@@ -894,7 +894,7 @@ FIXME link to risk factors/use cases
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Short name: Kernel array bounds checking
Kernel array bounds checking
* Threat: unbounded kernel array access
* Mitigation: array bounds validated
* Test: declare an array of fixed size and write beyond the max index
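Review bot: the Test line is underspecified for a runtime bounds check: a write past a fixed-size array using a constant index is diagnosed or rejected by the compiler and may never reach the instrumented code, so state that the out-of-bounds index must be computed at runtime (for example derived from a test parameter) and which arrays are covered (kernel stack, heap, and static data are separate cases). As written a tester can pass the item without exercising the mitigation.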
@@ -902,7 +902,7 @@ FIXME link to risk factors/use cases
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Short name: Kernel heap linear overflow detection
Kernel heap linear overflow detection
* Threat: kernel heap memory overflow
* Mitigation: check heap memory allocation bounds
* Test: in separate threads, allocate a fixed size from each class of kernel heap memory, write beyond it
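Review bot: "each class of kernel heap memory" on the Test line needs defining, since the other items name concrete cases: say whether it means each allocator size class, each allocator type, or both, and how far past the allocation the write goes, because a short overrun into padding and a write into the neighbouring object are caught by different mechanisms. The reason for "in separate threads" should also be stated, given that the Output line allows one detected overflow to reboot the OS and so end the test.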
@@ -910,7 +910,7 @@ FIXME link to risk factors/use cases
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Short name: Kernel heap user-after-free write prevention
Kernel heap user-after-free write prevention
* Threat: kernel heap use-after-free write
* Mitigation: memory tagging prevents use of un/re-allocated memory
* Test: allocate kernel heap memory, free it, write to the allocation
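Review bot: typo on the Short name and heading lines: "user-after-free" should be "use-after-free", matching the Threat line. The Mitigation line also names one technique (memory tagging) where the other items state a property; "writes to freed memory are detected" would not exclude implementations based on poisoning or quarantine.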
@@ -918,7 +918,7 @@ FIXME link to risk factors/use cases
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Short name: Kernel heap user-after-free read prevention
Kernel heap user-after-free read prevention
* Threat: kernel heap use-after-free read
* Mitigation: memory tagging prevents use of un/re-allocated memory
* Test: allocate kernel heap memory, free it, read from the allocation
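Review bot: same typo as the write variant: "user-after-free" on the Short name and heading lines should be "use-after-free" as on the Threat line. For the read case the Test line should also say what counts as a pass, since a read has no side effect of its own: either the access is trapped (the logged event or reboot of the Output line) or the value read back differs from the pre-free contents.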
@@ -926,7 +926,7 @@ FIXME link to risk factors/use cases
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Short name: Kernel heap free checking
Kernel heap free checking
* Threat: kernel heap free corruption
* Mitigation: validate heap origin on free
* Test: allocate kernel heap, free it twice
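Review bot: the Test line (free it twice) does not exercise the Mitigation line (validate heap origin on free). A double free checks the allocator's free-state tracking; origin validation is exercised by freeing a pointer that did not come from the heap (a stack or static address) or a pointer into the middle of an allocation. Either add those cases to the test or widen the mitigation wording to cover double-free detection.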
@@ -934,7 +934,7 @@ FIXME link to risk factors/use cases
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Short name: Kernel stack memory zeroing
Kernel stack memory zeroing
* Threat: uninitialized kernel stack memory controlled by attacker
* Mitigation: zero-initialize all kernel stack memory before use
* Test: sequentially call 2 functions that allocate the same amount of memory, fill the first with known values and return, and during second function call, read the stack contents back
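Review bot: the Test line for stack zeroing needs two caveats to be reliable: the second function must not initialize its own locals (otherwise the test overwrites what it is looking for), and the compiler may elide reads of an uninitialized buffer, so the read-back should go through volatile storage or equivalent. The Output line for this item ("action logged as an event", first line of the next hunk) also does not fit: zero-initialization is silent, so the observable result is that the read-back bytes are zero rather than the known values, and the Output line should say so.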
@@ -942,7 +942,7 @@ FIXME link to risk factors/use cases
* Output: action logged as an event
* Requirements: way to read log output on product as shipped
* Short name: Kernel heap memory zeroing
Kernel heap memory zeroing
* Threat: uninitialized kernel heap memory controlled by attacker
* Mitigation: zero-initialize all kernel heap memory before use
* Test: allocate heap memory, fill with a known value, free it, allocate it again in a deterministic way to get the same heap region, and read back the contents
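Review bot: "allocate it again in a deterministic way to get the same heap region" on the Test line is not a reliable step: allocators with freelist randomization, quarantine, or per-CPU caches may return a different region, and the test then passes trivially. The test should compare the second allocation's address with the first and only check contents on a match, repeating until a match is obtained or a bound is reached. Also say whether zeroing on free and zeroing on allocation both satisfy the Mitigation line, since either makes the read-back zero.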
@@ -950,7 +950,7 @@ FIXME link to risk factors/use cases
* Output: action logged as an event
* Requirements: way to read log output on product as shipped
* Short name: Kernel linked list protection
Kernel linked list protection
* Threat: kernel doubly linked list corruption
* Mitigation: linked list implementation checks prev/next pointers on add/del
* Test: add or delete an item to an uninitialized list
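Review bot: "add or delete an item to an uninitialized list" on the Test line is a single case and the weakest one; the Mitigation line says prev/next pointers are checked on add/del, which is exercised by an initialized list whose pointers are inconsistent (the entry's next->prev no longer pointing back at the entry). State add and delete as separate steps and include the inconsistent-pointer case, otherwise an implementation that only checks for a NULL head passes.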
@@ -958,7 +958,7 @@ FIXME link to risk factors/use cases
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Short name: Prevent execution of non-kernel code memory
Prevent execution of non-kernel code memory
* Threat: Non-code executable kernel memory
* Mitigation: Only kernel code memory regions are executable
* Test: copy a trivial return-only function into every class of non-code memory in the kernel (e.g. stack, heap, read-only data), one to a thread, and attempt to execute each one
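Review bot: the "read-only data" case on the Test line cannot be done by copying at runtime: writing the function into read-only data is itself blocked by the write-protection item that follows (or only succeeds when that item is broken), so for that region the return instruction has to be placed in read-only data at build time. "copy a trivial return-only function" also assumes the function symbol points at plain instruction bytes; spell out that a known return-instruction sequence for the target architecture is used rather than bytes copied from a compiled function, which may carry a prologue, alignment padding, or a thunk.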
@@ -966,7 +966,7 @@ FIXME link to risk factors/use cases
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Short name: Prevent writes to kernel code and read-only data memory
Prevent writes to kernel code and read-only data memory
* Threat: Writable kernel code or read-only memory
* Mitigation: All kernel code memory and non-writable data is read-only
* Test: from separate threads, write to each portion of kernel code
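Review bot: the Test line only writes to kernel code, but the Short name, heading, Threat, and Mitigation lines all cover read-only data as well. Add a write to read-only data as a second case (and a write through each mapping of the code if the kernel has more than one), otherwise the data half of the mitigation is untested.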
@@ -975,7 +975,7 @@ FIXME link to risk factors/use cases
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Short name: Prevent unintentional kernel access to unprivileged memory
Prevent unintentional kernel access to unprivileged memory
* Threat: Unexpected access to userspace memory from OS kernel
* Test: in separate kernel threads, read, write, and execute memory regions that are mapped to userspace without going through dedicated userspace memory access routines
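Review bot: the Mitigation line is missing from this item; every other item in the diff has Threat, Mitigation, and Test. Add one that states the property the test checks, along the lines of "kernel accesses to userspace mappings are only possible through the dedicated userspace access routines", so that the Test line's "without going through dedicated userspace memory access routines" has a stated expectation to measure against.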
@@ -983,7 +983,7 @@ FIXME link to risk factors/use cases
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Short name: Kernel reference counter protection
Kernel reference counter protection
* Threat: Kernel reference counter overflow
* Mitigation: bounds check reference counters
* Test: set resource reference counter to 1 less than maximum representable value, increment it twice
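Review bot: the Test line covers only the overflow direction. Reference counter protections normally also catch a decrement below zero, and the Threat line says only "overflow"; either widen the Threat to over/underflow and add a "set counter to 0 and decrement" step, or state explicitly that underflow is out of scope. The test should also say what the expected counter state after the second increment is (saturated or unchanged) in addition to the logged event.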
@@ -991,7 +991,7 @@ FIXME link to risk factors/use cases
* Output: action logged as an event or the OS reboots
* Requirements: way to read log output on product as shipped
* Short name: Kernel forward control flow integrity
Kernel forward control flow integrity
* Threat: Kernel function pointer overwrite
* Mitigation: Protect saved function pointers from overwrite
* Test: Save a kernel function pointer to heap, overwrite it with a different function, make indirect call to the saved function pointer
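Review bot: the Test and Mitigation lines describe different mechanisms. "Protect saved function pointers from overwrite" is pointer integrity (the overwrite itself should fail or be detected), while the Test line overwrites the pointer successfully and expects the indirect call to be caught, which is forward-edge CFI at the call site. Pick one expectation and state it. If the call-site check is the intent, the replacement function must have a different signature from the original, since a type-based CFI scheme permits a call to a same-signature target and the test would then wrongly report the mitigation as absent.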
@@ -1486,7 +1486,7 @@ _List any related ETSI standards and how they interact with the present document