Commit 16850d1d authored by Valerie Aurora (Bow Shock)'s avatar Valerie Aurora (Bow Shock)

Add static analysis, MMU, MTE mitigations for memory errors

parent 1664a361
+125 −19
@@ -883,22 +883,78 @@ Mitigations are how a technical requirement can be satisfied. Mitigations must b

This section is a list of technical requirements necessary to satisfy the CRA essential requirements. Each technical requirement can be satisfied by one or more potential mitigations. Each mitigation may or may not be appropriate for an individual use case. The following section will define which mitigations will be required, depending on a risk factor, the overall risk tolerance, and/or a use case in the following section.

### 5.2.2 **TR-OOBM**: Mitigations for out-of-bounds memory access
Each mitigation is described with the following fields:

#### 5.2.2.1 Threat description
* Mitigation: brief description of the mitigation
* Test: how to test that the mitigation is implemented
* Result: what output
* Output: the warning or error message produced by the checker
* False negative/positive prevention: if necessary, a way to prove that the test distinguishes between conformant and non-conformant products
* Requirements: features of the product as placed on the market necessary to run the test
* Documentation: what data the manufacturer must save for provision to the MSA

Threat: attacker uses an operating systems vulnerability to access memory in an unauthorized manner.
> Copy-n-paste mitigation format

#### 5.2.2.2 **MI-KSED**: Kernel stack exhaustion detection
#### 5.2.X.x **MI-XXXX**:

Use case:

* Mitigation:
* Test:
* Result:
* Output:
* False positive test:
* Requirements:
* Documentation:

### 5.2.X **TR-MISO**: Memory isolation

#### 5.2.X.1 Threat description

Threat: attacker tries to access memory that belongs to another user or the kernel in an unauthorized manner.

#### 5.2.X.x **MI-SSCA**: Static source code analysis for memory protection

Use case: operating systems where all executables share a single address space, memory protection settings, and processor privilege level (e.g. embedded, low power, special purpose, unikernel)

* Mitigation: statically check source code for out-of-bounds memory access
* Test: source code that accesses memory out-of-bounds in a variety of defined ways (TBD)
* Result: warning or error
* Output: the warning or error message produced by the checker
* False positive test: source code that does not access memory out of bounds does not produce the warning or error
* Requirements: board support package
* Documentation: source code and output of the tests, source code of operating system, checker information

#### 5.2.X.x **MI-XXXX**: Memory protection using MMU

Use case: Any operating system that requires process isolation (anything with multiple users, potentially untrusted users, untrusted userspace executables, etc.)

* Mitigation: Use MMU to mark memory regions as inaccessible to an executable before scheduling it
* Test: Attempt to read, write, or execute memory in a different memory isolation domain
* Result: error, trap, signal, or kill thread
* Output: executes error handling code or thread is killed
* Requirements: ability to compile and execute code
* Documentation: test source code, instructions to compile, output of error handling or log message for thread kill

### 5.2.X **TR-OOBM**: Out-of-bounds memory access prevention or mitigation

#### 5.2.X.1 Threat description

Threat: attacker uses an operating systems vulnerability to access memory in an unauthorized manner while possessing elevated memory access privileges.

#### 5.2.X.x **MI-KSED**: Kernel stack exhaustion detection

Use case: phone, general purpose, desktop, server, router, firewall

* Sub-threat: kernel stack exhaustion causes thread to write beyond end of stack
* Mitigation: kernel validates the limits of the kernel stack
* Test: perform unbounded recursive kernel call to use all stack memory
* Result: thread is killed
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Requirements: way to read log output on product as shipped, ability to build and run new kernel code
* Documentation: source code of test, log output during test

#### 5.2.2.3 **MI-KSBO**: Kernel stack linear buffer overflow detection
#### 5.2.X.x **MI-KSBO**: Kernel stack linear buffer overflow detection

* Sub-threat: unbounded kernel stack buffer write goes beyond stack frame
* Mitigation: kernel stack frame limits validated
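Review bot: the field definitions added at the top of this hunk do not match the copy-n-paste template that follows them or the entries that use it: the definitions say "False negative/positive prevention" while the template and MI-SSCA say "False positive test", "Result: what output" is not a definition, and "Output: the warning or error message produced by the checker" only describes static checkers even though most entries report a killed thread or a log event. Suggest defining Result as the expected behaviour of the product under test (for example "thread is killed") and Output as the observable evidence of it (log line, error message, checker warning), and using "False positive test" everywhere. The MMU entry further down has its content filled in but keeps the MI-XXXX placeholder id and omits the False positive test (an access within the same isolation domain succeeds); give it a real MI- identifier and that field so it reads as a selectable mitigation rather than a template.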
@@ -906,8 +962,9 @@ Threat: attacker uses an operating systems vulnerability to access memory in an
* Result: thread is killed
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.2.4 **MI-KABC**: Kernel array bounds checking
#### 5.2.X.x **MI-KABC**: Kernel array bounds checking

* Sub-threat: unbounded kernel array access
* Mitigation: array bounds validated
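Review bot: Documentation is left empty for MI-KSBO (and for MI-KABC in this hunk) although the Result and Output fields specify a killed thread and a logged event, and the field definitions earlier in this commit say Documentation is the data the manufacturer must save for provision to the MSA; suggest "source code of test, log output during test", matching the MI-KSED entry. The same blank field appears on every following entry in this patch.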
@@ -915,8 +972,9 @@ Threat: attacker uses an operating systems vulnerability to access memory in an
* Result: thread is killed
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.2. **MI-KHLO**: Kernel heap linear overflow detection
#### 5.2.X. **MI-KHLO**: Kernel heap linear overflow detection

* Sub-threat: kernel heap memory overflow
* Mitigation: check heap memory allocation bounds
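Review bot: the renumbered heading reads `#### 5.2.X. **MI-KHLO**` with a trailing period and no fourth component, whereas MI-KSED, MI-KSBO and MI-KABC use `5.2.X.x`; suggest `#### 5.2.X.x **MI-KHLO**: Kernel heap linear overflow detection`. The same `5.2.X.` form is used on every heading from here through MI-KFCI, so the search-and-replace should be redone with the `.x` suffix.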
@@ -924,8 +982,9 @@ Threat: attacker uses an operating systems vulnerability to access memory in an
* Result: each thread killed
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.2. **MI-KUFW**: Kernel heap user-after-free write prevention
#### 5.2.X. **MI-KUFW**: Kernel heap user-after-free write prevention

* Sub-threat: kernel heap use-after-free write
* Mitigation: memory tagging prevents use of un/re-allocated memory
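Review bot: the heading says "user-after-free" in both the old and new lines while the Sub-threat line below correctly says "use-after-free"; since the renumbering rewrites this line anyway, fix the typo here: `#### 5.2.X.x **MI-KUFW**: Kernel heap use-after-free write prevention`.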
@@ -933,8 +992,9 @@ Threat: attacker uses an operating systems vulnerability to access memory in an
* Result: thread killed
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.2. **MI-KUFR**: Kernel heap user-after-free read prevention
#### 5.2.X. **MI-KUFR**: Kernel heap user-after-free read prevention

* Sub-threat: kernel heap use-after-free read
* Mitigation: memory tagging prevents use of un/re-allocated memory
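Review bot: same typo as MI-KUFW, "user-after-free" in the heading versus "use-after-free" in the Sub-threat line; suggest `Kernel heap use-after-free read prevention`. The Mitigation line here ("memory tagging prevents use of un/re-allocated memory") also overlaps with the new "Memory protection using hardware memory tagging" entry added at the end of this commit; consider cross-referencing the two so they are not read as separate requirements.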
@@ -942,8 +1002,9 @@ Threat: attacker uses an operating systems vulnerability to access memory in an
* Result: thread killed
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.2. **MI-KHFC**: Kernel heap free checking
#### 5.2.X. **MI-KHFC**: Kernel heap free checking

* Sub-threat: kernel heap free corruption
* Mitigation: validate heap origin on free
@@ -951,8 +1012,9 @@ Threat: attacker uses an operating systems vulnerability to access memory in an
* Result: second free is rejected
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.2. **MI-KSMZ**: Kernel stack memory zeroing
#### 5.2.X. **MI-KSMZ**: Kernel stack memory zeroing

* Sub-threat: uninitialized kernel stack memory controlled by attacker
* Mitigation: zero-initialize all kernel stack memory before use
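Review bot: "Output: action logged as an event" does not fit MI-KSMZ: zero-initialising stack memory produces no event to log, and the Result line "stack contents are clear on second call" is something the test itself must observe. Suggest Output be the test's dump of the stack contents on the second call (all zero), and then Requirements needs the ability to build and run kernel test code, not only "way to read log output on product as shipped".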
@@ -960,8 +1022,9 @@ Threat: attacker uses an operating systems vulnerability to access memory in an
* Result: stack contents are clear on second call
* Output: action logged as an event
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.2. **MI-KHMO**: Kernel heap memory zeroing
#### 5.2.X. **MI-KHMO**: Kernel heap memory zeroing

* Sub-threat: uninitialized kernel heap memory controlled by attacker
* Mitigation: zero-initialize all kernel heap memory before use
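Review bot: same issue as MI-KSMZ: zeroing heap memory logs no event, so "Output: action logged as an event" should instead be the test's dump of the re-allocated buffer's contents, and Requirements should include building and running kernel test code. The identifier MI-KHMO also reads as "heap memory overflow"; MI-KHMZ would parallel MI-KSMZ for the stack.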
@@ -969,8 +1032,9 @@ Threat: attacker uses an operating systems vulnerability to access memory in an
* Result: heap contents are clear on second allocation
* Output: action logged as an event
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.2. **MI-KLLP**: Kernel linked list protection
#### 5.2.X. **MI-KLLP**: Kernel linked list protection

* Sub-threat: kernel doubly linked list corruption
* Mitigation: linked list implementation checks prev/next pointers on add/del
@@ -978,8 +1042,9 @@ Threat: attacker uses an operating systems vulnerability to access memory in an
* Result: thread is killed
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.2. **MI-KPXM**: Prevent execution of non-kernel code memory
#### 5.2.X. **MI-KPXM**: Prevent execution of non-kernel code memory

* Sub-threat: Non-code executable kernel memory
* Mitigation: Only kernel code memory regions are executable
@@ -987,8 +1052,9 @@ Threat: attacker uses an operating systems vulnerability to access memory in an
* Result: each thread is killed
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.2. **MI-KPWM**: Prevent writes to kernel code and read-only data memory
#### 5.2.X. **MI-KPWM**: Prevent writes to kernel code and read-only data memory

* Sub-threat: Writable kernel code or read-only memory
* Mitigation: All kernel code memory and non-writable data is read-only
@@ -997,8 +1063,9 @@ Threat: attacker uses an operating systems vulnerability to access memory in an
* Result: each thread killed
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.2. **MI-KPUM**: Prevent unintentional kernel access to unprivileged memory
#### 5.2.X. **MI-KPUM**: Prevent unintentional kernel access to unprivileged memory

* Sub-threat: Unexpected access to userspace memory from OS kernel
* Mitigation: block cross-privilege level memory read/write/execute
@@ -1006,8 +1073,9 @@ Threat: attacker uses an operating systems vulnerability to access memory in an
* Result: each thread killed
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.2. **MI-KRCP**: Kernel reference counter protection
#### 5.2.X. **MI-KRCP**: Kernel reference counter protection

* Sub-threat: Kernel reference counter overflow
* Mitigation: bounds check reference counters
@@ -1015,8 +1083,9 @@ Threat: attacker uses an operating systems vulnerability to access memory in an
* Result: reference counter does not overflow but resource is pinned
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.2. **MI-KFCI**: Kernel forward control flow integrity
#### 5.2.X. **MI-KFCI**: Kernel forward control flow integrity

* Sub-threat: Kernel function pointer overwrite
* Mitigation: Protect saved function pointers from overwrite
@@ -1024,6 +1093,43 @@ Threat: attacker uses an operating systems vulnerability to access memory in an
* Result: thread is killed
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Documentation:

#### 5.2.X.x **MI-XXXX**: Memory protection using Pointer Authentication Codes

Use case: phone, other devices at higher risk of malicious code execution

* Mitigation:
* Test:
* Result:
* Output:
* False positive test:
* Requirements:
* Documentation:

#### 5.2.X.x **MI-XXXX**: Memory protection using hardware memory tagging

Use case: phone, other devices at higher risk of malicious code execution

* Mitigation: Use hardware memory tagging feature for kernel memory allocations
* Test: Allocate memory with a tag, attempt to access the memory without the tag
* Result: segmentation fault, error handling code executed or thread killed
* Output: error message or log message for killed thread
* Requirements: way to read output on product as shipped
* Documentation: source code of tests, output of error message or thread kill

#### 5.2.X.x **MI-XXXX**: Memory protection using enhanced hardware memory tagging

Use case: phone, other devices at higher risk of malicious code execution

* Mitigation:
* Test:
* Result:
* Output:
* False positive test:
* Requirements:
* Documentation:


### NOTES
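Review bot: the hardware memory tagging entry still carries the MI-XXXX placeholder id, has no False positive test (an access with the matching tag succeeds), and its Requirements line ("way to read output on product as shipped") omits the ability to build and run kernel code, which the Test line ("Allocate memory with a tag, attempt to access the memory without the tag") needs for "kernel memory allocations"; "segmentation fault" in Result is also a userspace term, whereas the other kernel entries say "thread is killed". The Pointer Authentication Codes and enhanced hardware memory tagging entries are empty templates; either fill them in or mark them TBD so they are not mistaken for selectable mitigations. There is also a stray double blank line before `### NOTES`.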