Modeling Trusted Computing Support in a Protection Profile for High Assurance Security Kernels

  • Hans Löhr
  • Ahmad-Reza Sadeghi
  • Christian Stüble
  • Marion Weber
  • Marcel Winandy
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5471)


This paper presents a Common Criteria protection profile for high assurance security kernels (HASK-PP) based on the results and experiences of several (international) projects on design and implementation of trustworthy platforms. Our HASK-PP was motivated by the fact that currently no protection profile is available that appropriately covers trusted computing features such as trusted boot, sealing, and trusted channels (secure channels with inherent attestation).

In particular, we show how trusted computing features are modeled in the HASK protection profile without depending on any concrete implementation for these features. Instead, this is left to the definition of the security targets of a an IT product which claims conformance to the HASK-PP. Our HASK protection profile was evaluated and certified at evaluation assurance level five (EAL5) by the German Federal Office for Information Security (BSI).


Trusted Platform Module Trust Computing Security Objective Trust Computing Group Separation Kernel 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Common Criteria for Information Technology Security Evaluation,
  2. 2.
    Trusted Computing Group: TPM Main Specification Version 1.2 rev. 103 (July 2007),
  3. 3.
    Smith, S.W., Weingart, S.: Building a high-performance, programmable secure coprocessor. Computer Networks 31(8), 831–860 (1999)CrossRefGoogle Scholar
  4. 4.
    Yee, B.S.: Using Secure Coprocessors. PhD thesis, School of Computer Science, Carnegie Mellon University, CMU-CS-94-149 (May 1994)Google Scholar
  5. 5.
    Kurth, H., Krummeck, G., Stüble, C., Weber, M., Winandy, M.: HASK-PP: Protection profile for a high assurance security kernel (2008),
  6. 6.
    European Multilaterally Secure Computing Base,
  7. 7.
    Open Trusted Computing,
  8. 8.
    Sichere Inter-Netzwerk Architektur (SINA),
  9. 9.
    Sadeghi, A.R., Stüble, C., Pohlmann, N.: European multilateral secure computing base - open trusted computing for you and me. Datenschutz und Datensicherheit DuD 28(9), 548–554 (2004)Google Scholar
  10. 10.
    Schroeder, M.D.: Engineering a security kernel for Multics. In: SOSP 1975: Proceedings of the fifth ACM symposium on Operating systems principles, pp. 25–32. ACM, New York (1975)Google Scholar
  11. 11.
    Walter, K.G., Schaen, S.I., Ogden, W.F., Rounds, W.C., Shumway, D.G., Schaeffer, D.D., Biba, K.J., Bradshaw, F.T., Ames, S.R., Gilligan, J.M.: Structured specification of a security kernel. In: Proceedings of the international conference on Reliable software, pp. 285–293. ACM, New York (1975)CrossRefGoogle Scholar
  12. 12.
    Chittenden, B., Higgins, P.J.: The security kernel approach to secure operating systems. In: ACM-SE 17: Proceedings of the 17th Annual Southeast Regional Conference, pp. 136–137. ACM, New York (1979)CrossRefGoogle Scholar
  13. 13.
    Ames Jr., S.R., Gasser, M., Schell, R.R.: Security kernel design and implementation: An introduction. Computer 16(7), 14–22 (1983)CrossRefGoogle Scholar
  14. 14.
    Karger, P.A., Zurko, M.E., Bonin, D.W., Mason, A.H., Kahn, C.E.: A retrospective on the VAX VMM security kernel. IEEE Transactions on Software Engineering 17(11), 1147–1163 (1991)CrossRefGoogle Scholar
  15. 15.
    Kemmerer, R.A.: Formal verification of the UCLA security kernel: abstract model, mapping functions, theorem generation, and proofs. PhD thesis (1979)Google Scholar
  16. 16.
    Millen, J.K.: Security kernel validation in practice. Commun. ACM 19(5), 243–250 (1976)CrossRefGoogle Scholar
  17. 17.
    Rushby, J.: Design and verification of secure systems. In: SOSP 1981: Proceedings of the 8th ACM Symposium on Operating Systems Principles, pp. 12–21. ACM, New York (1981)Google Scholar
  18. 18.
    Silverman, J.M.: Reflections on the verification of the security of an operating system kernel. In: SOSP 1983: Proceedings of the ninth ACM symposium on Operating systems principles, pp. 143–154. ACM, New York (1983)CrossRefGoogle Scholar
  19. 19.
    DeLong, R.J.: LynxSecure separation kernel – a high-assurance security RTOS. Technical report, LynuxWorks, San Jose, CA (May 2007)Google Scholar
  20. 20.
    Green Hills Software Inc.: INTEGRITY PC Technology (November 2008),
  21. 21.
    Wind River Systems Inc.: Wind River High-Assurance Solutions for Aerospace & Defense. Whitepaper (February 2008),
  22. 22.
    Martin, W.B., White, P.D., Taylor, F.S.: Creating high confidence in a separation kernel. Automated Software Engineering. 9(3), 263–284 (2002)CrossRefzbMATHGoogle Scholar
  23. 23.
    Heitmeyer, C.L., Archer, M., Leonard, E.I., McLean, J.: Formal specification and verification of data separation in a separation kernel for an embedded system. In: CCS 2006: Proceedings of the 13th ACM conference on Computer and communications security, pp. 346–355. ACM, New York (2006)Google Scholar
  24. 24.
    Information Assurance Directorate: U.S. government protection profile for separation kernels in environments requiring high robustness (SKPP) (2007),
  25. 25.
    Nguyen, T., Levin, T., Irvine, C.: High robustness requirements in a common criteria protection profile. In: IEEE International Information Assurance Workshop (2006)Google Scholar
  26. 26.
    DeLong, R.J., Nguyen, T., Irvine, C., Levin, T.: Toward a medium-robustness separation kernel protection profile. In: ACSAC 2007. IEEE Computer Society Press, Los Alamitos (2007)Google Scholar
  27. 27.
    Levin, T.E., Irvine, C.E., Weissman, C., Nguyen, T.D.: Analysis of three multilevel security architectures. In: CSAW 2007: Proceedings of the 2007 ACM workshop on Computer security architecture, pp. 37–46. ACM, New York (2007)CrossRefGoogle Scholar
  28. 28.
    National Security Agency: Controlled access protection profile (CAPP) (1999),
  29. 29.
    National Security Agency: Labeled security protection profile (LSPP) (1999),
  30. 30.
    Reynolds, J., Chandramouli, R.: Role-based access control protection profile (RBAC-PP), CygnaCom Solutions, Inc. and National Institute of Standards and Testing (1998),
  31. 31.
    Arbaugh, W.A., Farber, D.J., Smith, J.M.: A secure and reliable bootstrap architecture. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, pp. 65–71. IEEE Computer Society Press, Los Alamitos (1997)Google Scholar
  32. 32.
    Arbaugh, W.A., Keromytis, A.D., Farber, D.J., Smith, J.M.: Automated recovery in a secure bootstrap process. In: Proceedings of the Symposium on Network and Distributed Systems Security (NDSS 1998), San Diego, California, pp. 155–167 (2008)Google Scholar
  33. 33.
    Goldman, K., Perez, R., Sailer, R.: Linking remote attestation to secure tunnel endpoints. In: Proceedings of the 1st ACM Workshop on Scalable Trusted Computing (STC 2006), pp. 21–24. ACM, New York (2006)CrossRefGoogle Scholar
  34. 34.
    Stumpf, F., Tafreschi, O., Röder, P., Eckert, C.: A robust integrity reporting protocol for remote attestation. In: Proceedings of the Second Workshop on Advances in Trusted Computing (WATC 2006) (Fall 2006)Google Scholar
  35. 35.
    Sadeghi, A.R., Wolf, M., Stüble, C., Asokan, N., Ekberg, J.E.: Enabling fairer digital rights management with trusted computing. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 53–70. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  36. 36.
    Gasmi, Y., Sadeghi, A.-R., Stewin, P., Unger, M., Asokan, N.: Beyond secure channels. In: Proceedings of the 2nd ACM Workshop on Scalable Trusted Computing (STC 2007), pp. 30–40. ACM, New York (2007)CrossRefGoogle Scholar
  37. 37.
    Armknecht, F., Gasmi, Y., Sadeghi, A.R., Stewin, P., Unger, M., Ramunno, G., Vernizzi, D.: An efficient implementation of trusted channels based on OpenSSL. In: Proceedings of the 3rd ACM Workshop on Scalable Trusted Computing (STC 2008), pp. 41–50. ACM, New York (2008)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Hans Löhr
    • 1
  • Ahmad-Reza Sadeghi
    • 1
  • Christian Stüble
    • 2
  • Marion Weber
    • 3
  • Marcel Winandy
    • 1
  1. 1.Horst Görtz Institute for IT-SecurityRuhr-University BochumGermany
  2. 2.Sirrix AGBochumGermany
  3. 3.Bundesamt für Sicherheit in der Informationstechnik (BSI)BonnGermany

Personalised recommendations