Missing Support for Security Features in On-chip Fabrics or Buses

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when the communication channels (fabrics or buses) within a chip lack built-in or enabled security features, such as privilege separation or access controls, leaving data transfers unprotected.

Extended Description

Many on-chip communication systems, especially simpler or low-power designs, are built solely for moving data and lack interfaces to carry critical security attributes like privilege levels or device identity from a master component (like a CPU) to a slave (like a peripheral). Without these dedicated signals, the fabric cannot enforce security policies, making it unsafe for transporting any sensitive security metadata. Even when a bus specification includes optional security signaling, these features are often left unconnected or disabled when the hardware design is generated. Consequently, any peripheral that handles security-sensitive assets should not be connected directly to such a bus unless robust access control is implemented at an earlier point, such as a bridge or intermediary module, before transactions enter the insecure fabric.

Common Consequences

Scope: Confidentiality, Integrity, Access Control, Availability

Impact: DoS: Crash, Exit, or Restart; Read Memory; Modify Memory

Detection Methods

Architecture or Design Review (Effectiveness: High)
Review the fabric specification and confirm that it defines signals for transporting security-sensitive attributes (such as privilege level, secure/non-secure state, or master identity) from master to slave.

Manual Static Analysis - Source Code (Effectiveness: High)
The absence of security features can also be confirmed through manual review of the fabric RTL, checking that any optional security signals are actually instantiated and connected rather than tied off.
Potential Mitigations

Phase: Architecture and Design
If the fabric does not support security features, implement security checks in a bridge or any other component that sits between the master and the fabric. Alternatively, partition the design: connect all slaves that hold no security assets to the fabric that lacks security features, and connect peripherals that do hold security assets to a separate fabric that supports security features.
Demonstrative Examples

Several systems on chip (SoCs) use the Advanced Microcontroller Bus Architecture (AMBA) Advanced Peripheral Bus (APB) protocol. APB is a simple, low-power bus and uses the PPROT[2:0] bits to indicate the security state of the bus masters: PPROT[0] indicates privilege, PPROT[1] indicates a secure/non-secure transaction, and PPROT[2] indicates instruction/data. Assume that there is no fabric bridge in the SoC. One of the slaves, the power-management unit, contains registers that store the thermal-shutdown limits.
The APB bus is used to connect several bus masters, each with a unique and immutable hardware identity, to several slaves. For a CPU supporting 8 potential identities (each with varying privilege levels), 16 types of outgoing transactions can be made: 8 read transactions, one per supported privilege level, and 8 write transactions, one per supported privilege level.
Since APB PPROT can only support up to 8 transaction types, access-control checks cannot be performed on transactions going to the slaves at the right granularity for all possible transaction types. Thus, potentially, user code running on the CPU could maliciously corrupt the thermal-shutdown-configuration registers to burn the device, resulting in permanent denial of service.
In this scenario, only peripherals that need access protection from 8 of the 16 possible transaction types can be connected to the APB bus. Peripherals that require protection from the remaining 8 transaction types can be connected to a different APB bus. Alternatively, a bridge could be implemented to handle such complex scenarios before forwarding traffic to the APB bus.
The Open Core Protocol (OCP) fabric supports two configurable signals of optional width for transporting security attributes: MReqInfo and SRespInfo. MReqInfo is used to transport security attributes from bus master to slave, and SRespInfo is used to transport security attributes from slave to bus master. An SoC uses OCP to connect several bus masters, each with a unique and immutable hardware identity, to several slaves. One of the bus masters, the CPU, reports the privilege level (user or super user) in addition to the unique identity. One of the slaves, the power-management unit, contains registers that store the thermal-shutdown limits.
Since MReqInfo and SRespInfo are not mandatory, these signals are not configured when autogenerating RTL for the OCP fabric. Thus, the fabric cannot be used to transport security attributes from bus masters to slaves.
Code running at user-privilege level on the CPU could maliciously corrupt the thermal-shutdown-configuration registers to burn the device and cause permanent denial of service.
To address this, configure the fabric to include MReqInfo and SRespInfo signals and use these to transport security identity and privilege level to perform access-control checks at the slave interface.
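Both examples above come down to the same check: the slave (or a bridge in front of it) must see the master's identity and privilege level before a write to the thermal-shutdown registers is accepted. The following Python behavioural model is an added example, not RTL or code from this entry or from the AMBA/OCP specifications; the register addresses, the policy table and the slave model are constructed. It shows that APB PPROT[2:0] cannot carry the master identity at all (two different masters produce identical PPROT values), and models the mitigation of a bridge that enforces identity-and-privilege access control and returns PSLVERR before a disallowed transaction reaches the unprotected fabric.

```python
from dataclasses import dataclass

# Constructed register map for the power-management unit (PMU) slave.
PMU_THERMAL_LIMIT = 0x4000_0010   # thermal-shutdown limit (security asset)
PMU_STATUS = 0x4000_0014          # read-only telemetry, no security asset

@dataclass(frozen=True)
class Transaction:
    master_id: int     # immutable hardware identity of the master, 0..7
    privileged: bool   # True = super user / privileged
    is_write: bool
    addr: int

def pprot_bits(tx: Transaction, secure: bool = True, instruction: bool = False) -> int:
    """Everything APB PPROT[2:0] can express: [0] privilege, [1] non-secure, [2] instruction.
    The master identity has no bit here, so it is lost on the way to the slave."""
    return int(tx.privileged) | (int(not secure) << 1) | (int(instruction) << 2)

# Constructed policy: only master 0 (the CPU) in privileged mode may write the limit.
THERMAL_LIMIT_WRITERS = {(0, True)}

def bridge_check(tx: Transaction) -> bool:
    """Access-control decision taken in the bridge, before the fabric, on the full
    (identity, privilege, read/write) tuple that the fabric itself cannot transport."""
    if tx.addr == PMU_THERMAL_LIMIT:
        if tx.is_write:
            return (tx.master_id, tx.privileged) in THERMAL_LIMIT_WRITERS
        return tx.privileged              # limit is readable by privileged code only
    if tx.addr == PMU_STATUS:
        return not tx.is_write            # status is read-only for every master
    return False                          # unmapped address: fail closed

def apb_slave_model(regs: dict, tx: Transaction, wdata: int = 0):
    """The unprotected slave: it performs whatever reaches it, as a bare APB slave would."""
    if tx.is_write:
        regs[tx.addr] = wdata
        return None
    return regs.get(tx.addr, 0)

def forward(regs: dict, tx: Transaction, wdata: int = 0):
    """Bridge datapath: disallowed transactions get PSLVERR and never touch the slave."""
    if not bridge_check(tx):
        return ("PSLVERR", None)
    return ("OK", apb_slave_model(regs, tx, wdata))
```

A user-mode write to the limit register is rejected at the bridge and the stored limit is unchanged, while the same write from the privileged CPU is forwarded; without the bridge, both would reach the slave with the same PPROT value.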
References

REF-1139: ARM, "AMBA APB Protocol Specification, Version 2.0", 2010.
REF-1140: OCP-IP, "Open Core Protocol Specification, Release 2.2", 2006.
Applicable Platforms

Languages:
Not Language-Specific: Undetermined

Technologies:
Processor Hardware: Undetermined
Not Technology-Specific: Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Weaknesses