JANOVSKÝ, Adam, Ján JANČÁR, Petr ŠVENDA, Lukasz Michal CHMIELEWSKI, Jiří MICHALÍK and Václav MATYÁŠ. sec-certs: Examining the security certification practice for better vulnerability mitigation. Computers & Security. 2024, vol. 2024, No 143, p. 103895-103907. ISSN 0167-4048. Available from: https://dx.doi.org/10.1016/j.cose.2024.103895.
Other formats:   BibTeX LaTeX RIS
Basic information
Original name sec-certs: Examining the security certification practice for better vulnerability mitigation
Authors JANOVSKÝ, Adam, Ján JANČÁR, Petr ŠVENDA, Lukasz Michal CHMIELEWSKI, Jiří MICHALÍK and Václav MATYÁŠ.
Edition Computers & Security, 2024, 0167-4048.
Other information
Original language English
Type of outcome Article in a journal
Field of Study 10201 Computer sciences, information science, bioinformatics
Country of publisher United Kingdom of Great Britain and Northern Ireland
Confidentiality degree is not subject to a state or trade secret
WWW URL
Impact factor Impact factor: 5.600 in 2022
Organization unit Faculty of Informatics
Doi http://dx.doi.org/10.1016/j.cose.2024.103895
UT WoS 001248232600001
Keywords in English Security certification; Common Criteria; Vulnerability assessment; Data analysis; Smartcards
Tags International impact, Reviewed
Changed by Changed by: RNDr. Ján Jančár, učo 445358. Changed: 25/7/2024 10:19.
Abstract
Products certified under security certification frameworks such as Common Criteria undergo significant scrutiny during the costly certification process. Yet, critical vulnerabilities, including private key recovery (ROCA, Minerva, TPM-Fail...), get discovered in certified products with high assurance levels. Furthermore, assessing which certified products are impacted by such vulnerabilities is complicated due to the large amount of unstructured certification-related data and unclear relationships between the certified products. To address these problems, we conducted a large-scale automated analysis of Common Criteria certificates. We trained unsupervised models to learn which vulnerabilities from NIST’s National Vulnerability Database impact existing certified products and how certified products reference each other. Our tooling automates the analysis of tens of thousands of certification-related documents, extracting machine-readable features where manual analysis is unattainable. Further, we identify the security requirements that are associated with products being affected by fewer and less severe vulnerabilities. This indicates which aspects of certification correlate with higher security. We demonstrate how our tool can be used for better vulnerability mitigation on four case studies of known, high-profile vulnerabilities. All tools and continuously updated results are available at https://sec-certs.org.
Links
MUNI/A/1586/2023, interní kód MUName: Aplikovaný výzkum na FI: Forenzní aspekty kritických infrastruktur, aplikovaná kryptografie, kyberbezpečnostní cvičení, algoritmy plánování v logistice a pro zpracování dat z fyzikálních sensorů
Investor: Masaryk University, Applied research at FI: Forensic aspects of critical infrastructures, applied cryptography, cybersecurity trainings, scheduling algorithms logistics and algorithms for physical sensors
MUNI/IGA/1046/2021, interní kód MUName: Automated text analysis of security certification reports
Investor: Masaryk University
VJ02010010, research and development projectName: Nástroje pro verifikaci bezpečnosti kryptografických zařízení s využitím AI (Acronym: AI-SecTools)
Investor: Ministry of the Interior of the CR
PrintDisplayed: 26/7/2024 08:35