CWE-1251: Mirrored Regions with Different Values
The product's architecture mirrors regions without ensuring that their contents always stay in sync.
Having mirrored regions with different values might result in the exposure of sensitive information and/or other consequences, including loss of access control.
Due to architectural and performance constraints, one might need to duplicate a resource. The most common example of doing this in computer architecture is the concept of cache, which keeps a "local" copy of the data element in memory, because the time to access the memory (which is located far off from the computing core) is significantly longer compared to the time it takes to access a local copy (cache). Thus, keeping a local copy of some distant entity provides significant performance improvement. Unfortunately, this improvement also comes with a downside, since the product needs to ensure that the local copy always mirrors the original copy truthfully. If they get out of sync somehow, the computational result is no longer true.
In designing hardware, memory is not the only thing that gets mirrored. There are many other entities that get mirrored, too: registers, memory regions, and, in some cases, even whole units. For example, for a multi-core processor, if every memory access from any of those tens of cores goes through a single memory-management unit (MMU) for security reasons, then the MMU becomes a performance bottleneck. In such cases, it might make sense to create duplicate, local MMUs that will serve only a subset of the cores of processors rather than all of them. These local copies are also called "shadow copies" or "mirrored copies."
If the original resource that was being duplicated into these local copies never changed, the question of the local copies getting out of sync would not arise. Unfortunately, in many cases, the values inside the original copy change. For example, a memory range might be inaccessible during boot time, but once the boot process is over and the system is now in a stable state, that memory range may now be opened up for access. So, if a register(s) in the access-control unit stores the start and end addresses of the "accessible" memory chunks, those values would change after the boot process is over. Now, when the original copy changes, the mirrored copies must also change, and change fast.
This situation of shadow-copy-possibly-out-of-sync-with-original-copy might occur as a result of multiple scenarios, including the following:
The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
Relevant to the view "Research Concepts" (CWE-1000)
Relevant to the view "Hardware Design" (CWE-1194)
The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
VHDL (Undetermined Prevalence)
Verilog (Undetermined Prevalence)
Class: OS-Independent (Undetermined Prevalence)
Class: Architecture-Independent (Undetermined Prevalence)
Security IP (Undetermined Prevalence)
The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of "accessible" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs.
Suppose the interconnect fabric does not prioritize such "update" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges gets updated, then the attacker can leverage this scenario.
Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It likely has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.
More information is available — Please select a different filter.