Remove redundant parts of mitigation descriptions

FIXME: also require of all security-relevant parts of userspace where applicable

#### 5.2.X.1 Example threat

attacker uses an operating systems vulnerability to access memory in an unauthorized manner while possessing elevated memory access privileges.

#### 5.2.X.x **MI-KSED**: Kernel stack exhaustion detection

Use case: phone, general purpose, desktop, server, router, firewall

* Sub-threat: kernel stack exhaustion causes thread to write beyond end of stack

* Mitigation: kernel validates the limits of the kernel stack

* Test: perform unbounded recursive kernel call to use all stack memory

* Result: thread is killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped, ability to build and run new kernel code

* Documentation: source code of test, log output during test

#### 5.2.X.x **MI-KSBO**: Kernel stack linear buffer overflow detection

* Test: write beyond the end of a stack buffer

* Result: thread is killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

* Documentation:

#### 5.2.X.x **MI-KABC**: Kernel array bounds checking

* Test: declare an array of fixed size and write beyond the max index

* Result: thread is killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

* Documentation:

#### 5.2.X. **MI-KHLO**: Kernel heap linear overflow detection

* Test: in separate threads, allocate a fixed size from each class of kernel heap memory, write beyond it

* Result: each thread killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

* Documentation:

#### 5.2.X. **MI-KUFW**: Kernel heap user-after-free write prevention

* Test: allocate kernel heap memory, free it, write to the allocation

* Result: thread killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

* Documentation:

#### 5.2.X. **MI-KUFR**: Kernel heap user-after-free read prevention

* Test: allocate kernel heap memory, free it, read from the allocation

* Result: thread killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

* Documentation:

#### 5.2.X. **MI-KHFC**: Kernel heap free checking

* Test: allocate kernel heap, free it twice

* Result: second free is rejected

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

* Documentation:

#### 5.2.X. **MI-KSMZ**: Kernel stack memory zeroing

* Test: sequentially call 2 functions that allocate the same amount of memory, fill the first with known values and return, and during second function call, read the stack contents back

* Result: stack contents are clear on second call

* Output: action logged as an event

* Requirements: way to read log output on product as shipped

* Documentation:

#### 5.2.X. **MI-KHMO**: Kernel heap memory zeroing

* Test: allocate heap memory, fill with a known value, free it, allocate it again in a deterministic way to get the same heap region, and read back the contents

* Result: heap contents are clear on second allocation

* Output: action logged as an event

* Requirements: way to read log output on product as shipped

* Documentation:

#### 5.2.X. **MI-KLLP**: Kernel linked list protection

* Test: add or delete an item to an uninitialized list

* Result: thread is killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

* Documentation:

#### 5.2.X. **MI-KPXM**: Prevent execution of non-kernel code memory

* Test: copy a trivial return-only function into every class of non-code memory in the kernel (e.g. stack, heap, read-only data), one to a thread, and attempt to execute each one

* Result: each thread is killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

* Documentation:

#### 5.2.X. **MI-KPWM**: Prevent writes to kernel code and read-only data memory

	      and non-writable data region

* Result: each thread killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

* Documentation:

#### 5.2.X. **MI-KPUM**: Prevent unintentional kernel access to unprivileged memory

* Test: in separate kernel threads, read, write, and execute memory regions that are mapped to userspace without going through dedicated userspace memory access routines

* Result: each thread killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

* Documentation:

#### 5.2.X. **MI-KRCP**: Kernel reference counter protection

* Test: set resource reference counter to 1 less than maximum representable value, increment it twice

* Result: reference counter does not overflow but resource is pinned

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

* Documentation:

#### 5.2.X.x **MI-KFCI**: Kernel control flow integrity

* Test: Save a kernel function pointer to heap, overwrite it with a different function, make indirect call to the saved function pointer. Repeat but with a return address that was stored to the stack.

* Result: thread is killed

* Output: action logged as an event or the OS reboots

* Requirements: way to read log output on product as shipped

* Documentation:

#### 5.2.X.x **MI-KMT**: Kernel memory protection using memory tagging

* Test: Allocate 2 adjacent memory regions with separate tags. Attempt to read and write memory with a positive offset into trailing region from leading region's tagged pointer. Attempt to read and write with negative offset into leading region using trailing region's tagged pointer. Free a region and read and write to the region using the original tagged pointer.

* Result: segmentation fault, error handling code executed or thread killed under in all test conditions

* Output: error message or log message for killed thread

* Requirements: way to read output on product as shipped

* Documentation: source code of tests, output of error message or thread kill

### 5.2.X **TR-LSRE**: Logging of security-relevant events

  * enough information to directly repair the change without scanning the whole system

  * enough log storage ??? amount

* Test: For each type of logged event, execute the action that should be logged

* Result: Log output for each event

* Result: Each event is logged

* Output: Log output for each event

* Requirements: way to read log output on product as shipped

* Documentation: list of security-relevant configuration, description of tests, source code of tests, output of tests

#### 5.2.X.x **MI-RLOG**: Remote logging

* Mitigation: same as MI-LLOG but with ability to send logs via a verifiable channel to an authorized log server, as long as the connection to the server is available

* Test: For each type of logged event that would result in the logging server becoming unavailable, execute the action that would result in that log event

* Result: Log output for each event is sent to log server

* Output: Log output for each event as sent to log server

* Output: Log output as sent to log server or as recorded on log server

* Requirements: way to setup remote log server for product as shipped

* Documentation: description of tests, source code of tests, output of tests, instructions for setting up log server

### 5.2.X **TR-LLTP**: Local log tamper prevention

* Test: attempt to write to, delete, and move each log file by an unauthorized user

* Result: access is denied, log is not changed

* Output: error messages, comparison of log status shows no changes

* Requirements: way to attempt to tamper with logs on product as shipped, way to read log output

* Documentation: how to get access to the device to attempt log tampering, source code of tests, documentation to run tests, output of tests

* Requirements: way to attempt to tamper with logs on product as shipped

FIXME: what about append-only?

* Mitigation: Authentication of remote log server

* Test: Attempt to intercept initial connection to log server using identical responses as the authorized log server, except where using only publicly available information would be different

* Result: Failure to connect to remote log server

* Output: Log message, error message, no logs are sent

* Requirements: way to read local log output

* Documentation: documentation, source, output for tests, information/software necessary to masquerade as a log server

* Result: Failure to connect to remote log server and no logs are sent

* Output: Error message

#### 5.2.X.x **MI-RLET**: Encrypt log message stream with tamper-evident protocol

* Mitigation: Use tamper-resistant encryption on the log stream such as TBD LIST OR REFER

* Test: Alter, insert, and delete log message stream using only publicly available data

* Result: Log server rejects tampered/false log message

* Output: Local log shows lack of confirmation of data sent or error message indicating loss/corruption of data

* Requirements: way to read local log output

* Documentation: documentation, source, output for tests

* Output: Error message

### 5.2.X **TR-PCFG**: Prevent unauthorized changes of security-relevant configuration

* Mitigation: Security relevant configuration can only be edited by authorized user

* Test: For each security-relevant configuration item, attempt to edit, delete, or disable

* Result: Failure messages, configuration does not change

* Output: Failure messages, before and after comparison of configuration shows no change

* Requirements: way to attempt configuration changes as unauthorized user, way to read error messages, way to compare configuration before and after

* Documentation: list of all security-relevant configuration items, source, description, output of tests, documentation on how to set up tests, read configuration

* Result: Configuration does not change

* Output: Error messages, before and after comparison of configuration shows no change

* Documentation: list of all security-relevant configuration items

### 5.2.X **TR-MINI**: Minimize exposed interfaces

An interface unnecessary for the default functioning of the product is exposed and has a vulnerability.

#### 5.2.X.x **MI-JUST**: List and justify all exposed interfaces

#### 5.2.X.x **MI-DIDO**: Disable unnecessary interfaces and document remaining interfaces

Use case: Above a certain level of risk

* Mitigation: Reduce exposed privilege boundary interfaces to the minimum required and describe why each is necessary for default behavior

* Mitigation: Disable interfaces that are unnecessary for default state of product

* Test: Compare available interfaces to documentation, completely enumerating all reachable privilege boundries via:

  * network ports

  * system calls

  * handle based interfaces (e.g. /dev, /sys, /proc)

  * shared memory regions (e.g. GPU, MMIO)

  * FIXME more

* Result: No undocumented interfaces

* Output: Documentation of interfaces, results of scans

* Requirements: Ability to enumerate interfaces on shipped product

* Documentation: Source, documentaition, output of tests

* Result: No undocumented interfaces are found

* Output: List of interfaces found by tests

* Documentation: List all enabled interfaces, document each element, and explain why each is necessary for the default function of the product

FIXME: separate MI for minimum process privileges?