Commit 9937e610 authored by Valerie Aurora

Rewrite boundary testing requirement to new format

parent d5cef466
+11 −8
@@ -759,17 +759,20 @@ The manufacturer shall implement the network interface firmware and/or software
  * Verdict: Source code is in a memory-safe language and the documentation of all uses of unsafe memory features convincingly demonstrates that each one of them does not present a security risk => PASS, otherwise FAIL
  * Evidence: Source code, documentation of unsafe memory features

#### 5.2.X.x MI-ETIN Exhaustive testing of inputs that may cause memory errors
#### 5.2.X.x MI-BTIN Boundary testing of inputs that may cause memory errors

The manufacturer shall identify which input fields may produce memory errors in the firmware or device driver. The manufacturer shall conduct boundary tests for all such inputs while monitoring for memory errors.
The input fields of the product that may produce memory errors in the firmware or device driver shall be identified. The product shall be boundary tested for all such inputs while monitoring for memory errors. All memory errors detected shall be documented with a rationale for why it does not constitute an unacceptable risk.

* Test: run boundary tests for all identified inputs while monitoring for memory errors
* Result: no memory errors
* Documentation: documentation of identified inputs and what inputs were boundary testing
  * Reference: TR-SSDD, TR-MSAF
  * Objective: Prevent unauthorized memory access
  * Preparation: Identify input fields in the product that may produce memory errors
  * Activities: Run a tool that tests input values that test the boundaries of the input values (minimum valid, maximum valid, minimum possible, maximum possible, off-by-one, etc.) while monitoring for memory errors
  * Verdict: All boundary values tested and all memory errors detected are documented and justified => PASS, otherwise FAIL
  * Evidence: Logs of boundary testing tool, memory error report, documentation of any memory errors

#### 5.2.X.x **MI-SCFS**: Secure compilation flags

The manufacturer shall ensure that all security-relevant firmware and software are compiled with secure compilation flags and options appropriate to the target platform and language. The manufacturer shall document the compilation flags used, their rationale, and any exceptions or limitations. Any exceptions to the flags or warnings shall be documented as to why they do not affect the security of the system.
All security-relevant firmware and software shall be compiled with secure compilation flags and options appropriate to the target platform and language. All compilation flags used shall be documented as to their rationale, along with any exceptions or limitations. Any exceptions to the flags or warnings shall be documented as to why they do not create an unacceptable risk.

  * Applicability: Product implemented in a compiled language
  * Reference: TR-SDDV
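Review bot: the added MI-BTIN paragraph has a number mismatch in "All memory errors detected shall be documented with a rationale for why it does not constitute an unacceptable risk"; suggest "...why each does not constitute an unacceptable risk", which also matches the per-error justification the Verdict line asks for. The Activities line "Run a tool that tests input values that test the boundaries of the input values (...)" repeats itself; something like "Run a tool that exercises boundary values for each identified input field (minimum valid, maximum valid, minimum possible, maximum possible, off-by-one, etc.) while monitoring for memory errors" reads more cleanly. The Evidence line lists both "memory error report" and "documentation of any memory errors"; if these are meant to be distinct artifacts (the monitoring tool's output versus the written rationale the paragraph requires), naming them as such would remove the apparent duplication.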
@@ -785,13 +788,13 @@ The manufacturer shall ensure that all security-relevant firmware and software a
|--------------|------------------------------------|
| NET < 1      | SCFS                               |
| NET < 2      | SCFS, SSCA                         |
| NET > 1      | SCFS, SCCA, (FZ95 or ETIN or IMSL) |
| NET > 1      | SCFS, SCCA, (FZ95 or BTIN or IMSL) |

| Security Profile | Requires mitigations               |
|------------------|------------------------------------|
| WD-1, VI-1       | SCFS                               |
| WL-1             | SCFS, SSCA                         |
| all others       | SCFS, SSCA, (FZ95 or ETIN or IMSL) |
| all others       | SCFS, SSCA, (FZ95 or BTIN or IMSL) |

### 5.2.X **TR-MSAF**: Memory error mitigations
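Review bot: the ETIN to BTIN rename in the two tables is consistent with the new heading, but the changed NET row keeps "SCCA" ("SCFS, SCCA, (FZ95 or BTIN or IMSL)") while the neighbouring "NET < 2" row and the whole Security Profile table use "SSCA"; one of these looks like a typo and should be aligned with the identifier the requirement actually defines. The "NET < 1" and "NET < 2" rows also overlap (a product with NET < 1 satisfies both), so consider whether the second row should read "NET = 1" or similar so that each network interface level maps to exactly one row. Since the diff only shows the heading and these two tables, it is worth checking that no other mention of "ETIN" or "Exhaustive testing" remains elsewhere in the document.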