Détail du CWE-1384

The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.

Hardware products are typically only guaranteed to behave correctly within certain physical limits or environmental conditions. Such products cannot necessarily control the physical or external conditions to which they are subjected. However, the inability to handle such conditions can undermine a product's security. For example, an unexpected physical or environmental condition may cause the flipping of a bit that is used for an authentication decision. This unexpected condition could occur naturally or be induced artificially by an adversary.

Physical or environmental conditions of concern are:

• Atmospheric characteristics: extreme temperature ranges, etc.
• Interference: electromagnetic interference (EMI), radio frequency interference (RFI), etc.
• Assorted light sources: white light, ultra-violet light (UV), lasers, infrared (IR), etc.
• Power variances: under-voltages, over-voltages, under-current, over-current, etc.
• Clock variances: glitching, overclocking, clock stretching, etc.
• Component aging and degradation
• Materials manipulation: focused ion beams (FIB), etc.
• Exposure to radiation: x-rays, cosmic radiation, etc.

Modes d'introduction

Architecture and Design : The product's design might not consider checking and handling extreme conditions.
Manufacturing : For hardware manufacturing, sub-par components might be chosen that are not able to handle the expected environmental conditions.

Plateformes applicables

Technologies

Class: System on Chip (Undetermined)
Class: ICS/OT (Undetermined)

Conséquences courantes

Exemples observés

Mesures d’atténuation potentielles

Phases : Requirements
In requirements, be specific about expectations for how the product will perform when it exceeds physical and environmental boundary conditions, e.g., by shutting down.
Phases : Architecture and Design // Implementation
Where possible, include independent components that can detect excess environmental conditions and have the capability to shut down the product.
Phases : Architecture and Design // Implementation
Where possible, use shielding or other materials that can increase the adversary's workload and reduce the likelihood of being able to successfully trigger a security-related failure.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is a Class and might have Base-level children that would be more appropriate
Commentaire : Examine children of this entry to see if there is a better fit

Références

REF-1248

Categories of Security Vulnerabilities in ICS
Securing Energy Infrastructure Executive Task Force (SEI ETF).
https://inl.gov/wp-content/uploads/2022/03/SEI-ETF-NCSV-TPT-Categories-of-Security-Vulnerabilities-ICS-v1_03-09-22.pdf

REF-1255

Semi-invasive attacks - A new approach to hardware security analysis
Sergei P. Skorobogatov.
https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.pdf

REF-1285

Physical Security Attacks Against Silicon Devices
Texas Instruments.
https://www.ti.com/lit/an/swra739/swra739.pdf?ts=1644234570420

REF-1286

On The Susceptibility of Texas Instruments SimpleLink Platform Microcontrollers to Non-Invasive Physical Attacks
Lennert Wouters, Benedikt Gierlichs, Bart Preneel.
https://eprint.iacr.org/2022/328.pdf

Soumission

Modifications