@@ -709,17 +709,13 @@ The product shall be checked for memory errors by running a tool that exercises
The manufacturer shall implement the network interface firmware and/or software in a memory-safe language. The manufacturer shall document any use of unsafe memory features to explain why they are necessary and do not present a security risk.
* Reference: TR-IMEM
* Reference: TR-SSDD, TR-MSAF
* Objective: Prevent unauthorized memory access
* Preparation: None
* Activities: Review source code to determine its language and what exceptions to memory safety exist
* Verdict: Source code is in a memory-safe language and the documentation of all uses of unsafe memory features convincingly demonstrates that each one of them does not present a security risk => PASS, otherwise FAIL
* Evidence: Source code, documentation of unsafe memory features
#### 5.2.X.x MI-MERR Memory error mitigations for device drivers
FIXME copy from OS
#### 5.2.X.x MI-ETIN Exhaustive testing of inputs that may cause memory errors
The manufacturer shall identify which input fields may produce memory errors in the firmware or device driver. The manufacturer shall conduct boundary tests for all such inputs while monitoring for memory errors.
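Review bot: the MI-MERR section body is only the placeholder "FIXME copy from OS", so this hunk lands a mitigation heading with no requirement text, objective, activities or verdict; either carry the driver-mitigation text over from the OS profile in this change or leave the heading out until the two documents are synchronized. In the memory-safe-language test the two bullets "* Reference: TR-IMEM" and "* Reference: TR-SSDD, TR-MSAF" should be a single Reference line, and the verdict's "convincingly demonstrates" gives the evaluator no criterion; stating what the documentation must show per unsafe feature (why it is necessary and why it does not present a security risk, as the requirement sentence already phrases it) would make PASS/FAIL reproducible.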
@@ -744,6 +740,82 @@ Mitigations satisfy technical requirements only under when they mitigate the rel
| WD-2 | SSCA |
| all others | FZ95 or ETIN or IMSL |
### 5.2.X **TR-MSAF**: Memory error mitigations
#### 5.2.X.x Requirement
The product shall implement appropriate mitigations for memory errors.
> FIXME: Currrently copied from OS, need a plan to synchronize.
#### 5.2.X.x Default Preparation, Verdict, and Evidence
Most memory safety mitigations have the same Verdict and Evidence:
* Preparation: None
* Verdict: each involved thread fails to read or write the target data and takes a segmentation fault, has error handling code executed, or is terminated in all tests => PASS, otherwise FAIL
* Evidence: error messages, log message, or the product reboots or halts
For each mitigation grouped under requirement TR-MSAF, for each field Preparation, Verdict, or Evidence, if it is not specified for that test, then the above Preparation, Verdict, or Evidence field shall apply.
The product shall reject writes beyond the end of the stack.
* Reference: TR-MSAF
* Objective: Prevent thread from writing beyond end of stack
* Activities: Write beyond the end of the stack
Guidance: Two methods of exhausting stack memory include allocating a very large object on the stack, and performing an unbounded recursive function call.
#### 5.2.X.x **MI-MSAF-2**: Stack linear buffer overflow detection
The product shall reject stack buffer writes that go beyond the end of the stack frame.
* Reference: TR-MSAF
* Objective: Prevent thread from writing beyond end of stack
* Activities: Write beyond the end of the stack frame
#### 5.2.X.x **MI-MSAF-3**: Array bounds checking
The product shall reject writes to fixed-size arrays that are beyond the end of the array.
* Reference: TR-MSAF
* Objective: Prevent thread from writing beyond the end of a fixed-size array
* Activities: Write beyond the end of a fixed-size array
#### 5.2.X.x **MI-MZRO-1**: Stack memory zeroing
The product shall zero-initialize all stack memory before use.
* Reference: TR-MSAF
* Objective: Prevent attacker from exploiting erroneous use of uninitialized stack memory
* Activities: Sequentially call 2 functions that allocate the same amount of memory, fill the first with non-zero values and return, and during second function call, read the stack contents back
* Verdict: Stack contents are all zero on second call
* Evidence: Contents of stack before the first function return, contents of stack during the second function call
#### 5.2.X.x **MI-MZRO-2**: Heap memory zeroing
The product shall zero-initialize all heap memory before use.
* Reference: TR-MSAF
* Objective: Prevent attacker from exploiting erroneous use of uninitialized heap memory
* Activities: Allocate heap memory, fill with a non-zero value, free it, allocate it again in a deterministic way to get the same heap region, and read back the contents
* Verdict: Memory contents are all zero on second call
* Evidence: Contents of allocated memory before the free, contents of allocated memory after second allocation
#### 5.2.X.x Mapping of mitigations to risk factors and security profiles
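Review bot: the mitigation that begins "The product shall reject writes beyond the end of the stack." has no "#### 5.2.X.x **MI-MSAF-n**: ..." heading, so it reads as a continuation of the "Default Preparation, Verdict, and Evidence" subsection and the identifier that MI-MSAF-2 and MI-MSAF-3 presuppose is never introduced; add the heading (the Guidance line shows it is the stack-exhaustion test). MI-MSAF-2's Objective repeats "Prevent thread from writing beyond end of stack" although its requirement is about the stack frame, so it should say "beyond end of stack frame". The MI-MZRO-1 and MI-MZRO-2 Verdict lines lack the "=> PASS, otherwise FAIL" form every other verdict in this hunk uses, and MI-MZRO-2's activity "allocate it again in a deterministic way to get the same heap region" needs an explicit check that the second allocation returned the same address, since an all-zero read from a different region proves nothing; consider adding that address comparison to the Evidence. Also "Currrently" in the FIXME blockquote.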