Commit 15e4404a authored by Kees Cook's avatar Kees Cook Committed by Valerie Aurora (Bow Shock)
Browse files

RF: Add rough "memory safety" risk factor 

Other Risk Factors have matching hardware/software pairs, but the
"threat actor" risk only had a hardware section.
parent 37bffa9f

EN-304-626.md

+10 −0
Original line number Diff line number Diff line
@@ -631,6 +631,16 @@ Note: "account" refers to a user in the operating systems sense: a unique system 
* PHYS-1: may be incidentally exposed to untrusted users

* PHYS-2: used primarily by untrusted users, e.g. the general public



#### 4.5.1.N+1 Software Access by Threat Actors to the Device



**[RF-SOFT]:** Manufacturers of operating systems may implement protective measures, such as hardening the system against loss of integrity (caused by existing interfaces or unknown flaws), to mitigate memory safety based threats to the device.



* PHYS-0: only used in environments without untrusted code and no processing of external inputs

* PHYS-1: may be incidentally exposed to untrusted software or external inputs

* PHYS-2: used primarily to run untrusted software or process external inputs



FIXME update RF/UC chart for RF-SOFT



#### 4.5.1.6 Probability of Loss of the Device



**[RF-LOSS]:** likelihood of loss or theft should be accounted for in the risk calculation, particularly for devices that store sensitive personal data.