CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE- Individual Dictionary Definition (4.2)  
ID

CWE-1304: Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation

Weakness ID: 1304
Abstraction: Base
Structure: Simple
Status: Draft
Presentation Filter:
+ Description
The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.
+ Extended Description

Before powering down, the Intellectual Property (IP) saves current state (S) to persistent storage such as flash or always-on memory in order to optimize the restore operation. During this process, an attacker with access to the persistent storage may alter (S) to a configuration that could potentially modify privileges, disable protections, and/or cause damage to the hardware. If the IP does not validate the configuration state stored in persistent memory, upon regaining power or becoming operational again, the IP could be compromised through the activation of an unwanted/harmful configuration.

+ Relationships

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

+ Relevant to the view "Research Concepts" (CWE-1000)
NatureTypeIDName
ChildOfPillarPillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things.284Improper Access Control
PeerOfClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.345Insufficient Verification of Data Authenticity
+ Relevant to the view "Hardware Design" (CWE-1194)
NatureTypeIDName
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.1206Power, Clock, and Reset Concerns
PeerOfClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.1271Unitialized Value on Reset for Registers Holding Security Settings
+ Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

PhaseNote
Architecture and DesignWeakness introduced via missing internal integrity guarantees during power save/restore
IntegrationWeakness introduced via missing external integrity verification during power save/restore
+ Applicable Platforms
The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

Class: Language-Independent (Undetermined Prevalence)

Operating Systems

Class: OS-Independent (Undetermined Prevalence)

Architectures

Class: Architecture-Independent (Undetermined Prevalence)

Technologies

Class: Technology-Independent (Undetermined Prevalence)

+ Common Consequences

The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Confidentiality
Integrity

Technical Impact: DoS: Instability; DoS: Crash, Exit, or Restart; DoS: Resource Consumption (Other); Gain Privileges or Assume Identity; Bypass Protection Mechanism; Alter Execution Logic; Quality Degradation; Unexpected State; Reduce Maintainability; Reduce Performance; Reduce Reliability

High
+ Demonstrative Examples

Example 1

The following pseudo code demonstrates the power save/restore workflow which may lead to weakness through a lack of validation of the config state after restore.

(bad code)
Example Language:
void save_config_state()
{
void* cfg;

cfg = get_config_state();
save_config_state(cfg);

go_to_sleep();
}

void restore_config_state()
{
void* cfg;
cfg = get_config_file();
load_config_file(cfg);
}

The following pseudo-code is the proper workflow for the integrity checking mitigation:

(good code)
Example Language:
void save_config_state()
{
void* cfg;
void* sha;

cfg = get_config_state();
save_config_state(cfg);

// save hash(cfg) to trusted location
sha = get_hash_of_config_state(cfg);
save_hash(sha);

go_to_sleep();
}

void restore_config_state()
{
void* cfg;
void* sha_1, sha_2;

cfg = get_config_file();
// restore hash of config from trusted memory
sha_1 = get_persisted_sha_value();

sha_2 = get_hash_of_config_state(cfg);
if (sha_1 != sha_2)
assert_error_and_halt();

load_config_file(cfg);
}

It must be noted that in the previous example of good pseudo code, the memory (where the hash of the config state is stored) must be trustworthy while the hardware is between the power save and restore states.

+ Potential Mitigations

Phase: Architecture and Design

Inside the IP, incorporate integrity checking on the configuration state via a cryptographic hash. The hash can be protected inside the IP such as by storing it in internal registers which never lose power. Before powering down, the IP performs a hash of the configuration and saves it in these persistent registers. Upon restore, the IP performs a hash of the saved configuration and compares it with the saved hash. If they do not match, then the IP should not trust the configuration.

Phase: Integration

Outside the IP, incorporate integrity checking of the configuration state via a trusted agent. Before powering down, the trusted agent performs a hash of the configuration and saves the hash in persistent storage. Upon restore, the IP requests the trusted agent validate its current configuration. If the configuration hash is invalid, then the IP should not trust the configuration.

Phase: Integration

Outside the IP, incorporate a protected environment that prevents undetected modification of the configuration state by untrusted agents. Before powering down, a trusted agent saves the IP’s configuration state in this protected location that only it is privileged to. Upon restore, the trusted agent loads the saved state into the IP.
+ Content History
+ Submissions
Submission DateSubmitterOrganization
2020-07-16Accellera Systems Initiative
More information is available — Please select a different filter.
Page Last Updated: August 20, 2020