CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types

CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE- Individual Dictionary Definition (4.5)  
ID

CWE-1351: Improper Handling of Hardware Behavior in Exceptionally Cold Environments

Weakness ID: 1351
Abstraction: Base
Structure: Simple
Status: Incomplete
Presentation Filter:
+ Description
A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures.
+ Extended Description

The hardware designer may improperly anticipate hardware behavior when exposed to exceptionally cold conditions. As a result they may introduce a weakness by not accounting for the modified behavior of critical components when in extreme environments.

An example of a change in behavior is that power loss won't clear/reset any volatile state when cooled below standard operating temperatures. This may result in a weakness when the starting state of the volatile memory is being relied upon for a security decision. For example, a Physical Unclonable Function (PUF) may be supplied as a security primitive to improve confidentiality, authenticity, and integrity guarantees. However, when the PUF is paired with DRAM, SRAM, or another temperature sensitive entropy source, the system designer may introduce weakness by failing to account for the chosen entropy source's behavior at exceptionally low temperatures. In the case of DRAM and SRAM, when power is cycled at low temperatures, the device will not contain the bitwise biasing caused by inconsistencies in manufacturing and will instead contain the data from previous boot. Should the PUF primitive be used in a cryptographic construction which does not account for full adversary control of PUF seed data, weakness would arise.

This weakness does not cover "Cold Boot Attacks" wherein RAM or other external storage is super cooled and read externally by an attacker.

+ Relationships
Section HelpThis table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
+ Relevant to the view "Research Concepts" (CWE-1000)
NatureTypeIDName
ChildOfPillarPillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things.703Improper Check or Handling of Exceptional Conditions
Section HelpThis table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
+ Relevant to the view "Hardware Design" (CWE-1194)
NatureTypeIDName
MemberOfCategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic.1205Security Primitives and Cryptography Issues
+ Modes Of Introduction
Section HelpThe different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
PhaseNote
Architecture and Design
Implementation
+ Applicable Platforms
Section HelpThis listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

Class: Language-Independent (Undetermined Prevalence)

Operating Systems

Class: OS-Independent (Undetermined Prevalence)

Architectures

Class: Embedded (Undetermined Prevalence)

Class: Microcomputer (Undetermined Prevalence)

Technologies

Class: System on Chip (Undetermined Prevalence)

+ Common Consequences
Section HelpThis table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Integrity
Authentication

Technical Impact: Varies by Context; Unexpected State

Consequences of this weakness are highly contextual
Low
+ Potential Mitigations

Phase: Architecture and Design

The system should account for security primitive behavior when cooled outside standard temperatures
+ References
[REF-1181] Nikolaos Athanasios Anagnostopoulos , Tolga Arul , Markus Rosenstihl , André Schaller , Sebastian Gabmeyer and Stefan Katzenbeisser . "Low-Temperature Data Remnanence ATtacks Against Intrinsic SRAM PUFs". 2018-10-15. <https://ieeexplore.ieee.org/abstract/document/8491873/>.
[REF-1182] Yuan Cao , Yunyi Guo , Benyu Liu , Wei Ge , Min Zhu and Chip-Hong Chang . "A Fully Digital Physical Unclonable Function Based Temperature Sensor for Secure Remote Sensing". 2018-10-11. <https://ieeexplore.ieee.org/abstract/document/8487347/>.
[REF-1183] Urbi Chatterjee , Soumi Chatterjee , Debdeep Mukhopadhyay and Rajat Subhra Chakraborty . "Machine Learning Assisted PUF Calibration for Trustworthy Proof of Sensor Data in IoT". 2020-06. <https://dl.acm.org/doi/abs/10.1145/3393628>.
+ Content History
+ Submissions
Submission DateSubmitterOrganization
2020-10-23Paul A. WortmanWells Fargo
More information is available — Please select a different filter.
Page Last Updated: July 20, 2021