CAPEC-702: Exploiting Incorrect Chaining or Granularity of Hardware Debug Components

Description
An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. This happens when authorization is not checked on a per-function basis but is instead assumed for an entire chain or group of debug functionality: unlocking one component is treated as unlocking every component connected to it.
Extended Description

Chip designers often include design elements in a chip for debugging and troubleshooting such as:

  • Various Test Access Ports (TAPs) which allow boundary scan commands to be executed.
  • Scan cells that allow the chip to be used as a "stimulus and response" mechanism for scanning the internal components of a chip.
  • Custom methods to observe the internal components of their chips by placing various tracing hubs within their chip and creating hierarchical or interconnected structures among those hubs.
Because devices commonly have multiple chips and debug components, designers will connect debug components and expose them through a single external interface, which is referred to as "chaining". Logic errors during design or synthesis could misconfigure the chaining of the debug components, which could allow unintended access. TAPs are also commonly referred to as JTAG interfaces.
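To make the chaining and granularity problem concrete, the following is an added Python model written for this page; it is not CAPEC text or any vendor's code. It simulates an IEEE 1149.1 scan chain of three TAPs (names and IDCODE values are constructed), shows how a debugger enumerates the chain from the TDO bitstream after Test-Logic-Reset, and then contrasts a chain-level authorization check (the flaw this pattern exploits: one unlock is assumed to cover every TAP) with a per-TAP check. The two policy names and the `unlocked` flag are assumptions of the model, not a real device's mechanism.

```python
"""Added example: a minimal IEEE 1149.1 scan-chain model.

Constructed for this page; it is not CAPEC text or vendor code. TAP names,
IDCODE values and the two authorization policies are assumptions chosen to
illustrate chain-level versus per-TAP debug authorization.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IDCODE_LEN = 32
CHAIN_LEVEL = "chain"    # flawed: one unlock is assumed to cover every TAP in the chain
PER_TAP = "per_tap"      # each TAP checks authorization for its own debug functions


@dataclass(frozen=True)
class Tap:
    name: str
    idcode: Optional[int]   # 32-bit IDCODE (bit 0 is always 1); None if the TAP has no IDCODE
    unlocked: bool          # whether this TAP's own debug authorization has been satisfied


# Constructed chain, TDI side first: an application core, a legacy block that
# only implements BYPASS, and a secure element whose debug port should stay locked.
CHAIN: List[Tap] = [
    Tap("app_core", 0x1A2B3C4D, unlocked=True),
    Tap("legacy_dsp", None, unlocked=False),
    Tap("secure_element", 0x5E6F7081, unlocked=False),
]


def tdo_bitstream(chain: List[Tap]) -> List[int]:
    """Bits a debugger sees on TDO after Test-Logic-Reset. The TAP nearest TDO
    shifts out first; an IDCODE leaves LSB-first, a BYPASS register yields one 0."""
    bits: List[int] = []
    for tap in reversed(chain):
        if tap.idcode is None:
            bits.append(0)
        else:
            bits.extend((tap.idcode >> i) & 1 for i in range(IDCODE_LEN))
    return bits


def parse_idcodes(bits: List[int]) -> List[Optional[int]]:
    """Decode a TDO stream: a leading 1 starts a 32-bit IDCODE, a leading 0 is a
    device in BYPASS. Result is ordered TDO-nearest first."""
    found: List[Optional[int]] = []
    i = 0
    while i < len(bits):
        if bits[i] == 0:
            found.append(None)
            i += 1
        else:
            word = 0
            for k in range(IDCODE_LEN):
                word |= bits[i + k] << k
            found.append(word)
            i += IDCODE_LEN
    return found


def enumerate_chain(chain: List[Tap]) -> List[Optional[int]]:
    """What a scan of the chain would report, reordered TDI side first."""
    return list(reversed(parse_idcodes(tdo_bitstream(chain))))


def decode_idcode(idcode: int) -> Tuple[int, int, int]:
    """Split an IDCODE into (version, part number, JEDEC manufacturer id)."""
    version = (idcode >> 28) & 0xF
    part = (idcode >> 12) & 0xFFFF
    manufacturer = (idcode >> 1) & 0x7FF
    return version, part, manufacturer


def debug_access_granted(chain: List[Tap], target: str, granularity: str) -> bool:
    """Whether a debugger may use the target TAP's debug functions.
    CHAIN_LEVEL models the CAPEC-702 flaw; PER_TAP is the corrected check."""
    tap = next(t for t in chain if t.name == target)
    if granularity == CHAIN_LEVEL:
        # Authorization assumed for the whole chain: any unlocked TAP opens all of them.
        return any(t.unlocked for t in chain)
    return tap.unlocked


if __name__ == "__main__":
    for t, code in zip(CHAIN, enumerate_chain(CHAIN)):
        desc = "BYPASS only" if code is None else "IDCODE 0x%08X %s" % (code, decode_idcode(code))
        print(t.name, desc)
    for policy in (CHAIN_LEVEL, PER_TAP):
        print(policy, "secure_element ->", debug_access_granted(CHAIN, "secure_element", policy))
```

Run as a script, the enumeration reports all three TAPs behind the single external interface, and only the per-TAP policy keeps the secure element locked while the application core is unlocked; under the chain-level policy the secure element's debug functions become reachable as a side effect of unlocking the application core.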

Severity: Medium

Likelihood of Attack: Low

Abstraction: Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Prerequisites


  • Hardware device has an exposed debug interface
Skills required


  • Medium: Ability to identify physical debug interfaces on a device
  • Medium: Ability to operate devices to scan and connect to an exposed debug interface
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

A device to scan a TAP or JTAG interface, such as a JTAGulator

A device to communicate on a TAP or JTAG interface, such as a BusPirate

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

Visit http://capec.mitre.org/ for more details.