CWE-1290: Incorrect Decoding of Security Identifiers
Description
The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset.
Submission Date :
April 29, 2020, midnight
Modification Date :
2023-06-29 00:00:00+00:00
Organization :
Intel Corporation
Extended Description
In a System-On-Chip (SoC), various integrated circuits and hardware engines generate transactions such as to access (reads/writes) assets or perform certain actions (e.g., reset, fetch, compute, etc.). Among various types of message information, a typical transaction is comprised of source identity (to identify the originator of the transaction) and a destination identity (to route the transaction to the respective entity). Sometimes the transactions are qualified with a security identifier. The security identifier helps the destination agent decide on the set of allowed actions (e.g., access an asset for read and writes). A decoder decodes the bus transactions to map security identifiers into necessary access-controls/protections.
A common weakness that can exist in this scenario is incorrect decoding because an untrusted agent's security identifier is decoded into a trusted agent's security identifier. Thus, an untrusted agent previously without access to an asset can now gain access to the asset.
Example - 1
The following Pseudo code outlines the process of checking the value of the Security Identifier within the AES_KEY_ACCESS_POLICY register:
Allow access to AES-Key registers
Deny access to AES-Key registersIf (AES_KEY_ACCESS_POLICY[Security_Identifier] == "1")Else
Below is a decoder's Pseudo code that only checks for bit [14] of the bus transaction to determine what Security Identifier it must assign.
Security_Identifier == "1"
Security_Identifier == "0"If (Bus_transaction[14] == "1") Else
Security_Identifier == "0"
Security_Identifier == "1"
Security_Identifier == "2"
Security_Identifier == "3"If (Bus_transaction[15:14] == "00") If (Bus_transaction[15:14] == "01") If (Bus_transaction[15:14] == "10") If (Bus_transaction[15:14] == "11")
Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.