Policy Uses Obsolete Encoding

Draft Base

Structure: Simple

Description

This vulnerability occurs when a hardware system uses outdated or deprecated encoding methods to enforce security policies and access controls.

Extended Description

In a System-on-a-Chip (SoC), different hardware components constantly generate transactions to read, write, or perform actions like reset or compute. Each transaction includes identifiers for its source and destination, and is often tagged with a Security Token. This token acts as a key, telling the destination what actions the transaction is permitted to perform. A policy encoder is responsible for creating these tokens by mapping transaction details to specific security permissions. A critical security flaw arises when this policy encoder relies on an obsolete or no-longer-trusted encoding scheme. Using weak or deprecated encoding undermines the entire access control system, as the security tokens can become predictable, forgeable, or easily bypassed. This leaves the chip's assets and functions vulnerable to unauthorized access or manipulation by malicious actors.

Common Consequences 1

Scope: ConfidentialityIntegrityAvailabilityAccess Control

Impact: Modify MemoryRead MemoryModify Files or DirectoriesRead Files or DirectoriesDoS: Resource Consumption (Other)Execute Unauthorized Code or CommandsGain Privileges or Assume IdentityBypass Protection MechanismReduce Reliability

Potential Mitigations 1

Phase: Architecture and DesignImplementation

Security Token Decoders should be reviewed for design inconsistency and common weaknesses. Access and programming flows should be tested in both pre-silicon and post-silicon testing.

Effectiveness: High

Demonstrative Examples 1

For example, consider a system that has four bus masters. The table below provides bus masters, their Security Tokens, and trust assumptions. | Bus Master | Security Token Decoding | Trust Assumptions | | --- | --- | --- | | Master_0 | "00" | Untrusted | | Master_1 | "01" | Trusted | | Master_2 | "10" | Untrusted | | Master_3 | "11" | Untrusted | The policy encoding is to be defined such that Security Token will be used in implemented access-controls. The bits in the bus transaction that contain Security-Token information are Bus_transaction [15:11]. The assets are the AES-Key registers for encryption or decryption. The key of 128 bits is implemented as a set of four, 32-bit registers. | Register | Field description | | --- | --- | | AES_ENC_DEC_KEY_0 | AES key [0:31] for encryption or decryption, Default 0x00000000 | | AES_ENC_DEC_KEY_1 | AES key [32:63] for encryption or decryption, Default 0x00000000 | | AES_ENC_DEC_KEY_2 | AES key [64:95] for encryption or decryption, Default 0x00000000 | | AES_ENC_DEC_KEY_4 | AES key [96:127] for encryption or decryption, Default 0x00000000 | Below is an example of a policy encoding scheme inherited from a previous project where all "ODD" numbered Security Tokens are trusted.

Code Example:Bad
bash

The inherited policy encoding is obsolete and does not work for the new system where an untrusted bus master with an odd Security Token exists in the system, i.e., Master_3 whose Security Token is "11". Based on the old policy, the untrusted bus master (Master_3) has access to the AES-Key registers. To resolve this, a register AES_KEY_ACCESS_POLICY can be defined to provide necessary, access controls:

New Policy: | | | | AES_KEY_ACCESS_POLICY | [31:0] Default 0x00000002 - agent with Security Token "1" has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_4 registers | The AES_KEY_ACCESS_POLICY register defines which agents with a Security Token in the transaction can access the AES-key registers. Each bit in this 32-bit register defines a Security Token. There could be a maximum of 32 security Tokens that are allowed access to the AES-key registers. The number of the bit when set (i.e., "1") allows respective action from an agent whose identity matches the number of the bit and, if "0" (i.e., Clear), disallows the respective action to that corresponding agent. Thus, any bus master with Security Token "01" is allowed access to the AES-Key registers. Below is the Pseudo Code for policy encoding:

Code Example:Good
bash

References 1

Huge Intel CPU Bug Allegedly Causes Kernel Memory Vulnerability With Up To 30% Performance Hit In Windows And Linux

Brandon Hill

02-01-2018

https://hothardware.com/news/intel-cpu-bug-kernel-memory-isolation-linux-windows-macos(2023-04-07)

ID: REF-1093

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Technologies:

Not Technology-Specific : Undetermined

Modes of Introduction

Architecture and Design

Implementation

Related Attack Patterns

Related Weaknesses

ChildOf:

Improper Access Control (CWE-284)