Moved MI‑MSAF‑1/2/3, MI‑MZRO‑1/2 from Limit Incident Impact (ER-LMII) to ...

See clause 5.3 for which mitigations are necessary for which security profiles and clause C.4 for the rationale.

### 5.2.3 ER-LMII: Limit incident impact

#### 5.2.3.1 Cybersecurity requirement

The product shall implement appropriate mitigations to limit incident impact.

#### 5.2.3.2 Default Preparation, Verdict, and Evidence for memory safety mitigations

Most memory safety mitigations have the same Verdict and Evidence:

* Preparation: None

* Verdict: each involved thread fails to read or write the target data and takes a segmentation fault, has error handling code executed, or is terminated in all tests => PASS, otherwise FAIL

* Evidence: error messages, log message, or the product reboots or halts

For each mitigation grouped under cybersecurity requirement ER-LMII, for each field Preparation, Verdict, or Evidence, if it is not specified for that test, then the above Preparation, Verdict, or Evidence field shall apply.

#### 5.2.3.3 MI-MSAF-1: Stack exhaustion detection

#### 5.2.2.8 MI-MSAF-1: Stack exhaustion detection

The product shall reject writes beyond the end of the stack.

* Reference: ER-LMII

* Reference: ER-SSDD

* Objective: Prevent thread from writing beyond end of stack

* Activities: Write beyond the end of the stack

Guidance: Two methods of exhausting stack memory include allocating a very large object on the stack, and performing an unbounded recursive function call.

#### 5.2.3.4 MI-MSAF-2: Stack linear buffer overflow detection

#### 5.2.2.9 MI-MSAF-2: Stack linear buffer overflow detection

The product shall reject stack buffer writes that go beyond the end of the stack frame.

* Reference: ER-LMII

* Reference: ER-SSDD

* Objective: Prevent thread from writing beyond end of stack

* Activities: Write beyond the end of the stack frame

#### 5.2.3.5 MI-MSAF-3: Array bounds checking

#### 5.2.2.10 MI-MSAF-3: Array bounds checking

The product shall reject writes to fixed-size arrays that are beyond the end of the array.

* Reference: ER-LMII

* Reference: ER-SSDD

* Objective: Prevent thread from writing beyond the end of a fixed-size array

* Activities: Write beyond the end of a fixed-size array

#### 5.2.3.6 MI-MZRO-1: Stack memory zeroing

#### 5.2.2.11 MI-MZRO-1: Stack memory zeroing

The product shall zero-initialize all stack memory before use.

* Reference: ER-LMII

* Reference: ER-SSDD

* Objective: Prevent attacker from exploiting erroneous use of uninitialized stack memory

* Activities: Sequentially call 2 functions that allocate the same amount of memory, fill the first with non-zero values and return, and during second function call, read the stack contents back

* Verdict: Stack contents are all zero on second call

* Evidence: Contents of stack before the first function return, contents of stack during the second function call

#### 5.2.3.7 MI-MZRO-2: Heap memory zeroing

#### 5.2.2.12 MI-MZRO-2: Heap memory zeroing

The product shall zero-initialize all heap memory before use.

* Reference: ER-LMII

* Reference: ER-SSDD

* Objective: Prevent attacker from exploiting erroneous use of uninitialized heap memory

* Activities: Allocate heap memory, fill with a non-zero value, free it, allocate it again in a deterministic way to get the same heap region, and read back the contents

* Verdict: Memory contents are all zero on second call

* Evidence: Contents of allocated memory before the free, contents of allocated memory after second allocation

### 5.2.3 ER-LMII: Limit incident impact

#### 5.2.3.1 Cybersecurity requirement

The product shall implement appropriate mitigations to limit incident impact.

#### 5.2.3.2 Default Preparation, Verdict, and Evidence for memory safety mitigations

Most memory safety mitigations have the same Verdict and Evidence:

* Preparation: None

* Verdict: each involved thread fails to read or write the target data and takes a segmentation fault, has error handling code executed, or is terminated in all tests => PASS, otherwise FAIL

* Evidence: error messages, log message, or the product reboots or halts

For each mitigation grouped under cybersecurity requirement ER-LMII, for each field Preparation, Verdict, or Evidence, if it is not specified for that test, then the above Preparation, Verdict, or Evidence field shall apply.

#### 5.2.3.8 Mapping of mitigations to risk factors and security profiles

See clause 5.3 for which mitigations are necessary for which security profiles and Annex C.4 for the rationale.