CWE-1223: Race Condition for Write-Once Attributes

Description

A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue.

Submission Date :

Dec. 12, 2019, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

Intel Corporation

Extended Description

Integrated circuits and hardware IP software programmable controls and settings are commonly stored in register circuits. These register contents have to be initialized at hardware reset to defined default values that are hard coded in the hardware description language (HDL) code of the hardware unit. A common security protection method used to protect register settings from modification by software is to make them write-once. This means the hardware implementation only allows writing to such registers once, and they become read-only after having been written once by software. This is useful to allow initial boot software to configure systems settings to secure values while blocking runtime software from modifying such hardware settings.

Implementation issues in hardware design of such controls can expose such registers to a race condition security flaw. For example, consider a hardware design that has two different software/firmware modules executing in parallel. One module is trusted (module A) and another is untrusted (module B). In this design it could be possible for Module B to send write cycles to the write-once register before Module A. Since the field is write-once the programmed value from Module A will be ignored and the pre-empted value programmed by Module B will be used by hardware.

Example Vulnerable Codes

Example - 1

consider the example design module system verilog code shown below. register_write_once_example module is an example of register that has a write-once field defined. Bit 0 field captures the write_once_status value.



input [15:0] Data_in,input Clk,input ip_resetn,input global_resetn,input write,output reg [15:0] Data_out


Data_out <= 16'h0000; Write_once_status <= 1'b0;
beginend


Data_out <= Data_in & 16'hFFFE; // Input data written to register after masking bit 0Write_once_status <= 1'b1; // Write once status set after first write.
beginend


Data_out[15:1] <= Data_out[15:1];Data_out[0] <= Write_once_status;
beginend
module register_write_once_example();reg Write_once_status;always @(posedge Clk or negedge ip_resetn)if (~ip_resetn)else if (write & ~Write_once_status) else if (~write)endmodule

The first system component that sends a write cycle to this register can program the value. This could result in a race condition security issue in the SoC design, if an untrusted agent is running in the system in parallel with the trusted component that is expected to program the register.

<xhtml_ul><xhtml_li>Must confirm the Write_once_status (bit 0) value is zero, before programming register. If another agent has programmed the register before, then Write_once_status value will be one.</xhtml_li><xhtml_li>After writing to the register, the trusted software can issue a read to confirm that the valid setting has been programmed.</xhtml_li></xhtml_ul>Trusted firmware or software trying to set the write-once field:

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Go to

Visit http://cwe.mitre.org/ for more details.