Insufficient Protection Against Instruction Skipping Via Fault Injection

The device is missing or incorrectly implements circuitry or sensors to detect and mitigate CPU instruction skips that can be caused by fault injection.


Fault Injection is a technique used by adversaries to alter the operating conditions of hardware so that unexpected behavior occurs. Generally, this is accomplished by causing the device to operate outside of its expected conditions or by inducing electrical disturbances in the device. A weakness may arise in systems that do not properly protect against common fault injection techniques targeting the skipping of security critical instructions.

In practice, application code may contain conditional branches that are security-sensitive (e.g., accepting or rejecting a user-provided password. These conditional branches are typically implemented by a single conditional branch instruction in the program binary which, if skipped through fault injection, may lead to flipping the branch condition - i.e., causing the wrong security-sensitive branch to be taken. This affects processes such as firmware authentication, password verification, and other security-sensitive decision points.

See Also

Power, Clock, and Reset Concerns

Weaknesses in this category are related to system power, voltage, current, temperature, clocks, system state saving/restoring, and resets at the platform and SoC level.

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses without Software Fault Patterns

CWE identifiers in this view are weaknesses that do not have associated Software Fault Patterns (SFPs), as covered by the CWE-888 view. As such, they represent gaps in...

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.