Draft STPA for stack protection

Signed-off-by: Paul Albertella <[email protected]>

stack-memory/README.md

@@ -0,0 +1,13 @@
+# STPA results for Stack Memory Protection
+
+This directory contains the results of safety analysis using STPA relating to  
+the stack memory protection features of Linux.
+
+The goals of this analysis are:
+
+* To specify the risks for safety-critical applications that may arise from
+  faults affecting (or misuse of) stack memory by applications or the kernel
+* To identify existing features or strategies that may be used to prevent or
+  mitigate the effects of these faults
+* To specify how these features or strategies can address the identified risks
+  in the form of constraints (specific, verifiable requirements)

stack-memory/constraints.yml

@@ -0,0 +1,24 @@
+#
+# A system-level constraint specifies system conditions or behaviors that need
+# to be satisfied to prevent hazards (and ultimately prevent losses)
+#
+# These constraints differ from controller constraints inasmuch as they
+# describe how components in the system need to work together in order
+# to prevent hazards.
+#
+Constraints:
+
+- Identifier: SC-1.1
+  Text: >
+    Safety-critical data must be protected from stack overflow
+  Hazards: [ H-1 ]
+
+- Identifier: SC-1.1
+  Text: >
+    Corruption of safety-critical data by stack overflow must be detected
+  Hazards: [ H-2 ]
+
+- Identifier: SC-2.1
+  Text: >
+    Critical operating system data must be protected from stack depth overflow
+  Hazards: [ H-2 ]

stack-memory/hazards.yml

@@ -0,0 +1,21 @@
+#
+# A hazard is a system state or set of conditions that, together with a
+# particular set of worst-case environmental conditions, will lead to a loss.
+#
+Hazards:
+- Identifier: H-1
+  Text: >
+    Stack buffer overflow results in corruption of safety application data
+  Losses: [L-1]
+
+- Identifier: H-1
+  Text: >
+    Undetected corruption of safety application data results in 
+  Losses: [L-1]
+
+
+- Identifier: H-2
+  Text: >
+    Stack depth overflow results in corruption of kernel data structures
+    that are required for a safety-critical function
+  Losses: [L-2]

stack-memory/losses.yml

@@ -0,0 +1,15 @@
+#
+# A loss involves something of value to stakeholders. Losses may include a loss
+# of human life or human injury, property damage, environmental pollution, loss
+# of mission, loss of reputation, loss or leak of sensitive information, or any
+# other loss that is unacceptable to the stakeholders.
+#
+Losses:
+- Identifier: L-1
+  Text: Loss of application data integrity
+
+- Identifier: L-1
+  Text: Loss of application data integrity
+
+- Identifier: L-2
+  Text: Loss of system data integrity