CWE-1323: Improper Management of Sensitive Trace Data
Description
Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents.
Submission Date :
July 20, 2020, midnight
Modification Date :
2023-06-29 00:00:00+00:00
Organization :
The Intel Corporation
Extended Description
To facilitate verification of complex System-on-Chip (SoC) designs, SoC integrators add specific IP blocks that trace the SoC's internal signals in real-time. This infrastructure enables observability of the SoC's internal behavior, validation of its functional design, and detection of hardware and software bugs. Such tracing IP blocks collect traces from several sources on the SoC including the CPU, crypto coprocessors, and on-chip fabrics. Traces collected from these sources are then aggregated inside trace IP block and forwarded to trace sinks, such as debug-trace ports that facilitate debugging by external hardware and software debuggers.
Since these traces are collected from several security-sensitive sources, they must be protected against untrusted debuggers. If they are stored in unprotected memory, an untrusted software debugger can access these traces and extract secret information. Additionally, if security-sensitive traces are not tagged as secure, an untrusted hardware debugger might access them to extract confidential information.
Example - 1
In a SoC, traces generated from sourcesinclude security-sensitive IP blocks such as CPU (withtracing information such as instructions executed andmemory operands), on-chip fabric (e.g., memory-transfersignals, transaction type and destination, andon-chip-firewall-error signals), power-managementIP blocks (e.g., clock- and power-gating signals), andcryptographic coprocessors (e.g., cryptographic keys andintermediate values of crypto operations), amongother non-security-sensitive IP blocks including timersand other functional blocks. The collected traces arethen forwarded to the debug and trace interface used bythe external hardware debugger.
The traces donot have any privilege level attached to them. Allcollected traces can be viewed by any debugger (i.e., SoCdesigner, OEM debugger, or end user).Some of thetraces are SoC-design-house secrets, while some are OEMsecrets. Few are end-user secrets and the rest arenot security-sensitive. Tag all traces with theappropriate, privilege level at the source. The bitsindicating the privilege level must be immutable intheir transit from trace source to the final, tracesink. Debugger privilege level must be checked beforeproviding access to traces. Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.