Device Class 1: Memory Protection

Control ID: SI-16 Memory Protection Family: System and Information Integrity Source: NIST 800-53r4
Control: The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.
Supplemental Guidance:
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.

Related Controls: SC-3, AC-25
Control Enhancements: N/A
References: N/A
Mechanisms:

  • The device shall implement data execution prevention .
  • The device may implement address space layout randomization .
  • The implementations shall be hardware-enforced.

Protocol Implementation Conformance Statements:
ID Statement Status Reference Notes
SI-16/1 Implements data execution prevention M
SI-16/1.1 Data execution prevention is hardware-enforced M
SI-16/2 Implements address space layout randomization O
SI-16/2.1 Address space layout is hardware-enforced M if SI-16/2