CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

CWE Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (4.1)  
ID

CWE-1257: Improper Access Control Applied to Mirrored or Aliased Memory Regions

Weakness ID: 1257
Abstraction: Base
Structure: Simple
Status: Incomplete
Presentation Filter:
+ Description
Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by hardware. In this way, it could be possible that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region.
+ Extended Description

Hardware product designs often need to implement memory protection features that enable privileged software to define isolation memory regions and access control (read/write) policies. Isolated memory regions can be defined on different memory spaces in a design (e.g. system physical address, virtual address, memory mapped IO).

Each memory cell must be mapped and assigned a system address that the core software can use to read/write to that memory. It is possible to map the same memory cell to multiple system addresses such that read/write to any of the aliased system addresses would be decoded to the same memory cell.

This is commonly done in hardware designs for redundancy and simplifying address decode logic. If one of the memory regions is corrupted or faults, then the hardware can switch to using the data in the mirrored memory region. Memory aliases can also be created in system address map if the address decoder unit ignores higher order address bits when mapping a smaller address region into the full system address.

A common security weakness that can exist in such memory mapping is that aliased memory regions could have different read/write access protections enforced by hardware such that an untrusted agent is blocked from accessing a memory address but is not blocked from accessing the corresponding aliased memory address. Such inconsistency can then be used to bypass the access protection and read or modify the protected memory.

An untrusted agent can also maliciously create memory aliases in the system address map if it is able to change the mapping of an address region or modify memory region sizes.

+ Relationships

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

+ Relevant to the view "Research Concepts" (CWE-1000)
NatureTypeIDName
ChildOfPillarPillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things.284Improper Access Control
CanPrecedeClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.119Improper Restriction of Operations within the Bounds of a Memory Buffer
+ Relevant to the view "Hardware Design" (CWE-1194)
NatureTypeIDName
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.1202Memory and Storage Issues
+ Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

PhaseNote
Architecture and DesignSuch issues could be introduced during hardware architecture and design or implementation and identified later during Testing phase.
ImplementationSuch issues could be introduced during hardware architecture and design or implementation and identified later during Testing phase.
+ Applicable Platforms
The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

Class: Language-Independent (Undetermined Prevalence)

Operating Systems

Class: OS-Independent (Undetermined Prevalence)

Architectures

Class: Architecture-Independent (Undetermined Prevalence)

Technologies

Memory IP (Undetermined Prevalence)

Processor IP (Undetermined Prevalence)

Microcontroller IP (Undetermined Prevalence)

Network on Chip IP (Undetermined Prevalence)

Class: System on Chip (Undetermined Prevalence)

+ Common Consequences

The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Confidentiality

Technical Impact: Read Memory

High
Integrity

Technical Impact: Modify Memory

High
Availability

Technical Impact: DoS: Instability

High
+ Demonstrative Examples

Example 1

For example, in a System on Chip (SoC) design the system fabric uses 16 bit addresses. An IP unit (Unit_A) has 4 kilobyte internal memory and is mapped into 16 kilobyte address range in system fabric address map.

System Address Mapped to
0x0000 – 0x3FFF Unit_A registers : 0x0000 – 0x0FFF
0x4000 – 0xFFFF Other IPs & Memory

To protect the register controls in Unit_A unprivileged software is blocked from accessing addresses between 0x0000 – 0x0FFF.

The address decoder of Unit_A masks off the higher order address bits and decodes only lower 12bits for computing the offset into the 4 kilobyte internal memory space.

(bad code)
Example Language: Other 

In this design the aliased memory address ranges are these: 0x0000 – 0x0FFF, 0x1000 – 0x1FFF, 0x2000 – 0x2FFF, 0x3000 – 0x3FFF

Such that the same register can be accessed using four different addresses (e.g. 0x0000, 0x1000,0x2000,0x3000 all map to same register in Unit_A).

The system address filter only blocks access to range 0x0000 - 0x0FFF and does not block access to the aliased addresses in 0x1000 - 0x3FFF range. Thus, untrusted software can leverage the aliased memory addresses to bypass the memory protection.

(good code)
Example Language: Other 

In this design the aliased memory addresses (0x1000 - 0x3FFF) could be blocked from all system software access since they are not used by software.

Alternately, the MPU logic can be changed to apply the memory protection policies to the full address range mapped to Unit_A (0x0000 - 0x3FFF).

+ Potential Mitigations

Phases: Architecture and Design; Implementation

The same memory access control checks must be applied for any mirrored or aliased memory regions. If different memory protection units (MPU) are protecting the aliased regions, their protected range definitions and policies must be synchronized.

Phases: Architecture and Design; Implementation

The controls that allow enabling memory aliases or changing size of mapped memory regions must only be programmable by trusted software components.
+ Content History
+ Submissions
Submission DateSubmitterOrganization
2020-04-29Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V MangipudiIntel Corporation
More information is available — Please select a different filter.
Page Last Updated: June 25, 2020