CWE-1234: Hardware Internal or Debug Modes Allow Override of Locks

Description

System configuration protection may be bypassed during debug mode.

Submission Date: Jan. 15, 2020, midnight

Modification Date: 2023-06-29 00:00:00+00:00

Organization: Intel Corporation

Extended Description

Device configuration controls are commonly programmed after a device power reset by a trusted firmware or software module (e.g., BIOS/bootloader) and then locked from any further modification. This is commonly implemented using a trusted lock bit, which, when set, disables writes to a protected set of registers or address regions. The lock protection is intended to prevent modification of certain system configuration (e.g., memory/memory protection unit configuration). If the hardware design supports debug features or internal modes/system states, modification of the lock protection may be allowed, which in turn allows access to and modification of configuration information.

Example Vulnerable Code

Example - 1

For example, consider the Locked_override_register example. This register module supports a lock mode that blocks any writes after lock is set to 1. However, it also allows override of the lock protection when scan_mode or debug_unlocked modes are active.

    module Locked_register_example
    (
    input [15:0] Data_in,
    input Clk,
    input resetn,
    input write,
    input Lock,
    input scan_mode,
    input debug_unlocked,
    output reg [15:0] Data_out
    );

    reg lock_status;

    // Lock bit: cleared by reset, set by Lock, then held
    always @(posedge Clk or negedge resetn)
        if (~resetn) // Register is reset by resetn
        begin
            lock_status <= 1'b0;
        end
        else if (Lock)
        begin
            lock_status <= 1'b1;
        end
        else if (~Lock)
        begin
            lock_status <= lock_status;
        end

    // Protected data register
    always @(posedge Clk or negedge resetn)
        if (~resetn) // Register is reset by resetn
        begin
            Data_out <= 16'h0000;
        end
        else if (write & (~lock_status | scan_mode | debug_unlocked) ) // Register protected by Lock bit input, overrides supported for scan_mode & debug_unlocked
        begin
            Data_out <= Data_in;
        end
        else if (~write)
        begin
            Data_out <= Data_out;
        end

    endmodule

If either the scan_mode or the debug_unlocked modes can be triggered by software, then the lock protection may be bypassed.

Either remove the debug and scan mode overrides or protect enabling of these modes so that only trusted and authorized users may enable these modes.
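The first mitigation above (removing the overrides), written out as an added example that is not part of the CWE entry. The module name Locked_register_hardened and the testbench tb_lock are hypothetical; the testbench is constructed for illustration and checks that a write made after the lock is set does not land even while scan_mode and debug_unlocked are active.

```verilog
// Added example, not the CWE entry's code: lock_status alone gates writes.
module Locked_register_hardened (
    input             Clk,
    input             resetn,
    input             write,
    input             Lock,
    input             scan_mode,       // kept on the interface, no longer gates writes
    input             debug_unlocked,  // kept on the interface, no longer gates writes
    input      [15:0] Data_in,
    output reg [15:0] Data_out
);
    reg lock_status;

    always @(posedge Clk or negedge resetn)
        if (~resetn)   lock_status <= 1'b0;  // only reset clears the lock
        else if (Lock) lock_status <= 1'b1;  // sticky once set

    always @(posedge Clk or negedge resetn)
        if (~resetn)                   Data_out <= 16'h0000;
        else if (write & ~lock_status) Data_out <= Data_in;  // no mode override
endmodule

// Constructed self-checking testbench (hypothetical name tb_lock).
module tb_lock;
    reg Clk = 0, resetn = 0, write = 0, Lock = 0;
    reg scan_mode = 0, debug_unlocked = 0;
    reg  [15:0] Data_in = 16'h0000;
    wire [15:0] Data_out;

    Locked_register_hardened dut (
        .Clk(Clk), .resetn(resetn), .write(write), .Lock(Lock),
        .scan_mode(scan_mode), .debug_unlocked(debug_unlocked),
        .Data_in(Data_in), .Data_out(Data_out));

    always #5 Clk = ~Clk;

    initial begin
        #12 resetn = 1;
        @(negedge Clk) write = 1; Data_in = 16'hA5A5;  // trusted boot code programs
        @(negedge Clk) write = 0; Lock = 1;            // ...then sets the lock
        @(negedge Clk) Lock = 0; write = 1; Data_in = 16'h1234;
                       scan_mode = 1; debug_unlocked = 1;  // modes active after lock
        @(negedge Clk) write = 0;
        if (Data_out === 16'hA5A5) $display("PASS: locked value retained");
        else                       $display("FAIL: Data_out = %h", Data_out);
        $finish;
    end
endmodule
```

Running the same stimulus against Locked_register_example (with the extra ports connected) is a quick regression check: there the post-lock write lands, so the comparison fails.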

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.