@@ -965,31 +965,23 @@ All warnings, annotations, or other method of suppressing warnings from the anal
* Output: the output of the source code analysis checker
* False negative test: for each kind of memory error in the above list, write a test program with the error, run the analysis tool on it, and show that it produces a warning for each error
#### 5.2.X.x **MI-KSEP**: Separation of operating systems memory from user account memory
#### 5.2.X.x **MI-MMAC**: Memory access control
The manufacturer shall implement MI-SSCA.
The manufacturer shall implement mechanisms to prevent unauthorized access to security-relevant parts of the operating system memory by unauthorized users or subsystems of the operating systems.
The manufacturer shall implement mechanisms to prevent unauthorized access to the memory used by security-relevant parts of the operating system. The manufacturer shall use user identifiers, discretionary access control, or mandatory access control to prevent unauthorized access of memory owned by user accounts by other user accounts.
* Test: from a user account, attempt to read, modify, and execute security-relevant parts of operating system memory that the user is not authorized to access
* Result: failure to access operating systems memory
* Test: from a user account, attempt to read, modify, and execute security-relevant parts of operating system memory that the user is not authorized to access in this way
* Result: failure to access memory
* Output: error message logged by the test
FIXME should have separate requirement for privileged user still not being able to access kernel memory
#### 5.2.X.x **MI-USEP**: Separation of memory by user account
The manufacturer shall implement MI-KSEP.
The manufacturer shall use user identifiers, discretionary access control, or mandatory access control to prevent access of the private in-memory data owned by one user account by different user account.
* Test: with the privileges of one user, attempt to read, modify, and execute process memory owned by another user
* Result: failure to access process memory
* Test: with the privileges of one user, attempt to read, modify, and execute process memory owned by another user that the user is not authorized to access in this way
The manufacturer shall implement MI-SCCA and MI-KSEP.
The manufacturer shall implement MI-SCCA and MI-MMAC.
The manufacturer shall implement mechanisms to reject a user account from logging in if a different user account is already logged in.
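Review bot: The requirement identifier is spelled two ways in this hunk, "MI-SSCA" in "The manufacturer shall implement MI-SSCA." but "MI-SCCA" in "The manufacturer shall implement MI-SCCA and MI-KSEP." and "The manufacturer shall implement MI-SCCA and MI-MMAC."; the mapping table in the following section uses "SSCA", so one spelling should be used throughout. The "#### 5.2.X.x **MI-KSEP**" heading is immediately followed by the "**MI-MMAC**" heading with no requirement text under it, and under both MI-MMAC and MI-USEP the two "Test:" lines differ only by the trailing "in this way" (with the second MI-USEP test also lacking a "Result:"), so one of each pair reads as a leftover from the edit and should be dropped. The "FIXME should have separate requirement for privileged user still not being able to access kernel memory" line should be resolved or moved to a tracked issue rather than merged into the requirement text.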
@@ -1012,15 +1004,29 @@ The manufacturer shall implement mechanisms to prevent leaking of memory data to
* Result: there is no difference reliable enough to deduce the contents of a memory address
* Output: the times measured by the tests
#### 5.2.X.x Mapping of mitigations to risk factors
Mitigations satisfy technical requirements only under when they mitigate the relevant risks appropriately. Risk factors are used to determine this. The below table shows which mitigations are appropriate to which use cases or risk profiles based on the risk factors determined in the risk assessment.
| Mitigation | Applies if risk factors satisfy |
|------------|----------------------------------|
| None | All risk factors are 0 |
| SSCA | CUSR = 0 & SWMD = 0 |
| MMAC | CUSR <= 2 & SWMD <= 2 |
| UCON | CUSR <= 1 |
| SPEX | any |
FIXME change the above mapping to be based on a combination of likelihood and impact
#### 5.2.X.x Mapping of mitigations to security profiles
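Review bot: The conditions in the mapping table overlap and leave a gap: "None | All risk factors are 0" and "SSCA | CUSR = 0 & SWMD = 0" both match the all-zero profile, and "MMAC | CUSR <= 2 & SWMD <= 2" contains both of those cases, so a reader cannot determine which mitigation applies to a given risk profile; state whether the rows are cumulative (each row adds to the ones above it) or mutually exclusive, and cover CUSR > 2 or SWMD > 2 explicitly, since only "SPEX | any" currently reaches it. The column header "Applies if risk factors satisfy" would read better as "Applies if risk factors satisfy the condition" or "Condition on risk factors". In the prose, "Mitigations satisfy technical requirements only under when they mitigate" has a stray "under". The "FIXME change the above mapping to be based on a combination of likelihood and impact" note describes a change to the table's basis and should be tracked as an issue before merge rather than left in the text, and the "5.2.X.x" placeholder section numbers used throughout still need real numbers.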