logo

Incorrect Chaining or Granularity of Debug Components

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when hardware debug components, such as test ports and scan chains, are incorrectly connected or organized within a chip's design. This misconfiguration can create unintended access paths, potentially exposing sensitive internal data or functions.

Extended Description

Modern chips incorporate specialized debug components like Test Access Ports (TAPs) for boundary scans, internal scan cells for stimulus/response testing, and custom tracing hubs for monitoring. If these elements are chained together incorrectly or organized with improper granularity during the design phase, it breaks the intended security model of the debug infrastructure. This design or synthesis error creates hidden backdoors or elevates access permissions within the chip. Attackers could exploit these flawed connections to bypass security controls, extract cryptographic keys, or manipulate the chip's internal state, turning vital debugging features into serious security liabilities.
Common Consequences 1
Scope: ConfidentialityIntegrityAccess ControlAuthenticationAuthorizationAvailabilityAccountability

Impact: Gain Privileges or Assume IdentityBypass Protection MechanismExecute Unauthorized Code or CommandsModify MemoryModify Files or Directories

Depending on the access to debug component(s) erroneously granted, an attacker could use the debug component to gain additional understanding about the system to further an attack and/or execute other commands. This could compromise any security property, including the ones listed above.
Detection Methods 2
Architecture or Design ReviewHigh
Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.
Dynamic Analysis with Manual Results InterpretationHigh
Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.
Potential Mitigations 1
Phase: Implementation
Ensure that debug components are properly chained and their granularity is maintained at different authentication levels.
Demonstrative Examples 1
The following example shows how an attacker can take advantage of incorrect chaining or missing granularity of debug components.
In a System-on-Chip (SoC), the user might be able to access the SoC-level TAP with a certain level of authorization. However, this access should not also grant access to all of the internal TAPs (e.g., Core). Separately, if any of the internal TAPs is also stitched to the TAP chain when it should not be because of a logic error, then an attacker can access the internal TAPs as well and execute commands there.
As a related example, suppose there is a hierarchy of TAPs (TAP_A is connected to TAP_B and TAP_C, then TAP_B is connected to TAP_D and TAP_E, then TAP_C is connected to TAP_F and TAP_G, etc.). Architecture mandates that the user have one set of credentials for just accessing TAP_A, another set of credentials for accessing TAP_B and TAP_C, etc. However, if, during implementation, the designer mistakenly implements a daisy-chained TAP where all the TAPs are connected in a single TAP chain without the hierarchical structure, the correct granularity of debug components is not implemented and the attacker can gain unauthorized access.
Observed Examples 2
CVE-2017-18347Incorrect access control in RDP Level 1 on STMicroelectronics STM32F0 series devices allows physically present attackers to extract the device's protected firmware via a special sequence of Serial Wire Debug (SWD) commands because there is a race condition between full initialization of the SWD interface and the setup of flash protection.
CVE-2020-1791There is an improper authorization vulnerability in several smartphones. The system has a logic-judging error, and, under certain scenarios, a successful exploit could allow the attacker to switch to third desktop after a series of operations in ADB mode. (Vulnerability ID: HWPSIRT-2019-10114).
Applicable Platforms
Languages:
Verilog : UndeterminedVHDL : UndeterminedNot Language-Specific : Undetermined
Technologies:
Processor Hardware : UndeterminedNot Technology-Specific : Undetermined
Modes of Introduction
Implementation
Related Attack Patterns
Related Weaknesses
ChildOf: Improper Access Control (CWE-284)
Notes
MaintenanceThis entry is still under development and will continue to see updates and content improvements.