Rename TR-MSAF to TR-LMII (c6946b53) · Commits · STAN4CRA / EN 304 625 Network Interfaces

EN-304-625.md

+25 −25

Original line number	Diff line number	Diff line
		@@ -808,13 +808,13 @@ All security-relevant firmware and software shall be compiled with secure compil
		\| WL-1 \| SCFS, SSCA \|
		\| all others \| SCFS, SSCA, (FZ95 or BTIN or IMSL) \|

		### 5.2.X TR-MSAF: Memory error mitigations
		### 5.2.X TR-LMII: Limit incident impact

		#### 5.2.X.x Requirement

		The product shall implement appropriate mitigations for memory errors.
		The product shall implement appropriate mitigations to limit incident impact

		#### 5.2.X.x Default Preparation, Verdict, and Evidence
		#### 5.2.X.x Default Preparation, Verdict, and Evidence for memory safety mitigations

		Most memory safety mitigations have the same Verdict and Evidence:

		@@ -822,13 +822,13 @@ Most memory safety mitigations have the same Verdict and Evidence:
		* Verdict: each involved thread fails to read or write the target data and takes a segmentation fault, has error handling code executed, or is terminated in all tests => PASS, otherwise FAIL
		* Evidence: error messages, log message, or the product reboots or halts

		For each mitigation grouped under requirement TR-MSAF, for each field Preparation, Verdict, or Evidence, if it is not specified for that test, then the above Preparation, Verdict, or Evidence field shall apply.
		For each mitigation grouped under requirement TR-LMII, for each field Preparation, Verdict, or Evidence, if it is not specified for that test, then the above Preparation, Verdict, or Evidence field shall apply.

		#### 5.2.X.x MI-MSAF-1: Stack exhaustion detection

		The product shall reject writes beyond the end of the stack.

		* Reference: TR-MSAF
		* Reference: TR-LMII
		* Objective: Prevent thread from writing beyond end of stack
		* Activities: Write beyond the end of the stack

		@@ -838,7 +838,7 @@ Guidance: Two methods of exhausting stack memory include allocating a very large

		The product shall reject stack buffer writes that go beyond the end of the stack frame.

		* Reference: TR-MSAF
		* Reference: TR-LMII
		* Objective: Prevent thread from writing beyond end of stack
		* Activities: Write beyond the end of the stack frame

		@@ -846,7 +846,7 @@ The product shall reject stack buffer writes that go beyond the end of the stack

		The product shall reject writes to fixed-size arrays that are beyond the end of the array.

		* Reference: TR-MSAF
		* Reference: TR-LMII
		* Objective: Prevent thread from writing beyond the end of a fixed-size array
		* Activities: Write beyond the end of a fixed-size array

		@@ -854,7 +854,7 @@ The product shall reject writes to fixed-size arrays that are beyond the end of

		The product shall zero-initialize all stack memory before use.

		* Reference: TR-MSAF
		* Reference: TR-LMII
		* Objective: Prevent attacker from exploiting erroneous use of uninitialized stack memory
		* Activities: Sequentially call 2 functions that allocate the same amount of memory, fill the first with non-zero values and return, and during second function call, read the stack contents back
		* Verdict: Stack contents are all zero on second call
		@@ -864,7 +864,7 @@ The product shall zero-initialize all stack memory before use.

		The product shall zero-initialize all heap memory before use.

		* Reference: TR-MSAF
		* Reference: TR-LMII
		* Objective: Prevent attacker from exploiting erroneous use of uninitialized heap memory
		* Activities: Allocate heap memory, fill with a non-zero value, free it, allocate it again in a deterministic way to get the same heap region, and read back the contents
		* Verdict: Memory contents are all zero on second call
		@@ -1536,17 +1536,17 @@ SP-VI-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or BTIN or IMSL), IMSL or (MSAF
		\| CRA requirement \| Technical security requirements(s) \|
		\|-------------------------------------------------\|------------------------------------\|
		\| No known exploitable vulnerabilities \| NKEV \|
		\| Secure design, development, production \| SSDD, MSAF \|
		\| Secure design, development, production \| SSDD, LMII \|
		\| Secure by default configuration \| SDEF \|
		\| Secure updates \| SCUD \|
		\| Authentication and access control mechanisms \| AUTH\* \|
		\| Confidentiality protection \| CDST, CDTX, CRYP\* \|
		\| Integrity protection for data and configuration \| IDST, IDTX \|
		\| Data minimization \| DMIN \|
		\| Availability protection \| AVAI, MSAF \|
		\| Minimize impact on other devices or services \| SDEF, AVAI, SSDD, MSAF \|
		\| Limit attack surface \| LMAS, SSDD, MSAF \|
		\| Exploit mitigation by limiting incident impact \| AVAI, SSDD, MSAF \|
		\| Availability protection \| AVAI, LMII \|
		\| Minimize impact on other devices or services \| SDEF, AVAI, SSDD, LMII \|
		\| Limit attack surface \| LMAS, SSDD, LMII \|
		\| Exploit mitigation by limiting incident impact \| LMII, AVAI, SSDD \|
		\| Logging and monitoring mechanisms \| LOGG \|
		\| Secure deletion and data transfer \| SCDL, SDTR \|
		\| Vulnerability handling \| VULH \|
		@@ -1857,7 +1857,7 @@ Requirements: NKEV, SCUD, SSDD, MSAF, LMAS, LOGG, VULH
		\| max(SYS, SDS, SDT, FUN, DOS) = 1 \| Medium \|
		\| max(SYS, SDS, SDT, FUN, DOS) = 0 \| Low \|

		Requirements: SSDD, MSAF, DMIN, LMAS, LOGG
		Requirements: SSDD, LMII, DMIN, LMAS, LOGG

		[TH-PHYS]: Attacker may get unauthorized access to confidential data stored on the product through acquisition of a used product.

		@@ -1920,7 +1920,7 @@ Requirements: CDTX, DMIN, LMAS
		\| max(SDS, SDT, FUN) = 1 \| Medium \|
		\| max(SDS, SDT, FUN) = 0 \| Low \|

		Requirements: AVAI, MSAF, LMAS, LOGG, VULH
		Requirements: AVAI, LMII, LMAS, LOGG, VULH

		[TH-FDOS]: Attacker may use host system or network access for a denial-of-service attack on product functions.

		@@ -1936,7 +1936,7 @@ Requirements: AVAI, MSAF, LMAS, LOGG, VULH
		\| FUN = 1 \| Medium \|
		\| FUN = 0 \| Low \|

		Requirements: AVAI, MSAF, LMAS, LOGG
		Requirements: AVAI, LMII, LMAS, LOGG

		[TH-DDOS]: Attacker may exploit vulnerabilities in the product to attack other products.

		@@ -1952,7 +1952,7 @@ Requirements: AVAI, MSAF, LMAS, LOGG
		\| DOS = 1 \| Medium \|
		\| DOS = 0 \| Low \|

		Requirements: AVAI, MSAF, LMAS, LOGG, VULH
		Requirements: AVAI, LMII, LMAS, LOGG, VULH

		[TH-MQSE]: Attacker may masquerade as an authorized server to get unauthorized access to product assets.

		@@ -1984,7 +1984,7 @@ Requirements: CDTX, IDTX, SCUD, LOGG
		\| max(SDS, SDT, FUN, SYS) = 1 \| Medium \|
		\| max(SDS, SDT, FUN, SYS) = 0 \| Low \|

		Requirements: NKEV, SCUD, SSDD, MSAF, LMAS, LOGG
		Requirements: NKEV, SCUD, SSDD, LMII, LMAS, LOGG

		### C.5.2 Mapping of use cases to risk factors and security profiles

		@@ -2096,16 +2096,16 @@ This clause describes the metholodogy followed in the current text.

		\| Threat \| Requirements \|
		\|--------\|------------------------------------------\|
		\| KEVU \| NKEV, SCUD, SSDD, MSAF, LMAS, LOGG, VULH \|
		\| UEVU \| SSDD, MSAF, DMIN, LMAS, LOGG \|
		\| KEVU \| NKEV, SCUD, SSDD, LMII, LMAS, LOGG, VULH \|
		\| UEVU \| SSDD, LMII, DMIN, LMAS, LOGG \|
		\| PHYS \| SDEL, SDEF \|
		\| CONF \| SDEF \|
		\| UADT \| CDTX, DMIN, LMAS \|
		\| AVAI \| AVAI, MSAF, LMAS, LOGG, VULH \|
		\| FDOS \| AVAI, MSAF, LMAS, LOGG \|
		\| DDOS \| AVAI, MSAF, LMAS, LOGG, VULH \|
		\| AVAI \| AVAI, LMII, LMAS, LOGG, VULH \|
		\| FDOS \| AVAI, LMII, LMAS, LOGG \|
		\| DDOS \| AVAI, LMII, LMAS, LOGG, VULH \|
		\| MQSE \| CDTX, IDTX, SCUD, LOGG \|
		\| AHHS \| NKEV, SCUD, SSDD, MSAF, LMAS, LOGG, SDEF \|
		\| AHHS \| NKEV, SCUD, SSDD, LMII, LMAS, LOGG, SDEF \|

		## D.3 Risks not treated by the requirements

Admin message