Several things here. I don't understand what you mean the difference is between exhaustion (MSAF-1) and overflow (MSAF-2). You don't overflow unless you exhaust. Doing it through some buffer or some other way seems irrelevant. This rather fits into the "two different methods" as mentioned in MSAF-1. Please clarify what difference you see between these two. Also the assessment criteria must support systems which do not have an MPU/HW-support for the detection. The assessment criteria should be solution-neutral and be implementable on existing systems. I also think you should have an acceptance clause which makes it feasible to not implement things like this which can risk very negatively impacting performance of legacy systems, so if that can be shown and on a risk-basis, then it should be possible to justify not implementing the specific mitigation.