Evaluation Assurance Level
The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification. The intent of the higher levels is to provide higher confidence that the system's principal security features are reliably implemented. The EAL does not measure the security of the system itself; it simply states at what level the system was tested.
To achieve a particular EAL, the computer system must meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs involve more detailed documentation, analysis, and testing than the lower ones. Achieving a higher EAL certification generally costs more money and takes more time than achieving a lower one. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.
Although every product and system must fulfill the same assurance requirements to achieve a particular level, they do not have to fulfill the same functional requirements. The functional features for each certified product are established in the Security Target document tailored for that product's evaluation. Therefore, a product with a higher EAL is not necessarily "more secure" in a particular application than one with a lower EAL, since they may have very different lists of functional features in their Security Targets. A product's fitness for a particular security application depends on how well the features listed in the product's Security Target fulfill the application's security requirements. If the Security Targets for two products both contain the necessary security features, then the higher EAL should indicate the more trustworthy product for that application.
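The selection rule above, as an added example that is not part of the original article: candidate products are first filtered by whether their Security Target covers every feature the application requires, and only the survivors are ranked by EAL. The product names, feature names and EAL labels are constructed for illustration; treating the "+" (augmented) suffix as a tie-breaker between equal base levels is an assumption, since the article does not define that ordering.

```python
"""Procurement check that applies the article's caveat: an EAL ranks
assurance among products that already meet the application's functional
requirements, so a higher EAL by itself does not make a product the
better choice. Constructed example, not any evaluation scheme's tooling."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    name: str
    eal: str                  # label as it appears on a certificate, e.g. "EAL4+"
    st_features: frozenset    # features claimed in the product's Security Target


_EAL_RE = re.compile(r"^EAL([1-7])(\+)?$")


def parse_eal(label):
    """Return (level, augmented) for a label such as 'EAL5' or 'EAL 4+'.

    Only EAL1..EAL7 exist; anything else is rejected rather than guessed.
    """
    m = _EAL_RE.match(label.strip().upper().replace(" ", ""))
    if not m:
        raise ValueError(f"not an EAL label: {label!r}")
    return int(m.group(1)), m.group(2) == "+"


def missing_features(product, required):
    """Required features that the product's Security Target does not claim."""
    return frozenset(required) - product.st_features


def rank_for_application(products, required):
    """Return (suitable, unsuitable).

    suitable:   products whose ST covers every required feature, highest
                EAL first (assumption: augmentation only breaks ties).
    unsuitable: (product, missing features) for the rest, whatever their EAL.
    """
    suitable, unsuitable = [], []
    for p in products:
        gap = missing_features(p, required)
        if gap:
            unsuitable.append((p, gap))
        else:
            suitable.append(p)
    suitable.sort(key=lambda p: parse_eal(p.eal), reverse=True)
    return suitable, unsuitable


# Constructed candidates; the EAL figures are illustrative, not real certificates.
CANDIDATES = [
    Product("commodity-os", "EAL4+", frozenset({"user-based access control", "audit"})),
    Product("mls-os", "EAL4", frozenset({"user-based access control", "audit", "multilevel security"})),
    Product("smart-card-os", "EAL5", frozenset({"tamper resistance", "audit"})),
]

if __name__ == "__main__":
    need = {"user-based access control", "multilevel security"}
    ok, rejected = rank_for_application(CANDIDATES, need)
    print("suitable:", [p.name for p in ok])
    for p, gap in rejected:
        print(f"{p.name} ({p.eal}) unsuitable: lacks {sorted(gap)}")
```

With the constructed inputs, the EAL5 smart-card product is rejected for the multilevel-security application despite its higher grade, which is exactly the distinction the paragraph draws.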
EAL1: Functionally Tested
EAL1 is applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious. It will be of value where independent assurance is required to support the contention that due care has been exercised with respect to the protection of personal or similar information.
EAL1 provides an evaluation of the TOE (Target of Evaluation) as made available to the customer, including independent testing against a specification, and an examination of the guidance documentation provided. It is intended that an EAL1 evaluation could be successfully conducted without assistance from the developer of the TOE, and for minimal cost. An evaluation at this level should provide evidence that the TOE functions in a manner consistent with its documentation, and that it provides useful protection against identified threats.
EAL2: Structurally Tested
EAL2 requires the cooperation of the developer in terms of the delivery of design information and test results, but should not demand more effort on the part of the developer than is consistent with good commercial practice. As such it should not require a substantially increased investment of cost or time.
EAL2 is therefore applicable in those circumstances where developers or users require a low to moderate level of independently assured security in the absence of ready availability of the complete development record. Such a situation may arise when securing legacy systems.
EAL3: Methodically Tested and Checked
EAL3 permits a conscientious developer to gain maximum assurance from positive security engineering at the design stage without substantial alteration of existing sound development practices.
EAL3 is applicable in those circumstances where developers or users require a moderate level of independently assured security, and require a thorough investigation of the TOE and its development without substantial re-engineering.
EAL4: Methodically Designed, Tested, and Reviewed
EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.
Commercial operating systems that provide conventional, user-based security features are typically evaluated at EAL4. Examples of such operating systems are AIX, HP-UX, FreeBSD, Novell NetWare, Solaris, SUSE Linux Enterprise Server 9, SUSE Linux Enterprise Server 10, Red Hat Enterprise Linux 5, Windows 2000 Service Pack 3, Windows 2003, Windows XP, Windows 7, and Windows Server 2008 R2.
Operating systems that provide multilevel security are evaluated at a minimum of EAL4. Examples include Trusted Solaris, Solaris 10 Release 11/06 Trusted Extensions, an early version of the XTS-400, and VMware ESXi version 3.0.2, 3.5 and 4.0 (EAL 4+).
EAL5: Semiformally Designed and Tested
EAL5 permits a developer to gain maximum assurance from security engineering based upon rigorous commercial development practices supported by moderate application of specialist security engineering techniques. Such a TOE will probably be designed and developed with the intent of achieving EAL5 assurance. It is likely that the additional costs attributable to the EAL5 requirements, relative to rigorous development without the application of specialized techniques, will not be large.
EAL5 is therefore applicable in those circumstances where developers or users require a high level of independently assured security in a planned development and require a rigorous development approach without incurring unreasonable costs attributable to specialist security engineering techniques.
Numerous smart card devices have been evaluated at EAL5, as have multilevel secure devices such as the Tenix Interactive Link. XTS-400 (STOP 6) is a general-purpose operating system which has been evaluated at EAL5 augmented. LPAR on IBM System z is EAL5 certified.
EAL6: Semiformally Verified Design and Tested
EAL6 permits developers to gain high assurance from application of security engineering techniques to a rigorous development environment in order to produce a premium TOE for protecting high value assets against significant risks.
EAL6 is therefore applicable to the development of security TOEs for application in high risk situations where the value of the protected assets justifies the additional costs.
Green Hills Software's INTEGRITY-178B RTOS has been certified to EAL6 augmented.
EAL7: Formally Verified Design and Tested
EAL7 is applicable to the development of security TOEs for application in extremely high risk situations and/or where the high value of the assets justifies the higher costs. Practical application of EAL7 is currently limited to TOEs with tightly focused security functionality that is amenable to extensive formal analysis. The Tenix Interactive Link Data Diode Device and the Fox Data Diode have been evaluated at EAL7 augmented.
Open Kernel Labs has also performed formal verification of their seL4 microkernel OS, allowing devices running seL4 to achieve EAL7.
Fox-IT claim to have certified their one-way data communications device known as the "Fox Data Diode" at EAL7+.
Implications of assurance levels
Technically speaking, a higher EAL means nothing more, or less, than that the evaluation completed a more stringent set of quality assurance requirements. It is often assumed that a system that achieves a higher EAL will provide its security features more reliably (and the required third-party analysis and testing performed by security experts is reasonable evidence in this direction), but there is little or no published evidence to support that assumption.
Impact on cost and schedule
In 2006, the US Government Accountability Office published a report on Common Criteria evaluations that summarized a range of costs and schedules reported for evaluations performed at levels EAL2 through EAL4.
In the mid to late 1990s, vendors reported spending US$1 million and even US$2.5 million on evaluations comparable to EAL4. There have been no published reports of the cost of the various Microsoft Windows security evaluations.