Missing Support for Security Features in On-chip Fabrics or Buses

On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control.


Description

Certain on-chip fabrics and buses, especially simple and low-power buses, do not support security features. Apart from data transfer and addressing ports, some fabrics and buses do not have any interfaces to transfer privilege, immutable identity, or any other security attribute coming from the bus master. Similarly, they do not have dedicated signals to transport security-sensitive data from slave to master, such as completions for certain types of transactions. Few other on-chip fabrics and buses support security features and define specific interfaces/signals for transporting security attributes from master to slave or vice-versa. However, including these signals is not mandatory and could be left unconfigured when generating the register-transfer-level (RTL) description for the fabric. Such fabrics or buses should not be used to transport any security attribute coming from the bus master. In general, peripherals with security assets should not be connected to such buses before the transaction from the bus master reaches the bus, unless some form of access control is performed at a fabric bridge or another intermediate module.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

Several systems on chips (SoCs) use the Advanced-Microcontroller Bus Architecture (AMBA) Advanced-Peripheral Bus (APB) protocol. APB is a simple, low-power bus and uses the PPROT[2:0] bits to indicate the security state of the bus masters ;PPROT[0] indicates privilege, PPROT[1] indicates secure/non-secure transaction, and PPROT[2] indicates instruction/data. Assume that there is no fabric bridge in the SoC. One of the slaves, the power-management unit, contains registers that store the thermal-shutdown limits.

The APB bus is used to connect several bus masters, each with a unique and immutable hardware identity, to several slaves. For a CPU supporting 8 potential identities (each with varying privilege levels), 16 types of outgoing transactions can be made--8 read transactions with each supported privilege level and 8 write transactions with each supported privilege level.

Since APB PPROT can only support up to 8 transaction types, access-control checks cannot be performed on transactions going to the slaves at the right granularity for all possible transaction types. Thus, potentially, user code running on the CPU could maliciously corrupt the thermal-shutdown-configuration registers to burn the device, resulting in permanent denial of service.

In this scenario, only peripherals that need access protection from 8 of the 16 possible transaction types can be connected to the APB bus. Peripherals that require protection from the remaining 8 transaction types can be connected to a different APB bus. Alternatively, a bridge could be implemented to handle such complex scenarios before forwarding traffic to the APB bus.

Example Two

The Open-Core-Protocol (OCP) fabric supports two configurable, width-optional signals for transporting security attributes: MReqInfo and SRespInfo. MReqInfo is used to transport security attributes from bus master to slave, and SRespInfo is used to transport security attributes from slave to bus master. An SoC uses OCP to connect several bus masters, each with a unique and immutable hardware identity, to several slaves. One of the bus masters, the CPU, reports the privilege level (user or super user) in addition to the unique identity. One of the slaves, the power-management unit, contains registers that store the thermal-shutdown limits.

Since MReqInfo and SRespInfo are not mandatory, these signals are not configured when autogenerating RTL for the OCP fabric. Thus, the fabric cannot be used to transport security attributes from bus masters to slave.

Code running at user-privilege level on the CPU could maliciously corrupt the thermal-shutdown-configuration registers to burn the device and cause permanent denial of service.

To address this, configure the fabric to include MReqInfo and SRespInfo signals and use these to transport security identity and privilege level to perform access-control checks at the slave interface.

See Also

Privilege Separation and Access Control Issues

Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of s...

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses without Software Fault Patterns

CWE identifiers in this view are weaknesses that do not have associated Software Fault Patterns (SFPs), as covered by the CWE-888 view. As such, they represent gaps in...

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.