CCDM: Using the CC as a design methodology

The CCDM project focuses on the use of the Common Criteria for Information Technology Security Evaluation (CC) as the basis for a methodology for designing secure IT products.

In relation to the CC, the methodology involves proceeding from a specification of a Protection Profile, which gives an abstract description of a whole class of IT products, via the specification of a Security Target to the production of an Implementation Representation which in detail describes the concrete final product which can operate in a specified environment:

For the PP and ST, a set of Threats, Assumptions and Organizational Security Policies (OSPs) are identified and used to produce a set of Security Objectives (SOs) for the product and the environment in which it is to operate. From these objectives, sets of Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) are derived. Finally, concrete components are selected and an Implementation Representation is produced which fulfils the SFRs of the ST. This systematic procedure ensures that the product addresses the threats to which it will be exposed, and the SARs provide rules for achieving some agreed level of assurance that the design and subsequent implementation are correct from a security point of view.

At each step, more details are added to the specification, so in slightly more detail the process is as shown below:

Case Studies

To validate the method, we have studied a number of cases in which concrete products have been designed: A report on these cases was presented at the International Symposium on Engineering Secure Software and Systems (ESSoS09) held in Leuven in February 2009.

If you have a case which you would like considered, please contact us.

Tool Development

The above-mentioned case studies have all been based on paper documents, generated "by hand". This is a tedious and somewhat error-prone way of producing the necessary specifications, and computer assistance would be very helpful to improving the usefulness of the method.

A first step toward producing a tool has been to formulate a formal ontology for the concepts used in the Common Criteria. This ontology is technically speaking a Domain Ontology under SUMO, the Suggested Upper Merged Ontology (SUMO) defined by the IEEE P1600.1 Working Group. It has been formulated in SUO-KIF, the knowledge representation language designed by Niles and Pease in order to support the definition of the SUMO. You can see the latest version of the ontology here. This ontology won the 2006 SUMO Prize for the best submission of a new formalised domain ontology under SUMO.

The tool will support design at assurance levels up to EAL4, following the methodology described above. For further details, please contact us.

Robin Sharp, e-mail: robin (at)
Last modified 111027