Uninitialized Value on Reset for Registers Holding Security Settings
Incomplete Base
Structure: Simple
Description
Security-critical logic is not set to a known value on reset.
When the device is first brought out of reset, the state of registers will be indeterminate if they have not been initialized by the logic. Before the registers are initialized, there will be a window during which the device is in an insecure state and may be vulnerable to attack.
Common Consequences 1
Scope: Access ControlAuthenticationAuthorization
Impact: Varies by Context
Potential Mitigations 2
Phase: Implementation
Design checks should be performed to identify any uninitialized flip-flops used for security-critical functions.
Phase: Architecture and Design
All registers holding security-critical information should be set to a specific value on reset.
Demonstrative Examples 1
Shown below is a positive clock edge triggered flip-flop used to implement a lock bit for test and debug interface. When the circuit is first brought out of reset, the state of the flip-flop will be unknown until the enable input and D-input signals update the flip-flop state. In this example, an attacker can reset the device until the test and debug interface is unlocked and access the test interface until the lock signal is driven to a known state by the logic.
Code Example:
Bad
Verilog
always @(posedge clk) begin
verilogThe flip-flop can be set to a known value (0 or 1) on reset, but requires that the logic explicitly update the output of the flip-flop if the reset signal is active.
Code Example:
Good
Verilog
always @(posedge clk) begin
verilogApplicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Not Technology-Specific : Undetermined
Modes of Introduction
Implementation
Related Attack Patterns
Related Weaknesses
Notes
MaintenanceThis entry is still under development and will continue to see updates and content improvements.