@@ -1199,9 +1199,209 @@ The product shall enable Address Space Layout Randomization (ASLR) by default fo
| FIXME list RT-High | none |
| FIXME RT-Med, RT-Low | ALSR |
### 5.2.X **TR-MSAF**: Memory safety
### 5.2.X **TR-MSAF**: Memory error mitigations
Implement all relavent mitigations listed in Annex MEMORY-SAFETY-MITIGATIONS
#### 5.2.X.x Requirement
The product shall implement appropriate mitigations for memory errors.
#### 5.2.X.x Default Preparation, Verdict, and Evidence
Most memory safety mitigations have the same Verdict and Evidence:
* Preparation: None
* Verdict: each involved thread fails to read or write the target data and takes a segmentation fault, has error handling code executed, or is terminated in all tests => PASS, otherwise FAIL
* Evidence: error messages, log message, or the OS reboots or halts
For each mitigation grouped under requirement TR-MSAF, for each field Preparation, Verdict, or Evidence, if it is not specified for that test, then the above Preparation, Verdict, or Evidence field shall apply.
Both kernel and userspace threads shall reject writes beyond the end of the stack.
* Reference: TR-MSAF
* Objective: Prevent thread from writing beyond end of stack
* Activities: For each of kernel and userspace, write beyond the end of the stack
Guidance: Two methods of exhausting stack memory include allocating a very large object on the stack, and performing an unbounded recursive function call.
#### 5.2.X.x **MI-MSAF-2**: Stack linear buffer overflow detection
Both kernel and userspace threads shall reject stack buffer writes that go beyond the end of the stack frame.
* Reference: TR-MSAF
* Objective: Prevent thread from writing beyond end of stack
* Activities: For each of kernel and userspace, write beyond the end of the stack frame
#### 5.2.X.x **MI-MSAF-3**: Array bounds checking
Both kernel and userspace threads shall reject writes to fixed-size arrays that are beyond the end of the array.
* Reference: TR-MSAF
* Objective: Prevent thread from writing beyond the end of a fixed-size array
* Activities: For each of kernel and userspace, write beyond the end of a fixed-size array
#### 5.2.X.x **MI-MSAF-4**: Heap linear buffer overflow detection
Both kernel and userspace threads shall reject writes beyond the bounds of allocated heap memory.
* Reference: TR-MSAF
* Objective: Prevent thread from writing beyond the end of heap memory
* Activities: For each of kernel and userspace, for each type of heap memory, allocate a fixed size from each class of heap memory, write beyond it
Both kernel and userspace threads shall reject use of allocated memory that has been freed.
* Reference: TR-MSAF
* Objective: Prevent thread from using memory that was allocated then freed
* Activities: For each of kernel and userspace, allocate from heap memory, free it, then try to read it, repeat but with a write
#### 5.2.X.x **MI-MSAF-6**: Heap free checking
Both kernel and userspace threads shall reject freeing of memory that was allocated and previously freed.
* Reference: TR-MSAF
* Objective: Prevent thread from freeing memory that is already free
* Activities: For each of kernel and userspace, allocate from heap memory, free it, then free again
#### 5.2.X.x **MI-MZRO-1**: Stack memory zeroing
Both kernel and userspace threads shall zero-initialize all stack memory before use.
* Reference: TR-MSAF
* Objective: Prevent attacker from exploiting erroneous use of uninitialized stack memory
* Activities: For each of kernel and userspace, sequentially call 2 functions that allocate the same amount of memory, fill the first with non-zero values and return, and during second function call, read the stack contents back
* Verdict: stack contents are all zero on second call
* Evidence: contents of stack before the first function return, contents of stack during the second function call
#### 5.2.X.x **MI-MZRO-2**: Heap memory zeroing
Both kernel and userspace threads shall zero-initialize all heap memory before use.
* Reference: TR-MSAF
* Objective: Prevent attacker from exploiting erroneous use of uninitialized heap memory
* Activities: For each of kernel and userspace, allocate heap memory, fill with a non-zero value, free it, allocate it again in a deterministic way to get the same heap region, and read back the contents
* Verdict: memory contents are all zero on second call
* Evidence: contents of allocated memory before the free, contents of allocated memory after second allocation
#### 5.2.X.x **MI-MRWX-1**: Prevent writes to executable and read-only data memory
Both kernel and userspace threads shall reject writes to executable and read-only data memory
* Reference: TR-MSAF
* Objective: Prevent writes to executable and read-only data memory
* Activities: For each of kernel and userspace, for each portion of executable and non-writable data regions, write to it
#### 5.2.X.x **MI-MRWX-2**: Prevent execution of non-kernel code memory
Kernel threads shall prevent execution of non-kernel code memory.
* Reference: TR-MSAF
* Objective: Mitigate exploits that use execution of arbitrary memory
* Activities: For each class of non-code memory in the kernel (e.g. stack, heap, read-only data), copy a trivial return-only function into the memory, and attempt to execute each one
#### 5.2.X.x **MI-NKAM**: Prevent unintentional kernel access to userspace memory
* Applicability: Product has multiple privilege levels
* Reference: TR-MSAF
* Objective: Mitigate exploits that use kernel privileges to access arbitrary userspace memory
* Activities: For each of read, write, and execute operations, use a kernel thread to attempt to use the operation on memory regions that are mapped to a different privilege level without going through dedicated memory access routines
Guidance: The most common privilege levels are kernel and userspace.
#### 5.2.X.x **MI-PLLC**: Prevent linked list corruption
Both kernel and userspace threads shall check the consistency of the previous and next pointers it manipulates when adding or deleting an item to or from a linked list and reject the operation if they are not consistent.
* Reference: TR-MSAF
* Objective: Prevent linked list corruption
* Activities: For each of kernel and userspace, add or delete an item to an uninitialized list
Both kernel and userspace threads shall mitigate the effects of reference counter overflows
* Reference: TR-MSAF
* Objective: Prevent exploitation of bugs in reference counting to overflow the counter to zero, causing a free and subsequent use-after-free accesses
* Activities: For each of kernel and userspace, set resource reference counter to 1 less than maximum representable value, increment it twice
* Verdict: reference counter does not overflow and resource is permanently pinned (no longer can be freed)
* Evidence: test output showing reference counter values before and after the operation, allocation status of the resources
#### 5.2.X.x **MI-CFIN**: Control flow integrity
Both kernel and userspace threads shall protect saved function and return pointers from overwrite
* Reference: TR-MSAF
* Objective: Mitigate exploits by preventing overwrite of function and return pointers
* Activities: For each of kernel and userspace, save a function pointer to the heap, overwrite it with a different function, make indirect call to the saved function pointer, then repeat but with a return address that was stored to the stack
Guidance: This mitigation can be implemented via software (e.g. ASan) or hardware (e.g. Pointer Authentication), or validating transitions of expected control flow graph (e.g. KCFI, Shadow Stack).
#### 5.2.X.x **MI-MPMT**: Memory protection using memory tagging
Both kernel and userspace threads shall use hardware-supported memory tagging to reject erroneous memory accesses.
* Reference: TR-MSAF
* Objective: Mitigate exploits by preventing memory errors
* Activities: For each of kernel and userspace, allocate 2 adjacent memory regions with separate tags. Attempt to read and write memory with a positive offset into trailing region from leading region's tagged pointer. Attempt to read and write with negative offset into leading region using trailing region's tagged pointer. Free a region and read and write to the region using the original tagged pointer.
TODO:
#### Kernel and userspace memory safety mitigations
FIXME: Stack ASLR
FIXME: Exec ASLR
#### Kernel-specific memory safety mitigations
FIXME: Module ASLR
FIXME: JIT ASLR
#### Userspace-specific memory safety mitigations
FIXME: Sym-/Hard-Link restrictions
FIXME: FIFO restrictions
FIXME: Libs/mmap ASLR
FIXME: brk ASLR
##### Toolchain hardening
FIXME: PIE
FIXME: FORTIFY_SOURCE
FIXME: RELRO (merge below into "binary runtime metadata"?)
FIXME: BIND_NOW (merge above into "binary runtime metadata"?)
FIXME: -fstack-clash-protection (covered by "stack exhaustion"?)
FIXME: -fcf-protection (covered by "CFI"?)
#### Kernel provided userspace mitigations
FIXME: vDSO ASLR
FIXME: NULL-address protection
FIXME: ptrace scope
#### 5.2.X.x Mapping of mitigations to risk factors and security profiles
> FIXME: Figure out which risk factors/use cases require CFIN or else delete it.
* Mitigation: check for allocation state and prevent use of un/re-allocated memory
* Test: allocate heap memory, free it, write to the allocation
### **MI-HFC**: Heap free checking
* Sub-threat: heap free corruption
* Mitigation: validate heap origin on free
* Test: allocate heap, free it twice
* Result: second free is rejected
### **MI-SMZ**: Stack memory zeroing
* Sub-threat: uninitialized stack memory controlled by attacker
* Mitigation: zero-initialize all stack memory before use
* Test: sequentially call 2 functions that allocate the same amount of memory, fill the first with known values and return, and during second function call, read the stack contents back
* Result: stack contents are clear on second call
### **MI-HMZ**: Heap memory zeroing
* Sub-threat: uninitialized heap memory controlled by attacker
* Mitigation: zero-initialize all heap memory before use
* Test: allocate heap memory, fill with a known value, free it, allocate it again in a deterministic way to get the same heap region, and read back the contents
* Result: heap contents are clear on second allocation
### **MI-MWX**: Prevent writes to code and read-only data memory
* Sub-threat: Writable code or intended read-only memory
* Mitigation: All code memory and non-writable data is read-only
* Test: from separate threads, write to each portion of kernel code and non-writable data region
### **MI-LLP**: Linked list protection
* Sub-threat: doubly linked list corruption
* Mitigation: linked list implementation checks prev/next pointers on add/del
* Test: add or delete an item to an uninitialized list
### **MI-RCP**: Reference counter protection
* Sub-threat: reference counter overflow
* Mitigation: bounds check reference counters
* Test: set resource reference counter to 1 less than maximum representable value, increment it twice
* Result: reference counter does not overflow but resource is pinned
### **MI-CFI**: Control flow integrity
Use case: laptop, phone, other devices at higher risk of malicious code execution
* Sub-threat: Function pointer and return pointer overwrite
* Mitigation: Protect saved pointers from overwrite via software (e.g. ASan) or hardware (e.g. Pointer Authentication), or validate transitions of expected control flow graph (e.g. KCFI, Shadow Stack)
* Test: Save a function pointer to heap, overwrite it with a different function, make indirect call to the saved function pointer. Repeat but with a return address that was stored to the stack.
### **MI-MPMT**: Memory protection using memory tagging
Use case: laptop, phone, other devices at higher risk of malicious code execution
* Mitigation: Use software or hardware memory tagging feature for memory allocations
* Test: Allocate 2 adjacent memory regions with separate tags. Attempt to read and write memory with a positive offset into trailing region from leading region's tagged pointer. Attempt to read and write with negative offset into leading region using trailing region's tagged pointer. Free a region and read and write to the region using the original tagged pointer.
FIXME: Stack ASLR
FIXME: Exec ASLR
## Userspace-specific memory safety mitigations
FIXME: Sym-/Hard-Link restrictions
FIXME: FIFO restrictions
FIXME: Libs/mmap ASLR
FIXME: brk ASLR
### Toolchain hardening
FIXME: PIE
FIXME: FORTIFY_SOURCE
FIXME: RELRO (merge below into "binary runtime metadata"?)
FIXME: BIND_NOW (merge above into "binary runtime metadata"?)
FIXME: -fstack-clash-protection (covered by "stack exhaustion"?)
FIXME: -fcf-protection (covered by "CFI"?)
## Kernel provided userspace mitigations
FIXME: vDSO ASLR
FIXME: NULL-address protection
FIXME: ptrace scope
## Kernel-specific memory safety mitigations
FIXME: Module ASLR
FIXME: JIT ASLR
### **MI-KPXM**: Prevent execution of non-kernel code memory
* Sub-threat: Non-code executable kernel memory
* Mitigation: Only kernel code memory regions are executable
* Test: copy a trivial return-only function into every class of non-code memory in the kernel (e.g. stack, heap, read-only data), one to a thread, and attempt to execute each one
### **MI-KPUM**: Prevent unintentional kernel access to unprivileged memory
* Sub-threat: Unexpected access to userspace memory from OS kernel
* Test: in separate kernel threads, read, write, and execute memory regions that are mapped to userspace without going through dedicated userspace memory access routines
# Annex A (informative): Relationship between the present document and any related ETSI standards (if any)
