Check: SRG-APP-999999-MAPP-00067
Mobile Application SRG: SRG-APP-999999-MAPP-00067 (in version v1 r1)
Title
The mobile application must clear or overwrite memory blocks used to process sensitive data. (Cat II impact)
Discussion
Sensitive data in memory should be cleared or overwritten so that it is not left available to an attacker seeking ways to gain access to data that otherwise appears erased. Unless an application can overwrite memory blocks, the possibility exists for an attacker to cause the application to crash and analyze a memory dump of the application for sensitive information. Clearing memory gives the DoD assurance that the application can operate more securely, with greater protection applied to sensitive data that will be properly removed when no longer required. Additional overwriting requirements may be applicable to classified applications. Please refer to CWEs 14, 226, 244, and 591 for further information. The MAPP SRG Overview contains additional information on the use of CWEs.
Check Content
If the application does not contain sensitive or classified information, this check is not applicable. Furthermore, if the MOS on which the application runs clears memory whenever an application releases memory, this check is not applicable. Otherwise, perform a dynamic program analysis of the application and assess how memory blocks are cleared of sensitive or classified data. This will likely require the use of a MOS emulator. If the application releases memory blocks before clearing them, this is a finding.
Fix Text
Modify code to clear memory blocks used for storing sensitive and classified data before the memory is released to other processes.
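One way to apply this fix in native C application code, shown as an added example that is not part of the SRG. All function names are illustrative, and the volatile-pointer wipe is an assumed choice for platforms without a dedicated zeroing call. It covers two cases the referenced CWEs describe: a clearing write the compiler removes (CWE-14) and heap data left behind on release or resize (CWE-244).

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example; all function names here are illustrative. */

/* Zero len bytes through a volatile pointer so the compiler does not
 * discard the stores as dead writes ahead of free() (CWE-14). */
static void secure_wipe(void *p, size_t len)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
}

/* Clear a sensitive heap block, then release it (CWE-244). */
static void secret_free(void *p, size_t len)
{
    if (p == NULL)
        return;
    secure_wipe(p, len);
    free(p);
}

/* Resize without realloc(), which may move the data and leave the old
 * copy uncleared on the heap. On failure the old block is untouched. */
static void *secret_resize(void *old, size_t old_len, size_t new_len)
{
    void *fresh = calloc(1, new_len ? new_len : 1);
    if (fresh == NULL)
        return NULL;
    if (old != NULL) {
        memcpy(fresh, old, old_len < new_len ? old_len : new_len);
        secret_free(old, old_len);
    }
    return fresh;
}

/* Returns 1 when every byte of the block is zero. */
static int is_cleared(const void *p, size_t len)
{
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < len; i++)
        if (b[i] != 0)
            return 0;
    return 1;
}
```

Where the platform provides a zeroing call that is guaranteed not to be optimized away, such as explicit_bzero or C11 Annex K memset_s, it can replace the loop in secure_wipe.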
Additional Identifiers
Rule ID: SV-47035r1_rule
Vulnerability ID: V-35748
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |