Mining Issued Common Criteria and FIPS 140-2 Certificates – More Transparency for Developers, Vulnerability Researchers and Society
In the second Research Days 2021 event, Petr Švenda from the Faculty of Informatics at Masaryk University in Brno will feature a data-based insight into certification ecosystems with an open source tool for automatic analysis of publicly available certification reports. The talk will take place virtually on March 24th at 2:00-3:30 PM CET (9:00 AM EDT, 3:00 PM IST).
Abstract
Security certification reports might be long, but they are also a trove of publicly available data about proprietary devices and other products otherwise available only under NDAs. While downloading and reading a single certificate is easy, reasoning about the characteristics of the whole ecosystem, which covers more than ten thousand certified devices described in human-written documents, is a different matter. Are there observable systematic differences between the Common Criteria and FIPS 140-2 certificates? Can I quickly find out if my device is using a certified component recently found vulnerable? Most importantly, can we measure and quantify whether the whole process is actually increasing the security of the products being certified? This talk addresses these questions using an open source tool for automatic analysis of publicly available certification reports, accompanied by catchy graphs.
Speaker: Petr Švenda, Faculty of Informatics, Masaryk University
For more information, contact brno-research@redhat.com
Session Recording