Incorrect Comparison Logic Granularity

The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.


Description

Comparison logic is used to compare a variety of objects including passwords, Message Authentication Codes (MACs), and responses to verification challenges. When comparison logic is implemented at a finer granularity (e.g., byte-by-byte comparison) and breaks in the case of a comparison failure, an attacker can exploit this implementation to identify when exactly the failure occurred. With multiple attempts, the attacker may be able to guesses the correct password/response to challenge and elevate their privileges.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

Consider an example hardware module that checks a user-provided password to grant access to a user. The user-provided password is compared against a golden value in a byte-by-byte manner.

always_comb @ (posedge clk)

begin

  assign check_pass[3:0] = 4'b0;
  for (i = 0; i < 4; i++) begin

    if (entered_pass[(i*8 - 1) : i] eq golden_pass([i*8 - 1) : i])

      assign check_pass[i] = 1;
      continue;

    else

      assign check_pass[i] = 0;
      break;

    end

  assign grant_access = (check_pass == 4'b1111) ? 1'b1: 1'b0;

end

Since the code breaks on an incorrect entry of password, an attacker can guess the correct password for that byte-check iteration with few repeat attempts.

To fix this weakness, either the comparison of the entire string should be done all at once, or the attacker is not given an indication whether pass or fail happened by allowing the comparison to run through all bits before the grant_access signal is set.

always_comb @ (posedge clk)
begin

  assign check_pass[3:0] = 4'b0;
  for (i = 0; i < 4; i++) begin

    if (entered_pass[(i*8 - 1) : i] eq golden_pass([i*8 -1) : i])

      assign check_pass[i] = 1;
      continue;

    else

      assign check_pass[i] = 0;
      continue;

    end

  assign grant_access = (check_pass == 4'b1111) ? 1'b1: 1'b0;

end

See Also

Comprehensive Categorization: Sensitive Information Exposure

Weaknesses in this category are related to sensitive information exposure.

General Circuit and Logic Design Concerns

Weaknesses in this category are related to hardware-circuit design and logic (e.g., CMOS transistors, finite state machines, and registers) as well as issues related t...

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.

Weaknesses Introduced During Design

This view (slice) lists weaknesses that can be introduced during design.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.