CWE-1324 – Sensitive Information Accessible by Physical Probing of JTAG Interface

Description

Sensitive information sent in clear text on the JTAG interface may be examined by an eavesdropper, e.g. by placing a probe device such as a logic analyzer on the interface, or by a corresponding software technique.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-300

 

Consequences

Confidentiality: Read Memory, Read Files or Directories, Read Application Data

 

Potential Mitigations

Phase: Manufacturing

Effectiveness: High

Description: 

Permanently disable the JTAG interface before releasing the system to untrusted users.

Phase: Architecture and Design

Effectiveness: High

Description: 

Encrypt all information (traffic) on the JTAG interface using an approved algorithm (such as one recommended by NIST). Encrypt the path from inside the chip to the trusted user application.

Phase: Implementation

Effectiveness: High

Description: 

Block access to secret data from JTAG.

CVE References

CWE-1323 – Improper Management of Sensitive Trace Data

Description

Trace data collected from several sources on the
System-on-Chip (SoC) is stored in unprotected locations or
transported to untrusted agents.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284

 

Consequences

Confidentiality: Read Memory

An adversary can read secret values if they are captured in debug traces and stored unsafely.

 

Potential Mitigations

Phase: Implementation

Description: 

Tag traces to indicate owner and debugging privilege level (designer, OEM, or end user) needed to access that trace.

CVE References

CWE-1322 – Use of Blocking Code in Single-threaded, Non-blocking Context

Description

The product uses a non-blocking model that relies on a single-threaded process for features such as scalability, but it contains code that can block when it is invoked.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-834
CWE-835

 

Consequences

Availability: DoS: Resource Consumption (CPU)

An unexpected call to blocking code can trigger an infinite loop, or a large loop that causes the software to pause and wait indefinitely.

 

Potential Mitigations

Phase: Implementation

Description: 

Generally speaking, blocking calls should be
replaced with non-blocking alternatives that can be used asynchronously.
Expensive computations should be passed off to worker threads, although
the correct approach depends on the framework being used.

Phase: Implementation

Description: 

For expensive computations, consider breaking them up into
multiple smaller computations. Refer to the documentation of the
framework being used for guidance.

CVE References

CWE-1321 – Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’)

Description

The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-915
CWE-913
CWE-471

 

Consequences

Integrity: Modify Application Data

An attacker can inject attributes that are used in other components.

Availability: DoS: Crash, Exit, or Restart

An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.

 

Potential Mitigations

Phase: Implementation

Effectiveness: High

Description: 

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

While this can mitigate this weakness completely, other methods are recommended when possible, especially in components used by upstream software (“libraries”).

Phase: Architecture and Design

Effectiveness: High

Description: 

By blocking modifications of attributes that resolve to the object prototype, such as __proto__ or prototype, this weakness can be mitigated.

Phase: Implementation

Effectiveness: Limited

Description: 

When handling untrusted objects, validate them against a schema.

Phase: Implementation

Effectiveness: High

Description: 

By using an object without prototypes (via Object.create(null)), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Phase: Implementation

Effectiveness: Moderate

Description: 

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CVE References

  • CVE-2019-10744
    • Prototype pollution by setting default values to object attributes recursively.
  • CVE-2020-8203
    • Prototype pollution by setting object attributes based on dot-separated path.
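The mitigations above, applied to the recursive-merge pattern named in the CVE list, as an added example that is not code from CWE or from any affected library. The function names (unsafeMerge, safeMerge, demo) and the payload are constructed for illustration; the hardened merge combines key blocking, Object.create(null) containers, and a Map.

```javascript
// Added example: not code from CWE or from any affected library.
// Keys that resolve to an object's prototype chain.
const BLOCKED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Weak form: recursive merge that follows every key in the untrusted source.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      unsafeMerge(target[key], source[key]); // target.__proto__ is Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened form: skip prototype-resolving keys, recurse only into own
// properties, and build nested containers without a prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (!isObject(value)) { target[key] = value; continue; }
    const own = Object.prototype.hasOwnProperty.call(target, key);
    const child = own && isObject(target[key]) ? target[key] : Object.create(null);
    target[key] = safeMerge(child, value);
  }
  return target;
}

// Runs both merges on a constructed payload and reports whether a fresh {}
// picked up the injected attribute.
function demo() {
  const untrusted = JSON.parse('{"theme":"dark","__proto__":{"polluted":true}}');
  unsafeMerge({}, untrusted);
  const unsafePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution before the next check

  const merged = safeMerge(Object.create(null), untrusted);
  const asMap = new Map(Object.entries(untrusted)); // "__proto__" is just a Map key
  const safePolluted = ({}).polluted === true;
  return { unsafePolluted, safePolluted, theme: merged.theme, mapKeys: [...asMap.keys()] };
}

console.log(demo());
```

Blocking "constructor" also drops any legitimate attribute with that name, so a schema for the expected keys is still worth having alongside the merge.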

CWE-1320 – Improper Protection for Out of Bounds Signal Level Alerts

Description

Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284

 

Consequences

Availability: DoS: Instability, DoS: Crash, Exit, or Restart, Reduce Reliability, Unexpected State

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Alert signals generated by critical events should be protected from access by untrusted agents. Only hardware or trusted firmware modules should be able to alter the alert configuration.

CVE References

CWE-1319 – Improper Protection against Electromagnetic Fault Injection (EM-FI)

Description

The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-693

 

Consequences

Confidentiality, Integrity, Access Control, Availability: Modify Memory, Read Memory, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

CVE References

CWE-1318 – Missing Support for Security Features in On-chip Fabrics or Buses

Description

On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-693

 

Consequences

Confidentiality, Integrity, Access Control, Availability: DoS: Crash, Exit, or Restart, Read Memory, Modify Memory

 

Potential Mitigations

Phase: Architecture and Design

Description: 

If the fabric does not support security features, implement security checks in a bridge or any component that is between the master and the fabric. Alternatively, connect all fabric slaves that do not have any security assets under one such fabric and connect peripherals with security assets to a different fabric that supports security features.

CVE References

CWE-1317 – Missing Security Checks in Fabric Bridge

Description

A bridge that is connected to a fabric without security features forwards transactions to the slave without checking the privilege level of the master. Similarly, it does not check the hardware identity of the transaction received from the slave interface of the bridge.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284

 

Consequences

Confidentiality, Integrity, Access Control, Availability: DoS: Crash, Exit, or Restart, Bypass Protection Mechanism, Read Memory, Modify Memory

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Design includes provisions for access-control checks in the bridge for both upstream and downstream transactions.

Phase: Implementation

Description: 

Implement access-control checks in the bridge for both upstream and downstream transactions.

CVE References

  • CVE-2019-6260
    • Baseboard Management Controller (BMC) device implements Advanced High-performance Bus (AHB) bridges that do not require authentication for arbitrary read and write access to the BMC’s physical address space from the host, and possibly the network [REF-1138].

CWE-1316 – Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges

Description

The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284

 

Consequences

Confidentiality, Integrity, Access Control, Authorization: Bypass Protection Mechanism, Read Memory, Modify Memory

 

Potential Mitigations

Phase: Architecture and Design

Description: 

When architecting the address map of the chip, ensure that protected and unprotected ranges are isolated and do not overlap. When designing, ensure that ranges hardcoded in Register-Transfer Level (RTL) do not overlap.

Phase: Implementation

Description: 

Ranges configured by firmware should not overlap. If overlaps are mandatory because of constraints such as a limited number of registers, then ensure that no assets are present in the overlapped portion.

Phase: Testing

Description: 

Validate mitigation actions with robust testing.
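One way to test a firmware-configured address map for the overlaps described above, as an added example that is not part of the CWE entry. The region names, addresses and the findUnwarrantedOverlaps function are constructed for illustration; ranges are treated as half-open, so regions that merely touch are not reported.

```javascript
// Added example: region names and addresses below are constructed.
// Reports every span where a protected range and an unprotected range overlap.
function findUnwarrantedOverlaps(regions) {
  const spans = regions.map((r) => {
    const base = BigInt(r.base); // BigInt keeps 64-bit addresses exact
    const size = BigInt(r.size);
    if (base < 0n || size <= 0n) {
      throw new RangeError(`${r.name}: base must be >= 0 and size > 0`);
    }
    return { name: r.name, isProtected: r.isProtected, base, end: base + size };
  });

  const findings = [];
  for (const p of spans.filter((s) => s.isProtected)) {
    for (const u of spans.filter((s) => !s.isProtected)) {
      const lo = p.base > u.base ? p.base : u.base; // start of shared span
      const hi = p.end < u.end ? p.end : u.end;     // end (exclusive) of shared span
      if (lo < hi) {
        findings.push({
          protectedRegion: p.name,
          unprotectedRegion: u.name,
          base: '0x' + lo.toString(16),
          size: '0x' + (hi - lo).toString(16),
        });
      }
    }
  }
  return findings;
}

// Constructed address map: "sram" starts inside "key_store"; "otp" only
// touches its neighbours and must not be flagged.
const ADDRESS_MAP = [
  { name: 'key_store', base: 0x10000000, size: 0x1000, isProtected: true },
  { name: 'sram',      base: 0x10000800, size: 0x2000, isProtected: false },
  { name: 'otp',       base: 0x10002800, size: 0x800,  isProtected: true },
  { name: 'uart',      base: 0x10003000, size: 0x100,  isProtected: false },
];

console.log(findUnwarrantedOverlaps(ADDRESS_MAP));
```

Each finding gives the overlapped portion, which is the span to check for assets when an overlap cannot be removed.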

CVE References

  • CVE-2009-4419
    • Attacker can modify MCHBAR register to overlap with an attacker-controlled region, which modification prevents the SENTER instruction from properly applying VT-d protection while a Measured Launch Environment is being launched.