Revisiting the analysis of references among Common Criteria certified products

Abstract

With almost six thousand security certificates for IT products and systems, the Common Criteria for Information Technology Security Evaluation has bred an ecosystem entangled with various kinds of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria-certified products remain largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen of certified components that are relied on by at least 10% of the whole ecosystem – making them a prime target for malicious actors. The impact of their compromise is assessed, and potentially problematic references to archived products are discussed. Processing of all public certificate artifacts additionally provides insights into the dynamics of the whole certification ecosystem in time, including the popularity of categories, average assurance levels, length of validity periods, the adoption rate of selected cryptographic algorithms, and cross-referencing among national schemes.