On 6/29/12 5:45 PM, Willy Santos wrote:
CCI-000028 requires the OS to prevent encrypted data from bypassing
content checking mechanisms. This mapping is open to discussion and change.
SRG-OS-000012 CCI-000028 The operating system must prevent encrypted
data from bypassing content checking mechanisms. Information flow
control regulates where information is allowed to travel within an
information system and between information systems (as opposed to who is
allowed to access the information) and without explicit regard to
subsequent accesses to the information. _When data is encrypted,
mechanisms designed to examine data content to detect attacks or
malicious code are unable to accomplish this task unless they are
capable of unencrypting the data._
So... this requirement wants the OS to mysteriously decrypt the data,
pass it through an inspection tool, then re-encrypt it. My vote is
/both/ unmet_impractical_guidance and unmet_impractical_product on this
one.