Give threats names, fix a list render error, add some explanation

## 5.2 Technical security requirements specifications

**FIRST DRAFT**

### 5.2.1 General

### 5.2.1 Mitigations for out-of-bound memory access

This section is a list of technical requirements necessary to satisfy the CRA essential requirements. Each technical requirement can be satisfied by one or more potential mitigations. Each mitigation may or may not be appropriate for an individual use case. The following section will define which mitigations will be required, depending on a risk factor, the overall risk tolerance, and/or a use case in the following section.

FIXME link to risk factors/use cases

### 5.2.2 **TR-OOBM**: Mitigations for out-of-bounds memory access

Kernel stack exhaustion detection

#### 5.2.2.1 Threat description

* Threat: kernel stack exhaustion causes thread to write beyond end of stack

* Mitigation: kernel stack limits validated

Threat: attacker uses an operating systems vulnerability to access memory in an unauthorized manner.

#### 5.2.2.2 **MI-KSED**: Kernel stack exhaustion detection

* Sub-threat: kernel stack exhaustion causes thread to write beyond end of stack

* Mitigation: kernel validates the limits of the kernel stack

* Test: perform unbounded recursive kernel call to use all stack memory

* Result: thread is killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

Kernel stack linear buffer overflow detection

#### 5.2.2.3 **MI-KSBO**: Kernel stack linear buffer overflow detection

* Threat:  unbounded kernel stack buffer write goes beyond stack frame

* Sub-threat: unbounded kernel stack buffer write goes beyond stack frame

* Mitigation: kernel stack frame limits validated

* Test: write beyond the end of a stack buffer

* Result: thread is killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

Kernel array bounds checking

#### 5.2.2.4 **MI-KABC**: Kernel array bounds checking

* Threat:  unbounded kernel array access

* Sub-threat: unbounded kernel array access

* Mitigation: array bounds validated

* Test: declare an array of fixed size and write beyond the max index

* Result: thread is killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

Kernel heap linear overflow detection

#### 5.2.2. **MI-KHLO**: Kernel heap linear overflow detection

* Threat:  kernel heap memory overflow

* Sub-threat: kernel heap memory overflow

* Mitigation: check heap memory allocation bounds

* Test: in separate threads, allocate a fixed size from each class of kernel heap memory, write beyond it

* Result: each thread killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

Kernel heap user-after-free write prevention

#### 5.2.2. **MI-KUFW**: Kernel heap user-after-free write prevention

* Threat:  kernel heap use-after-free write

* Sub-threat: kernel heap use-after-free write

* Mitigation: memory tagging prevents use of un/re-allocated memory

* Test: allocate kernel heap memory, free it, write to the allocation

* Result: thread killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

Kernel heap user-after-free read prevention

#### 5.2.2. **MI-KUFR**: Kernel heap user-after-free read prevention

* Threat:  kernel heap use-after-free read

* Sub-threat: kernel heap use-after-free read

* Mitigation: memory tagging prevents use of un/re-allocated memory

* Test: allocate kernel heap memory, free it, read from the allocation

* Result: thread killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

Kernel heap free checking

#### 5.2.2. **MI-KHFC**: Kernel heap free checking

* Threat:  kernel heap free corruption

* Sub-threat: kernel heap free corruption

* Mitigation: validate heap origin on free

* Test: allocate kernel heap, free it twice

* Result: second free is rejected

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

Kernel stack memory zeroing

#### 5.2.2. **MI-KSMZ**: Kernel stack memory zeroing

* Threat:  uninitialized kernel stack memory controlled by attacker

* Sub-threat: uninitialized kernel stack memory controlled by attacker

* Mitigation: zero-initialize all kernel stack memory before use

* Test: sequentially call 2 functions that allocate the same amount of memory, fill the first with known values and return, and during second function call, read the stack contents back

* Result: stack contents are clear on second call

* Output: action logged as an event

* Requirements: way to read log output on product as shipped

Kernel heap memory zeroing

#### 5.2.2. **MI-KHMO**: Kernel heap memory zeroing

* Threat:  uninitialized kernel heap memory controlled by attacker

* Sub-threat: uninitialized kernel heap memory controlled by attacker

* Mitigation: zero-initialize all kernel heap memory before use

* Test: allocate heap memory, fill with a known value, free it, allocate it again in a deterministic way to get the same heap region, and read back the contents

* Result: heap contents are clear on second allocation

* Output: action logged as an event

* Requirements: way to read log output on product as shipped

Kernel linked list protection

#### 5.2.2. **MI-KLLP**: Kernel linked list protection

* Threat:  kernel doubly linked list corruption

* Sub-threat: kernel doubly linked list corruption

* Mitigation: linked list implementation checks prev/next pointers on add/del

* Test: add or delete an item to an uninitialized list

* Result: thread is killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

Prevent execution of non-kernel code memory

#### 5.2.2. **MI-KPXM**: Prevent execution of non-kernel code memory

* Threat:  Non-code executable kernel memory

* Sub-threat: Non-code executable kernel memory

* Mitigation: Only kernel code memory regions are executable

* Test: copy a trivial return-only function into every class of non-code memory in the kernel (e.g. stack, heap, read-only data), one to a thread, and attempt to execute each one

* Result: each thread is killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

Prevent writes to kernel code and read-only data memory

#### 5.2.2. **MI-KPWM**: Prevent writes to kernel code and read-only data memory

* Threat:  Writable kernel code or read-only memory

* Sub-threat: Writable kernel code or read-only memory

* Mitigation: All kernel code memory and non-writable data is read-only

* Test: from separate threads, write to each portion of kernel code

	      and non-writable data region

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

Prevent unintentional kernel access to unprivileged memory

#### 5.2.2. **MI-KPUM**: Prevent unintentional kernel access to unprivileged memory

* Threat:  Unexpected access to userspace memory from OS kernel

* Sub-threat: Unexpected access to userspace memory from OS kernel

* Mitigation: block cross-privilege level memory read/write/execute

* Test: in separate kernel threads, read, write, and execute memory regions that are mapped to userspace without going through dedicated userspace memory access routines

* Result: each thread killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

Kernel reference counter protection

#### 5.2.2. **MI-KRCP**: Kernel reference counter protection

* Threat:  Kernel reference counter overflow

* Sub-threat: Kernel reference counter overflow

* Mitigation: bounds check reference counters

* Test: set resource reference counter to 1 less than maximum representable value, increment it twice

* Result: reference counter does not overflow but resource is pinned

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

Kernel forward control flow integrity

#### 5.2.2. **MI-KFCI**: Kernel forward control flow integrity

* Threat:  Kernel function pointer overwrite

* Sub-threat: Kernel function pointer overwrite

* Mitigation: Protect saved function pointers from overwrite

* Test: Save a kernel function pointer to heap, overwrite it with a different function, make indirect call to the saved function pointer

* Result: thread is killed

https://cs.android.com/android/platform/superproject/+/android-latest-release:cts/hostsidetests/security/src/android/security/cts/KernelConfigTest.java

**Hardware-Based Countermeasures**

* Secure boot with HW Root of Trust: Ensures that only authenticated firmware is executed, anchored in immutable hardware

* Hardware-backed Key Storage (e.g., TPM, Secure Enclave): Protects cryptographic keys from software-level attacks and unauthorized access

* Memory Protection Units (MPU and/or MMU): Enforces access control policies at hardware level, isolating critical OS components

## 5.3 Risk Mitigations

## 5.3 Risk Mitigation Sets

> **TODO**: Connect the technical security requirements in Section 5.2 to specific Risk Factors, and define these as sets of Risk Mitigations that will be referenced in section 6.