Insights from Automated Large-Scale Analysis of Common Criteria Certificates (S12c)
Products certified under security certification frameworks like Common Criteria go through extensive scrutiny during the costly certification process. However, even products with high assurance levels may have critical vulnerabilities. Moreover, identifying which certified products are affected by these vulnerabilities is challenging due to the abundance of unstructured certification-related data and unclear connections between certificates. In response to these challenges, a large-scale automated analysis of Common Criteria certificates was undertaken.
This extensive analysis, which will be discussed in the talk, involved correlating certified devices with existing vulnerability databases and assessing the security impact of the certification process. The tooling employed in this analysis automates the examination of tens of thousands of certification-related documents, extracting machine-readable features that would be impractical to obtain through manual analysis. The talk will also address which aspects of certification correlate with higher security and how certified devices reference one another. Continuous updates and results can be found at https://seccerts.org.