All posts by rocco

CWE-1257 – Improper Access Control Applied to Mirrored or Aliased Memory Regions

Description

Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284
CWE-119

 

Consequences

Confidentiality: Read Memory

Integrity: Modify Memory

Availability: DoS: Instability

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

Access rights should be checked for consistency between primary memory regions and any mirrored or aliased memory regions. If different memory protection units (MPUs) protect the aliased regions, their protected range definitions and policies should be synchronized.

Phase: Architecture and Design, Implementation

Description: 

The controls that allow enabling memory aliases or changing the size of mapped memory regions should only be programmable by trusted software components.
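
One way to run the consistency check from the first mitigation above as a design-review audit. This is an added example, not code from the CWE entry. The `mpu_range` and `alias_map` layouts, the addresses, and the rule that an address outside every range is unprotected are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { P_R = 1, P_W = 2 };   /* access granted to untrusted agents */
/* One protected range as programmed into an MPU (hypothetical layout). */
typedef struct { uint32_t base, size; uint8_t untrusted_perms; } mpu_range;

/* Alias window: [alias_base, +size) decodes to the cells at [primary_base, +size). */
typedef struct { uint32_t primary_base, alias_base, size; } alias_map;

/* Assumption: an address no range covers is unprotected (full access). */
static uint8_t perms_at(const mpu_range *r, size_t n, uint32_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= r[i].base && addr - r[i].base < r[i].size)
            return r[i].untrusted_perms;
    return P_R | P_W;
}

/* Counts granules where the alias-side MPU grants a permission that the
 * primary-side MPU denies for the same underlying cells. */
size_t alias_escapes(const mpu_range *pri, size_t npri,
                     const mpu_range *ali, size_t nali,
                     const alias_map *m, uint32_t granule) {
    size_t bad = 0;
    if (granule == 0) granule = 1;
    for (uint32_t off = 0; off < m->size; off += granule) {
        uint8_t p = perms_at(pri, npri, m->primary_base + off);
        uint8_t a = perms_at(ali, nali, m->alias_base + off);
        if (a & ~p) bad++;            /* alias allows what primary forbids */
    }
    return bad;
}

/* Constructed tables: a protected block at 0x10000000 mirrored at 0x90000000. */
static const mpu_range PRIMARY[]  = {{0x10000000u, 0x1000u, 0}};
static const mpu_range UNSYNCED[] = {{0x90000000u, 0x0800u, 0}};  /* too short */
static const mpu_range SYNCED[]   = {{0x90000000u, 0x1000u, 0}};
static const alias_map MIRROR = {0x10000000u, 0x90000000u, 0x1000u};

size_t audit(const mpu_range *alias_table) {
    return alias_escapes(PRIMARY, 1, alias_table, 1, &MIRROR, 0x100u);
}

int main(void) {
    printf("unsynced: %zu granules exposed\n", audit(UNSYNCED));
    printf("synced:   %zu granules exposed\n", audit(SYNCED));
    return 0;
}
```

A non-zero count means the two range tables have drifted apart and the alias window exposes cells that the primary range protects.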

CVE References

CWE-1258 – Exposure of Sensitive System Information Due to Uncleared Debug Information

Description

The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-212
CWE-200

 

Consequences

Confidentiality: Read Memory

Access Control: Bypass Protection Mechanism

 

Potential Mitigations

Phase: Architecture and Design

Description: 

CVE References

CWE-1259 – Improper Restriction of Security Token Assignment

Description

The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.

Systems-On-A-Chip (Integrated circuits and hardware engines) implement Security Tokens to differentiate and identify which actions originated from which agent. These actions may be one of the directives: ‘read’, ‘write’, ‘program’, ‘reset’, ‘fetch’, ‘compute’, etc. Security Tokens are assigned to every agent in the System that is capable of generating an action or receiving an action from another agent. Multiple Security Tokens may be assigned to an agent and may be unique based on the agent’s trust level or allowed privileges. Since the Security Tokens are integral for the maintenance of security in an SoC, they need to be protected properly. A common weakness afflicting Security Tokens is improperly restricting the assignment to trusted components. Consequently, an improperly protected Security Token may be able to be programmed by a malicious agent (i.e., the Security Token is mutable) to spoof the action as if it originated from a trusted agent.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284
CWE-1294

 

Consequences

Confidentiality, Integrity, Availability, Access Control: Modify Files or Directories, Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Gain Privileges or Assume Identity, Modify Memory, DoS: Crash, Exit, or Restart

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

CVE References

CWE-126 – Buffer Over-read

Description

The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

This typically occurs when the pointer or its index is incremented to a position beyond the bounds of the buffer, or when pointer arithmetic results in a position outside of the valid memory location, to name a few causes. This may result in exposure of sensitive information or possibly a crash.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-125
CWE-788

 

Consequences

Confidentiality: Read Memory

Confidentiality: Bypass Protection Mechanism

By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be used to bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service.

 

Potential Mitigations

CVE References

  • CVE-2014-0160
    • Chain: “Heartbleed” bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data.
  • CVE-2009-2523
    • Chain: product does not handle when an input string is not NULL terminated, leading to buffer over-read or heap-based buffer overflow.
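
The length check that breaks the chain described for CVE-2014-0160 (an inconsistent length parameter leading to an over-read), shown beside the unchecked form. This is an added example, not code from the CWE entry or from any affected product. The two-byte length-prefixed record layout and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (an assumption for this example):
 *   bytes 0-1  claimed payload length, big-endian
 *   bytes 2..  payload; rec_len is the byte count actually received */

/* Over-read: trusts the claimed length and never consults rec_len, so
 * memcpy can read past the end of rec. Kept only for contrast. */
size_t echo_unchecked(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap) {
    (void)rec_len;
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, rec + 2, claimed);
    return claimed;
}

/* Hardened: the claimed length must fit in the bytes received and in
 * the output buffer, otherwise the record is rejected untouched. */
int echo_checked(const uint8_t *rec, size_t rec_len,
                 uint8_t *out, size_t out_cap, size_t *out_len) {
    if (!rec || !out || !out_len || rec_len < 2) return -1;
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > rec_len - 2 || claimed > out_cap) return -1;
    memcpy(out, rec + 2, claimed);
    *out_len = claimed;
    return 0;
}

/* Constructed inputs: both carry 4 payload bytes; LYING claims 0x4000. */
static const uint8_t HONEST[] = {0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t LYING[]  = {0x40, 0x00, 'p', 'i', 'n', 'g'};

/* Bytes echoed by the hardened path, or -1 if the record was rejected. */
long echo_result(const uint8_t *rec, size_t rec_len) {
    uint8_t out[0x4000];
    size_t n = 0;
    return echo_checked(rec, rec_len, out, sizeof out, &n) == 0 ? (long)n : -1;
}

int main(void) {
    printf("honest: %ld\n", echo_result(HONEST, sizeof HONEST));
    printf("lying:  %ld\n", echo_result(LYING, sizeof LYING));
    return 0;
}
```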

CWE-1260 – Improper Handling of Overlap Between Protected Memory Ranges

Description

The product allows address regions to overlap, which can result in the bypassing of intended memory protection.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284
CWE-119

 

Consequences

Confidentiality, Integrity, Availability: Modify Memory, Read Memory, DoS: Instability

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Implementation

Effectiveness: High

Description: 

CVE References

  • CVE-2008-7096
    • virtualization product allows compromise of hardware product by accessing certain remapping registers.
  • [REF-1100]
    • processor design flaw allows ring 0 code to access more privileged rings by causing a register window to overlap a range of protected system RAM [REF-1100]

CWE-1261 – Improper Handling of Single Event Upsets

Description

The hardware logic does not effectively handle when single-event upsets (SEUs) occur.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-1384
CWE-1254

 

Consequences

Availability, Access Control: DoS: Crash, Exit, or Restart, DoS: Instability, Gain Privileges or Assume Identity, Bypass Protection Mechanism

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

CVE References

CWE-1262 – Improper Access Control for Register Interface

Description

The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284

 

Consequences

Confidentiality, Integrity: Read Memory, Read Application Data, Modify Memory, Modify Application Data, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Unexpected State, Alter Execution Logic

Confidentiality of hardware assets may be violated if the protected information can be read out by software through the register interface. Registers storing security state, settings, and other security-critical data may be corruptible by software without correctly implemented protections.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Design proper policies for hardware register access from software.

Phase: Implementation

Description: 

Ensure that access control policies for register access are implemented in accordance with the specified design.

CVE References

  • CVE-2014-2915
    • virtualization product does not restrict access to debug and other processor registers in the hardware, allowing a crash of the host or guest OS
  • CVE-2021-3011
    • virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code
  • CVE-2020-12446
    • Driver exposes access to Model Specific Register (MSR) registers, allowing admin privileges.
  • CVE-2015-2150
    • Virtualization product does not restrict access to PCI command registers, allowing host crash from the guest.

CWE-1263 – Improper Physical Access Control

Description

The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.

Sections of a product intended to have restricted access may be inadvertently or intentionally rendered accessible when the implemented physical protections are insufficient. The specific requirements around how robust the design of the physical protection mechanism needs to be depend on the type of product being protected. Selecting the correct physical protection mechanism and properly enforcing it through implementation and manufacturing are critical to the overall physical security of the product.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284
CWE-1191
CWE-1243

 

Consequences

Confidentiality, Integrity, Access Control: Varies by Context

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Specific protection requirements depend strongly on contextual factors including the level of acceptable risk associated with compromise to the product’s protection mechanism. Designers could incorporate anti-tampering measures that protect against or detect when the product has been tampered with.

Phase: Testing

Description: 

The testing phase of the lifecycle should establish a method for determining whether the protection mechanism is sufficient to prevent unauthorized access.

Phase: Manufacturing

Description: 

Ensure that all protection mechanisms are fully activated at the time of manufacturing and distribution.

CVE References

CWE-1264 – Hardware Logic with Insecure De-Synchronization between Control and Data Channels

Description

The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-821
CWE-1037

 

Consequences

Confidentiality: Read Memory, Read Application Data

 

Potential Mitigations

Phase: Architecture and Design

Description: 

CVE References

  • CVE-2017-5754
    • Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

CWE-1265 – Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls

Description

During execution of non-reentrant code, the software performs a call that unintentionally produces a nested invocation of the non-reentrant code.

In complex software, a single function call may lead to many different possible code paths, some of which may involve deeply nested calls. It may be difficult to foresee all possible code paths that could emanate from a given function call. In some systems, an external actor can manipulate inputs to the system and thereby achieve a wide range of possible control flows. This is frequently of concern in software that executes script from untrusted sources. Examples of such software are web browsers and PDF readers. A weakness is present when one of the possible code paths resulting from a function call alters program state that the original caller assumes to be unchanged during the call.

Modes of Introduction:

 

 

Related Weaknesses

CWE-691
CWE-663
CWE-416

 

Consequences

Integrity: Unexpected State

Exploitation of this weakness can leave the application in an unexpected state and cause variables to be reassigned before the first invocation has completed. This may eventually result in memory corruption or unexpected code execution.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness: High

Description: 

When architecting a system that will execute untrusted code in response to events, consider executing the untrusted event handlers asynchronously (asynchronous message passing) as opposed to executing them synchronously at the time each event fires. The untrusted code should execute at the start of the next iteration of the thread’s message loop. In this way, calls into non-reentrant code are strictly serialized, so that each operation completes fully before the next operation begins. Special attention must be paid to all places where type coercion may result in script execution. Performing all needed coercions at the very beginning of an operation can help reduce the chance of operations executing at unexpected junctures.

Phase: Implementation

Effectiveness: High

Description: 

Make sure the code (e.g., function or class) in question is reentrant by not leveraging non-local data, not modifying its own code, and not calling other non-reentrant code.

CVE References

  • CVE-2014-1772
    • In this vulnerability, by registering a malicious onerror handler, an adversary can produce unexpected re-entrance of a CDOMRange object. [REF-1098]
  • CVE-2018-8174
    • This CVE covers several vulnerable scenarios enabled by abuse of the Class_Terminate feature in Microsoft VBScript. In one scenario, Class_Terminate is used to produce an undesirable re-entrance of ScriptingDictionary during execution of that object’s destructor. In another scenario, a vulnerable condition results from a recursive entrance of a property setter method. This recursive invocation produces a second, spurious call to the Release method of a reference-counted object, causing a UAF when that object is freed prematurely. This vulnerability pattern has been popularized as “Double Kill”. [REF-1099]
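
The asynchronous-delivery mitigation described above, reduced to a small container, as an added example (not code from the CWE entry or from any product named in the CVE references). The `store` type, its functions and the `readd` handler are hypothetical names chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define CAP 8
typedef struct store {
    int items[CAP];   size_t count;
    int pending[CAP]; size_t npending;   /* removal events awaiting delivery */
    void (*on_remove)(struct store *s, int removed);   /* untrusted callback */
} store;

int store_push(store *s, int v) {
    if (s->count == CAP) return -1;
    s->items[s->count++] = v;
    return 0;
}

/* Empties the store. Events are only queued: no handler runs mid-update. */
int store_clear(store *s) {
    if (s->npending + s->count > CAP) return -1;   /* queue would overflow */
    while (s->count > 0)
        s->pending[s->npending++] = s->items[--s->count];
    return 0;
}

/* Next message-loop iteration: deliver the queued events. The batch is
 * copied first because a handler may queue new events while it runs. */
void store_dispatch(store *s) {
    int batch[CAP];
    size_t n = s->npending;
    memcpy(batch, s->pending, n * sizeof batch[0]);
    s->npending = 0;
    for (size_t i = 0; i < n && s->on_remove; i++)
        s->on_remove(s, batch[i]);
}

/* Constructed handler that calls back into the store during delivery. */
static void readd(store *s, int removed) { store_push(s, removed + 100); }

/* Returns the item count after dispatch, or -1 if a handler ran early. */
int run_demo(void) {
    store s = { .on_remove = readd };
    store_push(&s, 1); store_push(&s, 2);
    store_clear(&s);
    if (s.count != 0) return -1;   /* handlers have not run yet */
    store_dispatch(&s);
    return (int)s.count;           /* 2: one readd per queued event */
}

int main(void) { printf("items after dispatch: %d\n", run_demo()); return 0; }
```

Because `store_clear` finishes before any handler runs, the handler's calls back into the store see a consistent, fully cleared state.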