SI-16 MEMORY PROTECTION


PCF Compliance

The PCF product feature set is sufficient to satisfy the technical requirements implied in SI-16. Each instance of an app deployed to PCF runs within its own container, a self-contained environment. This container isolates processes, memory, and the filesystem using operating system features and the characteristics of the virtual and physical infrastructure where PCF is deployed.

PCF stemcells follow industry-standard hardening guidance and maintain a secure posture by default. For example, PCF is preconfigured to randomize address space layout and to mount file systems with restrictive options such as noexec and read-only.

For more information, see Understanding Container Security.
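
A host-level check for the two safeguards named above, address space layout randomization and restrictive mount options, given here as an added example that is not PCF code. The mount points checked (/tmp, /dev/shm, /srv/readonly) and the sample mount table are constructed assumptions; the page does not say which file systems a stemcell mounts noexec or read-only.

```shell
#!/bin/sh
# Functions read the live kernel interfaces by default; a file argument
# lets them run against captured or constructed data instead.

# aslr_status [FILE]: print off|partial|full for kernel.randomize_va_space.
aslr_status() {
    val=$(cat "${1:-/proc/sys/kernel/randomize_va_space}" 2>/dev/null) || val=""
    case "$val" in
        0) echo off ;;
        1) echo partial ;;  # stack, mmap base and VDSO randomized; brk heap is not
        2) echo full ;;     # brk heap randomized as well
        *) echo unknown ;;  # file missing or unexpected value
    esac
}

# mount_has_option MOUNTPOINT OPTION [FILE]: exit 0 if the mount carries OPTION.
# Table fields: device mountpoint fstype options dump pass. When a mount point
# is listed more than once, the last entry (the topmost mount) decides.
mount_has_option() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp { found = 0; n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
        END { exit(found ? 0 : 1) }' "${3:-/proc/mounts}"
}

# missing_option OPTION FILE MOUNTPOINT...: print mount points lacking OPTION.
missing_option() {
    opt=$1; table=$2; shift 2
    for mp in "$@"; do
        mount_has_option "$mp" "$opt" "$table" || echo "$mp"
    done
}

# Constructed sample mount table (assumption, not taken from a real stemcell).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /srv/readonly ext4 ro,relatime 0 0
EOF

echo "ASLR on this host: $(aslr_status)"
echo "sample mounts missing noexec: $(missing_option noexec "$SAMPLE" /tmp /dev/shm | tr '\n' ' ')"
```

To audit a live host, call `missing_option noexec /proc/mounts` followed by the mount points your own hardening baseline requires.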


Control Description

The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.

Supplemental Guidance

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.