CWE-1268: Policy Privileges are not Assigned Consistently Between Control and Data Agents
Weakness ID: 1268
Abstraction: Base Structure: Simple
Status: Draft
Presentation Filter:
Description
The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.
Extended Description
Integrated circuits and hardware engines may provide access to resources (device-configuration, encryption keys, etc.) belonging to trusted firmware or software modules (commonly set by a BIOS or a bootloader). These accesses are typically controlled and limited by the hardware. Hardware design access control is sometimes implemented using a policy. A policy defines which entity or agent may or may not be allowed to perform an action. When a system implements multiple levels of policies, a control policy may allow direct access to a resource as well as changes to the policies themselves.
Resources that include agents in their control policy but not in their write policy could unintentionally allow an untrusted agent to insert itself in the write policy register. Inclusion in the write policy register could allow a malicious or misbehaving agent write access to resources. This action could result in security compromises including leaked information, leaked encryption keys, or modification of device configuration.
Relationships
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
Relevant to the view "Research Concepts" (CWE-1000)
Nature
Type
ID
Name
ChildOf
Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things.
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
Relevant to the view "Hardware Design" (CWE-1194)
Nature
Type
ID
Name
MemberOf
Category - a CWE entry that contains a set of other entries that share a common characteristic.
The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
Phase
Note
Architecture and Design
This weakness may be introduced during the design of a device when the architect does not comprehensively specify all of the policies required by an agent.
Implementation
This weakness may be introduced during implementation if device policy restrictions do not sufficiently constrain less-privileged clients.
Applicable Platforms
This listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Scope
Impact
Likelihood
Confidentiality Integrity Availability Access Control
Technical Impact: Modify Memory; Read Memory; DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands; Gain Privileges or Assume Identity; Bypass Protection Mechanism; Read Files or Directories; Reduce Reliability
High
Demonstrative Examples
Example 1
Consider a system with a register for storing an AES key for encryption or decryption. The key is composed of 128 bits implemented as a set of four 32-bit registers. The key registers are resources and registers, AES_KEY_CONTROL_POLICY, AES_KEY_READ_POLICY and AES_KEY_WRITE_POLICY, and are defined to provide necessary, access controls.
The control-policy register defines which agents can write to the read-policy and write-policy registers. The read-policy register defines which agents can read the AES-key registers, and write-policy register defines which agents can program or write to those registers. Each 32-bit register can support access control for a maximum of 32 agents. The number of the bit when set (i.e., "1") allows respective action from an agent whose identity matches the number of the bit and, if "0" (i.e., Clear), disallows the respective action to that corresponding agent.
(bad code)
Register
Field description
AES_ENC_DEC_KEY_0
AES key [0:31] for encryption or decryption Default 0x00000000
AES_ENC_DEC_KEY_1
AES key [32:63] for encryption or decryption Default 0x00000000
AES_ENC_DEC_KEY_2
AES key [64:95] for encryption or decryption Default 0x00000000
AES_ENC_DEC_KEY_3
AES key [96:127] for encryption or decryption Default 0x00000000
AES_KEY_CONTROL_POLICY
[31:0] Default 0x00000018, meaning agent with identities "4" and "3" has read/write access to this register (i.e., AES_KEY_CONTROL_POLICY), AES_KEY_READ_POLICY, and AES_KEY_WRITE_POLICY registers
AES_KEY_READ_POLICY
[31:0] Default 0x00000002, agent with identity "1" can only read AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_3 registers
AES_KEY_WRITE_POLICY
[31:0] Default 0x00000004, agent with identity "2" can only write to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_3 registers
In the above example, the AES_KEY_CONTROL_POLICY register has agents with identities "4"and "3" in its policy. Assuming the agent with identity "4" is trusted and the agent with identity "3" is untrusted. The untrusted agent "3" can write to AES_KEY_WRITE_POLICY with a value of 0x0000000C thus allowing write access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_3 registers.
The AES_KEY_CONTROL_POLICY defines which agents have write access to the AES_KEY_CONTROL_POLICY, AES_KEY_READ_POLICY, and the AES_KEY_WRITE_POLICY registers,
The AES-key registers can only be read or used by a crypto agent with identity "1" when bit #1 is set.
The AES-key registers can only be programmed by a trusted firmware with identity "2" when bit #2 is set.
For the above example, the control, read-and-write-policy registers’ values are defined as below.
(good code)
Register
Field description
AES_KEY_CONTROL_POLICY
[31:0] Default 0x00000010, meaning only agents with an identity of "4" have read/write access to this register (i.e., AES_KEY_CONTROL_POLICY), AES_KEY_READ_POLICY, and AES_KEY_WRITE_POLICY registers
AES_KEY_READ_POLICY
[31:0] Default 0x00000002, meaning only trusted firmware with an identity of "1" can program registers:
AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3
AES_KEY_WRITE_POLICY
[31:0] Default 0x00000004, meaning only trusted firmware with an identity of "2" can program registers:
AES_ENC_DEC_KEY_0, AES_ENC_DEC_KEY_1, AES_ENC_DEC_KEY_2, AES_ENC_DEC_KEY_3
Potential Mitigations
Phase: Architecture and Design
Access-control-policy definition and programming flow must be sufficiently tested in pre-silicon and post-silicon testing
Phase: Implementation
Access-control-policy definition and programming flow must be sufficiently tested in pre-silicon and post-silicon testing
Notes
Maintenance
This entry is still under development and will continue to see updates and content improvements.
Description
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
