CDD: Strongly recommend kernel heap initialization

The idea is to eliminate bugs related to using uninitialized heap
variables in the kernel by force-initializing all the heap allocations
(page alloc and kmalloc()). This includes potential stability bugs as well
as information leaks as well as vulnerabilities related to control flow
subversion. Together with stack initialization, this change is going to
mitigate most of the bugs related to uninitialized memory in the kernel.

Test: None
Bug: 143931827

Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I3af6f5d8a02fd3895b9c5e125a602e8672478488
diff --git a/9_security-model/9_7_security-features.md b/9_security-model/9_7_security-features.md
index 6b5a175..49fa244 100644
--- a/9_security-model/9_7_security-features.md
+++ b/9_security-model/9_7_security-features.md
@@ -81,6 +81,10 @@
 `CONFIG_INIT_STACK_ALL_ZERO`).
 Also, device implementations SHOULD NOT assume the value used by the compiler to
 initialize the locals.
+*   [C-SR] Are STRONGLY RECOMMENDED to enable heap initialization in the kernel
+to prevent uses of uninitialized heap allocations
+(`CONFIG_INIT_ON_ALLOC_DEFAULT_ON`) and they SHOULD NOT assume the value used by
+the kernel to initialize those allocations.
 
 If device implementations use a Linux kernel, they: