CWE-1244 Detail

The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.

Debug authorization can have multiple levels of access, defined such that different system internal assets are accessible based on the current authorized debug level. Other than debugger authentication (e.g., using passwords or challenges), the authorization can also be based on the system state or boot stage. For example, full system debug access might only be allowed early in boot after a system reset to ensure that previous session data is not accessible to the authenticated debugger.

If this protection mechanism does not ensure that internal assets have the correct debug access level during each boot stage or change in system state, an attacker could obtain sensitive information from the internal asset using a debugger.

Modes Of Introduction

Architecture and Design
Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Operating Systems

Class: Not OS-Specific (Undetermined)

Architectures

Class: Not Architecture-Specific (Undetermined)

Technologies

Class: System on Chip (Undetermined)

Common Consequences

Observed Examples

Potential Mitigations

Phases : Architecture and Design // Implementation

For security-sensitive assets accessible over debug/test interfaces, only allow trusted agents.

Phases : Architecture and Design
Apply blinding [REF-1219] or masking techniques in strategic areas.
Phases : Implementation
Add shielding or tamper-resistant protections to the device, which increases the difficulty and cost for accessing debug/test interfaces.

Detection Methods

Manual Analysis

Check 2 devices for their passcode to authenticate access to JTAG/debugging ports. If the passcodes are missing or the same, update the design to fix and retest. Check communications over JTAG/debugging ports for encryption. If the communications are not encrypted, fix the design and retest.
Effectiveness : Moderate

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

NotesNotes

CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.

References

REF-1056

Multiple Vulnerabilities in Barco Clickshare: JTAG access is not permanently disabled
F-Secure Labs.
https://labs.f-secure.com/advisories/multiple-vulnerabilities-in-barco-clickshare/

REF-1057

Attacks and Defenses for JTAG
Kurt Rosenfeld, Ramesh Karri.
https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5406671

REF-1219

Blindsight: Blinding EM Side-Channel Leakage using Built-In Fully Integrated Inductive Voltage Regulator
Monodeep Kar, Arvind Singh, Santosh Ghosh, Sanu Mathew, Anand Rajan, Vivek De, Raheem Beyah, Saibal Mukhopadhyay.
https://arxiv.org/pdf/1802.09096.pdf

REF-1377

csr_regile.sv line 938
https://github.com/HACK-EVENT/hackatdac19/blob/57e7b2109c1ea2451914878df2e6ca740c2dcf34/src/csr_regfile.sv#L938

REF-1378

Fix for csr_regfile.sv line 938
https://github.com/HACK-EVENT/hackatdac19/blob/a7b61209e56c48eec585eeedea8413997ec71e4a/src/csr_regfile.sv#L938C31-L938C56

Submission

Modifications