CWE-1302: Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)

Description

The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier.

In a System-On-Chip (SoC), various integrated circuits and hardware engines generate transactions such as to access (reads/writes) assets or perform certain actions (e.g., reset, fetch, compute). A typical transaction is comprised of source identity (to identify the originator of the transaction) and a destination identity (to route the transaction to the respective entity) in addition to much more information in the message. Sometimes the transactions are qualified with a Security Identifier. This Security Identifier helps the destination agent decide on the set of allowed or disallowed actions. A weakness that can exist in such transaction schemes is that the source agent does not consistently include the necessary Security Identifier with the transaction. If the Security Identifier is missing, the destination agent might drop the message (resulting in an inadvertent Denial-of-Service (DoS)) or take inappropriate action by default in its attempt to execute the transaction, resulting in privilege escalation or provision of unintended access.

Potential Impact

Confidentiality, Integrity, Availability, Access Control

Modify Memory, Read Memory, DoS: Crash, Exit, or Restart, Bypass Protection Mechanism, Execute Unauthorized Code or Commands

Demonstrative Examples

Consider a system with a register for storing AES key for encryption or decryption. The key is of 128 bits implemented as a set of four 32-bit registers.  The key registers are assets, and the register AES_KEY_ACCESS_POLICY is defined to provide the necessary access controls. 
						 The access-policy register defines which agents with a security identifier in the transaction can access the AES-key registers. Each bit in this 32-bit register defines a security identifier. There could be a maximum of 32 security identifiers that are allowed accesses to the AES-key registers. The number of the bit when set (i.e., "1") allows for a respective action from an agent whose identity matches the number of the bit; if set to "0" (i.e., Clear), it disallows the respective action to that corresponding agent.

Bad

Register
								Field description
							
							
								AES_ENC_DEC_KEY_0
								AES key [0:31] for encryption or decryption, Default 0x00000000
							
							
								AES_ENC_DEC_KEY_1
								AES key [32:63] for encryption or decryption, Default 0x00000000
							
							
								AES_ENC_DEC_KEY_2
								AES key [64:95] for encryption or decryption, Default 0x00000000
							
							
								AES_ENC_DEC_KEY_4
								AES key [96:127] for encryption or decryption, Default 0x00000000
							
							
								AES_KEY_ACCESS_POLICY
								[31:0] Default 0x00000004 - agent with Security Identifier "2" has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_4 registers

The originator sends a transaction with no security identifier, i.e., meaning the value is "0" or NULL. The AES-Key-access register does not allow the necessary action and drops the transaction because the originator failed to include the required security identifier.

Good

Register
								Field description
							
							
								AES_ENC_DEC_KEY_0
								AES key [0:31] for encryption or decryption, Default 0x00000000
							
							
								AES_ENC_DEC_KEY_1
								AES key [32:63] for encryption or decryption, Default 0x00000000
							
							
								AES_ENC_DEC_KEY_2
								AES key [64:95] for encryption or decryption, Default 0x00000000
							
							
								AES_ENC_DEC_KEY_4
								AES key [96:127] for encryption or decryption, Default 0x00000000
							
							
								AES_KEY_ACCESS_POLICY
								[31:0] Default 0x00000002 - agent with security identifier "2" has access to AES_ENC_DEC_KEY_0 through AES_ENC_DEC_KEY_4 registers

The originator should send a transaction with Security Identifier "2" which will allow access to the AES-Key-access register and allow encryption and decryption operations.

Mitigations & Prevention

Architecture and Design

Transaction details must be reviewed for design inconsistency and common weaknesses.

Implementation

Security identifier definition and programming flow must be tested in pre-silicon and post-silicon testing.

Frequently Asked Questions

What is CWE-1302?

CWE-1302 (Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security id...

How can CWE-1302 be exploited?

Attackers can exploit CWE-1302 (Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)) to modify memory, read memory, dos: crash, exit, or restart, bypass protection mechanism, execute unauthorized code or commands. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-1302?

Key mitigations include: Transaction details must be reviewed for design inconsistency and common weaknesses.

What is the severity of CWE-1302?

CWE-1302 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.