Commit b6a9d177 authored by Valerie Aurora (Bow Shock)'s avatar Valerie Aurora (Bow Shock)

Formatting fix to make Word doc render lists properly

parent a5eb2bbe
+29 −14
@@ -879,6 +879,7 @@ Mitigations are how a technical requirement can be satisfied. Mitigations must b
FIXME link to risk factors/use cases

Kernel stack exhaustion detection

* Threat: kernel stack exhaustion causes thread to write beyond end of stack
* Mitigation: kernel stack limits validated
* Test: perform unbounded recursive kernel call to use all stack memory
@@ -887,6 +888,7 @@ Kernel stack exhaustion detection
* Requirements: way to read log output on product as shipped

Kernel stack linear buffer overflow detection

* Threat:  unbounded kernel stack buffer write goes beyond stack frame
* Mitigation: kernel stack frame limits validated
* Test: write beyond the end of a stack buffer
@@ -895,6 +897,7 @@ Kernel stack linear buffer overflow detection
* Requirements: way to read log output on product as shipped

Kernel array bounds checking

* Threat:  unbounded kernel array access
* Mitigation: array bounds validated
* Test: declare an array of fixed size and write beyond the max index
@@ -903,6 +906,7 @@ Kernel array bounds checking
* Requirements: way to read log output on product as shipped

Kernel heap linear overflow detection

* Threat:  kernel heap memory overflow
* Mitigation: check heap memory allocation bounds
* Test: in separate threads, allocate a fixed size from each class of kernel heap memory, write beyond it
@@ -911,6 +915,7 @@ Kernel heap linear overflow detection
* Requirements: way to read log output on product as shipped

Kernel heap user-after-free write prevention

* Threat:  kernel heap use-after-free write
* Mitigation: memory tagging prevents use of un/re-allocated memory
* Test: allocate kernel heap memory, free it, write to the allocation
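Review bot: The heading "Kernel heap user-after-free write prevention" has a typo ("user-after-free"), while the Threat line below it correctly says "use-after-free"; since this hunk already edits the heading region, suggest correcting it to "Kernel heap use-after-free write prevention" so the heading matches the threat and the rest of the document.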
@@ -919,6 +924,7 @@ Kernel heap user-after-free write prevention
* Requirements: way to read log output on product as shipped

Kernel heap user-after-free read prevention

* Threat:  kernel heap use-after-free read
* Mitigation: memory tagging prevents use of un/re-allocated memory
* Test: allocate kernel heap memory, free it, read from the allocation
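Review bot: Same typo as the previous hunk: the heading reads "user-after-free read prevention" but the Threat line says "use-after-free read"; suggest "Kernel heap use-after-free read prevention" so both headings are consistent.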
@@ -927,6 +933,7 @@ Kernel heap user-after-free read prevention
* Requirements: way to read log output on product as shipped

Kernel heap free checking

* Threat:  kernel heap free corruption
* Mitigation: validate heap origin on free
* Test: allocate kernel heap, free it twice
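Review bot: The Mitigation line "validate heap origin on free" does not describe what the Test line exercises, which is a double free ("allocate kernel heap, free it twice"); either extend the mitigation wording to cover detecting a second free of the same allocation, or add a second test that actually frees memory of the wrong origin, so the test demonstrably checks the stated mitigation.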
@@ -935,6 +942,7 @@ Kernel heap free checking
* Requirements: way to read log output on product as shipped

Kernel stack memory zeroing

* Threat:  uninitialized kernel stack memory controlled by attacker
* Mitigation: zero-initialize all kernel stack memory before use
* Test: sequentially call 2 functions that allocate the same amount of memory, fill the first with known values and return, and during second function call, read the stack contents back
@@ -943,6 +951,7 @@ Kernel stack memory zeroing
* Requirements: way to read log output on product as shipped

Kernel heap memory zeroing

* Threat:  uninitialized kernel heap memory controlled by attacker
* Mitigation: zero-initialize all kernel heap memory before use
* Test: allocate heap memory, fill with a known value, free it, allocate it again in a deterministic way to get the same heap region, and read back the contents
@@ -951,6 +960,7 @@ Kernel heap memory zeroing
* Requirements: way to read log output on product as shipped

Kernel linked list protection

* Threat:  kernel doubly linked list corruption
* Mitigation: linked list implementation checks prev/next pointers on add/del
* Test: add or delete an item to an uninitialized list
@@ -959,6 +969,7 @@ Kernel linked list protection
* Requirements: way to read log output on product as shipped

Prevent execution of non-kernel code memory

* Threat:  Non-code executable kernel memory
* Mitigation: Only kernel code memory regions are executable
* Test: copy a trivial return-only function into every class of non-code memory in the kernel (e.g. stack, heap, read-only data), one to a thread, and attempt to execute each one
@@ -967,6 +978,7 @@ Prevent execution of non-kernel code memory
* Requirements: way to read log output on product as shipped

Prevent writes to kernel code and read-only data memory

* Threat:  Writable kernel code or read-only memory
* Mitigation: All kernel code memory and non-writable data is read-only
* Test: from separate threads, write to each portion of kernel code
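Review bot: The Test line only covers writes to kernel code ("write to each portion of kernel code"), but the heading and Mitigation line also promise protection of read-only data ("All kernel code memory and non-writable data is read-only"); suggest extending the test to also write to each read-only data region, matching the pattern used in the non-executable-memory hunk above.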
@@ -976,6 +988,7 @@ Prevent writes to kernel code and read-only data memory
* Requirements: way to read log output on product as shipped

Prevent unintentional kernel access to unprivileged memory

* Threat:  Unexpected access to userspace memory from OS kernel
* Mitigation: block cross-privilege level memory read/write/execute
* Test: in separate kernel threads, read, write, and execute memory regions that are mapped to userspace without going through dedicated userspace memory access routines
@@ -984,6 +997,7 @@ Prevent unintentional kernel access to unprivileged memory
* Requirements: way to read log output on product as shipped

Kernel reference counter protection

* Threat:  Kernel reference counter overflow
* Mitigation: bounds check reference counters
* Test: set resource reference counter to 1 less than maximum representable value, increment it twice
@@ -992,6 +1006,7 @@ Kernel reference counter protection
* Requirements: way to read log output on product as shipped

Kernel forward control flow integrity

* Threat:  Kernel function pointer overwrite
* Mitigation: Protect saved function pointers from overwrite
* Test: Save a kernel function pointer to heap, overwrite it with a different function, make indirect call to the saved function pointer
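Review bot: The Mitigation line "Protect saved function pointers from overwrite" does not match the Test line, which assumes the overwrite succeeds and then checks that the indirect call through the overwritten pointer is caught; for a forward-edge CFI entry the mitigation should be phrased as validating indirect call targets at the call site (e.g. "Indirect call targets are validated against the expected function type/set"), otherwise the test as written would be reported as a mitigation failure even when CFI works.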