CWE-1311: Improper Translation of Security Attributes by Fabric Bridge

Description

The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.

Submission Date :

May 24, 2020, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

Intel Corporation

Extended Description

A bridge allows IP blocks supporting different fabric protocols to be integrated into the system. Fabric end-points or interfaces usually have dedicated signals to transport security attributes. For example, HPROT signals in AHB, AxPROT signals in AXI, and MReqInfo and SRespInfo signals in OCP.

The values on these signals are used to indicate the security attributes of the transaction. These include the immutable hardware identity of the controller initiating the transaction, privilege level, and type of transaction (e.g., read/write, cacheable/non-cacheable, posted/non-posted).

A weakness can arise if the bridge IP block, which translates the signals from the protocol used in the IP block endpoint to the protocol used by the central bus, does not properly translate the security attributes. As a result, the identity of the initiator could be translated from untrusted to trusted or vice-versa. This could result in access-control bypass, privilege escalation, or denial of service.

Example Vulnerable Codes

Example - 1

The bridge interfaces between OCP and AHB end points. OCP uses MReqInfo signal to indicate security attributes, whereas AHB uses HPROT signal to indicate the security attributes. The width of MReqInfo can be customized as needed. In this example, MReqInfo is 5-bits wide and carries the privilege level of the OCP controller.The values 5'h11, 5'h10, 5'h0F, 5'h0D, 5'h0C, 5'h0B, 5'h09, 5'h08, 5'h04, and 5'h02 in MReqInfo indicate that the request is coming from a privileged state of the OCP bus controller. Values 5'h1F, 5'h0E, and 5'h00 indicate untrusted, privilege state.Though HPROT is a 5-bit signal, we only consider the lower, two bits in this example. HPROT values 2'b00 and 2'b10 are considered trusted, and 2'b01 and 2'b11 are considered untrusted.The OCP2AHB bridge is expected to translate trusted identities on the controller side to trusted identities on the responder side. Similarly, it is expected to translate untrusted identities on the controller side to untrusted identities on the responder side.



ahb_hprot, ocp_mreqinfo 


000: ahb_hprot = 2'b11;    // OCP MReqInfo to AHB HPROT mapping001: ahb_hprot = 2'b00;010: ahb_hprot = 2'b00;011: ahb_hprot = 2'b01;100: ahb_hprot = 2'b00;101: ahb_hprot = 2'b00;110: ahb_hprot = 2'b10;111: ahb_hprot = 2'b00;
case (p0_mreqinfo_o_temp[4:2])endcase
module ocp2ahb( ); output [1:0] ahb_hprot;        // output is 2 bit signal for AHB HPROTinput [4:0] ocp_mreqinfo;      // input is 5 bit signal from OCP MReqInfowire [6:0] p0_mreqinfo_o_temp; // OCP signal that transmits hardware identity of bus controllerwire y;reg [1:0] ahb_hprot;// hardware identity of bus controller is in bits 5:1 of p0_mreqinfo_o_temp signalassign p0_mreqinfo_o_temp[6:0] = {1'b0, ocp_mreqinfo[4:0], y};always @*beginendendmodule

Logic in the case statement only checks for MReqInfo bits 4:2, i.e., hardware-identity bits 3:1. When ocp_mreqinfo is 5'h1F or 5'h0E, p0_mreqinfo_o_temp[2] will be 1. As a result, untrusted IDs from OCP 5'h1F and 5'h0E get translated to trusted ahb_hprot values 2'b00.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-284: Improper Access Control

Go to

Visit http://cwe.mitre.org/ for more details.