CWE-1262: Improper Access Control for Register Interface
Description
The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.
Submission Date :
May 8, 2020, midnight
Modification Date :
2023-10-26 00:00:00+00:00
Organization :
Tortuga Logic
Extended Description
Software commonly accesses peripherals in a System-on-Chip (SoC) or other device through a memory-mapped register interface. Malicious software could tamper with any security-critical hardware data that is accessible directly or indirectly through the register interface, which could lead to a loss of confidentiality and integrity.
Example - 1
The register interface provides software access to hardware functionality. This functionality is an attack surface. This attack surface may be used to run untrusted code on the system through the register interface. As an example, cryptographic accelerators require a mechanism for software to select modes of operation and to provide plaintext or ciphertext data to be encrypted or decrypted as well as other functions. This functionality is commonly provided through registers.
Cryptographic key material stored in registers inside the cryptographic accelerator can be accessed by software.
Key material stored in registers should never be accessible to software. Even if software can provide a key, all read-back paths to software should be disabled.
Example - 2
The example code is taken from the Control/Status Register (CSR) module inside the processor core of the HACK@DAC'19 buggy CVA6 SoC [REF-1340]. In RISC-V ISA [REF-1341], the CSR file contains different sets of registers with different privilege levels, e.g., user mode (U), supervisor mode (S), hypervisor mode (H), machine mode (M), and debug mode (D), with different read-write policies, read-only (RO) and read-write (RW). For example, machine mode, which is the highest privilege mode in a RISC-V system, registers should not be accessible in user, supervisor, or hypervisor modes.
<xhtml_b>if ((riscv::priv_lvl_t'(priv_lvl_o & csr_addr.csr_decode.priv_lvl) != csr_addr.csr_decode.priv_lvl) && !(csr_addr.address==riscv::CSR_MEPC)) begin</xhtml_b>
csr_exception_o.cause = riscv::ILLEGAL_INSTR;csr_exception_o.valid = 1'b1;
csr_exception_o.cause = riscv::ILLEGAL_INSTR;csr_exception_o.valid = 1'b1;end// check access to debug mode only CSRsif (csr_addr_i[11:4] == 8'h7b && !debug_mode_q) beginendif (csr_we || csr_read) beginend
The vulnerable example code allows the machine exception program counter (MEPC) register to be accessed from a user mode program by excluding the MEPC from the access control check. MEPC as per the RISC-V specification can be only written or read by machine mode code. Thus, the attacker in the user mode can run code in machine mode privilege (privilege escalation).
To mitigate the issue, fix the privilege check so that it throws an Illegal Instruction Exception for user mode accesses to the MEPC register. [REF-1345]
<xhtml_b>if ((riscv::priv_lvl_t'(priv_lvl_o & csr_addr.csr_decode.priv_lvl) != csr_addr.csr_decode.priv_lvl)) begin</xhtml_b>
csr_exception_o.cause = riscv::ILLEGAL_INSTR;csr_exception_o.valid = 1'b1;
csr_exception_o.cause = riscv::ILLEGAL_INSTR;csr_exception_o.valid = 1'b1;end// check access to debug mode only CSRsif (csr_addr_i[11:4] == 8'h7b && !debug_mode_q) beginendif (csr_we || csr_read) beginend
Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.