CWE-1256: Hardware Features Enable Physical Attacks from Software
Software-controllable device functionality such as power and clock management permits unauthorized modification of memory or register bits.
Fault injection attacks involve strategic manipulation of bits in a device to achieve a desired effect such as skipping an authentication step, elevating privileges, or altering the output of a cryptographic operation. Techniques employed to flip bits include low-cost methods such as manipulation of the device clock and voltage supply as well as high-cost but more precise techniques involving lasers. To inject faults a physical access requirement is frequently assumed to be necessary. This assumption may be false if the device has improperly secured power management features that allow untrusted programs to manipulate the device clock frequency or operating voltage. For mobile devices, minimizing power consumption is critical, but these devices run a wide variety of applications with different performance requirements. Software-controllable mechanisms to dynamically scale device voltage and frequency are common features in today’s chipsets and can be exploited by attackers if protections are not in place. Other features, such as the ability to write repeatedly to DRAM at a rapid rate from unprivileged software can result in bit flips in other memory locations (Rowhammer).
The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
Relevant to the view "Research Concepts" (CWE-1000)
Relevant to the view "Hardware Design" (CWE-1194)
The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
Class: Language-Independent (Undetermined Prevalence)
Class: OS-Independent (Undetermined Prevalence)
Class: Architecture-Independent (Undetermined Prevalence)
Class: Technology-Independent (Undetermined Prevalence)
Memory IP (Undetermined Prevalence)
Power Management IP (Undetermined Prevalence)
Clock/Counter IP (Undetermined Prevalence)
The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
This example considers the Row-Hammar problem. .The Row-Hammar issue was caulse by a program in a tight loop writing repeatedly to a location to which the program was allowed to write but causing an adjacent memory location value to change.
Example Language: Other
Continuously writting the same value to the same address causes the value of an adjacent location to change value.
Preventing the loop required to defeat the Row-Hammar exploit is not always possible:
Example Language: Other
Redesign the RAM devices to reduce inter capacitive coupling making the Row-Hammar exploit impossible.
While the redesign may be possible for new devices, a redesign is not possible in existing devices. There is also the possibility that reducing capacitance with a relayout would impact the density of the device resulting in a less capable, more costly device.
Suppose a hardware design implements a set of software-accessible registers for scaling clock frequency and voltage but does not control access to these registers. Attackers may cause register and memory changes and race conditions by changing the clock or voltage of the device under their control.
This entry is still under development and will continue to see updates and content improvements. The title needs reevaluation. The Extended Description needs evaluation relative to the title and the intent of this hardware entry. The example is not really an example and needs rethought.
More information is available — Please select a different filter.