Policy Uses Obsolete Encoding

The product uses an obsolete encoding mechanism to implement access controls.


Description

Within a System-On-a-Chip (SoC), various circuits and hardware engines generate transactions for the purpose of accessing (read/write) assets or performing various actions (e.g., reset, fetch, compute, etc.). Among other message information, a typical transaction comprises a source identity (identifying the originator of the transaction) and a destination identity (routing the transaction to the respective entity). Sometimes the transactions are qualified with a Security Token. This Security Token helps the destination agent decide on the set of allowed actions (e.g., access to an asset for reads and writes). A policy encoder is used to map the bus transactions to Security Tokens that in turn are used as access-control/protection mechanisms. A common weakness involves using an encoding which is no longer trusted, i.e., an obsolete encoding.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

For example, consider a system that has four bus masters. The table below provides the bus masters, their Security Tokens, and trust assumptions.

Bus Master    Security Token Decoding    Trust Assumptions
Master_0      "00"                       Untrusted
Master_1      "01"                       Trusted
Master_2      "10"                       Untrusted
Master_3      "11"                       Untrusted

The policy encoding is to be defined such that the Security Token is used by the implemented access controls. The bits in the bus transaction that contain Security-Token information are Bus_transaction[15:11]. The assets are the AES-Key registers for encryption or decryption. The 128-bit key is implemented as a set of four 32-bit registers.

Register             Field description
AES_ENC_DEC_KEY_0    AES key [0:31] for encryption or decryption, Default 0x00000000
AES_ENC_DEC_KEY_1    AES key [32:63] for encryption or decryption, Default 0x00000000
AES_ENC_DEC_KEY_2    AES key [64:95] for encryption or decryption, Default 0x00000000
AES_ENC_DEC_KEY_4    AES key [96:127] for encryption or decryption, Default 0x00000000

Below is an example of a policy encoding scheme inherited from a previous project where all "ODD" numbered Security Tokens are trusted.

If (Bus_transaction[14] == "1")
  Trusted = "1"
Else
  Trusted = "0"

If (Trusted == "1")
  Allow access to AES-Key registers
Else
  Deny access to AES-Key registers

The inherited policy encoding is obsolete and does not work for the new system, where an untrusted bus master with an odd Security Token exists, i.e., Master_3 whose Security Token is "11". Based on the old policy, the untrusted bus master (Master_3) has access to the AES-Key registers. To resolve this, a register AES_KEY_ACCESS_POLICY can be defined to provide the necessary access controls:

New Policy:

Register                 Field description
AES_KEY_ACCESS_POLICY    [31:0] Default 0x00000002 – agent with Security Token "01" (value 1) has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_4 registers

The AES_KEY_ACCESS_POLICY register defines which agents, identified by the Security Token in the transaction, can access the AES-Key registers. Each bit in this 32-bit register corresponds to one Security Token, so at most 32 Security Tokens can be granted access to the AES-Key registers. A bit that is set (i.e., "1") allows the respective action from an agent whose Security Token equals that bit's position; a bit that is clear (i.e., "0") disallows the respective action for that agent. Thus, with the default value, any bus master with Security Token "01" is allowed access to the AES-Key registers. Below is the pseudocode for the policy encoding:

Security_Token[4:0] = Bus_transaction[15:11]

If (AES_KEY_ACCESS_POLICY[Security_Token] == "1")
  Allow access to AES-Key registers
Else
  Deny access to AES-Key registers
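As an added illustration (not part of the CWE entry), the following C model evaluates both encodings against the four-master table above and counts decisions that contradict the stated trust assumptions. It assumes the inherited "odd tokens are trusted" rule is judged on the token's least significant bit; the bus_master table, make_transaction helper and policy_violations counter are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
/* Security Token field: Bus_transaction[15:11], five bits, as stated on the page. */
#define TOKEN_SHIFT 11u
#define TOKEN_MASK  0x1Fu
/* Page default for AES_KEY_ACCESS_POLICY: only bit 1 set, i.e. Security Token "01". */
#define AES_KEY_ACCESS_POLICY_DEFAULT 0x00000002u
struct bus_master { const char *name; uint32_t token; bool trusted; };
/* Table from the page: four bus masters, their Security Tokens and trust assumptions. */
static const struct bus_master masters[] = {
    { "Master_0", 0x0, false }, { "Master_1", 0x1, true  },
    { "Master_2", 0x2, false }, { "Master_3", 0x3, false },
};
/* Security_Token[4:0] = Bus_transaction[15:11] */
static uint32_t security_token(uint32_t bus_transaction) {
    return (bus_transaction >> TOKEN_SHIFT) & TOKEN_MASK;
}
/* Constructed helper: a transaction carrying the given token, all other bits zero. */
static uint32_t make_transaction(uint32_t token) {
    return (token & TOKEN_MASK) << TOKEN_SHIFT;
}
/* Obsolete inherited encoding: every odd-numbered Security Token is trusted.
 * Assumption: "odd" is judged on the token's least significant bit. */
static bool obsolete_policy_allows(uint32_t bus_transaction) {
    return (security_token(bus_transaction) & 1u) == 1u;
}
/* New encoding: bit N of AES_KEY_ACCESS_POLICY grants Security Token N access. */
static bool new_policy_allows(uint32_t bus_transaction, uint32_t aes_key_access_policy) {
    return ((aes_key_access_policy >> security_token(bus_transaction)) & 1u) == 1u;
}
/* Count masters whose access decision contradicts the trust table. use_obsolete
 * selects the inherited encoding; otherwise policy_reg (AES_KEY_ACCESS_POLICY) decides. */
static int policy_violations(bool use_obsolete, uint32_t policy_reg) {
    int violations = 0;
    for (size_t i = 0; i < sizeof masters / sizeof masters[0]; i++) {
        uint32_t txn = make_transaction(masters[i].token);
        bool allowed = use_obsolete ? obsolete_policy_allows(txn)
                                    : new_policy_allows(txn, policy_reg);
        if (allowed != masters[i].trusted) violations++;  /* Master_3 under the old rule */
    }
    return violations;
}

int main(void) {
    printf("obsolete encoding: %d violation(s); AES_KEY_ACCESS_POLICY: %d violation(s)\n",
           policy_violations(true, 0u), policy_violations(false, AES_KEY_ACCESS_POLICY_DEFAULT));
    return 0;
}
```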

See Also

Privilege Separation and Access Control Issues

Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of s...

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses without Software Fault Patterns

CWE identifiers in this view are weaknesses that do not have associated Software Fault Patterns (SFPs), as covered by the CWE-888 view. As such, they represent gaps in...

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.