Improper Translation of Security Attributes by Fabric Bridge

The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.


Description

A bridge allows IP blocks supporting different fabric protocols to be integrated into the system. Fabric end-points or interfaces usually have dedicated signals to transport security attributes. For example, HPROT signals in AHB, AxPROT signals in AXI, and MReqInfo and SRespInfo signals in OCP.

The values on these signals are used to indicate the security attributes of the transaction. These include the immutable hardware identity of the controller initiating the transaction, privilege level, and type of transaction (e.g., read/write, cacheable/non-cacheable, posted/non-posted).

A weakness can arise if the bridge IP block, which translates the signals from the protocol used in the IP block endpoint to the protocol used by the central bus, does not properly translate the security attributes. As a result, the identity of the initiator could be translated from untrusted to trusted or vice-versa. This could result in access-control bypass, privilege escalation, or denial of service.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

The bridge interfaces between OCP and AHB end points. OCP uses MReqInfo signal to indicate security attributes, whereas AHB uses HPROT signal to indicate the security attributes. The width of MReqInfo can be customized as needed. In this example, MReqInfo is 5-bits wide and carries the privilege level of the OCP controller.

The values 5’h11, 5’h10, 5’h0F, 5’h0D, 5’h0C, 5’h0B, 5’h09, 5’h08, 5’h04, and 5’h02 in MReqInfo indicate that the request is coming from a privileged state of the OCP bus controller. Values 5’h1F, 5’h0E, and 5’h00 indicate untrusted, privilege state.

Though HPROT is a 5-bit signal, we only consider the lower, two bits in this example. HPROT values 2’b00 and 2’b10 are considered trusted, and 2’b01 and 2’b11 are considered untrusted.

The OCP2AHB bridge is expected to translate trusted identities on the controller side to trusted identities on the responder side. Similarly, it is expected to translate untrusted identities on the controller side to untrusted identities on the responder side.

module ocp2ahb
(
ahb_hprot,
ocp_mreqinfo
);

output [1:0] ahb_hprot;        // output is 2 bit signal for AHB HPROT
input [4:0] ocp_mreqinfo;      // input is 5 bit signal from OCP MReqInfo
wire [6:0] p0_mreqinfo_o_temp; // OCP signal that transmits hardware identity of bus controller

wire y;
reg [1:0] ahb_hprot;

// hardware identity of bus controller is in bits 5:1 of p0_mreqinfo_o_temp signal
assign p0_mreqinfo_o_temp[6:0] = {1'b0, ahb_hprot[4:0], y};

always @*

begin
case (p0_mreqinfo_o_temp[4:2])
000: ahb_hprot = 2'b11;    // OCP MReqInfo to AHB HPROT mapping
001: ahb_hprot = 2'b00;
010: ahb_hprot = 2'b00;
011: ahb_hprot = 2'b01;
100: ahb_hprot = 2'b00;
101: ahb_hprot = 2'b00;
110: ahb_hprot = 2'b10;
111: ahb_hprot = 2'b00;
endcase
end
endmodule

Logic in the case statement only checks for MReqInfo bits 4:2, i.e., hardware-identity bits 3:1. When ocp_mreqinfo is 5’h1F or 5’h0E, p0_mreqinfo_o_temp[2] will be 1. As a result, untrusted IDs from OCP 5’h1F and 5’h0E get translated to trusted ahb_hprot values 2’b00.

See Also

Peripherals, On-chip Fabric, and Interface/IO Problems

Weaknesses in this category are related to hardware security problems that apply to peripheral devices, IO interfaces, on-chip interconnects, network-o...

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses without Software Fault Patterns

CWE identifiers in this view are weaknesses that do not have associated Software Fault Patterns (SFPs), as covered by the CWE-888 view. As such, they represent gaps in...

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.