1. Home
  2. CWE Database
  3. CWE-1290
Base · Medium

CWE-1290: Incorrect Decoding of Security Identifiers

The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. If the decoding is implemented incorrectly, then untrusted agents can now gain unauthoriz...

CWE-1290 · Base Level ·2 Mitigations

Description

The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset.

In a System-On-Chip (SoC), various integrated circuits and hardware engines generate transactions such as to access (reads/writes) assets or perform certain actions (e.g., reset, fetch, compute, etc.). Among various types of message information, a typical transaction is comprised of source identity (to identify the originator of the transaction) and a destination identity (to route the transaction to the respective entity). Sometimes the transactions are qualified with a security identifier. The security identifier helps the destination agent decide on the set of allowed actions (e.g., access an asset for read and writes). A decoder decodes the bus transactions to map security identifiers into necessary access-controls/protections. A common weakness that can exist in this scenario is incorrect decoding because an untrusted agent's security identifier is decoded into a trusted agent's security identifier. Thus, an untrusted agent previously without access to an asset can now gain access to the asset.

Potential Impact

Confidentiality, Integrity, Availability, Access Control

Modify Memory, Read Memory, DoS: Resource Consumption (Other), Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Quality Degradation

Demonstrative Examples

Consider a system that has four bus masters and a decoder. The decoder is supposed to decode every bus transaction and assign a corresponding security identifier. The security identifier is used to determine accesses to the assets. The bus transaction that contains the security information is Bus_transaction [15:14], and the bits 15 through 14 contain the security identifier information. The table below provides bus masters as well as their security identifiers and trust assumptions: The assets are the AES-Key registers for encryption or decryption. The key is 128 bits implemented as a set of four 32-bit registers. The AES_KEY_ACCESS_POLICY is used to define which agents with a security identifier in the transaction can access the AES-key registers. The size of the security identifier is 4 bits (i.e., bit 3 through 0). Each bit in these 4 bits defines a security identifier. There are only 4 security identifiers that are allowed accesses to the AES-key registers. The number of the bit when set (i.e., "1") allows respective action from an agent whose identity matches the number of the bit. If clear (i.e., "0"), disallows the respective action to that corresponding agent.
The following Pseudo code outlines the process of checking the value of the Security Identifier within the AES_KEY_ACCESS_POLICY register:
Informative
If (AES_KEY_ACCESS_POLICY[Security_Identifier] == "1")
                            
                            
                                Allow access to AES-Key registers
                            
                            
                                Else
                            
                            
                                Deny access to AES-Key registers
Below is a decoder's Pseudo code that only checks for bit [14] of the bus transaction to determine what Security Identifier it must assign.
Bad
If (Bus_transaction[14] == "1") 
                            
                            
                                Security_Identifier == "1"
                            
                            
                                Else
                            
                            
                                Security_Identifier == "0"
The security identifier is two bits, but the decoder code above only checks the value of one bit. Two Masters have their bit 0 set to "1" - Master_1 and Master_3. Master_1 is trusted, while Master_3 is not. The code above would therefore allow an untrusted agent, Master_3, access to the AES-Key registers in addition to intended trusted Master_1.
Good
If (Bus_transaction[15:14] == "00") 
                            
                            
                                Security_Identifier == "0"
                            
                            
                            If (Bus_transaction[15:14] == "01") 
                            
                            
                                Security_Identifier == "1"
                            
                            
                            If (Bus_transaction[15:14] == "10") 
                            
                            
                                Security_Identifier == "2"
                            
                            
                            If (Bus_transaction[15:14] == "11") 
                            
                            
                                Security_Identifier == "3"

Mitigations & Prevention

Architecture and Design

Security identifier decoders must be reviewed for design consistency and common weaknesses.

Implementation

Access and programming flows must be tested in pre-silicon and post-silicon testing in order to check for this weakness.

CWE-284: Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-1294: Insecure Security Identifier Mechanism

The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallo...

Frequently Asked Questions

What is CWE-1290?

CWE-1290 (Incorrect Decoding of Security Identifiers) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. If the decoding is implemented incorrectly, then untrusted agents can now gain unauthoriz...

How can CWE-1290 be exploited?

Attackers can exploit CWE-1290 (Incorrect Decoding of Security Identifiers) to modify memory, read memory, dos: resource consumption (other), execute unauthorized code or commands, gain privileges or assume identity, quality degradation. This weakness is typically introduced during the Implementation, Architecture and Design phase of software development.

How do I prevent CWE-1290?

Key mitigations include: Security identifier decoders must be reviewed for design consistency and common weaknesses.

What is the severity of CWE-1290?

CWE-1290 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.