logo

Race Condition for Write-Once Attributes

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when an untrusted software component wins a race condition and writes to a hardware register before the trusted component can, permanently locking in an insecure value because the register is designed to be written only once.

Extended Description

In hardware design, critical security settings are often stored in write-once registers. These registers allow software to set a value—like a system configuration or a security policy—a single time after a reset, after which they become read-only. This mechanism is intended to let trusted boot firmware establish a secure baseline that untrusted runtime software cannot later alter. A security flaw emerges when the hardware design does not properly sequence access to these registers. If an untrusted software module (Module B) can issue a write command before the trusted module (Module A) does, the untrusted value gets permanently locked in. The trusted module's subsequent write is ignored, leaving the system configured with potentially insecure or incorrect settings for its entire operational lifetime.
Common Consequences 1
Scope: Access Control

Impact: Bypass Protection Mechanism

System configuration cannot be programmed in a secure way.
Potential Mitigations 2
Phase: Architecture and Design
During hardware design all register write-once or sticky fields must be evaluated for proper configuration.
Phase: Testing
The testing phase should use automated tools to test that values are not reprogrammable and that write-once fields lock on writing zeros.
Demonstrative Examples 1
consider the example design module system verilog code shown below. register_write_once_example module is an example of register that has a write-once field defined. Bit 0 field captures the write_once_status value.

Code Example:

Bad
Verilog

module register_write_once_example (

verilog
The first system component that sends a write cycle to this register can program the value. This could result in a race condition security issue in the SoC design, if an untrusted agent is running in the system in parallel with the trusted component that is expected to program the register.

Code Example:

Good
Other

Trusted firmware or software trying to set the write-once field:

  • Must confirm the Write_once_status (bit 0) value is zero, before programming register. If another agent has programmed the register before, then Write_once_status value will be one.

  • After writing to the register, the trusted software can issue a read to confirm that the valid setting has been programmed.
Applicable Platforms
Languages:
Verilog : UndeterminedVHDL : Undetermined
Technologies:
System on Chip : Undetermined
Modes of Introduction
Architecture and Design
Related Attack Patterns
Related Weaknesses
ChildOf: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)