@@ -926,47 +926,53 @@ Each mitigation is described with the following fields:
* Requirements: features of the product as placed on the market necessary to run the test
* Documentation: what data the manufacturer must save for provision to the MSA
### 5.2.X **TR-TOUT**: Test output
The manufacturer shall provide a method of running the tests for technical requirements and outputting the test results in a machine readable format on the product as placed on the market. The manufacturer shall document the steps necessary to enable testing and collection of the test output. The manufacturer shall not add unnecessary barriers to activating and collecting test output by MSAs.
Test: Follow the instructions to set up testing, run one test for a technical requirement that produces test output, and collect the output.
Result: Test output matches expected output for that test.
### 5.2.X **TR-TDOC**: Test documentation
For any technical requirement which includes a test, the manufacturer shall document the instructions for setting up and running the test, as well as the expected output. Documentation shall include source code and usage documentation for each test, along with the options or inputs necessary to run the tests.
### 5.2.X **TR-MISO**: Memory isolation
#### 5.2.X.1 Threat description
Threat: attacker tries to access memory that belongs to another user or the kernel in an unauthorized manner.
#### 5.2.X.x **MI-USRSEP**: User account separation
#### 5.2.X.x **MI-SSCA**: Static source code analysis for memory protection
Use case: operating systems where all executables share a single address space, memory protection settings, and processor privilege level (e.g. embedded, low power, special purpose, unikernel)
* Mitigation: statically check source code for out-of-bounds memory access
* Test: source code that accesses memory out-of-bounds in a variety of defined ways (TBD)
* Result: warning or error
* Output: the warning or error message produced by the checker
* False positive test: source code that does not access memory out of bounds does not produce the warning or error
* Requirements: board support package
* Documentation: source code and output of the tests, source code of operating system, checker information
#### 5.2.X.x **MI-USEP**: User account separation
Use case: system where multiple users are expected to concurrently share the system's resources or services
* Mitigation: use user identifiers, discretionary access control, or mandatory access control to separate user data and processes
* Test: with the privileges of 1 user, attempt to read and modify stored private data and process memory owned by another user
* Test: with the privileges of one user, attempt to read and modify stored private data and process memory owned by another user
* Result: failure to read or modify stored data, failure to access process memory
* Output: error message logged by the test
* False positive test: read public data owned by another user
* Requirements: way to read log output on product as shipped
* Documentation: source code of test, log output during test
Use case: system where only a single user is expected to be logged in at a time
* Mitigation: reject a user account from logging in if another user is already logged in
* Test: with 1 logged in, attempt to log in as a second user
* Test: with one user logged in, attempt to log in as a second user
* Result: failure to log in
* Output: error message logged to system log
* False positive test: log in after a free system boot
* Requirements: way to read log output on product as shipped
* Documentation: source code of test, log output during test
#### 5.2.X.x **MI-SSCA**: Static source code analysis for memory protection
Use case: operating systems where all executables share a single address space, memory protection settings, and processor privilege level (e.g. embedded, low power, special purpose, unikernel)
* Mitigation: statically check source code for out-of-bounds memory access
* Test: source code that accesses memory out-of-bounds in a variety of defined ways (TBD)
* Result: warning or error
* Output: the warning or error message produced by the checker
* False positive test: source code that does not access memory out of bounds does not produce the warning or error
* Requirements: board support package
* Documentation: source code and output of the tests, source code of operating system, checker information
#### 5.2.X.x **MI-MMUP**: Memory protection using MMU
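Review bot: "log in after a free system boot" in the single-user false positive test reads as a typo for "fresh system boot"; since this hunk already touches the adjacent test lines to spell out "one user", fix it here rather than in a follow-up. Two further points on the same MI-USEP block: the false positive test "read public data owned by another user" states no expected result, unlike the other tests, so add the expected outcome (the read succeeds and no error is logged), and the Result for the single-user case ("failure to log in") would be clearer if it also named where the rejection is logged, since the Output line depends on "error message logged to system log". Finally, the identifier changes from MI-USRSEP to MI-USEP in this hunk; please grep the rest of the document for MI-USRSEP so no cross-reference is left pointing at the old name.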