Mitigations
EMB3D™ Mitigations
- MID-001: Software Only Bootloader Authentication
- MID-002: Hardware-backed Bootloader Authentication
- MID-003: Periodic/Continuous Integrity Measurement and Remote Attestation
- MID-004: Memory Hardening Against Code Injection
- MID-005: Memory Safe Programming Languages
- MID-006: Driver Memory Isolation
- MID-007: Control Flow Manipulation Protections
- MID-008: Decidable Protocols and Parsers
- MID-009: Operating System-based Runtime Integrity Check
- MID-010: No Runtime OS Driver Load
- MID-011: OS Driver/Peripheral Authentication
- MID-012: OS-based Access Control Mechanisms
- MID-013: Process and Thread Memory Segmentation
- MID-014: Sandboxing
- MID-015: Containerization
- MID-016: Least Functionality
- MID-017: Security-relevant Auditing and Logging
- MID-018: Require Authentication for Privileged Functions
- MID-019: ROP Gadget Minimization
- MID-020: Pointer Authentication
- MID-021: VM Hardening
- MID-022: Segmentation Through Hardware-assisted VMs
- MID-023: Hypervisor Hardening
- MID-024: Encrypted VM Isolation
- MID-025: End-of-Life Management Features
- MID-026: Secure Firmware Update
- MID-027: Validated Cryptographic Libraries
- MID-028: Hardware-backed Key Storage
- MID-029: Hardware Root of Trust
- MID-030: Firmware Rollback Protections
- MID-031: Physical Presence Validation
- MID-032: System Service Availability Manager
- MID-033: Unique Factory Preinstalled Secret Keys
- MID-034: Authenticate Network Messages
- MID-035: Encrypt Network Traffic
- MID-036: Cryptographic Nonces
- MID-037: Network Timestamps
- MID-038: Authenticate for Administrative Actions
- MID-039: Restrict Software Diagnostic Functions
- MID-040: Cryptographically Signed Custom Programs
- MID-041: Cryptographically Signed Vendor-supplied Programs
- MID-042: Device Checks Consistency Between Binary/Running Code and Textual Code
- MID-043: Manage Default Login Credentials
- MID-044: Strong Cryptographic Algorithms and Protocols
- MID-045: Multi-factor Authentication
- MID-046: Authentication Attempts Timeouts and Lockouts
- MID-047: Sufficient Entropy for Keys
- MID-048: Hardware Random Number Generator
- MID-049: Secure Password Storage
- MID-050: Operating System Defenses Against Microarchitecture Feature Side Channels
- MID-051: Disallow User-Provided Code
- MID-052: Physically Protect Circuit Board Traces and Chip Pins
- MID-053: Use IOMMU to Implement DMA Access Controls
- MID-054: Encrypt and Authenticate Non-volatile Storage Contents
- MID-055: Use Highly Integrated Processors to Avoid Physical Attacks
- MID-056: Allow Device Administrators to Disable Removable Storage Support
- MID-057: Disable Physical Development and Debugging Ports
- MID-058: Engage Hardware Readout Protection Mechanisms
- MID-059: Software Patterns for Side Channel Resistance
- MID-060: Dedicated Hardware Cryptographic Modules
- MID-061: Use Separate Processors for Isolation
- MID-062: Hardware Mitigations for Fault Injection
- MID-063: Software Mitigations for Fault Injection
- MID-064: Store Critical Code and Data in On-Chip Memory
- MID-065: RAM Encryption
- MID-066: Implement Redundant Processing and Memory
- MID-067: Implement DRAM RowHammer-resistant DRAM and Memory Controllers
- MID-068: Data Bus Encryption and Message Authentication
- MID-069: Electrical Fault Protection
- MID-070: Peripheral Component Authentication
- MID-071: Sanitized and Escaped User Data for Web Applications
- MID-072: Parameterized SQL Queries
- MID-073: Secure HTTP Session Management
- MID-074: Cross Site Request Forgery Mitigations
- MID-075: Path Traversal Protections
- MID-076: Web Direct Object Reference Authentication
- MID-077: Secure Deserialization
- MID-078: HTTP Request/Response Validation
- MID-079: Remove Undocumented Network Functionality
- MID-080: Network Request Processing Limits
- MID-081: Secure Network Tunnels
- MID-082: Post-quantum Cryptography
- MID-083: Network Firewall/Access Control List