Eric Bodden, eric.bodden@upb.de