CWE-1257: Improper Access Control Applied to Mirrored or Aliased Memory Regions
Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by hardware. As a result, an untrusted agent may be blocked from accessing a memory region but not blocked from accessing the corresponding aliased memory region.
Hardware product designs often need to implement memory protection features that enable privileged software to define isolated memory regions and access control (read/write) policies. Isolated memory regions can be defined in different memory spaces of a design (e.g. system physical address, virtual address, memory-mapped IO).
Each memory cell must be mapped and assigned a system address that the core software can use to read/write to that memory. It is possible to map the same memory cell to multiple system addresses such that read/write to any of the aliased system addresses would be decoded to the same memory cell.
This is commonly done in hardware designs for redundancy and to simplify address decode logic. If one of the memory regions is corrupted or faults, the hardware can switch to using the data in the mirrored memory region. Memory aliases can also be created in the system address map if the address decoder unit ignores higher-order address bits when mapping a smaller address region into the full system address space.
A common security weakness that can exist in such memory mapping is that aliased memory regions could have different read/write access protections enforced by hardware such that an untrusted agent is blocked from accessing a memory address but is not blocked from accessing the corresponding aliased memory address. Such inconsistency can then be used to bypass the access protection and read or modify the protected memory.
An untrusted agent can also maliciously create memory aliases in the system address map if it is able to change the mapping of an address region or modify memory region sizes.
Relevant to the view "Research Concepts" (CWE-1000)
Relevant to the view "Hardware Design" (CWE-1194)
The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
Class: Language-Independent (Undetermined Prevalence)
Class: OS-Independent (Undetermined Prevalence)
Class: Architecture-Independent (Undetermined Prevalence)
Memory IP (Undetermined Prevalence)
Processor IP (Undetermined Prevalence)
Microcontroller IP (Undetermined Prevalence)
Network on Chip IP (Undetermined Prevalence)
Class: System on Chip (Undetermined Prevalence)
For example, in a System on Chip (SoC) design the system fabric uses 16-bit addresses. An IP unit (Unit_A) has 4 kilobytes of internal memory and is mapped into a 16 kilobyte address range in the system fabric address map.
To protect the register controls in Unit_A, unprivileged software is blocked from accessing addresses between 0x0000 and 0x0FFF.
The address decoder of Unit_A masks off the higher-order address bits and decodes only the lower 12 bits to compute the offset into the 4 kilobyte internal memory space.
Example Language: Other
In this design the aliased memory address ranges are: 0x0000 – 0x0FFF, 0x1000 – 0x1FFF, 0x2000 – 0x2FFF, 0x3000 – 0x3FFF, such that the same register can be accessed using four different addresses (e.g. 0x0000, 0x1000, 0x2000, 0x3000 all map to the same register in Unit_A).
The system address filter only blocks access to range 0x0000 - 0x0FFF and does not block access to the aliased addresses in 0x1000 - 0x3FFF range. Thus, untrusted software can leverage the aliased memory addresses to bypass the memory protection.
Example Language: Other
In this design the aliased memory addresses (0x1000 - 0x3FFF) could be blocked from all system software access since they are not used by software.
Alternately, the MPU logic can be changed to apply the memory protection policies to the full address range mapped to Unit_A (0x0000 - 0x3FFF).
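The following Python model is an added example and is not part of the CWE entry or any MITRE code. It models the demonstrative example above (Unit_A mapped at 0x0000 into a 16 kilobyte window, a decoder that keeps only the low 12 address bits, and a system address filter that decides access per fabric address) and adds an alias-consistency check that a design reviewer can run over a protection policy: it enumerates every internal cell, collects the unprivileged access decisions for all of that cell's aliases, and reports any cell where the decisions disagree. The same check is then run against the two mitigations listed above. The window base address, the `AddressFilter` class and the `all_blocked` / `unprivileged_blocked` policy shape are assumptions of this model, not anything the CWE entry specifies.

```python
# Added model of the CWE-1257 demonstrative example (not MITRE's code).
# Assumptions: Unit_A occupies fabric addresses 0x0000-0x3FFF, its decoder
# keeps only the low 12 address bits, and a system address filter decides
# access per fabric address before the request reaches the decoder.
from dataclasses import dataclass, field

UNIT_A_BASE = 0x0000            # assumed base of Unit_A's window
UNIT_A_WINDOW = 0x4000          # 16 KiB window in the 16-bit fabric map
UNIT_A_MEM = 0x1000             # 4 KiB of internal memory
OFFSET_MASK = UNIT_A_MEM - 1    # decoder masks off address bits above bit 11


def decode_offset(fabric_addr: int) -> int:
    """Unit_A's address decoder: higher-order bits are ignored, so several
    fabric addresses land on the same internal cell."""
    if not (UNIT_A_BASE <= fabric_addr < UNIT_A_BASE + UNIT_A_WINDOW):
        raise ValueError(f"0x{fabric_addr:04X} is outside Unit_A's window")
    return (fabric_addr - UNIT_A_BASE) & OFFSET_MASK


def aliases_of(fabric_addr: int) -> list[int]:
    """All fabric addresses that decode to the same cell as fabric_addr.
    With a power-of-two mask they are spaced UNIT_A_MEM apart."""
    offset = decode_offset(fabric_addr)
    return [UNIT_A_BASE + offset + k * UNIT_A_MEM
            for k in range(UNIT_A_WINDOW // UNIT_A_MEM)]


@dataclass
class AddressFilter:
    """System address filter: ranges blocked for unprivileged agents, plus
    ranges blocked for every agent (used by the first mitigation)."""
    unprivileged_blocked: list[range] = field(default_factory=list)
    all_blocked: list[range] = field(default_factory=list)

    def allows(self, fabric_addr: int, privileged: bool) -> bool:
        if any(fabric_addr in r for r in self.all_blocked):
            return False
        if privileged:
            return True
        return not any(fabric_addr in r for r in self.unprivileged_blocked)


def inconsistent_cells(filt: AddressFilter) -> list[int]:
    """Offsets of internal cells whose aliases receive different unprivileged
    access decisions. An empty list means no alias bypasses the policy."""
    bad = []
    for offset in range(UNIT_A_MEM):
        decisions = {filt.allows(a, privileged=False)
                     for a in aliases_of(UNIT_A_BASE + offset)}
        if len(decisions) > 1:
            bad.append(offset)
    return bad


def unprivileged_reachable(filt: AddressFilter, fabric_addr: int) -> list[int]:
    """Aliases of fabric_addr that an unprivileged agent is still allowed to use."""
    return [a for a in aliases_of(fabric_addr) if filt.allows(a, privileged=False)]


# The weak configuration from the page: only 0x0000-0x0FFF is filtered.
WEAK = AddressFilter(unprivileged_blocked=[range(0x0000, 0x1000)])
# Mitigation 1: block the unused alias ranges for all system software.
BLOCK_ALIASES = AddressFilter(unprivileged_blocked=[range(0x0000, 0x1000)],
                              all_blocked=[range(0x1000, 0x4000)])
# Mitigation 2: apply the policy to the full window mapped to Unit_A.
FULL_WINDOW = AddressFilter(unprivileged_blocked=[range(0x0000, 0x4000)])

if __name__ == "__main__":
    print("aliases of 0x0000:", [f"0x{a:04X}" for a in aliases_of(0x0000)])
    for name, f in [("weak", WEAK), ("block aliases", BLOCK_ALIASES),
                    ("full window", FULL_WINDOW)]:
        reach = [f"0x{a:04X}" for a in unprivileged_reachable(f, 0x0000)]
        print(f"{name:14s} inconsistent cells: {len(inconsistent_cells(f)):5d}"
              f"  unprivileged paths to cell 0x000: {reach}")
```

Run stand-alone, the model reports that every one of the 4096 cells is inconsistent under the weak policy (three unprivileged paths remain to each protected register), while both mitigations leave no inconsistent cells. The check generalizes beyond the page's numbers: changing `UNIT_A_WINDOW`, `UNIT_A_MEM` or the filter ranges re-evaluates the whole window, which is the kind of consistency property worth asserting in a design's verification suite whenever an address decoder discards bits.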