Lines Matching refs:be
13 to be created. After the process is implemented and all supporting
35 Finally, a process shall be defined for reporting, classifying,
40 how these assets are protected. Certification claims shall be
60 "OPTIONAL" are to be interpreted as described in [RFC2119]_.
67 SHOULD NOT be done may be very subtle. Document authors should take the
77 changes are identified, they will be added to this document through the
80 1. Changes will be submitted from the interested party(ies) via pull
105 requires all code to be reviewed before being committed to the
178 concrete and detailed guidelines need to be developed and aligned with
199 Execution protection is supported and can be categorized into the
202 - **Memory separation:** Memory will be partitioned into regions and
212 resources owned by that thread will be accessible. Topics such as
220 examples of these would be:
236 to be in place to produce a full solution for the application.
242 include coding guidelines and development processes that can be roughly
244 software security. Furthermore, a system architecture document shall be
262 be created and kept up to date with future development. This document
265 document shall be created and evaluated against the implementation.
274 Designing an open software system such as Zephyr to be secure requires
282 protection mechanisms cannot be kept secret on any system in
285 well established cryptographic libraries shall be used.
288 system shall be kept as simple and small as possible. In the
289 context of the Zephyr project, this can be realized, e.g., by
293 process needs to be authenticated first. Mechanisms to store
294 access conditions shall be avoided if possible.
299 Furthermore, default settings for services shall be chosen in a
304 more need to be satisfied before access is granted. In the
315 than one user or process shall not be shared if not strictly
317 be implemented as a shared library executed by each user and not
332 paradigm shall be used.
336 shall not be enabled by default if they are only rarely used (a
338 this can be realized using the configuration management. Each
339 functionality and module shall be represented as a configuration
340 option and needs to be explicitly enabled. Then, all features,
342 be disabled. The user shall be notified if low-level options and
349 shall be provided. All commits shall be related to a bug report
351 reference shall be denied.
354 secure development guide shall be developed, published, and implemented
374 and shall be performed on each proposed code change prior to
375 check-in. Code reviews shall be performed by at least one
377 These reviews shall be performed by the subsystem maintainers and
378 developers on a functional level and are to be distinguished from
383 mistakes in large code bases. All code shall be analyzed using an
385 is not per individual commit, but is to be run on some interval
388 Waivers shall be documented centrally and
394 main release branch and on the security branch. It shall be
400 - **Complexity Analyses** shall be performed as part of the development
401 process and metrics such as cyclomatic complexity shall be
407 ensure consistent application, they shall be automated as part of
422 - **Lifecycle management:** system stages shall be defined and
431 purposes the integrity of the release needs to be ensured in a
433 can be easily detected.
437 needs to be ensured by an appropriate rights management (e.g.,
440 between several parties, measures shall be taken that no
443 These points shall be evaluated with respect to their impact on the
450 needs to be clearly defined and its application needs to be monitored
453 issues. Furthermore, threat models need to be created for currently
455 be investigated and mitigated. Please refer to the
464 can be partially achieved by automated tests, it is inevitable to
468 - **Security Reviews** shall be performed by a security architect in
480 These criteria and tasks need to be integrated into the development
481 process for secure software and shall be automated wherever possible. On
483 of Zephyr, a directly responsible security architect shall be defined to
489 The general guidelines above shall be accompanied by an architectural
524 The security architecture shall be harmonized with the existing system
529 Additionally, their impact on the system level security shall be
544 of assets to be protected by the system. The next step then models how
550 it resides in, and the overall system is to be estimated. This threat
555 In short, the threat modeling process can be separated into these steps
568 This procedure shall be carried out during the design phase of modules
570 Additionally, new models shall be created, or existing ones shall be
573 be evaluated by the responsible security architect.
575 From these threat models and mitigation techniques tests shall be
577 shall be integrated into the continuous integration workflow to ensure
584 vulnerability analyses (VA) shall be performed. Of special interest are
595 should be considered. For instance, ensuring **timing
600 - **Fuzzing tests** shall be performed on both exposed APIs and
605 hardware platform), a suitable VA plan shall be created and executed.
606 The findings of these analyses shall be considered in the security issue
607 management process, and learnings shall be formulated as guidelines and
610 If possible (as in case of fuzzing analyses), these tests shall be
618 scope and scheme are yet to be decided. However, many certifications such
622 certification scheme and evaluation level, this process needs to be
631 1. The **definition of assets** to be protected within the Zephyr RTOS.
639 including the hardware platform, this might be realized by a
645 **certification claims** on the security of the assets to be
655 consider those components that shall be covered by the certification.
662 For the security certification as such, the following options can be
669 full certification can be more easily achieved. This option is
678 product can be certified with little effort.
687 certification/assurance level need to be determined.
706 These assumptions shall be part of the security claim and evaluation