
CWE-1304: Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation


CWE-1304 · Base Level · 3 Mitigations

Description

The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.

Before powering down, the Intellectual Property (IP) saves its current state (S) to persistent storage such as flash or always-on memory in order to optimize the restore operation. While the IP is powered down, an attacker with access to the persistent storage may alter (S) into a configuration that could modify privileges, disable protections, and/or cause damage to the hardware. If the IP does not validate the configuration state stored in persistent memory when it regains power or becomes operational again, the IP could be compromised through the activation of an unwanted or harmful configuration.

Potential Impact

Confidentiality, Integrity

DoS: Instability, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (Other), Gain Privileges or Assume Identity, Bypass Protection Mechanism, Alter Execution Logic, Quality Degradation, Unexpected State, Reduce Maintainability, Reduce Performance, Reduce Reliability

Demonstrative Examples

The following pseudo code demonstrates the power save/restore workflow that introduces the weakness: the config state is loaded after restore without any validation.
Bad
void save_config_state()
{
    void* cfg;

    cfg = get_config_state();
    write_config_state(cfg);   // store (S) in persistent storage (flash / always-on memory)

    go_to_sleep();
}

void restore_config_state()
{
    void* cfg;

    cfg = get_config_file();   // read (S) back from persistent storage
    load_config_file(cfg);     // activated without any integrity check
}
The following pseudo-code is the proper workflow for the integrity checking mitigation:
Good
void save_config_state()
{
    void* cfg;
    void* sha;

    cfg = get_config_state();
    write_config_state(cfg);   // store (S) in persistent storage

    // save hash(cfg) to trusted location
    sha = get_hash_of_config_state(cfg);
    save_hash(sha);

    go_to_sleep();
}

void restore_config_state()
{
    void* cfg;
    void *sha_1, *sha_2;

    cfg = get_config_file();
    // restore hash of config from trusted memory
    sha_1 = get_persisted_sha_value();

    // recompute the hash over what was actually read back from storage
    sha_2 = get_hash_of_config_state(cfg);
    // compare the hash contents, not the two pointers
    if (!hash_equal(sha_1, sha_2))
        assert_error_and_halt();

    load_config_file(cfg);
}
Note that in the good pseudo code above, the memory where the hash of the config state is stored must itself be trustworthy while the hardware is between the power save and restore states; a hash kept in the same untrusted storage as the configuration can simply be replaced along with it.
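The workflow above, as an added simulation that is not part of the CWE entry: the configuration is persisted to untrusted storage, its hash is kept in an always-on register inside the IP, and restore refuses a state whose hash no longer matches. The config layout, storage variables and function names are constructed for illustration, and FNV-1a stands in for the cryptographic hash a real IP would use.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed configuration block; all fields are 32-bit so the struct has no
 * padding and can be hashed byte-for-byte. */
typedef struct {
    uint32_t clock_div;
    uint32_t debug_unlock;  /* 1 = debug port open, protections disabled */
    uint32_t priv_level;
} hw_config_t;

/* Untrusted persistent storage (e.g. external flash): modifiable during sleep. */
static hw_config_t flash_cfg;
/* Trusted always-on register inside the IP: keeps its value across sleep. */
static uint64_t aon_hash_reg;

/* FNV-1a 64-bit, a stand-in for a cryptographic hash such as SHA-256. */
static uint64_t hash_config(const hw_config_t *c)
{
    const uint8_t *p = (const uint8_t *)c;
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < sizeof *c; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Before sleep: persist (S) and keep its hash where untrusted agents cannot reach it. */
void save_config_state(const hw_config_t *live)
{
    flash_cfg = *live;
    aon_hash_reg = hash_config(live);
}

/* On wake: load the saved state only if it still matches the trusted hash.
 * Returns false and leaves *live untouched when the state was altered. */
bool restore_config_state(hw_config_t *live)
{
    if (hash_config(&flash_cfg) != aon_hash_reg)
        return false;  /* mismatch: refuse to activate the saved configuration */
    *live = flash_cfg;
    return true;
}

/* Simulates an agent with flash access editing (S) while the IP is asleep. */
void tamper_with_flash(void) { flash_cfg.debug_unlock = 1; flash_cfg.priv_level = 3; }
```

In a real design the register holding the hash, not just the flash copy, is what the threat model must protect; the second and third mitigations below move that trust into an external agent instead.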

Mitigations & Prevention

Architecture and Design

Inside the IP, incorporate integrity checking on the configuration state via a cryptographic hash. The hash can be protected inside the IP such as by storing it in internal registers which never lose power. Before powering down, the IP performs a hash of the configuration and saves it in these persistent registers. Upon restore, the IP performs a hash of

Integration

Outside the IP, incorporate integrity checking of the configuration state via a trusted agent. Before powering down, the trusted agent performs a hash of the configuration and saves the hash in persistent storage. Upon restore, the IP requests the trusted agent validate its current configuration. If the configuration hash is invalid, then the IP should n

Integration

Outside the IP, incorporate a protected environment that prevents undetected modification of the configuration state by untrusted agents. Before powering down, a trusted agent saves the IP's configuration state in this protected location that only it is privileged to. Upon restore, the trusted agent loads the saved state into the IP.

Frequently Asked Questions

What is CWE-1304?

CWE-1304 (Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation) is a weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.

How can CWE-1304 be exploited?

Attackers can exploit CWE-1304 (Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation) to cause a DoS (instability; crash, exit, or restart; resource consumption), gain privileges or assume an identity, bypass a protection mechanism, alter execution logic, put the hardware in an unexpected state, or degrade quality, maintainability, performance, or reliability. This weakness is typically introduced during the Architecture and Design or Integration phases of development.

How do I prevent CWE-1304?

Key mitigations include: Inside the IP, incorporate integrity checking on the configuration state via a cryptographic hash. The hash can be protected inside the IP such as

What is the severity of CWE-1304?

CWE-1304 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.