With 5394 security certificates of IT products and systems, the Common Criteria for Information Technology Security Evaluation have bred an ecosystem entangled with various kinds of relations between the certified products. Yet, the prevalence and nature of dependencies among Common Criteria certified products remain largely unexplored. This study devises a novel method for building the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm, and measuring how often the references constitute actual dependencies between the certified products. With the help of the resulting reference graph, this work identifies just a dozen certified components that are relied on by at least 10% of the whole ecosystem -- making them a prime target for malicious actors. The impact of their compromise is assessed and potentially problematic references to archived products are discussed.
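The reference-graph analysis described above, as an added worked example that is not code from the paper: references are kept as dependencies only when their context is classified as a component reference, the share of the ecosystem transitively depending on each certificate is computed, and dependencies on archived products are flagged. The certificate ids, context labels and the 10% threshold's toy graph are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed toy graph: certificate id -> list of (referenced id, context).
# Only "component" references are treated as real dependencies; a
# "predecessor" reference (an older version of the same product) is not.
CONSTRUCTED_REFERENCES = {
    "P-A": [("SC-PLAT-1", "component")],
    "P-B": [("SC-PLAT-1", "component")],
    "P-C": [("P-A", "component")],                  # transitively on SC-PLAT-1
    "P-D": [("OS-1", "component"), ("P-D-OLD", "predecessor")],
    "P-E": [("OS-1", "component")],
    "P-F": [("P-E", "predecessor")],                # not a dependency
    "P-G": [("P-C", "component")],                  # P-G -> P-C -> P-A -> SC-PLAT-1
    "P-H": [],
}

def dependency_graph(references, dependency_contexts=("component",)):
    """Map each certificate to the set of certificates directly depending on it,
    keeping only references whose context counts as a dependency."""
    dependents = defaultdict(set)
    for src, refs in references.items():
        for dst, ctx in refs:
            if ctx in dependency_contexts:
                dependents[dst].add(src)
    return dependents

def transitive_dependents(dependents, cert):
    """Breadth-first walk over the reversed dependency edges."""
    seen, queue = set(), deque([cert])
    while queue:
        for dep in dependents.get(queue.popleft(), ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    seen.discard(cert)
    return seen

def critical_components(references, threshold=0.10):
    """Certificates relied on (directly or transitively) by at least
    `threshold` of all certificates, with their share, largest first."""
    certs = set(references) | {d for refs in references.values() for d, _ in refs}
    dependents = dependency_graph(references)
    shares = {c: round(len(transitive_dependents(dependents, c)) / len(certs), 3)
              for c in certs}
    hits = {c: s for c, s in shares.items() if s >= threshold}
    return dict(sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])))

def archived_dependencies(references, archived, dependency_contexts=("component",)):
    """Dependency edges pointing at archived (no longer maintained) certificates."""
    return [(src, dst) for src, refs in references.items()
            for dst, ctx in refs if ctx in dependency_contexts and dst in archived]
```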