Other formats:
BibTeX
LaTeX
RIS
@article{2418937, author = {Janovský, Adam and Jančár, Ján and Švenda, Petr and Chmielewski, Lukasz Michal and Michalík, Jiří and Matyáš, Václav}, article_number = {143}, doi = {http://dx.doi.org/10.1016/j.cose.2024.103895}, keywords = {Security certification; Common Criteria; Vulnerability assessment; Data analysis; Smartcards}, language = {eng}, issn = {0167-4048}, journal = {Computers & Security}, title = {sec-certs: Examining the security certification practice for better vulnerability mitigation}, url = {https://www.sciencedirect.com/science/article/pii/S0167404824001974}, volume = {2024}, year = {2024} }
TY - JOUR ID - 2418937 AU - Janovský, Adam - Jančár, Ján - Švenda, Petr - Chmielewski, Lukasz Michal - Michalík, Jiří - Matyáš, Václav PY - 2024 TI - sec-certs: Examining the security certification practice for better vulnerability mitigation JF - Computers & Security VL - 2024 IS - 143 SP - 1-13 EP - 1-13 SN - 01674048 KW - Security certification KW - Common Criteria KW - Vulnerability assessment KW - Data analysis KW - Smartcards UR - https://www.sciencedirect.com/science/article/pii/S0167404824001974 N2 - Products certified under security certification frameworks such as Common Criteria undergo significant scrutiny during the costly certification process. Yet, critical vulnerabilities, including private key recovery (ROCA, Minerva, TPM-Fail...), get discovered in certified products with high assurance levels. Furthermore, assessing which certified products are impacted by such vulnerabilities is complicated due to the large amount of unstructured certification-related data and unclear relationships between the certified products. To address these problems, we conducted a large-scale automated analysis of Common Criteria certificates. We trained unsupervised models to learn which vulnerabilities from NIST’s National Vulnerability Database impact existing certified products and how certified products reference each other. Our tooling automates the analysis of tens of thousands of certification-related documents, extracting machine-readable features where manual analysis is unattainable. Further, we identify the security requirements that are associated with products being affected by fewer and less severe vulnerabilities. This indicates which aspects of certification correlate with higher security. We demonstrate how our tool can be used for better vulnerability mitigation on four case studies of known, high-profile vulnerabilities. All tools and continuously updated results are available at https://sec-certs.org. ER -
JANOVSKÝ, Adam, Ján JANČÁR, Petr ŠVENDA, Lukasz Michal CHMIELEWSKI, Jiří MICHALÍK and Václav MATYÁŠ. sec-certs: Examining the security certification practice for better vulnerability mitigation. \textit{Computers \&{} Security}. 2024, vol.~2024, No~143, p.~1-13. ISSN~0167-4048. Available from: https://dx.doi.org/10.1016/j.cose.2024.103895.
|