Saved in:
Bibliographic Details
Main Authors: Janovsky, Adam, Chmielewski, Łukasz, Svenda, Petr, Jancar, Jan, Matyas, Vashek
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2404.14246
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909290668752896
author Janovsky, Adam
Chmielewski, Łukasz
Svenda, Petr
Jancar, Jan
Matyas, Vashek
author_facet Janovsky, Adam
Chmielewski, Łukasz
Svenda, Petr
Jancar, Jan
Matyas, Vashek
contents With 5394 security certificates of IT products and systems, the Common Criteria for Information Technology Security Evaluation have bred an ecosystem entangled with various kind of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria certified products remains largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen of certified components that are relied on by at least 10% of the whole ecosystem -- making them a prime target for malicious actors. The impact of their compromise is assessed and potentially problematic references to archived products are discussed.
format Preprint
id arxiv_https___arxiv_org_abs_2404_14246
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Chain of trust: Unraveling references among Common Criteria certified products
Janovsky, Adam
Chmielewski, Łukasz
Svenda, Petr
Jancar, Jan
Matyas, Vashek
Cryptography and Security
10.1007/978-3-031-65175-5_14
With 5394 security certificates of IT products and systems, the Common Criteria for Information Technology Security Evaluation have bred an ecosystem entangled with various kind of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria certified products remains largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen of certified components that are relied on by at least 10% of the whole ecosystem -- making them a prime target for malicious actors. The impact of their compromise is assessed and potentially problematic references to archived products are discussed.
title Chain of trust: Unraveling references among Common Criteria certified products
topic Cryptography and Security
10.1007/978-3-031-65175-5_14
url https://arxiv.org/abs/2404.14246