The security-sensitive hardware module contains semiconductor defects.
Modes of Introduction:
– Manufacturing
Availability, Access Control: DoS: Instability
Phase: Testing
Description:
Phase: Operation
Description:
The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application’s model of the OS’s state is inconsistent with the OS’s actual state.
Modes of Introduction:
– Architecture and Design
Access Control: Varies by Context
Accountability: Hide Activities
Other: Unexpected State
Phase: Architecture and Design
Description:
The software reads data past the end, or before the beginning, of the intended buffer.
Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.
Modes of Introduction:
– Implementation
CWE-119
CWE-119
CWE-119
CWE-119
Confidentiality: Read Memory
Confidentiality: Bypass Protection Mechanism
By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service.
Phase: Implementation
Description:
Phase: Architecture and Design
Description:
Use a language that provides appropriate memory abstractions.
The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.
Modes of Introduction:
– Architecture and Design
Access Control: Bypass Protection Mechanism
If resources being used by a trusted user are shared with an untrusted user, the untrusted user may be able to modify the functionality of the shared resource of the trusted user.
Integrity: Quality Degradation
The functionality of the shared resource may be intentionally degraded.
Phase: Architecture and Design
Description:
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit: High
Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands, Modify Memory
If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow. If the attacker can overwrite a pointer’s worth of memory (usually 32 or 64 bits), they can redirect a function pointer to their own malicious code. Even when the attacker can only modify a single byte arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data — such as a flag indicating whether the user is an administrator.
Availability, Confidentiality: Read Memory, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Confidentiality: Read Memory
In the case of an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffers position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.
Phase: Requirements
Description:
Phase: Architecture and Design
Description:
This is not a complete solution, since many buffer overflows are not related to strings.
Phase: Build and Compilation
Effectiveness: Defense in Depth
Description:
This is not necessarily a complete solution, since these mechanisms can only detect certain types of overflows. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.
Phase: Implementation
Description:
Phase: Operation
Effectiveness: Defense in Depth
Description:
This is not a complete solution. However, it forces the attacker to guess an unknown value that changes every program execution. In addition, an attack could still cause a denial of service, since the typical response is to exit the application.
Phase: Operation
Effectiveness: Defense in Depth
Description:
Use a CPU and operating system that offers Data Execution Protection (NX) or its equivalent [REF-60] [REF-61].
This is not a complete solution, since buffer overflows could be used to overwrite nearby variables to modify the software’s state in dangerous ways. In addition, it cannot be used in cases in which self-modifying code is required. Finally, an attack could still cause a denial of service, since the typical response is to exit the application.
Phase: Implementation
Effectiveness: Moderate
Description:
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.
This approach is still susceptible to calculation errors, including issues such as off-by-one errors (CWE-193) and incorrectly calculating buffer lengths (CWE-131).
The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product.
Modes of Introduction:
– Architecture and Design
Access Control: Bypass Protection Mechanism, Modify Memory
DMA devices have direct write access to main memory and
due to time of attack will be able to bypass OS or Bootloader
access control.
Phase: Architecture and Design
Description:
Utilize an IOMMU to orchestrate IO access from
the start of the boot process.
The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.
Modes of Introduction:
– Architecture and Design
Confidentiality: Read Application Data
Confidentiality: Read Memory
Authorization: Execute Unauthorized Code or Commands
Integrity: Modify Memory
Integrity: Modify Application Data
Access Control: Bypass Protection Mechanism
Phase: Architecture and Design
Effectiveness: High
Description:
If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode.
The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components.
Modes of Introduction:
– Architecture and Design
Access Control: Bypass Protection Mechanism
Phase: Architecture and Design
Description:
The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled.
Modes of Introduction:
Access Control: Bypass Protection Mechanism
An untrusted component can master transactions on the HW bus and target memory or other assets to compromise the SoC boot firmware.
Phase: Architecture and Design
Description: