CWE-1316: Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges

CWE-1316 · Base Level · 1 CVE · 3 Mitigations

Description

The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region.

Various ranges can be defined in the system-address map, either in the memory or in Memory-Mapped-IO (MMIO) space. These ranges are usually defined using special range registers that contain information, such as base address and size. Address decoding is the process of determining for which range the incoming transaction is destined. To ensure isolation, ranges containing secret data are access-control protected. Occasionally, these ranges could overlap. The overlap could either be intentional (e.g. due to a limited number of range registers or limited choice in choosing size of the range) or unintentional (e.g. introduced by errors). Some hardware designs allow dynamic remapping of address ranges assigned to peripheral MMIO ranges. In such designs, intentional address overlaps can be created through misconfiguration by malicious software. When protected and unprotected ranges overlap, an attacker could send a transaction and potentially compromise the protections in place, violating the principle of least privilege.

Potential Impact

Confidentiality, Integrity, Access Control, Authorization

Bypass Protection Mechanism, Read Memory, Modify Memory

Demonstrative Examples

An on-chip fabric supports a 64KB address space that is memory-mapped. The fabric has two range registers that support creation of two protected ranges with specific size constraints: 4KB, 8KB, 16KB or 32KB. Assets that belong to user A require 4KB, and those of user B require 20KB. Registers and other assets that are not security-sensitive require 40KB. One range register is configured to program 4KB to protect user A's assets. Since a 20KB range cannot be created with the given size constraints, the range register for user B's assets is configured as 32KB. The rest of the address space is left open. As a result, some part of the untrusted, open address space overlaps with user B's range.

The fabric does not support least privilege, and an attacker can send a transaction to the overlapping region to tamper with user B's data.

Since range B only requires 20KB but is allotted 32KB, there is 12KB of reserved space. Overlapping this region of user B's range, where there are no assets, with the untrusted space will prevent an attacker from tampering with user B's data.

Mitigations & Prevention

Architecture and Design

When architecting the address map of the chip, ensure that protected and unprotected ranges are isolated and do not overlap. When designing, ensure that ranges hardcoded in Register-Transfer Level (RTL) do not overlap.

Implementation

Ranges configured by firmware should not overlap. If overlaps are mandatory because of constraints such as a limited number of registers, then ensure that no assets are present in the overlapped portion.
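
The check below is an added example, not part of the CWE entry: it applies this rule to the 64KB demonstrative example above and reports how many asset bytes of a protected range are reachable through the open range. The base addresses and the names range_t, overlap_bytes and exposed_asset_bytes are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Half-open address range [base, base + size). */
typedef struct { uint32_t base, size; } range_t;

/* Bytes shared by two ranges; 0 when they do not intersect. */
static uint32_t overlap_bytes(range_t a, range_t b) {
    uint32_t lo = a.base > b.base ? a.base : b.base;
    uint32_t a_end = a.base + a.size, b_end = b.base + b.size;
    uint32_t hi = a_end < b_end ? a_end : b_end;
    return hi > lo ? hi - lo : 0;
}

/* Range-register size constraint from the example: 4KB, 8KB, 16KB or 32KB. */
static int size_allowed(uint32_t size) {
    return size == 0x1000 || size == 0x2000 || size == 0x4000 || size == 0x8000;
}

/* Check one protected range against the open range.
 * Returns -1 if the configuration is invalid (size not programmable, or
 * assets not fully inside the protected range); otherwise the number of
 * asset bytes reachable through the open range. 0 means any overlap
 * covers reserved space only. */
static long exposed_asset_bytes(range_t prot, range_t assets, range_t open) {
    if (!size_allowed(prot.size)) return -1;
    if (overlap_bytes(prot, assets) != assets.size) return -1;
    return (long)overlap_bytes(assets, open);
}

/* Constructed layout for the 64KB map (all base addresses are assumptions).
 * User A's 4KB range would sit at 0x0000-0x0FFF and is not checked here. */
static const range_t OPEN      = { 0x6000, 0xA000 };  /* 40KB open space    */
static const range_t RANGE_B   = { 0x1000, 0x8000 };  /* 32KB protected     */
static const range_t B_AT_TOP  = { 0x4000, 0x5000 };  /* 20KB assets, bad   */
static const range_t B_AT_BASE = { 0x1000, 0x5000 };  /* 20KB assets, good  */

int main(void) {
    printf("range B / open overlap: %u bytes\n",
           (unsigned)overlap_bytes(RANGE_B, OPEN));
    printf("assets at top of range B:  %ld bytes exposed\n",
           exposed_asset_bytes(RANGE_B, B_AT_TOP, OPEN));
    printf("assets at base of range B: %ld bytes exposed\n",
           exposed_asset_bytes(RANGE_B, B_AT_BASE, OPEN));
    return 0;
}
```

The 12KB overlap is the same in both layouts; only the placement of user B's 20KB of assets decides whether it is exploitable.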

Testing

Validate mitigation actions with robust testing.

Detection Methods

  • Automated Dynamic Analysis High — Review address map in specification to see if there are any overlapping ranges.
  • Manual Static Analysis High — Negative testing of access control on overlapped ranges.

Real-World CVE Examples

CVE ID | Description
CVE-2009-4419 | Attacker can modify MCHBAR register to overlap with an attacker-controlled region, which modification prevents the SENTER instruction from properly applying VT-d protection while a Measured Launch Env

Frequently Asked Questions

What is CWE-1316?

CWE-1316 (Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region.

How can CWE-1316 be exploited?

Attackers can exploit CWE-1316 (Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges) to bypass protection mechanisms, read memory, and modify memory. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.

How do I prevent CWE-1316?

Key mitigations include: When architecting the address map of the chip, ensure that protected and unprotected ranges are isolated and do not overlap. When designing, ensure that ranges hardcoded in Register-Transfer Level (RT

What is the severity of CWE-1316?

CWE-1316 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVE.