Chain of trust: Unraveling references among Common Criteria certified products
Adam Janovsky, Łukasz Chmielewski, Petr Svenda, Jan Jancar, Vashek Matyas
TL;DR
This paper addresses the opacity of dependencies among Common Criteria certified products by constructing a formal CC reference graph from certification artifacts using the sec-certs tool. It introduces a supervised learning pipeline to automatically label edge contexts (component reuse vs. predecessor) and applies it to reveal that a small set of high-reach components underpins a large portion of the ecosystem, with potential vulnerability propagation. The study provides empirical insights into referencing culture, ageing of certificates, and cross-category dynamics, showing that about 30% of products reference others and that the top-10 high-reach devices influence around 23% of active smartcards by 2023. The work offers practical implications for risk assessment, certification transparency, and dependency decisions, and supplies open-source artifacts to support ongoing CC monitoring and evaluation. Overall, the methodology enables scalable, automated analysis of CC references and highlights critical components that warrant tighter oversight and careful management of dependencies.
Abstract
With 5394 security certificates of IT products and systems, the Common Criteria for Information Technology Security Evaluation have bred an ecosystem entangled with various kinds of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria certified products remain largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen certified components that are relied on by at least 10% of the whole ecosystem, making them a prime target for malicious actors. The impact of their compromise is assessed and potentially problematic references to archived products are discussed.
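To make the reference-graph measurements concrete, the following added example (not code from the paper or from sec-certs) computes which certificates depend on a given component and which active certificates still rest on an archived one. The certificate ids, statuses and edges are constructed, and treating "reach" as the set of direct and transitive referrers is an assumption of this sketch.

```python
from collections import defaultdict

# Constructed sample: certificate id -> (status, ids it references).
# The ids, statuses and edges are made up for illustration.
CERTS = {
    "IC-1":  ("archived", []),
    "IC-2":  ("active",   []),
    "OS-1":  ("active",   ["IC-1"]),
    "OS-2":  ("active",   ["IC-2"]),
    "APP-1": ("active",   ["OS-1"]),
    "APP-2": ("active",   ["OS-1", "IC-2"]),
    "APP-3": ("active",   ["APP-3"]),   # self-reference, ignored
    "APP-4": ("active",   ["OS-9"]),    # dangling reference, target unknown
    "LIB-1": ("active",   []),
    "LIB-2": ("active",   []),
}

def build_referrers(certs):
    """Invert the edges: referenced id -> ids that reference it directly."""
    referrers = defaultdict(set)
    for cid, (_status, refs) in certs.items():
        for target in refs:
            if target != cid and target in certs:
                referrers[target].add(cid)
    return referrers

def reach(certs, cid):
    """All certificates that reference `cid` directly or transitively."""
    referrers = build_referrers(certs)
    seen, stack = set(), [cid]
    while stack:
        for src in referrers[stack.pop()]:
            if src not in seen and src != cid:   # cycle-safe
                seen.add(src)
                stack.append(src)
    return seen

def high_reach(certs, threshold=0.10):
    """Ids whose reach covers at least `threshold` of all certificates."""
    sizes = {cid: len(reach(certs, cid)) for cid in certs}
    return {cid: n for cid, n in sizes.items() if n / len(certs) >= threshold}

def archived_dependencies(certs):
    """Active certificates that rest, directly or transitively, on an archived one."""
    return {src for cid, (status, _) in certs.items() if status == "archived"
            for src in reach(certs, cid) if certs[src][0] == "active"}
```

On real data the edges would come from the references extracted from certification artifacts, and each edge would first need its context label (component reuse vs. predecessor) so that only actual dependencies are counted.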
