Description
The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.
A bridge allows IP blocks supporting different fabric protocols to be integrated into the system. Fabric end-points or interfaces usually have dedicated signals to transport security attributes, for example the HPROT signals in AHB, the AxPROT signals in AXI, and the MReqInfo and SRespInfo signals in OCP. The values on these signals indicate the security attributes of the transaction. These include the immutable hardware identity of the controller initiating the transaction, the privilege level, and the type of transaction (e.g., read/write, cacheable/non-cacheable, posted/non-posted). A weakness can arise if the bridge IP block, which translates the signals from the protocol used in the IP block endpoint to the protocol used by the central bus, does not properly translate the security attributes. As a result, the identity of the initiator could be translated from untrusted to trusted or vice-versa. This could result in access-control bypass, privilege escalation, or denial of service.
Potential Impact
Confidentiality, Integrity, Access Control
Modify Memory, Read Memory, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Execute Unauthorized Code or Commands
Demonstrative Examples
module ocp2ahb
(
  ahb_hprot,
  ocp_mreqinfo
);

  output [1:0] ahb_hprot;        // output is 2 bit signal for AHB HPROT
  input  [4:0] ocp_mreqinfo;     // input is 5 bit signal from OCP MReqInfo
  wire   [6:0] p0_mreqinfo_o_temp; // OCP signal that transmits hardware identity of bus controller
  wire         y;
  reg    [1:0] ahb_hprot;

  // hardware identity of bus controller is in bits 5:1 of p0_mreqinfo_o_temp signal
  assign p0_mreqinfo_o_temp[6:0] = {1'b0, ocp_mreqinfo[4:0], y};

  always @*
  begin
    // Only bits 4:2 are decoded, i.e. ocp_mreqinfo[3:1];
    // ocp_mreqinfo[4] and ocp_mreqinfo[0] do not affect the result.
    case (p0_mreqinfo_o_temp[4:2])
      3'b000: ahb_hprot = 2'b11; // OCP MReqInfo to AHB HPROT mapping
      3'b001: ahb_hprot = 2'b00;
      3'b010: ahb_hprot = 2'b00;
      3'b011: ahb_hprot = 2'b01;
      3'b100: ahb_hprot = 2'b00;
      3'b101: ahb_hprot = 2'b00;
      3'b110: ahb_hprot = 2'b10;
      3'b111: ahb_hprot = 2'b00;
    endcase
  end
endmodule

Mitigations & Prevention
The translation must map signals in such a way that untrusted agents cannot map to trusted agents or vice-versa.
Ensure that the translation maps signals in such a way that untrusted agents cannot map to trusted agents or vice-versa.
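One way to meet this requirement, as an added example that is not part of the CWE entry: a bridge that decodes all five MReqInfo bits and treats any unlisted identity as untrusted, with a testbench that checks every input value in both directions. The trusted-ID list and the meaning given to HPROT bit 0 are assumptions made for illustration; the page does not state them.

```verilog
// Added example, not MITRE's code. ASSUMPTIONS (the page states none of these):
// the IDs in the allow-list are the trusted OCP initiators (constructed values),
// and HPROT bit 0 = 0 marks a trusted AHB transaction.
module ocp2ahb_hardened (
  input  wire [4:0] ocp_mreqinfo,
  output reg  [1:0] ahb_hprot
);
  always @* begin
    case (ocp_mreqinfo)                  // decode all 5 bits, no truncation
      5'h02, 5'h04, 5'h08, 5'h09: ahb_hprot = 2'b00;  // assumed trusted IDs
      default:                    ahb_hprot = 2'b01;  // unknown ID: untrusted
    endcase
  end
endmodule

// Exhaustive check: 32 input values are few enough to enumerate in simulation.
module tb_ocp2ahb_hardened;
  reg  [4:0] id;
  wire [1:0] hprot;
  integer    i, errors;

  ocp2ahb_hardened dut (.ocp_mreqinfo(id), .ahb_hprot(hprot));

  // Reference policy, kept separate from the DUT's case statement.
  function is_trusted_id(input [4:0] v);
    is_trusted_id = (v == 5'h02) || (v == 5'h04) || (v == 5'h08) || (v == 5'h09);
  endfunction

  initial begin
    errors = 0;
    for (i = 0; i < 32; i = i + 1) begin
      id = i;
      #1;  // let the combinational output settle
      if (!is_trusted_id(id) && hprot[0] !== 1'b1) begin
        errors = errors + 1;
        $display("FAIL: untrusted id %h translated to trusted hprot %b", id, hprot);
      end
      if (is_trusted_id(id) && hprot[0] !== 1'b0) begin
        errors = errors + 1;
        $display("FAIL: trusted id %h translated to untrusted hprot %b", id, hprot);
      end
    end
    if (errors == 0) $display("PASS: trust level preserved for all 32 IDs");
    $finish;
  end
endmodule
```

The `!==` comparisons also flag an X or Z on HPROT, so an incomplete case statement that leaves the output undriven fails the check.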
Frequently Asked Questions
What is CWE-1311?
CWE-1311 (Improper Translation of Security Attributes by Fabric Bridge) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.
How can CWE-1311 be exploited?
Attackers can exploit CWE-1311 (Improper Translation of Security Attributes by Fabric Bridge) to modify memory, read memory, gain privileges or assume identity, bypass protection mechanisms, or execute unauthorized code or commands. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.
How do I prevent CWE-1311?
Key mitigations include: The translation must map signals in such a way that untrusted agents cannot map to trusted agents or vice-versa.
What is the severity of CWE-1311?
CWE-1311 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.