Commit 5cb511b4 authored by Jaroslaw Bienkowski, committed by Valerie Aurora (Bow Shock)

Minor rephrasing/formatting improvements

parent 9a0f8a82
+21 −15
@@ -158,13 +158,14 @@ Products in scope are products whose core function and intended or reasonably fo

This category includes but is not limited to:

* general purpose operating systems
* personal computing operating systems
* mobile phone operating systems
* server operating systems
* real-time operating systems
* embedded operating systems
* special purpose operating systems
* General purpose operating systems
  * Personal computing operating systems
  * Mobile operating systems
  * Server operating systems
* Special purpose operating systems
  * Real-time operating systems
  * Embedded operating systems
  * Single-purpose operating systems

Many products contain multiple operating systems which can affect the security functions of other operating system(s) in the product. For example, a Baseboard Management Controllers (BMC) contains an operating system that can manage most or all of the hardware managed by the main system operating system. Radiofrequency transmission devices often have an embedded real-time operating system and the ability to read or write to system memory or trigger interrupts.
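Review bot: the new nested list classifies real-time and embedded operating systems as "Special purpose", but the paragraph that follows ("Radiofrequency transmission devices often have an embedded real-time operating system") treats embedded and real-time as properties a single OS can combine, and real-time kernels are also used in general-purpose settings; consider either stating the classification criterion (intended use rather than kernel design) or listing "Real-time operating systems" once, outside the two branches. Minor: the unchanged context line "a Baseboard Management Controllers (BMC) contains" mixes singular and plural and could be fixed in this same pass to "a Baseboard Management Controller (BMC) contains".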

@@ -375,11 +376,11 @@ Operating system architecture is quite varied, depending on factors such as the

### 4.3.2 Operating system security functions

To oversimplify, the security of an operating system depends on appropriately controlling the instructions to be executed on the processors on the system under its control. Instruction flow is dependent on the text of the executable, any data it accesses, and any hardware that has the ability to change either data or which instructions are being executed. For example, a network interface adapter can write to system memory, altering the data and changing the execution of any code that results in it. A USB controller can raise an interrupt which can cause the interrupt controller to force the CPU to switch to executing interrupt handling code, altering the instruction flow.
The security of an operating system relies heavily on properly controlling the instructions executed by the system processor. Instruction flow is dependent on the program instructions, any data it accesses, and any hardware that has the ability to change either data or which instructions are being executed. For example, a network interface adapter can write directly to system memory, potentially altering data values and thereby influencing the behavior of running programs or even causing unintended code execution. A USB controller can raise an interrupt which can cause the interrupt controller to force the CPU to switch to executing interrupt handling code, altering the instruction flow.

A fundamental building block of operating system is privileges. Privileges which control which system resources or functions that program can access. The operating system grants a defined set of privileges to itself, its subsystems, and any other executing software program.
A fundamental building block of operating system is privileges. Privileges determine which system resources or functions a program is allowed to access. The operating system grants a specific set of privileges to itself, its subsystems, and user-level programs, ensuring that each component operates within defined boundaries to maintain system security and stability.

Generally privileges are enforced using hardware features such as a memory management unit and processor-defined privilege levels. If the hardware does not provide these features, the operating system may use a best effort system, such as relying on the compiler to generate code that is less likely to accidentally interfere with the functions of the operating system or other parts of the system. A best-effort approach is only acceptable in low-risk, low-impact use cases where all elements and users of the systems can be trusted to not deliberately attempt to compromise the system.
Generally privileges are enforced using hardware features such as a memory management unit and processor-defined privilege levels. If the hardware does not provide these features, the operating system may use a best effort approach, such as relying on the compiler to generate code that is less likely to accidentally interfere with the functions of the operating system or other parts of the system. A best-effort approach is only acceptable in low-risk, low-impact use cases where all elements and users of the systems can be trusted to not deliberately attempt to compromise the system.

### 4.3.3 High-level operating system architectures
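Review bot: the rewritten privileges paragraph keeps the missing article in "A fundamental building block of operating system is privileges"; suggest "A fundamental building block of an operating system is privileges." In the next paragraph the hyphenation is now inconsistent within one paragraph ("a best effort approach" followed by "A best-effort approach"); pick one form, preferably "best-effort" as the adjective. The new first paragraph also drops the original's qualifier that the claim is an oversimplification while still describing security purely in terms of instruction flow, which leaves data confidentiality (e.g. the side-channel requirements later in the document) unaccounted for; a short clause such as "and the data those instructions can read" would keep the sentence honest.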

@@ -419,15 +420,15 @@ Operating systems control access to resources in different ways, including:

### 4.3.4 Resource management

Operating systems often allocate system resources among different applications or threads, including processor time, memory, storage, file descriptors, and process table entries. Operating systems may implement limits on the number or proportion of specific resourcs that an application or thread may use, and may group these limits by user, process, process group, or other mechanism.
Operating systems often allocate system resources among different processes and threads, including processor time, memory, storage, file descriptors, and process table entries. Operating systems may implement limits on the number or proportion of specific resourcs that an application or thread may use, and may group these limits by user, process, process group, or other mechanism.

### 4.3.5 Scheduling

Operating systems may provide voluntary or involuntary switching between different threads. Some common models include:

**Cooperative scheduling:** Each thread executes on a process as long as it likes until it voluntarily yields the processor to another thread.
**Cooperative scheduling:** Each thread runs until it voluntarily yields control of the processor to another thread. No thread is interrupted unless it explicitly yields the CPU.

**Preemptive scheduling:** Each thread can be involuntarily halted and replaced by a different thread, as well as voluntarily yielding the CPU.
**Preemptive scheduling:** Threads can be involuntarily suspended by the scheduler and replaced with other threads, and they may also voluntarily yield the CPU.

The operating system can choose which thread to schedule based on factors such as:
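Review bot: the typo "resourcs" survives in the rewritten 4.3.4 sentence ("proportion of specific resourcs that an application or thread may use"); since the line is already being touched, fix it to "resources". The same sentence now says "processes and threads" in the first clause but "an application or thread" in the second; align the terminology. The new cooperative-scheduling text is clearer, but "No thread is interrupted unless it explicitly yields the CPU" conflates interruption with yielding; hardware interrupts still occur under cooperative scheduling, so "No thread is preempted by another thread unless it explicitly yields the CPU" would be more precise and would match the preemptive definition that follows.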

@@ -856,10 +857,11 @@ An operating system may provide, depending on the hardware available and its con
* Authentication
* Authorization
* Software management
  * Software verification
  * Software installation
  * Security updates
  * Software upgrade
  * Software installation
  * Software verification
  * Software removal
  * Firmware upgrades
  * Load kernel modules
* Logging
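Review bot: after the reordering, "Load kernel modules" is the only verb phrase in a list of noun phrases and "Security updates" is the only plural; suggest "Kernel module loading" and "Security update" (or pluralise all items) so the sub-list reads uniformly. It would also help to state the ordering principle in the commit message or a comment, since the items now appear to follow a lifecycle (upgrade, installation, verification, removal) but "Firmware upgrades" sits after "Software removal" rather than beside "Software upgrade".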
@@ -1083,6 +1085,10 @@ The manufacturer shall document on which platforms the operating system mitigate

The manufacturer shall document that the risk of microarchitectural side channel data leaks has been transferred to the user, who must mitigate them sufficiently for their use case.

#### 5.2.X.x **MI-ASLR** Address Space Layout Randomization

The operating system shall enable Address Space Layout Randomization (ASLR) by default for all processes to mitigate exploitation of memory corruption vulnerabilities.

#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

Mitigations satisfy technical requirements only under when they mitigate the relevant risks appropriately. Risk factors are used to determine this. The below table shows which mitigations are appropriate to which use cases or security profiles based on the risk factors determined in the risk assessment.
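Review bot: the new MI-ASLR requirement says ASLR shall be enabled "for all processes", but section 4.3.2 in this same change acknowledges hardware without a memory management unit where privileges are enforced only on a best-effort basis; ASLR is not implementable on such platforms, so either scope the requirement to platforms that provide an MMU or reference the risk-factor mapping introduced in the following heading, as the side-channel requirement above it already does with "The manufacturer shall document on which platforms". Two headings in this hunk now carry the same placeholder number "5.2.X.x", which will collide once numbering is assigned; also the bold "**MI-ASLR**" inside a heading is not used by the other "####" headings in the hunk. Finally, the unchanged context line "Mitigations satisfy technical requirements only under when they mitigate" reads "only under when"; drop "under".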