CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE- Individual Dictionary Definition (4.2)  
ID

CWE-1297: Unprotected Confidential Information on Device is Accessible by OSAT Vendors

Weakness ID: 1297
Abstraction: Base
Structure: Simple
Status: Incomplete
Presentation Filter:
+ Description
The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.
+ Extended Description

In contrast to complete vertical integration of architecting, designing, manufacturing, assembling, and testing chips all within a single organization, an organization can choose to simply architect and design a chip before outsourcing the rest of the process to OSAT entities (e.g., external foundries and test houses). In the latter example, the device enters an OSAT facility in a much more vulnerable pre-production stage where many debug and test modes are accessible. Therefore, the chipmaker must place a certain level of trust with the OSAT. To counter this, the chipmaker often requires the OSAT partner to enter into restrictive non-disclosure agreements (NDAs). Nonetheless, OSAT vendors likely have many customers, which increases the risk of accidental sharing of information. There may also be a security vulnerability in the information technology (IT) system of the OSAT facility. Alternatively, a malicious insider at the OSAT facility may carry out an insider attack. Considering these factors, it behooves the chipmaker to minimize any confidential information in the device that may be accessible to the OSAT vendor.

Logic errors during design or synthesis could misconfigure the interconnection of the debug components, which could provide improper authorization to sensitive information.

+ Relationships

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

+ Relevant to the view "Research Concepts" (CWE-1000)
NatureTypeIDName
ChildOfClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.285Improper Authorization
+ Relevant to the view "Hardware Design" (CWE-1194)
NatureTypeIDName
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.1195Manufacturing and Life Cycle Management Concerns
+ Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

PhaseNote
Implementation
+ Applicable Platforms
The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

Verilog (Undetermined Prevalence)

VHDL (Undetermined Prevalence)

Class: Language-Independent (Undetermined Prevalence)

Operating Systems

Class: OS-Independent (Undetermined Prevalence)

Architectures

Class: Architecture-Independent (Undetermined Prevalence)

Technologies

Processor IP (Undetermined Prevalence)

Class: Technology-Independent (Undetermined Prevalence)

+ Common Consequences

The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Confidentiality
Integrity
Access Control
Authentication
Authorization
Availability
Accountability
Non-Repudiation

Technical Impact: Gain Privileges or Assume Identity; Bypass Protection Mechanism; Execute Unauthorized Code or Commands; Modify Memory; Modify Files or Directories

The impact depends on the confidential information itself and who is inadvertently granted access. For example, if the confidential information is a key that can unlock all the parts of a generation, the impact could be severe.
Medium
+ Demonstrative Examples

Example 1

The following example shows how an attacker can take advantage of a piece of confidential information that has not been protected from the OSAT.

Suppose the preproduction device contains NVM (a storage medium that by definition/design can retain its data without power), and this NVM contains a key that can unlock all the parts for that generation. An OSAT facility accidentally leaks the key.

Compromising a key that can unlock all the parts of a generation can be devastating to a chipmaker.

The likelihood of such a compromise can be reduced by ensuring all memories on the preproduction device are properly scrubbed.

+ Potential Mitigations

Phase: Architecture and Design

  • • Ensure that when an OSAT vendor is allowed to access test interfaces necessary for preproduction and returned parts, the vendor only pulls the minimal information necessary. Also, architect the product in such a way that, when an “unlock device” request comes, it only unlocks that specific part and not all the parts for that product line.
  • • Ensure that the product’s non-volatile memory (NVM) is scrubbed of all confidential information and secrets before handing it over to an OSAT.
  • • Arrange to secure all communication between an OSAT facility and the chipmaker.

Effectiveness: Moderate

+ Detection Methods

Architecture or Design Review

Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.

Effectiveness: High

Dynamic Analysis with Manual Results Interpretation

Appropriate Post-Si tests should be carried out to ensure that residual confidential information is not left on parts leaving one facility for another facility.

Effectiveness: Moderate

+ Notes

Maintenance

This entry is still under development and will continue to see updates and content improvements.
+ References
[REF-1113] Muhammad Yasin, Abhrajit Sengupta, Mohammed Thari Nabeel, Mohammed Ashraf, Jeyavijayan (JV) Rajendran and Ozgur Sinanoglu. "Provably-Secure Logic Locking: From Theory To Practice". <https://dl.acm.org/doi/10.1145/3133956.3133985>.
[REF-1114] Muhammad Yasin, Jeyavijayan (JV) Rajendran and Ozgur Sinanoglu. "Trustworthy Hardware Design: Combinational Logic Locking Techniques". <https://link.springer.com/book/10.1007/978-3-030-15334-2>.
+ Content History
+ Submissions
Submission DateSubmitterOrganization
2020-05-29Arun Kanuparthi, Hareesh Khattri, Parbati Kumar MannaIntel Corporation
More information is available — Please select a different filter.
Page Last Updated: August 20, 2020