logo

Improper Restriction of Write-Once Bit Fields

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when hardware write-once protection mechanisms, often called 'sticky bits,' are incorrectly implemented, allowing software to reprogram them multiple times.

Extended Description

Hardware designs use special write-once or 'sticky' bit fields in control registers to lock critical settings. These are intended to be configured only once—typically during initial boot by trusted firmware—and then become permanently read-only. This mechanism is a fundamental security feature that prevents runtime software or malware from altering secure hardware configurations, such as memory protection or debug access controls. When this restriction fails, software can repeatedly overwrite these bits. A common implementation flaw is creating 'write-1-once' logic instead of true 'write-once' protection. In this flawed scenario, a bit might only become locked after being set to '1,' leaving it vulnerable if set to '0' first or allowing toggling between values. This exposes the hardware to privilege escalation, system compromise, or bypass of critical security boundaries.
Common Consequences 1
Scope: ConfidentialityIntegrityAvailabilityAccess Control

Impact: Varies by Context

System configuration cannot be programmed in a secure way.
Potential Mitigations 2
Phase: Architecture and Design
During hardware design all register write-once or sticky fields must be evaluated for proper configuration.
Phase: Testing
The testing phase should use automated tools to test that values are not reprogrammable and that write-once fields lock on writing zeros.
Demonstrative Examples 1
Consider the example design module system verilog code shown below. register_write_once_example module is an example of register that has a write-once field defined. Bit 0 field captures the write_once_status value. This implementation can be for a register that is defined by specification to be a write-once register, since the write_once_status field gets written by input data bit 0 on first write.

Code Example:

Bad
Verilog

module register_write_once_example ( input [15:0] Data_in, input Clk, input ip_resetn, input global_resetn, input write, output reg [15:0] Data_out );

reg Write_once_status;

always @(posedge Clk or negedge ip_resetn)

verilog
The above example only locks further writes if write_once_status bit is written to one. So it acts as write_1-Once instead of the write-once attribute.

Code Example:

Good
Verilog

module register_write_once_example ( input [15:0] Data_in, input Clk, input ip_resetn, input global_resetn, input write, output reg [15:0] Data_out );

reg Write_once_status;

always @(posedge Clk or negedge ip_resetn)

verilog
Applicable Platforms
Languages:
Verilog : UndeterminedVHDL : Undetermined
Technologies:
System on Chip : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Attack Patterns
Related Weaknesses
ChildOf: Improper Access Control (CWE-284)