Missing Protection for Mirrored Regions in On-Chip Fabric Firewall

Status: Draft
Abstraction: Base
Structure: Simple
Description

The firewall in an on-chip fabric applies its access-control rules only to the primary address range of a memory or memory-mapped I/O (MMIO) region and not to the mirrored copies of that region. An attacker can bypass the intended read and write restrictions by sending transactions to the unprotected mirrored addresses, which alias the same underlying data.

Extended Description

Some on-chip fabrics mirror memory and address ranges, so that the mirrored regions hold copies of the original data. This redundancy is used for fault tolerance: the memory controller keeps the original and its mirrors in lock step, so a write that lands on any one of them is propagated to all of them, and a read from a mirror returns the same contents as a read from the original. A firewall rule is typically expressed as a window in fabric address space. If that window covers only the original region, a transaction whose address falls in a mirrored region misses the rule and is passed through unchecked, even though it reaches exactly the same asset. An attacker can therefore read the mirrored address to leak data that is read-protected in the original region, or write the mirrored address to corrupt data that is write-protected there, defeating the purpose of the firewall. Whatever protection the fabric firewall implements for the original region must be applied consistently to every mirrored region, either by replicating each rule into every mirror or by canonicalizing the transaction address (stripping the mirror-select bits) before matching it against the rule set.

Common Consequences
Scope: Confidentiality, Integrity, Access Control

Impact: Modify Memory, Read Memory, Bypass Protection Mechanism

Detection Methods
Manual Dynamic Analysis (Effectiveness: High)
Using an external debugger, send write transactions to each mirrored region and check whether the original, write-protected region is modified. Similarly, send read transactions to each mirrored region and check whether the contents of the original, read-protected region can be read back. Repeat for every mirror the memory controller is configured with, not just the first one, and confirm that the same transactions against the original range are still blocked.
Potential Mitigations
Phase: Architecture and Design
The fabric firewall should apply the same protections to the mirrored regions as it applies to the original region.
Phase: Implementation
The fabric firewall should apply the same protections to the mirrored regions as it applies to the original region.
Demonstrative Examples
A memory-controller IP block is connected to the on-chip fabric in a System on Chip (SoC). The memory controller is configured to divide the memory into four parts: one original region and three mirrored regions. The upper two bits of the address select the region: 00 addresses the original region, and 01, 10, and 11 address the three mirrored regions. All four regions operate in lock step and are always synchronized. The firewall in the on-chip fabric is programmed to protect the assets held in this memory.
The firewall only protects the original range (upper bits 00) and not the mirrored regions.
The attacker (as an unprivileged user) sends a write transaction to a mirrored region: the upper two bits of the address are set to "10" and the remaining bits point at a protected asset. Because the address falls outside the firewall's protected window, the firewall does not block the transaction. Once the write completes, the memory controller propagates it, and the contents of the protected region are updated as well. The attacker has thus bypassed the existing memory protections.
The firewall should apply the same rules to the mirrored ranges (upper bits 01, 10 and 11) as it applies to the original range (upper bits 00).
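The following is an added example, not code from the CWE entry or from any real fabric IP. It models the SoC from the demonstrative example in C: a 16-bit address space whose top two bits select the region (00 original, 01/10/11 mirrors) over one shared backing store, a firewall rule programmed against the original range only, and the detection procedure from the Detection Methods section run against both the vulnerable firewall (raw address matched against the rule) and a fixed one (mirror-select bits masked off before matching). Region size, the rule window, the initiator model and all identifiers are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not a real SoC): 16-bit fabric addresses, top two bits
 * select the region, the remaining 14 bits are the offset inside the region. */
#define ADDR_BITS     16
#define REGION_SHIFT  (ADDR_BITS - 2)                      /* 14 */
#define REGION_MASK   ((uint16_t)(0x3u << REGION_SHIFT))   /* 0xC000 */
#define OFFSET_MASK   ((uint16_t)~REGION_MASK)             /* 0x3FFF */
#define REGION_SIZE   (1u << REGION_SHIFT)                 /* 16 KiB */

/* One backing store: all four regions alias it, which is what lock-step
 * mirroring looks like from the initiator's point of view. */
static uint8_t g_mem[REGION_SIZE];

enum { INITIATOR_UNPRIV = 0, INITIATOR_PRIV = 1 };

/* A firewall rule: a [base, base+len) window in fabric address space plus the
 * access an unprivileged initiator is allowed inside it. */
struct fw_rule {
    uint16_t base;
    uint16_t len;
    bool     allow_unpriv_read;
    bool     allow_unpriv_write;
};

/* Assumed protected asset: offsets 0x1000..0x10FF. The rule is programmed
 * against region 00 only, exactly as in the demonstrative example. */
static const struct fw_rule g_rule = { 0x1000, 0x100, false, false };

static bool in_window(uint16_t addr, const struct fw_rule *r) {
    return addr >= r->base && (uint32_t)addr < (uint32_t)r->base + r->len;
}

/* Vulnerable firewall: matches the raw fabric address. A transaction to
 * 0x9010 (region 10, offset 0x1010) misses the 0x1000..0x10FF window and is
 * passed through by the default-allow fall-through. */
static bool fw_allows_vuln(uint16_t addr, int initiator, bool is_write) {
    if (initiator == INITIATOR_PRIV) return true;
    if (!in_window(addr, &g_rule)) return true;        /* uncovered: allow */
    return is_write ? g_rule.allow_unpriv_write : g_rule.allow_unpriv_read;
}

/* Fixed firewall: strip the mirror-select bits first, so every alias of a
 * protected offset hits the same rule. This is equivalent to replicating the
 * rule into regions 01, 10 and 11. */
static bool fw_allows_fixed(uint16_t addr, int initiator, bool is_write) {
    uint16_t canonical = (uint16_t)(addr & OFFSET_MASK);
    return fw_allows_vuln(canonical, initiator, is_write);
}

typedef bool (*fw_fn)(uint16_t addr, int initiator, bool is_write);

/* Fabric write: firewall check, then the memory controller commits the write
 * to the shared store (original and every mirror see it). */
static bool fabric_write(fw_fn fw, uint16_t addr, int initiator, uint8_t val) {
    if (!fw(addr, initiator, true)) return false;
    g_mem[addr & OFFSET_MASK] = val;
    return true;
}

static bool fabric_read(fw_fn fw, uint16_t addr, int initiator, uint8_t *out) {
    if (!fw(addr, initiator, false)) return false;
    *out = g_mem[addr & OFFSET_MASK];
    return true;
}

/* The Detection Methods procedure: as an unprivileged initiator, write to each
 * mirror of a protected asset and check whether the original changed, then
 * read through each mirror. Returns true only if the firewall held on every
 * mirror and still blocks the original range. */
static bool probe_mirrors(fw_fn fw) {
    const uint16_t asset_off = 0x1010;             /* inside the window */
    const uint8_t  secret = 0x5A, poison = 0xA5;
    bool ok = true;
    for (unsigned region = 1; region < 4; region++) {
        uint16_t mirror = (uint16_t)((region << REGION_SHIFT) | asset_off);
        uint8_t  leaked = 0;
        fabric_write(fw, asset_off, INITIATOR_PRIV, secret);   /* seed asset */
        if (fabric_write(fw, mirror, INITIATOR_UNPRIV, poison) &&
            g_mem[asset_off] == poison) {
            printf("write via mirror %u (0x%04X) corrupted the original\n",
                   region, mirror);
            ok = false;
        }
        if (fabric_read(fw, mirror, INITIATOR_UNPRIV, &leaked)) {
            printf("read via mirror %u (0x%04X) leaked 0x%02X\n",
                   region, mirror, leaked);
            ok = false;
        }
    }
    /* The original range must be blocked regardless of the mirror handling. */
    if (fabric_write(fw, asset_off, INITIATOR_UNPRIV, poison)) ok = false;
    return ok;
}

int main(void) {
    printf("vulnerable firewall: %s\n",
           probe_mirrors(fw_allows_vuln) ? "held" : "BYPASSED");
    printf("fixed firewall:      %s\n",
           probe_mirrors(fw_allows_fixed) ? "held" : "BYPASSED");
    return 0;
}
```

Running it reports the vulnerable firewall as bypassed on all three mirrors and the fixed one as holding. The mask-based fix works here because mirroring is pure address aliasing with a fixed select field; if a design places mirrors at arbitrary, software-configured bases, the firewall has to be told those bases and replicate each rule per mirror instead, and the probe loop should iterate over the actual mirror list rather than the bit pattern.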
Applicable Platforms
Languages: Not Language-Specific (Undetermined Prevalence)
Technologies: Not Technology-Specific (Undetermined Prevalence)
Modes of Introduction
Architecture and Design
Implementation