Embedded Files
This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.
NIST 800-53 (r4) Supplemental Guidance:
Some adversaries launch attacks with the intent of executing code in non- executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Related controls: AC-25, SC-3.
NIST 800-53 (r5) Discussion:
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism.
38North Guidance:
Meets Minimum Requirement:
Memory protection is typically provided through the hypervisor as well as the managed runtime through containerization (e.g., Docker). Each application should run in its own container.
IaaS CSP should perform resource management on the underlying infrastructure that supports all deployed resources. Platform and application provider should perform application-level resource prioritization based on system design and requirements. Limits should be set for memory, CPU, etc. The maximum resources available for each VM/container should be specified, thus protecting the availability of resources by not allowing any VM/container to consume excessive resources. Within the system architecture, components are not overloaded and resource availability conflicts do not occur.
Best Practice:
Memory protection is a way to control memory access rights on a computer and is a part of most modern instruction set architectures and operating systems. The main purpose of memory protection is to prevent a process from accessing memory that has not been allocated to it. This prevents a bug or malware within a process from affecting other processes, or the operating system itself. Protection may encompass all accesses to a specified area of memory, write accesses, or attempts to execute the contents of the area. Memory protection for computer security includes additional techniques such as address space layout randomization and executable space protection.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Configuration showing ASLR is enabled for Linux hosts (if applicable) (https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/).
Ensure all systems and operating systems are a current and supported version.
CSP Implementation Tips:
Amazon Web Services (AWS): Amazon S3 and Amazon Glacier
Microsoft Azure: Azure Blob storage
Google Cloud Platform: TBD
Page updated
Report abuse