Evaluation of IBM PR/SM for zSeries990/890

2005-05-19

atsec information security is pleased to announce completion of a Common Criteria security evaluation of IBM PR/SM LPAR for eServer zSeries990 and zSeries890 [1] at levels EAL4 and EAL5. atsec is the first Common Criteria lab to successfully complete an EAL5 evaluation following specific evaluator guidance issued as AIS34 by the German Certification Body, the Bundesamt für Sicherheit in der Informationstechnik (BSI).

Copies of the certificates can be found here (EAL4) and here (EAL5).

The Processor Resource/Systems Manager (PR/SM) is a hardware facility enabling the resources of a single physical zSeries machine to be divided and shared by distinct logical machines, each capable of running an operating system such as z/OS, z/VM, VM/ESA, or Linux [2].

Using PR/SM and the graphical user interfaces provided by the Hardware Management Console and the Support Element (HMC/SE), the Security Administrator can configure those distinct logical machines such that complete isolation is ensured; i.e., sharing of I/O resources is disallowed, which effectively prevents any logical machine from gaining knowledge of any other logical machine's available I/O resources or performed operations. As a result, PR/SM meets the stringent requirements for confidentiality of processed information that are often imposed by the financial and governmental sectors.

A central, security-relevant part of PR/SM is the “Interpretive Execution Facility”, which allows execution of processor instructions in a specific and controlled user context defined for each managed logical machine. Any violation of the pre-defined context results in immediate return of processor control to the PR/SM kernel, which simulates intercepted I/O instructions and privileged commands and then adjusts the respective results to the context of the calling logical machine before processor control is returned to that machine. The PR/SM kernel also manages allocation of processors to logical machines and enforces processor time slices, so that overall machine capacity is distributed among the logical machines as configured by the System Administrator.

Prior to the evaluation, IBM and BSI agreed to pursue a formal base certification of the product instead of a recertification, even though PR/SM has been certified and recertified multiple times. Base certification considers the complete Target of Evaluation (TOE), rather than focusing only on the changes applied to the TOE since a previous evaluation, as is the scope in a recertification. Choosing base certification instead produces a consolidated basis for future recertifications of PR/SM.

While evaluation at level EAL4 can be performed according to the Common Evaluation Methodology (CEM), for the evaluation at level EAL5, specific guidance issued as AIS34 by BSI in July 2004 had to be followed for the first time.

The CEM does not include any evaluator guidance for evaluation levels exceeding EAL4; therefore, in past EAL5 evaluations, atsec analyzed additional assurance requirements imposed by EAL5 and defined additional work units, which were then forwarded to BSI for final approval. The additional work units mainly addressed the required analysis of covert channels and the assessment of modularity in design, both of which are introduced at level EAL5 and, hence, are beyond the scope of the CEM.

Regarding AIS34, Michael Robrecht, Senior Evaluator of the PR/SM evaluation, points out:

“Publication of the AIS34, which basically confirms and refines atsec’s recent approaches and work units for EAL5, now provides all labs recognized by the German Certification Scheme with detailed and mandatory guidance to perform evaluations at levels EAL5 to EAL7.”

During application of the AIS34 guidance as part of the IBM PR/SM LPAR for eServer zSeries990 and zSeries890 EAL5 evaluation, atsec provided additional feedback, comments, and requests for modification to BSI, thus contributing to further updates of EAL5-specific evaluator guidance.

About atsec information security

atsec information security is the leading provider of high-quality information security services. These include laboratory services such as product evaluation, as well as general consulting across a wide range of information security areas, including Information Security Management Systems (ISMS), risk management, PKI consulting, privacy assessment, and security auditing.

More information about atsec information security can be found at http://www.atsec.com.

atsec information security was founded in 2000 and operates in the U.S. and Europe, including Austin, Munich, Cologne, and Stockholm.

_____________________________

[1] © Copyright International Business Machines Corporation 2005
IBM Corporation, New Orchard Rd, Armonk, NY 10504
Produced in the United States of America, All Rights Reserved
PR/SM™, IBM®, eServer™, zSeries™, z/OS™, z/VM™, VM/ESA®, LINUX®, z/Architecture™ are trademarks or registered trademarks of the International Business Corporation in the United States, other countries, or both.

[2] Linux is a registered trademark of Linus Torvalds.