FDRERASE
Introduction
Purpose of this Manual
The purpose of this manual is to provide you with the information to install, use, and understand FDRERASE.
What is FDRERASE?
FDRERASE is used to erase all data from DASD volumes before they are reused or removed from a data center.
FDRERASE is a proprietary program product of Compuware Corporation and is available for license exclusively from Compuware Corporation.
CCEVS Certification
FDRERASE Release 05.04.50, the first z/OS secure erase utility to complete Common Criteria Evaluation and Validation Scheme (CCEVS) evaluation and Common Criteria EAL2 Augmented validation, earned the right to display the International Common Criteria Recognition Arrangement (CCRA) certification mark on August 9, 2005.
FDRERASE is designed to comply with current U.S. Government guidelines for erasing computer DASD prior to disposal… the Department of Defense concurring that the erasure of computer DASD prior to disposal, as specified in the ASD(C31) memo of June 4, 2001.
For the Common Criteria EAL2 Augmented evaluation certificate, go to:
http://www.niap-ccevs.org/cc-scheme/st/index.cfm/vid/10064/maint/146
Validated Product
FDRERASE, Release 05.04.70
Product Name: | Key Words: None |
Product Type: Sensitive Data Protection | Vendor: Compuware Corporation |
Date: 23 January 2007 | POC: Thomas J Meehan |
Conformance Claim: | Phone: 973-890-7300 |
PP Identifier: None | Email: tmeehan@compuware.com |
Web: http://fdr.com/products/fdrerase/ https://www.compuware.com//products/fdrerase/ | |
CC Testing Lab: | |
Product Description
The TOE is an application that runs on a mainframe computer running the IBM z/OS operating system. The TOE provides two levels of DASD erasure: the ERASE and SECUREERASE functions. DASD erasures are performed by overwriting stored data to make the original data unrecoverable. This overwrite includes the Volume Table of Contents (VTOC), that is, the DASD directory. The TOE also provides a method to verify that user data has been erased. This is the VERIFY function.
The ERASE function overwrites every track of DASD with a track-length record, consisting of binary zeros by default. This single overwrite makes all data originally on each track unrecoverable by any normal system program running anywhere that has direct access to the DASD or through the DASD control unit. Original data, however, may still be recoverable through sophisticated laboratory techniques and special programs whose purpose is to recover data on DASD by commanding the DASD to skew read heads plus or minus a number of degrees. Any residual data recording on the “edge” of the track may be recoverable using such a technique.
The SECUREERASE function overwrites each DASD track a minimum of three times, writing a random pattern, a complement of the first pattern, and finally another random pattern, by default. This multiple overwrite process (optionally up to eight overwrites) makes the original data unrecoverable, even by sophisticated laboratory techniques applied to hard drives removed from the control unit.
The VERIFY function can be used to sample tracks on the erased volumes to ensure that they have been erased. By default it verifies a percentage of the volume but can verify the entire volume if needed.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Compuware Corporation, FDRERASE, Version 5.4, Level 50 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2 and International Interpretations effective on 28 January 2005. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.2, Revision 256, January 2004. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 2 augmented with ADV_SPM.1 and ALC_FLR.2 family of assurance requirements. The product, when configured as specified in the Compuware Corporation Software Distribution Process Description and Software Distribution Facility User Guide and the Compuware Corporation FDRPAS and FDRERASE User Manual and Installation Guide, satisfies all of the security functional requirements stated in the Compuware Corporation, FDRERASE Security Target, Version 1.0. One validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in June 2005. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-05-0109, dated 5 August 2005) prepared by CCEVS.
Environmental Strengths
The TOE is a commercial product whose users require a low to moderate level of independently assured security. Compuware Corporation, FDRERASE, Version 5.4, Level 50 is targeted at a relatively benign environment with good physical access security and competent TOE administrators and users. Within such environments, it is assumed that attackers will have a low attack potential. Compuware Corporation, FDRERASE, Version 5.4, Level 50 supports the following five security functions:
- Security Audit – The TOE writes to every track on the DASD in order to erase it. If this operation fails, the I/O is automatically retried by the DASD subsystem (hardware) and by standard IBM error recovery software in the operating system.
  If the TOE finds the DASD is not off-line, the TOE terminates with a non-zero completion code (return code) and outputs an error message with asterisks to the console and program listing indicating the erasure was incomplete, and the TOE makes no attempt to overwrite the data on that specific DASD volume.
- User Data Protection – The TOE provides two DASD erasure functions: ERASE and SECUREERASE. Both functions overwrite DASD to ensure the risk of remaining residual data, if any, is commensurate with the risk of a person scavenging for user data. The ERASE function overwrites the DASD with one pass (or more, selectable by an input option, up to 8) of binary zero or of hexadecimal bytes chosen by the TOE user. The SECUREERASE function overwrites a DASD volume with a minimum of three passes (or more, selectable by an input option, up to 8) of hexadecimal bytes determined by the TOE.
  In addition, the TSF provides the VERIFY function to enable the TOE user to verify that physical tracks of the DASD have indeed been overwritten sufficiently that no residual information remains.
- Security Management – The TOE provides two DASD erasure options and identifies the DASD to be cleared.
  The TOE reports to the TOE user the outcome of a DASD overwrite, including: success; failure to access the DASD because the DASD is found to be on-line; and failure to overwrite a bad DASD track after successive attempts.
  The TOE provides the VERIFY function, to enable the user to verify that physical tracks of a DASD have indeed been overwritten sufficiently that no residual information remains.
- Protection of Security Functions – The TOE protects against failure with loss of the secure state, which requires that the TOE preserve a secure state in the face of the identified failures. The TOE ensures that only DASD that has been varied off-line is available to the TOE. If it is not, the TOE does not attempt to overwrite the DASD and reports the failure to the TOE user. Also, the TOE checks before every write to see if the DASD has been varied online; if so, the operation is terminated with an error message.
  The TOE determines the manufacturer of the DASD before beginning to execute. This test is necessary since the external interface of the DASD for committing data to be written from a cache to the hard drive (termed “hardening”) varies by manufacturer, and the TOE has to determine the type and size of DASD it is attempting to overwrite.
  Throughout the process of performing a DASD overwrite, the TOE continually monitors for any I/O errors on the write and other I/O issued to the DASD. During an overwrite of a DASD, if twenty write errors are encountered, the TOE sends a message to the console and the TOE user identifying the DASD, and that the overwrite was a failure. The TOE then terminates and automatically returns to its inactive maintenance mode (that is, resident in the authorized library on DASD where it was originally installed).
- Resource Utilization – The TOE notifies the user an operation did not complete in the event of identified failures. When a failure to write to a specific area of DASD occurs because of damage to the surface of the DASD, the TSF makes multiple attempts to write to the area in an attempt to overwrite any data that may reside there. If this fails, the TOE skips the affected area and continues with the overwrite until the complete DASD volume is overwritten.
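The SECUREERASE pass sequence from the Product Description, together with the failure handling and VERIFY sampling listed above, can be modelled against an in-memory volume. This is an added illustration, not FDRERASE code: `SimVolume`, the 64-byte track size, the retry count of three, counting every failed attempt toward the twenty-error limit, and VERIFY comparing against the final pass's record are all assumptions.

```python
import os
import random

TRACK_LEN = 64          # constructed track size; real DASD tracks are far larger
MAX_WRITE_ERRORS = 20   # abort threshold stated in the evaluation summary
RETRIES = 3             # assumption: the page says only "multiple attempts"

class SimVolume:
    """Constructed in-memory stand-in for a DASD volume (hypothetical)."""
    def __init__(self, tracks, bad=(), online=False):
        self.tracks = [b"PAYROLL!" * (TRACK_LEN // 8) for _ in range(tracks)]
        self.bad, self.online = set(bad), online

    def write(self, n, record):
        if n in self.bad:
            raise OSError(f"write error on track {n}")
        self.tracks[n] = record

def secure_erase(vol, passes=3):
    """Return (status, skipped_tracks, final_record)."""
    if not 3 <= passes <= 8:
        raise ValueError("SECUREERASE uses 3 to 8 passes")
    errors, skipped, first, record = 0, set(), None, None
    for p in range(passes):
        # Pass 1: random pattern; pass 2: its complement; later passes: new random.
        record = bytes(b ^ 0xFF for b in first) if p == 1 else os.urandom(TRACK_LEN)
        first = first or record
        for n in range(len(vol.tracks)):
            if vol.online:                 # re-checked before every write
                return "ABORT: volume is online", skipped, None
            for _ in range(RETRIES):
                try:
                    vol.write(n, record)
                    break
                except OSError:
                    errors += 1            # assumption: each failed attempt counts
                    if errors >= MAX_WRITE_ERRORS:
                        return "ABORT: 20 write errors", skipped, None
            else:
                skipped.add(n)             # bad track: skip it and continue
    return ("INCOMPLETE" if skipped else "OK"), skipped, record

def verify(vol, expected, percent=10, seed=0):
    """Sample a percentage of tracks; return those not holding `expected`."""
    count = max(1, len(vol.tracks) * percent // 100)
    sample = random.Random(seed).sample(range(len(vol.tracks)), count)
    return sorted(n for n in sample if vol.tracks[n] != expected)
```

In this model a sampled VERIFY can miss a single skipped track, so the erase status and the list of skipped tracks have to be reviewed alongside the verification result; `percent=100` checks every track.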