1. Home
  2. CWE Database
  3. CWE-1252
Base · Medium

CWE-1252: CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations

The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.

CWE-1252 · Base Level ·2 Mitigations

Description

The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.

CPUs provide a special bit that supports exclusivity of write and execute operations. This bit is used to segregate areas of memory to either mark them as code (instructions, which can be executed) or data (which should not be executed). In this way, if a user can write to a region of memory, the user cannot execute from that region and vice versa. This exclusivity provided by special hardware bit is leveraged by the operating system to protect executable space. While this bit is available in most modern processors by default, in some CPUs the exclusivity is implemented via a memory-protection unit (MPU) and memory-management unit (MMU) in which memory regions can be carved out with exact read, write, and execute permissions. However, if the CPU does not have an MMU/MPU, then there is no write exclusivity.

Potential Impact

Confidentiality, Integrity

Execute Unauthorized Code or Commands

Demonstrative Examples

MCS51 Microcontroller (based on 8051) does not have a special bit to support write exclusivity. It also does not have an MMU/MPU support. The Cortex-M CPU has an optional MPU that supports up to 8 regions.
Bad
The optional MPU is not configured.
If the MPU is not configured, then an attacker will be able to inject malicious data into memory and execute it.

Mitigations & Prevention

Architecture and Design

Implement a dedicated bit that can be leveraged by the Operating System to mark data areas as non-executable. If such a bit is not available in the CPU, implement MMU/MPU (memory management unit / memory protection unit).

Integration

If MMU/MPU are not available, then the firewalls need to be implemented in the SoC interconnect to mimic the write-exclusivity operation.

CWE-284: Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Frequently Asked Questions

What is CWE-1252?

CWE-1252 (CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.

How can CWE-1252 be exploited?

Attackers can exploit CWE-1252 (CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations) to execute unauthorized code or commands. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-1252?

Key mitigations include: Implement a dedicated bit that can be leveraged by the Operating System to mark data areas as non-executable. If such a bit is not available in the CPU, implement MMU/MPU (memory management unit / mem

What is the severity of CWE-1252?

CWE-1252 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.