Improper Restriction of Write-Once Bit Fields

The hardware design control register "sticky bits" or write-once bit fields are improperly implemented, such that they can be reprogrammed by software.


Description

Integrated circuits and hardware IP software programmable controls and settings are commonly stored in register circuits. These register contents have to be initialized at hardware reset to define default values that are hard coded in the hardware description language (HDL) code of the hardware unit. A common security protection method used to protect register settings from modification by software is to make the settings write-once or "sticky." This allows writing to such registers only once, whereupon they become read-only. This is useful to allow initial boot software to configure systems settings to secure values while blocking runtime software from modifying such hardware settings.

Failure to implement write-once restrictions in hardware design can expose such registers to being re-programmed by software and written multiple times. For example, write-once fields could be implemented to only be write-protected if they have been set to value "1", wherein they would work as "write-1-once" and not "write-once".

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

Consider the example design module system verilog code shown below. register_write_once_example module is an example of register that has a write-once field defined. Bit 0 field captures the write_once_status value. This implementation can be for a register that is defined by specification to be a write-once register, since the write_once_status field gets written by input data bit 0 on first write.

module register_write_once_example
(
input [15:0] Data_in,
input Clk,
input ip_resetn,
input global_resetn,
input write,
output reg [15:0] Data_out
);

reg Write_once_status;

always @(posedge Clk or negedge ip_resetn)

  if (~ip_resetn)
  begin

    Data_out <= 16'h0000;
    Write_once_status <= 1'b0;

  end
  else if (write & ~Write_once_status)
  begin

    Data_out <= Data_in & 16'hFFFE;
    Write_once_status <= Data_in[0]; // Input bit 0 sets Write_once_status

  end
  else if (~write)
  begin

    Data_out[15:1] <= Data_out[15:1];
    Data_out[0] <= Write_once_status;

  end

endmodule

The above example only locks further writes if write_once_status bit is written to one. So it acts as write_1-Once instead of the write-once attribute.

module register_write_once_example
(
input [15:0] Data_in,
input Clk,
input ip_resetn,
input global_resetn,
input write,
output reg [15:0] Data_out
);

reg Write_once_status;

always @(posedge Clk or negedge ip_resetn)

  if (~ip_resetn)
  begin

    Data_out <= 16'h0000;
    Write_once_status <= 1'b0;

  end
  else if (write & ~Write_once_status)
  begin

    Data_out <= Data_in & 16'hFFFE;
    Write_once_status <= 1'b1; // Write once status set on first write, independent of input

  end
  else if (~write)
  begin

    Data_out[15:1] <= Data_out[15:1];
    Data_out[0] <= Write_once_status;

  end


endmodule

See Also

Comprehensive Categorization: Access Control

Weaknesses in this category are related to access control.

General Circuit and Logic Design Concerns

Weaknesses in this category are related to hardware-circuit design and logic (e.g., CMOS transistors, finite state machines, and registers) as well as issues related t...

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.

Weaknesses Introduced During Design

This view (slice) lists weaknesses that can be introduced during design.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.