Description
A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue.
Integrated circuits and hardware IP software programmable controls and settings are commonly stored in register circuits. These register contents have to be initialized at hardware reset to defined default values that are hard coded in the hardware description language (HDL) code of the hardware unit. A common security protection method used to protect register settings from modification by software is to make them write-once. This means the hardware implementation only allows writing to such registers once, and they become read-only after having been written once by software. This is useful to allow initial boot software to configure systems settings to secure values while blocking runtime software from modifying such hardware settings. Implementation issues in hardware design of such controls can expose such registers to a race condition security flaw. For example, consider a hardware design that has two different software/firmware modules executing in parallel. One module is trusted (module A) and another is untrusted (module B). In this design it could be possible for Module B to send write cycles to the write-once register before Module A. Since the field is write-once the programmed value from Module A will be ignored and the pre-empted value programmed by Module B will be used by hardware.
Potential Impact
Access Control
Bypass Protection Mechanism
Demonstrative Examples
module register_write_once_example
(
input [15:0] Data_in,
input Clk,
input ip_resetn,
input global_resetn,
input write,
output reg [15:0] Data_out
);
reg Write_once_status;
always @(posedge Clk or negedge ip_resetn)
if (~ip_resetn)
begin
Data_out <= 16'h0000;
Write_once_status <= 1'b0;
end
else if (write & ~Write_once_status)
begin
Data_out <= Data_in & 16'hFFFE; // Input data written to register after masking bit 0
Write_once_status <= 1'b1; // Write once status set after first write.
end
else if (~write)
begin
Data_out[15:1] <= Data_out[15:1];
Data_out[0] <= Write_once_status;
end
endmoduleTrusted firmware or software trying to set the write-once field:
Must confirm the Write_once_status (bit 0) value is zero, before programming register. If another agent has programmed the register before, then Write_once_status value will be one.
After writing to the register, the trusted software can issue a read to confirm that the valid setting has been programmed.Mitigations & Prevention
During hardware design, all register write-once or sticky fields must be evaluated for proper configuration.
Detection Methods
- Automated Analysis — The testing phase should use automated tools to test that values are not reprogrammable and that write-once fields lock on writing zeros.
Related Weaknesses
Frequently Asked Questions
What is CWE-1223?
CWE-1223 (Race Condition for Write-Once Attributes) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue.
How can CWE-1223 be exploited?
Attackers can exploit CWE-1223 (Race Condition for Write-Once Attributes) to bypass protection mechanism. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-1223?
Key mitigations include: During hardware design, all register write-once or sticky fields must be evaluated for proper configuration.
What is the severity of CWE-1223?
CWE-1223 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.