From 682524d5e209c60f8d56f1de9bc9b129795289f8 Mon Sep 17 00:00:00 2001
From: Paul Albertella
Date: Wed, 17 Nov 2021 17:31:19 +0000
Subject: [PATCH] Draft STPA for stack protection

Signed-off-by: Paul Albertella
---
 stack-memory/README.md       | 13 +++++++++++++
 stack-memory/constraints.yml | 24 ++++++++++++++++++++++++
 stack-memory/hazards.yml     | 21 +++++++++++++++++++++
 stack-memory/losses.yml      | 15 +++++++++++++++
 4 files changed, 73 insertions(+)
 create mode 100644 stack-memory/README.md
 create mode 100644 stack-memory/constraints.yml
 create mode 100644 stack-memory/hazards.yml
 create mode 100644 stack-memory/losses.yml

diff --git a/stack-memory/README.md b/stack-memory/README.md
new file mode 100644
index 0000000..703c6bd
--- /dev/null
+++ b/stack-memory/README.md
@@ -0,0 +1,13 @@
+# STPA results for Stack Memory Protection
+
+This directory contains the results of safety analysis using STPA relating to
+the stack memory protection features of Linux.
+
+The goals of this analysis are:
+
+* To specify the risks for safety-critical applications that may arise from
+  faults affecting (or misuse of) stack memory by applications or the kernel
+* To identify existing features or strategies that may be used to prevent or
+  mitigate the effects of these faults
+* To specify how these features or strategies can address the identified risks
+  in the form of constraints (specific, verifiable requirements)
diff --git a/stack-memory/constraints.yml b/stack-memory/constraints.yml
new file mode 100644
index 0000000..9ce4b22
--- /dev/null
+++ b/stack-memory/constraints.yml
@@ -0,0 +1,24 @@
+#
+# A system-level constraint specifies system conditions or behaviors that need
+# to be satisfied to prevent hazards (and ultimately prevent losses)
+#
+# These constraints differ from controller constraints inasmuch as they
+# describe how components in the system need to work together in order
+# to prevent hazards.
+#
+Constraints:
+
+- Identifier: SC-1.1
+  Text: >
+    Safety-critical data must be protected from stack overflow
+  Hazards: [ H-1 ]
+
+- Identifier: SC-1.1
+  Text: >
+    Corruption of safety-critical data by stack overflow must be detected
+  Hazards: [ H-2 ]
+
+- Identifier: SC-2.1
+  Text: >
+    Critical operating system data must be protected from stack depth overflow
+  Hazards: [ H-2 ]
diff --git a/stack-memory/hazards.yml b/stack-memory/hazards.yml
new file mode 100644
index 0000000..2233788
--- /dev/null
+++ b/stack-memory/hazards.yml
@@ -0,0 +1,21 @@
+#
+# A hazard is a system state or set of conditions that, together with a
+# particular set of worst-case environmental conditions, will lead to a loss.
+#
+Hazards:
+- Identifier: H-1
+  Text: >
+    Stack buffer overflow results in corruption of safety application data
+  Losses: [L-1]
+
+- Identifier: H-1
+  Text: >
+    Undetected corruption of safety application data results in
+  Losses: [L-1]
+
+
+- Identifier: H-2
+  Text: >
+    Stack depth overflow results in corruption of kernel data structures
+    that are required for a safety-critical function
+  Losses: [L-2]
diff --git a/stack-memory/losses.yml b/stack-memory/losses.yml
new file mode 100644
index 0000000..7637988
--- /dev/null
+++ b/stack-memory/losses.yml
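Review bot: The second constraint in constraints.yml reuses the identifier SC-1.1 for a different requirement (detection of corruption rather than prevention), so the two entries cannot be told apart by anything that references them; from the numbering of the neighbouring entries it presumably should read `- Identifier: SC-1.2`. The same copy-paste duplication appears in hazards.yml (two H-1 entries) and in losses.yml (two L-1 entries with identical text), so each of the three files needs unique identifiers before the Hazards/Losses cross-references mean anything. That detection constraint also maps to `Hazards: [ H-2 ]`, which is the kernel stack-depth hazard, while its wording is about corruption of safety-critical application data; it looks as though it was meant for the undetected-corruption hazard currently also labelled H-1 in hazards.yml, which is worth confirming once the hazard identifiers are fixed.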
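Review bot: The Text of the second H-1 entry in hazards.yml stops mid-sentence (`Undetected corruption of safety application data results in`) and so names no consequence, which leaves that hazard undefined and its `Losses: [L-1]` mapping unjustified. The first H-1 already covers corruption of application data leading to L-1, so the point of this entry is presumably that the corruption goes undetected; the sentence should be completed to say what that leads to, and the loss it maps to chosen from that wording rather than copied from the entry above. The double blank line before the H-2 entry is also inconsistent with the single blank line used between entries elsewhere in these files.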
@@ -0,0 +1,15 @@
+#
+# A loss involves something of value to stakeholders. Losses may include a loss
+# of human life or human injury, property damage, environmental pollution, loss
+# of mission, loss of reputation, loss or leak of sensitive information, or any
+# other loss that is unacceptable to the stakeholders.
+#
+Losses:
+- Identifier: L-1
+  Text: Loss of application data integrity
+
+- Identifier: L-1
+  Text: Loss of application data integrity
+
+- Identifier: L-2
+  Text: Loss of system data integrity
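Review bot: Both entries in losses.yml name a loss of data integrity, which under the definitions in this file's own header comment and in hazards.yml reads as a system state (a hazard) rather than a stakeholder-level loss such as injury, property damage or loss of mission. If the intent is that a safety-critical application acting on corrupted application or kernel data ultimately leads to such a stakeholder loss, that is what L-1 and L-2 should state, leaving the integrity failures as hazards H-1 and H-2; otherwise a short comment on why data integrity is treated as the terminal loss for this analysis would save the next reader from the same question.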