CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

CWE Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (4.1)  
ID

CWE-1268: Agents Included in Control Policy are not Contained in Less-Privileged Policy

Weakness ID: 1268
Abstraction: Base
Structure: Simple
Status: Draft
Presentation Filter:
+ Description
The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.
+ Extended Description

Integrated circuits and hardware engines may provide access to resources (device-configuration, encryption keys, etc.) belonging to trusted firmware or software modules (commonly set by a BIOS or a bootloader). These accesses are typically controlled and limited by the hardware. Hardware design access control is sometimes implemented using a policy. A policy defines which entity or agent may or may not be allowed to perform an action. When a system implements multiple levels of policies, a control policy may allow direct access to a resource as well as changes to the policies themselves.

Such resources that include agents in the control policy but not in write policy could unintentionally allow the untrusted agent to insert itself in the write policy register. Inclusion in the write policy register could allow a malicious or misbehaving agent write access to resources. This action could result in security risks consisting of leaked information, leaked encryption keys, or even modification of device configuration.

+ Relationships

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

+ Relevant to the view "Research Concepts" (CWE-1000)
NatureTypeIDName
ChildOfPillarPillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things.284Improper Access Control
+ Relevant to the view "Hardware Design" (CWE-1194)
NatureTypeIDName
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.1198Privilege Separation and Access Control Issues
+ Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

PhaseNote
Architecture and DesignThis weakness may be introduced during the design of a device when the architect does not sufficiently specify which policies may run an agent to effect policy changes.
ImplementationThis weakness may be introduced during the implementation of a device misses restrictions required of agents being run by less-priviledged clients.
+ Applicable Platforms
The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

Class: Language-Independent (Undetermined Prevalence)

Operating Systems

Class: OS-Independent (Undetermined Prevalence)

Architectures

Class: Architecture-Independent (Undetermined Prevalence)

Technologies

Class: Technology-Independent (Undetermined Prevalence)

+ Common Consequences

The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Confidentiality
Integrity
Availability
Access Control

Technical Impact: Modify Memory; Read Memory; DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands; Gain Privileges or Assume Identity; Bypass Protection Mechanism; Read Files or Directories; Reduce Reliability

High
+ Demonstrative Examples

Example 1

Consider a system with a register for storing an AES key for encryption or decryption. The key is composed of 128 bits implemented as a set of four 32-bit registers. The key registers are resources and registers, AES_KEY_CONTROL_POLICY, AES_KEY_READ_POLICY and AES_KEY_WRITE_POLICY, and are defined to provide necessary, access controls.

The control-policy register defines which agents can write to the read-policy and write-policy registers. The read-policy register defines which agents can read the AES-key registers, and write-policy register defines which agents can program or write to those registers. Each 32-bit register can support access control for a maximum of 32 agents. The number of the bit when set (i.e., “1”) allows respective action from an agent whose identity matches the number of the bit and, if “0” (i.e., Clear), disallows the respective action to that corresponding agent.

(bad code)
 
RegisterField description
AES_ENC_DEC_KEY_0AES key [0:31] for encryption or decryption
Default 0x00000000
AES_ENC_DEC_KEY_1AES key [32:63] for encryption or decryption
Default 0x00000000
AES_ENC_DEC_KEY_2AES key [64:95] for encryption or decryption
Default 0x00000000
AES_ENC_DEC_KEY_3AES key [96:127] for encryption or decryption
Default 0x00000000
AES_KEY_CONTROL_POLICY[31:0] Default 0x00000018, meaning agent with identities “4” and “3” has read/write access to this register (i.e., AES_KEY_CONTROL_POLICY), AES_KEY_READ_POLICY, and AES_KEY_WRITE_POLICY registers
AES_KEY_READ_POLICY[31:0] Default 0x00000002, agent with identity “1” can only read AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_3 registers
AES_KEY_WRITE_POLICY[31:0] Default 0x00000004, agent with identity “2” can only write to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_3 registers

In the above example, the AES_KEY_CONTROL_POLICY register has agents with identities “4”and “3” in its policy. Assuming the agent with identity “4” is trusted and the agent with identity “3” is untrusted. The untrusted agent “3” can write to AES_KEY_WRITE_POLICY with a value of 0x0000000C thus allowing write access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_3 registers.

  1. The AES_KEY_CONTROL_POLICY defines which agents have write access to the AES_KEY_CONTROL_POLICY, AES_KEY_READ_POLICY, and the AES_KEY_WRITE_POLICY registers,
  2. The AES-key registers can only be read or used by a crypto agent with identity “1” when bit #1 is set.
  3. The AES-key registers can only be programmed by a trusted firmware with identity “2” when bit #2 is set.

For the above example, the control, read-and-write-policy registers’ values are defined as below.

(good code)
 
RegisterField description
AES_KEY_CONTROL_POLICY[31:0] Default 0x00000010, meaning only agents with an identity of “4” have read/write access to this register (i.e., AES_KEY_CONTROL_POLICY), AES_KEY_READ_POLICY, and AES_KEY_WRITE_POLICY registers
AES_KEY_READ_POLICY[31:0] Default 0x00000002, meaning only trusted firmware with an identity of “1” can program registers: AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3
AES_KEY_WRITE_POLICY[31:0] Default 0x00000004, meaning only trusted firmware with an identity of “2” can program registers: AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3
+ Potential Mitigations

Phase: Architecture and Design

Access-control-policy definition and programming flow must be tested in pre-silicon and post-silicon testing

Phase: Implementation

Access-control-policy definition and programming flow must be tested in pre-silicon and post-silicon testing
+ Notes

Maintenance

This entry is still under development and will continue to see updates and content improvements.
+ Content History
+ Submissions
Submission DateSubmitterOrganization
2020-02-12Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V MangipudiIntel Corporation
More information is available — Please select a different filter.
Page Last Updated: June 25, 2020