logo

Improper Zeroization of Hardware Register

Draft Variant
Structure: Simple
Description

This vulnerability occurs when a hardware component fails to properly erase sensitive data from its internal registers before a new user or process gains access to the hardware block.

Extended Description

Hardware blocks, like cryptographic accelerators, use built-in registers to temporarily hold data during operations. These registers can retain sensitive information such as encryption keys or passwords, which becomes a security risk if not cleared. When control of the hardware switches—for example, during a mode change or between different software processes—the next entity accessing the registers might be able to read the previous user's leftover data. To prevent data leaks, hardware must actively clear its registers during user transitions or when a physical tamper event is detected. This clearing process, often called zeroization, is a critical security requirement in standards like FIPS-140-2 for ensuring that sensitive data isn't exposed unintentionally.
Common Consequences 1
Scope: Confidentiality

Impact: Varies by Context

The consequences will depend on the information disclosed due to the vulnerability.
Potential Mitigations 1
Phase: Architecture and Design
Every register potentially containing sensitive information must have a policy specifying how and when information is cleared, in addition to clarifying if it is the responsibility of the hardware logic or IP user to initiate the zeroization procedure at the appropriate time.
Demonstrative Examples 2
Suppose a hardware IP for implementing an encryption routine works as expected, but it leaves the intermediate results in some registers that can be accessed. Exactly why this access happens is immaterial - it might be unintentional or intentional, where the designer wanted a "quick fix" for something.
The example code below [REF-1379] is taken from the SHA256 Interface/wrapper controller module of the HACK@DAC'21 buggy OpenPiton SoC. Within the wrapper module there are a set of 16 memory-mapped registers referenced data[0] to data[15]. These registers are 32 bits in size and are used to store the data received on the AXI Lite interface for hashing. Once both the message to be hashed and a request to start the hash computation are received, the values of these registers will be forwarded to the underlying SHA256 module for processing. Once forwarded, the values in these registers no longer need to be retained. In fact, if not cleared or overwritten, these sensitive values can be read over the AXI Lite interface, potentially compromising any previously confidential data stored therein.

Code Example:

Bad
Verilog

...

verilog
In the previous code snippet [REF-1379] there is the lack of a data clearance mechanism for the memory-mapped I/O registers after their utilization. These registers get cleared only when a reset condition is met. This condition is met when either the global negative-edge reset input signal (rst_ni) or the dedicated reset input signal for SHA256 peripheral (rst_3) is active. In other words, if either of these reset signals is true, the registers will be cleared. However, in cases where there is not a reset condition these registers retain their values until the next hash operation. It is during the time between an old hash operation and a new hash operation that that data is open to unauthorized disclosure.
To correct the issue of data persisting between hash operations, the memory mapped I/O registers need to be cleared once the values written in these registers are propagated to the SHA256 module. This could be done for example by adding a new condition to zeroize the memory mapped I/O registers once the hash value is computed, i.e., hashValid signal asserted, as shown in the good code example below [REF-1380]. This fix will clear the memory-mapped I/O registers after the data has been provided as input to the SHA engine.

Code Example:

Good
Verilog

...

verilog

else if(hashValid && ~hashValid_r)** ```

verilog

data[0] <= 0;**

verilog
References 4
FIPS PUB 140-2: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
Information Technology Laboratory, National Institute of Standards and Technology
25-05-2001
https://csrc.nist.gov/files/pubs/fips/140-2/upd2/final/docs/fips1402.pdf(2025-05-21)
ID: REF-267
Data Remanence in Semiconductor Devices
Peter Gutmann
10th USENIX Security Symposium
08-2001
https://www.usenix.org/legacy/events/sec01/full_papers/gutmann/gutmann.pdf
ID: REF-1055
sha256_wrapper.sv
2021
https://github.com/HACK-EVENT/hackatdac21/blob/b9ecdf6068445d76d6bee692d163fededf7a9d9b/piton/design/chip/tile/ariane/src/sha256/sha256_wrapper.sv#L94-L116(2023-12-13)
ID: REF-1379
Fix for sha256_wrapper.sv
2021
https://github.com/HACK-EVENT/hackatdac21/blob/e8ba396b5c7cec9031e0e0e18ac547f32cd0ed50/piton/design/chip/tile/ariane/src/sha256/sha256_wrapper.sv#L98C1-L139C18(2023-12-13)
ID: REF-1380
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
System on Chip : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Operation
Related Attack Patterns
Related Weaknesses
ChildOf: Sensitive Information in Resource Not Removed Before Reuse (CWE-226)
ChildOf: Sensitive Information in Resource Not Removed Before Reuse (CWE-226)