Commit 792e6b8d authored by Valerie Aurora

Add watchdog mitigation, do mappings, add blank TR

parent 9d5e1af8
+92 −31
@@ -747,7 +747,7 @@ All mitigations for TR-TEST are required for all products.

#### 5.2.X.x Requirement

The network interface shall not process data originating from the attached network in such a way as to cause an internal memory safety error.
The network interface shall not process data originating from the attached network in such a way as to cause an internal memory safety error that affects the security-relevant parts of the network interface.

#### 5.2.X.x **MI-SSCA**: Static source code analysis for memory errors

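Review bot: the added qualifier "that affects the security-relevant parts of the network interface" narrows the requirement using a term that is not defined in this hunk, and the same phrase now scopes MI-FUZZ and MI-IMSL below, so its meaning decides how much of the code each mitigation must cover. Either define "security-relevant parts" where the TR is introduced (or point to where the risk assessment defines it) or keep the original unqualified wording; as written, a memory safety error in a part the manufacturer deems non-security-relevant is out of scope even though it is still triggered by untrusted data from the attached network.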
@@ -767,45 +767,106 @@ All warnings, annotations, or other method of suppressing warnings from the anal
* Output: the output of the source code analysis checker
* False negative test: for each kind of memory error in the above list, write a test program with the error, run the analysis tool on it, and show that it produces a warning for each error

#### 5.2.X.x MI-FUZZ Check input handling with an automated fuzzer

Fuzz packet input with memory use checker
The manufacturer shall run a packet fuzzer on the security-relevant parts of the network interface firmware and/or software until it reaches NN% code coverage of the source code (NN based on overall risk) while monitoring for memory access errors.

  * Test: run a packet fuzzer on instrumented firmware in simulator with memory access checking until it reaches NN% code coverage (NN based on overall risk)
  * Result: simulator shows no out-of-bounds memory access
  * Documentation: what simulator and fuzzer was used, with what configuration
  * False negative prevention: create a firmware version that DOES allow an out-of-bounds write and show that it is logged by the simulator
  * Requirements: a way to run the network interface firmware and software that permits measuring which parts of the source code have been executed and detecting memory safety errors
  * Test: run a packet fuzzer until it reaches NN% code coverage (NN based on overall risk)
  * Result: no memory safety errors are detected
  * False negative prevention: create a version of the firmware and/or software that DOES allow an out-of-bounds write and show that it is detected with NN% code coverage

Source code analysis
#### 5.2.X.x MI-IMSL Implement in a memory-safe language

  * Test: run a source code analyzer that statically checks for out-of-bounds memory access
  * Result: analyzer results shows no out-of-bounds memory access
  * Documentation: source code, what source code analyzer was used, what parameters, any explanations of false positives or annotations in the source code that are instructions to the analyzer
  * False negative prevention: create a firmware version that DOES allow an out-of-bounds write and show that the analyzer catches it
The manufacturer shall implement all security-relevant parts of the network interface firmware and/or software in a memory-safe language. The manufacturer shall document any use of unsafe memory features to explain why they are necessary and do not present a security risk.

Implement in a memory-safe language
TBD: define memory-safe language

  * Test: examine source code and firmware to see if they are in a memory-safe language
  * Result: source code is in a memory-safe language, binary appears to be built from the source, any part of the source code that allows unsafe memory access has documentation explaining why it does not affect memory safety
  * Documentation: source code, how to copy firmware from device
  * Test: review source code to determine its language and what exceptions to memory safety exists
  * Result: source code is in a memory-safe language and the documentation of all uses of unsafe memory features convincingly demonstrates that each one of them does not present a security risk
  * Documentation: source code and documentation of unsafe features

### TR restart card when not functioning
#### 5.2.X.x MI-ETIN Exhaustive testing of inputs

Threat: Attacker causes network interface to stop functioning
TBD describe this, basically smart fuzzing by hand :)

Mitigations:
#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

Mitigations satisfy technical requirements only under when they mitigate the relevant risks appropriately. Risk factors are used to determine this. The below table shows which mitigations are appropriate to which use cases or security profiles based on the risk factors determined in the risk assessment.

| Mitigation | Satisfies TR if risk factors are |
|------------|----------------------------------|
| None       | ACC = 0                          |
| SSCA       | ACC <= 1 or COM = 0              |
| FUZZ       | any                              |
| IMSL       | any                              |

| Mitigation | Satisfies TR for these security profiles   |
|------------|--------------------------------------------|
| None       | VI-1                                       |
| SSCA       | WD-2                                       |
| FUZZ       | any                                        |
| MSEL       | any                                        |

### 5.2.X.x TR-MDNF: Mitigate disabling of network functions

#### 5.2.X.x Requirement

The network interface shall implement mechanisms to observe when the firmware and/or software of the network interface is no longer capable of performing its functions and automatically reset the network interface to a functioning state.

#### 5.2.X.x MI-WDOG: Watchdog to reset network interface

The network interface shall implement a watchdog mechanism that observes whether the network interface is capable of performing its functions. If the watchdog observes that the interfaces is not capable of performing its functions for a significant period of time, it will reset the network interface to a functioning state using a hardware-based mechanism.

  * Applicabilty: only applies to physical network interfaces
  * Test: use a testing interface to halt the firmware or sofware, wait for the watchdog to reset the firmware, and then attempt to use a network interface function after any necessary initialization or configuration
  * Result: after a specific time period has elapsed, the interface restarts, any initialization or configuration succeeds, and the use of the network interface function succeeded
  * Output: error, log message, statistics update, or other information from card indicating reset has occurred, log message or statistic showing the post-reset test function succeeded
  * False positive prevention: do not use any network interface functions for N+1 seconds and see that it does not reset

#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

| Mitigation | Satisfies TR if risk factors are |
|------------|----------------------------------|
| WDOG       | any                              |

Watchdog resets interface after interface stops responding
| Mitigation | Satisfies TR for these security profiles |
|------------|------------------------------------------|
| WDOG       | WD-1, WD-2, WL-1, WL-2                   |

  * Test: use debug interface to halt firmware
  * Result: after N seconds, the interface restarts
  * Documentation: how to enable debug interface, how to halt firmware, how to get log of restart
  * False positive prevention: prevent any rx/tx/configuration/etc. activity on the card for N+1 seconds and see that it does not restart
> Copy-n-paste mitigation format

### TR 
### 5.2.X **TR-XXXX**:

Threat: Packet processing errors (not memory) allow code execution or data modification on NIC or host
#### 5.2.X.x **MI-XXXX**:

### TR General cryptography issues
_Description of mitigation in "shall" format._

* Test:
* Result:
* Output:
* False positive test:
* Requirements:
* Documentation:

#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

| Mitigation | Satisfies TR if risk factors are |
|------------|----------------------------------|
| XXXX       | USR ACC COM ADM                  |

| Mitigation | Satisfies TR for these security profiles   |
|------------|--------------------------------------------|
| XXXX       | WD-1, WD-2, WL-1, WL-2, VI-1, VI-2         |

Security profile to risk mapping for construction above tables

| SP-WD-1          | USR-L-1 | ACC-L-2 | COM-L-2 | ADM-L-0 |
| SP-WD-2          | USR-L-3 | ACC-L-2 | COM-L-0 | ADM-L-1 |
| SP-WL-1          | USR-L-2 | ACC-L-2 | COM-L-3 | ADM-L-1 |
| SP-WL-2          | USR-L-3 | ACC-L-2 | COM-L-3 | ADM-L-1 |
| SP-VI-1          | USR-L-2 | ACC-L-0 | COM-L-0 | ADM-L-1 |
| SP-VI-2          | USR-L-3 | ACC-L-2 | COM-L-1 | ADM-L-1 |



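Review bot: the second mapping table under the memory-safety TR uses "MSEL" while the heading and the risk-factor table use "IMSL"; make the row `| IMSL       | any                                        |` so both tables agree with the MI-IMSL heading. Other points in this hunk: "Mitigations satisfy technical requirements only under when they mitigate" should read "only when they mitigate"; MI-FUZZ drops the Documentation bullet (which fuzzer, simulator and configuration were used) that the old text had and that the TR-XXXX template still lists, and its "NN based on overall risk" is never tied to a named risk factor, so the coverage target cannot be checked; MI-IMSL still carries "TBD: define memory-safe language" yet is already listed as satisfying the TR for "any" risk factor and profile; the MI-WDOG shall statement says "a significant period of time" while its test uses an unnamed N and "N+1 seconds", so name the timeout once and use it in both the shall statement and the test, and fix "Applicabilty", "sofware" and "the interfaces is". The verification bullets are also named inconsistently ("False negative test" in MI-SSCA, "False negative prevention" in MI-FUZZ, "False positive prevention" in MI-WDOG, "False positive test" in the template); pick one pair of names. Finally, the security-profile-to-risk table at the end has no header row naming its columns.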
@@ -818,17 +879,17 @@ Threat: Packet processing errors (not memory) allow code execution or data modif
| CRA requirement                                 | Technical security requirements(s) |
|-------------------------------------------------|------------------------------------|
| No known exploitable vulnerabilities            |                                    |
| Secure design, development, production          |                                    |
| Secure design, development, production          | TEST                               |
| Secure by default configuration                 |                                    |
| Secure updates                                  |                                    |
| Authentication and access control mechanisms    |                                    |
| Confidentiality protection                      |                                    |
| Integrity protection for data and configuration |                                    |
| Integrity protection for data and configuration | IMEM                               |
| Data minimization                               |                                    |
| Availability protection                         |                                    |
| Minimize impact on other devices or services    |                                    |
| Availability protection                         | MDNF                               |
| Minimize impact on other devices or services    | MDNF                               |
| Limit attack surface                            |                                    |
| Exploit mitigation by limiting incident impact  |                                    |
| Exploit mitigation by limiting incident impact  | MDNF, IMEM                         |
| Logging and monitoring mechanisms               |                                    |
| Secure deletion and data transfer               |                                    |
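Review bot: "Logging and monitoring mechanisms" is left blank although MI-WDOG's Output bullet requires an error, log message or statistics update indicating that a reset occurred, so MDNF belongs in that row as well; and "No known exploitable vulnerabilities" is left blank although MI-SSCA and MI-FUZZ under the memory-safety TR exist precisely to find such vulnerabilities before release, so consider adding IMEM there. Also confirm that IMEM matches the actual heading of the memory-safety TR: TEST and MDNF correspond to TR-TEST and TR-MDNF in the visible text, but no TR-IMEM heading appears anywhere in this diff.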