CWE-1239: Improper Zeroization of Hardware Register

Description

The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.

Hardware logic operates on data stored in registers local to the hardware block. Most hardware IPs, including cryptographic accelerators, rely on registers to buffer I/O, store intermediate values, and interface with software. The result of this is that sensitive information, such as passwords or encryption keys, can exist in locations not transparent to the user of the hardware logic. When a different entity obtains access to the IP due to a change in operating mode or conditions, the new entity can extract information belonging to the previous user if no mechanisms are in place to clear register contents. It is important to clear information stored in the hardware if a physical attack on the product is detected, or if the user of the hardware block changes. The process of clearing register contents in a hardware IP is referred to as zeroization in standards for cryptographic hardware modules such as FIPS-140-2 [REF-267].

Potential Impact

Confidentiality

Varies by Context

Demonstrative Examples

The example code below [REF-1379] is taken from the SHA256 Interface/wrapper controller module of the HACK@DAC'21 buggy OpenPiton SoC. Within the wrapper module there are a set of 16 memory-mapped registers referenced data[0] to data[15]. These registers are 32 bits in size and are used to store the data received on the AXI Lite interface for hashing. Once both the message to be hashed and a request to start the hash computation are received, the values of these registers will be forwarded to the underlying SHA256 module for processing. Once forwarded, the values in these registers no longer need to be retained. In fact, if not cleared or overwritten, these sensitive values can be read over the AXI Lite interface, potentially compromising any previously confidential data stored therein.

Bad

...
						
						// Implement SHA256 I/O memory map interface
						// Write side
						always @(posedge clk_i)
							
							begin
								
								if(~(rst_ni && ~rst_3))
									
									begin
										
										startHash <= 0;
										newMessage <= 0;
										data[0] <= 0;
										data[1] <= 0;
										data[2] <= 0;
										...
										data[14] <= 0;
										data[15] <= 0;
										
									
								
							
						
					...

In the previous code snippet [REF-1379] there is the lack of a data clearance mechanism for the memory-mapped I/O registers after their utilization. These registers get cleared only when a reset condition is met. This condition is met when either the global negative-edge reset input signal (rst_ni) or the dedicated reset input signal for SHA256 peripheral (rst_3) is active. In other words, if either of these reset signals is true, the registers will be cleared. However, in cases where there is not a reset condition these registers retain their values until the next hash operation. It is during the time between an old hash operation and a new hash operation that that data is open to unauthorized disclosure.

To correct the issue of data persisting between hash operations, the memory mapped I/O registers need to be cleared once the values written in these registers are propagated to the SHA256 module. This could be done for example by adding a new condition to zeroize the memory mapped I/O registers once the hash value is computed, i.e., hashValid signal asserted, as shown in the good code example below [REF-1380]. This fix will clear the memory-mapped I/O registers after the data has been provided as input to the SHA engine.

Good

...
						
						// Implement SHA256 I/O memory map interface
						// Write side
						always @(posedge clk_i)
							
							begin
								
								if(~(rst_ni && ~rst_3))
									
									begin
										
										startHash <= 0;
										newMessage <= 0;
										data[0] <= 0;
										data[1] <= 0;
										data[2] <= 0;
										...
										data[14] <= 0;
										data[15] <= 0;
										
									end
									
								else if(hashValid && ~hashValid_r)
									
									begin
										
										data[0] <= 0;
										data[1] <= 0;
										data[2] <= 0;
										...
										data[14] <= 0;
										data[15] <= 0;
										
									end
									
								
							
						
					...

Mitigations & Prevention

Architecture and Design

Every register potentially containing sensitive information must have a policy specifying how and when information is cleared, in addition to clarifying if it is the responsibility of the hardware logic or IP user to initiate the zeroization procedure at the appropriate time.

Frequently Asked Questions

What is CWE-1239?

CWE-1239 (Improper Zeroization of Hardware Register) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.

How can CWE-1239 be exploited?

Attackers can exploit CWE-1239 (Improper Zeroization of Hardware Register) to varies by context. This weakness is typically introduced during the Architecture and Design, Implementation, Operation phase of software development.

How do I prevent CWE-1239?

Key mitigations include: Every register potentially containing sensitive information must have a policy specifying how and when information is cleared, in addition to clarifying if it is the responsibility of the hardware log

What is the severity of CWE-1239?

CWE-1239 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.