Mirrored Regions with Different Values

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when a system maintains duplicate copies of data or resources (like cached memory or shadow registers) but fails to keep them synchronized. When mirrored regions hold different values, it can lead to incorrect system behavior, data corruption, or security breaches.

Extended Description

Mirrored regions, such as cache memory, shadow MMUs, or duplicated registers, are created to boost performance by keeping local copies of critical data. However, if these copies fall out of sync with the primary source—due to missed updates, delayed propagation, or spoofed requests—the system operates on stale or incorrect information. This desynchronization creates a window for attackers to exploit race conditions, intercept communications, or manipulate system state, potentially leading to information exposure or full system compromise. The core challenge is ensuring immediate and atomic synchronization across all copies whenever the original data changes. Common failure scenarios include the original copy not issuing update notifications, mirrored copies failing to apply updates, or attackers exploiting the brief lag during propagation. Without a robust coherence protocol that guarantees consistency, these performance optimizations introduce significant security risks equivalent to operating with corrupted or manipulated data.

Common Consequences 1
Scope: Confidentiality, Integrity, Availability, Access Control, Accountability, Authentication, Authorization, Non-Repudiation

Impact: Varies by Context

Potential Mitigations 1
Phase: Architecture and Design
Whenever there are multiple, physically different copies of the same value that might change and the process to update them is not instantaneous and atomic, it is impossible to assert that the original and shadow copies will always be in sync - there will always be a time period when they are out of sync. To mitigate the consequential risk, the recommendations essentially are:
- Make this out-of-sync time period as small as possible, and
- Make the update process as robust as possible.

Effectiveness: Moderate

Demonstrative Examples 1

ID : DX-132

Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of "accessible" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs.
Suppose the interconnect fabric does not prioritize such "update" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges get updated, then the attacker can leverage this scenario.
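
The race described above can be made concrete with a small behavioural model. This is an added example, not part of the original entry: it compares a plain FIFO fabric with one that delivers "update" packets first and lists the accesses a shadow MMU grants against its stale range. The names ShadowMMU, deliver and stale_grants, the packet format and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ShadowMMU:
    """One mirrored copy of the main MMU's accessible range [start, end)."""
    start: int
    end: int

    def allows(self, addr: int) -> bool:
        return self.start <= addr < self.end

def deliver(packets, prioritize_updates):
    """Order in which the fabric hands queued packets to the shadow MMU."""
    if not prioritize_updates:
        return list(packets)  # plain FIFO: updates wait behind other traffic
    # Stable sort: every "update" jumps ahead of pending "access" packets.
    return sorted(packets, key=lambda p: p[0] != "update")

def stale_grants(packets, shadow, main_range, prioritize_updates):
    """Addresses the shadow granted although the main MMU already forbids them."""
    main_start, main_end = main_range
    granted_stale = []
    for kind, payload in deliver(packets, prioritize_updates):
        if kind == "update":
            shadow.start, shadow.end = payload  # mirror catches up here
        elif shadow.allows(payload) and not (main_start <= payload < main_end):
            granted_stale.append(payload)
    return granted_stale

# Constructed scenario: the main MMU has just narrowed the range from
# [0x0000, 0x10000) to [0x0000, 0x8000); its update is queued behind traffic.
OLD_RANGE, NEW_RANGE = (0x0000, 0x10000), (0x0000, 0x8000)
QUEUE = [("access", 0x9000), ("access", 0xA000), ("access", 0x1000),
         ("update", NEW_RANGE), ("access", 0xB000)]

def run(prioritize_updates):
    shadow = ShadowMMU(*OLD_RANGE)  # shadow still holds the old range
    return stale_grants(QUEUE, shadow, NEW_RANGE, prioritize_updates)

if __name__ == "__main__":
    print("FIFO fabric     :", [hex(a) for a in run(False)])
    print("Priority fabric :", [hex(a) for a in run(True)])
```

The same comparison can be used as a verification check in a testbench: any non-empty result means a mirrored copy acted on a value the original had already replaced.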
Applicable Platforms
Languages:
VHDL : Undetermined
Verilog : Undetermined
Technologies:
System on Chip : Undetermined
Notes
Research Gap: Issues related to state and cache - creation, preservation, and update - are a significant gap in CWE that is expected to be addressed in future versions. It has relationships to concurrency and synchronization, incorrect behavior order, and other areas that already have some coverage in CWE, although the focus has typically been on independent processes on the same operating system - not on independent systems that are all a part of a larger system-of-systems.