EAL is not a measure of security but a measure of the depth of analysis. Looking at the complexity of monolithic-kernel-based operating systems, I don't much can be derived from certifications with an EAL < 5.
Evaluated assurance levels (EAL) are a bundle of security assurance requirements (SAR) that reasonably trace to varying levels of assurance that the target of evaluation (TOE) enforces the Security Functional Requirements (SFR) of the product. One of the core SARs being AVA (vulnerability assessment) which evaluates resistance to penetration attackers and the presence of vulnerabilities. It is only at EAL5 that you are required to demonstrate AVA_VAN.4 which is resistance to penetration attackers with a moderate attack potential.
What we derive from companies only able to achieve EAL < 5 is that their systems are not designed, nor capable of protecting against moderate attackers. This has been borne out by decades of experience where the security properties of these systems have been routinely defeated by attackers with moderate or lower attack potential. The certification process is both effective and accurate at identifying that these consumer operating systems are inadequate against attackers of moderate ability as an upper bound.
We further know from decades of experience that any system that attempts EAL5 certification and then fails has structural deficiencies that make it practically impossible for any configuration to ever be certified without a total redesign. As far as I know, nobody has ever achieved that despite decades of attempts and billions of dollars spent attempting to retrofit inherently insecure designs such as Windows, Linux, or macOS.
So, what we know is that macOS, iOS, Linux, Windows, BSDs, etc. are structurally insecure against moderate attacks such as those employed by commercial hackers and organized crime, let alone state-level actors, and that it is hopeless for them to ever be improved to reach such a level. Anything less than EAL5 is inadequate for the modern threat landscape of established commercial hackers and state actors as experienced by consumers, businesses, and governments. Therefore, the systems currently deployed are universally unfit for their usage in these connected systems and we have the certifications and continuous examples to prove it.
How do you define "penetration attackers with a moderate attack potential"?
No EAL>4 certification does not imply that something is insecure.
Judging something as "insecure" or "structurally insecure" is highly opinionated. Not everyone has the same tolerance of risk. For most users the common operating system is secure enough. Besides that security is not only depending on the kernel. Smartphone operating systems which are based on Linux practically provide more security through app isolation than most desktop-oriented Linux-based distributions.
Besides that a CC certification does not necessary certify the product as a whole which finally means you cannot even derive a state of security statement for the end user.
Another example was the genugate firewall which has been certified on EAL4+ (including ALC_FLR.2, ALC_PAM.1, ASE_TSS.2, AVA_VAN.5), so in the end it was certified against attack with a high attack potential. Yet, the product was vulnerable to a simple authentication bypass of the management interface resulting in a CVSS score of 9.8:
https://nvd.nist.gov/vuln/detail/CVE-2021-27215
“Moderate potential” is defined in the standard [1]. As we are generally discussing blackbox attacks on publicly accessible remote endpoints, basically the only relevant factors are “Elapsed Time”, “Expertise”. So, a “moderate attack potential” is: expert proficiency attacking team over four months. A “high attack potential” is expert proficiency attacking team over six months.
I know, the standard is embarrassingly low by modern attack standards. It really should be much stricter these days, but even at these embarrassingly low levels the standard commercial vendors such as Apple can not achieve them.
No, my statement on structural insecurity is quite objective. I said they are structurally insecure against commercial hackers and organized crime. That is a statement relative to a threat model and can be objectively verified.
Our objective verification is that their security properties get routinely invalidated by such attackers thousands of times a year. You would be hard pressed to find a professional hacker who would say something like: “Oh no, they are using a Mac, my plans are foiled.”
Commercial hackers and organized crime are expected threat actors. If you are running a commercial enterprise, you will be attacked by commercial hackers these days. If your systems are useless against them, then your security is objectively inadequate for your use case. Using systems certified to be inadequate for your use case is just engineering malpractice.
Yes, a Common Criteria certification does not mean the entire product is certified in much the same way that a nail certification does not mean your airplane is certified. You need to certify the entire product for the entire product to be certified. That should be obvious.
I do not know why you bring up uncertified composed products having problems in uncertified components. Yes, those components suck, we already know that. That in no way supports using composed products consisting entirely of inadequate components.
You seem to be confused about how you should use a Common Criteria certification to evaluate a product. EAL5 does not mean you are guaranteed to be protected against moderate attackers. It just provides some reasonable confidence that might be the case. What it really tells you is that you should have minimal or no confidence in systems not certified (or even worse failed certification) to EAL5.
A AVA_VAN.5 component might be vulnerable to moderate attacks. But a component that failed certification to AVA_VAN.3 is certainly vulnerable to moderate attacks.
The genugate firewall is EAL4. I do not see how this bolsters your point. There is a reason why we use EAL instead of just reporting the AVA_VAN requirement.
I do not have any particular insights into their product or that vulnerability. It is certainly possible they were over certified.
Looking at the PoC, it seems to indicate a administrator login authentication bypass. In the genugate firewall TOE [2] it indicates that the administrator network is assumed to be isolated and trusted. If an administrator login page is only meant to be accessible from the administrator network then the CVE would be out of scope of their certification. Though the CVE indicates other logins that might be affected, so I can not speculate any further. Certainly could be over-certified. But again, certification does not mean confidently secure, it is non-certification which means confidently insecure.
