Skip to main content

Annex I, Part I, Req 2k: Reducing Impact of Incidents (Exploitation Mitigation)

Even with the best defenses, security incidents can happen. The EU Cyber Resilience Act (CRA) requires your software to be prepared. Products with digital elements shall, where applicable, "be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques" (Annex I, Part I, Point 2k).

What is Exploitation Mitigation?

Exploitation mitigation techniques are security measures designed to make it harder for vulnerabilities to be successfully exploited, or to limit the damage an attacker can do if they do manage to exploit a flaw. The goal is to contain the blast radius.

Examples of Mitigation Techniques in Software

  • Address Space Layout Randomization (ASLR): Randomizes memory locations, making it harder for attackers to predict where to find specific code or data.
  • Data Execution Prevention (DEP)/No-eXecute (NX bit): Prevents code from running in memory regions marked as non-executable, stopping many types of shellcode.
  • Stack Canaries/Protectors: Help detect stack buffer overflows.
  • Sandboxing: Isolating processes or components so that a compromise in one doesn't immediately grant access to the whole system or other sensitive parts of your software.
  • Privilege Separation/Least Privilege: Running different parts of your software with different (minimal) privileges. If a low-privilege component is breached, the attacker has limited capabilities.
  • Input Validation and Sanitization: While also preventative, robust input handling can mitigate the impact of injection attacks by rendering malicious payloads inert.
  • Structured Exception Handling: Gracefully handling errors to prevent crashes that might reveal information or create unstable states.

"Appropriate" Mechanisms

The "appropriate" mitigations will depend on your software's architecture, the technologies used, and the risks identified in your cybersecurity risk assessment (Article 13, Paragraph 2). Modern compilers and operating systems often provide many of these features, but you may need to ensure they are enabled and configured correctly.

Key Takeway

Annex I, Part I, Point 2k of the CRA means your software should not just try to prevent breaches but also be designed to limit the damage if an attacker succeeds. Implement exploitation mitigation techniques like ASLR, DEP, and sandboxing where appropriate to make successful attacks harder and less impactful.